WithPCI.com

Insider Threat Post-Layoff Scenario

Scenario Overview

Exercise Type: Technical Simulation Tabletop Exercise
Target Audience: SOC Analysts, IT Security Teams, Network Engineers, HR Business Partners
Scenario: Malicious Insider Compromise Following Workforce Reduction
Duration: 120-150 minutes
Exercise Objective: Validate response capabilities to privileged account abuse and systemic infrastructure sabotage


Facilitator Guidelines

  • Emphasize coordination between HR and security teams
  • Focus on Active Directory recovery procedures and DNS forensic analysis
  • Track evidence preservation requirements
  • Simulate real-time pressure with escalating injects

Exercise Script

INJECT 1: Initial Access Issues (Day 1 - 08:45 AM)

Situation:

  • Help desk receives 127 tickets within first hour of operations:
    • Users report "The trust relationship between this workstation and the primary domain failed" errors
    • Multiple domain-joined Linux servers failing SSH key authentication
    • Azure AD hybrid join status showing "Needs Attention" for 43% of devices

Facilitator Notes:

  • Observe initial triage procedures
  • Note discussions about credential churn vs. infrastructure sabotage

DISCUSSION PROMPT: "What diagnostic steps would you take? How would you prioritize restoring user access against preserving evidence for the security investigation?"


INJECT 2: Authentication Failure Analysis (Day 1 - 10:15 AM)

Situation:

  • Security team findings:
    • Domain controllers rejecting valid Kerberos tickets (error 0x6FB)
    • Wireshark captures show NTLM fallback attempts being blocked
    • Event ID 4769 (Kerberos service ticket operations) spiking by 1400%
  • HR provides list of 87 employees terminated during layoffs

Facilitator Notes:

  • Evaluate understanding of Kerberos authentication chain
  • Note discussions about golden ticket detection

DISCUSSION PROMPT: "What forensic artifacts would you collect from the domain controllers? How would you distinguish genuine from spoofed authentication attempts?"
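As an added illustration of the triage this inject asks for (not part of the WithPCI exercise material), the script below works over a constructed batch of Event ID 4769 records: it measures the hourly volume against a baseline and pulls out tickets an analyst should look at first. The baseline counts, sample events, the AES-only domain policy and the watch list of terminated employees' workstation IPs are all assumptions; the IP 10.5.16.22 is the one the exercise uses for the terminated sysadmin's workstation.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event4769:
    """Subset of fields from a Security log 4769 record (constructed for this example)."""
    hour: str        # TimeCreated truncated to the hour, e.g. "2025-04-28T10"
    account: str     # TargetUserName
    service: str     # ServiceName
    client_ip: str   # IpAddress
    enc_type: int    # TicketEncryptionType: 0x12 = AES256-CTS, 0x17 = RC4-HMAC


# Constructed baseline: 4769 counts per hour on a normal business day.
BASELINE_HOURS = {"2025-04-24T09": 100, "2025-04-24T10": 120, "2025-04-24T11": 140}

# Constructed sample for the incident hour: ordinary file-share tickets plus two
# RC4 service tickets requested from the terminated sysadmin's workstation IP.
SAMPLE_EVENTS = (
    [Event4769("2025-04-28T10", f"user{i:04d}@INTERNAL", "cifs/fs01", "10.5.2.40", 0x12)
     for i in range(1800)]
    + [Event4769("2025-04-28T10", "svc_sql@INTERNAL", "MSSQLSvc/db01:1433", "10.5.16.22", 0x17),
       Event4769("2025-04-28T10", "svc_backup@INTERNAL", "ldap/dc01", "10.5.16.22", 0x17)]
)

# Assumed environment policy: Kerberos is AES-only, so an RC4 ticket is a downgrade.
AES_ONLY = True
# Assumed watch list: workstation IPs assigned to people on the HR termination list.
WATCHED_IPS = {"10.5.16.22"}
SPIKE_THRESHOLD_PERCENT = 500.0


def spike_percent(events, baseline_hours):
    """Percent increase of the busiest sampled hour over the mean baseline hour."""
    mean = sum(baseline_hours.values()) / len(baseline_hours)
    busiest = max(Counter(e.hour for e in events).values())
    return (busiest / mean - 1.0) * 100.0


def anomalous_tickets(events, aes_only=AES_ONLY, watched_ips=WATCHED_IPS):
    """Tickets to pull first: RC4 in an AES-only domain (a downgrade that forged
    and roasting-style requests commonly show) and any request from a watched IP."""
    flagged = []
    for e in events:
        reasons = []
        if aes_only and e.enc_type == 0x17:
            reasons.append("rc4_ticket_in_aes_only_domain")
        if e.client_ip in watched_ips:
            reasons.append("request_from_watched_ip")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def triage(events=SAMPLE_EVENTS, baseline_hours=BASELINE_HOURS):
    """Summary an analyst can act on: volume alert plus the accounts and sources to review."""
    pct = spike_percent(events, baseline_hours)
    flagged = anomalous_tickets(events)
    return {
        "spike_percent": round(pct, 1),
        "volume_alert": pct >= SPIKE_THRESHOLD_PERCENT,
        "flagged_count": len(flagged),
        "flagged_source_ips": Counter(e.client_ip for e, _ in flagged).most_common(),
        "flagged_accounts": sorted({e.account for e, _ in flagged}),
    }


if __name__ == "__main__":
    print(triage())
```

The volume check alone cannot separate a credential-churn storm from sabotage; the per-ticket reasons are what give the analyst a starting point, and both the encryption-type rule and the watch list should be fed from the organization's real policy and HR data rather than the placeholders here.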


INJECT 3: EDR Policy Tampering (Day 1 - 1:30 PM)

Situation:

  • CrowdStrike Falcon console audit reveals:
    • All prevention policies disabled at 2025-04-25T17:32:00Z (Friday post-layoffs)
    • Modification trace:
      • User: mickey_mouse@internal
      • Source IP: 10.5.16.22 (Terminated sysadmin's workstation)
  • Network logs show:
    • Sustained RDP connections to Domain Controller from 10.5.16.22
    • DNS AXFR requests to non-authoritative nameservers

Facilitator Notes:

  • Assess chain of custody procedures for terminated employee devices
  • Note discussions about policy enforcement bypass techniques

DISCUSSION PROMPT: "How would you safely re-enable EDR controls? What safeguards prevent policy tampering recurrence?"
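The HR list from Inject 2 and the console audit trail in this inject are most useful when joined. The example below is added here and is not part of the exercise or any vendor tooling: it takes a constructed HR export and a constructed audit trail (the field names are assumptions, not a CrowdStrike export format), flags privileged actions taken by a terminated account or from that person's assigned workstation after the termination time, and lists terminated accounts the directory still reports as enabled.

```python
from datetime import datetime, timezone


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed exports."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR export (assumed columns): account, termination time, assigned workstation IP.
TERMINATED = {
    "mickey_mouse@internal": {"terminated_at": "2025-04-25T16:00:00Z", "workstation_ip": "10.5.16.22"},
    "donald_duck@internal":  {"terminated_at": "2025-04-25T16:00:00Z", "workstation_ip": "10.5.16.41"},
}

# Constructed EDR console audit trail; action names are illustrative.
AUDIT = [
    {"ts": "2025-04-25T15:10:00Z", "user": "ops_admin@internal",    "src_ip": "10.5.1.7",   "action": "policy.update"},
    {"ts": "2025-04-25T17:32:00Z", "user": "mickey_mouse@internal", "src_ip": "10.5.16.22", "action": "prevention_policy.disable"},
    {"ts": "2025-04-25T17:40:00Z", "user": "svc_deploy@internal",   "src_ip": "10.5.16.22", "action": "sensor_uninstall_token.read"},
]

# Constructed directory snapshot taken after the layoff: account -> enabled flag.
DIRECTORY_ENABLED = {
    "mickey_mouse@internal": True,
    "donald_duck@internal": False,
    "ops_admin@internal": True,
}


def post_termination_activity(audit=AUDIT, terminated=TERMINATED):
    """Audit records involving a terminated account, or originating from that person's
    assigned workstation, at or after the termination time."""
    ip_owner = {v["workstation_ip"]: acct for acct, v in terminated.items()}
    findings = []
    for rec in audit:
        t = parse_ts(rec["ts"])
        reasons = []
        if rec["user"] in terminated and t >= parse_ts(terminated[rec["user"]]["terminated_at"]):
            reasons.append("account_active_after_termination")
        owner = ip_owner.get(rec["src_ip"])
        if owner and t >= parse_ts(terminated[owner]["terminated_at"]):
            reasons.append(f"source_is_terminated_user_workstation:{owner}")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def still_enabled(directory=DIRECTORY_ENABLED, terminated=TERMINATED):
    """Terminated accounts the directory still reports as enabled: the offboarding gap."""
    return sorted(a for a in terminated if directory.get(a, False))


if __name__ == "__main__":
    for f in post_termination_activity():
        print(f["ts"], f["user"], f["action"], f["reasons"])
    print("still enabled:", still_enabled())
```

The second reason type matters in this scenario: a service account acting from a terminated employee's workstation is exactly the pattern a per-account check misses, so the join should run on source IP and device identity as well as on username.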


INJECT 4: Domain Controller Compromise (Day 1 - 3:00 PM)

Situation:

  • DC forensic analysis reveals:
    • LMHosts file modification redirecting LDAP traffic to 127.0.0.1
    • New hidden admin account:
      • Username: Mickey_Mouse
      • SID: S-1-5-21-3623811015-3361044348-30300820-500
      • Last logon: 2025-04-25T17:45:00Z
  • Security team identifies:
    • 14 new GPOs pushing malicious registry edits
    • DFS replication to rogue server at 192.168.5.33

Facilitator Notes:

  • Evaluate AD forest recovery strategies
  • Note discussions about system hardening baseline verification

DISCUSSION PROMPT: "What immediate containment steps would you take for the compromised DCs? How would you verify GPO integrity across the enterprise?"
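To make the "baseline verification" in the facilitator notes concrete, here is an added example (not from the exercise) of two checks a recovery team can script: a drift comparison between a known-good GPO inventory and the current one, and a sanity check on the built-in administrator RID. The GPO settings, the current inventory, the placeholder GUID and the account listing are constructed; the two default-policy GUIDs are the well-known ones every domain carries, and the SID is the one quoted in the inject.

```python
import hashlib
import json


def settings_digest(settings):
    """Stable digest of a GPO's exported settings (any canonical export format works)."""
    return hashlib.sha256(json.dumps(settings, sort_keys=True).encode()).hexdigest()


# Constructed known-good baseline captured before the layoff.
BASELINE = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": {"name": "Default Domain Policy",
                                               "digest": settings_digest({"MinimumPasswordLength": 14})},
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": {"name": "Default Domain Controllers Policy",
                                               "digest": settings_digest({"AuditPolicy": "full"})},
}

# Constructed current inventory: the domain policy has been weakened and an
# unrecognised GPO (placeholder GUID) pushes a registry value.
CURRENT = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": {"name": "Default Domain Policy",
                                               "digest": settings_digest({"MinimumPasswordLength": 0})},
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": {"name": "Default Domain Controllers Policy",
                                               "digest": settings_digest({"AuditPolicy": "full"})},
    "{00000000-0000-0000-0000-00000000CAFE}": {"name": "Updates",
                                               "digest": settings_digest({"Registry": {"HKLM\\Software\\Example": "1"}})},
}


def gpo_drift(baseline=BASELINE, current=CURRENT):
    """GPOs that are new, changed or gone relative to the baseline, keyed by GUID."""
    new = sorted(g for g in current if g not in baseline)
    removed = sorted(g for g in baseline if g not in current)
    modified = sorted(g for g in current
                      if g in baseline and current[g]["digest"] != baseline[g]["digest"])
    return {"new": new, "modified": modified, "removed": removed}


def rid(sid):
    """Relative identifier: the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


# Constructed account listing: the RID-500 account carries the inject's username,
# and a normal-RID account has been given the expected built-in name.
ACCOUNTS = [
    {"name": "Mickey_Mouse",  "sid": "S-1-5-21-3623811015-3361044348-30300820-500"},
    {"name": "Administrator", "sid": "S-1-5-21-3623811015-3361044348-30300820-1108"},
    {"name": "jsmith",        "sid": "S-1-5-21-3623811015-3361044348-30300820-1204"},
]


def builtin_admin_anomalies(accounts=ACCOUNTS, expected_name="Administrator"):
    """The built-in administrator is always RID 500; report a rename of that account
    and any ordinary account wearing the expected name."""
    findings = []
    for a in accounts:
        r = rid(a["sid"])
        if r == 500 and a["name"] != expected_name:
            findings.append(f"rid500_named:{a['name']}")
        if r != 500 and a["name"] == expected_name:
            findings.append(f"non_builtin_account_named_{expected_name}:rid{r}")
    return findings


if __name__ == "__main__":
    print(gpo_drift())
    print(builtin_admin_anomalies())
```

The baseline digest is only as trustworthy as its storage: keep it off the domain (signed, in the same place as the forest recovery media), since a baseline stored in SYSVOL would be rewritten along with the GPOs it is meant to check.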


INJECT 5: Credential Harvesting Evidence (Day 2 - 9:00 AM)

Situation:

  • Memory forensics on terminated workstation reveals:
    • Mimikatz residues with DC sync commands
    • 28,456 harvested credentials in plaintext
    • Scheduled task calling: powershell -ep bypass -c "Invoke-MassCredentials -Target OU=Finance"
  • HR identifies Mickey_Mouse account matches terminated employee's pet name

Facilitator Notes:

  • Highlight need for privileged access management controls
  • Note discussions about credential lifecycle management

DISCUSSION PROMPT: "What credential rotation strategy would you implement? How would you handle service account dependencies?"


INJECT 6: DNS Infrastructure Sabotage (Day 2 - 1:45 PM)

Situation:

  • Network team reports:
    • Authoritative DNS servers returning NXDOMAIN for internal zones
    • External DNS resolution redirected to 104.18.25.93 (malicious comedy site)
    • DNSSEC validation failures across all recursive resolvers
  • Packet captures show:
    • TSIG key abuse for zone transfers
    • Dynamic updates deleting A/AAAA records

Facilitator Notes:

  • Evaluate DNS forensic investigation techniques
  • Note discussions about DNSSEC rollover procedures

DISCUSSION PROMPT: "How would you rebuild the DNS infrastructure? What validation steps would confirm resolution integrity?"
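One answer to the validation half of this prompt is a resolver acceptance test run after the rebuild. The example below is added and is not part of the exercise: it compares each recursive resolver's answers against a manifest built from the clean zone files and reports the failure modes this inject describes (NXDOMAIN for internal names, answers pointing off-network, DNSSEC validation missing). The manifest, the internal address ranges and the sample resolver answers are constructed; 104.18.25.93 is the redirect address quoted in the inject and 203.0.113.20 is a documentation-range placeholder.

```python
from ipaddress import ip_address, ip_network

# Assumed internal address space; replace with the organization's real ranges.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed manifest from the rebuilt zone files: name -> expected A set and
# whether the zone is DNSSEC-signed (so validating resolvers must set AD).
EXPECTED = {
    "dc01.internal.":         {"A": {"10.5.1.10"},    "signed": True},
    "fs01.internal.":         {"A": {"10.5.2.40"},    "signed": True},
    "app.internal.":          {"A": {"10.5.3.5"},     "signed": True},
    "portal.vendor.example.": {"A": {"203.0.113.20"}, "signed": True},
}

# Constructed answers from one recursive resolver under test: rcode, A set, AD flag.
ANSWERS = {
    "dc01.internal.":         {"rcode": "NXDOMAIN", "A": set(),            "ad": False},
    "fs01.internal.":         {"rcode": "NOERROR",  "A": {"10.5.2.40"},    "ad": True},
    "app.internal.":          {"rcode": "NOERROR",  "A": {"104.18.25.93"}, "ad": False},
    "portal.vendor.example.": {"rcode": "NOERROR",  "A": {"104.18.25.93"}, "ad": False},
}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_RANGES)


def validate_resolver(answers=ANSWERS, expected=EXPECTED):
    """Return (name, finding) pairs for one resolver; an empty list means it passes."""
    findings = []
    for name, exp in expected.items():
        ans = answers.get(name)
        if ans is None or ans["rcode"] == "NXDOMAIN":
            findings.append((name, "nxdomain_for_expected_name"))
            continue
        if ans["A"] != exp["A"]:
            findings.append((name, "unexpected_answer"))
        if name.endswith(".internal.") and any(not is_internal(ip) for ip in ans["A"]):
            findings.append((name, "internal_name_resolves_to_external_ip"))
        if exp["signed"] and not ans["ad"]:
            findings.append((name, "dnssec_not_validated"))
    return findings


def resolver_passes(answers=ANSWERS, expected=EXPECTED):
    return not validate_resolver(answers, expected)


if __name__ == "__main__":
    for name, finding in validate_resolver():
        print(f"{name:26} {finding}")
    print("PASS" if resolver_passes() else "FAIL")
```

Run the same manifest against every recursive resolver and both authoritative servers, and keep it alongside the zone files so the check is repeatable after each DNSSEC key rollover; the AD-flag check is what catches a resolver that was quietly switched to a non-validating configuration.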


INJECT 7: Post-Recovery Validation (Day 5 - 10:00 AM)

Situation:

  • Current state:
    • 100% credential rotation completed
    • New isolated domain forest deployed
    • 93% systems migrated to clean environment
  • Remaining issues:
    • Legacy HVAC system still authenticating to old domain
    • 14 IoT devices with hardcoded DNS to malicious IP
    • Pending HR litigation over privacy violations

Facilitator Notes:

  • Focus on business continuity vs. security tradeoffs
  • Note discussions about IoT security policies

DISCUSSION PROMPT: "What metrics define recovery completion? How would you prevent similar insider sabotage?"


Exercise Debrief

Technical Focus Areas:

  1. Active Directory Forest Recovery
  2. DNS Infrastructure Hardening
  3. Privileged Access Workflow Review
  4. Termination Procedures Automation
  5. Defense-in-Depth Against Insider Threats

After-Action Deliverables:

  • Privileged session monitoring implementation plan
  • Dynamic DNS update authentication controls
  • Layoff-specific security playbook
  • Mandatory vacation policy for sysadmins

Next Steps:

  • Conduct purple team exercise testing termination procedures
  • Implement FIDO2 hardware tokens for admin access
  • Schedule quarterly insider threat simulation drills
