Lore & Order Vol. 11: Tying TTX Results to Your Incident Response Plan


Welcome to This Month’s Dispatch from Ally Security

Inside: Context-rich reporting with Ally’s new Knowledge Base, a Dear Asa tale that highlights the importance of the cyber trade, and a grab bag of breach chronicles to inspire your next scenario. Plus, get a glimpse into the next creation from Ally’s workshop (hint: it’s a feature so often requested that it practically forged itself)!

Table Talk: A Tale of Two Tribulations

Facilitators have told us they’re facing two recurring battles as of late…

The first: “How can I give contextual feedback in my Ally After-Action Reports?”

TTX reports should be tied to a client’s own doctrine, not generic wisdom. For that reason, we’ve summoned a new feature which we call the Knowledge Base. Upload your client’s Incident Response Plan (IRP) and this helpful companion will reveal how performance during the TTX compares to documentation. Over time, we’ll support uploads for additional scrolls like runbooks, cyber insurance policies, and custom evaluation criteria.

Venture to the Build Chronicle section below to learn how you can start using the Knowledge Base today!

The second: “I need a powerful tabletop exercise scenario…swiftly.”

Imagine a client just reached out and asked you to run a TTX two weeks from today. Sand begins to fall in the hourglass, marking the pressure of time. You stare at a blank page struggling to find inspiration. Your old templates feel like outdated relics from a past campaign.

Don’t worry, we’ve been there. That’s why we’re crafting a scenario generation engine that takes you from zero to fully-prepared hero in minutes. It’s nearly ready, and we’re inviting a handful of Facilitators to preview it and help refine what comes next. Reach out to Rob or Scout if you want in!

Your allies in IR,

Rob & Scout

Dear Asa: Tales from the Trenches

An anonymous external researcher submitted a bug bounty report identifying what appeared to be an open Azure storage account containing a large volume of confidential-looking data, including database backups. The report was triaged by the Security Operations Centre and assessed as low priority because the storage account was secured and not publicly accessible. The report was closed without further investigation.

Two months later, another team revisited the storage account and identified that the account contained five terabytes of production database backups in an unsecured format. There was no access logging for the storage account due to cost considerations. It was not possible to determine whether the data had been accessed or exfiltrated.

We went through a long process of downloading the backups, performing integrity checks, provisioning database servers, and restoring backups. Finally, a segregated team analyzed the restored databases to classify the data, determine its sensitivity, and identify affected clients.

The result: Impacted clients were notified approximately six months after the incident was formally identified. Some were given financial incentives on contract renewals to secure their business. No regulators were notified at any stage.

— Chief Information Security Officer | Financial Services

Asa's Field Intel: Inspiration for Your Next TTX

1. Cybernews: PayPal Breach Went Undetected for Six Months, Exposing Social Security Numbers

A quiet flaw in PayPal’s Working Capital app left sensitive customer data exposed for nearly half a year before anyone sounded the horn. Facilitators can use this scenario seed to remind clients that no fortification is impenetrable, meaning routine inspection is essential. Unravel the scroll

2. Daily Dark Web: Panera Bread Data Breach – ShinyHunters Claims 14 Million Records Stolen

A band of bandits known as ShinyHunters claims to have seized 14 million records from Panera Bread, proving that even the most well-known brands can find their defenses going stale. Read the field report

3. TechRadar: Major CarGurus Data Breach Reportedly Sees 1.7 Million Corporate Records Stolen

Raiders reportedly ran off with 1.7 million corporate records from CarGurus, turning internal ledgers into plunder for the shadow markets. Facilitators can draw inspiration from the deadly fusion of vishing and phishing highlighted here. Discover what happened

4. Radiology Business: Noted North Carolina Private Radiology Practice Experiences Data Breach

A renowned North Carolina radiology practice unearthed a data breach that may have exposed names, addresses, Social Security numbers and bank accounts. Healers are a prime mark for cyber rogues, but adequate preparation can turn the tide in tales like this one. Open the chronicle

Ally's Build Chronicle: A Clear IRP Progression Path with Ally’s New Knowledge Base

Conjured by Elvira and Megh!

Every exercise tells a story. The question is whether that story is measured against the client’s own doctrine or left drifting in abstraction. That’s where our brand new Knowledge Base comes into play.

In the heat of a TTX, some party members follow the Incident Response Plan as unwaveringly as a paladin following his or her oath. Others charge in steel-first and act on instinct, leaving documentation tomes back at camp.

With the Knowledge Base’s IRP Gaps module, you can see where actions strayed from documented process, escalation paths wandered, roles blurred, communications fizzled out, and playbooks unraveled. Knowledge Base then helps you recommend plan upgrades with targeted training regimens. This provides clear quest markers for closing the gaps and levelling up your client’s IRP.

How to Summon the Knowledge Base

  1. Navigate to the Knowledge Base tab on the left sidebar
  2. Upload your client’s Incident Response Plan
  3. Select “Add” and attach it to existing reports, or bind it to all future runs
  4. Once the module has been invoked on a report, you can refine its findings using the edit function

End of Turn

We’ve introduced you to a Knowledge Base companion built to sharpen After-Action Reports, studied the battle strategies of the ShinyHunters bandits, and revealed Ally’s next move with the scenario generation engine. Wishing you well on your next quest!

About Ally Security

Ally is here to support facilitators, which in turn creates a virtuous cycle where exercises take less time, provide more value, are run more frequently, and leave every organization better prepared.

Book a demo!

Have a great IR story? Tell Asa!

The unexpected wins. The client curveballs. The chaos you couldn’t have scripted if you tried. Dear Asa is your space to share the stories that don’t make it into the official post-incident report. Script, submit, and enjoy a chance to be featured or quoted in an upcoming post.

Share my story