Keypoints
- Datadog introduced an expansion pack for the Backdoors & Breaches game at DASH 2025 to help teams practice incident response skills.
- The game simulates attack scenarios using cards that represent different stages of an attack: Initial Compromise, Pivot and Escalate, Persistence, and C2 and Exfil.
- The expansion pack incorporates Datadog’s security and observability products, allowing teams to tailor exercises to their real-world monitoring setups.
- An Incident Captain leads the game, selecting attack cards secretly while Defenders collaborate to identify the attack methods within 10 rounds.
- The game includes Procedure cards for detecting attacks and Inject cards to simulate unexpected security events, enhancing the learning experience.
- The deck is suitable for security professionals, students, and teams looking to practice incident response in a collaborative, low-stakes environment.
- Example scenarios in the expansion pack cover cloud application compromises, insider threats, and GitHub Actions security issues.
MITRE Techniques
- [T1078] Valid Accounts – Represented by the “Compromised SSO Federated Identity” card, which illustrates how attackers use stolen credentials for access.
- [T1553] Subvert Trust Controls – Represented by the “Backdoored Role Trust Policy” card, which shows persistence achieved by modifying a role's trust policy.
- [T1567] Exfiltration Over Web Service – Highlighted by the “Living off the Cloud as Exfil” and “Snapshotting Resources as Exfil” scenarios, which cover data exfiltration methods.
- [T1098] Account Manipulation – Demonstrated by the “Additional Credential Creation” card as a persistence technique.
- [T1204] User Execution – Implied in the phishing campaign scenarios that target cloud administrators.
Indicators of Compromise
- [File Names] Examples of compromised components – “Backdoored Container Image”, “Backdoored Role Trust Policy”.
- [Log Entries] Security monitoring indicators – AWS CloudTrail logs containing unusual Access Denied errors, mentioned in the web application exploitation scenario.
- [Alerts] AWS Cost Management alert signaling unusual network usage – an increased egress network bill indicating possible exfiltration activity.
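Two of the indicators above (a backdoored role trust policy and a burst of CloudTrail Access Denied errors) are easy to turn into concrete detection checks. The following is an added example, not code from the article or from the Backdoors & Breaches deck: it runs two Defender-side checks over constructed CloudTrail-shaped records (the account IDs, the `alice` identity and the `DeployRole` name are made up), assuming CloudTrail's `requestParameters` field names for `UpdateAssumeRolePolicy` and `CreateRole`.

```python
import json
import re
from collections import Counter

# Constructed sample CloudTrail records (not real data): a trust-policy change that
# adds a foreign account, then repeated AccessDenied errors from the same identity.
TRUSTED_ACCOUNTS = {"111111111111"}
ALICE = "arn:aws:iam::111111111111:user/alice"
SAMPLE_EVENTS = [
    {"eventName": "UpdateAssumeRolePolicy", "userIdentity": {"arn": ALICE},
     "requestParameters": {"roleName": "DeployRole", "policyDocument": json.dumps({
         "Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
             {"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
] + [
    {"eventName": n, "errorCode": "AccessDenied", "userIdentity": {"arn": ALICE}}
    for n in ("ListBuckets", "DescribeInstances", "ListSecrets", "GetSecretValue")
]
ACCOUNT_RE = re.compile(r"arn:aws:iam::(\d{12}):")

def foreign_trust_principals(event, trusted=TRUSTED_ACCOUNTS):
    """Principals outside `trusted` granted sts:AssumeRole by a trust-policy change."""
    if event.get("eventName") not in ("UpdateAssumeRolePolicy", "CreateRole"):
        return []
    params = event.get("requestParameters", {})
    doc = params.get("policyDocument") or params.get("assumeRolePolicyDocument")
    if not doc:
        return []
    statements = json.loads(doc).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for stmt in statements:
        principal = stmt.get("Principal", {}) if stmt.get("Effect") == "Allow" else {}
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([aws] if isinstance(aws, str) else aws):
            m = ACCOUNT_RE.match(arn)
            if arn == "*" or (m and m.group(1) not in trusted):
                found.append(arn)  # wildcard or foreign-account principal
    return found

def access_denied_bursts(events, threshold=3):
    """Identity ARN -> AccessDenied count, for identities at or above `threshold`."""
    counts = Counter(e["userIdentity"]["arn"] for e in events if e.get("errorCode") == "AccessDenied")
    return {arn: n for arn, n in counts.items() if n >= threshold}
```

On the sample data the first check flags the `999999999999` principal added to `DeployRole`, and the second flags `alice` with four Access Denied errors, which together read like the Persistence and Pivot and Escalate stages of one of the game's cloud scenarios.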
Read more: https://securitylabs.datadoghq.com/articles/backdoors-and-breaches-gameplay-guide/