Created by: J. Krarup (Infrastructure Lead)
Notes: HANSEN-SAP-01 scheduled for decommission. Target date 2024-09-01. CaliSyncPro dependency identified – migration to cloud-native service required before shutdown. Security patching paused pending decommission.
Handout E: Collaborative Bridge Policy Exception
Large group equivalent: This handout maps to artifact cards B-R23-2 + B-R23-3 + part of C-R1-2.
IT Security exception register and ITSM dependency audit retrieved from BioGenix Solutions IT governance system. Requested by incident response team during lateral movement investigation.
Azure Conditional Access Exception Detail – COLLBRIDGE-EXCL-003
| Field | Value |
|---|---|
| Exception ID | COLLBRIDGE-EXCL-003 |
| Created | 2024-11-14 |
| Created by | IT Security Lead (M. Andersen) |
| Approved by | CTO (K. Fønsmark) |
| Last reviewed | NEVER |
| Expiry date | NOT SET |
| Review cadence | NOT CONFIGURED |

| Policy Bypassed | Description |
|---|---|
| CA-POLICY-MFA-ALL | MFA required for all cloud authentication |
| CA-POLICY-NTLM-BLOCK | Block legacy authentication protocols |

| Scope | Detail |
|---|---|
| Account | svc-rdbridge-admin |
| Source | HANSEN-SAP-01 on-premise subnet (10.12.4.0/24) |
| Permits | NTLM authentication without interactive logon or MFA |
Justification (recorded 2024-11-14):
"Temporary – required during Collaborative Bridge integration phase. To be removed when HANSEN-SAP-01 decommission completes (ITSM-29847)."
IM NOTES (Do Not Show to Players):
- COLLBRIDGE-EXCL-003 removed both MFA and NTLM-block enforcement for svc-rdbridge-admin originating from HANSEN-SAP-01. These were the only authentication controls that would have stopped lateral movement to the Azure R&D environment.
- Two actions are required to close the lateral movement path: (1) revoke svc-rdbridge-admin credentials and (2) close or scope COLLBRIDGE-EXCL-003. Revoking credentials alone is insufficient – the exception policy could enable re-exploitation via another compromised account in the HANSEN-SAP-01 subnet.
- The justification references ITSM-29847 as the trigger for removal. Players must make the cross-reference to the ITSM ticket to understand the full governance chain.
ITSM Ticket – ITSM-29847
ServiceNow – IT Service Management
ITSM-29847: HANSEN-SAP-01 Decommission – Blocked: Collaborative Bridge Dependency
| Field | Value |
|---|---|
| Ticket | ITSM-29847 |
| Status | OPEN |
| Priority | LOW |
| Category | Infrastructure / Decommission |
| Assigned to | UNASSIGNED |
| Created | 2024-08-15 |
| Updated | 2024-11-02 |
| Target date | 2024-09-01 (OVERDUE) |

Activity Log
2024-08-15 09:14:22 – State: NEW → OPEN
2024-09-01 00:00:00 – Automated: TARGET DATE PASSED
No resolution recorded. Ticket remains OPEN.
2024-09-12 14:33:07 – State: OPEN (no change)
Updated by: J. Krarup (Infrastructure Lead)
Notes: CaliSyncPro migration not scoped. Vendor has no cloud-native alternative. Decommission blocked until dependency resolved. Requesting SOC monitoring exclusion to reduce noise on decommission-backlog systems.
2024-09-14 10:08:44 – Related: SECOPS-EXCL-2024-017 created
SOC monitoring exclusion approved for HANSEN-SAP-01. Justification: Decommission backlog – alerts suppressed to avoid false positive noise during transition period.
2024-10-18 16:22:11 – Assignment change: J. Krarup → UNASSIGNED
J. Krarup departed organization. No handover recorded.
2024-11-02 11:45:33 – State: OPEN (no change)
Updated by: M. Andersen (IT Security Lead)
Notes: Collaborative Bridge integration completed. CaliSyncPro migration still pending. Created COLLBRIDGE-EXCL-003 to maintain HANSEN-SAP-01 connectivity via Collaborative Bridge. Priority set to LOW. No follow-up date scheduled.
[No further updates – last activity 2024-11-02]
IM Facilitation Notes
- Release when participants ask how COLLBRIDGE-EXCL-003 was created, why it had no expiry, or why HANSEN-SAP-01 was never actually decommissioned.
- The ticket history tells the governance failure story through timestamped state transitions: decommission blocked, patching paused, monitoring excluded, owner departed with no handover, exception created with no expiry or review date, then silence for 17 months.
- Key insight: the attacker found this attack path – they did not create it. Each step had an existing process that was not followed through.
- Use this handout to drive discussion on exception lifecycle management, ticket ownership continuity, and the risk of “temporary” controls that become permanent by inaction.
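
Added example (not part of the original handout or of any BioGenix tooling): a register audit that cross-references each exception with the ticket named as its removal trigger, which is the link players are asked to make by hand. The record layout, dictionary keys, finding names and the 90-day review threshold are assumptions; the values are constructed from the tables above.

```python
from datetime import date

# Constructed records mirroring the handout's register and ticket fields.
# The dictionary keys are assumptions, not a real export schema.
EXCEPTIONS = [{
    "id": "COLLBRIDGE-EXCL-003",
    "created": date(2024, 11, 14),
    "expiry": None,          # register shows "NOT SET"
    "last_reviewed": None,   # register shows "NEVER"
    "bypasses": ["CA-POLICY-MFA-ALL", "CA-POLICY-NTLM-BLOCK"],
    "removal_ticket": "ITSM-29847",
}]
TICKETS = {"ITSM-29847": {
    "status": "OPEN", "assignee": None, "target": date(2024, 9, 1),
}}

def audit_exception(exc, tickets, today, max_review_age_days=90):
    """Return the governance findings for one exception record."""
    findings = []
    if exc["expiry"] is None:
        findings.append("no-expiry")
    elif exc["expiry"] < today:
        findings.append("expired-still-active")
    last = exc["last_reviewed"]
    if last is None:
        findings.append("never-reviewed")
    elif (today - last).days > max_review_age_days:  # threshold is assumed
        findings.append("review-overdue")
    if len(exc["bypasses"]) > 1:
        findings.append("stacked-bypass")  # several controls lifted at once
    ticket = tickets.get(exc.get("removal_ticket"))
    if ticket is None:
        findings.append("removal-trigger-missing")
    elif ticket["status"] != "CLOSED":
        if ticket["assignee"] is None:
            findings.append("removal-trigger-unowned")
        if ticket["target"] < today:
            findings.append("removal-trigger-overdue")
        # The "temporary" condition was already past due when granted.
        if ticket["target"] < exc["created"]:
            findings.append("trigger-overdue-at-creation")
    return findings

def audit_all(exceptions, tickets, today):
    """Map each exception ID to its list of findings."""
    return {e["id"]: audit_exception(e, tickets, today) for e in exceptions}

if __name__ == "__main__":
    for exc_id, found in audit_all(EXCEPTIONS, TICKETS, date(2024, 12, 1)).items():
        print(exc_id, found)
```

The `trigger-overdue-at-creation` finding is the one a register review alone would miss: it only appears when the exception's creation date is compared with the target date of the ticket it depends on.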