Welcome to Gravity Falls, Oregon — where the Mystery Shack runs on paranoia, Journal 3 is the ultimate threat intelligence feed, and a triangular dream demon named Bill Cipher is your top-tier APT. Learn every Security+ SY0-701 domain through Dipper's investigations, Mabel's chaos, Ford's bunker architecture, and Bill's relentless social engineering.
"Trust no one." — Journal 3 | "A DEAL'S A DEAL!" — Bill Cipher
Objectives: 1.1 Security Controls · 1.2 Fundamental Concepts · 1.3 Change Management · 1.4 Cryptographic Solutions
Objectives: 2.1 Threat Actors · 2.2 Attack Vectors · 2.3 Vulnerabilities · 2.4 Indicators of Malicious Activity · 2.5 Mitigations
Objectives: 3.1 Architecture Models · 3.2 Enterprise Infrastructure · 3.3 Data Protection · 3.4 Resilience & Recovery
Objectives: 4.1 Security Techniques · 4.2 Asset Management · 4.3 Vulnerability Management · 4.4 Monitoring · 4.5 Enterprise Capabilities · 4.6 Identity & Access · 4.7 Automation · 4.8 Incident Response · 4.9 Investigations
Objectives: 5.1 Security Governance · 5.2 Risk Management · 5.3 Third-Party Risk · 5.4 Compliance · 5.5 Audits & Assessments · 5.6 Security Awareness
P.I.N.E.S. — Policies, Integrity, Networks, Encryption, Safeguards
S.T.A.N.F.O.R.D. — Social Engineering, Threat Actors, Attack Vectors, Network Attacks, Flaws, Outages, Ransomware, Demons
F.O.R.D. — Frameworks, Organization, Resilience, Design
W.A.D.D.L.E.S. — Watch, Alerts, Detection, Data, Logs, Events, Stability
B.I.L.L. — Boundaries, Integrity, Laws, Liability
Reads logs, hunts threats, and documents anomalies in the journal. Dipper is your incident responder — methodical, evidence-driven, and relentless in detection and analysis.
Embodies end-user behavior — creative, unpredictable, and occasionally the source of unintentional insider risk. Mabel's social energy maps to user-awareness training and phishing susceptibility testing.
The paranoid genius who designed the bunker's security architecture. Ford is your CISO — threat modeler, policy author, zero-trust evangelist, and PKI authority for anomaly research systems.
Stan runs the business with minimal security hygiene — cash-only, fake exhibits, probably violates a compliance regulation per episode. He's your insider-risk-adjacent business owner who prioritizes revenue over security controls.
Soos fixes things — sometimes correctly, sometimes accidentally creating a misconfiguration. He represents IT ops: enthusiastic, well-meaning, and the reason change management procedures exist.
Cool under pressure, practical, and handles physical security. Wendy understands the real-world controls — she knows when to escalate, when to hold the line, and when something is genuinely weird vs. normal weird.
The ultimate Advanced Persistent Threat. Bill is nation-state-level: near-unlimited resources, reality-bending capabilities, motivated by chaos. He social engineers, exfiltrates from minds, and attacks at every layer simultaneously.
Organized crime / hacktivist hybrid. Gideon uses social engineering, physical coercion, and manipulation to gain access. He's the threat actor that never gives up — persistent, resourceful, and personally motivated.
When Bill enters Ford's mindscape and extracts research data directly, that's advanced data exfiltration bypassing all technical controls. The countermeasure isn't purely technical — it's compartmentalization (Ford never giving Bill a mental foothold) plus strong MFA on access to sensitive thoughts. Organizations face the same with spear-phishing + credential theft leading to exfil.
The secret vending machine that leads to Ford's bunker is a physical access control vestibule (mantrap): you authenticate at the first door, and it must close behind you before the second one opens. Two separated checkpoints are what stop tailgating. On the SY0-701 exam this maps directly to objective 1.2, physical security controls.
Blendin Blandin traveling through logs and rolling back events is a perfect integrity attack — data is modified, timestamps are wrong, and the chain of custody for forensic evidence is destroyed. The defense is immutable logging, cryptographic log signing, and WORM storage so that even time-travel can't alter what was written.
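One way to build the tamper-evident log this card describes, written here as an added example (not code from the page): each record carries an HMAC tag computed over its own content plus the previous record's tag, so editing, deleting, reordering or back-dating an entry breaks verification. The signing key and the three sample records are constructed for the demo; a real deployment keeps the key in an HSM or KMS and ships records to WORM storage.

```python
import hmac
import hashlib
import json

# Constructed demo key: in production the signing key lives in an HSM/KMS,
# never on the same host as the log it protects.
SIGNING_KEY = b"journal-3-demo-key"

def _tag(prev_tag, entry):
    # Canonical JSON so the same entry always produces the same tag; the
    # previous tag is mixed in, so every record depends on all earlier ones.
    payload = prev_tag.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(log, ts, message):
    """Append a record whose tag chains it to the record before it."""
    prev = log[-1]["tag"] if log else "GENESIS"
    entry = {"seq": len(log), "ts": ts, "msg": message}
    log.append({**entry, "tag": _tag(prev, entry)})
    return log

def verify_log(log):
    """Return (ok, reason): recompute every tag, check order and timestamps."""
    prev, last_ts = "GENESIS", ""
    for i, rec in enumerate(log):
        entry = {k: rec[k] for k in ("seq", "ts", "msg")}
        if rec["seq"] != i:                      # deleted or reordered record
            return False, f"gap or reorder at position {i} (seq={rec['seq']})"
        if rec["ts"] < last_ts:                  # clock rolled back (ISO-8601 sorts as text)
            return False, f"timestamp rollback at seq {i}"
        if not hmac.compare_digest(rec["tag"], _tag(prev, entry)):
            return False, f"tag mismatch at seq {i}"   # content edited or forged
        prev, last_ts = rec["tag"], rec["ts"]
    return True, "chain intact"

def build_sample_log():
    """Constructed sample records for the 3 AM backup window from the scenario."""
    log = []
    append_entry(log, "2012-06-15T03:00:01Z", "backup job started")
    append_entry(log, "2012-06-15T03:05:44Z", "journal3.enc uploaded to offsite")
    append_entry(log, "2012-06-15T03:17:09Z", "outbound transfer 2.1 GB to unknown host")
    return log
```

Without a trusted anchor for the newest tag, an attacker who holds the key could still truncate the tail of the chain, which is why the latest tag is also published to a separate WORM store.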
Bill turning Gravity Falls into a nightmare dimension is the ultimate availability attack — every system overwhelmed, no services function, communications cut off. The countermeasure parallels enterprise DDoS mitigation: scrubbing centers, CDN-based absorption, emergency failover to cold sites, and an incident response plan that survives Weirdmageddon-level disruption.
SSH=22 · HTTP=80 · HTTPS=443 · DNS=53 · NTP=123 · RDP=3389 · LDAP=389 · LDAPS=636 · Syslog=514 · RADIUS=1812/1813 · TACACS+=49
Memory hook: Bill speaks on port 443 (HTTPS), but his real channel is port 22 (SSH — Secure Shell… Bill's deals).
Risk = Likelihood × Impact | SLE (single loss expectancy) = Asset Value × Exposure Factor | ALE (annualized loss expectancy) = SLE × ARO (annualized rate of occurrence)
RTO = max downtime tolerated before operations fail. RPO = max data age acceptable at recovery. MTTR = average repair time. MTBF = average time between failures.
AES = symmetric (128/192/256-bit) · RSA/ECC = asymmetric · SHA-256/SHA-3 = hashing · PBKDF2/bcrypt = key stretching/salting · Diffie-Hellman = key exchange · PFS = per-session keys, so a compromised long-term key does not expose past sessions.
SPF = lists authorized sending IPs in DNS · DKIM = cryptographic signature on outbound email · DMARC = policy published in DNS telling receivers what to do with mail that fails SPF/DKIM (monitor and report only, quarantine, or reject).
Analogy: SPF = bouncer's guest list · DKIM = wax seal on the envelope · DMARC = instructions to the post office if the seal is broken.
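To see how a receiver actually turns those three checks into a decision, here is an added example (not code from the page) of DMARC evaluation: a pass requires SPF or DKIM to pass and to be aligned with the From: domain, with strict or relaxed alignment taken from the adkim/aspf tags of the record, and any other outcome gets the p= action. The record and the domain mysteryshack.example are constructed; the organizational-domain helper is a simplification noted in the code.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List so that e.g. co.uk is handled correctly.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass' if an aligned SPF or DKIM pass exists, else the p= action."""
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, pol["adkim"])
    return "pass" if (spf_ok or dkim_ok) else pol["p"]

# Constructed example record for a fictional domain: strict DKIM alignment,
# relaxed SPF alignment, reject on failure, aggregate reports to rua.
SHACK_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@mysteryshack.example"
```

Note that an SPF pass from an unrelated domain (a bulk sender using its own envelope domain) still yields reject here, which is exactly the spoofing case DMARC alignment exists to catch.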
Never trust, always verify. Assume breach. Least privilege always. Micro-segmentation. Continuous monitoring and validation of every session — even Ford's own account gets re-verified when entering the bunker.
Plans, playbooks, tools, training. Ford writes contingency plans; Dipper memorizes the journal.
Identify and understand the incident. Noticing Bill's symbol in SIEM logs and tracing the pattern.
Limit the damage. Isolate compromised portals, restrict access to bunker systems, snapshot state.
Remove the threat. Purge Bill's code, close gateways, rebuild affected systems from known-good images.
Restore operations. Restore journals from encrypted offsite backups; verify integrity with hashes.
Review and improve. Dipper updates Journal 3 with exactly what went wrong and how to prevent it next time.
Account lockouts, impossible travel (Bill logging in from Dimension 52-B and Oregon simultaneously), out-of-cycle logging, missing logs, resource spikes.
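The impossible-travel indicator from this card as detection logic over constructed sample log lines, added here as an example and not taken from the page: successful logins per user are compared pairwise, and a pair whose great-circle distance divided by elapsed time exceeds airliner speed is flagged. The log line format, the user names and the documentation-range source IPs are all assumptions for the demo.

```python
import math
import re
from datetime import datetime, timezone

# Constructed auth-log format for this example; field order is assumed fixed.
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"geo=(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+) result=(?P<result>\w+)")
MAX_KMH = 900.0   # faster than an airliner: no legitimate traveller does this

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(lines):
    """Parse lines that match LINE_RE; return events sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # out-of-format lines are themselves worth a look
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["lat"], e["lon"] = float(e["lat"]), float(e["lon"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def impossible_travel(lines, max_kmh=MAX_KMH):
    """Flag users whose consecutive successful logins imply travel above max_kmh."""
    last, alerts = {}, []
    for e in parse_log(lines):
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 50 and (hours == 0 or km / hours > max_kmh):   # >50 km skips geo-IP jitter
                alerts.append((e["user"], prev["src"], e["src"], round(km), round(hours, 2)))
        last[e["user"]] = e
    return alerts

SAMPLE_LOG = [   # constructed lines; source IPs are from documentation ranges
    "2012-06-15T03:10:00Z user=ford src=203.0.113.7 geo=44.9,-123.0 result=success",
    "2012-06-15T03:12:30Z user=ford src=198.51.100.9 geo=-33.9,151.2 result=success",
    "2012-06-15T08:00:00Z user=mabel src=203.0.113.8 geo=44.9,-123.0 result=success",
    "2012-06-15T09:30:00Z user=mabel src=192.0.2.44 geo=45.5,-122.7 result=success",
]
```

Mabel's two Oregon logins 90 minutes apart stay quiet; Ford's Oregon-to-Sydney pair two and a half minutes apart is the alert, and the VPN exit nodes that cause most false positives would be handled by an allow-list in front of this check.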
Proactively searching for threats not yet detected by automated tools. Dipper reading between the lines of the journal — finding anomalies before SIEM fires.
False positive = alert fires but nothing is wrong (Mabel's glitter gun triggers motion sensors). False negative = real attack missed (Bill slips through undetected). CVSS scores help prioritize which findings to chase first.
SIEM collects, correlates, and alerts. SOAR adds automated response — auto-blocks Bill's IP, auto-creates a ticket, auto-notifies Ford without Soos needing to click anything.
Ford — the creator and ultimate responsible party for Journal 3 data. Defines classification and access policy.
Dipper — manages and protects the data on the owner's behalf. Runs backups, enforces access controls.
Soos — processes data per instructions from the owner. Doesn't make policy decisions, just executes them (sometimes incorrectly).
Responsible for GDPR/privacy compliance. Ensures tourist data from the Shack's gift shop isn't shared without consent.
Immediate notification up the chain — Dipper tells Ford within 1 hour of detecting anomalous log activity. Internal SLAs typically require rapid escalation.
Regulatory notifications (GDPR: 72 hours to supervisory authority), breach disclosure to affected individuals, law enforcement when criminal activity is involved.
Many frameworks set hard deadlines: PCI DSS requires immediate notification to payment brands; HIPAA requires 60-day breach notification; GDPR requires 72 hours to regulator.
Before any eradication — preserve evidence. Chain of custody maintained for every artifact. Dipper documents who touched the journal, when, and under what supervision before it's cleaned up.
Within 2 weeks of incident closure. Entire team present. Cover: what happened, root cause, what worked, what didn't, what to improve. Dipper writes it all into an updated journal entry — this becomes the new playbook.
MTTD (mean time to detect) · MTTR (mean time to respond/repair) · Number of IoCs detected vs. missed · Cost of incident · Compliance impact. These feed into the next risk assessment cycle.
If Bill's social engineering succeeded because Mabel clicked a phishing link, new training is mandatory before the next tabletop exercise. Awareness campaigns are updated to reflect current threat actor TTPs observed in the incident.
Journal 3 has been tampered with. Entries are missing, timestamps are wrong, and SIEM is showing Bill's triangular symbol in 14 log files. Blendin Blandin has been spotted near the server room. This is a full IR scenario — walk through every phase correctly to stop Bill and restore the journals.
Dipper notices journal entries from yesterday are gone, replaced by outdated versions. SIEM shows 47 failed logins from an unknown IP and a spike in outbound traffic at 3:17 AM. Ford is suspicious. What's your first move?
Hash verification confirms 12 journal files were modified. Blendin admits to "accidentally" time-traveling through the backup server at 3 AM. Bill's symbol appears in 3 system processes — memory injection suspected. What do you do?
Memory forensics confirms a rootkit installed by Bill's influence via a malicious macro in an email Ford opened. The rootkit has persistence mechanisms in 4 locations. You've contained the blast radius. Now what?
Systems rebuilt. Now you need to restore clean data and make sure this never happens again. Ford wants full documentation. Mabel wants to add glitter to the incident report. Soos says he has a "fix."
You walked through all 6 IR phases: preparation, detection and analysis, containment, eradication, recovery, and lessons learned.
The wheel turns, the journals are intact, and Waddles gets a celebratory snack. Somewhere Bill's voice fades: "I'LL BE BACK!" — but next time, you'll catch him in Phase 1.
Spaced repetition: Box 1 = new/weak · Box 5 = "Explain it to Ford while Bill whispers backwards."