Monday, April 29, 2013

MACCDC 2013, A Blue Teamer's Lessons Learned: Part 3 - Practice

This is the third part of a series of blog posts I'm writing to relate the various things I learned from getting to experience the glory that is MACCDC.  Here is a "table of contents" which I'll update with relevant posts:

#3 - Preparation (PRACTICE!)

#4 - Game Time

Preparation (PRACTICE!)

The team needs to have practice sessions where the systems are actually available to be utilized.  Scenarios should be utilized for practices to provide a sense of what the competition will be like.  During the practice sessions, each person should tackle the systems they're comfortable with first and then swap to something they are not comfortable with, such as starting on Windows and switching to Linux.  

Any tools desired to be used for competition time need to be vetted first.  Concerning tools, a quick note:

Da Tools

Toolsets - 1st party.  Each system has its own built-in security tools that could be leveraged.  Windows Server 2008 has an advanced firewall in which rulesets can be provisioned pretty granularly.  Linux distros typically have IPTables.  These types of basic built-in tool sets need to be learned through practices.  Before the shiny, fancy tools can be downloaded from the internet station these built-in tools are all you have to work with.

Toolsets - 3rd party.  Everyone loves finding research indicating a particular tool can do this or that, but unless you've actually used it and are comfortable implementing it, it's a waste of time and effort.  Team members should prune the tool set at least a month before competition time to narrow down a definitive list.  During that month or so prior to the competition, during practice sessions these tools need to be tested and tested from both a standalone and live-attack scenario (red-team sessions).

Scripting.  Red teamers automate as much as possible, and so should the Blue team.  Find simple scripts that can do some brute force defense while trying to lock down the system.  These scripts can be kicked off immediately and just run in the background, without waiting to be attacked first.  If they're already running from the start, at least they immediately kick off a Red team member, which prevents them from setting up persistence or at least slows them down.

Continue reading MACCDC 2013, Part 4