Monday, April 29, 2013

MACCDC 2013, A Blue Teamer's Lessons Learned: Part 3 - Practice


This is the third part of a series of blog posts I'm writing to relate the various things I learned from getting to experience the glory that is MACCDC.  Here is a "table of contents" which I'll update with relevant posts:



#3 - Preparation (PRACTICE!)

#4 - Game Time


Preparation (PRACTICE!)

The team needs practice sessions where the systems are actually available to be used.  Practices should run through scenarios to give a sense of what the competition will be like.  During the practice sessions, each person should first tackle the systems they are comfortable with and then swap to something they are not comfortable with, such as starting on Windows and switching to Linux.

Any tools you intend to use at competition time need to be vetted first.  Concerning tools, a quick note:


Da Tools


Toolsets - 1st party.  Each system has its own built-in security tools that can be leveraged.  Windows Server 2008 has an advanced firewall in which rulesets can be provisioned fairly granularly.  Linux distros typically have iptables.  These basic built-in tool sets need to be learned through practice.  Until the shiny, fancy tools can be downloaded from the internet station, these built-in tools are all you have to work with.

Toolsets - 3rd party.  Everyone loves finding research indicating a particular tool can do this or that, but unless you've actually used it and are comfortable implementing it, it's a waste of time and effort.  Team members should prune the tool set at least a month before competition time to narrow it down to a definitive list.  During that month or so prior to the competition, these tools need to be tested in practice sessions, both standalone and under live attack (red-team sessions).

Scripting.  Red teamers automate as much as possible, and so should the Blue team.  Find simple scripts that can do some brute-force defense while you work on locking down the system.  These scripts can be kicked off immediately and just run in the background, without waiting to be attacked first.  If they're already running from the start, at the very least they immediately kick off a Red team member, which prevents them from setting up persistence or at least slows them down.



Continue reading MACCDC 2013, Part 4

3 comments:

  1. When you talk about scripting, what tasks are you referring to? Password changes, installs, or more than that?

  2. Hi Edge_Reaver,

    First, thanks for reading!

    When I talk about scripting, I mean simple looping scripts that scrub temp directories or directories red teamers like to hide things that should normally be empty and/or won't affect running services. These include things like C:\temp on Windows and /tmp on Linux. You could also check directories like prefetch, etc. in the script.

    Scripting password changes would also be helpful. We had an Active Directory server that had 1,000 user accounts. A script that checked all non-elevated accounts and then changed the passwords for those accounts according to a pre-defined password scheme would be pretty sweet.

    The challenge with scripts from what I observed was that you need simple scripts of just a few lines that can do some grunt work while you deepen the defense. Then you have that added time to write out a more complex script with more advanced actions.

    Hope that clarifies what I meant!

  3. For those interested in sample defense scripts, I unfortunately don't have any prepped for demo/download. Still on the "to-do" list. However, one of the scripts a guy on our team ran on the SQL 2000 Server (yes, really) was a looping batch script that repeatedly deleted the temp directory. For Linux, check out "defensive tools for the blind" (dtftb). Sorry, but I don't have time to post them before this year's regionals. I wish all teams the best of luck!

    P.S. Check out (http://m0r3sh3lls.blogspot.com/2013/05/defensive-scripts-for-ctf.html). Some really good scripts there. Also, do a search on github for ccdc and/or ctf scripts.

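The "Scripting" section above and the author's comments describe a simple looping script that scrubs directories that should normally be empty (C:\temp, /tmp). As an added example that is not from the post or from any team's toolkit, the following POSIX shell script does that for Linux, but records name, size and SHA-256 of each file before removing it so the team keeps evidence of what was dropped, and skips paths matching a keep-glob (the default, systemd's private tmp directories, is an assumption) so running services are not broken. The directory list, log path and interval are assumptions.

```shell
#!/bin/sh
# Defensive temp-directory scrub loop (added example, not the post's own script).
# Each pass logs every regular file under the watched directories, then deletes it.
WATCH_DIRS="${WATCH_DIRS:-/tmp /var/tmp}"            # assumption: dirs that should stay empty
EVIDENCE_LOG="${EVIDENCE_LOG:-/root/scrub-evidence.log}"  # assumption: where findings are kept
INTERVAL="${INTERVAL:-30}"                           # seconds between passes
KEEP_GLOB="${KEEP_GLOB:-*/systemd-private-*}"        # assumption: service-owned paths to leave alone

# SHA-256 of one file; sha256sum on Linux, shasum elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi 2>/dev/null \
        | cut -d' ' -f1
}

# scrub_pass DIR LOG: log and remove each regular file under DIR, print how many were removed.
scrub_pass() {
    dir="$1"; log="$2"
    [ -d "$dir" ] || { echo 0; return 0; }
    touch "$log"
    before=$(wc -l < "$log")
    # The while loop runs in a subshell, so the count is taken from log lines, not a variable.
    find "$dir" -xdev -type f -print 2>/dev/null | while IFS= read -r f; do
        case "$f" in $KEEP_GLOB) continue ;; esac      # leave service-owned files alone
        sum=$(hash_file "$f")
        size=$(wc -c < "$f")
        printf '%s removed %s size=%s sha256=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" "$size" "$sum" >> "$log"
        rm -f -- "$f"
    done
    after=$(wc -l < "$log")
    echo $((after - before))
}

# Run forever in the background: every INTERVAL seconds scrub each watched directory.
scrub_loop() {
    while :; do
        for d in $WATCH_DIRS; do
            n=$(scrub_pass "$d" "$EVIDENCE_LOG")
            [ "$n" -gt 0 ] && echo "scrubbed $n file(s) from $d, details in $EVIDENCE_LOG"
        done
        sleep "$INTERVAL"
    done
}

# Start only when invoked as:  sh scrub.sh run &   (so sourcing the file does nothing)
if [ "${1:-}" = "run" ]; then scrub_loop; fi
```

Review the evidence log between passes; a file that keeps reappearing with the same hash points at the persistence mechanism the script is only masking, which still has to be found and removed by hand.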