Sunday, May 5, 2013

MACCDC 2013, A Blue Teamer's Lessons Learned: Part 4 - Game Time


This is the fourth part of a series of blog posts I'm writing to relate the various things I learned from getting to experience the glory that is MACCDC.  Here is the table of contents:





#4 - Game Time


Game Time


1) Make the most of your time.  This can be construed multiple ways, but if team members don't have access to the machines as expected, immediately start finding an alternate path.  Familiarize yourself with the scorebot GUI to locate flags and injects.  If you're waiting for an answer on something, try to multi-task.  Ideally there should never be a moment when someone is sitting and doing absolutely nothing.

2) Don't get over-confident.  I'm guilty of this myself.  I set down the basics on two Linux boxes without setting deeper security, and they both got owned on day two.  So, no matter the standings point-wise, don't stop securing a system until the end of the competition.

3) Communication.  It's the team captain's responsibility to receive and assign injects.  At the same time, the team captain is going to be pulled in multiple directions, so the captain needs to disseminate the injects effectively so that the whole team is aware of all the details.  This can be done by having the team captain log in to every machine so each team member can see the injects, or by assigning the injects.  If assigning injects, the team captain should ask the team who is familiar with the subject and assign the inject to the team member with the most familiarity.  If no one knows the inject subject, then the team captain should assign it to the person with the most availability to multi-task.

4) Receiving injects.  Injects are a high-scoring component of the game, so the team needs to identify all potential ways injects can be delivered.  This year that included a) email, b) phone, and c) sneakernet.  Within the first two hours of competition time, these methods should be identified and monitored.

5) Inject handling.  When team members receive an inject, those same team members may get pulled away from completing it.  If so, then the team member who was handling that inject needs to hand it off to another team member to ensure it gets completed or progress is made.  Basically, an inject should never stop being worked.  This ensures the team receives points for completing the inject and that it is finished in case another inject builds upon it.  When injects are received, the team captain needs to identify the deadline and keep monitoring progress as time ticks down to the deadline so that inject completion does not fall by the wayside.

6) Scorebot.  Each team member needs to, at some point, open scorebot and monitor the respective services on their assigned VMs.  Identify the services with the most points scored, and try to ensure that they stay active.  If the team members do not have time, then the team captain can perform this function on the "high side" (if there is one).
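Scorebot only tells you a service is down after the scoring round has already cost you points. A small watchdog that probes the scored services from the blue team's side and flags (or restarts) the ones that stop answering closes that gap. The script below is an added example and is not from the original post or from MACCDC's scoring tooling. The service inventory, ports and restart commands in SERVICES are constructed placeholders; replace them with your VM's real services, run it as a user allowed to restart them, and set the host to the VM's scored IP rather than 127.0.0.1 when you run it from another box, since a service listening on loopback but blocked by your own firewall will look up locally and down to the scorebot.

```python
"""Service watchdog for scored services: probe each one on a timer,
report the ones that are down, and optionally run a restart command.
Added example; the inventory below is constructed, not real competition data."""
import socket
import subprocess
import time

# Constructed inventory (assumption): name, where to probe, and how to restart.
# Put the highest-scoring services first so they are checked (and restarted) first.
SERVICES = [
    {"name": "ssh",  "host": "127.0.0.1", "port": 22, "restart": ["service", "ssh", "restart"]},
    {"name": "http", "host": "127.0.0.1", "port": 80, "restart": ["service", "apache2", "restart"]},
    {"name": "dns",  "host": "127.0.0.1", "port": 53, "restart": ["service", "bind9", "restart"]},
]


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.
    A completed handshake is enough to tell 'listening' from 'dead'; it does
    not prove the service answers correctly, which is what scorebot checks."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_services(services, prober=probe, timeout=2.0):
    """Probe every service once and return {name: up?}.
    'prober' is injectable so the logic can be exercised without a network."""
    return {svc["name"]: prober(svc["host"], svc["port"], timeout) for svc in services}


def triage(services, status, restart=False, runner=subprocess.run):
    """Return the names of services reported down, in inventory order.
    With restart=True, run each down service's restart command (if it has one)."""
    down = [svc for svc in services if not status.get(svc["name"], False)]
    for svc in down:
        if restart and svc.get("restart"):
            runner(svc["restart"], check=False)
    return [svc["name"] for svc in down]


def watch(services, interval=30, iterations=None, restart=False):
    """Loop forever (or 'iterations' times) printing a one-line status report."""
    n = 0
    while iterations is None or n < iterations:
        status = check_services(services)
        down = triage(services, status, restart=restart)
        stamp = time.strftime("%H:%M:%S")
        if down:
            print(f"[{stamp}] DOWN: {', '.join(down)}")
        else:
            print(f"[{stamp}] all {len(services)} services up")
        n += 1
        if iterations is None or n < iterations:
            time.sleep(interval)


if __name__ == "__main__":
    # Report only; pass restart=True once you trust the restart commands.
    watch(SERVICES, interval=30)
```

Keep the interval short enough to catch an outage before the next scoring round, but long enough that the restart command has finished before the next probe, or a slow-starting daemon will be restarted in a loop. Treat a service that keeps going down as an indicator that the red team still has a foothold, not just as a restart job.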

And that wraps up my lessons learned at a high level.  I hope this helps those preparing for CCDC-type competitions.  Check out Rob Fuller's presentation for more technical detail.



2 comments:

  1. Awesome posts! New link to the slides is here: http://www.room362.com/blog/2012/03/19/how-to-win-ccdc-slides/ sorry for the change, switched up blogging platform.

  2. Thanks! I'm a big fan of Metasploit Minute. I updated the slides link - great stuff!
