Competition Summary Individual Team Notes Team Improvement Competition improvement.
Day 1
Breakfast/Competition Brief: Hospital Scenario with Warm Site.
› All Cloud Based
Start of Competition
› One hour head start
› Chaotic
› Changed passwords and began hardening
› Bricked one Workstation
Day 1
Generator Issues due to SQL Injection
SmoothWall – Blocked 172.x.x.x
› Still had packets coming through
Day 2
Problems in the Morning
› Slow Internet (7Kbps)
› EMR Issues
› Scoring Engine (could not connect)
One Snapshot and One Reset per machine per hour
SmoothWall cannot traffic shape per interface
Day 2
BackTrack traffic rerouted
› (didn’t get its password changed)
Couple of rootkits
Rooted sessions
› They were given our passwords for the last 30 minutes
Day 2 - Debrief
Red team didn’t mention much
› Phishing
Drill everything
Task Organization
› Delegate with Feedback
› Follow up
› Verify
Day 2 - Debrief
Quality Control
› Read Forward for grammar and flow
› Read Backward for Spelling
Change Log from beginning
› Automated?
Team Member Presentations
Pre-CCDC Prep
› WordPress/Apache/MySQL
› Windows Server 2008
Security Configuration Time Mostly Spent:
› Changing passwords. yOungOrbitt3l3phOn3Occ!siOn!lly will forever haunt me.
› Downloading Windows Updates and Microsoft Security Essentials and MSE Updates (Waiting on internet)
› Monitoring success/fail server traffic
› Injects
Web Server:
› Simple HTML hosted on Windows Server 2008 R2
› Website defaced. Misspellings?
“Exploit Older Than 1 month”
Maxine
Team Member Presentations
Injects
› Company Security Policy (150/150)
  Gmail slow, failed to submit on time. Surprisingly got all points.
› Alert banner on website (100/100)
› Records Retention Policy (63/125)
  Lost points: 1 year vs. 3 years retention policy. Lesson learned: read documentation closely.
› Website email form w/captcha (0/300)
  Submitted late, minus captcha. I wish I had known PHP.
Maxine
Initial Tasks
› Break my box… and lock myself out
› Familiarize myself with SW and AV
› Determine hostile and safe networks
› Browse topologies and traffic routes
› Create plan for traffic blocking and shaping
Trevor
SmoothWall
Packets fly – Block known dangerous subnets
› Bad packets still ingressing…???
› Block all networks including the “Safe” 172.x … No change
› Apply QoS to links – can’t apply QoS to certain subnets, only to all equally
› Block devices per service – can’t block by type (TCP/UDP)
› Block specified hosts for a business inject – full points
Trevor
AlienVault
› Utilize AlienVault to monitor our subnets
› View in real time as packets hit each device
› Utilize logs and dashboard to determine which attacks were deployed and against which machine
› Utilize logs for a business inject – never awarded
Trevor
For improvement
› Create ACLs for each service to each box – give example
› Lock down BackTrack as my second priority
› Copy team competition docs in a clean manner
› Test SmoothWall and AlienVault before use if time allows
Trevor
What I learned
› Need to prioritize hardening
› Check for services being up after each step
› Need to map network immediately
› Don’t assume failures are from attacks
› Don’t count on the internet working
› Create a file repository on file server
› Backup, Backup, Backup (One per hour)
Scott
Mistakes I made
› Not knowing how scoring system worked
› Not updating passwords in scoring engine
› Not asking enough questions
› Did not verify services being up from outside of server
› Did not Log Everything
› Eating the lasagna for lunch
Scott
Things to do for next year
› Learn specific admin roles
› Learn popular software packages for DC, Mail, Web services etc.
› How to run BackTrack GUI over SSH
› Create a script to check for server uptime
› Monitor Traffic constantly
› Practice Competition with other Schools
Scott
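Scott’s “script to check for server uptime” and the earlier note about verifying services from outside the server, as an added example that is not from the team’s slides: a small Python poller that tests each scored service over TCP from outside the host (the way a scoring engine sees it) and prints only state transitions, which also gives the change log the team wanted. Service names and host addresses are constructed sample values.

```python
"""External service availability check (added example, not the team's code).

A service that is running locally is not necessarily reachable by the
scoring engine; this polls each scored service from outside the host.
"""
import socket
import time

# Constructed sample target list: (service name, host, TCP port).
# Replace with the real scored services from the team packet.
TARGETS = [
    ("web", "192.0.2.10", 80),
    ("dns", "192.0.2.20", 53),
    ("mail", "192.0.2.30", 25),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, DNS failure
        return False


def check_all(targets, timeout=3.0):
    """Check every target once; return a dict of name -> 'UP' / 'DOWN'."""
    return {name: ("UP" if check_tcp(host, port, timeout) else "DOWN")
            for name, host, port in targets}


def changed(previous, current):
    """Names whose state differs from the previous round (sorted, for the change log)."""
    return sorted(n for n in current if previous.get(n) != current[n])


def monitor(targets, interval=60, rounds=None):
    """Poll forever (or `rounds` times), printing only transitions with a timestamp."""
    previous = {}
    n = 0
    while rounds is None or n < rounds:
        if n:
            time.sleep(interval)
        current = check_all(targets)
        for name in changed(previous, current):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), name, current[name])
        previous = current
        n += 1


if __name__ == "__main__":
    monitor(TARGETS)
```

Run it in a terminal on a machine that sits outside the scored hosts (or on the firewall’s external side) so a blocked port shows up as DOWN even though the service is alive locally.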
Reflections
Better preparation
› Infrastructure
› Connection to servers
› Injects
› Presentation
Blue Team Debrief
› Less organized than last year
Theora
Next Year Suggestions
› Analyze infrastructure
› Keep a change log
› Delete unnecessary users immediately
› Drill on reporting passwords
› Larger font passwords
› Watch time
› Drill machine lock down more
Theora
Jason
Don’t trust White Team
› Specifically, executables they give us
If Gmail or similar is used next time, allot more time for sending inject emails before the deadline
› Slow internet led to late submissions
Jason
Opening Hand
› Generator duty
› Directions were specific, but also not entirely inclusive
› Port closing inject
› ACCESS!! And Denied
› Note, get there faster!
Morgan
Back in Business
› Began and completed hardening procedures on CentOS server
› Performed injects
› Performed constant checks
Morgan
Day 2
› Regular checking of who was logged in
› Regular checking of system
› Program Inject
› More infrastructure issues
Morgan
Endgame
› CONSTANT scans and log checking
› Ensuring IP was constantly logged in
Conclusions
› Find a way to read full team packet
› Harden MySQL server against SQL injection
› Scoring engine password change after reset
› Ensure white team has access as well as you!
Morgan
Domain Controller
Positives
› Never had machine taken over
› Had a fairly high uptime
› All domain controller injects completed successfully
› No successful attacks against the DC
Nate
Domain Controller
Negatives
› Windows updates affected uptime (30 minutes per restart), part of which may have been the infrastructure
› Had to roll back to beginning of competition after there was an issue with DNS and GPOs not being applied properly
› Server had slow reaction time a lot of the time, which made it difficult to do a lot.
Nate
Domain Controller
Improvements for next time
› Try to just do service pack updates as close together as possible (not using Windows Update)
› If infrastructure is slow, only do restarts when absolutely necessary and at convenient times (lunch/dinner)
› Learn to use the Security Configuration Wizard better.
› Be able to restore domain connection without having to go to each individual machine.
Nate
Team Improvements
› Better Password Management
  › Suggestion from Captain Aaron Garner
  › Easier to type?
› Change database settings in the first 60 min
› Check websites for sanitization in the first 60 min
› Familiarization with software firewalls/routers/switches
Team Improvements
› Diagram Network on Board
  › Kerckhoffs’ Principle
› Quickly disseminate default usernames and passwords
› Create new GPOs for Domain Server
› Pay attention to Snapshot policy
Competition Improvements
Better Communication
› Prior to Competition
  › Team Leaders don’t really need to be there
› During competition
  › White team and Black team not very forthcoming
  › Didn’t tell us not to change email password
Injects
› Some injects were not sensible for competition (ex. recommendations about cloud services during a crisis situation)