
PRCCDC 2014 Recap




Presentation Transcript


  1. PRCCDC 2014 Recap
    By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip

  2. Scott Amack – PRCCDC Scenario
    • Shark Industries Weapon Manufacturer
    • Incomplete Network Map Provided
    • 4 Windows 7 Machines
    • 4 Windows XP Machines
    • Plus various network machines
      • File and Mail Server, “HMI” Computer, Domain Controller, VPN Server, Web Server

  3. Scott Amack – PRCCDC Team Preparation
    • RADICL Lab Down
    • Prepped Team for Injects
    • Team had to practice on their own VMs
    • Prepped team to think fast on their feet
    • Lots of quick exercises in prep class

  4. Scott Amack – PRCCDC Scores
    • Team Scored 6th Overall
    • 1st Place in Incident Response
    • 2nd Place in Injects (15 points from 1st)
    • 1st Place in Uptime
    • 11th Place in Attacks against us

  5. Scott Amack – PRCCDC Inject Scores

  6. Scott Amack – PRCCDC Uptime Scores

  7. Scott Amack – PRCCDC Lessons Learned
    • Need to teach team how to find and eradicate malware
    • Need to defend against RATs (Dark Comet and Poison Ivy variants)
    • Need to learn how Cobalt Strike Beacons can be eradicated
    • Really need a lab environment to practice in
    • Need to learn multiple tools for doing different tasks

  8. Scott Amack – White Team Debrief
    • Centralized Leadership was excellent
    • Each Member assigned a specific role works very well
    • Inject with team captain out sick did not work so well for us
    • Liked that we drew diagrams on the board
    • Liked that we asked unauthorized visitors to leave immediately
    • Quick solutions to the right problems is the way to win

  9. Ranger Adams - Responsibilities
    • Going in
      • Web Server (Ubuntu)
      • Maybe MySQL
    • There
      • Web Server (Ubuntu)
      • Web Server (IIS)
      • MySQL Box (Ubuntu)
      • Application Server (IIS)

  10. Ranger Adams - Preparation
    • Linux
    • PHP/JavaScript
    • Linux Services
    • Basic Windows

  11. Ranger Adams - Mistakes
    • UFW blocking MySQL
    • Full control of assets
    • Attention to Windows
    • Windows Firewall

  12. Ranger Adams – Lessons Learned
    • Firewalls are tricky, but powerful
    • Learn more breadth, less depth

  13. Jeff Crocker - Responsibilities
    • Email Server

  14. Jeff Crocker - Preparation
    • Email Server
    • Online Tutorials
    • Veteran Knowledge
    • Presentations
    • Passwords

  15. Jeff Crocker - Mistakes
    • Open Relay Fix
    • Sitting by the phone
    • User Accounts
    • Excessive Passwords

  16. Jeff Crocker – Lessons Learned
    • Check Assumptions
    • Gear Switching
    • Googling Skills
    • Availability vs. Integrity

  17. Ben Cumber - Responsibilities
    • Windows File Server
      • Windows 2008 R2 server
      • Running freeFTPd
    • Windows XP workstations 7 and 8

  18. Ben Cumber - Preparation
    • Windows hardening guide on personal machine.
    • Read through team binder.
    • Reviewed PRCCDC rules.

  19. Ben Cumber - Mistakes
    • Couldn’t RDP to Windows server.
    • Could not connect to file service.
    • Reinstalled file service (wasn’t necessary).

  20. Ben Cumber – Lessons Learned
    • RDP
    • Filezilla and WinSCP
    • Gained a much better understanding of what exactly a file server is.

  21. Keith Drew - Responsibilities
    • Maintain Logs of System Changes
    • Maintain Telephone Logs
    • Windows Workstation Hardening

  22. Keith Drew - Preparation
    • Documentation
    • Mini Lab on Personal Computer
    • Developed Hardening Guides

  23. Keith Drew - Mistakes
    • Not killing malicious process
    • Not utilizing all tools available to me (vSphere Client)

  24. Keith Drew – Lessons Learned
    • How attacks are performed

  25. Heather Haphey - Responsibilities
    • Smoothwall Virtual Router
    • Handle injects
    • Policy writing
    • Report generation
    • Briefing
    • Binder creation

  26. Heather Haphey - Preparation
    • Researched Smoothwall and Virtual Routing
    • Reviewed and rewrote real policies
    • Practiced briefing
    • Collected and created binder materials
    • Read offensive and defensive tactics

  27. Heather Haphey - Mistakes
    • Learned wrong Virtual Router
      • Vyatta instead of Smoothwall
    • Didn’t back up editable sample documents
    • Realized the router GUI too late
    • Not prepared to detect and prevent attacks

  28. Heather Haphey – Lessons Learned
    • More research about red team tools
    • Back up anything useful
    • Snapshot -> Harden -> Snapshot
    • Get injects done ASAP, use full time
    • Review requirements part-way through
    • Stay focused on AOR, remain calm
    • ASK ASK ASK and trust intuition
    • Get into the scenario, seek real answers

  29. Nate Krussel - Responsibilities
    • Windows Active Directory
      • Group Policies
      • Domain Knowledge
    • Team Co-Captain
      • Help in team preparation
      • Back up to Scott
    • Knowledge Transfer
      • Sharing experience and strategies that have worked or not worked in past competitions

  30. Nate Krussel - Preparation
    • Doing previous years’ injects
      • Even if not exactly the same, they may be fairly close
    • Read up on required services/ports
      • Often the competition has more open things than needed to run the required service
    • Industry hardening guides
      • Give the quick and useful information on hardening
    • Acquired General Knowledge
      • Easier stepping into Scott’s shoes if need be

  31. Nate Krussel - Mistakes
    • Firewall Rules
      • Need to only allow certain IPs to access the domain and domain resources
      • Should slow down the red team
    • Too much time as Domain Admin account
      • Much easier for red team to steal credentials if they break into the box
    • Not checking scheduled tasks
      • Allowed red team to manipulate our firewalls across the domain
    • Didn’t lock out all additional user accounts that weren’t required for score bot or us
      • Not how a normal business runs, but works well for the competition

  32. Nate Krussel – Lessons Learned
    • Always scan inside and outside your network and speak up if a new box appears
    • If given vSphere client, turn off servers’ RDP and SSH abilities (if possible) and use the client
    • Check firewall rules regularly
    • Use virtual router to try and limit access at the port level if possible; reduces attack surface greatly
    • Always communicate and make sure to get confirmation of a task that needs to be done, to make sure the message got across
    • Easier to have the DC auto-update the group policy instead of having everybody update it themselves
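The "not checking scheduled tasks" mistake on the previous slide and the "check firewall rules regularly" lesson here both come down to comparing the current state of a box against the snapshot taken right after hardening. The following is an added example, not code from the PRCCDC team: it diffs two `schtasks /query /fo CSV /v` exports and flags new or changed tasks whose command touches the host firewall or looks like an encoded command. It assumes the CSV carries the columns "HostName", "TaskName", "Author" and "Task To Run"; the two snapshots embedded below are constructed samples, not data from the competition.

```python
"""Baseline-diff of Windows scheduled tasks.

Added example (not from the PRCCDC presentation). Assumes snapshots were taken
with `schtasks /query /fo CSV /v` and contain the columns "HostName",
"TaskName", "Author" and "Task To Run". All rows below are constructed.
"""
import csv
import io
import re

# Constructed watch-list of command fragments worth a second look when they
# show up in a task that is new or changed since the last snapshot.
SUSPICIOUS_PATTERNS = [
    re.compile(r"netsh\s+(advfirewall|firewall)", re.I),       # host firewall changes
    re.compile(r"(Set|Disable|Remove)-NetFirewall", re.I),      # same, via PowerShell
    re.compile(r"powershell.*-(enc|encodedcommand)\b", re.I),   # encoded command
    re.compile(r"\\Users\\Public\\|\\Temp\\|%TEMP%", re.I),     # user-writable paths
]

# Constructed snapshot taken right after hardening (the "Snapshot -> Harden -> Snapshot" step).
BASELINE_CSV = r'''"HostName","TaskName","Author","Task To Run"
"DC01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h"
"DC01","\BackupAD","SHARK\admin","C:\Scripts\backup_ad.cmd"
'''

# Constructed snapshot taken later: one task was added, one was modified.
CURRENT_CSV = r'''"HostName","TaskName","Author","Task To Run"
"DC01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h"
"DC01","\BackupAD","SHARK\admin","powershell.exe -nop -w hidden -enc AAAA"
"DC01","\Updater","SHARK\admin","cmd.exe /c netsh advfirewall set allprofiles state off"
'''


def parse_schtasks_csv(text):
    """Map task name -> row dict from schtasks CSV output."""
    return {row["TaskName"]: row for row in csv.DictReader(io.StringIO(text))}


def diff_tasks(baseline_text, current_text):
    """Return (new, changed, removed) task-name lists; 'changed' means the
    'Task To Run' command differs from the baseline."""
    base = parse_schtasks_csv(baseline_text)
    cur = parse_schtasks_csv(current_text)
    new = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(name for name in set(base) & set(cur)
                     if base[name]["Task To Run"] != cur[name]["Task To Run"])
    return new, changed, removed


def flag_suspicious(current_text, names):
    """Return {task name: [matched pattern, ...]} for the named tasks whose
    command matches the watch-list."""
    cur = parse_schtasks_csv(current_text)
    hits = {}
    for name in names:
        cmd = cur[name]["Task To Run"]
        matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(cmd)]
        if matched:
            hits[name] = matched
    return hits


def audit(baseline_text, current_text):
    """One-call summary: which tasks drifted, and which of those look hostile."""
    new, changed, removed = diff_tasks(baseline_text, current_text)
    return {
        "new": new,
        "changed": changed,
        "removed": removed,
        "suspicious": flag_suspicious(current_text, new + changed),
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE_CSV, CURRENT_CSV).items():
        print(f"{key}: {value}")
```

Run it against real exports by reading the two CSV files into `audit()`; the drift list is what to review at each "check firewall rules regularly" pass, and the watch-list is deliberately short so that a team can extend it with whatever the red team used against them last time.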

  33. Chris Waltrip – Responsibilities
    • Kali Linux VM
      • Outside of Corporate Network
      • Used to see what is visible from the outside
      • Port Scanning
      • Network Sniffing
      • Vulnerability Analysis
    • Windows Server 2008 R2 (HMI Server)
      • Not initially planned

  34. Chris Waltrip - Preparation
    • Learned the basics of Nmap and Wireshark
    • Researched Web Application Firewall
      • Specifically ModSecurity
      • Never actually used
    • Created Cheat Sheets
      • Useful Tools
      • Common & Useful Commands

  35. Chris Waltrip - Mistakes
    • Didn’t see VPN on Second Day
      • Nmap Port Scans
      • Wireshark DNS Traffic
    • HMI Server
      • Saw server, but thought it was the Vyatta firewall
      • Didn’t know Default Credentials
      • Attached to Domain
      • Cobalt Strike Beacons

  36. Chris Waltrip – Lessons Learned
    • Tons!
    • Nmap and Wireshark
    • Team Dynamics & Collaboration
    • Cobalt Strike’s Beacon
      • Has its own packaged DNS server
    • How Effective Our Countermeasures Were
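The point that Beacon ships its own DNS server, together with the "Wireshark DNS traffic" item on the mistakes slide, is what makes DNS logs a useful place to look for the implant the team could not eradicate. The following is an added example, not the presentation's or Cobalt Strike's own code, and it generalizes beyond that one tool: it applies the common heuristic that command-and-control carried over DNS appears as one client asking for many distinct, random-looking subdomains under a single registered domain. It assumes query records in a constructed "<timestamp> <client-ip> <qname> <qtype>" line format, approximates the registered domain as the last two labels (no public-suffix list), and the sample log it builds is constructed, with `c2.example` standing in for an attacker domain.

```python
"""Spotting DNS-based beaconing in query logs.

Added example (not from the PRCCDC presentation). Assumes log lines of the
form "<timestamp> <client-ip> <qname> <qtype>" and uses a general heuristic:
many unique, high-entropy subdomains from one client under one registered
domain. The registered domain is approximated as the last two labels.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels, e.g. 'abc.c2.example' -> 'c2.example' (assumption: no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line):
    timestamp, client, qname, qtype = line.split()
    return timestamp, client, qname.rstrip(".").lower(), qtype.upper()


def find_beacon_candidates(lines, min_unique=20, min_entropy=3.0):
    """Return one record per (client, domain) pair exceeding both thresholds."""
    stats = defaultdict(lambda: {"subdomains": set(), "queries": 0, "qtypes": defaultdict(int)})
    for line in lines:
        _, client, qname, qtype = parse_line(line)
        domain = registered_domain(qname)
        subdomain = qname[: -len(domain) - 1] if len(qname) > len(domain) else ""
        entry = stats[(client, domain)]
        entry["queries"] += 1
        entry["qtypes"][qtype] += 1
        if subdomain:
            entry["subdomains"].add(subdomain)

    candidates = []
    for (client, domain), entry in stats.items():
        subs = entry["subdomains"]
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_entropy < min_entropy:
            continue
        candidates.append({
            "client": client,
            "domain": domain,
            "queries": entry["queries"],
            "unique_subdomains": len(subs),
            "mean_entropy": round(mean_entropy, 2),
            "qtypes": dict(entry["qtypes"]),
        })
    return sorted(candidates, key=lambda c: c["unique_subdomains"], reverse=True)


def constructed_log():
    """Constructed sample: one benign workstation plus one that beacons over DNS."""
    lines = []
    benign = ["www.shark.example", "mail.shark.example", "calendar.shark.example",
              "www.windowsupdate.example", "dc01.shark.example"]
    for i in range(40):
        lines.append(f"2014-03-29T10:{i:02d}:00 10.0.1.22 {benign[i % len(benign)]} A")
    for i in range(30):
        # Deterministic stand-in for the random-looking labels a DNS implant emits.
        label = hashlib.sha256(f"beacon{i}".encode()).hexdigest()[:32]
        lines.append(f"2014-03-29T10:{i:02d}:05 10.0.1.15 {label}.c2.example TXT")
    lines.append("2014-03-29T10:31:00 10.0.1.15 www.shark.example A")
    return lines


if __name__ == "__main__":
    for candidate in find_beacon_candidates(constructed_log()):
        print(candidate)
```

On a real resolver export the thresholds are the knobs to tune: CDNs and some cloud services legitimately produce many subdomains, so review what the script surfaces rather than treating a hit as proof, and a workstation whose hits are almost all TXT queries to a domain nobody on the team recognizes is the one to pull the plug on and image.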

  37. Pictures from Event
