PRCCDC 2013
PRCCDC Team

Overview
• Competition Summary
• Individual Team Notes
• Team Improvement
• Competition Improvement

Day 1
• Breakfast/Competition Brief
• Hospital Scenario with Warm Site
• All Cloud Based
• Start of Competition
  • One hour head start
  • Chaotic
  • Changed passwords and began hardening
  • Bricked one Workstation

Day 1
• Generator Issues due to SQL Injection
• SmoothWall – Blocked 172.x.x.x
  • Still had packets coming through

Day 2
• Problems in the Morning
  • Slow Internet (7 Kbps)
  • EMR Issues
  • Scoring Engine (could not connect)
• One Snapshot and One Reset per Machine per Hour
• SmoothWall cannot traffic shape per interface

Day 2
• BackTrack traffic rerouted (didn’t get its password changed)
• Couple of rootkits
• Rooted sessions
• They were given our passwords for the last 30 minutes

Day 2 - Debrief
• Red team didn’t mention much
• Phishing
• Drill everything
• Task Organization
  • Delegate with Feedback
  • Follow up
  • Verify

Day 2 - Debrief
• Quality Control
  • Read Forward for grammar and flow
  • Read Backward for Spelling
• Change Log from beginning
  • Automated?
Team Member Presentations
• Pre-CCDC Prep
  • WordPress/Apache/MySQL
  • Windows Server 2008
  • Security Configuration
• Time Mostly Spent:
  • Changing passwords. yOungOrbitt3l3phOn3Occ!siOn!lly will forever haunt me.
  • Downloading Windows Updates and Microsoft Security Essentials and MSE Updates (waiting on internet)
  • Monitoring success/fail server traffic
  • Injects
• Web Server:
  • Simple HTML hosted on Windows Server 2008 R2
  • Website defaced. Misspellings? “Exploit Older Than 1 month”
Maxine

Team Member Presentations
• Injects
  • Company Security Policy (150/150)
    • Gmail slow, failed to submit on time. Surprisingly got all points.
  • Alert banner on website (100/100)
  • Records Retention Policy (63/125)
    • Lost points: 1 year vs. 3 years retention policy.
    • Lesson learned: read documentation closely.
  • Website email form w/ captcha (0/300)
    • Submitted late, minus captcha
    • I wish I had known PHP
Maxine
Perimeter Security
Smoothwall Firewall & AlienVault OSSIM
Trevor

Initial Tasks
• Break my box… and lock myself out
• Familiarize myself with SW and AV
• Determine hostile and safe networks
• Browse topologies and traffic routes
• Create plan for traffic blocking and shaping
Trevor

SmoothWall
• Packets fly – Block known dangerous subnets
• Bad packets still ingressing…???
• Block all networks including the “Safe” 172.x .. No change
• Apply QoS to links – can’t apply QoS to certain subnets, but only to all equally
• Block devices per service – can’t block by type (TCP/UDP)
• Block specified hosts for a business inject – full points
Trevor

AlienVault
• Utilize AlienVault to monitor our subnets
• View in real time as packets hit each device
• Utilize logs and dashboard to determine which attacks were deployed and against which machine
• Utilize logs for a business inject – never awarded
Trevor

For improvement
• Create ACLs for each service to each box – give example
• Lock down BackTrack as my second priority
• Copy team competition docs in a clean manner
• Test SmoothWall and AlienVault before use if time allows
Trevor
What I learned
• Need to prioritize hardening
• Check for services being up after each step
• Need to map network immediately
• Don’t assume failures are from attacks
• Don’t count on the internet working
• Create a file repository on file server
• Backup, Backup, Backup (one per hour)
Scott

Mistakes I made
• Not knowing how scoring system worked
• Not updating passwords in scoring engine
• Not asking enough questions
• Did not verify services being up from outside of server
• Did not log everything
• Eating the lasagna for lunch
Scott

Things to do for next year
• Learn specific admin roles
• Learn popular software packages for DC, Mail, Web services, etc.
• How to run BackTrack GUI over SSH
• Create a script to check for server uptime
• Monitor traffic constantly
• Practice competition with other schools
Scott
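Scott's "create a script to check for server uptime", together with his notes that services were never verified from outside the server and that nothing was logged, comes down to one small tool: probe each scored service the way the scoring engine does (a connection from outside, and for the web server the actual page content), and write a timestamped line per check so the results double as the change/status log the debrief asked for. The following is an added example written for this page, not the team's script. It assumes Python 3 only; the service names, hosts and page text are constructed, and the demo stands up its own throwaway HTTP servers on 127.0.0.1 so it runs offline.

```python
"""Check that scored services answer from outside the host, and log each result.

Added example for this debrief (not the team's own script). Probes a service by
TCP connect, or by an HTTP GET that must return a 2xx/3xx and contain expected
text, and formats one timestamped log line per check.
"""
import http.client
import http.server
import socket
import threading
from datetime import datetime, timezone


def check_tcp(host, port, timeout=2.0):
    """Return (up, detail); up is True when the port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:  # refused, timed out, unreachable, ...
        return False, f"tcp connect failed: {exc}"


def check_http(host, port, expect=None, path="/", timeout=2.0):
    """Return (up, detail); up only for a 2xx/3xx answer that contains `expect`.

    A server that answers but serves the wrong page (e.g. a defaced index) is
    reported as DOWN, which is what a content-checking scoring engine sees too."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return False, f"http request failed: {exc}"
    finally:
        conn.close()
    if not 200 <= resp.status < 400:
        return False, f"http status {resp.status}"
    if expect is not None and expect not in body:
        return False, f"http {resp.status} but expected text {expect!r} missing"
    return True, f"http {resp.status}, expected text present"


def check_service(name, host, port, kind="tcp", expect=None, timeout=2.0):
    """Run the probe for one service and return a dict suitable for logging."""
    if kind == "http":
        up, detail = check_http(host, port, expect, timeout=timeout)
    else:
        up, detail = check_tcp(host, port, timeout=timeout)
    return {"name": name, "host": host, "port": port, "up": up, "detail": detail}


def log_line(result, stamp=None):
    """One line for the running status/change log (UTC timestamp, state, target, detail)."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    state = "UP" if result["up"] else "DOWN"
    return f"{stamp} {state:<4} {result['name']}@{result['host']}:{result['port']} {result['detail']}"


def start_local_http_server(body):
    """Throwaway HTTP server on 127.0.0.1 serving `body` (constructed stand-in for
    the scored web server); returns (server, port)."""
    data = body.encode()

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo output clean
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Self-contained run: a healthy page, a defaced page, and a port nobody listens on."""
    good, good_port = start_local_http_server("<h1>Hospital Portal</h1>")
    defaced, defaced_port = start_local_http_server("<h1>owned</h1>")
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()  # port is free again, so a connect is refused
    results = [
        check_service("web", "127.0.0.1", good_port, "http", expect="Hospital"),
        check_service("web-defaced", "127.0.0.1", defaced_port, "http", expect="Hospital"),
        check_service("ssh", "127.0.0.1", dead_port, "tcp"),
    ]
    for srv in (good, defaced):
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for r in demo():
        print(log_line(r))
```

In use, replace the demo targets with the real service list and run the script from a host on the scoring side of the firewall every few minutes (cron or a loop), appending the output to a file; the lines then answer both "is it up after the change I just made" and "when did it go down".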
Reflections
• Better preparation
  • Infrastructure
  • Connection to servers
  • Injects
  • Presentation
• Less organized than last year
• Blue Team Debrief
Theora

Next Year Suggestions
• Analyze infrastructure
• Keep a change log
• Delete unnecessary users immediately
• Drill on reporting passwords
• Larger font passwords
• Watch time
• Drill machine lock down more
Theora
Jason
• Don’t trust White Team
  • Specifically, executables they give us
• If Gmail or similar is used next time, allot more time for sending inject emails before the deadline
  • Slow internet led to late submissions
Jason
PRCCDC Events
Morgan Weir
Morgan

Opening Hand
• Generator duty
  • Directions were specific, but also not entirely inclusive
• Port closing inject
  • ACCESS!! And Denied
  • Note: get there faster!
Morgan

With Assistance
• Encrypted MySQL password
• Checked PHP code for funny business
Morgan

Back in Business
• Began and completed hardening procedures on CentOS server
• Performed injects
• Performed constant checks
Morgan

Day 2
• Regular checking of who was logged in
• Regular checking of system
• Program Inject
• More infrastructure issues
Morgan
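"Regular checking of who was logged in" is only useful if each check is compared with the last one and judged against a policy, so that a rooted session shows up as something other than one more line of `who` output. The block below is an added example for this page, not Morgan's or the team's code. It parses `who`-style output (the two snapshots are constructed), flags sessions that are not the team's account or come from outside the network the team administers from, and lists sessions that appeared since the previous check. The account name and trusted network are assumptions for the demo.

```python
"""Regular 'who is logged in' check with a diff against the previous snapshot.

Added example for this debrief, not the team's own script. Parses `who` output,
flags sessions that violate a simple policy, and reports sessions new since the
last check. Sample snapshots below are constructed.
"""
import ipaddress
import re

# Constructed samples in the column layout `who` prints on a Linux host:
# user, tty, login time, and the source host in parentheses for remote sessions.
WHO_SNAPSHOT_1 = """\
blueadmin  pts/0        2013-03-23 09:02 (10.10.1.20)
blueadmin  pts/1        2013-03-23 09:40 (10.10.1.21)
"""
WHO_SNAPSHOT_2 = """\
blueadmin  pts/0        2013-03-23 09:02 (10.10.1.20)
blueadmin  pts/1        2013-03-23 09:40 (10.10.1.21)
root       pts/2        2013-03-23 10:15 (172.16.44.9)
svc_backup tty1         2013-03-23 10:31
"""

# Assumed policy: only this account holds interactive sessions, and only from this network.
ALLOWED_USERS = {"blueadmin"}
TRUSTED_NETS = [ipaddress.ip_network("10.10.1.0/24")]

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\((?P<src>[^)]*)\))?\s*$"
)


def parse_who(text):
    """Turn `who` output into session dicts; src is None for console logins."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank or unexpected lines rather than crash mid-shift
            sessions.append({"user": m["user"], "tty": m["tty"],
                             "time": m["time"], "src": m["src"]})
    return sessions


def session_key(s):
    """Identity of a session across snapshots: same user, tty and login time."""
    return (s["user"], s["tty"], s["time"])


def new_sessions(previous, current):
    """Sessions present now that were not in the previous snapshot."""
    seen = {session_key(s) for s in previous}
    return [s for s in current if session_key(s) not in seen]


def flag_sessions(sessions, allowed_users=ALLOWED_USERS, trusted_nets=TRUSTED_NETS):
    """Human-readable alerts for sessions that violate the policy above."""
    alerts = []
    for s in sessions:
        where = f"{s['user']} on {s['tty']} at {s['time']}"
        if s["user"] not in allowed_users:
            alerts.append(f"{where}: unexpected account")
        if s["src"] is not None:
            try:
                addr = ipaddress.ip_address(s["src"])
            except ValueError:  # a hostname or display, not an address: cannot place it
                alerts.append(f"{where}: source {s['src']!r} is not an IP address")
                continue
            if not any(addr in net for net in trusted_nets):
                alerts.append(f"{where}: remote source {s['src']} outside trusted networks")
    return alerts


def check(previous_text, current_text):
    """One round of the regular check: what is new, and what breaks policy."""
    prev, cur = parse_who(previous_text), parse_who(current_text)
    return {"new": new_sessions(prev, cur), "alerts": flag_sessions(cur)}


if __name__ == "__main__":
    report = check(WHO_SNAPSHOT_1, WHO_SNAPSHOT_2)
    for s in report["new"]:
        print("NEW  ", s)
    for a in report["alerts"]:
        print("ALERT", a)
```

On a real host the two snapshots are the previous and current output of `who` (for instance saved to a file between runs); anything reported as NEW that the team did not open, or any ALERT, is the cue to kill the session and change the credential, which is the situation the "rooted sessions" slide describes.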
Endgame
• CONSTANT scans and log checking
• Ensuring IP was constantly logged in
• Conclusions
  • Find a way to read full team packet
  • Harden MySQL server against SQL injection
  • Scoring engine password change after reset
  • Ensure white team has access as well as you!
Morgan
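The generator went down to SQL injection on day 1, and Morgan's conclusion is to harden the MySQL-backed site against it. The concrete fix lives in the application code, not in MySQL itself: user input must reach the database as a bound parameter, never spliced into the query text. The block below is an added example for this page, not Morgan's or the team's code; it uses Python's bundled sqlite3 so it runs offline, but the same change applies to the PHP/MySQL stack the team ran, where mysqli or PDO prepared statements play the role of the `?` placeholders. The table, its row and the inputs are constructed.

```python
"""SQL injection: the string-built query beside its parameterized replacement.

Added example for this debrief, not the team's code. sqlite3 stands in for
MySQL; the vulnerable/safe contrast is the same on either.
"""
import sqlite3


def make_db():
    """In-memory stand-in for the web app's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern that gets a site defaced: untrusted input spliced into SQL text.
    Returns the matched username, or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized version: the driver sends the values separately from the SQL
    text, so a quote in the input is data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both versions on the same input; returns (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_safe(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    print("legitimate credentials:", compare("admin", "correct horse battery staple"))
    # A quote in the password field ends the string literal early in the concatenated
    # query and the remainder is parsed as SQL; the parameterized query treats the
    # whole value as the password and finds no match.
    print("quote in input:        ", compare("admin", "' OR '1'='1"))
```

The "checked PHP code for funny business" review step pairs with this: the thing to look for is every place a request variable is concatenated into a query string, and each one is rewritten as a prepared statement. Running the web application's database account with only the grants it needs limits what a remaining injection point can reach, but it does not replace the parameterization.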
Domain Controller
• Positives
  • Never had machine taken over
  • Had a fairly high uptime
  • All domain controller injects completed successfully
  • No successful attacks against the DC
Nate

Domain Controller
• Negatives
  • Windows updates affected uptime (30 minutes per restart)
    • Part of which may have been the infrastructure
  • Had to roll back to beginning of competition after there was an issue with DNS and GPOs not being applied properly
  • Server had slow reaction time a lot of the time, which made it difficult to do a lot.
Nate

Domain Controller
• Improvements for next time
  • Try to do service pack updates as close together as possible (not using Windows Update)
  • If infrastructure is slow, only do restarts when absolutely necessary and at convenient times (lunch/dinner)
  • Learn to use the Security Configuration Wizard better.
  • Be able to restore domain connection without having to go to each individual machine.
Nate
Team Improvements
• Better Password Management
  • Suggestion from Captain Aaron Garner
  • Easier to type?
• Change database settings in the first 60 min
• Check websites for sanitization in the first 60 min
• Familiarization with soft firewalls/routers/switches

Team Improvements
• Diagram network on board
• Kerckhoffs’ Principle
• Quickly disseminate default usernames and passwords
• Create new GPOs for Domain Server
• Pay attention to snapshot policy

Competition Improvements
• Better Communication
  • Prior to Competition
    • Team Leaders don’t really need to be there
  • During competition
    • White team and Black team not very forthcoming
    • Didn’t tell us not to change email password
  • Injects
    • Some injects were not sensible for competition (ex. recommendations about cloud services during crisis situation)

Competition Improvements
• Better Infrastructure
  • Completely cloud based system??? with HIPAA???
  • Slow Internet
    • Remote Desktop within Remote Desktop is slow
    • BackTrack through PuTTY is limiting
  • Scoring Engine Issues