PRCCDC 2013 PRCCDC Team

Overview

Competition Summary Individual Team Notes Team Improvement Competition improvement

Day 1

Breakfast/Competition Brief

Hospital Scenario with Warm Site
› All Cloud Based

Start of Competition
› One hour head start
› Chaotic
› Changed passwords and began hardening
› Bricked one Workstation

Day 1 – Network Layout

Day 1

Generator Issues due to SQL Injection

SmoothWall – Blocked 172.x.x.x

› Still had packets coming through

Day 2

Problems in the Morning
› Slow Internet (7Kbps)
› EMR Issues
› Scoring Engine (could not connect)

One Snapshot and One Reset Per machine per hour

SmoothWall cannot traffic shape per interface

Day 2

BackTrack traffic rerouted
› (didn’t get its password changed)

Couple of rootkits

Rooted sessions

› They were given our passwords for the last 30 minutes

Day 2 - Debrief

Red team didn’t mention much
› Phishing

Drill everything

Task Organization
› Delegate with Feedback
› Follow up
› Verify

Day 2 - Debrief

Quality Control
› Read Forward for grammar and flow
› Read Backward for Spelling

Change Log from beginning
› Automated?

Team Member Presentations

Pre-CCDC Prep
› WordPress/Apache/MySQL
› Windows Server 2008

Security Configuration

Time Mostly Spent:
› Changing passwords. yOungOrbitt3l3phOn3Occ!siOn!lly will forever haunt me.
› Downloading Windows Updates and Microsoft Security Essentials and MSE Updates (Waiting on internet)
› Monitoring success/fail server traffic
› Injects

Web Server:
› Simple HTML hosted on Windows Server 2008 R2
› Website defaced. Misspellings?

“Exploit Older Than 1 month”

Maxine

Team Member Presentations

Injects
› Company Security Policy (150/150)

Gmail slow, failed to submit on time. Surprisingly got all points.

› Alert banner on website (100/100)

› Records Retention Policy (63/125)

Lost points: 1 year vs. 3 years retention policy. Lesson learned: read documentation closely.

› Website email form w/captcha (0/300)

Submitted late, minus captcha. I wish I had known PHP.

Maxine

Perimeter Security

Smoothwall Firewall & AlienVault OSSIM

Trevor

Initial Tasks

Break my box… and lock myself out

Familiarize myself with SW and AV

Determine hostile and safe networks

Browse topologies and traffic routes

Create plan for traffic blocking and shaping

Trevor

SmoothWall

Packets fly – Block known dangerous subnets
› Bad packets still ingressing…???
› Block all networks including the “Safe” 172.x … No change
› Apply QoS to links – can’t apply QoS to certain subnets, only to all equally
› Block devices per service – can’t block by type (TCP/UDP)
- Block specified hosts for a business inject – full points

Trevor

AlienVault

Utilize AlienVault to monitor our subnets

View in real time as packets hit each device

Utilize logs and dashboard to determine which attacks were deployed and against which machine

Utilize logs for a business inject – never awarded

Trevor

For improvement

Create ACLs for each service to each box – give example

Lock down backtrack as my second priority

Copy team competition docs in a clean manner

Test SmoothWall and AlienVault before use if time allows

Trevor

What I learned

Need to prioritize hardening

Check for services being up after each step

Need to map network immediately

Don’t assume failures are from attacks

Don’t count on the internet working

Create a file repository on file server

Backup, Backup, Backup (One per hour)

Scott

Mistakes I made

Not knowing how scoring system worked

Not updating passwords in scoring engine

Not asking enough questions

Did not verify services being up from outside of server

Did not Log Everything

Eating the lasagna for lunch

Scott

Things to do for next year

Learn specific admin roles

Learn popular software packages for DC, Mail, Web services etc

How to run backtrack GUI over SSH

Create a script to check for server uptime

Monitor Traffic constantly

Practice Competition with other Schools

Scott
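Along the lines Scott suggests (a script to check server uptime, run from outside the box rather than from the server itself), here is an added example in Python; it is not part of the team's slides. It probes each scored service with a real TCP connect, fetches the web page so a defacement shows up as DOWN, and reports state changes between polls. The service list, hosts and expected page text are constructed placeholders.

```python
import socket
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
# (name, host, port, bytes the HTTP body must contain, or None for plain TCP).
# Constructed sample targets on documentation addresses, not the real network.
CHECKS: List[Tuple[str, str, int, Optional[bytes]]] = [
    ("web", "192.0.2.10", 80, b"Hospital"),
    ("dns", "192.0.2.20", 53, None),
    ("mysql", "192.0.2.30", 3306, None),
]

def tcp_up(host: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a TCP handshake completes: the port answers from outside."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_ok(host: str, port: int, expect: bytes, timeout: float = 5.0) -> bool:
    """True if the site returns 200 and the body contains `expect` (crude defacement check)."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as r:
            return r.status == 200 and expect in r.read()
    except Exception:          # refused, timeout, HTTP error: all count as down
        return False

def run_checks(checks, tcp: Callable = tcp_up, http: Callable = http_ok) -> Dict[str, bool]:
    """Map service name -> up?; the probes are parameters so tests can stub them."""
    results: Dict[str, bool] = {}
    for name, host, port, expect in checks:
        up = tcp(host, port)
        if up and expect is not None:
            up = http(host, port, expect)   # open port but wrong page still counts as DOWN
        results[name] = up
    return results

def transitions(now: Dict[str, bool], before: Dict[str, bool]) -> List[str]:
    """Services whose state changed since the previous poll, e.g. ['web: UP -> DOWN']."""
    return [f"{n}: {'UP' if before[n] else 'DOWN'} -> {'UP' if up else 'DOWN'}"
            for n, up in sorted(now.items()) if n in before and before[n] != up]

if __name__ == "__main__":
    prev: Dict[str, bool] = {}
    while True:                 # one poll a minute; the printed lines are the log
        res = run_checks(CHECKS)
        print(time.strftime("%H:%M:%S"), res, transitions(res, prev), flush=True)
        prev = res
        time.sleep(60)
```

Redirect the output to a file and it doubles as the timestamped record the "Log Everything" point asks for.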

Reflections

Better preparation

Infrastructure

Connection to servers

Injects

Presentation
› Less organized than last year

Blue Team Debrief

Theora

Next Year Suggestions

Analyze infrastructure

Keep a change log

Delete unnecessary users immediately

Drill on reporting passwords

Larger font passwords

Watch time

Drill machine lock down more

Theora

Jason

Don’t trust White Team
› Specifically, executables they give us

If Gmail or similar is used next time, allot more time for sending inject emails before the deadline
› Slow internet led to late submissions

Jason

PRCCDC Events

Morgan Weir

Morgan

Opening Hand

Generator duty

Directions were specific, but also not entirely inclusive

Port closing inject

ACCESS!! And Denied

Note, get there faster!

Morgan

With Assistance

Encrypted mySQL password

Checked PHP code for funny business

Morgan

Back in Business

Began and completed hardening procedures on CentOS server

Performed injects

Performed constant checks

Morgan

Day 2

Regular checking of who was logged in

Regular checking of system

Program Inject

More infrastructure issues

Morgan

Endgame

CONSTANT scans and log checking

Ensuring IP was constantly logged in

Conclusions
› Find a way to read full team packet
› Harden mySQL server against SQL injection
› Scoring engine password change after reset
› Ensure white team has access as well as you!

Morgan

Domain Controller

Positives
› Never had machine taken over
› Had a fairly high uptime
› All domain controller injects completed successfully
› No successful attacks against the DC

Nate

Domain Controller

Negatives
› Windows updates affected uptime (30 minutes per restart), part of which may have been the infrastructure
› Had to rollback to beginning of competition after there was an issue with DNS and GPOs not being applied properly
› Server had slow reaction time a lot of the time, made it difficult to do a lot.

Nate

Domain Controller

Improvements for next time
› Try to just do service pack updates as close together as possible (not using windows update)
› If infrastructure is slow, only do restarts when absolutely necessary and at convenient times (lunch/dinner)
› Learn to use the security configuration wizard better.
› Be able to restore domain connection without having to go to each individual machine.

Nate

Team Improvements

Better Password Management
› Suggestion from Captain Aaron Garner
› Easier to type?

Change database settings in the first 60min

Check websites for sanitization in first 60min

Familiarization with soft Firewalls/routers/switches

Team Improvements

Diagram Network on Board
› Kerckhoffs’ Principle

Quickly disseminate default usernames and passwords

Create new GPOs for Domain Server

Pay attention to Snapshot policy

Competition Improvements

Better Communication
› Prior to Competition: Team Leaders don’t really need to be there
› During competition: White team and Black team not very forthcoming; didn’t tell us not to change email password

Injects
› Some injects were not sensible for competition (ex. Recommendations about cloud services during crisis situation)

Competition Improvements

Better Infrastructure
› Completely cloud based system??? with HIPAA???
› Slow Internet
› Remote Desktop within Remote Desktop is slow
› BackTrack through PuTTY is limiting
› Scoring Engine Issues