Cyberdawn - A Diverse Cyber Exercise - Part I

Cyber Exercise

Over this past weekend I attended Cyberdawn, a cyber exercise that was hosted by Battlefield High School in Haymarket, Virginia.

One of the first things that impressed me about this event was the diverse population of players and attendees. The defending and attacking teams were represented by high school students, college students, industry professionals and cadets in the Army and Air Force academies. I met people ranging from Army captains trying to make the world a more secure place, to the team leader of the Defcon CTF organizers. The Army captain was in attendence to observe the event and talk to people in the field to better understand information security. John Bos, team leader for “sk3wl0fr00t”, was in attendance to help out as a volunteer and share his experience with CTF events with both the red and blue teams.

Battlefield High School was amazing, it’s only five years old and provides kids with a wealth of opportunity. Everyone there was great, even though the red team almost got detention!

They have an extensive ROTC program, a large robotics lab and an IT program that has a 100% placement rate for its internship program. This event was very refreshing to see and experience. I wish my high school presented these opportunities - well we did have Commodore 64 computers back then, which were all the rage.

The cyber exercise was played over two days and the Air Force academy was placing in the top three slots throughout the event. They were a very enthusiastic team and were anxious to begin working in information security

At this even, I got a chance to better understand the value of a “cyber exercise”. I spoke at length with people heavily involved with Capture The Flag events and cyber exercises (look for a series of interviews coming up on the Tenable Network Security Podcast on this topic). The most important thing the blue teams are learning is how to stay calm under fire and work together as a team. I was surprised that the most effective techniques and tactics used by the successful blue teams centered around people skills. It didn't matter how fast you could run netstat and kill off connections from backdoor programs put there by the red ream if you did not have a solid plan for remediation and ensuring production services were running. This provided a valuable learning experience for everyone there, including myself. Some may say that it is not realistic, and in a way the game is designed to be a little unfair to the blue team. For example, during the first two hours of the game the teams had to defend their systems without the use of network firewalls or patches. While this may not be commonplace in the real world, it does emulate how you must defend your network once an attacker has gained access behind the firewall, or if the threat comes from the inside. In addition, there are plenty of cases where you are not allowed to apply patches to a machine in a timely manner, making defending exposed and vulnerable systems a very challenging aspect of the game and contributing to the overall experience.

The game is hosted by White Wolf Security, who do a fantastic job of providing a very realistic environment, right down to a VoIP phone system. The phone system is in play and teams incur penalties if it’s compromised by the red team.

I was asked several times about the Red Team organization, having led the Red Team in several events beforehand. For this event, I took a very “hands off” approach and let the various members execute their individual attack plans. The Red Team was very effective in this event, gaining access and keeping access to several systems during the event. Anytime they would get stuck, or need some clarification on the game, I provided them with guidance. In other cases (typically in smaller games), the Red Teams can be divided by skill set and/or tasks. For example, one team can perform recon and network mapping, another team can gain access to systems and yet another team can make sure that they keep access. Again, organization and staying calm is key to success for the red team. Even if you've spent an hour trying to gain access to a system only to break in and have your access cut off, you need to remain calm and move on to the next task that will hopefully get you back into the system(s).

The Red Team's home for the weekend was the army ROTC room, where there was a great display of different war planes and military paraphernalia.

Nothing Goes as Planned

If there is one lesson I always take away from “cyber exercises”, it’s that nothing goes as planned. I had what I thought was a strong plan of attack. I had customized modules in Core IMPACT to update the scoring server, and practiced my techniques for keeping access. However, Murphy was out in full force and my plans were foiled (Turns out my module was not updating the scoring server properly, and I didn’t get points for the system compromises). You have to be prepared for this and have a backup plan, or just put your head down and fix the problems. Panic is not an option. You have limited time to compromise as many systems as possible, just as you would in a professional penetration test. This exercise is great practice, and at the end you do not have to write a report, but it allows you to hone your skills and play out several scenarios of "what would I do if...".

For the defenders, plans are important, but they typically get thrown out the window in the first hour of the competition. The attackers are usually very creative and present new and different challenges to the Blue Team throughout the event. However, the blue team plan has to include the following in order to be successful:

• Install anti-virus software - While there are many easy ways to evade anti-virus software, every little bit helps, especially in a game where time is so critical. The goal for a defender is to make it more expensive for an attacker to penetrate the systems. Cost could be measured monetarily or with time, and taking the extra step to evade anti-virus software can take a bit more time (For example, having to run their payloads through a packer or something like PE-Scrambler and re-test functionality). By adding small measures of defense that cause attackers to take more time to successfully break-in, you can increase your chances of successfully defending the system.
• Change passwords - An attacker who has your password will have access to your system until it is changed. Don't limit yourself to changing just system passwords, but all passwords on the system including user and service accounts that have the ability to login. An attacker able to login into your system can be hard to find on the surface. A login looks like normal behavior, and this method of access works on a fully patched system. In addition, the attacker does not have to rely on a buffer overflow, which can cause system instability, so password abuse is commonplace by attackers.
• Know Your System - It is important as a defender to know what purposes your systems serve, and what they should be doing. Knowing this helps you to identify behavior that just should not occur in the normal course of business operations. Assigning one person to review and kill unknown running processes and connections is key, but you must define what is "unknown". For example, your phone system PBX server making SSH connections to other systems on the Internet should raise a red flag.
• Proper outbound filters - Once attackers compromise a system, they need a way back out in order to maintain control of that system. If you have a strict outbound policy it can do two things that help make defense easier. First, it forces the attacker to search for the limited ways out of the network, potentially cutting off access to the system if they have deployed a payload that cannot get past the firewall. Second, it limits the outbound traffic that you have to monitor. For example, if you block all other ports aside from TCP ports 80 and 443 from leaving your network, then you can monitor those two paths for suspicious behavior, such as an exchange server making an outbound connection on port 80 to an IP address in China.
• Check your logs - Some key issues to determine from your logs: Are people logging in from systems that are on the Internet? Is this normal systems behavior? Have your logs been modified or deleted? Logs can be a great indicator of a compromise. Some specific things to look for are services starting up unexpectedly, unauthorized users being added and successful logins under suspicious circumstances.

The Red Team needs to be creative throughout the exercise, and typically towards the end is when things get "interesting". In this case, the Red Team compromised a system and was preparing to blast music through the speakers to distract and physiologically attack the blue teams.

Data Theft

SQL injection continues to be a huge problem, both in the real world and in the game. On both Linux and Windows systems, the following SQL queries were wildly successful with respects to allowing us to run commands:

Linux:

Windows:

Due to the SQLi vulnerabilities, seven teams lost their entire Human Resources (HR) database, which include the names, birth dates and social security numbers of their employees. To simulate a real-world scenario, the red team members emailed each of the seven team's captains and informed them that they had stolen their employee data. The situation got worse for the seven teams as the email also informed them that the red team had not only made a copy of the data, but deleted the copies from the servers and was now holding it for ransom. This added a great element to the game, and worked to raise the already elevated stress levels of the blue teams.

(Click image for larger version)
The Red Team compromised the data of several Blue Teams, then presented this image in a debriefing after the first day of game play. The Blue Teams were a bit overwhelmed. The information above is of course fictitious.

In Part II we will look at how the Red Team was able to gain access to systems without software exploits, and maintain access to the systems.