Passwords are just so easy to abuse...
It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to login to the systems, then SCP to upload some Python code, that was used to update the scoring engine. From there he was able to maintain access, not by rootkit technology or anything sophisticated, but just hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat", to make it look like a system file. Next, a shell script was written to call the python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.
This is perhaps one of the toughest jobs an attacker has. The systems are constantly being rebooted, patched, re-configured and have network problems cropping up - just like in the real world! So, the same problems we have in the game are the ones that attackers and penetration testers face when attacking a network and trying to maintain a foothold. Some of the methods used by the Red Team, which were all met with mixed success, follows:
- SSH Trust Keys - One of the Red Team members managed to keep access to the systems by adding a trusted SSH key. The Blue Team changed the passwords, but did not remember to check for the presence of a trusted key.
- Rootkits - Several different rootkits were installed, ranging from the Immunity rootkit to Poison Ivy. These were effective in being undetected on the system, but they still needed to call “home” from a running process.
- Penetration Testing Frameworks - Core IMPACT agents were deployed to compromised hosts. Since the various teams can see these processes, IMPACT's module called the "agent process injector" that was used to install the agent code into an existing process, such as "explorer.exe", which then made a reverse connection back to the Red Team on port 80. This gave the Red Team a little more staying power inside the various networks, which allows pivoting - the ability to launch attacks from inside the firewall. An important point to remember from a defensive perspective is that when analyzing a system for evidence of a compromise, it is important to see which processes are making outbound connections, unless of course the copy of tcpview becomes trojaned.
I tend to think of the “cyber exercises” as an accelerated learning environment. In the real world, you would not have as many attacks and responses in such a short period of time. It is precisely this type of environment that can greatly assist both attackers and defenders improve their skills. It also underscores some of the areas that defenders should focus on, such as monitoring outgoing traffic, creating and implementing a strong password policy and having a process in place to collect and analyze system logs. Tenable's enterprise products can help in all of these areas. The Passive Vulnerability Scanner and Tenable Network Monitor products inspect network traffic for vulnerabilities and allow you to identify suspicious behavior with the Security Center. The Security Center can correlate system logs with both vulnerability and network logs, identifying patterns that could represent security breaches. See the references section below for more examples of Tenable product usage to detect malicious behavior on the network and systems in your environment.