PRCCDC 2014 Recap
By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip
Scott Amack – PRCCDC Scenario
Shark Industries, Weapon Manufacturer
Incomplete Network Map Provided
4 Windows 7 Machines
4 Windows XP Machines
Plus various network machines
File and Mail Server, “HMI” Computer, Domain Controller, VPN Server, Web Server
Scott Amack – PRCCDC Team Preparation
RADICL Lab Down
Prepped Team for Injects
Team had to practice on their own VMs
Prepped team to think fast on their feet
Lots of quick exercises in prep class
Scott Amack – PRCCDC Scores
Team Scored 6th Overall
1st Place in Incident Response
2nd Place in Injects (15 points from 1st)
1st Place in Uptime
11th Place in Attacks against us
Scott Amack – PRCCDC Inject Scores
Scott Amack – PRCCDC Uptime Scores
Scott Amack – PRCCDC Lessons Learned
Need to teach team how to find and eradicate malware
Need to defend against RATs (Dark Comet and Poison Ivy variants)
Need to learn how Cobalt Strike Beacons can be eradicated
Really need a lab environment to practice in
Need to learn multiple tools for doing different tasks
Scott Amack – White Team Debrief
Centralized Leadership was excellent
Each Member assigned a specific role works very well
Inject with team captain out sick did not work so well for us
Liked that we drew diagrams on the board
Liked that we asked unauthorized visitors to leave immediately
Quick solutions to the right problems is the way to win
Ranger Adams - Responsibilities
Going in: Web Server (Ubuntu), maybe MySQL
There: Web Server (Ubuntu), Web Server (IIS), MySQL Box (Ubuntu), Application Server (IIS)
Ranger Adams - Preparation
Linux
PHP/JavaScript
Linux Services
Basic Windows
Ranger Adams - Mistakes
UFW blocking MySQL
Full control of assets
Attention to Windows
Windows Firewall
Ranger Adams – Lessons Learned
Firewalls are tricky, but powerful
Learn more breadth, less depth
Jeff Crocker - Responsibilities
Email Server
Jeff Crocker - Preparation
Email Server
Online Tutorials
Veteran Knowledge
Presentations
Passwords
Jeff Crocker - Mistakes
Open Relay Fix
Sitting by the phone
User Accounts
Excessive Passwords
Jeff Crocker – Lessons Learned
Check Assumptions
Gear Switching
Googling Skills
Availability vs. Integrity
Ben Cumber - Responsibilities
Windows File Server
• Windows 2008 R2 server
• Running freeFTPd
Windows XP workstations 7 and 8
Ben Cumber - Preparation
• Windows hardening guide on personal machine.
• Read through team binder.
• Reviewed PRCCDC rules.
Ben Cumber - Mistakes
• Couldn’t RDP to Windows server.
• Could not connect to file service.
• Reinstalled file service (wasn’t necessary)
Ben Cumber – Lessons Learned
• RDP
• Filezilla and WinSCP
• Gained a much better understanding of what exactly a file server is.
Keith Drew - Responsibilities
Maintain Logs of System Changes
Maintain Telephone Logs
Windows Workstation Hardening
Keith Drew - Preparation
Documentation
Mini Lab on Personal Computer
Developed Hardening Guides
Keith Drew - Mistakes
Not killing malicious process
Not utilizing all tools available to me (vSphere Client)
Keith Drew – Lessons Learned
How attacks are performed
Heather Haphey - Responsibilities
Smoothwall Virtual Router
Handle injects
Policy writing
Report generation
Briefing
Binder creation
Heather Haphey - Preparation
Researched Smoothwall and Virtual Routing
Reviewed and rewrote real policies
Practiced briefing
Collected and created binder materials
Read offensive and defensive tactics
Heather Haphey - Mistakes
Learned wrong Virtual Router (Vyatta instead of Smoothwall)
Didn’t back up editable sample documents
Realized the router GUI too late
Not prepared to detect and prevent attacks
Heather Haphey – Lessons Learned
More research about red team tools
Back up anything useful
Snapshot -> Harden-> Snapshot
Get injects done ASAP, use full time
Review requirements part-way through
Stay focused on AOR, remain calm
ASK ASK ASK and trust intuition
Get into the scenario, seek real answers
Nate Krussel - Responsibilities
Windows Active Directory: Group Policies, Domain Knowledge
Team Co-Captain: Help in team preparation, Back up to Scott
Knowledge Transfer: Sharing experience and strategies that have worked or not worked in past competitions
Nate Krussel - Preparation
Doing Previous Years’ Injects: Even if not exactly the same, may be fairly close
Read up on required services/ports: Often the competition has more open things than needed to run the required service
Industry hardening guides: Give the quick and useful information on hardening
Acquired General Knowledge: Easier stepping into Scott’s shoes if need be
Nate Krussel - Mistakes
Firewall Rules: Need to only allow certain IPs to access the domain and domain resources; should slow down the red team
Too much time as Domain Admin account: Much easier for red team to steal credentials if they break into the box
Not checking scheduled tasks: Allowed red team to manipulate our firewalls across the domain
Didn’t lock out all additional user accounts that weren’t required for the score bot or us: Not how a normal business runs, but works well for the competition
Nate Krussel – Lessons Learned
Always scan inside and outside your network and speak up if a new box appears
If given vSphere client, turn off servers’ RDP and SSH abilities (if possible) and use the client
Check firewall rules regularly
Use virtual router to try and limit access at the port level if possible; reduces attack surface greatly
Always communicate and make sure to get confirmation of a task that needs to be done, to make sure the message got across
Easier to have the DC auto-update the group policy instead of having everybody update it themselves
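The "scan inside and outside your network and speak up if a new box appears" lesson above is easiest to act on if the scans are compared mechanically rather than by eye. The script below is an added example (it is not from the PRCCDC recap or from any team member) that parses two Nmap XML outputs, a baseline taken at the start of the competition and a later re-scan, and reports hosts that were not there before plus ports that newly opened on known hosts. The two XML documents are constructed inline in the shape Nmap's -oX produces; the addresses, ports and host names are assumptions for the demonstration.

```python
"""Diff two Nmap XML scans: new hosts, vanished hosts, newly opened ports.
Added example for the PRCCDC recap, not the team's own tooling. The XML
below is constructed to mimic `nmap -oX` output so the script runs offline."""
import xml.etree.ElementTree as ET

# Constructed baseline: web server and mail server, expected ports only.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/></port>
    </ports></host>
</nmaprun>"""

# Constructed later scan: RDP appeared on the web server, a closed port is
# still reported, and an unknown host 10.0.0.99 is listening on 4444.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="21"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/></port>
    </ports></host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return {ipv4: set((proto, port))} of open ports for every host that is up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        hosts[addr] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Compare two parse_scan() results; only additions are treated as alerts,
    vanished hosts are reported separately because a box going down is an
    uptime problem, not evidence of a new attacker."""
    new_hosts = sorted(set(current) - set(baseline))
    gone_hosts = sorted(set(baseline) - set(current))
    new_ports = {}
    for addr in set(current) & set(baseline):
        added = current[addr] - baseline[addr]
        if added:
            new_ports[addr] = sorted(added)
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts, "new_ports": new_ports}


def compare_xml(baseline_xml, current_xml):
    return diff_scans(parse_scan(baseline_xml), parse_scan(current_xml))


if __name__ == "__main__":
    result = compare_xml(BASELINE_XML, CURRENT_XML)
    for addr in result["new_hosts"]:
        print(f"NEW HOST  {addr}")
    for addr, ports in result["new_ports"].items():
        print(f"NEW PORTS {addr}: {ports}")
    for addr in result["gone_hosts"]:
        print(f"GONE      {addr}")
```

In practice you would run `nmap -sS -oX baseline.xml <range>` once at the start, re-run to a new file every hour from both the inside and the Kali box outside, and feed the two files to compare_xml; anything under NEW HOST or NEW PORTS is what the speaker means by "speak up".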
Chris Waltrip – Responsibilities
Kali Linux VM: Outside of Corporate Network, used to see what is visible from the outside
Port Scanning, Network Sniffing, Vulnerability Analysis
Windows Server 2008 R2 (HMI Server): Not initially planned
Chris Waltrip - Preparation
Learned the basics of Nmap and Wireshark
Researched Web Application Firewall (specifically ModSecurity); never actually used
Created Cheat Sheets: Useful Tools, Common & Useful Commands
Chris Waltrip - Mistakes
Didn’t see VPN on Second Day: Nmap Port Scans, Wireshark DNS Traffic
HMI Server: Saw server, but thought it was Vyatta Firewall; didn’t know Default Credentials
Attached to Domain
Cobalt Strike Beacons
Chris Waltrip – Lessons Learned
Tons!
Nmap and Wireshark
Team Dynamics & Collaboration
Cobalt Strike’s Beacon has its own packaged DNS server
How Effective Our Countermeasures Were
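The speaker's point that Beacon carries its own DNS server matters because a DNS-based implant never needs a direct connection to the attacker: the victim asks its normal resolver for names under the attacker's domain, and the answers carry the tasking. The script below is an added example, not the team's tooling and not a description of Cobalt Strike internals; it applies a generic heuristic for that traffic pattern (one client resolving many never-before-seen labels under a single domain at a steady cadence) to constructed resolver log lines. The log format, the hosts and domains, and the thresholds (20 distinct names, 20% timing jitter) are assumptions to tune for your own environment.

```python
"""Heuristic for DNS beaconing in resolver logs: many distinct subdomains under
one domain from one client, asked at a steady interval. Added example for the
PRCCDC recap; the log lines are constructed and the thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2014, 3, 22, 10, 0, 0)


def build_sample_log():
    """Constructed log lines of the form '<ISO time> <client> <qname> <qtype>'."""
    lines = []
    # 10.0.0.12 resolves a fresh label under one domain every 60 s (beacon-like).
    for i in range(30):
        t = BASE + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat()} 10.0.0.12 {i:08x}.cdn-sync.example TXT")
    # 10.0.0.13 looks like a normal workstation: few names, irregular gaps.
    for offset, name in [(5, "www.example.com"), (70, "mail.example.com"),
                         (400, "www.example.com"), (430, "cdn.example.com"),
                         (1500, "mail.example.com")]:
        t = BASE + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.0.0.13 {name} A")
    return lines


def apex(qname):
    """Approximate the registered domain as the last two labels. A real
    deployment would use a public-suffix list so 'co.uk' style names group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse(lines):
    """Group query timestamps and distinct names by (client, apex domain)."""
    groups = defaultdict(lambda: {"times": [], "names": set()})
    for line in lines:
        ts, client, qname, _qtype = line.split()
        g = groups[(client, apex(qname))]
        g["times"].append(datetime.fromisoformat(ts))
        g["names"].add(qname.lower())
    return groups


def find_beacons(lines, min_names=20, max_jitter=0.2):
    """Return [(client, apex, distinct_names, median_interval_seconds)] for
    groups that both use many distinct subdomains and query on a steady clock.
    Either signal alone is noisy (CDNs use many names; NTP-like polling is
    regular); requiring both cuts most benign traffic."""
    hits = []
    for (client, dom), g in parse(lines).items():
        if len(g["names"]) < min_names or len(g["times"]) < 3:
            continue
        times = sorted(g["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if med <= 0:
            continue
        jitter = statistics.pstdev(gaps) / med  # relative spread of the interval
        if jitter <= max_jitter:
            hits.append((client, dom, len(g["names"]), med))
    return hits


if __name__ == "__main__":
    for client, dom, n, interval in find_beacons(build_sample_log()):
        print(f"{client} -> {dom}: {n} distinct names, every {interval:.0f}s")
```

On a real resolver you would point this at the query log (or a Wireshark/tshark export filtered to udp.port == 53) and lower the interval threshold if the implant is configured with sleep jitter; the important operational step from the recap still applies, which is to block the workstations' direct outbound DNS so every query has to pass through a resolver you log.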
Pictures from Event