Posted on Monday, 26th March 2012 by Michael

CCDC the First Hour

Despite some popular beliefs, the Blue Cell is not given machines that have already been backdoored for the Red Cell to use. The machines you are given are definitely built in an insecure manner, but that's it.

Your objective coming into this event is usually the same year after year. XYZ Company fired their incompetent IT staff. Their incompetence will make your next two days a living hell. You are coming into this organization blind; you do not know, nor should you trust, the current systems or infrastructure. Though you would like to start from the ground up, you need to keep the business going and repair the damage while defending against an onslaught of attacks.

So how do you get the upper hand? Time is of the essence. The Red Cell is very skilled and some members can operate almost as fast as an automated program. That being said, when the start bell goes, most likely within seconds we have several shells on your machines, plus the default credentials of your web apps, firewall and other devices on the network that year. To get the upper hand I personally believe you need to accomplish this at the network layer as well as by working as a team. You need to lock down the firewall as quickly as possible to buy yourself time to CLEAN and remove malicious software, patch systems to avoid re-infection, change your passwords to cut off access, ensure there are no new accounts that have been added, trace cables to ensure there are no rogue devices, and implement your CCDC game plan.

During this time it is important to remain calm and professional. Remember, this is only a game at the end of the day. Acting in an unprofessional manner will cast a shadow over yourself and your school, especially since there are many recruiters in the audience watching how you act and respond. These are the people you will be working for if you survive this event and decide that a career in information security is for you.

So how do you lock down your firewall? I am not a Cisco expert by any means, though I have had my fair share of time on these devices both in previous jobs and at the CCDC. First, I suggest that if your team has a budget you look at investing in a Cisco ASA 5505 for your school's lab so you can train on it. This is not only good for the competition but is a great training aid as you get ready to enter the real world: you can say you have Cisco ASA experience. You can find them for a few hundred dollars or less on: http://www.ebay.com/sch/?_nkw=cisco%20asa%205505&clk_rvr_id=326713534867 . Second, I suggest you do some reading: http://www.cisco.com/en/US/docs/security/asa/quick_start/5505/5505-poster.html , you have several months until the next CCDC qualifier.

These devices have two main ways to administer them. The first is through the ASDM software and the second is through the command line. The device during the competition is already configured for you, saving you a lot of time but also making you very vulnerable.

  1. Change the default password.
  2. Apply the changes to the running configuration and then save them to flash (the same as wr mem at the command line). Applying alone makes the change take effect instantly, but it will not survive a reboot unless it is saved to flash; if you skip the save, a reboot brings cisco/cisco back even though you changed the password.
  3. Disable remote administration of your firewall on the outside interface. If the TRUE scorebot needs SSH access, then limit it to the TRUE scorebot's IP.
  4. Disable the any/any IP allow rule and create a policy above it that only allows the ports you need. Make sure you know your basic port numbers:
    1. 80 => HTTP
    2. 443 => HTTPS
    3. 21 => FTP
    4. 22 => SSH
    5. ICMP => a protocol, not a port
  5. Make sure logging is enabled on your rules and the time on your firewall is correct. This is very important in your incident write-ups to show logs and have the times match up. Limited time drift in logs is permissible in court, but large discrepancies will be thrown out.
  6. Apply your changes to the running configuration and save.
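The checklist above, worked through as an ASA command-line configuration. This is an added example, not configuration from the original post or from any competition image; the interface names, the 192.168.10.0/24 inside network, the scorebot address 203.0.113.50, the syslog/NTP host and the ACL name outside_in are constructed placeholders, and it assumes ASA 8.3 or later syntax (outside ACLs reference the real inside addresses, and NAT for the servers is already in place).

```cisco
! 1. Replace the default credentials for enable, SSH and ASDM
enable password <new-enable-password>
username admin password <new-admin-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! 3. Remove remote administration on the outside interface; keep ASDM
!    reachable from the inside only, and allow SSH from the outside
!    solely from the scorebot address (constructed placeholder)
no http 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
ssh 203.0.113.50 255.255.255.255 outside
ssh timeout 5
!
! 4. Replace the any/any allow with an explicit list of needed ports.
!    Binding outside_in with access-group supersedes whatever ACL the
!    previous IT team left on the outside interface. Every line carries
!    "log" so both permitted traffic and blocked probes show up for
!    the incident write-up; the final deny makes the drop explicit.
access-list outside_in extended permit tcp any host 192.168.10.20 eq www log
access-list outside_in extended permit tcp any host 192.168.10.20 eq https log
access-list outside_in extended permit tcp any host 192.168.10.30 eq ftp log
access-list outside_in extended permit tcp host 203.0.113.50 host 192.168.10.30 eq ssh log
access-list outside_in extended permit icmp any any echo log
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 5. Correct the clock, keep it from drifting with NTP, and send
!    timestamped logs to a collector the log-reading teammate watches
clock timezone EST -5
clock set 09:00:00 Mar 26 2012
ntp server 192.168.10.5 source inside
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging host inside 192.168.10.5
!
! 6. Persist to flash; without this a reboot restores the old config
write memory
```

Run `show access-list outside_in` afterwards to confirm the hit counters are climbing on the permits and the deny, and `show clock` to verify the time before the first incident report is written.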

During the event you are not allowed to block IP addresses without cause, nor can you block large ranges of IP addresses. So how do you get permission to set a block? In the real world this is called a business need. For example:

“Dear Mr. CEO,

During a recent firewall audit the IT Security department found several questionable configurations on the firewall that were left there by the previous IT team. These configurations are exposing the organization to undue risk by allowing remote administration of the firewall to anyone on the Internet. Though we have set the password to a properly secured one, this does not guarantee full security, and it would be wise to lock this feature down to only our remote offices and internal staff.

Sincerely, IT Security department”

So now that you are working on locking down your firewall, what should the rest of your team be doing? Well, that is simple: you have up to eight teammates who should be accomplishing other tasks while one or maybe two people work on locking down the firewall. This is one reason why the Red Cell does so well; we break down into teams and divide and conquer.

So how should you divide your team up? I would do it by skill set, along the lines below:

A person or persons working on changing system passwords: these individuals should know basic Windows and Linux user account administration. Think about doing away with passwords altogether on the Linux systems and requiring the use of SSH keys.

A person or persons working on web applications: make sure they know where each application is located. Make sure not only the administrator passwords are changed but all user passwords are changed. Think about having these teammates lock down admin directories to only internal IP ranges by using .htaccess files or another method.

A person or persons working on identifying and disabling services: make sure that you know what is running. Verify that what is running is required, and if it is not required then disable it. This person should know how to use services.msc on Windows and /etc/services on Linux, as well as service <name> stop or start.

A person or persons working on applying system patches: have them focus on patches for remotely exploitable vulnerabilities first, then other patches. Since the firewall should be locked down by now, exploits such as those against SMB will not be as high a risk.

A person or persons tracing wires and securing wireless: make sure you know what is plugged into your network and where each wire goes. WEP is not your friend. It sucks when your IT department comes in that night and rewires things for you and adds devices to make your job work better :)

A person or persons monitoring connections and logs: this person should be familiar with the tools TCPView and netstat and with log reading. They will be the one who should help detect intrusions and gather evidence for the incident response.

A person or persons working on business injects: even though there is a threat to your environment, the business needs to remain running. Make sure it gets done or you will be done.

If you have any additional people who are not physically working on a box, have them become the note takers and document what you have done. Or you can make them a gopher to go get coffee or other supplies. The team captain should be this person. They should act as a manager and supervise, dictate and control. They are there to execute your team's plan and keep you coordinated and motivated.

This may seem like a lot that cannot be accomplished in an hour, but it can. You will need to run in parallel with each other and multitask. If you have questions please feel free to contact me, and remember to reach out to the Red Cell members for help and input throughout the year.
