Tips

Don’t Forget the Basics

In 2012, Dwayne Williams, National CCDC Director, wrote a post in the CCDC Forums entitled Don’t Forget the Basics. His advice was echoed in interviews with experienced CCDC White, Gold and Red Team members conducted to create this resource. (Read his full post here: http://www.nationalccdc.org/blog/2012/02/20/dont-forget-the-basics/).


Many teams, especially new teams, fail to address the most fundamental methods to harden their network and systems. Here are some fundamental weaknesses that experienced CCDC competitors and the Red Team suggest teams address early in the competition:


Address Firewall/Router vulnerabilities first. The Red Team stated that one of the biggest vulnerabilities they were able to exploit was poor firewall/router rules. A threaded discussion on AnandTech Forums stressed that firewall/router rules “need to be rock solid on inbound and outbound traffic.” One competitor described a significant delay they experienced because the router/firewall was blocking legitimate traffic from inside the team network. As a result, the team could not update software for an inject for an hour, when the inject had a 90 minute deadline. Read the full threaded discussion here: http://forums.anandtech.com/archive/index.php/t-2218750.html. Specific suggestions relating to firewalls and routers include:

o   Know how to implement the Intrusion Prevention System (or related) features on your device

o   Disable unnecessary ports

o   Know how to do a console-based password reset

o   Keep in mind, you will not be able to:

§  Disallow password changes on the router, switch and firewall

§  Block IP subnets and individual addresses (unless permission has been given by the event organizers)
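
As an added example (not from the CCDC page or the AnandTech thread), here is a bash function that turns the “rock solid on inbound and outbound traffic” advice into a default-deny iptables ruleset. The scored services, the hosts the box may reach outbound and the admin subnet are hypothetical parameters you replace with your own. Everything the policy drops is logged, rate-limited, so that the “legit traffic blocked from inside” problem described above shows up in the kernel log instead of costing an inject:

```bash
#!/bin/bash
# Added example, not from the CCDC page or the AnandTech thread: build a
# default-deny iptables ruleset in iptables-restore format. Only the scored
# services are reachable inbound, only the hosts you name are reachable
# outbound, and everything dropped is logged (rate-limited) so a blocked
# legitimate connection from inside shows up in the kernel log.
# Service list, host list and admin subnet are hypothetical parameters.

# gen_ruleset "tcp:80 tcp:443" "10.0.0.53 10.0.0.10" "10.0.9.0/24"
#   $1  inbound scored services as proto:port (tcp or udp)
#   $2  hosts this box may open new connections to (DNS, proxy, update mirror)
#   $3  admin subnet allowed to reach SSH (optional)
gen_ruleset() {
    local inbound="$1" out_hosts="$2" admin_net="${3:-}"
    local svc proto port host

    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Management access only from the admin subnet, never from anywhere.
    if [ -n "$admin_net" ]; then
        printf '%s\n' "-A INPUT -s $admin_net -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # Scored services: one explicit ACCEPT per proto/port, nothing else inbound.
    for svc in $inbound; do
        proto=${svc%%:*}
        port=${svc##*:}
        printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound: only new connections to the hosts you listed.
    for host in $out_hosts; do
        printf '%s\n' "-A OUTPUT -d $host -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the policy drops so "is the firewall eating my traffic?" has an answer.
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
COMMIT
EOF
}

# Usage (review the output first; a wrong rule here locks you out):
#   gen_ruleset "tcp:80 tcp:443" "10.0.0.53 10.0.0.10" "10.0.9.0/24" > /root/fw.rules
#   iptables-restore < /root/fw.rules
```

Apply it from a console session rather than over SSH, and when a service or an update suddenly stops working, check the kernel log for FW-DROP-IN or FW-DROP-OUT lines before assuming the service itself is broken; that is the hour the competitor above lost.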

Change passwords frequently. The Red Team will attempt to crack your password hashes overnight. So, teams should change all passwords to unique strong passphrases daily (at a minimum).

o   Start with default passwords

o   In a threaded discussion, one Red Team member reminded Blue Team members to change the service passwords. This Red Team member said that “services like SQL and various management consoles are frequently overlooked by businesses and are often "easy win". When I find a blank SA password on a SQL box that is domain joined, we usually have complete network control in under 20 minutes.” Read the full thread here: http://forums.anandtech.com/archive/index.php/t-2218750.html

Use Hardening Guides and Templates

o   Advice on system hardening was discussed in the AnandTech Forums. One poster wrote that “most older systems (Windows 2003, XP, etc.) are notably stupid when it comes to baseline hardening. Run Microsoft's hardening templates that ship with domain controllers, or manually follow the Center for Internet Security (CIS) hardening guides if you are so inclined. Dumb things like LanManager hashing that is on by default in Windows environments or improper umasks in UNIX/Linux systems are where privilege escalation comes from.” The thread also advises: “Also be careful of unnecessary services like some of the old dumb finger services that give out information, as well as the old services like rsh and rlogin.” Read the full thread here: http://forums.anandtech.com/archive/index.php/t-2218750.html

Stop unnecessary services

o   Monitor your systems for unnecessary services. The AnandTech thread mentioned “some of the old dumb finger services that give out information, as well as the old services like rsh and rlogin.” Read the full thread here: http://forums.anandtech.com/archive/index.php/t-2218750.html
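
The two hardening points above and the unnecessary-services point both come down to the same quick check on a Linux box, so here is one added example (not from the CCDC page or the thread) that covers both: it flags the legacy services named in the thread (finger, rsh, rlogin and their relatives) from saved or live ss output and from inetd.conf, and it tests whether a umask leaves new files writable by other users. The port list, the inetd service names and the sample output are this example's own constructed choices:

```bash
#!/bin/bash
# Added example, not from the CCDC page or the thread: a quick Linux baseline
# check for the two items the thread calls out, legacy information-leaking
# services (finger, rsh, rlogin and company) and a permissive umask.
# Port list, inetd service names and sample data are this example's own choices.

# Legacy cleartext services that should not be listening on a scored box:
# telnet, finger, rexec, rlogin, rsh (all TCP).
LEGACY_SOCKETS=" tcp/23 tcp/79 tcp/512 tcp/513 tcp/514 "

# flag_legacy_listeners: reads `ss -H -lntup` lines on stdin and prints
# "LEGACY proto/port process" for each socket bound to one of the ports above.
# Matching on proto/port rather than port alone keeps udp/514 (syslog) out of it.
flag_legacy_listeners() {
    local proto state rq sq local_addr peer rest port proc
    while read -r proto state rq sq local_addr peer rest; do
        [ -z "$proto" ] && continue
        port=${local_addr##*:}                 # handles 0.0.0.0:79, [::]:79 and *:79
        case "$LEGACY_SOCKETS" in
            *" $proto/$port "*)
                # Pull the process name out of users:(("name",pid=...,fd=...)) when ss shows it.
                proc=$(printf '%s' "$rest" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
                printf 'LEGACY %s/%s %s\n' "$proto" "$port" "${proc:-unknown}"
                ;;
        esac
    done
}

# inetd_legacy FILE: prints the enabled (uncommented) telnet/finger/exec/login/shell
# entries of an inetd.conf-style file; empty output means none are enabled.
inetd_legacy() {
    grep -E '^[[:space:]]*(telnet|finger|exec|login|shell)[[:space:]]' "$1" || true
}

# check_umask MASK: succeeds if the octal mask clears the group- and world-write
# bits (022, 027, 077 ...), fails for masks such as 000 or 002 that leave new
# files writable by other users. The leading 0 forces octal arithmetic.
check_umask() {
    [ "$(( 0$1 & 022 ))" -eq "$(( 022 ))" ]
}

# Usage:
#   ss -H -lntup | flag_legacy_listeners       # then stop and disable what it lists
#   inetd_legacy /etc/inetd.conf
#   check_umask "$(umask)" || echo "umask $(umask) is too permissive"
```

On the Windows side the matching checks are the “Network security: Do not store LAN Manager hash value on next password change” policy setting and the service list in services.msc; this example stays on the Linux side.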

Patch and update:

o   Figure out how to sneakernet patches/updates. In many CCDC events, the Internet-connected systems are not directly connected to the competition systems.

Delete accounts that are not necessary for business functionality
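
The password advice above and this account advice are two halves of the same daily routine, so here is one added example (not from the CCDC page or the thread) that covers both on a Linux box: it lists login-capable accounts that are not on the team's expected list, lists accounts with an empty password field, and writes a chpasswd batch with a unique random secret per account. File paths are parameters so the checks can run on copies; the expected-account list and the sample data in the test are hypothetical.

```bash
#!/bin/bash
# Added example, not from the CCDC page: account hygiene helpers for the
# "change passwords" and "delete unnecessary accounts" advice. File paths are
# parameters so you can run the checks on copies; on a live box use
# /etc/passwd and /etc/shadow (root needed for shadow). Account names below
# are hypothetical.

# Shells that cannot start a session; an account with any other shell can log in.
NOLOGIN_RE='/(nologin|false|sync|halt|shutdown)$'

# unexpected_logins PASSWD_FILE "root alice ..."
# Prints login-capable accounts (UID 0 or a regular user >= 1000) that are not
# on the expected list: the second UID-0 account, or the user nobody created.
unexpected_logins() {
    local pw_file="$1" expected=" $2 "
    local name pw uid gid gecos home shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        printf '%s' "$shell" | grep -Eq "$NOLOGIN_RE" && continue
        if [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ]; then
            case "$expected" in
                *" $name "*) ;;                          # known account
                *) printf '%s uid=%s shell=%s\n' "$name" "$uid" "$shell" ;;
            esac
        fi
    done < "$pw_file"
}

# empty_passwords SHADOW_FILE
# Prints accounts whose password field is empty (no password needed to log in).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# gen_chpasswd "root alice ..."
# Emits one "user:secret" line per account for chpasswd(8); every secret is a
# fresh 24-character random string from /dev/urandom, so no two accounts share one.
# Swap in a diceware word list if the team prefers typeable passphrases.
gen_chpasswd() {
    local user secret
    for user in $1; do
        secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
        printf '%s:%s\n' "$user" "$secret"
    done
}

# Usage:
#   unexpected_logins /etc/passwd "root alice bob"   # then userdel, or usermod -L -s /usr/sbin/nologin
#   empty_passwords /etc/shadow
#   gen_chpasswd "root alice bob" > /root/rotate.txt && chpasswd < /root/rotate.txt
#   (record the new secrets for the team, then shred -u /root/rotate.txt)
```

Run the first two checks on every box as soon as you get access and again after every inject, and keep the rotation file off the box once the team has recorded the secrets.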

Know commands to secure systems as quickly as possible without having to use references

Use logs and analysis tools to keep your team aware of:

o   Service status

o   Network traffic
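
As an added example (not from the CCDC page), here is a small log-analysis function for the awareness this item asks for: it summarises an auth.log-style stream into the sources hammering SSH, the logins that actually succeeded, and any accounts that were created. It reads standard input, so it works on a saved copy or live; the threshold, the output format and the sample log lines in the test are this example's own constructed choices.

```bash
#!/bin/bash
# Added example, not from the CCDC page: summarise an auth.log-style stream so
# the team sees, at a glance, which sources are hammering SSH, which logins
# actually succeeded, and whether any accounts were created.
# Reads stdin; live use:  tail -F /var/log/auth.log | auth_summary
# Threshold and output format are this example's own choices.

# auth_summary [THRESHOLD]: prints
#   FAILED <ip> <count>            sources with >= THRESHOLD failed logins (default 3)
#   ACCEPTED <user> <ip> <method>  every successful sshd login, in stream order
#   NEWUSER <name>                 every useradd "new user" record
auth_summary() {
    awk -v thr="${1:-3}" '
        # "Failed password for [invalid user] NAME from IP port N ssh2": count per source IP.
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        # "Accepted password|publickey for NAME from IP port N ssh2": report who got in, and how.
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") {
                method = $(i+1); user = $(i+3); ip = $(i+5)
                printf "ACCEPTED %s %s %s\n", user, ip, method
                break
            }
        }
        # useradd records "new user: name=NAME, UID=..., ...": a new account is always worth a look.
        /useradd\[[0-9]+\]: new user: name=/ {
            if (match($0, /name=[^,]+/)) print "NEWUSER", substr($0, RSTART + 5, RLENGTH - 5)
        }
        END { for (ip in fails) if (fails[ip] >= thr) printf "FAILED %s %d\n", ip, fails[ip] }
    '
}

# Usage:
#   auth_summary 5 < /var/log/auth.log
#   tail -F /var/log/auth.log | auth_summary 1     # every failure, as it happens
```

An ACCEPTED line for an account nobody on the team was using, or a NEWUSER line the team did not cause, is the cue to go back to the account and password checks; the FAILED lines tell you which sources to bring up with the firewall rules.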

Remember that a reinstall or restoring images are not always a solution for remediation

o   In past competitions the Red Team penetrated systems early so that any images restored would include their exploit. The 2013 Captain of the Red Team, David Cowen, has seven years of CCDC experience. He wrote a blog post called NCCDC 2013 Lessons Learned, in which he also cautioned Blue Teams about the costly Service Level Agreement violation penalty that comes with reinstallation. Cowen writes, “This idea that reinstalling is the best way to recover from an intrusion is something that is not isolated to CCDC students, it’s a common trend in the industry. However as a CCDC competitor, you are under a microscope with an attacker who knows you have to put that system back up as soon as possible to stop the bleeding.” Read his full post here: http://hackingexposedcomputerforensicsblog.blogspot.com/2013_04_01_archive.html


Here is a list of advice and information that CCDC competitors and coaches have shared that will make new teams feel like veterans:

    • Access to the Internet is not guaranteed and is often filtered through a proxy. Once, Microsoft.com was blocked accidentally. The actual team networks will not be directly connected to the Internet. Each team will be able to route out of the central network, where they can download software and patches, use Google, etc.
    • All Internet traffic is monitored for rule violations and inappropriate content. So access to the Internet from your team systems will go through a proxy and central firewall.
    • Address the basics to harden your systems and prepare to defend. Keep in mind that even power supplies can have IP addresses and default passwords.
    • Security Thread wrote on the AnandTech.com boards, “Don't forget web applications. A lot of attacks begin with an SQL injection, or some otherwise equally bonehead coding or configuration problem on the web services. Exhaustively looking for those tends to be more time consuming than many service/network level issues, but it's still worth it.” http://forums.anandtech.com/archive/index.php/t-2218750.html
    • Social Engineering (SE) is part of the competition
    • Be prepared to adjust your plan based on the injects
    • Backup, backup, and backup again.
    • Stay mentally strong. It is possible that even a well prepared team may go through most of the competition with only 50% of their services working and may only have limited control of the machines on their team’s network.
    • Pay attention to operational security: check visitor credentials, monitor your equipment, use surveillance techniques, call in Law Enforcement if necessary
    • Running services earn points; the sophistication and quality of the solution is not rewarded. (P. Sroufe, S. R. Tate, R. Dantu, E. Celikel. “Experiences During a Collegiate Cyber Defense Competition,” Journal of Applied Security Research, Vol. 5, No. 3, 2010, pp. 382–396.)
    • It is possible that your team will not be given adequate resources or information to complete your tasks. Don’t be rattled – problem solve.


Understand the scoring and local rules: Qualifying events may not reflect the regional or National CCDC rules. Regional events may prioritize elements of scoring differently. Furthermore, rules may change annually. Check with your competition director to know whether these rules apply:

  • Competition teams may be able to purchase equipment (computers, routers, cables) using competition points
  • There will be limitations placed on your team’s ability to address problems. For example, changing passwords on your systems may require a written request to the Gold Team and may be restricted to once an hour (this is unique to each Region)
  • Competition teams may be able to remediate some of their mistakes by spending some of their competition points
