PRCCDC 2014 Recap By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip

2 Scott Amack – PRCCDC Scenario
- Shark Industries, weapon manufacturer
- Incomplete network map provided
- 4 Windows 7 machines
- 4 Windows XP machines
- Plus various network machines: file and mail server, “HMI” computer, domain controller, VPN server, web server

3 Scott Amack – PRCCDC Team Preparation
- RADICL Lab down
- Prepped team for injects
- Team had to practice on their own VMs
- Prepped team to think fast on their feet
- Lots of quick exercises in prep class

4 Scott Amack – PRCCDC Scores
- Team scored 6th overall
- 1st place in Incident Response
- 2nd place in Injects (15 points from 1st)
- 1st place in Uptime
- 11th place in attacks against us

5 Scott Amack – PRCCDC Inject Scores

6 Scott Amack – PRCCDC Uptime Scores

7 Scott Amack – PRCCDC Lessons Learned
- Need to teach team how to find and eradicate malware
- Need to defend against RATs (Dark Comet and Poison Ivy variants)
- Need to learn how Cobalt Strike Beacons can be eradicated
- Really need a lab environment to practice in
- Need to learn multiple tools for doing different tasks

8 Scott Amack – White Team Debrief
- Centralized leadership was excellent
- Each member assigned a specific role works very well
- Inject with team captain out sick did not work so well for us
- Liked that we drew diagrams on the board
- Liked that we asked unauthorized visitors to leave immediately
- Quick solutions to the right problems is the way to win

9 Ranger Adams - Responsibilities
- Going in
  - Web Server (Ubuntu)
  - Maybe MySQL there
- Web Server (Ubuntu)
- Web Server (IIS)
- MySQL Box (Ubuntu)
- Application Server (IIS)

10 Ranger Adams - Preparation
- Linux
- PHP/JavaScript
- Linux services
- Basic Windows

11 Ranger Adams - Mistakes
- UFW blocking MySQL
- Full control of assets
- Attention to Windows
- Windows Firewall

12 Ranger Adams – Lessons Learned
- Firewalls are tricky, but powerful
- Learn more breadth, less depth

13 Jeff Crocker - Responsibilities
- Email Server

14 Jeff Crocker - Preparation
- Email Server
- Online tutorials
- Veteran knowledge
- Presentations
- Passwords

15 Jeff Crocker - Mistakes
- Open relay fix
- Sitting by the phone
- User accounts
- Excessive passwords

16 Jeff Crocker – Lessons Learned
- Check assumptions
- Gear switching
- Googling skills
- Availability vs. Integrity

17 Ben Cumber - Responsibilities
- Windows File Server
  - Windows 2008 R2 server
  - Running freeFTPd
- Windows XP workstations 7 and 8

18 Ben Cumber - Preparation
- Windows hardening guide on personal machine.
- Read through team binder.
- Reviewed PRCCDC rules.

19 Ben Cumber - Mistakes
- Couldn’t RDP to Windows server.
- Could not connect to file service.
- Reinstalled file service (wasn’t necessary).

20 Ben Cumber – Lessons Learned
- RDP
- FileZilla and WinSCP
- Gained a much better understanding of what exactly a file server is.

21 Keith Drew - Responsibilities
- Maintain logs of system changes
- Maintain telephone logs
- Windows workstation hardening

22 Keith Drew - Preparation
- Documentation
- Mini lab on personal computer
- Developed hardening guides

23 Keith Drew - Mistakes
- Not killing malicious process
- Not utilizing all tools available to me (vSphere Client)

24 Keith Drew – Lessons Learned
- How attacks are performed

25 Heather Haphey - Responsibilities
- Smoothwall virtual router
- Handle injects
- Policy writing
- Report generation
- Briefing
- Binder creation

26 Heather Haphey - Preparation
- Researched Smoothwall and virtual routing
- Reviewed and rewrote real policies
- Practiced briefing
- Collected and created binder materials
- Read offensive and defensive tactics

27 Heather Haphey - Mistakes
- Learned wrong virtual router: Vyatta instead of Smoothwall
- Didn’t back up editable sample documents
- Realized the router GUI too late
- Not prepared to detect and prevent attacks

28 Heather Haphey – Lessons Learned
- More research about red team tools
- Back up anything useful
- Snapshot -> Harden -> Snapshot
- Get injects done ASAP, use full time
- Review requirements part-way through
- Stay focused on AOR, remain calm
- ASK ASK ASK and trust intuition
- Get into the scenario, seek real answers

29 Nate Krussel - Responsibilities
- Windows Active Directory
  - Group Policies
  - Domain knowledge
- Team Co-Captain
  - Help in team preparation
  - Back up to Scott
- Knowledge transfer
  - Sharing experience and strategies that have worked or not worked in past competitions

30 Nate Krussel - Preparation
- Doing previous years’ injects
  - Even if not exactly the same, may be fairly close
- Read up on required services/ports
  - Often the competition has more open things than needed to run the required service
- Industry hardening guides
  - Give the quick and useful information on hardening
- Acquired general knowledge
  - Easier stepping into Scott’s shoes if need be

31 Nate Krussel - Mistakes
- Firewall rules
  - Need to only allow certain IPs to be allowed to access domain and domain resources
  - Should slow down the red team
- Too much time as Domain Admin account
  - Much easier for red team to steal credentials if they break into the box
- Not checking scheduled tasks
  - Allowed red team to manipulate our firewalls across domain
- Didn’t lock out all additional user accounts that weren’t required for score bot or us
  - Not how a normal business runs, but works well for the competition

32 Nate Krussel – Lessons Learned
- Always scan inside and outside your network and speak up if a new box appears
- If given vSphere client, turn off servers’ RDP and SSH abilities (if possible) and use the client
- Check firewall rules regularly
- Use virtual router to try and limit access by port level if possible; reduces attack surface greatly
- Always communicate and make sure to get confirmation of a task that needs to be done, to make sure the message got across
- Easier to have the DC auto update the group policy instead of having everybody update it themselves
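The first and third lessons above (scan your own network from inside and outside, and check firewall rules regularly) only pay off if someone actually compares the new scan against the last one. The script below is an added example, not material from the PRCCDC slides or from any of the presenters: it parses two nmap grepable-format (`-oG`) scan files and reports hosts that were not in the baseline and ports that were not open before, which is the fastest way to notice both an unknown box and a firewall rule that quietly changed. Both scan texts are constructed samples with made-up addresses; the only assumption about nmap is its documented `Host: ip (name)<TAB>Ports: port/state/proto//service///` line layout.

```python
"""Diff two nmap grepable (-oG) scans to spot new hosts and newly exposed ports.

Added example, not from the PRCCDC recap. Assumes nmap's -oG line format:
  Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...
Both scan texts are constructed samples, not real competition data.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: baseline scan taken right after the team hardened its subnet.
BASELINE_SCAN = """\
# Nmap 6.47 scan initiated (constructed sample)
Host: 10.10.0.10 (dc01)\tStatus: Up
Host: 10.10.0.10 (dc01)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///\tIgnored State: filtered (997)
Host: 10.10.0.20 (web01)\tStatus: Up
Host: 10.10.0.20 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

# Constructed sample: a later scan after a firewall rule changed and an unknown host appeared.
LATER_SCAN = """\
# Nmap 6.47 scan initiated (constructed sample)
Host: 10.10.0.10 (dc01)\tStatus: Up
Host: 10.10.0.10 (dc01)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (996)
Host: 10.10.0.20 (web01)\tStatus: Up
Host: 10.10.0.20 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 10.10.0.77 ()\tStatus: Up
Host: 10.10.0.77 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# port / state / proto / owner / service / (rest ignored)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {ip: {(port, proto), ...}} containing only ports nmap reported as open."""
    hosts: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip = m.group(1)
        hosts.setdefault(ip, set())
        for field in line.split("\t")[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, _service in PORT_RE.findall(field):
                    if state == "open":
                        hosts[ip].add((int(port), proto))
    return hosts


def diff_scans(baseline: str, current: str) -> Dict[str, object]:
    """Report what `current` exposes that `baseline` did not, plus hosts that vanished."""
    before = parse_grepable(baseline)
    after = parse_grepable(current)
    new_hosts: List[str] = sorted(set(after) - set(before))
    new_ports: Dict[str, List[Tuple[int, str]]] = {}
    for ip, ports in after.items():
        if ip in before and ports - before[ip]:
            new_ports[ip] = sorted(ports - before[ip])
    missing_hosts: List[str] = sorted(set(before) - set(after))
    return {"new_hosts": new_hosts, "new_ports": new_ports, "missing_hosts": missing_hosts}


if __name__ == "__main__":
    report = diff_scans(BASELINE_SCAN, LATER_SCAN)
    for ip in report["new_hosts"]:
        print(f"NEW HOST {ip}: nobody on the team should have added this, speak up")
    for ip, ports in report["new_ports"].items():
        for port, proto in ports:
            print(f"NEW PORT {ip} {port}/{proto}: find the firewall rule or service that exposed it")
    for ip in report["missing_hosts"]:
        print(f"MISSING HOST {ip}: down, or now filtered by a rule change")
```

Running the scan from the Kali box on the outside and again from a workstation on the inside, then diffing each against its own baseline, shows both what the red team can reach and what changed on the domain since the last check. The parser only counts `open` ports, so a host that became filtered shows up as a removed port rather than as noise.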

33 Chris Waltrip – Responsibilities
- Kali Linux VM
  - Outside of corporate network
  - Used to see what is visible from the outside
  - Port scanning
  - Network sniffing
  - Vulnerability analysis
- Windows Server 2008 R2 (HMI Server)
  - Not initially planned

34 Chris Waltrip - Preparation
- Learned the basics of Nmap and Wireshark
- Researched Web Application Firewall
  - Specifically ModSecurity
  - Never actually used
- Created cheat sheets
  - Useful tools
  - Common & useful commands

35 Chris Waltrip - Mistakes
- Didn’t see VPN on second day
  - Nmap port scans
  - Wireshark DNS traffic
- HMI Server
  - Saw server, but thought it was the Vyatta firewall
  - Didn’t know default credentials
  - Attached to domain
- Cobalt Strike Beacons

36 Chris Waltrip – Lessons Learned
- Tons!
- Nmap and Wireshark
- Team dynamics & collaboration
- Cobalt Strike’s Beacon
  - Has its own packaged DNS server
- How effective our countermeasures were
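The point about the Beacon carrying its own DNS server is what makes it visible in the "Wireshark DNS traffic" the team was already capturing: a beacon that talks over DNS produces a stream of unique, random-looking labels under one external domain at a steady cadence, which looks nothing like a user browsing. The script below is an added example written for this recap, not code from the slides, from Cobalt Strike, or from any of the presenters; it applies that heuristic to a constructed, simplified query log of `<unix_ts> <client_ip> <query_name>` lines. Thresholds, the two-label "registered domain" approximation, and all addresses and names are assumptions chosen for the sample.

```python
"""Flag DNS clients whose query pattern looks like DNS-tunnelled beaconing.

Added example, not from the PRCCDC recap. Input is a constructed, simplified
query log with one "<unix_ts> <client_ip> <query_name>" record per line.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log. 10.10.0.31 asks for twelve different random-looking labels
# under one external domain, one per minute; 10.10.0.32 looks like ordinary browsing.
SAMPLE_LOG = "\n".join(
    [f"{1000 + 60 * i} 10.10.0.31 a{i:02d}f3c9b1.updates.example.net" for i in range(12)]
    + [
        "1005 10.10.0.32 www.example.org",
        "1011 10.10.0.32 cdn.example.org",
        "1230 10.10.0.32 www.example.org",
        "1400 10.10.0.32 mail.example.org",
        "1444 10.10.0.32 www.example.org",
    ]
)


def base_domain(name: str) -> str:
    """Approximate the registered domain as the last two labels (no public-suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> Dict[Tuple[str, str], List[Tuple[float, str]]]:
    """Group queries as {(client, base_domain): [(timestamp, full_name), ...]}."""
    groups: Dict[Tuple[str, str], List[Tuple[float, str]]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        ts, client, name = parts
        groups[(client, base_domain(name))].append((float(ts), name.lower()))
    return groups


def score_group(entries: List[Tuple[float, str]], min_queries: int = 10,
                min_unique_ratio: float = 0.8, max_interval_cv: float = 0.5) -> dict:
    """Compute volume, name diversity and timing regularity for one client/domain pair."""
    entries = sorted(entries)
    count = len(entries)
    unique_ratio = len({name for _, name in entries}) / count
    gaps = [later[0] - earlier[0] for earlier, later in zip(entries, entries[1:])]
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        # coefficient of variation: 0 means perfectly regular spacing
        interval_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    else:
        interval_cv = float("inf")
    suspicious = (count >= min_queries
                  and unique_ratio >= min_unique_ratio
                  and interval_cv <= max_interval_cv)
    return {"count": count, "unique_ratio": round(unique_ratio, 2),
            "interval_cv": round(interval_cv, 2), "suspicious": suspicious}


def find_beacons(text: str) -> Dict[Tuple[str, str], dict]:
    """Return only the client/domain pairs that trip the heuristic."""
    flagged = {}
    for key, entries in parse_log(text).items():
        score = score_group(entries)
        if score["suspicious"]:
            flagged[key] = score
    return flagged


if __name__ == "__main__":
    for (client, domain), s in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> *.{domain}: {s['count']} queries, "
              f"{s['unique_ratio']:.0%} unique names, interval CV {s['interval_cv']}")
```

The name-diversity count is the signal worth trusting; the interval check is there to show why a steady one-per-minute cadence stands out, but beacons are normally configured with jitter, so treat a low coefficient of variation as a bonus rather than a requirement. In Wireshark the same view comes from filtering on `dns` and sorting by query name, which is exactly the traffic the team had in front of it on day two.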

37 Pictures from Event
