Protecting the Unprotectable
Call Us at: 951.NET.FORCE

Offensive Security

2014 WRCCDC Overview and Debrief

2014 WRCCDC Overview and Debrief

wrccdc_logo_lgThe idea behind CCDC (Collegiate Cyber Defense Competitions) and competitions like it are to allow students to showcase their skills and abilities in a pseudo-real world situation. These competitions are a wonderful addition to the Information Technology world and generally provide a positive addition to any student’s learning experience.

I am a Red Team member; it is my job to make your lives hell during competition. I use tools, skills, and Google to make your lives even worse than the Black Team does. I’m writing out this post for you Blue Team members to understand what Red Team does and how to possibly prevent Red Team from living on your Domain Controllers.

Blue teams are naturally at a disadvantage in this style of competition due to the nature of the beast. The attackers can gain footholds faster than patches can be applied or passwords changed. At WRCCDC the hour head start that teams get should be used to prioritizing your risk, applying as many patches as possible, removal of basic vulnerable services, user account auditing, and checking for basic password strength. Yes the machines provided are often broken, running Red Star Linux, or Server Core, but a simple reimage can solve many problems. The point value of a reimage is less costly than having me sit on a Server Core machine that your domain administrator who does not know how to properly manage the Server. From my position on a DC, I control access to every Windows Machine on the network and can pivot from any machine to another. This type of access allowed me to maintain persistence until the end of CCDC. By adding new domain administrator accounts, pivoting from DCs to client machines, with the traffic appearing to start from the DC to a client I was able to stay stealthier than if I was connecting to every machine via my Cobalt Strike server or client.

Here are some low hanging fruit that every blue team should know about and should think about:

  • Lack of user account auditing. Honestly, does “whiteteam” need to be a domain admin?
  • Creation of domain admin accounts. C1utch was all over your boxes blue teams.
  • Know what services are actually needed, disable or patch anything that you possibly can. By removing attack surface, the threat map gets smaller.
  • Look for default passwords and schemas. PostgreSQL this year was running as postgres with no password and default template1. This allowed me to dump SSH keys and maintain access to those machines
  • Service filtering. Stop SMB from traversing over the router if possible, removes many methods I use to maintain persistence.
  • IPv6 is a thing, know what it is, how to use it or disable it.

Rupert Cunningham says hello by the way.

#AmericanBlackout is really #AmericanFUD

#AmericanBlackout is really #AmericanFUD

How good (or rather how bad) was National Geographic’s American Blackout? I would argue pretty bad, even if the film was accurate.

On Sunday Night, National Geographic debut a fictional, cynical, survivalist movie on how Americans would react if there was an extended power outage due to a cyber attack that knocks out power for the entire nation.

The movie was largely billed as “the story of a national power failure in the United States caused by a cyber attack — told in real time, over 10 days, by those who kept filming on cameras and phones. You’ll learn what it means to be absolutely powerless. Gritty, visceral and totally immersive, see what it might take to survive from day one, and who would be left standing when the lights come back on.”

It was nothing more than 120 minutes of needless panic, despair, all designed to stir up fear, uncertainty, and doubt while selling advertisements for survivalist products and other doomsday television series on National Geographic. Largely, American Blackout had familiar themes found in NBC’s television series Revolution.

It was 120 minutes that could have been better spent catching up on sleep or an activity of choice. For those who missed it, consider yourselves fortunate.

First, forget the fact that the cyber attack at most made up five minutes of the entire movie. Some of the facts were simply downright wrong, such as the fact that the North American grid is interconnected between Canada and Mexico. Granted the grids can be separated like it did in 2003 during the North East Blackout, any widespread loss of power would have affected our neighbors to the north and south. We clearly saw how the 2003 North East Blackout affect both Canada and the United States. Moreover, we also know that there likely be select pockets of power online within a relative short period of time. Again, see the 2003 North East Blackout for examples.

Assuming a massive nation-state sponsored successfully coordinated a cyber attack on one part of the North American Electrical Grid, it would not personally surprise me that utilities across the country would respond appropriately to defend themselves. Moreover, a cyber attack of this magnitude would create massive ripples in a matter of hours in the global economy.

The storyline is plausible, only because anything is possible, but it is extremely unlikely and farfetched at best. The storyline itself could have used a number of alternative plots to illustrate the consequences of a long-term power outage.

But more importantly, it was a massive missed opportunity to share and educate how vulnerable any organization or any technology we employ, including the electrical grid, is from a cyber attack. Alas, they rather spend 5 minutes of a 120 minute movie citing a cyber attack that took humanity to the brink of self-destruction.

Page 1 of 11