2014 WRCCDC Overview and Debrief


The idea behind CCDC (Collegiate Cyber Defense Competitions) and competitions like it is to let students showcase their skills and abilities in a pseudo-real-world situation. These competitions are a wonderful addition to the Information Technology world and generally a positive addition to any student's learning experience.

I am a Red Team member; it is my job to make your lives hell during competition. I use tools, skills, and Google to make your lives even worse than the Black Team does. I’m writing out this post for you Blue Team members to understand what Red Team does and how to possibly prevent Red Team from living on your Domain Controllers.

Blue teams are naturally at a disadvantage in this style of competition due to the nature of the beast: the attackers can gain footholds faster than patches can be applied or passwords changed. At WRCCDC, the hour head start that teams get should be used to prioritize your risk, apply as many patches as possible, remove basic vulnerable services, audit user accounts, and check for basic password strength. Yes, the machines provided are often broken, running Red Star Linux, or Server Core, but a simple reimage can solve many problems. The point cost of a reimage is less than the cost of having me sit on a Server Core machine that your domain administrator does not know how to manage properly.

From my position on a DC, I control access to every Windows machine on the network and can pivot from any machine to another. This type of access allowed me to maintain persistence until the end of CCDC. By adding new domain administrator accounts and pivoting from DCs to client machines, with the traffic appearing to originate from the DC, I was able to stay stealthier than if I had been connecting to every machine from my Cobalt Strike server or client.

Here is some low-hanging fruit that every blue team should know about and think about:

  • Lack of user account auditing. Honestly, does “whiteteam” need to be a domain admin?
  • Creation of domain admin accounts. C1utch was all over your boxes, blue teams.
  • Know what services are actually needed; disable or patch anything that you possibly can. By removing attack surface, the threat map gets smaller.
  • Look for default passwords and schemas. PostgreSQL this year was running as postgres with no password and the default template1 database. This allowed me to dump SSH keys and maintain access to those machines.
  • Service filtering. Stop SMB from traversing the router if possible; that removes many of the methods I use to maintain persistence.
  • IPv6 is a thing: know what it is and how to use it, or disable it.

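The first two items are the ones Red Team leans on hardest, so here is a worked example of what the account audit looks like once you stop doing it by eye. This is an example added to this write-up, not tooling from the original post or from the competition: it takes Security-log events exported from a domain controller and flags every addition to a privileged group whose member is not on your baseline list, rating the create-then-promote pattern described above as critical. The event IDs are the documented Windows ones (4720 account created; 4728/4732/4756 member added to a global, local or universal group) and the field names are the EventData names those events carry; the sample events, the team.local domain and the approved-admin list are constructed for the example.

```python
"""Correlate Windows Security events to spot rogue privileged-group membership."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

USER_CREATED = 4720                 # "A user account was created"
MEMBER_ADDED = {4728, 4732, 4756}   # member added to a global / local / universal group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events (not real logs). A 4720 names the new account in
# TargetUserName; the 47xx group events name the group in TargetUserName and the
# member's distinguished name in MemberName. 4624 is logon noise to be ignored.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2014-03-29T08:12:00", "SubjectUserName": "blueadmin",
     "TargetUserName": "blueadmin"},
    {"id": 4728, "time": "2014-03-29T08:30:00", "SubjectUserName": "blueadmin",
     "MemberName": "CN=whiteteam,CN=Users,DC=team,DC=local", "TargetUserName": "Domain Admins"},
    {"id": 4728, "time": "2014-03-29T08:35:00", "SubjectUserName": "administrator",
     "MemberName": "CN=blueadmin,CN=Users,DC=team,DC=local", "TargetUserName": "Domain Admins"},
    {"id": 4720, "time": "2014-03-29T09:05:00", "SubjectUserName": "administrator",
     "TargetUserName": "c1utch"},
    {"id": 4728, "time": "2014-03-29T09:06:00", "SubjectUserName": "administrator",
     "MemberName": "CN=c1utch,CN=Users,DC=team,DC=local", "TargetUserName": "Domain Admins"},
    {"id": 4732, "time": "2014-03-29T09:07:00", "SubjectUserName": "administrator",
     "MemberName": "CN=c1utch,CN=Users,DC=team,DC=local", "TargetUserName": "Administrators"},
]
APPROVED_ADMINS = {"administrator", "blueadmin"}   # assumed team baseline from the head start


def cn_from_dn(dn: str) -> str:
    """Return the leaf CN of a distinguished name, or the input unchanged."""
    m = re.match(r"^CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def find_rogue_admins(events, approved, window=timedelta(hours=1)):
    """Findings for privileged-group additions whose member is not approved.

    An account that was created and then promoted within `window` is the
    "new domain admin" pattern from the debrief and is rated critical.
    """
    approved = {a.lower() for a in approved}
    created = {}                                    # account -> (creation time, creator)
    for e in events:
        if e["id"] == USER_CREATED:
            created[e["TargetUserName"].lower()] = (
                datetime.fromisoformat(e["time"]), e["SubjectUserName"])

    findings = []
    for e in events:
        if e["id"] not in MEMBER_ADDED or e.get("TargetUserName") not in PRIVILEGED_GROUPS:
            continue
        member = cn_from_dn(e["MemberName"]).lower()
        if member in approved:
            continue
        finding = {"time": e["time"], "account": member, "group": e["TargetUserName"],
                   "added_by": e["SubjectUserName"], "severity": "high"}
        if member in created:
            born, creator = created[member]
            age = datetime.fromisoformat(e["time"]) - born
            if timedelta(0) <= age <= window:
                finding["severity"] = "critical"
                finding["note"] = f"created by {creator} {int(age.total_seconds() // 60)} min earlier"
        findings.append(finding)
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_rogue_admins(SAMPLE_EVENTS, APPROVED_ADMINS):
        print(f"{f['severity']:8} {f['time']} {f['account']} -> {f['group']} "
              f"(by {f['added_by']}) {f.get('note', '')}")
```

Group changes are logged on whichever DC processed them, so pull the Security log from every DC, not just the PDC emulator. For each finding, pull the membership, disable the account, and treat the SubjectUserName that made the change as a compromised credential that needs its password rotated, because that is how Red Team got there in the first place.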
Rupert Cunningham says hello by the way.

CyberPatriot National Finals this week


This weekend marks the end of CyberPatriot VI with the National Competition at the Gaylord National Convention Center in National Harbor, MD. It has been an amazing journey these last few months guiding and training these brilliant young minds at Troy High School. As my responsibilities and duties conclude for this season of CyberPatriot VI, I reflect upon the joys, the frustrations, the highs and the lows. And yet, I cannot help but smile and experience joy at every moment. Honestly, I felt like I got the better end of the deal. I gained so much more and grew in so many ways that I think my mentees do not even realize.

I want to say it’s easy being a cybersecurity mentor, but it is almost like a full-time job. Thankfully my fellow colleagues at Net Force have been gracious enough to allow me some leeway to make up some hours in the evening during mentorship sessions. Thank you to my colleagues for the flexibility and patience with my ever-changing schedule.

I am extremely proud of each member of this year’s CyberPatriot VI team at Troy High School. I kept throwing more at them and they kept rising to the challenge.

I encourage everyone to consider mentoring a team or a few students next year. It is extremely rewarding, emotionally and spiritually.

To next year’s mentors:

  • Care for your mentees. Make that emotional investment. There is nothing more rewarding than when they see you and their faces light up. Especially in victories, when they see you they will come running to you and hug you. You will in many ways become an older brother/sister figure in their lives.
  • Be patient. Be compassionate. Be merciful. Be full of grace and forgiveness. Mentees will drive you crazy. Mentees will make mistakes. This is all part of the learning process. That is why they are here: to learn, to grow.
  • Be accessible. Be available. Students hear the word mentor and they automatically put distance between themselves and you. Close the gap and engage them. Engage all of them. Even that shy mentee in the corner. Get to know who they are.
  • Encourage your mentees. Build them up. It is easy to become discouraged. Each student has unlimited potential. We as mentors need to teach them how to harness that potential.
  • Everything matters. The technical skills. The soft skills. The behavior. Who they become as an individual. Help them to become better men and women. Groom them to be polite, respectful, honorable young men and women. They will adopt your behavior, your good and bad habits. Chivalry is not dead. 😉
  • It is okay to not know everything. I will be the first to say I don’t know everything, or anything. Don’t be afraid to ask for resources, help, guidance and wisdom. I attribute much of my success with my group of mentees this year not to my own knowledge or doing, but to going out and asking questions, seeing how my professors and other coaches/mentors approach things, and actively listening to them. Everyone will share with you a small bit of information about what worked and what didn’t work for them. Focus on your strengths. Identify your weaknesses. Let those who have strengths in your weaknesses help you.
  • Most importantly: what you do matters. By being a part of their lives, you will shift their lives in ways you will never know or understand. Positively influence them. You will inspire them to achieve great things.

To my mentees/protégés/future colleagues/friends/brothers in cybersecurity:

  • If you happen to win this week, awesome, but give it your all. Have no regrets. At the end of the competition, walk away with your heads held high knowing you did your best at that moment in time.
  • Be confident in your skills. You know your stuff. You have been preparing this entire academic year. You are ready. Remember, this is a journey of a lifetime. This is only the beginning of something amazing. Not the end. Tomorrow is and will be another day. This is the time of your lives right now. You’re never going to forget it. It will be all over in a moment. No sad faces. No regrets. Just go out there tomorrow and have a blast. Live it. Carpé Momentum. (Seize the Moment). Have fun.
  • I have complete confidence in each of your abilities, talents, skills, knowledge.
  • I’m extremely proud of each and every one of you. Each of you has grown so much, and I cannot stress enough that each of you is an amazing individual. You’ve won my admiration and my respect, and I look forward to the day each of you joins the ranks in this industry full-time. Each of you has accomplished much this year, and to the senior class that is leaving high school, I hope all of you will return and mentor future CyberPatriot teams and individuals. I hope you also look at being part of the US Cyber Challenge as well.

If you are in the National Harbor, MD, or DC Metro area this week, I encourage everyone to come out this Friday, March 28, and check out CyberPatriot VI. Tours will be given all day at the competition venue (Gaylord National Center).

2014 Western Regional Collegiate Cyber Defense Competition (WRCCDC) Analysis


Last Saturday marked the beginning of the 2014 Western Regional Collegiate Cyber Defense Competition Season with the successful completion of qualifiers. Over the past four years, I have watched this competition expand and grow so much that there are now fourteen universities and colleges across California, Nevada and Arizona vying for a chance to compete at the National Collegiate Cyber Defense Competition with several more schools looking to assemble teams in coming months to compete in the 2015 season.

For the schools that advanced, congratulations. See you at the end of March where you will face off against some members of our own Net Force Red Team.

For those who were unable to advance and walked away disappointed, don’t. This is merely the beginning of your journey.

I encourage you to continue pursuing this field and this challenge, and don’t give up! Failure only happens if you walk away and give up. No one becomes good in this field or any other field without hard work, and practice, practice, practice. There is no secret to success.

Furthermore, WRCCDC itself has increased in challenge and difficulty, and it will continue to be that way. It’s not meant to kick you out of the competition because we don’t want you there. We honestly do. Rather, the adversary is getting better every day, and we need the good guys to be stronger, faster and better at analytics, analysis, triage, and incident response. Truthfully, we are far behind where we should be. The adversary is becoming stronger each and every day, and so are we. We simply have not overtaken them yet.

Lessons Learned:

Here are some notes on issues you most likely experienced and areas to work on. Not everything will apply; however, after watching four seasons of teams compete, there are always a few items that stand out and affect all teams.

  • Know your environment. Know your network. We always provide a topology as a snapshot and a baseline reference; it gives you an idea of what to expect. It is also like real life: network topologies are highly inaccurate and inconsistent, especially in production. Moreover, the topology is an indicator of where there may be single points of failure. For example, in the qualifiers, the central point of failure was the pfSense box: if it went offline, it took everything offline.
  • Know where the low-hanging fruit is. What hurts the most in the long term is going to be the low-hanging fruit. It is always the easiest fruit and the lowest branch that an adversary grabs first, and once they have a grip on the tree, it is hard to shake them off. Low-hanging fruit consists of the most CRITICAL patches, as well as those pesky user credentials, among other things.
  • Know your game plan. Five minutes of planning is better than spending fifty minutes running around like a chicken without a head. The first five minutes should quite literally be all muscle memory, to the point where you can come in running and know what to do without asking what needs to be done. Constantly strive to optimize your processes and find ways to shave off a few seconds. There is always some method, technique or tool that lets you do things faster, smarter and with less energy. Saving a few seconds here and there adds up to minutes, and possibly hours, of savings when keeping the red team out.
  • Know the services, and know what makes them tick. Every service, whether web, mail, FTP, Active Directory or DNS, has a certain combination of ports and components that makes it function. For example, you can always assume that an Active Directory box is also a DNS box, and that an eCommerce box is backed by some sort of database. Know which ports each service uses, too, so that an unexpected listener stands out.
  • Know your role, and know where your single point of failure is. It is important to be able to spread the workload and to know when someone is being overwhelmed. Everyone should have a specialty, but everyone should also know the basics, or at least know how to get a subject matter expert to where they need to be so they can do what needs to be done. Too often a team has a single expert in one area and underestimates where its single point of failure is; when that one person fails or is overwhelmed, things tend to go horribly wrong.
  • Know more than simply technical skills. Brush up and polish up your soft skills. WRCCDC is simply more than a technical competition. It is a business competition. It is about people, processes, and technology.

    At WRCCDC, and any other CCDC, it is a test of your ability to manage stress, your project management skills, your leadership skills (remember, everyone can lead, not everyone has the authority), your skills as a team member, investigator, communicator (with each other and with management) and writer, and your wisdom to know when you need to ask for help when you’re simply overwhelmed. There are so many soft skills that lead to a successful team. Yes, I know you may disagree with me on this; however, successful teams know their limits and identify weaknesses. They work together to overcome those weaknesses or ensure they cover the weaknesses with their strengths. They work together to find compensating controls and processes. Leaders are encouraging, and they help build their team members up.
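On the "know the services and their ports" point, here is an added example of turning that knowledge into a check (this is example code written for this post, not something from the original author or the competition). It parses `ss -ltnp` output and compares each listener against what a box of a given role should need, flagging unexpected services and, separately, services that are also reachable over an IPv6 wildcard address. The role baselines are my assumptions for typical builds and must be adjusted to the topology you are handed; the ss output is constructed for a box that is supposed to be a web server.

```python
"""Compare a box's listening TCP sockets against the ports its role should need."""
from __future__ import annotations

import re

# Assumed per-role baselines: TCP ports a clean build of that role listens on.
# Tune to your topology. AD domain controllers also serve DNS, hence 53 here.
ROLE_BASELINES = {
    "ad-dns": {53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269},
    "web":    {22, 80, 443},
    "mail":   {22, 25, 110, 143, 587, 993, 995},
    "db":     {22, 5432},
}
WILDCARDS = {"0.0.0.0", "*", "::"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `ss -ltnp` output for a box whose role is "web".
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1033,fd=6))
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1310,fd=40))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=970,fd=13))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     [::]:5432            [::]:*             users:(("postgres",pid=1201,fd=6))
"""

_PROC = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output: str):
    """Yield (address, port, process) for each LISTEN line of `ss -ltnp` output."""
    for line in output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "LISTEN":
            continue                                  # header or non-listening line
        addr, _, port = f[3].rpartition(":")          # rpartition: IPv6 has its own colons
        addr = addr.strip("[]")
        m = _PROC.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def audit_listeners(output: str, role: str) -> list[dict]:
    """Flag listeners a box of `role` should not expose to the network."""
    expected = ROLE_BASELINES[role]
    findings = []
    for addr, port, proc in parse_ss(output):
        if addr in LOOPBACK:
            continue                                  # not reachable from the network
        is_v6 = ":" in addr                           # IPv4 literals never contain a colon
        if port not in expected:
            findings.append({"port": port, "process": proc, "addr": addr, "ipv6": is_v6,
                             "kind": "unexpected",
                             "action": f"stop/disable {proc} or bind it to localhost"})
        elif is_v6 and addr in WILDCARDS:
            findings.append({"port": port, "process": proc, "addr": addr, "ipv6": True,
                             "kind": "ipv6",
                             "action": f"{proc} is reachable over IPv6; filter it there too or disable IPv6"})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, "web"):
        print(f"{f['kind']:10} {f['addr']}:{f['port']} ({f['process']}): {f['action']}")
```

Run it against the real `ss -ltnp` (or `netstat -tlnp` on older boxes) from each Linux host during the head start; the "unexpected" findings are the attack surface to remove, and the "ipv6" findings are the listeners your IPv4-only firewall rules are not protecting. The same listener produces a different verdict under a different role, which is the point: the baseline has to come from what the box is for, not from what happens to be installed.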

WRCCDC is an interplay of people, processes and technology. It tests the dynamics and personalities between people. It tests your processes. It tests your technical skills and know-how.

I look forward to seeing each and every one of you compete in the coming months. Remember, this is only the beginning of an amazing journey, not the end.

More Than 900,000 accounts compromised in vBulletin.com and vBulletin.org Data Breach


Approximately 401,120 vBulletin.com and 503,204 vBulletin.org member accounts (users who post on each respective site) are being asked to change their passwords after accounts on both websites were compromised in an attack.

How many victims? About 900,000

What type of personal information? Usernames, email addresses, and hashed passwords. It is unknown at this time whether members’ area information and any personally identifiable customer information are at risk.

What was the response? An internal investigation is ongoing. Wayne Luke, vBulletin Technical Support Lead, posted about the attack, alerting users to the data breach and encouraging them to update their passwords.

Details of attack: A development server, mainly used for quality assurance, was successfully broken into during the summer. Sometime between the summer and early October, the attackers successfully gained access to the primary database server, installed Adminer (formerly phpMinAdmin) and accessed the vBulletin.com and vBulletin.org user tables. At the conclusion of the attack, they deleted Adminer.

The log files that were examined do not show any attempted access to customer data in the support system; they indicate that the attackers targeted the vBulletin user table. Log integrity is in question, however, given that the attackers deleted evidence of their presence.

Quote: “We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Source: vBulletin.com and vBulletin.org