Sunday, March 8, 2015

ISTS12 Thoughts, Notes, Feedback, Braindump -- Airport Edition

--Airport Edition--

Was asked to play on the Red Team for ISTS 12 at Rochester Institute of Technology.

The ISTS even runs similarly to the CCDC events, except they all teams to attack each other for points.

Anyway here are some musing on the weekend in various categories

-Things to tell the teams
-Metasploit vs Canvas
-Thoughts on the game and suggestions

Things to tell the teams:

Mubix has a great deck he updates every year on how to win at CCDC, most of it applies to ISTS.  I mentioned to the team that they should review it for next year

Things I'd add

  • On *nix and OS X try to learn osquery before the event.  This is a pretty quick and easy was to get some host instrumentation  on *nix/OS X
  • Sysinternals tools for windows
  • Do OSINT on your red team (ideally before the event), check their blogs, see how they *publicly* persist learn to look for that stuff during the event.  Example: Raf from Strategic Cyber (Cobalt Strike) was there, using beacon. Read his docs on how beacon works or how he does other persistence and go look for it.
  • Have team roles 
  • Decide if you want to win, attack, defend, etc.  A bunch of points came during the ISTS event came from doing challenges.  In fact it looked like most teams abandoned securing hosts and worked on challenges as there we more points to be made doing that than keep services up.
  • pwnwiki 
  • make your own personal wiki to keep up with how you hack stuff

Life Stuff

  • Have fun--If something isn't making you happy and you have the option NOT to do it. Then don't. You have the rest of your life to work. Ian mentioned this in his keynote.
  • Manage your social media presence.  If you want to post drunk pictures then create your _sec twitter handle and keep that one professional.  Its hard to get rid of trolls once you have them and employers are going to check you out online.
  • Blog.  Blogs are for you and your notes.  They have the added benefit of (hopefully) being useful for others or serving as a time capsule for your evolution in your career.
  • Learn devops tools. Chef, vagrant, docker, packeransible, fabric, AWS, nonsql databases (memcache, mondo, redis), Elasticsearch.  There are all super powerful tools and they almost all create security vulnerabilities too.
  • Learn to program.  Ruby or Python && bash for scripting.  C++/C# for hardore shiz.
  • Its easier to go from red to blue than blue to red, but easier to go from IR to red.
  • Stay at company until you and the company no longer get value from each other unless there is a monetary reason to stay a bit longer (vesting).
  • Make friends with people you can meet in person too.
  • Invest your money from the beginning, by they time you realize you haven't been saving enough you are going be old(ish) and have to devote much more cash to plus up the 401k/IRA than you would have needed to if you just started saving that 10% in your 20's.
  • Have fun.

Metasploit vs Canvas
--mostly because someone asked on twitter--
CCDC events give me the ability to try things and get caught which is something i didn't always get to do as a consultant. During these events i get to post cool pictures of me popping shells with Metasploit and Canvas.  I used to have a copy of Core Impact and was able to use that too...sadly no more.

I'm primarily a Metasploit guy but its nice to have an alternate source of exploit. For example at ISTS there were hosts vuln to DCOM but the metasploit module didn't work. The Canvas version did. Other examples Canvas ships with a Windows rootkit (HCN) and has more linux local exploits. Metasploit has mimikatz and token stealing built in.

Thoughts on the game and suggestions

First, I had lots of fun so thanks to Bryan and Jared for inviting me.

Game runs with 3 objectives.  Defend. Attack other teams, Solve Challenges.

The organizers have added the attack portion to differentiate themselves from CCDC events. The problem i see is that it's 5 person teams and thats just not enough people to do all 3 objectives.

Stuff i didn't like

  • It is not clear what services are required to run on each host for scoring--this is actually a gripe with MACCDC as well.
  • No scoring for Red Team or no scoring hit for system compromises
  • The objectives didn't seem equally weighted, teams abandoned keeping services up and solved challenges as their were more points to be obtained doing challenges
Stuff I liked
  • Preowned stuff for lolz
  • Teams could barter to get access back to their stuff
  • Red Team freedom to do whatever
  • Internet access
  • Newish OS's so we could do powershell attacks
  • Oldish OS's so you could do old school stuff
  • Web app vulns

-I'd love to see these events use money instead of points. Service availability equals income for most companies. If the scoreboard showed it in dollar values it **may** make service availability more fun for the teams. Specially if they got bonuses for uptime and what not.

-Points for IR for the blue teams.  Identify a red team attack, write it up,  get points or $$ for the write up and signatures

-Network monitoring devices so teams can see attacks coming in --if they configure it  or maybe preconfigure it, then they can write snort alerts or yara rules to identify interesting things.

-Add devops services; its real world and people are more likely to see elastic search than freebsd when they graduate

-Focus more on one of the three objectives; don't care which just pick

-Identify critical systems that cant be down (email, web, etc) [Thanks Mubix]

-Equal weighting on objectives if you keep them all. If you earn 1000 points doing challenges but all your services are down you should also lose 1000 points [Thanks Mubix]


No comments: