PRCCDC 2014 Recap
By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip

Page 1: PRCCDC 2014 Recap By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip,


Page 2: Scott Amack – PRCCDC Scenario
• Shark Industries, weapon manufacturer
• Incomplete network map provided
• 4 Windows 7 machines
• 4 Windows XP machines
• Plus various network machines: File and Mail Server, “HMI” Computer, Domain Controller, VPN Server, Web Server

Page 3: Scott Amack – PRCCDC Team Preparation
• RADICL Lab down
• Prepped team for injects
• Team had to practice on their own VMs
• Prepped team to think fast on their feet
• Lots of quick exercises in prep class

Page 4: Scott Amack – PRCCDC Scores
• Team scored 6th overall
• 1st place in Incident Response
• 2nd place in Injects (15 points from 1st)
• 1st place in Uptime
• 11th place in attacks against us

Page 5: Scott Amack – PRCCDC Inject Scores

Page 6: Scott Amack – PRCCDC Uptime Scores

Page 7: Scott Amack – PRCCDC Lessons Learned
• Need to teach team how to find and eradicate malware
• Need to defend against RATs (DarkComet and Poison Ivy variants)
• Need to learn how Cobalt Strike Beacons can be eradicated
• Really need a lab environment to practice in
• Need to learn multiple tools for doing different tasks

Page 8: Scott Amack – White Team Debrief
• Centralized leadership was excellent
• Each member assigned a specific role works very well
• Inject with team captain out sick did not work so well for us
• Liked that we drew diagrams on the board
• Liked that we asked unauthorized visitors to leave immediately
• Quick solutions to the right problems are the way to win

Page 9: Ranger Adams – Responsibilities
• Going in: Web Server (Ubuntu), maybe MySQL
• There (at the competition): Web Server (Ubuntu), Web Server (IIS), MySQL box (Ubuntu), Application Server (IIS)

Page 10: Ranger Adams – Preparation
• Linux
• PHP/JavaScript
• Linux services
• Basic Windows

Page 11: Ranger Adams – Mistakes
• UFW blocking MySQL
• Full control of assets
• Attention to Windows
• Windows Firewall

Page 12: Ranger Adams – Lessons Learned
• Firewalls are tricky, but powerful
• Learn more breadth, less depth

Page 13: Jeff Crocker – Responsibilities
• Email Server

Page 14: Jeff Crocker – Preparation
• Email Server
• Online tutorials
• Veteran knowledge
• Presentations
• Passwords

Page 15: Jeff Crocker – Mistakes
• Open relay fix
• Sitting by the phone
• User accounts
• Excessive passwords
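
Jeff lists the open-relay fix under mistakes, so it is worth being precise about what actually makes a mail server an open relay. The check below is an added example, not the team's configuration, and it assumes Postfix (the deck does not say which MTA the mail server ran): it parses `main.cf` and flags the two classic causes, a `mynetworks` that trusts every client and a relay restriction list that permits before it rejects unauthorized destinations. Both sample configurations are constructed.

```python
"""Spot the classic Postfix open-relay misconfigurations in main.cf.

Added example, not the team's config; assumes Postfix. Two things make
Postfix relay for the whole internet: a mynetworks that matches every
client (permit_mynetworks then fires for everyone), or a relay restriction
list that permits before it rejects unauthorized destinations.
"""
import ipaddress
import re

# Constructed samples, not configs from the competition.
WEAK_MAIN_CF = """\
myhostname = mail.shark.example
# "fixes" a relaying complaint by trusting everyone: open relay
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

FIXED_MAIN_CF = """\
myhostname = mail.shark.example
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/24
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Restrictions that stop a relay attempt for a foreign destination.
STOPPERS = {"reject_unauth_destination", "defer_unauth_destination",
            "reject", "defer", "defer_if_permit"}


def parse_main_cf(text):
    """Minimal main.cf parser: key = value, continuation lines start with whitespace."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        k, sep, v = raw.partition("=")
        if not sep:
            continue
        key = k.strip()
        params[key] = v.strip()
    return params


def split_list(value):
    return [t for t in re.split(r"[\s,]+", value) if t]


def check_relay(text):
    """Return [(severity, message)], empty when nothing looks wrong."""
    p = parse_main_cf(text)
    findings = []
    for entry in split_list(p.get("mynetworks", "")):
        if entry.startswith("!"):           # "!net" excludes a range, never widens
            continue
        token = entry.replace("[", "").replace("]", "")   # [::1]/128 -> ::1/128
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            findings.append(("info", f"mynetworks entry {entry!r} is not a CIDR (table or file?), review by hand"))
            continue
        if net.prefixlen == 0:
            findings.append(("critical", f"mynetworks {entry} trusts every client: open relay through permit_mynetworks"))
        elif not (net.is_private or net.is_loopback):
            findings.append(("warning", f"mynetworks {entry} is a public range; every host in it may relay"))

    # Postfix >= 2.10 decides relaying on smtpd_relay_restrictions; older
    # versions only have smtpd_recipient_restrictions.
    name = "smtpd_relay_restrictions" if "smtpd_relay_restrictions" in p else "smtpd_recipient_restrictions"
    rules = split_list(p.get(name, ""))
    if not rules:
        findings.append(("info", f"{name} not set; relay policy comes from Postfix defaults, set it explicitly"))
        return findings
    seen_stopper = False
    for rule in rules:
        if rule == "permit" and not seen_stopper:
            findings.append(("critical", f"{name}: bare 'permit' before any unauth-destination reject is an open relay"))
        if rule in STOPPERS:
            seen_stopper = True
    if not seen_stopper:
        findings.append(("critical", f"{name} never rejects mail for destinations this host is not responsible for"))
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, check_relay(cf) or "ok")
```

Run it against `postconf -n` output rather than the raw file when in doubt, since that shows the effective settings. The checker is static; the confirmation that matters during the competition is a manual SMTP session from a host outside `mynetworks` that sends `MAIL FROM` and `RCPT TO` for two foreign domains and gets a relay-denied response.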

Page 16: Jeff Crocker – Lessons Learned
• Check assumptions
• Gear switching
• Googling skills
• Availability vs. Integrity

Page 17: Ben Cumber – Responsibilities
• Windows File Server
  • Windows 2008 R2 server
  • Running freeFTPd
• Windows XP workstations 7 and 8

Page 18: Ben Cumber – Preparation
• Windows hardening guide on personal machine
• Read through team binder
• Reviewed PRCCDC rules

Page 19: Ben Cumber – Mistakes
• Couldn’t RDP to Windows server
• Could not connect to file service
• Reinstalled file service (wasn’t necessary)

Page 20: Ben Cumber – Lessons Learned
• RDP
• FileZilla and WinSCP
• Gained a much better understanding of what exactly a file server is

Page 21: Keith Drew – Responsibilities
• Maintain logs of system changes
• Maintain telephone logs
• Windows workstation hardening

Page 22: Keith Drew – Preparation
• Documentation
• Mini lab on personal computer
• Developed hardening guides

Page 23: Keith Drew – Mistakes
• Not killing malicious process
• Not utilizing all tools available to me (vSphere Client)

Page 24: Keith Drew – Lessons Learned
• How attacks are performed

Page 25: Heather Haphey – Responsibilities
• Smoothwall virtual router
• Handle injects: policy writing, report generation, briefing
• Binder creation

Page 26: Heather Haphey – Preparation
• Researched Smoothwall and virtual routing
• Reviewed and rewrote real policies
• Practiced briefing
• Collected and created binder materials
• Read offensive and defensive tactics

Page 27: Heather Haphey – Mistakes
• Learned wrong virtual router
  • Vyatta instead of Smoothwall
• Didn’t back up editable sample documents
• Realized the router GUI too late
• Not prepared to detect and prevent attacks

Page 28: Heather Haphey – Lessons Learned
• More research about red team tools
• Back up anything useful
• Snapshot -> Harden -> Snapshot
• Get injects done ASAP, use full time
• Review requirements part-way through
• Stay focused on AOR, remain calm
• ASK ASK ASK and trust intuition
• Get into the scenario, seek real answers

Page 29: Nate Krussel – Responsibilities
• Windows Active Directory: Group Policies, domain knowledge
• Team Co-Captain: help in team preparation, back up to Scott
• Knowledge transfer: sharing experience and strategies that have worked or not worked in past competitions

Page 30: Nate Krussel – Preparation
• Doing previous years’ injects: even if not exactly the same, may be fairly close
• Read up on required services/ports: often the competition has more things open than needed to run the required service
• Industry hardening guides: give the quick and useful information on hardening
• Acquired general knowledge: easier stepping into Scott’s shoes if need be

Page 31: Nate Krussel – Mistakes
• Firewall rules: need to allow only certain IPs to access the domain and domain resources; should slow down the red team
• Too much time as Domain Admin account: much easier for red team to steal credentials if they break into the box
• Not checking scheduled tasks: allowed red team to manipulate our firewalls across the domain
• Didn’t lock out all additional user accounts that weren’t required for the score bot or us: not how a normal business runs, but works well for the competition
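
The scheduled-task point above (and Scott's lesson that the team needs to learn how to find and eradicate malware) comes down to triage: export the task list from every Windows host and look at what each task actually runs, not at its name. The script below is an added example written for this recap, not the team's tooling. It parses the CSV that `schtasks /query /fo CSV /v` produces and flags actions that change the firewall through `netsh`, launch hidden or encoded PowerShell, or run a binary from a user-writable path; the sample export is constructed and keeps only a subset of the real columns.

```python
"""Triage a schtasks CSV export for persistence a red team would plant.

Added example, not the team's tooling. Collect on each Windows host with
    schtasks /query /fo CSV /v > tasks.csv
and run this against the copy. The sample below is constructed and keeps
only a subset of the columns schtasks /v emits.
"""
import csv
import io
import re

# Constructed sample export (subset of the real columns).
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS07","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM"
"WS07","\Adobe Acrobat Update Task","Ready","Adobe Systems Incorporated","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","INTERACTIVE"
"WS07","\WindowsUpdateCheck","Running","SHARK\jdoe","cmd.exe /c netsh advfirewall set allprofiles state off","SYSTEM"
"WS07","\Updater","Ready","SHARK\jdoe","powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA=","SYSTEM"
"WS07","\OneDrive Sync","Ready","SHARK\jdoe","C:\Users\Public\svchost.exe","SHARK\jdoe"
'''

# Each check is (reason, regex over the "Task To Run" field). The decision is
# made on the action, because an attacker picks a harmless-looking task name.
CHECKS = [
    ("changes the host firewall via netsh",
     re.compile(r"\bnetsh\b.*\b(advfirewall|firewall)\b", re.I)),
    ("hidden/encoded PowerShell",
     re.compile(r"powershell.*(?:-e(?:nc|ncodedcommand)?\b|-nop\b|-w(?:indowstyle)?\s+hidden|bypass)", re.I)),
    ("runs from a user-writable directory",
     re.compile(r"\\(?:temp|appdata|users\\public|programdata)\\", re.I)),
]


def triage(csv_text):
    """Return [(host, task_name, [reasons])] for every task that trips a check."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":           # some schtasks versions repeat the header per task
            continue
        action = row.get("Task To Run") or ""
        reasons = [why for why, rx in CHECKS if rx.search(action)]
        # A SYSTEM task authored by a domain user rather than Microsoft is not
        # proof of anything, but in this scenario it deserves a look.
        author = (row.get("Author") or "").lower()
        run_as = (row.get("Run As User") or "").upper()
        if run_as.endswith("SYSTEM") and "microsoft" not in author:
            reasons.append("runs as SYSTEM but not authored by Microsoft")
        if reasons:
            flagged.append((row.get("HostName", ""), name, reasons))
    return flagged


if __name__ == "__main__":
    for host, task, reasons in triage(SAMPLE_CSV):
        print(f"{host} {task}: " + "; ".join(reasons))
```

Take one export right after the first snapshot-and-harden pass and diff later exports against it; a task that was not there at the start is the first thing to read, whatever it is called. Kill the process the task spawned as well as deleting the task, otherwise the firewall gets turned off again on the next trigger.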

Page 32: Nate Krussel – Lessons Learned
• Always scan inside and outside your network and speak up if a new box appears
• If given vSphere client, turn off servers’ RDP and SSH abilities (if possible) and use the client
• Check firewall rules regularly
• Use virtual router to try and limit access at port level if possible; reduces attack surface greatly
• Always communicate and make sure to get confirmation of a task that needs to be done, to make sure the message got across
• Easier to have the DC auto update the group policy instead of having everybody update it themselves
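
The first lesson on this slide, scan inside and outside and speak up when a new box appears, is far easier to act on when the scans are diffed mechanically instead of read by eye under time pressure. The script below is an added example, not something the team used: it parses nmap's greppable output (`-oG`) from a baseline scan and a later scan and reports new hosts, newly open ports and ports that closed. Both scan outputs are constructed.

```python
"""Diff two nmap greppable (-oG) outputs: new hosts, new open ports, closed ports.

Added example, not the team's tooling. Take a baseline right after the first
hardening pass, then rerun from inside and from outside the network:
    nmap -sS -p- -oG baseline.gnmap 10.0.0.0/24
    nmap -sS -p- -oG now.gnmap 10.0.0.0/24
The two samples below are constructed, not real scan output.
"""
import re

BASELINE_GNMAP = """\
# Nmap 6.47 scan initiated as: nmap -sS -oG baseline.gnmap 10.0.0.0/24
Host: 10.0.0.5 (web)\tStatus: Up
Host: 10.0.0.5 (web)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.10 (dc)\tStatus: Up
Host: 10.0.0.10 (dc)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
# Nmap done: 256 IP addresses (2 hosts up)
"""

CURRENT_GNMAP = """\
# Nmap 6.47 scan initiated as: nmap -sS -oG now.gnmap 10.0.0.0/24
Host: 10.0.0.5 (web)\tStatus: Up
Host: 10.0.0.5 (web)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.10 (dc)\tStatus: Up
Host: 10.0.0.10 (dc)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 10.0.0.66 ()\tStatus: Up
Host: 10.0.0.66 ()\tPorts: 4444/open/tcp//krb524///\tIgnored State: closed (999)
# Nmap done: 256 IP addresses (3 hosts up)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def ip_key(ip):
    """Sort IPv4 numerically; anything else sorts after, as text."""
    try:
        return tuple(int(x) for x in ip.split("."))
    except ValueError:
        return (256, ip)


def parse_gnmap(text):
    """Map ip -> set of (port, proto, service) that are open.

    Hosts that are up but show no open ports still appear, with an empty set.
    Each port entry is port/state/proto/owner/service/rpc/version/.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), set())
        _, sep, rest = line.partition("Ports:")
        if not sep:
            continue                      # the "Status: Up" line has no port list
        rest = rest.split("Ignored State:")[0]
        for entry in rest.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                ports.add((int(port), proto, service))
    return hosts


def diff_scans(baseline, current):
    """Compare two parse_gnmap() results."""
    out = {"new_hosts": {}, "gone_hosts": [], "new_ports": {}, "closed_ports": {}}
    for ip in sorted(current, key=ip_key):
        if ip not in baseline:
            out["new_hosts"][ip] = sorted(current[ip])
            continue
        added = current[ip] - baseline[ip]
        removed = baseline[ip] - current[ip]
        if added:
            out["new_ports"][ip] = sorted(added)
        if removed:
            out["closed_ports"][ip] = sorted(removed)
    out["gone_hosts"] = sorted(set(baseline) - set(current), key=ip_key)
    return out


def format_report(d):
    lines = []
    for ip, ports in d["new_hosts"].items():
        lines.append(f"NEW HOST {ip}: " + ", ".join(f"{p}/{pr} ({sv})" for p, pr, sv in ports))
    for ip, ports in d["new_ports"].items():
        lines.append(f"NEW PORTS on {ip}: " + ", ".join(f"{p}/{pr} ({sv})" for p, pr, sv in ports))
    for ip, ports in d["closed_ports"].items():
        lines.append(f"CLOSED on {ip}: " + ", ".join(f"{p}/{pr}" for p, pr, _ in ports))
    for ip in d["gone_hosts"]:
        lines.append(f"HOST GONE {ip}")
    return lines


if __name__ == "__main__":
    delta = diff_scans(parse_gnmap(BASELINE_GNMAP), parse_gnmap(CURRENT_GNMAP))
    print("\n".join(format_report(delta)) or "no change")
```

A port that opened on a box you own is just as interesting as a new host: in the sample, RDP appearing on the web server is exactly the kind of change the vSphere-console lesson on this slide is meant to prevent. Scan from the Kali box outside and from a host inside, because the virtual router's rules make the two views differ by design.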

Page 33: Chris Waltrip – Responsibilities
• Kali Linux VM
  • Outside of corporate network: used to see what is visible from the outside
  • Port scanning, network sniffing, vulnerability analysis
• Windows Server 2008 R2 (HMI Server): not initially planned

Page 34: Chris Waltrip – Preparation
• Learned the basics of Nmap and Wireshark
• Researched Web Application Firewall, specifically ModSecurity (never actually used)
• Created cheat sheets: useful tools, common & useful commands

Page 35: Chris Waltrip – Mistakes
• Didn’t see VPN on second day
  • Nmap port scans
  • Wireshark DNS traffic
• HMI Server
  • Saw server, but thought it was the Vyatta firewall
  • Didn’t know default credentials
  • Attached to domain
• Cobalt Strike Beacons

Page 36: Chris Waltrip – Lessons Learned
• Tons!
• Nmap and Wireshark
• Team dynamics & collaboration
• Cobalt Strike’s Beacon has its own packaged DNS server
• How effective our countermeasures were
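
The DNS-server point on this slide is the detection angle on Scott's "Cobalt Strike Beacons" lesson: a DNS Beacon reaches the team server through ordinary DNS lookups, and the team server answers as the DNS server for an attacker-owned zone, so the queries a compromised workstation sends are themselves the indicator. The script below is an added example, not part of the original deck: a heuristic that flags a client sending many queries for distinct, hex-looking subdomains of one zone. The sample log is constructed, and the input shape (one `client qtype qname` line per query, a resolver log already reduced to that form) is an assumption.

```python
"""Heuristic for DNS-tunnelled C2 such as Cobalt Strike's DNS Beacon.

Added example, not the team's tooling. The team server answers DNS for an
attacker-owned zone, so a compromised host sends many queries for distinct,
encoded-looking subdomains of that one zone. Input is assumed to be a
resolver log reduced to "client qtype qname" per line.
"""
import re
from collections import defaultdict

# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
10.0.0.21 A www.example.com
10.0.0.21 A cdn.example.com
10.0.0.21 A www.example.com
10.0.0.22 A 3c9f1a7e.badzone.example
10.0.0.22 A 8b2d44c0.badzone.example
10.0.0.22 TXT 1f0e9ac3d2.badzone.example
10.0.0.22 A a0b1c2d3.badzone.example
10.0.0.22 A e4f5a6b7.badzone.example
10.0.0.22 TXT 9988776655.badzone.example
10.0.0.22 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
HEXISH_RE = re.compile(r"^[0-9a-f]{6,}$")   # encoded data rarely looks like a hostname


def split_name(qname):
    """Return (subdomain, zone) where zone is the last two labels.

    Assumption: no public-suffix handling, so "a.b.co.uk" gets zone "co.uk".
    Good enough for a competition network; tune for a real resolver.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, min_unique=5, min_unique_ratio=0.8, min_hex_ratio=0.6):
    """Return suspicious (client, zone) pairs, busiest first."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "hexish": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _qtype, qname = m.groups()
        sub, zone = split_name(qname)
        if zone is None:
            continue
        s = stats[(client, zone)]
        s["total"] += 1
        s["names"].add(sub)
        if HEXISH_RE.match(sub.split(".")[0]):   # judge the leftmost label
            s["hexish"] += 1

    findings = []
    for (client, zone), s in stats.items():
        unique = len(s["names"])
        if unique < min_unique:
            continue
        unique_ratio = unique / s["total"]      # real zones get repeat lookups, tunnels do not
        hex_ratio = s["hexish"] / s["total"]
        if unique_ratio >= min_unique_ratio and hex_ratio >= min_hex_ratio:
            findings.append({"client": client, "zone": zone, "queries": s["total"],
                             "unique": unique, "hex_ratio": round(hex_ratio, 2)})
    return sorted(findings, key=lambda f: (-f["queries"], f["client"], f["zone"]))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['zone']}: {f['unique']}/{f['queries']} unique, "
              f"{f['hex_ratio']:.0%} hex-like labels")
```

CDN and antivirus update zones also produce many unique subdomains, so keep an allow-list and tune the thresholds on a quiet hour of traffic before trusting the output. Once a zone is flagged, the Wireshark follow-up is a display filter on `dns.qry.name` for that zone, which also shows which internal resolver or external server is answering; the answer source is what to block or sinkhole, and the querying host is what to rebuild.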

Page 37: Pictures from Event
Pages 38–45: event photos, no slide text