April 2013



Hello readers,

For those who are not familiar, the National Collegiate Cyber Defense Competition (NCCDC) is held once a year in San Antonio, Texas. The 10 winning teams from regionals held across the United States come to San Antonio to prove their abilities against an active and aggressive attacker while at the same time completing business objectives and dealing with simulated customers/users. It's only open to teams of college students; they train through the year and begin the qualification process in late winter.

I am the captain of the NCCDC red team and have been for 7 years now, and in those 7 years we've expanded and grown as a red team to deliver what I would like to think is a unique and compelling experience to the student teams.

One of my red teamers, Alex Levinson, posted a blog with his takeaways from being a CCDC bad guy. You can read it here: https://alexlevinson.wordpress.com/2013/04/24/ccdc-2013-red-team-feedback/

Raphael Mudge gives a more thorough accounting of this year's tricks in his write up: http://blog.strategiccyber.com/2013/04/24/national-ccdc-red-team-fair-and-balanced/

I thought I would follow up as promised and give a breakdown that goes beyond the slide show I posted in the previous post. When I give my red team debrief I try to collect the screenshots from around the red team that best illustrate the mistakes that we see made during the competition. As I write this post I've realized it's important that I detail more about what we do at National CCDC as a red team for those of you that have never experienced our welcoming red team hospitality. As the red team captain I have several duties:

1. Set the strategy for this year's attacks
2. Make sure the best possible volunteers are located and brought in to bring the best possible redteam to bear against teams shown to be capable enough to survive the other redteams on their journey.
3. Restrict access to the redteam room to prevent distractions
4. The assignment of redteam members to teams
5. Make a room full of usually solo penetration testers work together and follow my plan
6. Talk to tour groups as they are escorted into the redteam room to explain how we operate, our plan and to prevent them from distracting the redteam.
7. To force communication and cooperation across the different redteam members so all student teams receive the same love.
8. To assist in cultivating custom toolkits, backdoors and tools and get communication started before the event so that everyone knows what is possible.
9. To enforce the rules of the competition to make sure no red team member voids the provisions put in place to ensure a fair contest.
10. To make sure the students meet their redteam members and that they hopefully learn something from the experience.
11. Facilitate requests between the redteam and the gold team
12. Take care of my own assigned student team in making sure I leave behind my own presents.
13. Make sure all the red team members fill out their incident submissions

In short, I have lots to do over the weekend, and over the years I've learned a lot from the process. I even did a talk at DerbyCon last year about what I've learned: http://www.irongeek.com/i.php?page=videos/derbycon2/david-cowen-running-a-successful-red-team If you are running a red team I recommend you watch it.

So after explaining all of that, here is what I think student teams and the industry in general need to consider when defending.
1. Reinstall is not the solution for remediation
This idea that reinstalling is the best way to recover from an intrusion is not isolated to CCDC students; it's a common trend in the industry. However, as a CCDC competitor you are under a microscope with an attacker who knows you have to put that system back up as soon as possible to stop the bleeding.

In the short term this is true; however, in the long term (as in the rest of the competition) it's a faulty perception. The SLA violation you take for having your services down is the largest continual point disruption we can generate as a red team; all other actions we take against you are one time/one point deduction activities. We bring a bag of tricks to NCCDC, but we don't have the time a real world attacker does to continually generate new tools/new techniques in the span of two days. Once you detect and block this year's sneaky trick du jour you will have effectively blocked us for the rest of the competition in a form that will scale to the rest of your systems. This means that in the long term you can keep us out, keep your systems up and keep your SLA violations to a minimum.

Failing to do this and reacting only to the short term access will just cause the same pain to reoccur. This creates a race between you and the red team to see who can get back into your system faster once you've restored, and then take the system down again, hopefully before the scoring engine checks for an update so that you are just continually seen as being down. The SLA violation grows for each period you're down; keeping you down is a tactic, not just a funny thing to do.

2. Logfiles are important and part of a bigger picture of data
Past teams were quite observant of the logs for their external services; current teams seem to have lost the art. Watching the logs for the services you are providing externally, and for errors and login events, will go a long way toward proactively detecting our accesses, probes and intrusions. Beyond the default logs being created for you, learn how to configure them to add additional information and capture more of what we are doing.

3. You have to understand normal to identify abnormal
This may be the most important bit of advice, and the hardest to understand. You need to have worked with an operating system long enough to know what processes, behaviors, files and activity are part of the actual operating system. The only way to do this is with practice: installing and working with different parts of the operating system and seeing what changes, gets added, gets deleted and gets executed.

Once you've learned what is normal (what accounts should own processes, what ports should be open, what IPs defined services should be communicating with, etc.), our activities and especially our persistence will stand out much more. Watching a team launch TCPView while you watch them, and seeing that they don't notice your connection, means they are hoping for some giant flag saying 'HACKER FOUND' rather than understanding what traffic is abnormal/bad.
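As an added example (not code from the original post), here is one way to turn that "know what's normal" advice into a check: a baseline of which program and account should own each listening port and which peer networks it should talk to, diffed against a netstat snapshot. The baseline, the snapshot and the pid-to-owner table are all constructed for illustration.

```python
import ipaddress

# Constructed baseline of "normal": local port -> (expected program, owner, peer networks).
BASELINE = {
    22:   ("sshd",   "root",   ["10.0.5.0/24"]),
    80:   ("httpd",  "apache", ["0.0.0.0/0"]),
    3306: ("mysqld", "mysql",  ["10.0.10.5/32"]),
}
# Constructed 'netstat -antp' snapshot plus a pid -> owner table (as 'ps -o pid,user' gives).
SNAPSHOT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 10.0.10.5:22 10.0.5.17:51002 ESTABLISHED 812/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1044/httpd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1200/mysqld
tcp 0 0 10.0.10.5:3306 198.51.100.23:40112 ESTABLISHED 1200/mysqld
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 2311/httpd
tcp 0 0 10.0.10.5:39810 203.0.113.9:443 ESTABLISHED 2319/sh
"""
OWNERS = {812: "root", 1044: "apache", 1200: "mysql", 2311: "root", 2319: "apache"}


def parse_netstat(text, owners):
    """Yield (local_port, remote_ip, state, program, owner) per TCP line of netstat -antp."""
    for line in text.splitlines():
        p = line.split()
        if len(p) < 7 or not p[0].startswith("tcp"):
            continue
        lport = int(p[3].rsplit(":", 1)[1])
        rip = p[4].rsplit(":", 1)[0]
        pid, prog = p[6].split("/", 1)
        yield lport, rip, p[5], prog, owners.get(int(pid), "?")


def find_abnormal(text, baseline=BASELINE, owners=OWNERS):
    """Return one finding per deviation from the baseline; an empty list means all normal."""
    findings = []
    for lport, rip, state, prog, owner in parse_netstat(text, owners):
        expected = baseline.get(lport)
        if state == "LISTEN":
            if expected is None:
                findings.append(f"unexpected listener :{lport} ({prog} as {owner})")
            elif (prog, owner) != expected[:2]:
                findings.append(f":{lport} served by {prog}/{owner}, expected {expected[0]}/{expected[1]}")
        elif expected is None:
            # Established connection on an ephemeral local port: outbound, owned by no known service.
            findings.append(f"outbound {prog}/{owner} -> {rip} not tied to any known service")
        elif not any(ipaddress.ip_address(rip) in ipaddress.ip_network(n) for n in expected[2]):
            findings.append(f":{lport} peer {rip} outside expected networks")
    return findings
```

Note that a process named like a legitimate service (the `httpd` on port 4444) is still flagged, because the baseline keys on the port and owner, not on the name alone.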

4. Knowing your operating system outside of a google search is important
I understand we all use Google; I use Google and other search engines every day. However, if you have to turn to Google to quickly manage and configure your operating system and its services, then you've created a problem. You should know the system and the commands well enough before the competition to be able to secure your system as quickly as possible and bring up new services, without us watching you google instructions for the next hour as you stumble.

5. Knowing your applications/services capabilities is the only way to secure them
If you encounter a new application, either one that you have to install or one that you find already running, the first things you need to understand are:
1. How to administer it locally
2. Does it have default credentials
3. Does it have remote administration capability
4. Search the documentation for security configuration
5. Find out where the application creates logs and error logs
6. Does it connect to another service/database

Then go back through 1-6 and lock it down. We are doing the same thing on the red team side; only after all these things fail to get us in will we then start a code review/known exploit search.

6. Learn some basic Incident Response tools and techniques
Alex Levinson said something particularly insightful one evening over margaritas: "When I was a student I saw CCDC as a system administration contest, but really it's an Incident Response contest". I think there is a lot of truth to this; most students focus on how to install, configure and set up the operating system. Some students get interested in the red teaming aspect of it, but very few get interested in the forensics and incident response aspect of CCDC.

Forensics is what I do for a living, so maybe I'm a bit biased, but the amount of grief you could save your team and the number of points you could recoup from our attacks is enough to make at least one person on your team the incident responder. They should focus on the following:
1. Learn how to capture live memory
2. Learn how to use volatility to find possible malware
3. Learn how to scan for alternate data streams
4. Learn how to work with forensic artifacts such as prefetch and the application compatibility cache
5. Learn how to make and scan timelines for malicious activities
6. Capture network traffic and look for us

Doing this does not take as long as you think once you get good at it, and in doing so you will be able to identify, detect, respond to and eliminate us and our persistence.

Next year will be harder, I warn you now. I have plans, blue teams, and you are at the center of them. Take this blog post as a warning and be ready.


I'll be doing an AMA on reddit Monday April 29th 2013 at 1:30pm if you want to ask questions, or you can leave comments below.

Greetings Reader,
Another year and another NCCDC is done. While the red team always wins, we are happy to share our victory with this year's winner RIT. Every year I present a debrief to the teams that make it to nationals to highlight the common mistakes they make and how they can improve. This year's theme was 'Intervention', as we felt the teams overall didn't seem to be improving as we keep escalating our tactics. Here is this year's debrief:

http://sdrv.ms/13JOgGg

There was video taken this year and a documentary crew from UTSA. I'll post the video and a more detailed breakdown of our activities this year tomorrow.
