Re: [Pauldotcom] Blue Team Tactics

John Strand Sat, 01 Aug 2009 08:35:08 -0700

So far the BLue team recommendations have been fantastic, so I thoughI would drop in a few suggestions to keep the discussion going.

One of the first things I wish any BLue teamer would do is downloadthe SANS incident response cheat-sheets for Windows and for Linux.


http://isc.sans.org/diary.html?storyid=5354

http://www.sans.org/info/3826

http://www.sans.org/info/3831

Consider this the basics to play. I hate it when I see a defenderstare at Task Manager for an hour or two with a blank stare on theirface. What are they looking for? EvilBackdoor.exe?


Now, how about how to use your firewall on Linux?

http://www.youtube.com/watch?v=kUdCsZpt2ew

What if you do not have a firewall on a Windows server? You arescrewed right? No, look at IPSec filters.


http://www.youtube.com/watch?v=amHaBmOlfgE

Why is it that many times the BLue team keeps getting owned by RPC orSMB and they don't block the ports?


And what about some log analysis kung-fu?

(Special note:I am trying to invoke the all powerful Red SANSInstructor with the above statement.)


If IP Address X, or range Y keeps attacking you, block them.

(Another special note.. I recommend only blocking temporarily andbeing very careful when you do. Otherwise, you may DoS yourself.)

Sure, third party tools are great.. However, many REd/BLue activities(I am talking to you Tim) will not allow defenders to get access toall of this stuff right out of the gate.


Why?

Is it because the people who put these games on evil? Possibly (I amstill talking to you Tim). Possibly. However, the real reason is thatall of our security technologies, while helpful, have theirlimitations. We depend on them far to much. We need to learn how to"live off the land" as it were. Also, a solid long term strategymay not work right now. Developing these defender skills for shortterm damage control is key to our industry.

So, there have been some very cool recommendations for third partytools. Now I want you to focus on the CLI and the built-in tools youget with a Windows or Linux system.



This is, quite possibly, the best security list ever.


-strandjs



On Jul 30, 2009, at 1:43 PM, Tim Rosenberg wrote:

John,
Thanks for the nod. I like the thread. Also thanks to Paul forattending our NYC CTF event and running an excellent Red Cell asalways.
These suggestions are all very good. One thing I would offer up.We have the Cyber Dawn event in October in VA. It would be great tohave a professional defense team there to show/document/demonstratehow to lock down a system/network and monitor it. One of the greatsuggestions from the NYC event was that there needed to be a DefenseCoach...just like the role Larry played in Vegas. I franklycouldn’t agree more.
I see the note about apache and windows...time to trade up some ofthe defensive assets too.
One of the things I would ask the defender community. One of thedifficult things in designing these exercises is the creation of aseries of functional network services that are realistic and yetvulnerable. Rather than turning this into a patch game where thefastest keyboard wins, the feedback I’m getting from participants isto provide more of a leg up for the defenders. This needs to bebalanced against a diverse skill set of Red Cell, some of whom areprofessional pen testers, others are running metasploit for thefirst time. So here’s some thoughts, please feel free to criticize.Providing a ‘test network’; an unprotected unpatched network that isunstaffed by humans. This would be used as a test net for new RedCell to cut their teeth on tools prior to going against the humandefended networks. The down side to this is that by the timethey’ve played around, the holes they exploited on the Test Net willmost certainly be closed by the humans.Provide unpatched ‘legacy systems’ that cannot be updated by thedefenders. These low hanging fruit targets would be only one or twosystems inside the defenders’ networks. It would provide an easytarget for the Red Cell, but for them to further exploit thenetwork, they would have to know how to pivot really well.Defender challenges; I would welcome an opportunity to connect tothe larger community and ask for help in building systems that mayonly have one way in. Preferably through a single less known ormore difficult vulnerability. For example, Paul has consistentlyfound a way into the Debian boxes we use. However, he only getlimited user access as there is nothing installed to support localprivilege escalation.
Cheers,
Tim Rosenberg


On 7/28/09 11:29 PM, "John Strand" <[email protected]> wrote:
Time to bring Tim in on this.

The White Wolf guys are simply the best at this kind of simulation.

Tim, care to throw in your two cents?

john



On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
All Good Suggestions. To answer Erik's question on scoring per myexperience last week at the NYC CTF.
Red Team members were required to run a script on the comrpomisedsystem once it was compromised to gain a point for the hack. Theywere encouraged to take data but no DDOS were allowed. However,they could take down systems towards the end of the day (althoughthey would not getting points for doing so but the blue team wouldgain points for systems down - more points are bad for blue).
Blue Team Members with the lowest score won. They needed to keepsystems and services online. If compromised they could regain(subtract some points) if they were able to get the systems onlinequickly and accurately report data loss to the FBI field office.(Paul and Renald actually did a good job destroying the team thatwon but because they were able to restore and start over (DR) theyregained their lead.
So with that said while tools (both preventative and reactive)would certainly help the blue team, I think the most importantthing is to be organized, have a plan, have the expertise (oneperson for linux, one for windows, one for web apps/databases, andone for networking), and know when to say we are screwed letsimplement our DR plan. And ss Erik pointed out lock down thesystems!
Some command line and gooyee tools could certainly have helpedwith this but would be no substitute for experience andorganization. Scripting command line stuff and GPO's wouldcertainly help in a large environment (have quite of bit ofexperience there) but in an exercise like this it may just slow ateam down (better to do it manually since there were only ahandful of systems).
So AV, log monitoring, best practices (i.e. all of Erik'spreventative suggestions and more), and things like TCSToolsswitchblade for incident response would all be helpful. I'mwondering if the questions of what tools is the right question.Maybe the question is what best practices?
Just My 2 1/2 cents.
On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison<[email protected]> wrote:
beyond a lot of the great reactive or visibility drivensuggestions already provided, and assuming this is in a labenvironment (i hope) - harden the crap out of the server.standard fare, remove/disable unnecessary services, changedefault service accounts to low priv. add manual ntfs permissionsacross the filesystem *and registry* to limit that account'saccess. patch the os, apps, services, any web software (justassuming they're gonna give you joomla w/ 1500 plugins andmodules to make it utterly impossible to win). move db passwordsin the code into an included file ../ out of the main webdirectory, deny writes to all web directories for the duration ofthe scenario so no webshells can be uploaded, fix outboundconnections at the firewall (host and upstream), switch servicesto listen only on 127.0.0.1, blah blah blah.. the list goes on
how are you measuring successful intrusion? what's the jackpotfor red? you could just be a bastard, and move or delete thatfile :D lock it away in a truecrypt volume protected by keys andpassphrases.
On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <[email protected]> wrote:
Very Nice. Does Autopatcher allow you to manually copy overpatches (already have many downloaded)?
To add some:

Again Sysinternals Tools: Process Monitor, PSTools, TCPView
Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
Nessus - Home Feed of course
Dumpsec - NTFS File Permission dumper
Your favorite free sniffer - Wireshark, etc..
MRTG - Router bandwidth monitoring
AVG or other decent free AV
Snort
On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <[email protected]> wrote:
8 GB stick prepared with autopatcher http://www.autopatcher.com/http://www.autopatcher.com/I would have patches for all versions of windows.
<http://www.autopatcher.com/> I would also place portablefirefox, and xamp in case i need to migrate an apache LAMPserver to an updated version since I have seen a trend ofputting apache on windows in this competition, also placeseveral pre-made security templates for use with GPO or localapplication, URLscan installer and pre-made urlscan.ini files.Komodo free firewall installer and the NSA cisco templates, acltemplates, Nipper for checking the cisco equipment configquickly and some pvaln sample configs. Keepass for passwordstorage and generation.
that is what comes now to mind.
On Tue, Jul 28, 2009 at 8:54 AM, John Strand<[email protected]> wrote:
Please! PSW land! Share your Blue Team tactics!
What tools, scripts, and techniques do you use as part ofIncident Response and Blue Team Activities?
I have sat in on one to many Red/Blue/CTF games where the Redteam gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cainand Able, Ettercap, Dsniff, Hydra, 0phcrack, Nmap, BT4 andvarious torture techniques (including IronGeek's rubber hoses)and the the Blue team gets....
"An un-patched Windows 2000 box and a slew of un-patchedsoftware!!!!!''
Please see the following video for reference:

http://www.youtube.com/watch?v=Y77n--Af1qo
Yea.. Thats right.... As of today the Blue Team is what youget assigned to when you are caught stuffing peas up your nose.
This stops today!!!
There are a few rules. Tricks and scripts must be able to runat the command line of your operating system of choice and alltools must be freeware or open source.
Thats it!!!

Look, the Blue Team can rock!!!  So please share your tricks.
I am going to collect and add to them so we have a solid listand this will serve as the playbook for the Blues going forward.
Be expecting this on the PDC site soon.

strandjs

_______________________________________________
 Pauldotcom mailing list
 [email protected]
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 Main Web Site: http://pauldotcom.com
_______________________________________________
 Pauldotcom mailing list
 [email protected]
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 Main Web Site: http://pauldotcom.com
_______________________________________________
 Pauldotcom mailing list
 [email protected]
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 Main Web Site: http://pauldotcom.com
_______________________________________________
 Pauldotcom mailing list
 [email protected]
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 Main Web Site: http://pauldotcom.com
 _______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Re: [Pauldotcom] Blue Team Tactics

Reply via email to