I was lurking on this one, but Fr. John just made a point I would like to add to. It is a bit of a tangent, but-
John's point about "living off the land" reminded me of all the times I have seen admins who *have* the sexy tools when things get ugly- but they never really learned how to use them or what the tools could really do, much less considered if/how/when to use them in a crisis. I have even "heard" about admins battling LAN infestations who didn't know/forgot how to use their perimeter security appliance and had to cry for help to the vendor's engineering team.

Jack

On 8/1/09, John Strand <[email protected]> wrote:
> So far the Blue team recommendations have been fantastic, so I thought I would drop in a few suggestions to keep the discussion going.
>
> One of the first things I wish any Blue teamer would do is download the SANS incident response cheat-sheets for Windows and for Linux.
>
> http://isc.sans.org/diary.html?storyid=5354
>
> http://www.sans.org/info/3826
>
> http://www.sans.org/info/3831
>
> Consider this the basics to play. I hate it when I see a defender stare at Task Manager for an hour or two with a blank stare on their face. What are they looking for? EvilBackdoor.exe?
>
> Now, how about how to use your firewall on Linux?
>
> http://www.youtube.com/watch?v=kUdCsZpt2ew
>
> What if you do not have a firewall on a Windows server? You are screwed, right? No, look at IPSec filters.
>
> http://www.youtube.com/watch?v=amHaBmOlfgE
>
> Why is it that many times the Blue team keeps getting owned by RPC or SMB and they don't block the ports?
>
> And what about some log analysis kung-fu?
>
> (Special note: I am trying to invoke the all-powerful Red SANS Instructor with the above statement.)
>
> If IP address X, or range Y keeps attacking you, block them.
>
> (Another special note.. I recommend only blocking temporarily and being very careful when you do. Otherwise, you may DoS yourself.)
>
> Sure, third party tools are great.. However, many Red/Blue activities (I am talking to you Tim) will not allow defenders to get access to all of this stuff right out of the gate.
>
> Why?
>
> Is it because the people who put these games on are evil? Possibly (I am still talking to you Tim). Possibly. However, the real reason is that all of our security technologies, while helpful, have their limitations. We depend on them far too much. We need to learn how to "live off the land" as it were. Also, a solid long term strategy may not work right now. Developing these defender skills for short term damage control is key to our industry.
>
> So, there have been some very cool recommendations for third party tools. Now I want you to focus on the CLI and the built-in tools you get with a Windows or Linux system.
>
> This is, quite possibly, the best security list ever.
>
> -strandjs
>
> On Jul 30, 2009, at 1:43 PM, Tim Rosenberg wrote:
>
>> John,
>> Thanks for the nod. I like the thread. Also thanks to Paul for attending our NYC CTF event and running an excellent Red Cell as always.
>>
>> These suggestions are all very good. One thing I would offer up. We have the Cyber Dawn event in October in VA. It would be great to have a professional defense team there to show/document/demonstrate how to lock down a system/network and monitor it. One of the great suggestions from the NYC event was that there needed to be a Defense Coach...just like the role Larry played in Vegas. I frankly couldn't agree more.
>>
>> I see the note about apache and windows...time to trade up some of the defensive assets too.
>>
>> One of the things I would ask the defender community. One of the difficult things in designing these exercises is the creation of a series of functional network services that are realistic and yet vulnerable. Rather than turning this into a patch game where the fastest keyboard wins, the feedback I'm getting from participants is to provide more of a leg up for the defenders. This needs to be balanced against a diverse skill set of Red Cell, some of whom are professional pen testers, others are running metasploit for the first time. So here's some thoughts, please feel free to criticize.
>>
>> Providing a 'test network'; an unprotected unpatched network that is unstaffed by humans. This would be used as a test net for new Red Cell to cut their teeth on tools prior to going against the human defended networks. The down side to this is that by the time they've played around, the holes they exploited on the Test Net will most certainly be closed by the humans.
>>
>> Provide unpatched 'legacy systems' that cannot be updated by the defenders. These low hanging fruit targets would be only one or two systems inside the defenders' networks. It would provide an easy target for the Red Cell, but for them to further exploit the network, they would have to know how to pivot really well.
>>
>> Defender challenges; I would welcome an opportunity to connect to the larger community and ask for help in building systems that may only have one way in. Preferably through a single less known or more difficult vulnerability. For example, Paul has consistently found a way into the Debian boxes we use. However, he only gets limited user access as there is nothing installed to support local privilege escalation.
>>
>> Cheers,
>> Tim Rosenberg
>>
>> On 7/28/09 11:29 PM, "John Strand" <[email protected]> wrote:
>>
>>> Time to bring Tim in on this.
>>>
>>> The White Wolf guys are simply the best at this kind of simulation.
>>>
>>> Tim, care to throw in your two cents?
>>>
>>> john
>>>
>>> On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
>>>
>>>> All Good Suggestions. To answer Erik's question on scoring per my experience last week at the NYC CTF.
>>>>
>>>> Red Team members were required to run a script on the compromised system once it was compromised to gain a point for the hack. They were encouraged to take data but no DDOS were allowed. However, they could take down systems towards the end of the day (although they would not get points for doing so but the blue team would gain points for systems down - more points are bad for blue).
>>>>
>>>> Blue Team Members with the lowest score won. They needed to keep systems and services online. If compromised they could regain (subtract some points) if they were able to get the systems online quickly and accurately report data loss to the FBI field office. (Paul and Renald actually did a good job destroying the team that won but because they were able to restore and start over (DR) they regained their lead.)
>>>>
>>>> So with that said while tools (both preventative and reactive) would certainly help the blue team, I think the most important thing is to be organized, have a plan, have the expertise (one person for linux, one for windows, one for web apps/databases, and one for networking), and know when to say we are screwed, let's implement our DR plan. And as Erik pointed out lock down the systems!
>>>>
>>>> Some command line and gooyee tools could certainly have helped with this but would be no substitute for experience and organization. Scripting command line stuff and GPOs would certainly help in a large environment (have quite a bit of experience there) but in an exercise like this it may just slow a team down (better to do it manually since there were only a handful of systems).
>>>>
>>>> So AV, log monitoring, best practices (i.e. all of Erik's preventative suggestions and more), and things like TCSTools switchblade for incident response would all be helpful. I'm wondering if the question of what tools is the right question. Maybe the question is what best practices?
>>>>
>>>> Just My 2 1/2 cents.
>>>>
>>>> On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <[email protected]> wrote:
>>>>> beyond a lot of the great reactive or visibility driven suggestions already provided, and assuming this is in a lab environment (i hope) - harden the crap out of the server. standard fare, remove/disable unnecessary services, change default service accounts to low priv. add manual ntfs permissions across the filesystem *and registry* to limit that account's access. patch the os, apps, services, any web software (just assuming they're gonna give you joomla w/ 1500 plugins and modules to make it utterly impossible to win). move db passwords in the code into an included file ../ out of the main web directory, deny writes to all web directories for the duration of the scenario so no webshells can be uploaded, fix outbound connections at the firewall (host and upstream), switch services to listen only on 127.0.0.1, blah blah blah.. the list goes on
>>>>>
>>>>> how are you measuring successful intrusion? what's the jackpot for red? you could just be a bastard, and move or delete that file :D lock it away in a truecrypt volume protected by keys and passphrases.
>>>>>
>>>>> On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <[email protected]> wrote:
>>>>>> Very Nice. Does Autopatcher allow you to manually copy over patches (already have many downloaded)?
>>>>>>
>>>>>> To add some:
>>>>>>
>>>>>> Again Sysinternals Tools: Process Monitor, PSTools, TCPView
>>>>>> Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
>>>>>> Nessus - Home Feed of course
>>>>>> Dumpsec - NTFS File Permission dumper
>>>>>> Your favorite free sniffer - Wireshark, etc..
>>>>>> MRTG - Router bandwidth monitoring
>>>>>> AVG or other decent free AV
>>>>>> Snort
>>>>>>
>>>>>> On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <[email protected]> wrote:
>>>>>>
>>>>>>> 8 GB stick prepared with autopatcher
>>>>>>> http://www.autopatcher.com/
>>>>>>> I would have patches for all versions of windows.
>>>>>>>
>>>>>>> I would also place portable firefox, and XAMPP in case i need to migrate an apache LAMP server to an updated version since I have seen a trend of putting apache on windows in this competition, also place several pre-made security templates for use with GPO or local application, URLscan installer and pre-made urlscan.ini files. Comodo free firewall installer and the NSA cisco templates, acl templates, Nipper for checking the cisco equipment config quickly and some pvlan sample configs. Keepass for password storage and generation.
>>>>>>>
>>>>>>> that is what comes now to mind.
>>>>>>>
>>>>>>> On Tue, Jul 28, 2009 at 8:54 AM, John Strand <[email protected]> wrote:
>>>>>>>
>>>>>>>> Please! PSW land! Share your Blue Team tactics!
>>>>>>>>
>>>>>>>> What tools, scripts, and techniques do you use as part of Incident Response and Blue Team Activities?
>>>>>>>>
>>>>>>>> I have sat in on one too many Red/Blue/CTF games where the Red team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Abel, Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture techniques (including IronGeek's rubber hoses) and the Blue team gets....
>>>>>>>>
>>>>>>>> "An un-patched Windows 2000 box and a slew of un-patched software!!!!!"
>>>>>>>>
>>>>>>>> Please see the following video for reference:
>>>>>>>>
>>>>>>>> http://www.youtube.com/watch?v=Y77n--Af1qo
>>>>>>>>
>>>>>>>> Yea.. That's right.... As of today the Blue Team is what you get assigned to when you are caught stuffing peas up your nose.
>>>>>>>>
>>>>>>>> This stops today!!!
>>>>>>>>
>>>>>>>> There are a few rules. Tricks and scripts must be able to run at the command line of your operating system of choice and all tools must be freeware or open source.
>>>>>>>>
>>>>>>>> That's it!!!
>>>>>>>>
>>>>>>>> Look, the Blue Team can rock!!! So please share your tricks.
>>>>>>>>
>>>>>>>> I am going to collect and add to them so we have a solid list and this will serve as the playbook for the Blues going forward.
>>>>>>>>
>>>>>>>> Be expecting this on the PDC site soon.
>>>>>>>>
>>>>>>>> strandjs
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Pauldotcom mailing list
>>>>>>>> [email protected]
>>>>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>>>>> Main Web Site: http://pauldotcom.com

--
Sent from my mobile device

______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
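A worked example of the "live off the land" log analysis and temporary blocking that John's post recommends: count failed logins per source with nothing but the stock CLI tools, then emit a block rule that removes itself so you do not DoS yourself. This is added here and is not code from anyone in the thread; it assumes a Linux host with iptables and at available, and the sshd log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): log triage with only POSIX tools.
set -eu

# Constructed sample auth-log lines standing in for /var/log/auth.log.
SAMPLE_LOG='Aug  1 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51122 ssh2
Aug  1 10:01:03 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51123 ssh2
Aug  1 10:01:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
Aug  1 10:01:05 web1 sshd[2204]: Accepted publickey for jack from 198.51.100.4 port 40022 ssh2
Aug  1 10:01:06 web1 sshd[2205]: Failed password for jack from 198.51.100.4 port 40023 ssh2'

# Print "count ip" for every source with at least $2 failed logins,
# busiest source first. $1 is the log text.
failed_logins_by_ip() {
    printf '%s\n' "$1" |
        grep 'Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# Emit (do not run) a temporary iptables block for $1 that a scheduled
# job removes after $2 minutes: a typo or a spoofed source then only
# costs you a short outage, not a permanent self-inflicted DoS.
temp_block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
    printf 'echo "iptables -D INPUT -s %s -j DROP" | at now + %s minutes\n' "$1" "$2"
}

# Review the candidates and the rules before pasting them into a root shell.
main() {
    failed_logins_by_ip "$SAMPLE_LOG" 3 | while read -r count ip; do
        echo "# $ip: $count failed logins"
        temp_block_rule "$ip" 30
    done
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `--run` to print the review list; swap `SAMPLE_LOG` for `"$(cat /var/log/auth.log)"` on a real host.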
