I wonder if there has ever been a case where someone from the blue team went after the red team's machines.
I am not sure of the rules of the CTF, but being a Linux admin I would try to find the MACs and IPs of the attackers as soon as possible and just write an iptables rule to drop all their connections, or maybe route them to a VM so they won't get suspicious.

-Brad

On Tue, Jul 28, 2009 at 11:29 PM, John Strand <[email protected]> wrote:
> Time to bring Tim in on this.
>
> The White Wolf guys are simply the best at this kind of simulation.
>
> Tim, care to throw in your two cents?
>
> john
>
> On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
>
> All good suggestions. To answer Erik's question on scoring, per my experience last week at the NYC CTF:
>
> Red Team members were required to run a script on the compromised system once it was compromised to gain a point for the hack. They were encouraged to take data but no DDoS was allowed. However, they could take down systems towards the end of the day (although they would not be getting points for doing so, but the blue team would gain points for systems down - more points are bad for blue).
>
> Blue Team members with the lowest score won. They needed to keep systems and services online. If compromised, they could regain (subtract some points) if they were able to get the systems online quickly and accurately report data loss to the FBI field office. (Paul and Renald actually did a good job destroying the team that won, but because they were able to restore and start over (DR) they regained their lead.)
>
> So with that said, while tools (both preventative and reactive) would certainly help the blue team, I think the most important thing is to be organized, have a plan, have the expertise (one person for Linux, one for Windows, one for web apps/databases, and one for networking), and know when to say "we are screwed, let's implement our DR plan." And as Erik pointed out, lock down the systems!
>
> Some command line and GUI tools could certainly have helped with this but would be no substitute for experience and organization. Scripting command line stuff and GPOs would certainly help in a large environment (have quite a bit of experience there), but in an exercise like this it may just slow a team down (better to do it manually since there were only a handful of systems).
>
> So AV, log monitoring, best practices (i.e. all of Erik's preventative suggestions and more), and things like TCSTools switchblade for incident response would all be helpful. I'm wondering if the question of what tools is the right question. Maybe the question is what best practices?
>
> Just my 2 1/2 cents.
>
> On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <[email protected]> wrote:
>
>> Beyond a lot of the great reactive or visibility-driven suggestions already provided, and assuming this is in a lab environment (I hope) - harden the crap out of the server. Standard fare: remove/disable unnecessary services, change default service accounts to low priv, add manual NTFS permissions across the filesystem *and registry* to limit that account's access, patch the OS, apps, services, any web software (just assuming they're gonna give you Joomla w/ 1500 plugins and modules to make it utterly impossible to win), move DB passwords in the code into an included file ../ out of the main web directory, deny writes to all web directories for the duration of the scenario so no webshells can be uploaded, fix outbound connections at the firewall (host and upstream), switch services to listen only on 127.0.0.1, blah blah blah... the list goes on.
>>
>> How are you measuring successful intrusion? What's the jackpot for red? You could just be a bastard and move or delete that file :D Lock it away in a TrueCrypt volume protected by keys and passphrases.
>>
>> On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <[email protected]> wrote:
>>
>>> Very nice. Does Autopatcher allow you to manually copy over patches (already have many downloaded)?
>>>
>>> To add some:
>>>
>>> Again Sysinternals tools: Process Monitor, PsTools, TCPView
>>> Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
>>> Nessus - Home Feed of course
>>> DumpSec - NTFS file permission dumper
>>> Your favorite free sniffer - Wireshark, etc.
>>> MRTG - router bandwidth monitoring
>>> AVG or other decent free AV
>>> Snort
>>>
>>> On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <[email protected]> wrote:
>>>
>>>> 8 GB stick prepared with Autopatcher (http://www.autopatcher.com/). I would have patches for all versions of Windows. I would also place Portable Firefox, and XAMPP in case I need to migrate an Apache LAMP server to an updated version since I have seen a trend of putting Apache on Windows in this competition; also place several pre-made security templates for use with GPO or local application, the URLScan installer and pre-made urlscan.ini files, the Comodo free firewall installer and the NSA Cisco templates, ACL templates, Nipper for checking the Cisco equipment config quickly and some PVLAN sample configs. KeePass for password storage and generation.
>>>>
>>>> That is what comes to mind now.
>>>>
>>>> On Tue, Jul 28, 2009 at 8:54 AM, John Strand <[email protected]> wrote:
>>>>
>>>>> Please! PSW land! Share your Blue Team tactics!
>>>>> What tools, scripts, and techniques do you use as part of Incident Response and Blue Team Activities?
>>>>>
>>>>> I have sat in on one too many Red/Blue/CTF games where the Red team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Abel, Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture techniques (including IronGeek's rubber hoses) and the Blue team gets....
>>>>>
>>>>> "An un-patched Windows 2000 box and a slew of un-patched software!!!!!"
>>>>>
>>>>> Please see the following video for reference:
>>>>>
>>>>> http://www.youtube.com/watch?v=Y77n--Af1qo
>>>>>
>>>>> Yeah... That's right.... As of today the Blue Team is what you get assigned to when you are caught stuffing peas up your nose.
>>>>>
>>>>> This stops today!!!
>>>>>
>>>>> There are a few rules. Tricks and scripts must be able to run at the command line of your operating system of choice and all tools must be freeware or open source.
>>>>>
>>>>> That's it!!!
>>>>>
>>>>> Look, the Blue Team *can* rock!!! So please share your tricks.
>>>>>
>>>>> I am going to collect and add to them so we have a solid list and this will serve as the playbook for the Blues going forward.
>>>>>
>>>>> Be expecting this on the PDC site soon.
>>>>>
>>>>> strandjs
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
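Brad's drop-or-redirect idea, as an added example that is not part of the thread or anyone's posted tooling: a POSIX shell script that builds the iptables rules for a red-team host once its IP or MAC is known, either dropping it outright or DNAT-ing it to a decoy VM. It assumes a Linux host with iptables, a decoy VM at the hypothetical address 192.168.56.10 on a host-only network whose default gateway is this host, and prints the rules for review by default (APPLY=1 runs them, which needs root). The script name quarantine.sh and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables rules for a
# red-team host the blue team has identified, either dropping its traffic
# or DNAT-ing it to a decoy VM so the attacker keeps working against a box
# that does not matter. Rules are printed for review; APPLY=1 runs them.
# The decoy address is hypothetical.
set -eu

DECOY_IP="${DECOY_IP:-192.168.56.10}"   # assumed decoy VM, host-only network

# Accept only a dotted-quad IPv4 address so a stray token copied out of a
# log (a hostname, a port suffix) never turns into a rule.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept a colon-separated MAC address (hex, either case).
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Drop every packet from the attacker's IP. Inserted at position 1 of
# INPUT and FORWARD so an earlier ACCEPT cannot let it through.
drop_by_ip() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD 1 -s %s -j DROP\n' "$1"
}

# Drop by source MAC. The mac match only sees the last-hop address, so
# this works on the attacker's own L2 segment and would match the router
# instead if the attacker is behind one.
drop_by_mac() {
    is_mac "$1" || { echo "not a MAC address: $1" >&2; return 1; }
    printf 'iptables -I INPUT 1 -m mac --mac-source %s -j DROP\n' "$1"
}

# Rewrite the destination of everything the attacker sends to the decoy.
# DNAT in PREROUTING happens before routing, so forwarding must be on and
# the decoy must route its replies back through this host for conntrack
# to reverse the translation (true when this host is the VM's gateway).
redirect_to_decoy() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    is_ipv4 "$DECOY_IP" || { echo "bad DECOY_IP: $DECOY_IP" >&2; return 1; }
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -I PREROUTING 1 -s %s -j DNAT --to-destination %s\n' \
        "$1" "$DECOY_IP"
    printf 'iptables -I FORWARD 1 -s %s -d %s -j ACCEPT\n' "$1" "$DECOY_IP"
    printf 'iptables -I FORWARD 1 -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$DECOY_IP" "$1"
}

# Usage: sh quarantine.sh drop|drop-mac|redirect <addr> [<addr>...]
# Rules go to stdout; APPLY=1 feeds them to a root shell instead.
main() {
    mode="$1"; shift
    for target in "$@"; do
        case "$mode" in
            drop)     drop_by_ip "$target" ;;
            drop-mac) drop_by_mac "$target" ;;
            redirect) redirect_to_decoy "$target" ;;
            *) echo "usage: $0 drop|drop-mac|redirect <addr>..." >&2; return 2 ;;
        esac
    done | if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two limits worth knowing before relying on this in a game: the MAC match only helps when the attacker sits on the same L2 segment, so on a routed CTF network the IP rule is the one that matters, and a red team that simply changes address walks around either rule. Redirecting instead of dropping is what keeps the attacker from noticing, but it only holds up if the decoy's replies come back through this host so conntrack can reverse the DNAT; a decoy with its own route to the attacker would answer from the wrong address and give the trick away.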
