PaulDotCom mailing list archives

Blue Team Tactics


From: jackadaniel at gmail.com (Jack Daniel)
Date: Sat, 1 Aug 2009 09:07:25 -0700

I was lurking on this one, but Fr. John just made a point I would like
to add to.  It is a bit of a tangent, but-

John's point about "living off the land" reminded me of all the times
I have seen admins who *have* the sexy tools when things get ugly- but
they never really learned how to use them or what the tools could
really do, much less considered if/how/when to use them in a crisis.
I have even "heard" about admins battling LAN infestations who didn't
know/forgot how to use their perimeter security appliance and had to
cry for help to the vendor's engineering team.

Jack

On 8/1/09, John Strand <strandjs at gmail.com> wrote:
So far the Blue team recommendations have been fantastic, so I thought
I would drop in a few suggestions to keep the discussion going.

One of the first things I wish any Blue teamer would do is download
the SANS incident response cheat-sheets for Windows and for Linux.

http://isc.sans.org/diary.html?storyid=5354

http://www.sans.org/info/3826

http://www.sans.org/info/3831

Consider this the basics to play.  I hate it when I see a defender
stare at Task Manager for an hour or two with a blank stare on their
face. What are they looking for?  EvilBackdoor.exe?

Now, how about how to use your firewall on Linux?

http://www.youtube.com/watch?v=kUdCsZpt2ew

What if you do not have a firewall on a Windows server?  You are
screwed right?  No, look at IPSec filters.

http://www.youtube.com/watch?v=amHaBmOlfgE

Why is it that many times the Blue team keeps getting owned by RPC or
SMB and they don't block the ports?

And what about some log analysis kung-fu?

(Special note: I am trying to invoke the all powerful Red SANS
Instructor with the above statement.)

If IP Address X, or range Y keeps attacking you, block them.

(Another special note..  I recommend only blocking temporarily and
being very careful when you do.  Otherwise, you may DoS yourself.)

Sure, third party tools are great..  However, many Red/Blue activities
(I am talking to you Tim) will not allow defenders to get access to
all of this stuff right out of the gate.

Why?

Is it because the people who put these games on are evil? Possibly (I am
still talking to you Tim). Possibly.  However, the real reason is that
all of our security technologies, while helpful, have their
limitations. We depend on them far too much.  We need to learn how to
"live off the land" as it were.  Also, a solid long term strategy
may not work right now.  Developing these defender skills for short
term damage control is key to our industry.

So, there have been some very cool recommendations for third party
tools.  Now I want you to focus on the CLI and the built-in tools you
get with a Windows or Linux system.


This is, quite possibly, the best security list ever.


-strandjs



On Jul 30, 2009, at 1:43 PM, Tim Rosenberg wrote:

John,
Thanks for the nod. I like the thread.  Also thanks to Paul for
attending our NYC CTF event and running an excellent Red Cell as
always.

These suggestions are all very good.  One thing I would offer up.
We have the Cyber Dawn event in October in VA.  It would be great to
have a professional defense team there to show/document/demonstrate
how to lock down a system/network and monitor it.  One of the great
suggestions from the NYC event was that there needed to be a Defense
Coach...just like the role Larry played in Vegas.  I frankly
couldn't agree more.

I see the note about apache and windows...time to trade up some of
the defensive assets too.

One of the things I would ask the defender community.  One of the
difficult things in designing these exercises is the creation of a
series of functional network services that are realistic and yet
vulnerable.  Rather than turning this into a patch game where the
fastest keyboard wins, the feedback I'm getting from participants is
to provide more of a leg up for the defenders.  This needs to be
balanced against a diverse skill set of Red Cell, some of whom are
professional pen testers, others are running metasploit for the
first time.  So here's some thoughts, please feel free to criticize.
Providing a "test network"; an unprotected unpatched network that is
unstaffed by humans.  This would be used as a test net for new Red
Cell to cut their teeth on tools prior to going against the human
defended networks.  The down side to this is that by the time
they've played around, the holes they exploited on the Test Net will
most certainly be closed by the humans.
Provide unpatched "legacy systems" that cannot be updated by the
defenders.  These low hanging fruit targets would be only one or two
systems inside the defenders' networks.  It would provide an easy
target for the Red Cell, but for them to further exploit the
network, they would have to know how to pivot really well.
Defender challenges; I would welcome an opportunity to connect to
the larger community and ask for help in building systems that may
only have one way in.  Preferably through a single less known or
more difficult vulnerability.  For example, Paul has consistently
found a way into the Debian boxes we use.  However, he only gets
limited user access as there is nothing installed to support local
privilege escalation.
Cheers,
Tim Rosenberg


On 7/28/09 11:29 PM, "John Strand" <strandjs at gmail.com> wrote:

Time to bring Tim in on this.

The White Wolf guys are simply the best at this kind of simulation.

Tim, care to throw in your two cents?

john



On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:

All Good Suggestions. To answer Erik's question on scoring per my
experience last week at the NYC CTF.

Red Team members were required to run a script on the compromised
system once it was compromised to gain a point for the hack. They
were encouraged to take data but no DDoS was allowed. However,
they could take down systems towards the end of the day (although
they would not get points for doing so but the blue team would
gain points for systems down - more points are bad for blue).

Blue Team Members with the lowest score won. They needed to keep
systems and services online. If compromised they could regain
(subtract some points) if they were able to get the systems online
quickly and accurately report data loss to the FBI field office.
(Paul and Renald actually did a good job destroying the team that
won, but because they were able to restore and start over (DR) they
regained their lead.)

So with that said while tools (both preventative and reactive)
would certainly help the blue team, I think the most important
thing is to be organized, have a plan, have the expertise (one
person for Linux, one for Windows, one for web apps/databases, and
one for networking), and know when to say we are screwed, let's
implement our DR plan. And as Erik pointed out lock down the
systems!

Some command line and GUI tools could certainly have helped
with this but would be no substitute for experience and
organization. Scripting command line stuff and GPO's would
certainly help in a large environment (have quite a bit of
experience there) but in an exercise like this it may just slow a
team down (better to do it manually since there were only a
handful of systems).

So AV, log monitoring, best practices (i.e. all of Erik's
preventative suggestions and more), and things like TCSTools
switchblade for incident response would all be helpful. I'm
wondering if the question of what tools is the right question.
Maybe the question is what best practices?

Just My 2 1/2 cents.



On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison
<eharrison at gmail.com> wrote:
beyond a lot of the great reactive or visibility driven
suggestions already provided, and assuming this is in a lab
environment (I hope) - harden the crap out of the server.
standard fare, remove/disable unnecessary services, change
default service accounts to low priv. add manual ntfs permissions
across the filesystem *and registry* to limit that account's
access. patch the os, apps, services, any web software (just
assuming they're gonna give you joomla w/ 1500 plugins and
modules to make it utterly impossible to win). move db passwords
in the code into an included file ../ out of the main web
directory, deny writes to all web directories for the duration of
the scenario so no webshells can be uploaded, fix outbound
connections at the firewall (host and upstream), switch services
to listen only on 127.0.0.1, blah blah blah.. the list goes on

how are you measuring successful intrusion? what's the jackpot
for red? you could just be a bastard, and move or delete that
file :D lock it away in a truecrypt volume protected by keys and
passphrases.



On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <gbugbear at gmail.com>
wrote:
Very Nice. Does Autopatcher allow you to manually copy over
patches (already have many downloaded)?

To add some:

Again Sysinternals Tools: Process Monitor, PSTools, TCPView
Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
Nessus - Home Feed of course
Dumpsec - NTFS File Permission dumper
Your favorite free sniffer - Wireshark, etc..
MRTG - Router bandwidth monitoring
AVG or other decent free AV
Snort






On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez
<carlos_perez at darkoperator.com>
wrote:

8 GB stick prepared with autopatcher
http://www.autopatcher.com/
I would have patches for all versions of Windows.

I would also place portable
Firefox, and XAMPP in case I need to migrate an Apache LAMP
server to an updated version since I have seen a trend of
putting Apache on Windows in this competition, also place
several pre-made security templates for use with GPO or local
application, URLScan installer and pre-made urlscan.ini files.
Comodo free firewall installer and the NSA Cisco templates, ACL
templates, Nipper for checking the Cisco equipment config
quickly and some PVLAN sample configs. KeePass for password
storage and generation.


that is what comes now to mind.


On Tue, Jul 28, 2009 at 8:54 AM, John Strand
<strandjs at gmail.com> wrote:

Please! PSW land! Share your Blue Team tactics!

What tools, scripts, and techniques do you use as part of
Incident Response and Blue Team Activities?


I have sat in on one too many Red/Blue/CTF games where the Red
team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain
and Abel, Ettercap, Dsniff, Hydra, ophcrack, Nmap, BT4 and
various torture techniques (including IronGeek's rubber hoses)
and the Blue team gets....


"An un-patched Windows 2000 box and a slew of un-patched
software!!!!!"

Please see the following video for reference:

http://www.youtube.com/watch?v=Y77n--Af1qo


Yea..  That's right.... As of today the Blue Team is what you
get assigned to when you are caught stuffing peas up your nose.

This stops today!!!

There are a few rules.  Tricks and scripts must be able to run
at the command line of your operating system of choice and all
tools must be freeware or open source.


That's it!!!

Look, the Blue Team can rock!!!  So please share your tricks.

I am going to collect and add to them so we have a solid list
and this will serve as the playbook for the Blues going forward.


Be expecting this on the PDC site soon.

strandjs

_______________________________________________
 Pauldotcom mailing list
 Pauldotcom at mail.pauldotcom.com
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
 Main Web Site: http://pauldotcom.com






-- 
Sent from my mobile device

______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
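As an added example, not code from the thread or any of its authors: John Strand's advice above (block a persistently attacking address only temporarily, be careful not to DoS yourself, and stop getting owned over RPC/SMB by blocking the ports) as a POSIX shell script for a Linux host. The allow-list addresses and the SSH_CONNECTION self-check are my assumptions; with DRY_RUN=1 (the default) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): temporarily block an attacking address or
# range, refusing to block our own management session so we do not DoS ourselves,
# and drop inbound RPC/SMB from everyone except an allow-list.
# DRY_RUN=1 (the default) only prints the iptables commands.
DRY_RUN="${DRY_RUN:-1}"
# Hypothetical allow-list: scoring box, jump host, anything that must stay reachable.
NEVER_BLOCK="${NEVER_BLOCK:-10.0.0.1 192.168.1.10}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Succeeds when $1 is allow-listed or is the peer of the SSH session we are typing
# in (the first field of SSH_CONNECTION is the client address).
is_protected() {
  ssh_peer="${SSH_CONNECTION%% *}"
  [ -n "$ssh_peer" ] && [ "$ssh_peer" = "$1" ] && return 0
  for a in $NEVER_BLOCK; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# block_temp <ip-or-cidr> [seconds]: insert a DROP rule at the top of INPUT and
# schedule its removal so a mistaken block heals itself (default 15 minutes).
block_temp() {
  target="$1"; ttl="${2:-900}"
  if is_protected "$target"; then
    echo "refusing to block protected address $target" >&2
    return 1
  fi
  run iptables -I INPUT -s "$target" -j DROP
  if [ "$DRY_RUN" = "1" ]; then
    echo "# after ${ttl}s: iptables -D INPUT -s $target -j DROP"
  else
    ( sleep "$ttl"; iptables -D INPUT -s "$target" -j DROP ) &
  fi
}

# block_rpc_smb: allow-listed peers keep RPC endpoint mapper and SMB; everyone
# else is dropped on TCP 135/139/445 and NetBIOS UDP 137/138.
block_rpc_smb() {
  for a in $NEVER_BLOCK; do
    run iptables -A INPUT -s "$a" -p tcp -m multiport --dports 135,139,445 -j ACCEPT
  done
  run iptables -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
  run iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
}
```

Run it once with DRY_RUN=1 and read the generated rules before running with DRY_RUN=0 as root; the background timer only lives as long as the shell session that started it.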
