Blue Team Tactics

[cclymer at gmail.com (Chris Clymer)]

Theres a nice nagios plugin to monitor new ports being opened using  
nagios. Tossing up a nagios instance to monitor the health of various  
services might not be a bad idea. With a little effort it can parse  
logs too, but splunk might be a better choice here.

Sent from my iPhone

On Jul 28, 2009, at 11:45 AM, mOses <trklisted at networksamurai.org>  
wrote:

> For shame for Shame!
>
>    There are definitely 'defensive tools' that are lacking in some of
> the CTF games! The attackers are coming into this to 'win' how come
> the defenders are not also preparing to win?
>
> - If you know your being attacked from the 'network', how come there
> are no sensors involved? Maybe its a time contraint that we don't have
> IDS? That is a real life item that should be given to defenders. IDS
> an also do some TCP resets and shunning, which can be valuable. While
> the attackers can evade IDS this maybe a nice little stop gap. The
> question is, can you prepare ahead of time with an IDS sensor? The
> 'attackers' are preparing ahead of time with their tools?
> - Patching is an OK option, but yet again not 100% fool proof right,
> Software will be insecure so you can't solely rely on patching.
>
> - Logging and Correlated Logs will be important to a blue team, but if
> its not available even a basic BASE console will be enough for IDS
> eventing, or maybe the free Splunk platform?
>
> - There are the SysInternal tools. Procmon, Filemon, Regmon.
> ProcessExplorer, NetMon.
> - What about things like GMER, Rootkit Revealer and other items to
> look for the existence of nasties?
>
> - If you are a defender in a game, maybe it would be prudent to setup
> tools like 'flow' analysis to look at netflow
> - What about leveraging some scripts from NMAP. nmap scan the network
> and do diff's. If you see new ports opened or listening, maybe you've
> been comprimised!
>
> I love the conversation. The real value in these CTF games and
> Pentests is not for the attacker all the time, the real value is in
> understanding how to do 'live' defense.
>
> On Jul 28, 2009, at 8:54 AM, John Strand wrote:
>
> > Please! PSW land! Share your Blue Team tactics!
> >
> > What tools, scripts, and techniques do you use as part of Incident
> > Response and Blue Team Activities?
> >
> > I have sat in on one to many Red/Blue/CTF games where the Red team
> > gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Able,
> > Ettercap, Dsniff, Hydra, 0phcrack, Nmap, BT4 and various torture
> > techniques (including IronGeek's rubber hoses) and the the Blue team
> > gets....
> >
> > "An un-patched Windows 2000 box and a slew of un-patched
> > software!!!!!''
> >
> > Please see the following video for reference:
> >
> > http://www.youtube.com/watch?v=Y77n--Af1qo
> >
> > Yea..  Thats right.... As of today the Blue Team is what you get
> > assigned to when you are caught stuffing peas up your nose.
> >
> > This stops today!!!
> >
> > There are a few rules.  Tricks and scripts must be able to run at
> > the command line of your operating system of choice and all tools
> > must be freeware or open source.
> >
> > Thats it!!!
> >
> > Look, the Blue Team can rock!!!  So please share your tricks.
> >
> > I am going to collect and add to them so we have a solid list and
> > this will serve as the playbook for the Blues going forward.
> >
> > Be expecting this on the PDC site soon.
> >
> > strandjs
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com