PaulDotCom mailing list archives

Blue Team Tactics


From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Wed, 29 Jul 2009 08:50:40 -0500

That's what I was thinking.  Valsmith was interviewed on some podcast a
few months back (PDC? Securabit?) and was asked how he would do network
defense rather than offense.  His response was to be proactive about it.
Target the attackers and respond in kind.  One example was leaving
"juicy" data around that contained exploits & meterpreter payloads.
That could very easily be combined with John's technical segment in
ep.161 regarding Office macros.  "Oh no, you compromised my HR server!
Please don't take this file named employee_records.xls."

 

Taking it a step further, you could combine some intelligent monitoring
& IDS traps to keep track of who you're targeting.  So now combine it
with the conversation with Lance Spitzner.  Our employee_records.xls
also has data in it for Britney Spears (our receptionist of the month!).
When our IDS notices that data leaving the network it logs it and
notifies us of IP address so that we can be expecting a returning
meterpreter session soon and be prepared.  Then when our Metasploit
server has the meterpreter session ready, it can notify us to begin
hacking the attacker.  This also has the side benefit of giving us both
the IP that the data went to, and the IP that the session is coming from
which provides a little more information about the attacker who may be
using bots to launch the attacks from.  

 

I can see where this would be hard to allow in a CTF though.  If the
defenders have the ability to disable the attackers, then it could
become almost too easy.  The only way to compensate would be to make the
red team MUCH larger so that the defenders just don't have time to
counter-attack them all.  

 

- Nathan
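A detection-side sketch of the honeytoken idea in Nathan's message, added here as an example and not code from the thread: it scans constructed log lines for the planted canary record leaving the network, records the destination IP, and then flags later inbound connections to the handler port, noting whether the callback comes from the exfil destination or from some other host. The log line format, the canary string and the handler port 4444 are assumptions made for this example.

```python
import re
from dataclasses import dataclass

CANARY = "Britney Spears"   # fake record planted in the decoy employee_records.xls
HANDLER_PORT = 4444         # port our listener waits on (assumption for this example)

# Assumed, simplified log format: "<ts> <OUT|IN> <src_ip> -> <dst_ip> <dst_port> <summary>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<dir>OUT|IN) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<port>\d+) (?P<data>.*)$"
)

# Constructed sample log: normal traffic, the canary leaving, then two callbacks.
SAMPLE_LOG = """\
1000 OUT 10.0.0.5 -> 203.0.113.7 80 GET /index.html
1001 OUT 10.0.0.5 -> 198.51.100.9 80 POST /upload employee_records.xls Britney Spears
1002 IN 192.0.2.44 -> 10.0.0.5 22 TCP SYN
1003 IN 192.0.2.44 -> 10.0.0.5 4444 TCP SYN
1004 IN 198.51.100.9 -> 10.0.0.5 4444 TCP SYN
"""


@dataclass
class Alert:
    kind: str          # canary_exfil, callback_same_host or callback_other_host
    ts: int
    exfil_dst: str     # where the canary data went
    callback_src: str = ""  # who connected to the handler afterwards (if any)


def analyze(log_text: str):
    """Walk the log once; return alerts in the order they fire."""
    exfil_dsts = []   # IPs the canary data was sent to, in order seen
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # unparsable line: skip, do not guess
        ts, direction = int(m["ts"]), m["dir"]
        if direction == "OUT" and CANARY in m["data"]:
            # The decoy record left the network: note the destination.
            if m["dst"] not in exfil_dsts:
                exfil_dsts.append(m["dst"])
            alerts.append(Alert("canary_exfil", ts, m["dst"]))
        elif direction == "IN" and int(m["port"]) == HANDLER_PORT and exfil_dsts:
            # A session is calling back after the canary left. Keep both IPs so a
            # callback from a host other than the exfil destination stands out.
            kind = "callback_same_host" if m["src"] in exfil_dsts else "callback_other_host"
            alerts.append(Alert(kind, ts, exfil_dsts[-1], m["src"]))
    return alerts
```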

 

 

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Bradley
McMahon
Sent: Wednesday, July 29, 2009 7:39 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

 

I wonder if there has ever been a case where someone from the blue team
went after the red team's machines.

I am not sure of the rules of the CTF, but being a Linux admin I would
try to find the MACs and IPs of the attackers as soon as possible and
just write an iptables rule to drop all their connections, or maybe route
them to a VM so they won't get suspicious.
-Brad




On Tue, Jul 28, 2009 at 11:29 PM, John Strand <strandjs at gmail.com>
wrote:

Time to bring Tim in on this.

 

The White Wolf guys are simply the best at this kind of simulation.

 

Tim, care to throw in your two cents?

 

john

 

 

 

On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:





All Good Suggestions. To answer Erik's question on scoring per my
experience last week at the NYC CTF.

Red Team members were required to run a script on the compromised system
once it was compromised to gain a point for the hack. They were
encouraged to take data but no DDoS was allowed. However, they could
take down systems towards the end of the day (although they would not
get points for doing so, but the blue team would gain points for
systems down - more points are bad for blue).

Blue Team Members with the lowest score won. They needed to keep systems
and services online. If compromised they could regain (subtract some
points) if they were able to get the systems online quickly and
accurately report data loss to the FBI field office. (Paul and Renald
actually did a good job destroying the team that won, but because they
were able to restore and start over (DR) they regained their lead.)

So with that said, while tools (both preventative and reactive) would
certainly help the blue team, I think the most important thing is to be
organized, have a plan, have the expertise (one person for Linux, one
for Windows, one for web apps/databases, and one for networking), and
know when to say "we are screwed, let's implement our DR plan." And as Erik
pointed out, lock down the systems!

Some command line and GUI tools could certainly have helped with this
but would be no substitute for experience and organization. Scripting
command line stuff and GPOs would certainly help in a large environment
(have quite a bit of experience there) but in an exercise like this it
may just slow a team down (better to do it manually since there were
only a handful of systems).

So AV, log monitoring, best practices (i.e. all of Erik's preventative
suggestions and more), and things like TCSTools switchblade for incident
response would all be helpful. I'm wondering if the question of what
tools is the right question. Maybe the question is what best practices?

Just My 2 1/2 cents. 




On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <eharrison at gmail.com>
wrote:

beyond a lot of the great reactive or visibility driven suggestions
already provided, and assuming this is in a lab environment (i hope) -
harden the crap out of the server. standard fare, remove/disable
unnecessary services, change default service accounts to low priv. add
manual ntfs permissions across the filesystem *and registry* to limit
that account's access. patch the os, apps, services, any web software
(just assuming they're gonna give you joomla w/ 1500 plugins and modules
to make it utterly impossible to win). move db passwords in the code
into an included file ../ out of the main web directory, deny writes to
all web directories for the duration of the scenario so no webshells can
be uploaded, fix outbound connections at the firewall (host and
upstream), switch services to listen only on 127.0.0.1, blah blah blah..
the list goes on

how are you measuring successful intrusion? what's the jackpot for red?
you could just be a bastard, and move or delete that file :D lock it
away in a truecrypt volume protected by keys and passphrases.

 

On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <gbugbear at gmail.com>
wrote:

Very Nice. Does Autopatcher allow you to manually copy over patches
(already have many downloaded)?

To add some:

Again Sysinternals Tools: Process Monitor, PSTools, TCPView
Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
Nessus - Home Feed of course
Dumpsec - NTFS File Permission dumper
Your favorite free sniffer - Wireshark, etc..
MRTG - Router bandwidth monitoring
AVG or other decent free AV
Snort







On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez
<carlos_perez at darkoperator.com> wrote:

8 GB stick prepared with autopatcher http://www.autopatcher.com/
I would have patches for all versions of Windows.

I would also place portable Firefox, and
XAMPP in case I need to migrate an Apache LAMP server to an updated
version since I have seen a trend of putting Apache on Windows in this
competition, also place several pre-made security templates for use with
GPO or local application, URLScan installer and pre-made urlscan.ini
files. Comodo free firewall installer and the NSA Cisco templates, ACL
templates, Nipper for checking the Cisco equipment config quickly and
some PVLAN sample configs. KeePass for password storage and generation.

 

That is what comes to mind now.

 

On Tue, Jul 28, 2009 at 8:54 AM, John Strand <strandjs at gmail.com> wrote:

        Please! PSW land! Share your Blue Team tactics!

         

        What tools, scripts, and techniques do you use as part of
Incident Response and Blue Team Activities?  

         

        I have sat in on one too many Red/Blue/CTF games where the Red
team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Abel,
Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture
techniques (including IronGeek's rubber hoses) and the Blue team
gets....

         

        "An un-patched Windows 2000 box and a slew of un-patched
software!!!!!''

         

        Please see the following video for reference:

         

        http://www.youtube.com/watch?v=Y77n--Af1qo

         

        Yea..  That's right.... As of today the Blue Team is what you get
assigned to when you are caught stuffing peas up your nose.

         

        This stops today!!!

         

        There are a few rules.  Tricks and scripts must be able to run
at the command line of your operating system of choice and all tools
must be freeware or open source.

         

        That's it!!!

         

        Look, the Blue Team can rock!!!  So please share your tricks.  

         

        I am going to collect and add to them so we have a solid list
and this will serve as the playbook for the Blues going forward.

         

        Be expecting this on the PDC site soon.

         

        strandjs

         

        _______________________________________________
        Pauldotcom mailing list
        Pauldotcom at mail.pauldotcom.com
        http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
        Main Web Site: http://pauldotcom.com

 

