2010-09-16

Cyber-RAID 0, Day One - Blue Team

Asmodian X is Red-Teaming, but here are some of my thoughts on Cyber-RAID 0 from the Blue Team side.

First: today was one of the most frustrating and stressful days of my entire IT career. That's saying something, considering that I'm officially off the clock, on vacation with a "four-day weekend." I'm burning vacation days to participate, and some good friends of mine with strong ties to the financial, law enforcement and education industries sponsored my attendance at this event. Being stressed out doesn't mean I'm not having fun, though. This is my first time in a game like this, so it's new and exciting to me.

Next, I have an all-star team working with me. We got to self-organize into groups, so I already knew some of the people on my team, and what they're capable of.

Blue Teams

The "Blue Team" is actually 4 teams with 8 members each. The goal of each blue team is to get as few marks against their network as possible. Each "network" is a VMware server with 8 VMs. Each team gets a nearly identical setup, save for a few passwords being different. Marks are racked up based on the integrity of mandatory services. Your exchange server goes down? That's a certain number of marks against your team. An attacker deletes or modifies a certain file on your web server? More marks against you. These accumulate periodically until you restore the services to their intended state. I won't go into what all services are checked or what kinds of virtual machines we're running, since some of my red-team buddies might take advantage of the information. It's safe to say that there were many services running that didn't need to be.

By gathering enough data to implicate a specific attacker, each Blue Team can recover some of the marks against their network as well as getting the attacker "arrested" - sidelined for 30 minutes.

The Red "Team"

The Red Team is full of lone gunmen who are free to collaborate if they wish, but they're much less structured than the Blue Teams are. Each Red Team member scores points for themselves by getting phone-home scripts or binaries to run from the Blue Team network. Ideally, they exploit remote-code-execution vulnerabilities, pop a box to get a session or shell, or otherwise get the Blue Team's systems to contact the scoring server on their behalf. The goal of the Red Team attackers is to score as many points as possible. If they can persist their hold on a Blue Team network, they can continue to rack up points by running their phone-home processes repeatedly. Note: these scripts can't effectively be run in an infinite loop to rack up tens of thousands of points per minute.

The Pointy-Haired Boss

Toward the end of the day, our Virtual CEO decided to DEMAND that we change our firewall rulesets to open certain ports for outbound access to any remote server. As you can imagine, per the rules of the game, many of the blue teams had opted to implement egress filtering rules that would allow the services to be contacted from the outside, but to disallow any outgoing connections originating from our servers in order to foil any successful "phone home" attempts, even in the event of a complete system compromise. This demand was certain to throw a wrench into egress filtering rules, but the team I'm on dealt with it well enough. Tomorrow, more demands will be thrown at us, and the usual fare of IT issues will be simulated: password resets, account creation, etc.
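The egress-filtering approach described above, written out as an iptables ruleset. This is an added example, not a ruleset from the post or from any Cyber-RAID team; it assumes a Linux host, and the scored service ports (80, 443, 25) and the optional list of outbound ports the "CEO" demands are constructed values. Inbound connections to the scored services are accepted and their replies are allowed by connection tracking, but any new connection the server itself originates is logged (evidence for an "arrest") and dropped, which is what defeats a phone-home even after a full compromise.

```shell
#!/bin/sh
# Hypothetical default-deny egress ruleset (added example, not from the post).
# Assumptions: Linux host with iptables; SERVICES lists the TCP ports the
# scorebot checks from the outside (constructed values).

SERVICES="80 443 25"   # constructed: web and mail services checked by the scorebot

# Print the iptables commands for the policy.  $1 is an optional space-separated
# list of outbound TCP ports to permit (the "CEO" exceptions); empty by default.
egress_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies to connections already accepted in either direction.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Scored services must stay reachable from the outside.
    for p in $SERVICES; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound exceptions demanded by management, kept as narrow as possible.
    for p in $1; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else the server tries to originate is logged, then dropped:
    # a blocked phone-home attempt shows up in the log as evidence.
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix \"EGRESS-DROP: \""
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -j DROP"
}

# Apply the rules for real (requires root). Review egress_rules output first.
apply_rules() {
    egress_rules "$1" | sh -e
}
```

Run `egress_rules` alone to review the generated commands; `apply_rules "22"` would load the policy with a single outbound exception for port 22.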

Results

"We have met the enemy, and he is us!"

At the start of the game, each of the Blue Teams caused more problems for themselves than the attackers did: team-mates accidentally knocking out power to production systems, intentionally telling Red-Teamers to "Piss Off" by modifying an integrity-monitored web page, and failing to fully understand this network that was just dropped into our laps are only three examples of the sort of frustrating things I saw today, and pretty much every team had the same problems.

There's still a half-day ahead of us, but the last time I checked, our Blue Team was in the lead (by virtue of having nearly a thousand fewer "marks" against us than our closest competitor). I have a feeling we'll need to work hard to stay in the lead. The members of the Red Team seem to be having a very, very rough go of things as well. The top attacker, last I saw, had a mere dozen points. My guess is that the attackers are landing a few successful exploits, but are having difficulty with the way points are awarded.

We'll see how it turns out at 13:00 tomorrow afternoon. B-Sides runs all day tomorrow as well, but Cyber-RAID participants will miss out on the first half.
