capture the flag in windows security

Upload: dexterroot

Post on 06-Mar-2016


DESCRIPTION

This is a material for windows security training

TRANSCRIPT

  • 9/8/2015

    1

    Sponsored by

    Using Capture the Flag and Security Simulations to Improve Response Time, Hone Skills and Find Vulnerabilities

    2015 Monterey Technology Group Inc.

    Thanks to

    Made possible by

    James Griffin


  • 9/8/2015

    2

    Preview of key points

    Capture the flag goals

    How to plan

    How to design

    Related exercises: table top exercises, live fire drills, simulations

  • 9/8/2015

    3

    Related exercises

    Table top exercises. Purpose: finding high-level, unanticipated or blended vulnerabilities

    No hacking going on

    Sitting around a table, brainstorming attack scenarios

    Considering the response to an attack scenario

    Have representatives from each area of IT and security

    Need a challenger and an arbiter

    Related exercises

    Simulations: not about finding security vulnerabilities

    More about finding vulnerabilities or gaps in procedures, communication, contacts and stakeholders, and decision-making capability

  • 9/8/2015

    4

    Related exercises

    Live fire drills. Purpose: test your team with your actual network being protected

    Risk to production

    Hard to get approval and buy-in

    Need a very professional hacking team

    High risk and high value

    Capture the flag

    3 types: defense oriented, offense oriented, hybrid

    Team options: individual (single player, or multiple competing players); teams (single team, or multiple competing teams on the same side)

  • 9/8/2015

    5

    A basic offensive CTF game

    http://www.sans.org/reading-room/whitepapers/casestudies/capture-flag-education-mentoring-33018 - Jerome Radcliffe

    Several teams attempting to capture flags on servers

    Flags are simple text files placed in specific locations that teams must locate

    Cool if the files, when combined, form a larger message

    Moderator facilitates, adjudicates, keeps score, and gives hints where necessary to make sure all teams complete the game

    Winning based on time to complete; can also be based on highest score within the time limit

    Getting started

    What are your goals for the game? Help people think like the offense?

    Build skills?

    Preserve/build confidence?

    Make folks more aware/believing of the risks your organization faces?

    Held during or after work?

    Support from management: hardware, venue, prizes, food

  • 9/8/2015

    6

    Game dynamics and logistics

    Give sufficient notice

    How to form teams? Radcliffe used 2-person teams limited to 1 computer to encourage team interaction

    How long? All day or a weekend for advanced players; 3 hours for the entire event is more appropriate for a first game

    Need time for getting started, and for a post-game discussion, prizes, etc.

    Lay ground rules

    Scoreboard

    Technical design of the actual game

    Choose your targets: device, OS, application

    Advantages for selecting familiar vs. unfamiliar targets

    Decoy servers?

    Setup network: isolated?

    Choose your vulnerabilities to exploit; put the flag behind these vulnerabilities

    Design your attacker client PCs

  • 9/8/2015

    7

    Flags

    Choose your target: device, OS, application

    Advantages for selecting familiar vs. unfamiliar targets

    Choose your vulnerabilities to exploit; put the flag behind these vulnerabilities

    How many vulnerabilities and how difficult? Enough to keep it interesting and valuable, but not so many that they demoralize folks who can't complete

    Be careful deciding whether it's OK if not every team finishes

    Time limit

    If possible have the flags build on each other

    Realism not a strict requirement

    Example flags

    Not intended for use in current games; good examples of vulnerabilities that serve different purposes

    IIS Unicode exploit (https://www.kb.cert.org/vuls/id/111677): a nice vulnerability because it's very easy to understand; requires no special tools or programming, use it right from your browser

    SQL injection: get the application password stored in the database

    Hide an SSH server behind a nonstandard port

    Allow users to upload a program via a shared folder and then execute it via IIS CGI

    Decoy servers

    Found passwords are a great way to build one flag off the next

    Much more advanced
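The two slides above describe the mechanics of the basic game (flags as text files that combine into a larger message, a moderator who keeps score and hands out hints, winners decided by completion time or highest score) and recommend that flags build on each other. The following is an added example of a minimal moderator's scoreboard implementing those rules; it is not code from the slides, from Radcliffe's paper or from Monterey Technology Group. Team names, flag texts, point values, hint strings and timestamps are all constructed, and the flag labels (web-traversal, db-password, hidden-ssh, share-to-cgi) are hypothetical names that merely echo the slide's example flag types. Flags are stored only as SHA-256 digests so that the scoreboard host does not leak them, and a chained game only accepts each team's next flag.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def flag_digest(flag_text: str) -> str:
    """Hash a flag file's contents so the scoreboard never stores flags in clear."""
    return hashlib.sha256(flag_text.strip().encode("utf-8")).hexdigest()


@dataclass
class Flag:
    name: str      # hypothetical label used by the moderator
    digest: str    # sha256 of the flag file contents
    points: int
    hint: str      # hint the moderator may release to a stuck team


@dataclass
class Team:
    name: str
    captured: list = field(default_factory=list)   # (flag name, seconds into game)
    wrong_submissions: int = 0


class Scoreboard:
    """Chained game: flags are ordered and each one unlocks the next."""

    def __init__(self, flags):
        self.flags = flags
        self.teams = {}

    def register(self, team_name):
        self.teams[team_name] = Team(team_name)

    def submit(self, team_name, flag_text, t_seconds):
        """Check submitted flag file contents against the team's next flag; return (accepted, message)."""
        team = self.teams[team_name]
        n = len(team.captured)
        if n == len(self.flags):
            return False, "all flags already captured"
        expected = self.flags[n]      # flags build on each other: only the next one counts
        if hmac.compare_digest(flag_digest(flag_text), expected.digest):   # constant-time compare
            team.captured.append((expected.name, t_seconds))
            return True, f"{expected.name} accepted (+{expected.points})"
        team.wrong_submissions += 1
        return False, f"not the expected flag ({expected.name})"

    def score(self, team_name):
        points = {f.name: f.points for f in self.flags}
        return sum(points[name] for name, _ in self.teams[team_name].captured)

    def finish_time(self, team_name):
        """Seconds at which the team captured its last flag, or None if unfinished."""
        team = self.teams[team_name]
        if len(team.captured) < len(self.flags):
            return None
        return team.captured[-1][1]

    def ranking(self):
        """Highest score first; ties broken by whoever reached that score earlier."""
        def key(team):
            last = team.captured[-1][1] if team.captured else float("inf")
            return (-self.score(team.name), last)
        return [t.name for t in sorted(self.teams.values(), key=key)]

    def hint_for(self, team_name):
        """Hint for the next flag a team still needs, or None when it has finished."""
        n = len(self.teams[team_name].captured)
        return self.flags[n].hint if n < len(self.flags) else None


def assemble_message(flag_texts):
    """Join flag file contents in game order to form the larger message."""
    return " ".join(t.strip() for t in flag_texts)


# Constructed flag file contents; together they spell a larger message.
FLAG_FILES = ["THE", "QUICK", "BROWN", "FOX"]

# Constructed flag list whose labels echo the slide's example flag types.
FLAGS = [
    Flag("web-traversal", flag_digest(FLAG_FILES[0]), 100, "the web server is lax about paths"),
    Flag("db-password", flag_digest(FLAG_FILES[1]), 200, "the app keeps its password in the database"),
    Flag("hidden-ssh", flag_digest(FLAG_FILES[2]), 200, "not every service sits on its usual port"),
    Flag("share-to-cgi", flag_digest(FLAG_FILES[3]), 300, "what lands in the share may run on the web server"),
]


def run_demo():
    """Replay a constructed game between two teams and return the board."""
    board = Scoreboard(FLAGS)
    board.register("red")
    board.register("blue")
    board.submit("red", "THE\n", 600)     # trailing newline from the file is tolerated
    board.submit("red", "BROWN", 700)     # rejected: chained game, QUICK comes next
    board.submit("red", "QUICK", 800)
    board.submit("red", "BROWN", 900)
    board.submit("red", "FOX", 1000)
    board.submit("blue", "THE", 500)
    board.submit("blue", "QUICK", 650)
    board.submit("blue", "wrong guess", 700)
    return board


if __name__ == "__main__":
    board = run_demo()
    for name in board.ranking():
        print(name, board.score(name), board.finish_time(name), board.hint_for(name))
    print(assemble_message(FLAG_FILES))
```

Running the module prints red ahead of blue (800 points, finished at 1000 seconds) and the assembled message. The ranking key puts score first and the time of the last capture second, which covers both winning rules on the slide: with a fixed time limit the highest score wins, and among teams that finish everything the earliest completion wins.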

  • 9/8/2015

    8

    Design your attacker client PCs

    Provide all necessary tools: for beginners, for a short amount of time, or if you want to follow a one-design approach

    Leave it to them to research, find and download: for advanced players with lots of time

    Provide Internet access? Lay ground rules

    Game day

    Start on time

    Opening words: review rules, explain scoring, list prizes

    Begin competition

    Circle the room monitoring progress; help lagging teams get unstuck with hints; keep score; make general announcements as necessary to keep the game on track

    Stop on time

    Award prizes

    Have a post-game discussion: lessons learned, what to change for the next game

    Survey

  • 9/8/2015

    9

    Capture the Flag

    Bottom line: technical skills are a factor, but mindset is the big thing: understanding how attackers think and work

    Start looking at your network from the outside-in

    Confidence

    Planning

    Resources: hardware and software

    Coordination: team travel and availability

    Setup: very technical!

    Creating the flags and explaining them to participants is the biggest challenge

    Knowing how to give hints is also a challenge

    Capture the Flag

    Get all the benefits of Capture the Flag without any of the pain: planning, hardware, setup, design, teardown

    Not even necessary to make an event: staff availability

    Capture the Flag As a Service

  • 9/8/2015

    10

    Cyber Security: Simulation Platform

    James Griffin (Jimmy), Stan Kiefer

    Senior Managers, Product Management

    Copyright 2015 Symantec Corporation

    Security Organizations are Fighting an Asymmetric Battle

    Cybersecurity top IT skills shortage for 4th year in a row*

    Staff unproven: lack of hands-on experience with a breach

    Organizations are never certain of cyber-readiness

    Seemingly limitless resources

    Sophisticated, multi-stage attacks

    Attacker tactics constantly morphing

    * ESG's annual global IT Spending Intentions survey has shown a problematic shortage of cybersecurity experts as the top IT skills shortage for four years in a row. http://www.esg-global.com/research-reports/2015-it-spending-intentions-survey/

  • 9/8/2015

    11


    Security Simulation Strengthens Cyber Readiness

    Cloud-based, virtual training experience

    Live-fire simulation of multi-staged, advanced targeted attack scenarios

    Players assume the identity of their adversaries to learn motives, tactics and tools

    Engaging, immersive security training through gamification

    Think Like Your Attacker

    Hacktivist: wants notoriety, attention

    Cyber criminal: motivated by money

    Cyber espionage: seeking intellectual property for profit

    Cyber war crimes: politically motivated, nation states, looking to gain advantage

    What They're Trying to Steal

    How They Stole It

    The Attacker

    Reconnaissance

    Incursion

    Discovery

    Capture

    Exfiltration

  • 9/8/2015

    12

    Real-world Attack Scenarios

    Scenario 1: The EDC and RKI

    Scenario 2: The Coffee Shop Hack

    Scenario 3: EDC and the Lost Laptop

    Scenario 4: Forensics Examiner Mishandles Evidence

    Skills:

    Ethical hacking

    Penetration Testing

    Forensics

    Data exfiltration

    Methods:

    Identify targets

    Compromise network and systems

    Blend attacks

    Exfiltrate data

    Mission: Breach & Steal Information

    Implement Skill Assessment and Development Programs

    Identify Organizational Gaps

    Assess and Advance Your Team

    Identify skills requirements for individuals and organizations

    Identify gaps in team coverage

    Assess skills of potential job candidates, new hires and existing employees

    Focus on security strategy and tactics, techniques and procedures (TTP)

    Manual and automated skills assessment and performance analysis

    Prescriptive guidance for skill set development

    Conduct iterative skill development programs for continuous learning

    Participate

    Assess skills

    Create development plan

    Participate / Learn

    Assess progress

  • 9/8/2015

    13

    Demo