capture the flag in windows security
DESCRIPTION
This is material for a Windows security training.
TRANSCRIPT
-
9/8/2015
1
Sponsored by
Using Capture the Flag and Security Simulations to Improve Response Time, Hone Skills and Find Vulnerabilities
2015 Monterey Technology Group Inc.
Thanks to
Made possible by
James Griffin
Preview of key points
Capture the flag
Goals
How to plan
How to design
Related exercises
Related exercises
Table top exercises
Live fire drills
Simulations
Related exercises
Table top exercises
Purpose: finding high-level, unanticipated or blended vulnerabilities
No hacking going on
Sitting around a table
Brainstorming attack scenarios
Considering response to an attack scenario
Have representatives from each area of IT and security
Need a challenger and an arbiter
Related exercises
Simulations
Not about finding security vulnerabilities
More about finding vulnerabilities or gaps in:
Procedures
Communication
Contacts and stakeholders
Decision making capability
Related exercises
Live fire drills
Purpose: test your team with your actual network being protected
Risk to production
Hard to get approval and buy-in
Need a very professional hacking team
High risk and high value
Capture the flag
3 types
Defense oriented
Offense oriented
Hybrid
Team options
Individual
Single player
Multiple competing players
Teams
Single team
Multiple competing teams on same side
A basic offensive CTF game
http://www.sans.org/reading-room/whitepapers/casestudies/capture-flag-education-mentoring-33018 - Jerome Radcliffe
Several teams attempting to capture flags on servers
Flags are simple text files placed in specific locations that teams must locate
Cool if the files, when combined, form a larger message
Moderator
Facilitates
Adjudicates
Keeps score
Gives hints where necessary to make sure all teams complete the game
Winning based on time to complete
Can also be based on highest score within time
Getting started
What are your goals for the game?
Help people think like the offense?
Build skills?
Preserve/build confidence?
Make folks more aware/believing of the risks your organization faces?
Held during or after work?
Support from management
Hardware
Venue
Prizes
Food
Game dynamics and logistics
Give sufficient notice
How to form teams?
Radcliffe used 2-person teams limited to 1 computer to encourage team interaction
How long?
All day or weekend for advanced players
3 hours for the entire event is more appropriate for a first game
Need time for getting started, and to have a post-game discussion, prizes, etc.
Lay ground rules
Scoreboard
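Moderator-side tooling for the game described in the "A basic offensive CTF game" and "Game dynamics and logistics" slides: flag files whose fragments combine into a larger message, a check that a submitted flag is genuine, and a scoreboard that ranks teams either by time to complete or by highest score within the time limit. This is an added example, not code from the presentation or from Radcliffe's paper; the flag format, the moderator key and the team names are constructed for illustration.

```python
import hashlib
import hmac
MOD_KEY = b"example-moderator-key"  # constructed; keep it off the game network

def _tag(i: int, frag: str) -> str:
    """Short HMAC over index and fragment so a flag cannot be forged or guessed."""
    return hmac.new(MOD_KEY, f"{i}|{frag}".encode(), hashlib.sha256).hexdigest()[:12]

def make_flags(message: str, n_flags: int) -> list:
    """One flag per contiguous fragment of the message; together they read as a whole."""
    words = message.split()
    if len(words) < n_flags:
        raise ValueError("need at least one word per flag")
    base, extra = divmod(len(words), n_flags)
    flags, pos = [], 0
    for i in range(n_flags):
        take = base + (1 if i < extra else 0)
        frag, pos = " ".join(words[pos:pos + take]), pos + take
        flags.append(f"CTF{{{i}:{frag}:{_tag(i, frag)}}}")
    return flags

def check_flag(submitted: str):
    """Return (index, fragment) for a genuine flag, else None."""
    try:
        idx, rest = submitted[4:-1].split(":", 1)
        frag, tag = rest.rsplit(":", 1)
        i = int(idx)
    except ValueError:
        return None
    wrapped = submitted.startswith("CTF{") and submitted.endswith("}")
    return (i, frag) if wrapped and hmac.compare_digest(tag, _tag(i, frag)) else None

def reassemble(flags) -> str:
    """Rebuild the larger message from whatever genuine flags a team holds."""
    parts = dict(p for p in map(check_flag, flags) if p)
    return " ".join(parts[i] for i in sorted(parts))

def rank_teams(captures, n_flags, time_limit, mode="time", points=None):
    """captures: (team, flag, seconds_since_start). 'time': first team holding every flag
    wins, the rest rank by flags held; 'score': most points inside the limit wins.
    Rows are (team, score, flags_held, last_capture); late or forged flags earn nothing."""
    held = {}
    for team, flag, t in captures:
        p = check_flag(flag)
        if p is not None and t <= time_limit:
            held.setdefault(team, {}).setdefault(p[0], t)  # first capture of a flag counts
    rows = [(team, sum((points or {}).get(i, 1) for i in fl), len(fl), max(fl.values()))
            for team, fl in held.items()]
    key = (lambda r: (r[2] != n_flags, -r[2], r[3])) if mode == "time" else (lambda r: (-r[1], r[3]))
    return sorted(rows, key=key)
```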
Technical design of the actual game
Choose your targets
Device, OS, application
Advantages for selecting
Familiar
Unfamiliar
Decoy servers?
Set up network
Isolated?
Choose your vulnerabilities to exploit
Put the flag behind these vulnerabilities
Design your attacker client PCs
Flags
Choose your target
Device, OS, application
Advantages for selecting
Familiar
Unfamiliar
Choose your vulnerabilities to exploit
Put the flag behind these vulnerabilities
How many vulnerabilities and how difficult?
Enough to keep it interesting and valuable
Not too many, so as not to demoralize folks that can't complete
Be careful deciding whether it's OK if not every team finishes
Time limit
If possible, have the flags build on each other
Realism is not a strict requirement
Example flags
Not intended for use in current games
Good examples of vulnerabilities that serve different purposes
IIS Unicode exploit https://www.kb.cert.org/vuls/id/111677
Nice vulnerability because it's very easy to understand
Requires no special tools or programming: use it right from your browser
SQL Injection
Get application password stored in database
Hide an SSH server behind a nonstandard port
Allow users to upload a program via shared folder and then execute it via IIS CGI
Decoy servers
Found passwords are a great way to build one flag off the next
Much more advanced
Design your attacker client PCs
Provide all necessary tools
Beginner
Short amount of time
If you want to follow a one-design approach
Leave it to them to research, find and download
Advanced
Lots of time
Provide Internet access?
Lay ground rules
Game day
Start on time
Opening words
Review rules
Explain scoring
List prizes
Begin competition
Circle the room monitoring progress
Help lagging teams get unstuck with hints
Keep score
Make general announcements as necessary to keep the game on track
Stop on time
Award prizes
Have post-game discussion
Lessons learned
What to change for next game
Survey
Capture the Flag
Bottom line
Technical skills are a factor
But mindset is the big thing
Understanding how attackers think and work
Start looking at your network from the outside in
Confidence
Planning
Resources
Hardware and software
Coordination
Team travel and availability
Setup
Very technical!
Creation of the flags, and how to explain them to participants, is the biggest challenge
Knowing how to give hints is also a challenge
Capture the Flag
Get all the benefits of Capture the Flag without any of the pain
Planning
Hardware
Setup
Design
Teardown
Not even necessary to make an event
Staff availability
Capture the Flag As a Service
Cyber Security: Simulation Platform
James Griffin (Jimmy), Stan Kiefer
Senior Managers, Product Management
Copyright 2015 Symantec Corporation
Security Organizations are Fighting an Asymmetric Battle
Cybersecurity top IT skills shortage for 4th year in a row*
Staff unproven: lack of hands-on experience with a breach
Organizations are never certain of cyber readiness
Seemingly limitless resources
Sophisticated, multi-stage attacks
Attacker tactics constantly morphing
* ESG's annual global IT Spending Intentions survey has shown a problematic shortage of cybersecurity experts as the top IT skills shortage for four years in a row. http://www.esg-global.com/research-reports/2015-it-spending-intentions-survey/
Security Simulation Strengthens Cyber Readiness
Cloud-based, virtual training experience
Live-fire simulation of multi-staged, advanced targeted attack scenarios
Players assume the identity of their adversaries to learn motives, tactics and tools
Engaging, immersive security training through gamification
Think Like Your Attacker
Hacktivist: wants notoriety, attention
Cyber Criminal: motivated by money
Cyber Espionage: seeking Intellectual Property for profit
Cyber War Crimes: politically motivated, nation states, looking to gain advantage
What They're Trying to Steal
How They Stole It
The Attacker
Reconnaissance
Incursion
Discovery
Capture
Exfiltration
Real-world Attack Scenarios
Scenario 1: The EDC and RKI
Scenario 2: The Coffee Shop Hack
Scenario 3: EDC and the Lost Laptop
Scenario 4: Forensics Examiner Mishandles Evidence
Skills:
Ethical hacking
Penetration Testing
Forensics
Data exfiltration
Methods:
Identify targets
Compromise network and systems
Blend attacks
Exfiltrate data
Mission: Breach & Steal Information
Implement Skill Assessment and Development Programs
Identify Organizational Gaps
Assess and Advance Your Team
Identify skills requirements for individuals and organizations
Identify gaps in team coverage
Assess skills of potential job candidates, new hires and existing employees
Focus on security strategy and tactics, techniques and procedures (TTP)
Manual and automated skills assessment and performance analysis
Prescriptive guidance for skill set development
Conduct iterative skill development programs for continuous learning
Participate
Assess skills
Create development plan
Participate / Learn
Assess Progress
Demo