Preparing For The Strategic Security CTF

Preparing For The Strategic Security CTF
Presented By: Joe McCray
joe@strategicsec.com
http://www.linkedin.com/in/joemccray
http://twitter.com/j0emccray
Strategic Security, Inc. © http://www.strategicsec.com/

What We Will Be Covering Today
  What Is A CTF?
  Generic CTF Prep
  Strategic Security Specific CTF Prep
  Incident Response
  System Hardening
  System Logging
  Intrusion Detection Systems
  Attacking Systems
  Maintaining Access

What Is A CTF?

What Is A CTF?
According to Wikipedia (http://en.wikipedia.org/wiki/Capture_the_flag):
  In computer security, Capture the Flag (CTF) is a computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world. Reverse-engineering, network sniffing, protocol analysis, system administration, programming, and cryptanalysis are all skills which have been required by prior CTF contests at DEF CON. There are two main styles of capture the flag competitions: attack/defense and jeopardy.

What Is A CTF? (cont.)
According to Wikipedia (http://en.wikipedia.org/wiki/Capture_the_flag):
  Jeopardy style competitions usually involve multiple categories of problems, each of which contains a variety of questions of different point values. Teams race to be the first to solve the most number of points, but do not directly attack each other.

What Is A CTF? (cont.)
According to Wikipedia (http://en.wikipedia.org/wiki/Capture_the_flag):
  In an attack/defense style competition, each team is given a machine (or a small network) to defend on an isolated network. Teams are scored on both their success in defending their assigned machine and on their success in attacking other team's machines.
Image from: http://ctf.itsec.rwth-aachen.de/vpn/

What Is A CTF? (cont.)
According to Wikipedia (http://en.wikipedia.org/wiki/Capture_the_flag):
  Depending on the nature of the particular CTF game, teams may either be attempting to take an opponent's flag from their machine or teams may be attempting to plant their own flag on their opponent's machine.
Image from: http://ctf.itsec.rwth-aachen.de/vpn/

Generic CTF Prep

Generic CTF Prep
Jeopardy Style CTF Prep
  Similar to preparing for the TV show Jeopardy: http://ken-jennings.com/faq
  Really hard to cram for, so hit the common trivia stuff:
    Hacker history
    High profile attacks/vulnerabilities
    Hacker movies
  Skip the protocol/programming stuff: either you know it or you don't
Network Attack/Defense Prep
  Download all patches for common OSs, or build your own repos
  Organize your incident response tools
  Have trusted binaries for the most common OSs
  Organize your exploitation/post-exploitation tools/scripts

Strategic Security CTF Prep

Strategic Security CTF Prep
Step 1: Start with the basics
  Verify that the place you will be playing from has fast/stable internet
  Verify that the network you will be playing from is secure/safe
    Create a separate subnet for yourself (cheap router)
    Turn off or firewall all of the other computers in your subnet
    Make sure no one else is using your subnet during the game
  Verify that the attack workstation/virtual machine you will be using has at least 2GB of RAM
  Verify that the defensive server has at least 4GB of RAM
  Download/install the latest version of VMWare Workstation or Player

Strategic Security CTF Prep
Step 2: Get Your Team Organized
  Set up a means for your team to communicate interactively in real time
    Google Hangout, Skype, IRC, etc.
  Set up a means for your team to share resources (docs, tools, etc.)
    Google Hangout, Google Docs, SharePoint, Wiki
  Understand that some teammates may be in different time zones
  Break your team up by function(s)
    Attackers
    Defenders
    Systems Administrators
    Researchers

Strategic Security CTF Prep
Step 2: Get Your Team Organized (cont.)
  Players that do not have a team will be placed on teams by Thursday 5 Dec.
  Get your new teammates integrated quickly
    Job role(s)
    Access to team resources
  Get everyone's tools and scripts together and try to get them documented, so team members know how to use them and, more importantly, what they look like to your defensive mechanisms

Incident Response

Incident Response
Step 3: Prepare For Incident Response
  The first critical skill required in this game will be incident response
    Your system will be backdoored
    Your system will be rootkited
    Your system will be loaded with vulnerabilities, everything from weak passwords to custom buffer overflows
  Required Incident Response Skills
    Your team will have to be able to quickly find and remove backdoors
    Your team will have to be able to quickly find and remove rootkits

Incident Response
The Methodology (Step 1: List all running processes)
  GUI Tools
    Task Manager
    Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
  Command-line Tools
    Tasklist command: http://technet.microsoft.com/en-us/library/bb491010.aspx
    PsList: http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx

Incident Response
The Methodology (Step 2: Identify malicious processes)
  Look up every process that is running to see if it is legitimate
  Resources:
    http://www.fileresearchcenter.com/
    http://www.neuber.com/taskmanager/process/index.html
    http://www.liutilities.com/products/wintaskspro/processlibrary/
    Of course, Google!

Incident Response
The Methodology (Step 3: Kill all malicious processes)
  GUI Tools
    Task Manager
    Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
  Command-line Tools
    Taskkill command: http://technet.microsoft.com/en-us/library/bb491009.aspx
    PsKill: http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx

Incident Response
The Methodology (Step 4: Find All Malicious Connections)
  TCPView (GUI tool): http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
  Netstat command:
    http://windowsitpro.com/windows/using-netstat-get-list-open-ports
    https://isc.sans.edu/forums/diary/Fun+With+Windows+Netstat/1911
    http://computer-networking.wonderhowto.com/how-to/detect-hackers-with-netstat-262222/
    http://www.dti.ulaval.ca/webdav/site/sit/shared/Librairie/di/operations/informatique/windows/netstat_results.htm
  During the game, take note of your teammates' IP addresses
  If there is an IP that doesn't belong to your teammates connected to your server, that is probably an attacker from another team and you should kill that connection

Incident Response
The Methodology (Step 5: Kill All Malicious Connections)
  TCPView (GUI tool): http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
  Taskkill command
  wKillcx: http://wkillcx.sourceforge.net/
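The process and connection steps above (list processes, find connections to addresses that are not your teammates, kill the owner), as an added example that is not part of the original slides: a Python triage script that parses `netstat -ano` and `tasklist` output, flags established connections whose peer is outside the teammate list, and names the owning process. The captures and IP addresses inside it are constructed samples.

```python
"""Triage helper for the incident-response steps above (added example, not from the
slides): parse `netstat -ano` and `tasklist` output, flag established connections
whose remote address is not a teammate, and map each one to its owning process."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output (Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.10.1.5:3389         10.10.1.20:51122       ESTABLISHED     1204
  TCP    10.10.1.5:4444         10.10.3.77:49801       ESTABLISHED     3316
  TCP    10.10.1.5:49700        10.10.1.21:445         ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1080
"""

# Constructed sample of `tasklist` output (PID is the second column).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                   1204 Services                   0     12,340 K
nc.exe                        3316 Console                    1      3,212 K
"""

# Teammates' addresses noted down during the game (constructed placeholder values).
TEAM_IPS = {"10.10.1.20", "10.10.1.21"}


def parse_netstat(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (proto, local, remote_ip, state, pid) for each TCP line."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if not m:
            continue  # header lines and UDP lines (no state column) are skipped
        local, foreign, state, pid = m.groups()
        remote_ip = foreign.rsplit(":", 1)[0]  # drop the port; works for [v6]:port too
        rows.append(("TCP", local, remote_ip, state, int(pid)))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Return {pid: image name} from `tasklist` output (image names without spaces)."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.rstrip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def foreign_connections(netstat_text: str, tasklist_text: str, team_ips: set) -> List[dict]:
    """Established connections whose peer is not a teammate, with the owning process."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for _proto, local, remote_ip, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED" or remote_ip in team_ips:
            continue
        findings.append({"local": local, "remote": remote_ip, "pid": pid,
                         "process": procs.get(pid, "unknown")})
    return findings


def kill_commands(findings: List[dict]) -> List[str]:
    """Steps 3 and 5 of the slides: once a finding is confirmed, kill the owning process."""
    return [f"taskkill /PID {f['pid']} /F" for f in findings]
```

On a live Windows host, replace the two sample strings with `subprocess.check_output(["netstat", "-ano"], text=True)` and `subprocess.check_output(["tasklist"], text=True)`; the sample run flags PID 3316 (nc.exe) talking to 10.10.3.77 and leaves the teammate sessions alone.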

Incident Response
The Methodology (Step 6: Find Malicious Services)
  References:
    http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
    http://www.addictivetips.com/windows-tips/smartly-analyze-windows-local-services-for-malware-rootkits-more/
    http://reverseengineering.stackexchange.com/questions/2019/debugging-malware-that-will-only-run-as-a-service

Incident Response
The Methodology (Step 7: Find Rootkits)
  References:
    http://www.computerweekly.com/feature/Rootkit-and-malware-detection-and-removal-guide

Incident Response Resources
Good Technical Incident Response Resources
  References:
    http://www.slideshare.net/pmelson/malware-analysis-made-simple-presentation
    http://computer-forensics.sans.org/summit-archives/DFIR_Summit/Finding-Malware-Like-Iron-Man-Corey-Harrell.pdf

What Are We Covering Today
  What Is A CTF?
  Generic CTF Prep
  Strategic Security Specific CTF Prep
  Incident Response
  System Hardening
  System Logging
  Intrusion Detection Systems
  Attacking Systems
  Maintaining Access

System Hardening

System Hardening
The Methodology (Step 1: Create Hardening Checklists)
  STIGs
    http://iase.disa.mil/stigs/
  Hardening Guides
    http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
    https://secure.ericade.net/security/index.php/Windows_Hardening_Guide
    https://benchmarks.cisecurity.org/downloads/benchmarks/
  Generic Hardening Resources
    http://www.xmarks.com/topic/server_hardening

System Hardening
The Methodology (Step 2: Organize Your Tools and Scripts)
  MBSA
    http://www.microsoft.com/en-us/download/details.aspx?id=7558
  Benchmark Assessment Tools
    http://benchmarks.cisecurity.org/downloads/audit-tools/

System Hardening
The Methodology (Step 3: Focus on Scripting)
  Scripting For Security
    http://www.sans.org/reading-room/whitepapers/scripting
    http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html
    http://technet.microsoft.com/en-us/scriptcenter/dd742377.aspx
    http://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193
  Interesting Book I Came Across Today
    http://www.amazon.com/Perl-Scripting-Windows-Security-Monitoring/dp/159749173X
    Haven't read it
    Don't know the author
    But looks interesting and may help with this game

System Hardening
The Methodology (Step 4: Focus on Continuous Monitoring)
  Be conscious of the potential skill of the attackers
  Consider yourself breached at all times during the game
  IMPORTANT: throughout the game, be sure to constantly verify that your security configurations have not changed

System Logging

System Logging
The Methodology (Step 1: Understand Windows Logging)
  Windows Logging Basics
    http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html
    http://www.sans.org/security-resources/idfaq/logging-windows.php
    http://en.wikipedia.org/wiki/Event_Viewer
  Event ID Listings
    http://www.eventid.net/
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

System Logging
The Methodology (Step 2: Organize Log Analysis Tools)
  Free Tools
    http://www.microsoft.com/en-us/download/details.aspx?id=24659
    http://www.lizard-labs.net/log_parser_lizard.aspx
    http://visuallogparser.codeplex.com/
  Learn To Use Log Parser and Log Parser Lizard
    http://computer-forensics.sans.org/blog/2011/02/10/computer-forensics-howto-microsoft-log-parser
  Take it to the next level with Splunk
    https://www.sans.org/reading-room/whitepapers/logging/setting-splunk-event-correlation-home-lab-34422

System Logging
The Methodology (Step 3: Organize Important Queries)
  Good queries to run:
    http://aggressivevirusdefense.wordpress.com/2010/04/23/log-parser/
    http://www.codinghorror.com/blog/2005/08/microsoft-logparser.html
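A worked version of the "important queries" step, added here and not taken from the slides: two queries a defending team would run repeatedly during the game (password-guessing bursts from one source, and account/group/service/task changes that indicate persistence), written in Python over a CSV export of the Windows event logs. The sample rows are constructed, and the column layout (TimeGenerated, EventID, SourceIP, Account, Detail) is an assumption; export your own logs with Log Parser into the same shape.

```python
"""Event-log triage queries (added example, not from the slides). Input is a CSV
export of the Security/System logs; the rows below are constructed samples."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Event IDs worth a standing query during the game.
WATCHED_EVENTS = {
    4625: "failed logon",
    4720: "user account created",
    4732: "member added to security-enabled local group",
    4698: "scheduled task created",
    7045: "new service installed",
    1102: "audit log cleared",
}

# Constructed sample export; the column names are an assumption, not a Windows format.
SAMPLE_CSV = """TimeGenerated,EventID,SourceIP,Account,Detail
2013-12-07 10:00:01,4624,10.10.1.20,ctfadmin,logon ok
2013-12-07 10:01:10,4625,10.10.3.77,administrator,bad password
2013-12-07 10:01:11,4625,10.10.3.77,administrator,bad password
2013-12-07 10:01:12,4625,10.10.3.77,administrator,bad password
2013-12-07 10:01:13,4625,10.10.3.77,administrator,bad password
2013-12-07 10:01:14,4625,10.10.3.77,administrator,bad password
2013-12-07 10:03:00,4720,,svc_backup,account created by administrator
2013-12-07 10:03:05,4732,,svc_backup,added to Administrators
2013-12-07 10:04:00,7045,,,service WinUpdateSvc installed
2013-12-07 11:30:00,4625,10.10.1.21,bob,bad password
"""


def load_events(text: str) -> List[dict]:
    """Parse the CSV export; EventID becomes int and TimeGenerated a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        row["TimeGenerated"] = datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def failed_logon_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Source IPs with at least `threshold` 4625 events inside any `window` (guessing)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["SourceIP"]].append(e["TimeGenerated"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):  # sliding window over the sorted timestamps
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), j - i)
    return bursts


def persistence_events(events: List[dict]) -> List[str]:
    """One line per watched account/group/service/task change, in time order."""
    out = []
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        if e["EventID"] in WATCHED_EVENTS and e["EventID"] != 4625:
            out.append(f"{e['TimeGenerated']:%H:%M:%S} {e['EventID']} "
                       f"{WATCHED_EVENTS[e['EventID']]}: {e['Account'] or '-'} {e['Detail']}")
    return out
```

Run against the sample, the burst query reports only 10.10.3.77 (five failures in four seconds; bob's single typo from a teammate address does not trip it), and the persistence query lists the new account, its Administrators membership and the new service in order.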

System Logging
The Methodology (Step 4: Set Up Automated Tasks)
  Windows Automation Basics
    http://www.techradar.com/us/news/software/applications/how-to-automate-tasks-in-windows-1107254
    http://www.iopus.com/guides/winscheduler.htm
    http://stackoverflow.com/questions/6933698/automate-services-restart-in-windows-server-2003

Intrusion Detection Systems

Intrusion Detection Systems
The Methodology (Step 1: Start With The Basics)
  Do you have the resources to run an IDS?
    VMWare Workstation or ESXi (recommended)
    At least 2GB of RAM to allocate to the IDS
    Run it on the same host machine as your team server (eases network configuration issues)
  Are you willing to build it and debug it now?
    You probably want a full day or two just to play around with it if this is your first time
    Run attacks with Metasploit against your own systems to get a feel for what alerts look like and how fast they come in

Intrusion Detection Systems
The Methodology (Step 2: Decide What To Deploy)
  Lots of IDSs to choose from
  Network-Based
    Snort: http://snort.org/
    Suricata: http://www.openinfosecfoundation.org/index.php/download-suricata
    Bro: http://www.bro.org/
  Host-Based
    OSSEC: http://www.ossec.net/

Intrusion Detection Systems
The Methodology (Step 2: Decide What To Deploy, cont.)
  Network-based IDSs are good, but are highly prone to false positives
  Host-based IDSs are great, but require something running on the host
  The best option is to combine the two IDS types, but deploying and maintaining both can be a lot of work

Intrusion Detection Systems
The Methodology (Step 3: Deploy with bang for buck in mind)
  Use something that gives you the most bang for your buck (tools/features)
  Use something that you can build quickly
  My Recommendations:
    Security Onion: http://blog.securityonion.net/p/securityonion.html
    OSSIM: http://www.alienvault.com/open-threat-exchange/projects

Contact Me
  Toll Free: 1-866-892-2132
  Email: joe@strategicsec.com
  Twitter: http://twitter.com/j0emccray
  LinkedIn: http://www.linkedin.com/in/joemccray