How to Win CCDC


Note

CCDC has both positive and negative effects on those competing on both the red team and blue team (student defensive teams) sides. The positives are:

  • quick, priority-based problem solving

  • access to, and on-the-job training with, enterprise-grade infrastructure and defensive technologies

  • access to industry talent and contacts at hiring firms

However, there is a lack of realism that, through no fault of the CCDC staffers, is impossible to virtualize or simulate, and it can lead to misconceptions on both sides if the players are unaware of it. Budgets, the vast array of software/technology solutions, a large user base and large infrastructure are just some of the scale issues CCDC is faced with simulating. For instance, a defender can very easily pinpoint a new service on a system if it’s the only one they need to touch during the competition, and building policies and procedures on that foundation can lead to problems on the job.

With the addition of the "cloud" to Nationals, and Mid-Atlantic’s SCADA systems this is coming closer to reality but still needs to be addressed to both the student and red team population at these events. IMHO --mubix

Focus!

At Nationals and at each Regional things will be different; however, the thing you’ll hear repeated at every event is "Do your injects!". Effective teams identify which tasks create the most points for the least effort.

Obtain Mentors

In Zak Thoreson’s blog post he mentions reaching out to industry professionals for help preparing for the competition. DO THIS! Invite the Red Team to come talk about / perform / demo attacks and their defenses.

Everyone has a plan…

Until they get hit in the mouth — Mike Tyson

Year(s) in Review

What Blue Teams do wrong…

  • Get frustrated

  • Think that injects need to be 100%

  • Don’t ask enough questions

  • Leave default credentials

  • Patch too much

Note
  • White, Black, Orange, or whatever rainbow of colored teams the particular competition has, they are there to support you. Ask lots of questions.

  • Default credentials aren’t just an OS-level problem. Web applications, databases, and other applications are just as important.

  • Patching should be extremely targeted. Only patch what can be used for code execution. Check Metasploit, ask on Twitter, Reddit, etc.; prepare yourself.

Common misconceptions of the Red Team

  • You use 0days! - Not usually

  • You have a head start! - Nope

  • You have advanced tools!

    • sure.. if you call RDP advanced..

Note
  • First, 0days are worth money. Very few Red Teamers are going to drop 0days at a competition for free. Second, real world companies have to figure out how to deal with 0days.

  • Most of the regions give the Red Teams not only the exact same start time, but much less information about the network they are going up against. You have the biggest advantage here.

  • The Red Team’s only advantage is the ability to prepare ahead of time. Don’t get me wrong, it’s a huge advantage because Blue Teams can’t bring anything in. However, it takes months of development to make tools that can withstand Blue Teams staring straight at them. There really isn’t a fair answer here.

Practice and Preparation

Image: ugly red book

Practice and Prep Notes 1

  • Create a play-book

  • Automate everything you can

  • Have a copy for every member

    • Even if it’s not their focus area

  • Have a list of shortened / easily typed URLs for everything


Practice and Prep Notes 2

  • Password sheets of easily typed, long, passwords

  • Cheat sheets of useful commands

  • List of known / standard users per OS

  • List of known / standard services per OS
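As an added example (not from the original slides), here is a small POSIX shell audit that checks a Linux host against the "known / standard users" sheet from your playbook and also catches accounts with an empty password, which covers the default-credentials mistake from the year-in-review slide. The passwd/shadow contents and the baseline names are constructed sample data; on a real host you would point the functions at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original slides: audit a Linux host against the
# "known / standard users" sheet and flag accounts with an empty password.
# All file contents below are constructed sample data.
set -eu

# Accounts whose login shell is not nologin/false, i.e. accounts that can log in.
login_accounts() {            # $1 = file in /etc/passwd format
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Login-capable accounts that are not on the baseline sheet: forgotten defaults
# or additions you did not make. Baseline is one account name per line.
unexpected_accounts() {       # $1 = passwd file, $2 = baseline file
  login_accounts "$1" |
    awk 'NR == FNR { known[$1] = 1; next } !($1 in known)' "$2" -
}

# Accounts whose shadow entry has an empty password field (no password at all).
empty_passwords() {           # $1 = file in /etc/shadow format
  awk -F: '$2 == "" { print $1 }' "$1"
}

# --- constructed sample data so the script runs offline; on a real host use
#     /etc/passwd and /etc/shadow (reading shadow needs root) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ccdc:x:1000:1000:CCDC Admin:/home/ccdc:/bin/bash
postgres:x:112:120::/var/lib/postgresql:/bin/bash
support:x:1001:1001::/home/support:/bin/sh
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
ccdc:$6$placeholderhash:19000:0:99999:7:::
support::19000:0:99999:7:::
EOF
printf 'root\nccdc\npostgres\n' > "$tmp/baseline"

echo "Login-capable accounts not on the baseline sheet:"
unexpected_accounts "$tmp/passwd" "$tmp/baseline"
echo "Accounts with an empty password field:"
empty_passwords "$tmp/shadow"
```

Run it early in the competition and again after every inject; any account the script prints that nobody on the team created is something to lock and then investigate.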


Know your team

Roles and Chain of Command

  • Team Captain

    • Gopher

      • Firewall Admin

      • Linux Admin

      • Windows Admin

      • Web Admin

      • Incident Responder

      • Client Services


Team Captain Responsibilities

  • Make sure everyone is focused on the most important tasks

  • Coordinates interdisciplinary requirements

  • Focuses on maximum completion of injects

  • Answers to CEO

  • Ensures that nothing distracts other team members

Note

As the team captain your job is to keep the "business" running and let your team members focus on the technical pieces. You receive injects, check on their status, and turn them in. You answer Orange Team and CEO requests. Basically you are the funnel that keeps all outside noise from touching your team.

Gopher

  • Get/Download anything needed

  • Backup for when Team Captain isn’t present

  • Backup for one of the base billets

Note

While this usually ends up as someone who is skilled in one of the base billets (Linux, Windows, Firewalls etc), they also have to know when to step in to assist the Team Captain.

Firewall Admin

  • http://howtowinccdc.com/wiki/firewall.html

  • RAISE SHIELD Mr Sulu!!

  • Egress and Ingress filter quickly

  • You are the point that traffic can generally be trusted. Help your other team members with identifying malicious traffic


Linux Admin


Windows Admin

Note

Don’t assume that because you know how to use a couple of tools to create and manage a user in Active Directory that you know how to work Active Directory. Practice common user administration tasks in PowerShell, as well as methods of breaking into a Windows computer. Many times students show up and the first Windows machine they don’t have a password to will stump them.

Physical Space

  • Go into blackout


Injects


Know your network


Know your defences


Know your enemy


Regional Specific Notes

Image: RegionalMap


Pacific Rim Region

Western Region

North-Central Region

Rocky-Mountain Region

At-Large Region

North-East Region

Mid-Atlantic Region

  • Scores are ordinal (1st in a category gets 1 point, 8th gets 8)

  • Team Captains that go into CEO meetings with statistics like the number of services online and the number of injects completed usually have better meetings

South-East Region

South-West Region

Questions?

Note

Special thanks to Devon, Joseph, Marco, Aaron, Raymond, and Brian for the 1 AM jam session to get these slides together. Go social media. Thanks also to Alex Herrick for GPOs and other suggestions, and to Craig Balding for the beautiful 'iptstate' command.