The PHDays "Standoff", or how we came to be called the "All-Seeing Eye"
Last week the Positive Hack Days 7 conference took place, and with it what can now be called the traditional (second time running; what isn't a tradition?) battle of defenders against attackers: The Standoff.
The idea in short: a participant can play as a SOC, as a defender guarding the city, or as a villain. Defenders are given various protective tools, and the villains try to penetrate the city's segments. You can even steal a cow...
Participants of the Standoff
A more detailed description of the participants' roles is on the organizer's (Positive Technologies) website:
Attackers. Attackers are free to do anything; the main thing is not to break the logic of how the range is built and operates. There are no tasks or flags: participants decide for themselves what they want from the city. The attackers' job is to achieve the goals set for them by whatever means suit them.
Defenders. Both corporate teams and individual specialists may act as defenders (pseudonyms are allowed). There are several specialized defending teams, each ensuring the security of one object on the range: the telecom operator, the office, and so on.
The teams' tasks include designing, installing, configuring and operating protective tools, as well as ensuring the safety and security of the assets of the company they are assigned to. During the game, defenders must periodically report on incidents and on the work done.
There are 5 objects to protect:
Telecom operator
Office
CHP and substation
Oil company
Railway company
External SOC. During the Standoff, the SOC must promptly notify the defenders of attacks and propose protective measures. Like the defenders, SOC teams must publicly report on the attacks carried out and the hacking methods used, and provide statistics on the security of the range (attack trends and other metrics).
Preparation
The first general briefing of Standoff participants took place on April 12, where the organizers described their plans to build a city that would have to be "hacked" and defended. We got the role of SOC for one of the office segments. The SPAN team (Servionica and Palo Alto Networks) became the defenders of that segment.
They turned out to be well-trained professionals and great guys; we quickly found a common language and worked together on site during the game itself.
Our secondary task was to monitor the whole city in order to detect and analyze attacks on the urban infrastructure.
The organizers built the office segment of the city entirely in a virtual infrastructure on VMware.
About three weeks before the event, thanks to the organizers, we got access to a virtual machine with MaxPatrol 8 for scanning and building a network map. The result was a 1719-page PDF report.
In the remaining week we installed and tested our monitoring tools. We planned to use:
IDS for Office.
IDS for the City.
Moloch for recording and analyzing traffic.
Network Analyzer to detect anomalies in office traffic.
Network Analyzer to detect anomalies in the traffic of the City.
HIDS (host IDS) to monitor key Office servers.
TIAS for log analysis, monitoring and analytics.
Everything worked as it should. We drew up a shift schedule for the monitoring group.
Our pentester said: "I'll be on site for all 30 hours and have a great rest."
PR said: "PHDays is the only way to get a carbon banner."
We felt ready.
It began!
Not really.
"Guys, there's no traffic on our sensors!" was our motto, and our call to the organizers, for the first 8 hours of the Standoff, which started at about 11:30.
Unfortunately, because of technical difficulties, traffic only reached both IDS sensors by around 19:00, and even then:
The Office sensor received only traffic from the DMZ, although a mirror of all traffic had been requested.
The City sensor received traffic from the Office's outer perimeter and from several more VLANs, with no indication of which ones.
Judging by the volume and the observed events, it was clear that far from all traffic was being mirrored (although we had asked for the maximum). As for a traffic mirror for Moloch, there is nothing to say: there wasn't one. And without full capture, anomaly analysis makes no sense.
In effect, everything we had done in the week before the event had to be redone on site. Still, the organizers' admins deserve thanks: they hustled and helped wherever they could.
The valiant defenders spent a long time trying to deploy HIDS agents for monitoring, but because the infrastructure kept going down and there was no Internet access from inside it to reach the package repositories, this never succeeded.
There was no direct access to the monitored infrastructure; everyone went in over a VPN, which didn't add to the joy either. Sadness, sadness, melancholy... But the sad part ends here!
Don't forget that the attackers were in the same conditions, and for them room to maneuver and freedom matter even more; at times they looked much sadder than the defenders.
At least some traffic is coming in, which means we can already work!
The defenders are open to cooperation and the gaps are being closed, so things aren't so bad today.
Another interesting story was the dynamic allocation of resources on the virtualization farm. Two SOC analysts sat side by side, both with workstations in VMs. For one, everything flew; the other quietly swore at his monitor and said he had never seen a console lag like that.
As a result, over the night and almost the whole next day of monitoring we managed both to do some attacking of our own and to keep watch over the monitored segment.
What we recorded
Office segment
1. As soon as traffic arrived, someone kept trying to log in to one of our web servers (198.18.12.177) from 198.18.78.12 with odd, always identical credentials. We checked: the activity was strange but not dangerous. It went on all night. What they wanted remains a mystery; apparently something went wrong on the attackers' side.
2. Against the background of item 1, scans kept coming from the same address, along with exploits and other devilry. We identified it as the attackers' NAT address. A pity it couldn't be blocked: fair play and all that.
3. Suspected compromise of our server 198.18.12.169 in the DMZ: it showed an unhealthy interest in an internal MySQL resource (10.25.153.24). The defenders never answered, however many times we asked. Nothing else came from that address. The compromise was not confirmed; possibly a system checker. We kept one eye on it.
4. While monitoring, we investigated our own DMZ in parallel. XSS was found on another web server (198.18.12.179). We pestered the defenders about it until lunch the next day. As soon as the attackers began mass-attempting XSS injections, they responded quickly and banned special characters in the URL (a blunt workaround rather than a fix, since the proper remedy is output encoding in the application, but sufficient for a 30-hour game). Why none of the attackers exploited it in the meantime remains a mystery!
5. On the same web server (198.18.12.179) we noted pure-ftpd. The protective tooling (SZI) blocked outside connections to FTP. All good.
6. On a third web server (198.18.12.180) we found the site's repository exposed (/.git) and notified the defenders. They promptly closed it. Teamwork!
7. At about 00:30 the subnet 10.64.94.0/24 came alive on the internal network and immediately began brute-forcing services in the DMZ. The defenders blocked the subnet; there was no other way. * Yes, yes, blocking isn't allowed, but you can't leave an adversary inside the network and let them break everything!
8. Another web server (198.18.12.141), another accessible directory: /install. Attackers could have pointed the site at their own database and compromised its users. The defenders closed access to the folder.
9. In the middle of the night, anomalous activity began between the user segment and the domain controller! SMB under attack. Analysis showed it was the Secret Net agent (an SZI against unauthorized access, NSD) living its own life and trying to talk to its management server. OK, false positive; moving on.
10. On 198.18.12.169 we found /wp_include with all the sources exposed. The defenders closed it.
11. From 05:00 to 07:00, calm. We dozed a bit.
12. From 8:00 they began scanning with renewed vigor, no longer trying to hide and not shy about their tools: nmap, sqlmap, Nessus, a bunch of self-written scanners (or just nmap scripts). We were especially pleased by one scanner with the user-agent go-http-client: self-written, it walked through a decent set of vulnerabilities.
13. All around, a mess: exploits, injections, brute force, scans. Everything at once, but all the same useless and uninteresting.
14. We saw that a new node, 198.18.12.143, had appeared. It was WordPress (like almost everywhere else) with open API access and the credentials admin:admin123. Guessed by hand on the second attempt. We raised an alert; it was promptly closed.
15. Right up to the end, brute-forcing of FTP access continued. The connections were cut by the protective tooling (SZI).
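The office findings above (an exposed /.git, a reachable /install, a listing of the CMS sources, a WordPress instance with an open API and guessable admin credentials) are the kind of thing a SOC can sweep its own DMZ for before the attackers do. The script below is an added example written for this write-up; it is not code from the original post, from the SOC or from the SPAN team. It goes slightly beyond the post by also checking the WordPress REST endpoint /wp-json/wp/v2/users, which is how an attacker learns the "admin" username before guessing its password. The host names, the soft-404 probe path and the sample responses are all constructed for the example; no real server is contacted unless you pass the default fetcher.

```python
"""Sweep a web host for the exposures noted in the Standoff office segment.
Example code added to this write-up; not from the original post."""
import urllib.error
import urllib.request

# (path, predicate(status, body) -> bool, status_only, description)
# "status_only" checks rely on a 200 alone and are skipped when the host
# answers 200 for every path (soft-404), which would make them meaningless.
CHECKS = [
    ("/.git/HEAD", lambda s, b: s == 200 and b.startswith("ref: "), False,
     "git repository exposed (source and history can be downloaded)"),
    ("/.git/config", lambda s, b: s == 200 and "[core]" in b, False,
     "git repository exposed (source and history can be downloaded)"),
    ("/install/", lambda s, b: s == 200, True,
     "installer reachable (site can be re-pointed at an attacker's database)"),
    ("/wp-includes/", lambda s, b: s == 200 and "Index of" in b, False,
     "directory listing of CMS sources"),
    ("/wp-json/wp/v2/users", lambda s, b: s == 200 and '"slug"' in b, False,
     "WordPress REST API enumerates user accounts without authentication"),
]


def urllib_fetch(url, timeout=5.0):
    """Real fetcher: returns (status, first 4 KiB of body). 0 on network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_exposures(base_url, fetch=urllib_fetch):
    """Return a list of (path, description) for every check that matches."""
    base = base_url.rstrip("/")
    # Soft-404 guard: probe a path that should not exist (constructed name).
    soft404 = fetch(base + "/definitely-not-here-4f2a9c")[0] == 200
    findings = []
    for path, matches, status_only, desc in CHECKS:
        if status_only and soft404:
            continue
        status, body = fetch(base + path)
        if matches(status, body):
            findings.append((path, desc))
    return findings


# Constructed responses imitating the office web servers described above
# (not real captures); used by fake_fetch so the example runs offline.
SAMPLE_RESPONSES = {
    "http://198.18.12.180/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "http://198.18.12.180/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "http://198.18.12.141/install/": (200, "<title>Setup</title>"),
    "http://198.18.12.143/wp-json/wp/v2/users": (
        200, '[{"id":1,"name":"admin","slug":"admin"}]'),
}


def fake_fetch(url):
    """Offline stand-in for urllib_fetch; soft404.example answers 200 to anything."""
    if url.startswith("http://soft404.example"):
        return 200, "<html>welcome</html>"
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for host in ("http://198.18.12.180", "http://198.18.12.141",
                 "http://198.18.12.143", "http://198.18.12.179",
                 "http://soft404.example"):
        for path, desc in check_exposures(host, fake_fetch):
            print(f"{host}{path}: {desc}")
```

Run it against the fake fetcher first to see the expected findings, then swap in `urllib_fetch` for your own DMZ. A WordPress site with an open REST API will also leak usernames through this endpoint, which turns a password guess like admin:admin123 from a blind attempt into a targeted one.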
A SPAN team member on Facebook:
“I’m a safeguard, I don’t want to solve anything, I want to write custom signatures and watch the packages drop.”
- Oh, send drops!
City
1. At 20:26 we recorded a successful SMB brute force against 172.20.3.147 from 10.25.21.23. Whose address that is, unknown. No luck for anyone.
2. In general, SMB, SNMP and SQL were sticking out all over the city. The attackers walked through them as if they were their own. Brute force on all fronts.
3. We noted that host 203.0.113.169 (apparently the Telecom object) ran WordPress with an open admin panel... Had it not been for the white hats, it would have been broken.
4. At the end, 172.20.3.147 was successfully brute-forced over SMB again, this time from 10.25.21.24 (maybe the same people, who just didn't turn off the script).
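Two patterns recur in both the office and the city findings: a brute force spread across many hosts of one subnet (10.64.94.0/24 against the DMZ), which a per-IP threshold would miss, and a burst of failures followed by a success (the SMB hits on 172.20.3.147), which is the one alert worth waking someone for. The detector below is an added example written for this write-up, not code from the SOC's IDS, Moloch or TIAS setup. It aggregates failed logins by source /24, raises a "bruteforce" alert when a subnet crosses a threshold inside a sliding window, and a "bruteforce-success" alert when a success follows recent failures from the same subnet against the same service. The log format (`ts src= dst= svc= result= user=`) and every event in it are constructed for the example, not real PHDays telemetry.

```python
"""Subnet-level brute-force detection over constructed auth events.
Example code added to this write-up; not from the original post."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample events (not real PHDays telemetry): a distributed FTP
# brute force from twelve hosts in 10.64.94.0/24, a lone failure that must
# not alert, and a short SMB burst from one host that ends in a success.
SAMPLE_LOG = [
    f"2017-05-24T00:30:{s:02d} src=10.64.94.{h} dst=198.18.12.177 svc=ftp result=fail user=admin"
    for s, h in zip(range(0, 36, 3), range(7, 19))
] + [
    "2017-05-24T19:05:11 src=198.18.78.12 dst=198.18.12.177 svc=http-auth result=fail user=test",
] + [
    f"2017-05-24T20:25:{s:02d} src=10.25.21.23 dst=172.20.3.147 svc=smb result=fail user=Administrator"
    for s in range(0, 50, 10)
] + [
    "2017-05-24T20:26:00 src=10.25.21.23 dst=172.20.3.147 svc=smb result=success user=Administrator",
]


def parse_event(line):
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def source_net(ip, prefix=24):
    """Collapse a source address to its /prefix so distributed sources aggregate."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def detect(lines, threshold=10, window_s=600, success_after=3):
    """Return alerts as (kind, source_net, dst, svc, iso_time) tuples.

    kind is 'bruteforce' when a subnet reaches `threshold` failures against
    one dst/svc within `window_s` seconds, and 'bruteforce-success' when a
    success arrives with at least `success_after` recent failures behind it.
    """
    recent = defaultdict(list)  # (net, dst, svc) -> failure timestamps in window
    alerts = []
    for line in lines:
        rec = parse_event(line)
        key = (source_net(rec["src"]), rec["dst"], rec["svc"])
        ts = rec["ts"]
        hist = [t for t in recent[key] if (ts - t).total_seconds() <= window_s]
        if rec["result"] == "fail":
            hist.append(ts)
            if len(hist) == threshold:  # fire once, on crossing the threshold
                alerts.append(("bruteforce", *key, ts.isoformat()))
        elif rec["result"] == "success" and len(hist) >= success_after:
            alerts.append(("bruteforce-success", *key, ts.isoformat()))
        recent[key] = hist
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(" ".join(alert))
```

On the sample events this yields exactly two alerts: the FTP brute force from 10.64.94.0/24 at the tenth failure, and the SMB success on 172.20.3.147 after five failures. Raising the threshold above the number of FTP failures leaves only the success alert, which is the behaviour you want when tuning: the "success after failures" rule should survive any threshold you pick for raw volume.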
What worked and what didn't
Looking at the whole picture: well done, attackers! They broke the industrial control system, cleaned out the bank and even intercepted the "mayor's" SMS. As for our Office, it remained untouched, and the defending team finished the Standoff with a full 100% "reputation".
Of course, we expected stronger pressure from the attackers. What held them back? We have three hypotheses:
1. They didn't use their whole arsenal. The Standoff is still a game, and perhaps not all tools were shown, so as to keep a reserve for real projects. Well-known tools and techniques are easily blocked by protective tools.
2. The attackers (like the defenders) had no direct access to the City's network; perhaps part of the arsenal simply never took off.
3. Attackers struggle when they are countered actively and quickly. A head-on approach is obvious to a SOC; a subtler one takes more time and demands different skills.
It is a great pity that there were such large-scale technical difficulties and so little traffic. But there is still elegant room for analysis!
By next year we will take all the mistakes into account and know what to demand of the organizers. We await PHDays 8.
Thanks
We thank Positive Technologies (especially Victoria, Alexey, Mikhail and Tamara) for organizing this celebration.
We thank the SPAN team for their defense, their experience and a good team game.
Thanks to our whole team; you are very cool.
And special thanks to Maxim Baymaxx, captain of the monitoring team, for preparing this report.
An "All-Seeing Eye" sign now adorns one of the walls of the Monitoring Center.