Cyberdawn - A Diverse Cyber Exercise - Part II
Passwords are just so easy to abuse...
It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to login to the systems, then SCP to upload some Python code, that was used to update the scoring engine. From there he was able to maintain access, not by rootkit technology or anything sophisticated, but just hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat", to make it look like a system file. Next, a shell script was written to call the python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.
Keeping Access
This is perhaps one of the toughest jobs an attacker has. The systems are constantly being rebooted, patched, re-configured and have network problems cropping up - just like in the real world! So, the same problems we have in the game are the ones that attackers and penetration testers face when attacking a network and trying to maintain a foothold. Some of the methods used by the Red Team, which were all met with mixed success, follows:
- SSH Trust Keys - One of the Red Team members managed to keep access to the systems by adding a trusted SSH key. The Blue Team changed the passwords, but did not remember to check for the presence of a trusted key.
- Rootkits - Several different rootkits were installed, ranging from the Immunity rootkit to Poison Ivy. These were effective in being undetected on the system, but they still needed to call “home” from a running process.
- Penetration Testing Frameworks - Core IMPACT agents were deployed to compromised hosts. Since the various teams can see these processes, IMPACT's module called the "agent process injector" that was used to install the agent code into an existing process, such as "explorer.exe", which then made a reverse connection back to the Red Team on port 80. This gave the Red Team a little more staying power inside the various networks, which allows pivoting - the ability to launch attacks from inside the firewall. An important point to remember from a defensive perspective is that when analyzing a system for evidence of a compromise, it is important to see which processes are making outbound connections, unless of course the copy of tcpview becomes trojaned.
Conclusion
I tend to think of the “cyber exercises” as an accelerated learning environment. In the real world, you would not have as many attacks and responses in such a short period of time. It is precisely this type of environment that can greatly assist both attackers and defenders improve their skills. It also underscores some of the areas that defenders should focus on, such as monitoring outgoing traffic, creating and implementing a strong password policy and having a process in place to collect and analyze system logs. Tenable's enterprise products can help in all of these areas. The Passive Vulnerability Scanner and Tenable Network Monitor products inspect network traffic for vulnerabilities and allow you to identify suspicious behavior with the Security Center. The Security Center can correlate system logs with both vulnerability and network logs, identifying patterns that could represent security breaches. See the references section below for more examples of Tenable product usage to detect malicious behavior on the network and systems in your environment.
References
Related Articles
How A CNAPP Can Take You From Cloud Security Novice To Native In 10 Steps
May 23, 2024Context is critical in cloud security. In a recent RSA presentation, Tenable's Shai Morag offered ten tips for end-to-end cloud infrastructure security.
Logs of Our Fathers
September 22, 2009<p>At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it <a href="http://www.ted.com/talks/lang/eng/george_dyson_at_the_birth_of_the_computer.html" target="_blank">here, on the TED site</a>. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.</p> <h3>November, 1951 </h3> <p style="TEXT-ALIGN: center"><a href="http://www.ranum.com/security/computer_security/papers/ur-syslogs/first_syslog.jpg" target="_blank"><img border="0" height="375" src="http://www.ranum.com/security/computer_security/papers/ur-syslogs/t/first_syslog.jpg" width="500" /></a> <br /><strong>Machine Log #1</strong></p>
ShmooCon 2009 - Playing Poker for Charity
February 12, 2009Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees ...
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Conferences
- Event Monitoring
- Events
- Log Analysis