This weekend was the Community College Cyber Defensecompetition at Iowa State University. Ihad the opportunity to be on the Red Team and as it was my first time toparticipate on the Red Team as part of one of these competitions, I was eagerto see how the Blue Team's defense compared to what we see in industry.
The scenario for the event was a common one that we see inindustry all the time. Each team was given an already existing server that wasrunning a number of services on it. Each team was to be part of a rejuvenatedsecurity program whose task it was to implement proper security policy on thesystems and secure the data. These students had a hefty budget where they couldimplement new servers, upgrade systems, and harden configurations in order toprotect their systems from compromise by the Red Team.
What we found when we started assessing the systems wasfairly representative of what we see in corporate security. The teams broke down into three distinctgroups. The first group of teams haddone basic hardening, but software wasn't upgraded and there wasn't a lot ofadditional hardening put in place. Thesecond group had patched all their operating systems, but the software runningon the machines still had flaws. Thethird group spent time and did a better job engineering their environment,moving from older software to the latest version, ensuring all software waspatched, and deploying OS hardening beyond what was default out of the box.
The results from the competition reflected what would beexpected, the teams that went above and beyond with their hardening andarchitected security into their environment faired the best. Even though the Red Team had validcredentials for systems in the environment, the target data couldn't becompromised, and by the end of the game, two teams had created environmentsthat remained uncompromised by the end of the competition.
These three groups exist prominently in corporate securityas well. Obviously not everyone will fitfirmly into one of these groups, but they are a good generalization for threedifferent levels of security maturity in organizations. The first group oforganizations has reached a level where there is basic patch management throughWSUS or SCCM but the patches that are being pushed are primarily for remoteexploit vulnerabilities in Windows. These organizations usually have some levelof firewall filtering ports coming into the organization, but very limitedegress filtering. While the OS is being patched, we frequently see poor patchmanagement of software in this environment, with network services andworkstation applications being out of date or missing patches. With the patchmanagement in place, these same organizations don't have good processes in placefor patch validation.
The impact of these things together is that while mostsystems are patched, patching oversights and weak configurations frequentlyallow attackers into these environments. As only remote exploits are being patched, navigating these environmentsafter an initial compromise is fairly easy, and escalation is trivial due tothe lack of patching of privilege escalation vulnerabilities. This turned outto be true in the competition as well. With some systems missing patches that prevent privilege escalation andothers with weak configurations that allowed for easy escalation, a number ofteams were compromised across all of their services.
The second group has better hardening, some egress filteringon the network, with good patch management for operating systems. Where these networks tend to lack is stillwith the application management and system configurations. In Windowsenvironments, these systems frequently have good patch management, but arerunning with all users as local admins, have the default cached credentials,and may be running vulnerable 3rd party software such as vulnerableAdobe products or Java.
In the competition, most of the groups fell into thiscategory. There was some ingress(inbound) and egress(outbound) filtering on the network, but default passwordsfor web applications may not have been changed, and while SELinux may have beendeployed on Linux systems, there were users that had unrestricted sudo accesson the system. During penetration tests,this is also where the majority of companies fall into right now. Although the networks don't have MS08-067lying around, through NetBIOS Name Spoofing (NBNS) or Link-Local Multicast NameSpoofing (LLMNS) credentials can be captured allowing testers to get access toindividual systems. In many of thesecases, each user has local Administrator access to their machine, and cachedcredential management is poor, so while it's more difficult to get ontosystems, the configuration of the systems allows for escalation and eventuallyfull domain access.
The third group is the one that the top teams in thecompetition fell into. This group had excellent ingress and egress filtering,limited the access of user accounts on systems, and ensured that software didnot contain default configurations. BySELinux and chroot jails under Linux, very little information was exposed. Limited Windows accounts with softwarewhite-lists made gaining any traction on Windows systems difficult. These things combined with the system hardeningfrom the last two, allowed the top two teams to not have any services exploitedduring the contest.
While some of these technologies are suitable for productionenvironment, things like chroot jails and software white-lists aren't alwayspractical. But successful organizationsare doing successful privilege limitation, network segregation, applicationpatching, and network filtering. Theseenvironments frequently have non-essential services disabled along withun-needed protocols such as NetBIOS Name Services. The combinations of these things togethermake it difficult to perform privilege escalation, but we typically only see ahandful of these environments each year.
One of the most encouraging things about these competitionsis that these students are having the opportunity to look at some real worldscenarios against real world adversaries and have to deal with these problemsbefore they reach corporate environments. While this one was hosted atUniversity of Iowa, there are a number of these competitions all over the USwith many colleges participating. This is a great place for students and IT andSecurity professionals to reach out and meet students who have a good grasp ofsystems admin and security.
We know how the students held up, but how would yourorganization survive against a targeted attack? You can find out with a network, application and physical penetration tests.Trustwave offer's all three, so you can find out how your organization stacksup.