CCCDC Blue Teams vs Corporate Blue Team Comparison

This weekend was the Community College Cyber Defense Competition at Iowa State University. I had the opportunity to be on the Red Team, and as it was my first time participating on the Red Team in one of these competitions, I was eager to see how the Blue Teams' defenses compared to what we see in industry.

The scenario for the event was a common one that we see in industry all the time. Each team was given an existing server running a number of services. Each team played the part of a rejuvenated security program whose task was to implement proper security policy on the systems and secure the data. The students had a hefty budget with which they could deploy new servers, upgrade systems, and harden configurations in order to protect their systems from compromise by the Red Team.

What we found when we started assessing the systems was fairly representative of what we see in corporate security. The teams broke down into three distinct groups. The first group had done basic hardening, but software wasn't upgraded and little additional hardening had been put in place. The second group had patched all their operating systems, but the software running on the machines still had flaws. The third group spent the time to engineer their environment properly: moving from older software to the latest version, ensuring all software was patched, and deploying OS hardening beyond what comes out of the box.

The results of the competition were what you would expect: the teams that went above and beyond with their hardening and architected security into their environment fared the best. Even though the Red Team had valid credentials for systems in the environment, the target data couldn't be compromised, and two teams finished the competition with environments that were never compromised.

These three groups exist prominently in corporate security as well. Obviously not everyone fits firmly into one of these groups, but they are a good generalization of three levels of security maturity in organizations. The first group of organizations has reached the point where there is basic patch management through WSUS or SCCM, but the patches being pushed are primarily for remotely exploitable vulnerabilities in Windows. These organizations usually have some level of firewall filtering on ports coming into the organization, but very limited egress filtering. While the OS is being patched, we frequently see poor patch management of the software in this environment, with network services and workstation applications out of date or missing patches. Even with patch management in place, these same organizations don't have good processes for patch validation, so they don't know which systems actually received the patches they pushed.

The combined impact is that while most systems are patched, patching oversights and weak configurations frequently let attackers into these environments. Because only remote exploits are being patched, navigating these environments after an initial compromise is fairly easy, and escalation is trivial due to unpatched privilege escalation vulnerabilities. This turned out to be true in the competition as well. With some systems missing the patches that would have prevented privilege escalation, and others with weak configurations that allowed easy escalation, a number of teams were compromised across all of their services.

The second group has better hardening, some egress filtering on the network, and good patch management for operating systems. Where these networks still fall short is application management and system configuration. In Windows environments, these systems frequently have good patch management, but run with every user as a local Administrator, keep the default number of cached domain logons, and may be running vulnerable third-party software such as out-of-date Adobe products or Java.

In the competition, most of the teams fell into this category. There was some ingress (inbound) and egress (outbound) filtering on the network, but default passwords for web applications had not always been changed, and while SELinux may have been deployed on Linux systems, there were users with unrestricted sudo access. During penetration tests, this is also where the majority of companies fall right now. Although the networks don't have MS08-067 lying around, credentials can be captured through NetBIOS Name Service (NBNS) or Link-Local Multicast Name Resolution (LLMNR) spoofing, allowing testers to get access to individual systems. In many of these cases, each user has local Administrator access to their machine and cached credential management is poor, so while it's more difficult to get onto systems, the configuration of the systems allows for escalation and eventually full domain access.

The third group is the one that the top teams in the competition fell into. This group had excellent ingress and egress filtering, limited the access of user accounts on systems, and ensured that software did not run with default configurations. With SELinux and chroot jails on Linux, very little information was exposed. Limited Windows accounts combined with software whitelists made gaining any traction on Windows systems difficult. Together with the hardening described for the first two groups, this allowed the top two teams to have no services exploited during the contest.

While some of these technologies are suitable for production environments, things like chroot jails and software whitelists aren't always practical. But successful organizations are doing effective privilege limitation, network segregation, application patching, and network filtering. These environments frequently have non-essential services disabled along with unneeded protocols such as NetBIOS Name Service. The combination of these measures makes privilege escalation difficult, but we typically see only a handful of these environments each year.
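The workstation weaknesses described for the second group (every user a local Administrator, the default number of cached domain logons, and NBNS/LLMNR left enabled so credentials can be captured by spoofing) and the remedies attributed to the third group (limited accounts, unneeded name-resolution protocols disabled) can be checked from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from Trustwave; it reads the relevant registry values and adapter settings, reports what a tester would go after, and optionally applies the fixes. The MaxCachedLogons threshold of 1 is an assumption chosen for this example, not a published standard, and Get-LocalGroupMember assumes Windows 10 / Server 2016 or later.

```powershell
<#
  Added example (not from the original post): audit a Windows host for the
  "group 2" weak configurations described above and optionally remediate them.
  Run elevated. Assumptions: Windows 10 / Server 2016+ (LocalAccounts module),
  and a MaxCachedLogons threshold of 1, which is this example's choice.
#>
[CmdletBinding()]
param(
    [int]$MaxCachedLogons = 1,   # assumption: one cached logon is enough for roaming laptops
    [switch]$Remediate            # apply the cached-logon, LLMNR and NetBIOS fixes
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Who is in the local Administrators group? The built-in Administrator (RID 500)
#    is expected; every other member is a candidate for removal or tighter control.
foreach ($member in Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop) {
    if ($member.SID.Value -notmatch '-500$') {
        $findings.Add("Local Administrators contains $($member.Name) ($($member.ObjectClass))")
    }
}

# 2. Cached domain logons. The default is 10; once a tester has local admin these
#    are dumped and cracked offline, so the count should be as low as the business allows.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$prop = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
$cached = if ($null -ne $prop) { [int]$prop.CachedLogonsCount } else { 10 }  # absent value means default
if ($cached -gt $MaxCachedLogons) {
    $findings.Add("CachedLogonsCount is $cached (default 10); recommended maximum is $MaxCachedLogons")
    if ($Remediate) {
        # CachedLogonsCount is a REG_SZ value, so it is written as a string.
        Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$MaxCachedLogons" -Type String
    }
}

# 3. LLMNR. The policy value EnableMulticast = 0 turns off the multicast lookups
#    that a spoofer on the local segment answers to capture NTLM hashes.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings.Add('LLMNR is enabled (EnableMulticast is not set to 0)')
    if ($Remediate) {
        New-Item -Path $dnsPolicy -Force | Out-Null
        Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 4. NetBIOS over TCP/IP, per IP-enabled adapter. TcpipNetbiosOptions: 0 = use DHCP
#    setting, 1 = enabled, 2 = disabled. Only 2 closes the NBNS spoofing vector.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings.Add("NetBIOS over TCP/IP is not disabled on '$($nic.Description)' (option $($nic.TcpipNetbiosOptions))")
        if ($Remediate) {
            $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
            if ($result.ReturnValue -ne 0) {
                Write-Warning "SetTcpipNetbios returned $($result.ReturnValue) for '$($nic.Description)'"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No group-2 weaknesses found on this host.' } else { $findings }
```

Run it once without -Remediate to see the findings, then with -Remediate on a test host; the LLMNR change takes effect for new lookups, and a reboot is the safest way to be sure the NetBIOS change applies to every interface. In a domain these same four settings belong in Group Policy (Restricted Groups, "Interactive logon: Number of previous logons to cache", "Turn off multicast name resolution", and the DHCP NetBIOS option) so they cannot quietly drift back to the defaults.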

One of the most encouraging things about these competitions is that the students get to work through real-world scenarios against real-world adversaries and deal with these problems before they reach corporate environments. While this one was hosted at the University of Iowa, there are a number of these competitions all over the US with many colleges participating. They are a great place for IT and security professionals to reach out and meet students who have a good grasp of system administration and security.

We know how the students held up, but how would your organization survive against a targeted attack? You can find out with network, application and physical penetration tests. Trustwave offers all three, so you can find out how your organization stacks up.
