CCCDC Blue Teams vs Corporate Blue Team Comparison

This weekend was the Community College Cyber Defense competition at Iowa State University. I had the opportunity to be on the Red Team and as it was my first time to participate on the Red Team as part of one of these competitions, I was eager to see how the Blue Team's defense compared to what we see in industry.

The scenario for the event was a common one that we see in industry all the time. Each team was given an already existing server that was running a number of services on it. Each team was to be part of a rejuvenated security program whose task it was to implement proper security policy on the systems and secure the data. These students had a hefty budget where they could implement new servers, upgrade systems, and harden configurations in order to protect their systems from compromise by the Red Team.

What we found when we started assessing the systems was fairly representative of what we see in corporate security. The teams broke down into three distinct groups. The first group of teams had done basic hardening, but software wasn't upgraded and there wasn't a lot of additional hardening put in place. The second group had patched all their operating systems, but the software running on the machines still had flaws. The third group spent time and did a better job engineering their environment, moving from older software to the latest version, ensuring all software was patched, and deploying OS hardening beyond what was default out of the box.

The results from the competition reflected what would be expected: the teams that went above and beyond with their hardening and architected security into their environment fared the best. Even though the Red Team had valid credentials for systems in the environment, the target data couldn't be compromised, and two teams had created environments that remained uncompromised by the end of the competition.

These three groups exist prominently in corporate security as well. Obviously not everyone will fit firmly into one of these groups, but they are a good generalization for three different levels of security maturity in organizations. The first group of organizations has reached a level where there is basic patch management through WSUS or SCCM, but the patches that are being pushed are primarily for remote exploit vulnerabilities in Windows. These organizations usually have some level of firewall filtering on ports coming into the organization, but very limited egress filtering. While the OS is being patched, we frequently see poor patch management of software in this environment, with network services and workstation applications being out of date or missing patches. Even with patch management in place, these same organizations don't have good processes for patch validation.

The impact of these things together is that while most systems are patched, patching oversights and weak configurations frequently allow attackers into these environments. As only remote exploits are being patched, navigating these environments after an initial compromise is fairly easy, and escalation is trivial due to the lack of patching of privilege escalation vulnerabilities. This turned out to be true in the competition as well. With some systems missing patches that prevent privilege escalation and others with weak configurations that allowed for easy escalation, a number of teams were compromised across all of their services.

The second group has better hardening, some egress filtering on the network, and good patch management for operating systems. Where these networks still tend to fall short is application management and system configuration. In Windows environments, these systems frequently have good patch management, but are running with all users as local admins, have the default cached credentials, and may be running vulnerable third-party software such as vulnerable Adobe products or Java.

In the competition, most of the groups fell into this category. There was some ingress (inbound) and egress (outbound) filtering on the network, but default passwords for web applications may not have been changed, and while SELinux may have been deployed on Linux systems, there were users that had unrestricted sudo access on the system. This is also where the majority of companies fall during penetration tests right now. Although the networks don't have MS08-067 lying around, credentials can be captured through NetBIOS Name Service (NBNS) or Link-Local Multicast Name Resolution (LLMNR) spoofing, allowing testers to get access to individual systems. In many of these cases, each user has local Administrator access to their machine, and cached credential management is poor, so while it's more difficult to get onto systems, the configuration of the systems allows for escalation and eventually full domain access.
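One way to find the unrestricted sudo access described above is to scan sudoers content for user specs that grant the command `ALL` as root or any user. This is an added example, not code from the original post; the sample file is constructed, the function name is hypothetical, and the parser assumes a simplified grammar (one spec per line, aliases not expanded, lines starting with `#` treated as comments).

```python
import re

# Constructed sample sudoers content; not taken from any competition system.
SAMPLE_SUDOERS = """\
Defaults secure_path="/usr/sbin:/usr/bin"
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/systemctl restart httpd, \\
                   /usr/bin/journalctl -u httpd
carol   web01=(ALL) ALL
dave    ALL=(www-data) NOPASSWD: /usr/bin/php
"""

# who  hosts = (runas) commands   -- simplified user-spec grammar (assumption)
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")   # e.g. "NOPASSWD: SETENV: "
# Comments, Defaults, alias definitions and includes are not user specs.
SKIP = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias")

def unrestricted_grants(text):
    """Return (who, hosts, nopasswd) for specs granting command ALL as root/ALL."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        line = line.strip()
        match = SPEC.match(line)
        if not line or line.startswith(SKIP) or not match:
            continue
        who, hosts, runas, cmds = match.groups()
        # No Runas_Spec means root; the part before ':' is the user list.
        run_users = {u.strip() for u in (runas or "root").split(":")[0].split(",")}
        nopasswd, all_with_nopasswd = False, None
        for part in cmds.split(","):
            tags, cmd = TAGS.match(part.strip()).groups()
            names = [t.strip() for t in tags.split(":") if t.strip()]
            if "NOPASSWD" in names:
                nopasswd = True          # tags carry over to later commands
            elif "PASSWD" in names:
                nopasswd = False
            if cmd.strip() == "ALL":
                all_with_nopasswd = nopasswd
        if (all_with_nopasswd is not None and who != "root"
                and run_users & {"ALL", "root"}):
            findings.append((who, hosts, all_with_nopasswd))
    return findings

if __name__ == "__main__":
    for who, hosts, nopasswd in unrestricted_grants(SAMPLE_SUDOERS):
        print(f"{who}: unrestricted sudo on {hosts}"
              + (" without a password" if nopasswd else ""))
```

Entries scoped to specific commands or to an unprivileged run-as account (`bob` and `dave` in the sample) are not reported; the grants for `%wheel`, `alice` and `carol` are.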

The third group is the one that the top teams in the competition fell into. This group had excellent ingress and egress filtering, limited the access of user accounts on systems, and ensured that software did not contain default configurations. By using SELinux and chroot jails under Linux, very little information was exposed. Limited Windows accounts with software white-lists made gaining any traction on Windows systems difficult. These things, combined with the system hardening from the last two groups, allowed the top two teams to not have any services exploited during the contest.

While some of these technologies are suitable for production environments, things like chroot jails and software white-lists aren't always practical. But successful organizations are doing successful privilege limitation, network segregation, application patching, and network filtering. These environments frequently have non-essential services disabled along with unneeded protocols such as NetBIOS Name Services. The combination of these things makes it difficult to perform privilege escalation, but we typically only see a handful of these environments each year.

One of the most encouraging things about these competitions is that these students are having the opportunity to look at some real world scenarios against real world adversaries and have to deal with these problems before they reach corporate environments. While this one was hosted at University of Iowa, there are a number of these competitions all over the US with many colleges participating. This is a great place for students and IT and Security professionals to reach out and meet students who have a good grasp of systems admin and security.

We know how the students held up, but how would your organization survive against a targeted attack? You can find out with network, application and physical penetration tests. Trustwave offers all three, so you can find out how your organization stacks up.

