Cyber Defence Exercise Locked Shields After Action Report

Transcription

1 Cyber Defence Exercise Lcked Shields 2013 After Actin Reprt Tallinn 2013

2 1 Executive Summary This reprt describes the technical cyber defence exercise (CDX) named Lcked Shields 2013 (LS13). The intended target audience f the dcument cnsists f: the Blue Teams f LS13, t give them a detailed verview f the events and prvide feedback; parties wh cnduct similar exercises, t share ur experiences with the cmmunity; and the rganisers f the Lcked Shields, t identify lessns n hw t imprve future exercises. LS13 was a technical CDX executed n April Ten Blue Teams, cnsisting f up t 10 experts in IT and 1-2 legal advisrs, were the main training audience. They were acting as rapid reactin teams wh had t defend virtual netwrks against the Red Team's attacks, accmplish rders given by headquarters, fllw the lcal news and respnd t media inquiries, and analyse the legal aspects f their missin. The main bjective f LS13 was t test the skills f the Blue Team members, educate the legal experts n IT and pressure the lawyers with cmplex legal tasks. The scenari engaged the Blue Teams in a missin under UN mandate in a fictinal cuntry called Blea where the cnflict between the nrthern and suthern tribes had escalated t a level where the lcal gvernment was frced t request help frm the internatinal cmmunity. In additin t traditinal hstilities, cyber attacks began in April 2013 against the IT systems f lcal Aid rganisatins. Ten Blue Teams were requested t be deplyed in rder t prtect unclassified military netwrks and Aid rganisatins' netwrks. The Blue Teams were well prepared and were mre successful in preventing, detecting and mitigating the attacks than thse in previus Lcked Shields exercises. In the cntext f LS13, the fllwing areas were mst challenging fr the Blue Teams: Defending web applicatins. Detecting custm malicius cde. Mitigating BGP hijacking attacks. Initiating efficient infrmatin sharing. A Red Team cmpsed f ad-hc vlunteers is n lnger sufficient t prvide realistic challenges fr the Blue Teams. Mre permanent, better prepared and better c-perating teams are needed. Better tls are required t prvide feedback t the Blue Teams n the ffensive campaign. The technical platfrm fr LS13 was stable and perfrmed well. Building a Gamenet which includes mdern technlgies (e.g. mbile devices) and scenari specific cmpnents (e.g. military C&C systems) t reflect mre clsely the cmplexity f real wrld netwrks remains a challenge. LS13 was rganised in cperatin with the NATO Cperative Cyber Defence Centre f Excellence, the Estnian Infrmatin Systems Authrity, Estnian Defence Frces, the Estnian Cyber Defence League, Finnish Defence Frces and many ther partners.

3 2 Cntents 1 Executive Summary Cntents Overview f Lcked Shields Cncept Timeline Training Objectives Descriptin f the Teams Blue Teams and Legal Advisrs White Team Red Team Green Team Yellw Team Participants Scenari Scenari in a Nutshell General Backgrund Recent Develpments Technical Envirnment Cre Infrastructure Gamenet Scring Red Team Campaign Overview Red Team Objectives Tlset Client-Side Team Phase I Phase II Phase III Phase IV Custm Pre-Planted Cde... 21

4 4.5 WEB Team Phase I Phase II Phase III Phase IV Netwrk and Mixed Team Phase I Phase II Phase III Phase IV Pst-Explitatin Balance f the Attacks Cnclusins Blue Team Defence Campaign Intrductin Preparatins Cmmn Practices Blcking Access and RBL Less Cmmn Practices Questinable r Frbidden Practices Security Sftware n Windws Systems Infrmatin Sharing Scres Injects Scenari Injects Media Injects Legal Injects Legal Play Intrductin Injects Team Setup Feedback n Executin Results Recmmendatins t the Blue Teams

5 8.1 Prtecting Web Applicatins Prtecting ther Parts f the Infrastructure Reprting and Infrmatin Sharing Intrductin Yellw Team Feedback fr the Blue Teams Cnclusins Media Respnse Observatins and Recmmendatins t Imprve Lcked Shields Exercise Organisatin Scenari Teams White Team Red Team Green Team Legal Team Yellw Team Cmmunicatin Infrmatin Sharing and Cllabratin Situatinal Awareness Scring Technical Envirnment Cre Infrastructure Cllabratin, SA and Scring Platfrm Gamenet Rules Administrative Issues Acknwledgements Acrnyms

6 3 Overview f Lcked Shields 3.1 Cncept The key characteristics f LS13 were as fllws: It was a live, technical, Blue/Red Team exercise: Blue Teams had t defend netwrks against real-time attacks. It was internatinal: 18 rganisatins frm 15 natins were engaged int preparing and executing LS13. The type f the exercise was a game: the teams did nt represent the real rganisatins they are wrking fr during their daily jbs but were placed int fictinal rles. A lab envirnment was used instead f prductin netwrks. Over the curse f tw days the Blue Teams had t defend a pre-built netwrk cnsisting f rughly 35 virtual machines against the Red Team's attacks. The infrastructure was initially insecure and full f vulnerabilities. T prvide feedback t the teams and measure the success f different strategies and tactics, Blue Teams were assigned autmatic and manual scres. Each Blue Team was accmpanied by 1 r 2 legal advisrs t encurage and facilitate cperatin, cmmunicatin and understanding between the technical and legal experts. Red Team members were nt cmpeting with each ther. Their bjective was t cnduct equally balanced attacks n all the Blue Teams netwrks. LS13 was rganised by NATO CCD COE in cperatin with Estnian Defence Frces, the Estnian Infrmatin Systems' Authrity, the Estnian Cyber Defence League, Finnish Defence Frces, and many ther partners. 3.2 Timeline The timeline and main events list fr LS13 can be fund in the fllwing table. Date Event 22 Nv 2012 Initial Planning Cnference (IPC) 8-9 Jan 2013 Main Planning Cnference (MPC) 15 Mar 2013 Test Run 26 Mar 2013 Final Planning Cnference (FPC) 04 Apr :00Z (15:00 EEST) Webinar I: General Infrmatin. Strategies and tactics - lk int CDX 11 Apr :00Z (15:00 Webinar II: General Infrmatin. Reprting. Legal play EEST) Apr 2013 Preparatin Days: access fr Blue Teams t Gamenet 18 Apr :00Z (15:00 Webinar III: General Infrmatin. Scring. VSRm EEST) Apr 2013 Executin and Ht Wash-Up

7 5 Jul 2013 After Actin Reprt Review 3.3 Training Objectives The bjective was t test the skills f Blue Teams in the fllwing areas: 1. Learning the netwrk. Blue Teams were respnsible fr securing and maintaining systems previusly unknwn t them. They had t cmpile lists f assets and vulnerabilities, assign pririties t the assets, etc. 2. System administratin and preventin f attacks. Administrative tasks and hardening cnfiguratins were cntinuus activities. Day 0 vulnerabilities were simulated by nt allwing the teams t patch certain systems. 3. Mnitring netwrks, detecting and respnding t attacks. Gd mnitring skill was the key capability required t defeat the Red Team. 4. Handling cyber incidents. Priritisatin, reactin-time, and clarity f shared infrmatin were cnsidered when measuring this aspect. 5. Teamwrk: delegatin, dividing and assigning rles, leadership. The teams were verladed with tasks s that better rganised and managed teams wuld be mre successful. 6. Natinal and internatinal cperatin. Infrmatin sharing. 7. Reprting. Blue Teams were tasked t set up redundant links between their ruting infrastructures t fster cperatin between them. Cperative teams sharing valuable infrmatin were assigned bnus pints. Teams refusing t cperate were assigned a negative scre. Blue Teams were expected t cntinuusly prvide lightweight reprts t the White Team. The main aspects measuring their success were timeliness, crrectness, accuracy and clarity. 8. Ability t cnvey the big picture. Blue Teams were expected t cmpile management reprts and respnd t media requests. 9. Crisis cmmunicatin. The Media Simulatin Cell evaluated the speed, accuracy, lgic and reactin f Blue Teams' spkespeple when respnding t media requests. The legal play was set up s that there was at least ne legal advisr in each Blue Team. The training bjectives fr them were as fllws: 1. T have the legal advisrs analyse the cmplex legal issues arising in the cntext f an armed cnflict. 2. T facilitate cmmunicatin between the legal and technical experts. 3. T educate the legal experts abut IT. 4. T an extent, t educate the technical experts abut the law. 7

8 3.4 Descriptin f the Teams In this sectin we describe briefly the teams invlved in the LS exercises. Mre details can be fund at Annex I: Detailed Descriptin f the Teams Blue Teams and Legal Advisrs Blue Teams (BT) and the legal advisrs engaged with them are the main training audience f LS exercises. In LS13, Blue Teams represented military rapid reactin teams whse main task was t secure and prtect a pre-built infrastructure against the Red Team's attacks. There were tw main netwrk segments: an unclassified netwrk fr military units, and the netwrks running services fr Aid rganisatins deplyed in the cnflict area. Blue Teams were als expected t: a. cntinuusly send reprts t Headquarters t keep management infrmed abut incidents and ther events; b. respnd t media queries; c. accmplish additinal tasks sent frm the HQ. Legal advisrs had t brief ther members f the Blue Team abut their legal status, applicable law, rights and bligatins; and answer different questins n legal aspects raised by the HQ. There were als ut-f-the-game technical quizzes which the legal advisrs were suppsed t answer White Team The White Team (WT) had respnsibility fr preparing the exercise and cntrlling it during Executin. They defined the training bjectives, scenari, and high-level bjectives fr the Red Team, 8

9 wrte the rules, prepared media, scenari and legal injects and the cmmunicatin plan. During Executin, the White Team acted as the exercise cntrller's cell by deciding when t start different phases, cntrlling the executin f the Red Team's campaign, and making scring decisins. Management (HQ), user and media simulatin were als part f White Team's business. There was ne persn per Blue Team wh acted as a liaisn fficer Red Team The Red Team s (RT) missin was t cmprmise r degrade the perfrmance f the Blue Team systems. They had altgether 20 pre-defined bjectives. They were allwed t repeat sme bjectives during the next phases. The fcus f Lcked Shields exercises is t train the Blue Teams; therefre, Red Team members are mainly cnsidered as the wrk-frce t challenge the Blue Teams. In principle, the Red Team uses a white-bx apprach; technical details f the initial cnfiguratin f the Blue Team systems were available fr the Red Team befrehand Green Team The Green Team (GT) was respnsible fr preparing the technical infrastructure. GT had t carry ut the fllwing tasks: Design, set up and cnfigure the cre infrastructure: physical devices, virtualisatin platfrm, strage, netwrking, remte access, traffic recrding, VPN ruters fr the Blue Teams, user accunts, etc. Design and build the Gamenet and Blue Team netwrks. Prgram the autmatic scring bt and agents. Develp slutins fr traffic generatin. Set up slutins fr mnitring the general exercise infrastructure Yellw Team The Yellw Team's (YT) rle was t prvide situatinal awareness abut the game, mainly t the White Team but als t all ther participants. The main surces f data fr the Yellw Team were lightweight reprts prvided by the Blue Teams, reprts n the status f attack campaigns received frm Red Team members, and the results f autmatic and manual scring. The Yellw Team analyst had interfaces t review all the reprts and assign them tags based n the cntent f the reprt. Regular highlight updates were prvided t White Team leader and t the Blue Teams. Yellw Team als prepared different views and visualisatins f the situatin. 3.5 Participants Blue Teams frm the fllwing natins/rganisatins participated in LS13: DEU, ESP, EST, FIN, ITA, LTU, NATO NCIRC, NLD, POL, SVK. The White Team, Red Team, Green Team and Yellw Team were staffed with peple frm the NATO CCD COE, Estnian Defence Frces, the Estnian Infrmatin System's Authrity, the Estnian Cyber 9

10 Defence League, Finnish Defence Frces, the Swedish Natinal Defence Cllege, the NATO Cmputer Incident Respnse Capability-Technical Centre, the French Ministry f Defence, the Plish Ministry f Natinal Defence, CERT-LV, Lughbrugh University, Clarified Security, Clarified Netwrks, and ByteLife. 3.6 Scenari This sectin describes the backgrund scenari used fr LS Scenari in a Nutshell Lcatin: Blea, a failing state n an island ff the cast f Western Africa (think Smalia as an island). Cnflict: suthern tribes want t eliminate the nrthern tribes, gvernment unable t stp the fighting (think Rwanda). A UN-authrised internatinal calitin is in the cuntry with the cnsent f the Blean gvernment t stp ethnic cleansing and restre peace (think ISAF). The spring ffensive has fixed the calitin military frces in the suth. A chlera epidemic has started amng the nrthern tribes (think Haiti). Internatinal Aid rganisatins have few resurces in-cuntry, but are mbilising t deal with the epidemic. Aid rganisatins reprt cyber attacks against their systems in-cuntry and ask fr calitin assistance until crisis respnse teams fly in (ETA 2 days). BLUE: calitin military IT teams tasked t prvide and secure bth calitin unclassified systems and Aid rganisatins systems in-cuntry until Aid crisis respnse teams arrive. RED: lcal extremists (expected skill level lw t medium); pssible interventin frm internatinal terrrist rganisatin (expected skill level medium t high). Attacker's main gal is t impede the humanitarian relief peratin in the nrth and t bleed calitin resurces General Backgrund There is an internatinal calitin peratin in Blea, an island republic lcated ff the western cast f Africa, rughly 800 km nrth-west-west f Tenerife. While the size f the island is cmparable t Ireland, the climate and landscape are mre akin t Mrcc. The cuntry is pr and the lcal infrastructure is primitive, especially in terms f sanitatin, cmmunicatins, medical services and educatin. Internet cnnectivity with the rest f the wrld, fr example, is unreliable and lw-bandwidth. Cnnectivity within the cuntry is limited t urban centres, which make use f numerus free (and annymus) wireless netwrks. The cuntry has n CERT r IT-savvy law enfrcement. This frces mst internatinal actrs t rely either n expensive satellite cnnectivity r n lcally perated systems. Fr decades the Blean gvernment has been challenged fr pwer by a racist extremist mvement called Blea Is Tarnished (BIT). In 2011 BIT prceeded with a ruthless ethnic cleansing campaign against the tribes inhabiting the nrthern half f the island. In 2012 the internatinal cmmunity intervened with a UN-authrised peratin t stp the atrcities. While initially successful in securing nrthern areas, the calitin is still encuntering heavy resistance in the suth. Althugh there is n distinct frnt line, there are daily fire-fights, IED (imprvised explsive device) encunters, 10

11 suicide bmbings, kidnappings, etc. Mst f the vilence is targeted against internatinal humanitarian grups and civilians f the nrthern tribe. While generally a lcal affair, there are rumurs f weapns shipments and training prvided by an internatinal terrrist rganisatin. Accrding t intelligence analysts, this grup is interested in bleeding the resurces f the cmmitted states as part f a lng-term campaign t weaken EU and NATO. Such supprt enables the BIT t penly challenge the military might f the calitin, ften making use f unexpectedly cmplex tactics and technlgies Recent Develpments It is nw 24 April. One week ag the BIT started their spring ffensive. S far, they have managed t capture sme twns and villages in the suthern part f the cuntry. Calitin frces mved t take back the lst grund, but encuntered heavy resistance and are nw fully engaged in the suth. Three days ag, a chlera epidemic started spreading amng the civilian ppulatin in the nrth. The surce f the epidemic is prbably the water supply system. Sme BIT members were captured trying t pisn wells, s it may be smehw related t the spring ffensive. Due t pr hygiene and inadequate medical infrastructure in the cuntry, the epidemic is expected t spread if left unchecked. The gvernment immediately asked the internatinal cmmunity fr humanitarian assistance. UN and aid rganisatins that already perate in the cuntry reprt that their initial respnse capability is severely limited. Crisis respnse teams have been mbilised and are expected t arrive within a cuple f days. Calitin frces are still engaged and cannt spare significant manpwer t assist with the relief peratin. Aid rganisatins reprt that their lcal IT systems are under cyber attack. This makes it very hard t crdinate the relief effrt. Their systems are nt built with security in mind and they have n cyber security experts in-cuntry. The Aid rganisatins ask the calitin t prvide 10 IT supprt teams (cde name: Blue) wh culd assist in keeping the systems running at 10 different sites fr 2-3 days until crisis respnse teams frm the Aid rganisatins arrive. The calitin leadership agrees. Hwever, the Blue Teams must still maintain their wn systems, which prvide unclassified services (cmmunicating with the lcal gvernment and Aid rganisatins, as well as prviding welfare services) t calitin units. This means they have t perate systems in tw different sites with tw different plicies. This mrning the Blue teams deply t assist the Aid rganisatins. 3.7 Technical Envirnment Cre Infrastructure Designing and implementing an envirnment fr a technical cyber battlefield is nt a trivial task. The exercise lasts nly few days but during that perid the lads are high (mre than 400 virtual machines running simultaneusly) and Red Team is actually expected t break the systems. 11

12 LS13 infrastructure was hsted by the Estnian Defence Frces. All cmpnents f the Gamenet were virtualised. Participants gt access t the envirnment ver the VPN. This time a cmmercial slutin was chsen fr f several reasns. The main cmpnents were Cisc UCS platfrms and blade servers, EMC strage devices and VMware vsphere 5.0 virtualisatin platfrm. A detailed descriptin f the cre infrastructure is prvided in Annex II: Cre Infrastructure Gamenet Each Blue Team had t defend an identical netwrk cnsisting f 34 virtual machines (VMs): Cisc VSR 1000v virtual ruter. Endian Linux firewalls. Windws and Linux wrkstatins. Dmain cntrllers, file servers. DNS and mail servers. Linux and Windws servers fr hsting web applicatins and database servers. In additin, Blue Teams culd build 2 VMs themselves and integrate them int their netwrks. A detailed descriptin f the Gamenet and Blue Team systems can be fund at: Annex III: Gamenet. 3.8 Scring T measure the perfrmance f the Blue Teams and give them feedback, 8 categries fr the scres were defined: 1. Availability f prvided services Blue Teams had a list f required services which were cnstantly checked by the scring bt. Fr each service, a weight was defined which crrespnded t the scre ne culd get fr 100% availability f that service. 2. SLA bnus If the uptime f a service was within 90% (daily scre/8h), bnus pints were assigned fr that specific service. 3. Successful Red Team attack Every time the Red Team successfully accmplished an bjective, a pre-defined negative scre was assigned. Repeating the bjective gave half the negative pints the secnd time. 4. Lightweight incident reprting This was dne nce per hur. 5. Situatin reprts (SITREPs) t management Blue Teams had t cmpile 2 SITREPs per day, each f them were scred separately. 6. Respnding t injects (scenari, media, legal) All injects were separately scred based n pre-defined criteria. 7. VM reverts Each VM revert cst -100 pints. 8. Special scring 12

13 Bnus pints were awarded t Blue Teams fr utstanding perfrmance e.g. fr cperatin and inf sharing. Psitive pints were awarded t balance Green Team mistakes. Penalties were impsed fr breaking the in-game rules. Fr instance, remving functinality f services after a warning. If the warning was ineffective, the VM was reverted. The detailed scring table is nt published t avid Blue Teams pre-calculating winning strategies and fcusing n hw t defeat the scring system. The fllwing chart is an apprximatin f the weight f each categry. Nte that sme categries such as special scring d nt have an upper limit. 13

14 4 Red Team Campaign 4.1 Overview The ffensive peratin was divided int 4 phases. The timeframe fr each phase was pre-planned, but White Team had the final right t decide when t mve n with the campaign. Altgether 20 specific bjectives were defined. Red Team culd repeat the bjectives frm previus phases but the amunt f negative pints awarded t the Blue Teams decreased by half with every successful repetitin. After the STARTEX was annunced and Gamenet pened there was a 30-minute time windw when the Red Team was nt allwed t cmprmise any systems. Generating nise and scanning activities were permitted. At least ne Blue Team felt that this time windw was nt respected by all Red Team members, and that explitatin activities had in fact started earlier. 4.2 Red Team Objectives The Red Team bjectives are prvided in the fllwing table: nr descriptin zne intended target phase subteam 1 Deface with BIT message and pint t malware fr distractin. Media Team prpsal fr first rund: img1.jpg Media Team prpsal fr secnd rund: img2.jpg Aid_DMZ cunting.aidx.ex 1 WEB 2 Delete cntent, destry the hst as much pssible t keep BT busy in Aid_DMZ. I wuld nly steal at this phase and destry in next. Successful cmprmise can be prved by prviding the hash frm /etc/hash Aid_DMZ chat.aidx.ex 1 WEB 3 Change bank accunt numbers fr dnatins. File where the bank accunt details are written is /var/www/app/templates/dnate.t pl Aid_DMZ 1 WEB 4 Cmprmise and steal vlunteer database: database www and table vlunteers. It culd be stlen directly frm Aid_DMZ db.aidx.ex 1 WEB 14

15 nr descriptin zne intended target phase subteam db.aidx.ex r thrugh by gaining access t On the cde field each vlunteer has the same hash which has t be reprted t prve success. 5 Gain fthld in AID_INT. Steal C:\Users\Public\Dcuments\Rep rt1_aid.txt fr evidence. Prvide the MD5 hash inserted in the end f the file as a prf. AID_INT ws2.int.aidx.ex ws4.int.aidx.ex (ptinal) 1 CS 6 Spread inside AID_INT t ther hsts and set beacns. AID_INT dc.int.aidx.ex (ptinal) ws*.int.aidx.ex 1 CS 7 Cmprmise AID_INT fileserver. Steal Reprt5_aid.txt frm C:\Dcuments and Settings\All Users\Dcuments fr evidence. Prvide the MD5 hash inserted in the end f the file as a prf. AID_INT files.int.aidx.ex 1 CS 8 Insert malicius cde t MIL public website in rder t initiate water-hle attack and infect MIL_INT and MIL_WEL wrkstatins. MIL_DMZ 2 WEB 9 10 Cmprmise mail server in MIL_DMZ and steal specific s. Cmprmise mail server in Aid_DMZ and steal specific s. MIL_DMZ mail.milx.ex 2 WEB Aid_DMZ mail.aidx.ex 2 WEB 11 Gain fthld in MIL_INT, stay lw, set up beacn. MIL_INT ws2.int.milx.ex ws4.int.milx.ex (ptinal) ws5.int.milx.ex (ptinal) 2 CS 12 Cmprmise ne r mre wrkstatins n MIL_WEL. MIL_WEL ws1.wel.milx.ex (ptinal) 2 CS 15

16 nr descriptin zne intended target phase subteam Steal the reprt frm C:\Users\Public\Dcuments\Rep rt1_mil.txt. Prvide the MD5 hash inserted in the end f the file as a prf. ws2.wel.milx.ex 13 Insert fake rders in Aid persnnel tasking system leading them t ambush. Aid_DMZ help.aidx.ex 3 WEB 14 Gain and maintain access t the DNS servers. Steal hash frm /etc/hash as a prf. Aid_DMZ dns.aidx.ex 3 WEB 15 Re-gain fthld in MIL_INT thrugh any hst. MIL_INT ws2.int.milx.ex ws4.int.milx.ex (ptinal) 3 CS 16 Spread inside MIL_INT, set beacns. MIL_INT dc.int.milx.ex (ptinal) ws*.int.milx.ex 3 CS 17 Cmprmise MIL_INT fileserver. Steal reprt Reprt5_mil.txt frm C:\Dcuments and Settings\All Users\Dcument. Prvide the MD5 hash inserted in the end f the file as a prf. MIL_INT files.int.milx.ex 3 CS 18 Gain access, steal the hash frm /etc/hash as prf, maintain access. MIL_DMZ dns.milx.ex 3 WEB 19 Replace the vide feed n TV twer (via MIL_INT, MIL_WEL r directly). By default the fllwing file is streamed and therefre shuld be replaced: /var/www/stream/1.mp4 MIL_DMZ tv.milx.ex 4 CS 20 Cnduct ruting attack against MIL_DMZ. MIL_DMZ csr.milx.ex 4 NET 16

17 4.3 Tlset Fr LS exercises, Red Team members were allwed t bring in whatever tls they liked, prvided that the licensing cnditins were fllwed. Frm the cllabratin perspective it was imprtant that the tlset was at least t sme extent standardised. The fllwing lists main distributins and the mst imprtant sftware that was used t cnduct the attacks: Kali and BackTrack5 Linux. Cbalt Strike. Raphael Mudge, the develper f the sftware, spnsred the event and prvided LS13 Red Team an ptin t test it ut during the Executin. Metasplit Framewrk (free pen-surce versin f Metasplit). 4.4 Client-Side Team Client-Side (CS) Team was mainly respnsible fr attacking Windws and Linux wrkstatins using client-side explits and, after gaining fthld, trying t cmprmise the file servers and dmain cntrllers lcated in internal segments Phase I Objectives The general bjective fr the first phase was t fcus n targeting the Aid rganisatins internal zne (AID_INT). CS team was expected t fulfil the fllwing tasks: O5: Gain fthld in the AID_INT segment (wrkstatins). O6: Spread inside AID_INT t ther hsts and set beacns (dc.int.aidx.ex, ws*.int.aidx.ex). O7: Cmprmise a file server in AID_INT (files.int.aidx.ex) Targets The internal netwrks in bth MIL side and Aid side had 2 Windws XP VMs, 2 Windws 7 VMs and 1 Ubuntu Linux VM. Obviusly, this means the netwrks were extremely small cmpared t real-wrld situatins where large rganisatins have thusands f cmputers in a dmain. As the legitimate traffic generatin system typically did nt wrk, it made defence easier. Green Team tried t keep the perating systems up t date and remve nly specific patches. Same lcal administratr accunts were created n all Windws machines (ne vectr t enable Pass-the-Hash). The thirdparty sftware was ften utdated and cntained vulnerabilities. Typical suspects were Java, Adbe Flash, Internet Explrer. The file servers (files.int.aidx.ex, files.int.milx.ex) cntained vulnerabilities in bth required and nnrequired applicatins: FreeFlat FTP Server (OSVDB-88303), Oracle MySQL fr Micrsft Windws 17

18 (CVE ), Sielc Sistemi Winlg (CVE ), Sysax 5.53 SSH (OSVDB-79689). There were als typical issues like administrative user accunts with weak passwrds Attack Methds The methd f testing Blue Teams ability t cunter client-side attacks was simple. There was ne persn in White Team fr each Blue Team (called a blnde) whse task was t simulate the users f Blue systems. The blndes had t click n links t pen malicius web pages, dcuments r even executable files. As this prcess was nt autmatic the results fr different teams culd be cnsidered subjective. Naturally, mre active blndes culd cause mre harm. Opening the link triggered an attempt t explit vulnerabilities in sftware such as Java (CVE , CVE ), Adbe Flash Player (CVE ), Safari with Quicktime (CVE ), Internet Explrer (CVE ), and MS Office 2010 (CVE ). In sme cases Cbalt Strike's autexplit server was used t autmatically select the best explit. In general, this was nt needed as the targeting was easy fr Red Team members. They culd just request the blndes t pen the link r file with specific sftware. Typical paylads were Cbalt Strike Beacn and Metasplit Meterpreter. Red Team als acknwledged using DarkCmet RAT. The natural mve after gaining user-level access t Windws systems is t escalate privileges and dump the passwrd hashes. Althugh Pass-The-Hash (PTH) has been a well-knwn trick fr years, mitigating it is nt straightfrward and it very ften still wrks. PTH was tried by LS13 Red Team. CS team had in their pssessin a custm cde pre-planted int a few wrkstatins which is described in a separate sectin (Custm Pre-Planted Cde). At the end f the game Red Team als used insider attacks: VM that was cnnected int the internal netwrk simulating a cntractr's laptp Malware brught in and executed frm CD drive Results The first Cbalt Strike Beacns called hme a few minutes after 08:00Z - the time when the Red Team was allwed t start. The wrkstatins in the AID_INT zne f BT1, BT3, BT7, BT8 and BT10 cntacted the beacn servers during the first 20 minutes. Nte that, accrding t Cbalt Strike's activity lg, Red Team had Meterpreter sessins pen (these culd have been hung sessins) t wrkstatin in BT8 netwrk fr 4 minutes and BT7 fr 3 hurs during the first phase. Still, the first rund f the attack was reprted as a failure fr bth. The AID_INT wrkstatins fr all ther Blue Teams were nt cmprmised during phase I. It des nt necessarily mean that the ther teams did smething particularly clever. Often it was just nt pssible t access target systems. Main reasns fr this failure were: a. The wrkstatins were nt accessible t the blndes. b. The respective blnde was gne fr a lng time. c. After the first utbund request the target IP was blcked. d. Vulnerabilities were quickly patched r ther cuntermeasures applied s that the attempts failed. 18

19 e. Vulnerability was explitable but the Red Team was nt able t get t the shell. Fr instance, paylads were blcked by AV. The bjective t cmprmise a file server in AID_INT failed fr all the teams. The presumptin fr this attack was t have a fthld in the internal netwrk, but this was established in less than half the Blue Teams. In additin, infrmatin n the security issues f the file servers was shared between Blue Teams straight after the start f the game and all explitatin attempts failed. Gaining access using Pass-The-Hash wrked quite ften, but Red Team failed t explit it successfully as their Meterpreter paylads were detected and shell was nt btained Phase II Objectives During the secnd phase, the military netwrks als became targets. Red Team was als allwed t repeat the bjectives f the previus phase, but successful repetitin gave half the pints than it did the first time. New bjectives fr the CS were fllwing: O11: Gain fthld in MIL_INT segment, stay lw, and set up beacns (wrkstatins) O12: Cmprmise ne r mre wrkstatins in MIL_WEL Results When the secnd phase started, all Blue Teams had prtected their wrkstatins with security sftware. Sme teams had even tw different anti-virus prducts running. Mst f the Red Team members were nt prepared t use heavily custmised paylads in rder t evade IPS and AV. These security slutins d nt have any difficulties in detecting malicius executables generated by Metasplit Framewrk using the default templates. Therefre in mst cases explitatin f vulnerabilities in wrkstatins failed, dwnlads f executable files were blcked by firewalls r detected by AV/IPS, and a fthld was gained nly int the MIL_INT segments f BT1 and BT8. In the end f Day 1 members f the client-side team fund a way t kill MS Essentials under user privileges using a tl named Victr. This is ne f the reasns why BT1 and BT8 gt mre attentin and were cmprmised. In the case f ne McAfee installatin, RT claimed that a self-signed executable with a McAfee Inc string inside was sufficient t bypass it Phase III Objectives The aim f the third phase f the campaign was t achieve glbal reach targeting bth the Military s and the Aid rganisatins netwrks by repeating previusly defined bjectives and accmplishing the fllwing new nes: O15: Re-gain fthld in MIL_INT thrugh any hst (ws*.int.milx.ex). O16: Spread inside MIL_INT and set beacns (ws*.int.milx.ex, dc.int.milx.ex). O17: Cmprmise MIL_INT fileserver (files.int.milx.ex). 19

20 Results Frm the perspective f client-side attacks the situatin was similar t the previus day. Red Team members requested many new IPs fr all their attack servers and started t share links t the blndes. Typically, either the explits failed t run (vulnerabilities patched r detected by AV/IPS) r the IP addresses f the attackers were immediately blcked. Cmprmising the file server in MIL_INT failed fr all teams. In general, there were few exceptins: Windws 8 tablets in the MIL_WEL segment f BT1, BT2 and BT8 were hacked. Fthlds in MIL_INT were successfully regained fr BT1, BT4 and BT9 After lunch, nne f the Red Team members had a live Meterpreter sessin Phase IV Objectives In the final phase f the exercise, Red Team had t hack int the TV twer and replace the riginal vide feed with their wn. In reality tv.milx.ex was just a Linux system streaming a vide ver HTTP using VLC player. There were tw main attack vectrs: Backdred FTP server (vsfptd 2.3.4). Nte that Blue Teams were required t keep the FTP accessible nly frm MIL_WEL and MIL_INT althugh initially it was nt prperly firewalled. Vulnerable vide uplad service. The secnd gal f the CS team fr the final phase was t regain r maintain access t internal netwrks Results Red Team had under their cntrl ne VM inside each Blue Team's MIL_INT segment which was simulating a cntractr's laptp infected with malware. This was saved fr the last phase as the FTP service running n the TV twer cmputer was accessible nly frm internal segments. Unfrtunately fr the Red Team, the cntractr's laptp was cnfigured with similar static IP address (10.x.3.140) fr all Blue Teams. The rgue system was quickly discvered by BT8 and annunced t all the thers. Based n BT8 s bservatin it appears that instead f being quiet, Red Team started t prt scan internal netwrks, which naturally caused immediate detectin. Just befre the TV twer attack a grenade explded near the mbile cntainer where the hardware fr tv.milx.ex was lcated. This was an inject the purpse f which was t justify reverting the VMs. Blue Teams were tld that they had nly an ld backup s the machines were reverted t the initial vulnerable state and they lst all the changes. Red Team members upladed WSO Web Shell thrugh the vulnerable file uplad functinality and were able t change the streaming vide fr 6 teams. Typically, the cmprmise was quickly discvered (less than 5 minutes) and attackers kicked ff the server. The cmments fr the Blue Teams wh prevented this attack: BT2: tv.mil2.ex/uplads/ directry is nt writeable. BT3: tv.mil3.ex/uplads/ directry is nt writeable. 20