The air was thick with adrenaline and action as the teams battled each other for the top spot at Microsoft’s Defend the Flag (DTF) training at Black Hat USA. The heat of Vegas seems a fitting place for such contests, pitting attacker against victim, in a race among teams to prevail as the strongest, the fiercest, the most tenacious defenders of their systems. Unlike Capture The Flag (CTF), the scoring is done exclusively on defensive capabilities. Teams are simultaneously attacking other teams’ systems, while trying their best to keep their own up and running. Take no prisoners, capture no flags – it’s a binary battle to either win or lose, and it’s all about how you play the game.
Armed with a suite of defensive techniques taught by our delivery partners, iSEC Partners, and Immunity’s latest CANVAS exploit framework, the players have the basics for what can be deemed a security pick-up game of 21. The training is delivered over two days, with day one a hands-on tutorial lab focusing on attack techniques and learning how to use the exploit framework in the morning, taught by Dave Aitel and Bas Alberts of Immunity. The afternoon of day one was taught by Brad Hill and Andrew Becherer of iSEC Partners, applying host hardening, forensics, and incident response techniques. Day two is an all-up melee-style competition, where the class is divided into teams of three or four players each. Each team has both attackers and defenders, and roles are switched throughout the day to make sure everyone gets to experience firsthand the power of modern-day attack tools, and the thrill of successfully beating back an onslaught at the front lines.
Some may wonder why we are teaching students how to use an exploit framework as part of this course. If the point is on defense, why take up time with any offense? It is to provide the appropriate framework for students (mostly IT Professionals who are new to security) to internalize the threats they face each day. Rather than spread FUD, we show a real modern commercial-grade toolkit to demonstrate just how easy it is for attackers to take advantage of unhardened systems that haven’t been updated. It is the best way to drive the point home beyond a shadow of a doubt: patch or perish; harden or get hacked.
Besides, we are not teaching new exploit techniques, but rather showing what is already widespread and publicly available. From a lock picking debate in the 1800’s regarding revealing the tricks and tools of the trade:
“Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.”
Since we know that roguery abounds, and that attacks are becoming much more sophisticated and innovative, we must keep pace by understanding their trade. We must learn how to use their tools and tricks in order to educate the next generation of Windows defenders.
But here’s the real twist – DTF doesn’t allow updating! That’s right, we throw a monkey wrench into the works by taking away one of the most effective security measures available. We toss the students into shark-infested waters and expect them to swim to safety. How? By employing defense in depth measures. Why? Because this is too often the real world reality in deployed networks. Either IT Pros can’t apply updates right away due to testing requirements, or they can’t update at all due to the risk they deem to critical infrastructure. This is the real-world dilemma, and DTF provides the tools to help IT Pros manage it in a heart-thumping, fist-pounding, tooth-grinding race to the finish line.
As the points stacked up on Day two, the tension mounted to a palpable pulse. Team “Defenders” held an early lead throughout the morning, with Team “OneEqualsOne” taking second place over Team “DivideByZero”, until “DivideByZero”’s Windows Server 2003 was pwned so badly that it had to be rebuilt from scratch. The afternoon brought new challenges, as each player had to switch out of the roles they had grown comfortable with in the morning – attackers now had to defend, while former defenders took on the attack role within each team.
There was also a bonus round with a physical twist, where each team had to play out the scenario that an intruder had gotten physical access to their systems. Each team hardened their systems as best they could, and then physically left them in the hands of the other teams, while they in turn attacked their opponents’ systems. When each team returned to home base, they had to figure out what their opponents had done during the physical access (planted Trojans, disabled firewall rules, etc.) and recover control of their systems.
It was a dead heat, with each team within 25,000 points of each other, out of a possible 300,000. Team “OneEqualsOne” almost took the lead until the physical challenge left them without a firewall enabled for a few critical minutes.
The fine line between security and functionality was tested by all teams, until finally a winner prevailed with Team “Defenders”. Their prize? A sense of what to do when they are under attack (which they really are, every day), the knowledge of how to harden their systems in the first place, and copies of CANVAS for each team member to take back to their real networks to make sure they have taken the right steps toward defending their actual flags.
Making our stand against attackers is something we must do with the help of the very attack tools that we are up against as defenders. Whether it is CANVAS, Core IMPACT, or MetaSploit, the tricks of the trade are growing more sophisticated and easier to use each day. Defend The Flag is a program that can help educate the legions of Windows defenders, even in the face of tough choices when it comes to their ability to run the latest and greatest versions of all software. In the hands of a defender, these are part of a necessary suite of tools and techniques to help tip the balance to keeping systems and networks secure.
In a world where roguery abounds, we as defenders must be doubly prepared to meet the challenges as they arise.
– Katie Moussouris
For more on this and Black Hat, join the conversation at https://twitter.com/k8em0
*Postings are provided “AS IS” with no warranties, and confers no rights.*
Update Title: 10:13am