Security Competition!

My understanding is that you'll be attacked from outside your switch, so I'd mirror the uplink port and put Snort on that. Or you can put it inline and have it actively block for you, but that could take a while to learn to do right. The biggest thing about Snort is tuning the rules, so you'll want to have these ready to go before you arrive.

If you need for the other machines to access the internet, install squid on the windows box.

Focus on strategy and teamwork. Make sure each person knows their role, and keep your calm. Turn off unused services; they'll definitely be scanning for oddball ways to get in with some vuln (using Metasploit, possibly). Set up firewalls if you can. Think about the weaknesses, both from the outside and the inside. DO NOT TRUST YOUR NETWORK! Hard on the outside, chewy in the middle, right? Think about situations like one of your boxes being compromised: what are you going to do to restore services? Have any backups?

It will be lots of fun, and you'll definitely learn a ton. Just try to account for all that you can, and expect that the first problem you'll deal with will be something you never expected!
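The post above puts Snort on a mirrored uplink and says the real work is tuning the rules. The following is an added example, not code from the original thread: a small Python triage script that parses Snort's fast-format alert output, ranks signatures and source addresses, pulls out the priority-1 hits, and emits Snort 2 threshold.conf event_filter lines for signatures that fire too often, so the team can rate-limit the noisy scan alerts in testing rather than under fire. The alert lines are constructed sample data, the sig IDs 1000001 to 1000003 sit in the local-rule range, and the noise threshold and 60-second window are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of Snort "alert_fast" output (not a real capture). Sig IDs 1000001+
# are in the range reserved for local rules. The last line is deliberately not an alert.
SAMPLE_ALERTS = """\
03/01-14:22:05.123456  [**] [1:1000001:1] LOCAL SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44123 -> 192.168.1.10:80
03/01-14:22:05.223456  [**] [1:1000001:1] LOCAL SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44124 -> 192.168.1.10:443
03/01-14:22:05.323456  [**] [1:1000001:1] LOCAL SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44125 -> 192.168.1.10:3306
03/01-14:22:06.000000  [**] [1:1000002:1] LOCAL WEB possible SQL injection in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51000 -> 192.168.1.10:80
03/01-14:22:07.000000  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.20
03/01-14:22:08.000000  [**] [1:1000002:1] LOCAL WEB possible SQL injection in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51001 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""

# One alert_fast line. Ports are optional so ICMP alerts (no ports) parse too. IPv4 only.
ALERT_RE = re.compile(r"""
    ^(?P<ts>\S+)\s+\[\*\*\]\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.*?)\s+\[\*\*\]\s+
    (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?
    \[Priority:\s*(?P<prio>\d+)\]\s+
    \{(?P<proto>\w+)\}\s+
    (?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$
""", re.VERBOSE)

Alert = Dict[str, Optional[str]]


def parse_fast_alerts(text: str) -> List[Alert]:
    """Parse alert_fast lines into dicts of the named groups; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_signature(alerts: List[Alert]) -> Counter:
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def count_by_source(alerts: List[Alert]) -> Counter:
    return Counter(a["src"] for a in alerts)


def high_priority(alerts: List[Alert]) -> List[Alert]:
    """Priority 1 alerts: the ones to look at first while the scan noise is rate-limited."""
    return [a for a in alerts if a["prio"] == "1"]


def suggest_event_filters(alerts: List[Alert], noisy_threshold: int = 3, seconds: int = 60) -> List[str]:
    """For signatures that fired at least noisy_threshold times, emit Snort 2 threshold.conf
    event_filter lines capping them to one alert per source per `seconds`. Both numbers are
    assumptions for this example; tune them to the traffic seen in practice runs."""
    lines = []
    for (gid, sid, _msg), n in sorted(count_by_signature(alerts).items()):
        if n >= noisy_threshold:
            lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds {seconds}")
    return lines


if __name__ == "__main__":
    alerts = parse_fast_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts")
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        print(f"  {n:3d}  [{gid}:{sid}] {msg}")
    print("top sources:", count_by_source(alerts).most_common(3))
    for a in high_priority(alerts):
        print(f"PRIORITY 1: {a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
    print("suggested threshold.conf lines:")
    for line in suggest_event_filters(alerts):
        print(" ", line)
```

Run it against the real alert file (for example, the alert file under Snort's log directory) instead of SAMPLE_ALERTS to see which local rules need a filter; the event_filter lines go into threshold.conf, and a rule that is pure noise for the competition network is better handled with a suppress line than by deleting the rule.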
 
You could consider setting up some honeypot devices to keep the attackers busy instead of damaging your real network :D
 
How much time do you have to prepare before the red team starts attacking?
 
Use GP to its fullest.

Set up port mirroring for Snort and Wireshark so you see all traffic.

Are the only services going to be Apache, Exchange services, AD login, and MySQL?
 
Wow, this is already coming up? I was thinking about participating, but my school's application deadline for the team was the same night I learned about it. -_-

Actually I just checked, my region already finished on March 1.
 
The only reason I thought of that was a security class I had in college. We had a similar competition to attack/defend our networks. That honeyd program was very useful!
 
A local college here just returned from competition, and apparently every host they had to protect had a problem that they had to fix as soon as they started.

In this instance, they tried running Windows Update on the XP host, but it was blocked by the proxy. They figured out the patches were on one of the servers, but by that time the XP box was compromised (10 minutes).

In this case my advice would be to throw up defenses, fix what is broken, and then continue your normal plan.
 
Honeypots are worthless in this because the whole point is the attacker not knowing what's there and seeing something fake. It's different when the attackers are in the same room and know what equipment/os you have.
 
Actually, isn't that the point of the honeypot? They don't know it's fake since they don't know the network, so they will be trying to hack something that isn't worth hacking. Essentially they will be wasting precious time, giving you more time to set up your defense and fixes.
 
+1

They don't know your setup, so a quick honeypot deployment could actually be really useful if they fall for it.
 
-Windows XP Pro - Only computer that can connect to the Internet for patches and whatnot


The main restrictions of the competitions are:
-You can only use that one Windows XP box to connect to the Internet.

The very first thing I would do is unplug the Internet connection from this box and image its drive. I would consider this box one of their main targets.

I would also get to know the routes to your patches. Check those routes before downloading anything.

Good luck and have fun
 
heh, CCDC..

If you haven't read the CCSP books cover to cover, you're going to get owned pretty quickly. Unless they changed it, you're going to have a router, switch and a firewall (ASA), so know your Cisco security.

Honeypots are a waste of time; they have proved to allow the red team more time to pop the rest of your network while you're getting everything in order (this is what I've been told many times). Work on fixing the vulns you know about. Also, have access to full-disclosure sites within your grasp at all times. Have a list of all recent/"BIG" security holes that have been found within the past 5 years. You will get your network in shambles; basically it goes like this: "some IT team has hosed up this customer's network, fix it".

IDS/IPSs are your friend; people have mentioned Snort... excellent suggestion. Run it inline so you can have more IPS functionality. SPAN is an option if you don't want to do that.

Spacehonkey is right, they will be attacking you from the outside... but there is a service "counting" server where it measures uptimes (this is how the score is kept). You need to have the most highly available network, so you can't just turn off something (someone recommended this, :rolleyes: idiot). You will get requests from your "customer" to "allow" particular services midway into the competition so that the red team can work on popping them.

The red team is no joke; they are seasoned security professionals (when nationals rolls around). They will not only work on accessing your network; watch out for social engineering... keyboard surfing (yes, they are allowed where you sit IF you let them in!), anything.... they might try to get you drunk after the first day and weasel some information out of you.... this HAS happened before. Don't get it twisted.

My old roommate's team took nationals a few years ago, and he was asked to join the red team, but because of work obligations he couldn't. I have never participated in these competitions, but they are very easy if you stay calm, stick with your team and have a CLEAR and DEFINED leader. If you don't, you're going to get owned.

BTW, if you get to nationals (or are in; I haven't followed this stuff at all, hah), the skill level of these security guys is like this... they write 0-days during the competition.
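The post above makes the scoring point: a service-counting server polls your services and the score is uptime, so the blue team wants the same view of its own boxes that the scorer has. The following is an added example, not code from the original thread: a Python poller that TCP-connects to each scored service, optionally requires a banner fragment so a port answered by the wrong daemon counts as down, and keeps a running availability fraction per service. The listener it starts on 127.0.0.1 stands in for a real service so the example runs offline; the service names, ports and expected banners are assumptions, not the competition's.

```python
import socket
import threading
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    """A scored service: where it listens and, optionally, bytes its banner must contain."""
    name: str
    host: str
    port: int
    expect: Optional[bytes] = None


@dataclass
class CheckResult:
    name: str
    up: bool
    latency_ms: float
    detail: str


def _elapsed_ms(start: float) -> float:
    return round((time.monotonic() - start) * 1000, 1)


def check_service(svc: Service, timeout: float = 2.0) -> CheckResult:
    """TCP-connect to the service; if svc.expect is set, the first bytes received must contain it.
    A connect that succeeds but returns the wrong banner counts as DOWN."""
    start = time.monotonic()
    try:
        with socket.create_connection((svc.host, svc.port), timeout=timeout) as conn:
            detail = "connected"
            if svc.expect is not None:
                conn.settimeout(timeout)
                first = conn.recv(1024)
                if svc.expect not in first:
                    return CheckResult(svc.name, False, _elapsed_ms(start), f"unexpected banner {first[:40]!r}")
                detail = "banner ok"
        return CheckResult(svc.name, True, _elapsed_ms(start), detail)
    except OSError as exc:  # refused, timed out, unreachable, reset: all count as down
        return CheckResult(svc.name, False, _elapsed_ms(start), f"{type(exc).__name__}: {exc}")


class UptimeTracker:
    """Fraction of polls in which each service was up, the figure a scoring server effectively keeps."""

    def __init__(self) -> None:
        self._polls: Dict[str, List[bool]] = defaultdict(list)

    def record(self, result: CheckResult) -> None:
        self._polls[result.name].append(result.up)

    def availability(self, name: str) -> Optional[float]:
        polls = self._polls.get(name)
        return sum(polls) / len(polls) if polls else None


def poll_once(services: List[Service], tracker: UptimeTracker, timeout: float = 2.0) -> List[CheckResult]:
    results = [check_service(s, timeout) for s in services]
    for r in results:
        tracker.record(r)
    return results


def start_local_listener(banner: bytes = b"220 blue-team test service\r\n") -> Tuple[socket.socket, int]:
    """Throwaway listener on 127.0.0.1 standing in for a real service so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port() -> int:
    """Reserve then release an ephemeral port so it is (almost certainly) closed when checked."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, port = start_local_listener()
    # Assumed stand-ins for the scored services; replace with the real hosts, ports and banners.
    scored = [
        Service("smtp-stand-in", "127.0.0.1", port, expect=b"220"),
        Service("wrong-banner", "127.0.0.1", port, expect=b"SSH-2.0"),
        Service("closed-port", "127.0.0.1", pick_closed_port()),
    ]
    tracker = UptimeTracker()
    for r in poll_once(scored, tracker, timeout=1.0):
        print(f"{r.name:15} {'UP  ' if r.up else 'DOWN'} {r.latency_ms:7.1f} ms  {r.detail}")
    for s in scored:
        print(f"{s.name:15} availability {tracker.availability(s.name):.0%}")
    listener.close()
```

Run poll_once on a timer from a box the red team is not targeting (the same vantage point as the scorer, if you know it), and treat any service whose availability drops as the next thing to fix; this is also where you find out that a firewall rule you just added blocked the scoring server along with the attackers.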
 
I only wish I was that good. Oh well, I'll just keep dreaming...
 