This weekend was the Community College Cyber Defense competition at Iowa State University. I had the opportunity to be on the Red Team and as it was my first time to participate on the Red Team as part of one of these competitions, I was eager to see how the Blue Team's defense compared to what we see in industry.
The scenario for the event was a common one that we see in industry all the time. Each team was given an already existing server that was running a number of services on it. Each team was to be part of a rejuvenated security program whose task it was to implement proper security policy on the systems and secure the data. These students had a hefty budget where they could implement new servers, upgrade systems, and harden configurations in order to protect their systems from compromise by the Red Team.
What we found when we started assessing the systems was fairly representative of what we see in corporate security. The teams broke down into three distinct groups. The first group of teams had done basic hardening, but software wasn't upgraded and there wasn't a lot of additional hardening put in place. The second group had patched all their operating systems, but the software running on the machines still had flaws. The third group spent time and did a better job engineering their environment, moving from older software to the latest version, ensuring all software was patched, and deploying OS hardening beyond what was default out of the box.
The results from the competition reflected what would be expected, the teams that went above and beyond with their hardening and architected security into their environment faired the best. Even though the Red Team had valid credentials for systems in the environment, the target data couldn't be compromised, and by the end of the game, two teams had created environments that remained uncompromised by the end of the competition.
These three groups exist prominently in corporate security as well. Obviously not everyone will fit firmly into one of these groups, but they are a good generalization for three different levels of security maturity in organizations. The first group of organizations has reached a level where there is basic patch management through WSUS or SCCM but the patches that are being pushed are primarily for remote exploit vulnerabilities in Windows. These organizations usually have some level of firewall filtering ports coming into the organization, but very limited egress filtering. While the OS is being patched, we frequently see poor patch management of software in this environment, with network services and workstation applications being out of date or missing patches. With the patch management in place, these same organizations don't have good processes in place for patch validation.
The impact of these things together is that while most systems are patched, patching oversights and weak configurations frequently allow attackers into these environments. As only remote exploits are being patched, navigating these environments after an initial compromise is fairly easy, and escalation is trivial due to the lack of patching of privilege escalation vulnerabilities. This turned out to be true in the competition as well. With some systems missing patches that prevent privilege escalation and others with weak configurations that allowed for easy escalation, a number of teams were compromised across all of their services.
The second group has better hardening, some egress filtering on the network, with good patch management for operating systems. Where these networks tend to lack is still with the application management and system configurations. In Windows environments, these systems frequently have good patch management, but are running with all users as local admins, have the default cached credentials, and may be running vulnerable 3rd party software such as vulnerable Adobe products or Java.
In the competition, most of the groups fell into this category. There was some ingress(inbound) and egress(outbound) filtering on the network, but default passwords for web applications may not have been changed, and while SE Linux may have been deployed on Linux systems, there were users that had unrestricted sudo access on the system. During penetration tests, this is also where the majority of companies fall into right now. Although the networks don't have MS08-067lying around, through NetBIOS Name Spoofing (NBNS) or Link-Local Multicast Name Spoofing (LLMNS) credentials can be captured allowing testers to get access to individual systems. In many of these cases, each user has local Administrator access to their machine, and cached credential management is poor, so while it's more difficult to get onto systems, the configuration of the systems allows for escalation and eventually full domain access.
The third group is the one that the top teams in the competition fell into. This group had excellent ingress and egress filtering, limited the access of user accounts on systems, and ensured that software did not contain default configurations. By SELinux and chroot jails under Linux, very little information was exposed. Limited Windows accounts with software white-lists made gaining any traction on Windows systems difficult. These things combined with the system hardening from the last two, allowed the top two teams to not have any services exploited during the contest.
While some of these technologies are suitable for production environment, things like chroot jails and software white-lists aren't always practical. But successful organizations are doing successful privilege limitation, network segregation, application patching, and network filtering. These environments frequently have non-essential services disabled along with un-needed protocols such as NetBIOS Name Services. The combinations of these things together make it difficult to perform privilege escalation, but we typically only see a handful of these environments each year.
One of the most encouraging things about these competitions is that these students are having the opportunity to look at some real world scenarios against real world adversaries and have to deal with these problems before they reach corporate environments. While this one was hosted at University of Iowa, there are a number of these competitions all over the US with many colleges participating. This is a great place for students and IT and Security professionals to reach out and meet students who have a good grasp of systems admin and security.
We know how the students held up, but how would your organization survive against a targeted attack? You can find out with a network, application and physical penetration tests. Trustwave offer's all three, so you can find out how your organization stacks up.