Competition details
In the scenario for NECCDC 2013, teams were hired to replace the IT department of a small company. The students were given a potential outline of the network, which included switches, routers, servers, workstations, operating systems and IP addresses. However, teams were not given information about the current security posture or what services were functional. During the event, students handled day-to-day tasks (such as adding users and changing passwords), wrote reports, and implemented new services such as VoIP phones, VPN access, and IPv6. At the same time, an experienced offensive team attempted to disrupt the operations of the students' network and steal sensitive data that the students must protect. Members of the Dell SecureWorks Counter Threat Unit™ (CTU) and Security Operations Center (SOC) volunteered on both the judging team and the offensive team. Every year that Dell SecureWorks has been involved, several teams have impressed with their ability to act under pressure and meet the challenges brought before them. One of the most impressive aspects is how the students can translate the simulated threats into real-world applicability. Every competition presents new challenges and vulnerabilities for teams to overcome, ranging from technical to organizational. Three vulnerabilities and challenges from this year's event are worth highlighting.
Loose lips sink ships and bad passwords lose wars. Password authentication can act as a layer to help thwart unauthorized access to systems and data. However, this barrier fails when the passwords are either weak or nonexistent. When students enter the event, they often encounter a network rife with default credentials or accounts with no password set at all. Like their counterparts in the real world, successful teams enter the competition with a password plan. The plan includes answers for what the passwords will be, who holds that information, when the passwords expire and who will change them. This mindset helps close one of the most easily exploited vectors. However, some teams fall short with user accounts that have administrative privileges and weak passwords. Year after year, domain controllers that control a network's security transactions are broken into without the need for a zero-day vulnerability. The vulnerability almost always involves a user account with too much authorization whose password is cracked in minutes. According to the 2011 CWE/SANS Top 25 Most Dangerous Software Errors, missing authorization ranks as number six. Additionally, until the introduction of Windows Server 2008, basic password requirements were not enforced by default in the Active Directory Group Policy. Prior to that, users would have been allowed to use any of the most commonly used (and compromised) passwords.
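The password plan described above is only as good as the check that enforces it, and the recurring failure is a privileged account slipping through with a weak or empty password. The following audit routine is an added example (not code from the post or from Dell SecureWorks): it takes a constructed list of accounts, as a team's provisioning plan would list them, checks each password against a minimum length, a character-class rule and a stand-in common/default password list, and raises the severity to critical when the account sits in a privileged group. The group names, thresholds and sample passwords are all assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample accounts (assumption: the shape a team's password plan
# would have at provisioning time). Not data from the original post.
SAMPLE_ACCOUNTS = [
    {"name": "administrator", "password": "Password1",      "groups": ["Domain Admins"]},
    {"name": "svc_backup",    "password": "",               "groups": ["Backup Operators"]},
    {"name": "jsmith",        "password": "Winter2013",     "groups": ["Domain Users"]},
    {"name": "dbadmin",       "password": "Xk7#pLq92!mNv4", "groups": ["Domain Admins"]},
]

# Constructed stand-in for a list of commonly used / vendor-default passwords.
COMMON_PASSWORDS = {"password", "admin", "123456", "welcome", "changeme", "letmein"}

# Groups whose members get critical severity on any finding (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}


@dataclass
class Finding:
    account: str
    issues: list
    severity: str


def check_password(pw: str, min_length: int = 14) -> list:
    """Return the policy violations for one password (empty list means compliant)."""
    if not pw:
        return ["no password set"]
    issues = []
    if len(pw) < min_length:
        issues.append(f"shorter than {min_length} characters")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        issues.append("fewer than 3 character classes")
    # Catch "Password1"-style variants by also testing with trailing digits stripped.
    base = re.sub(r"\d+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        issues.append("matches a common/default password")
    return issues


def audit(accounts) -> list:
    """Audit every account; privileged accounts with any violation are critical."""
    findings = []
    for acct in accounts:
        issues = check_password(acct["password"])
        if not issues:
            continue
        privileged = bool(set(acct["groups"]) & PRIVILEGED_GROUPS)
        findings.append(Finding(acct["name"], issues, "critical" if privileged else "medium"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"[{f.severity.upper()}] {f.account}: {'; '.join(f.issues)}")
```

Run as-is it reports the administrator account (short and a common password) and the backup service account (no password) as critical, and the ordinary user as medium; the compliant admin account produces no finding. In practice the account list would come from the directory rather than a literal, but the severity logic is the point: a weak password on a privileged account is the finding that costs teams their domain controller.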
Lack of internal deterrents
The second most common weakness that teams must overcome is a lack of internal defenses and detection after an adversary penetrates their perimeter defenses. By pivoting through compromised systems, the offensive team can gain unimpeded and unmonitored access to any internal resources. The pivots allow the offensive team to enumerate internal services on the network and take over trusted systems to further bypass network defenses. The starting point for securing an infrastructure is almost always at the border of the Internet. Firewalls and intrusion detection systems help identify and alert on traffic into and out of a network. However, these defenses are not always implemented internally because the quantity of internal networks can drastically increase the complexity and cost. One option is to set up detection systems around critical internal resources such as database servers and Active Directory servers. In the past, several NECCDC student teams have created successful internal monitoring systems by using unneeded client machines as basic intrusion detection systems. By watching for unusual traffic (e.g., internal scanning, web requests to other client systems), teams flagged and isolated compromised systems before they caused further damage. This concept translates to corporate networks. When the resources are not available to monitor every subnet, it is advantageous for businesses to position resources around critical infrastructure. Having a monitoring system in critical areas can also help analysts watch for any anomalies that may indicate malicious activity.
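The student teams mentioned above turned spare client machines into basic internal sensors by watching for traffic that workstations should never generate: port scans of internal hosts and web requests aimed at other client systems. The block below is an added example, not code from the post or from any team; it runs the two detectors over a constructed list of connection records (source, destination, destination port) of the kind a sniffer on a spare client or a flow export would produce. The subnet layout, port thresholds and sample records are assumptions.

```python
from collections import defaultdict

# Assumed network layout for the example: workstations in one subnet,
# DC/database/web servers in another.
CLIENT_SUBNET = "10.0.20."
SERVER_SUBNET = "10.0.10."

# Constructed sample connection records: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.0.20.15", "10.0.10.5", 389),    # workstation -> DC (LDAP), normal
    ("10.0.20.15", "10.0.10.8", 443),    # workstation -> intranet web, normal
    ("10.0.20.77", "10.0.20.15", 80),    # workstation -> peer workstation web port
    ("10.0.20.77", "10.0.20.16", 80),
    ("10.0.20.77", "10.0.10.5", 22),     # one source touching many ports on the DC
    ("10.0.20.77", "10.0.10.5", 23),
    ("10.0.20.77", "10.0.10.5", 80),
    ("10.0.20.77", "10.0.10.5", 135),
    ("10.0.20.77", "10.0.10.5", 445),
    ("10.0.20.77", "10.0.10.5", 3389),
    ("10.0.20.42", "10.0.10.8", 443),
]


def detect_scanners(flows, port_threshold=5, host_threshold=5):
    """Flag sources that touch many distinct ports on one host (vertical scan)
    or the same port on many distinct hosts (horizontal scan)."""
    ports_by_src_dst = defaultdict(set)
    hosts_by_src_port = defaultdict(set)
    for src, dst, port in flows:
        ports_by_src_dst[(src, dst)].add(port)
        hosts_by_src_port[(src, port)].add(dst)
    alerts = set()
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            alerts.add((src, f"vertical scan of {dst}: {len(ports)} ports"))
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= host_threshold:
            alerts.add((src, f"horizontal scan on port {port}: {len(hosts)} hosts"))
    return sorted(alerts)


def detect_client_to_client_web(flows, web_ports=(80, 443, 8080)):
    """Workstations talk to servers; a workstation requesting another
    workstation's web port is the pattern the post describes as a red flag."""
    alerts = set()
    for src, dst, port in flows:
        if src.startswith(CLIENT_SUBNET) and dst.startswith(CLIENT_SUBNET) and port in web_ports:
            alerts.add((src, f"web request to peer workstation {dst}:{port}"))
    return sorted(alerts)


def suspicious_hosts(flows):
    """Sources flagged by either detector: the candidates to isolate."""
    flagged = detect_scanners(flows) + detect_client_to_client_web(flows)
    return sorted({src for src, _ in flagged})


if __name__ == "__main__":
    for src, reason in detect_scanners(SAMPLE_FLOWS) + detect_client_to_client_web(SAMPLE_FLOWS):
        print(f"ALERT {src}: {reason}")
    print("isolate:", suspicious_hosts(SAMPLE_FLOWS))
```

On the sample records only 10.0.20.77 is flagged, once for sweeping six ports on the domain controller and twice for web requests to peer workstations; the thresholds are deliberately low for a small network and would be tuned against a baseline of normal traffic before being trusted to drive isolation.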
Failure to integrate indicators into defenses
During this year's event, the offensive team preemptively deployed backdoor malware. The students' web servers were loaded with an open-source PHP web shell and an Internet Relay Chat (IRC) Trojan horse. All of the teams identified and removed these backdoors within the first few hours. The student teams also wrote incident response reports, which detailed the scope of the damage, and in some cases attributed the infections to an offensive team member. Although the students neutralized the immediate threat, they lost an opportunity. Throughout the event, several of the offensive team's command and control (C2) servers used the same top-level domain included in the IRC bot. Many of the student teams simply identified the domain as malicious and included it in the incident response report. If the students had used the malicious domain information to track how its corresponding IP address changed, they could have maximized the value of the data by supplying their firewalls with a continuously updated list of IP addresses to block throughout the event. The same tactic could have been applied to the PHP web shell that the offensive team deployed. Monitoring the web server logs for requests to the web shell's path could have yielded a treasure trove of adversarial IP addresses to block at the firewall level.
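The two missed opportunities above share one workflow: take an indicator from the incident report (the C2 domain, the web shell path), keep watching it, and feed what it yields into the firewall. The block below is an added example, not code from the post or from any team. It tracks how a domain's resolved IP changes over a constructed series of DNS observations, extracts every source IP that requested the web shell path from constructed Apache combined-format access log lines (including requests that 404 after the shell was removed), merges both into one block list and renders it as iptables rules. The domain name, shell path and all addresses are placeholders; a team would substitute the values from its own report.

```python
import re

# Placeholders for the indicators a team would take from its incident report.
# The post does not name the real domain or path.
C2_DOMAIN = "c2.example.invalid"
WEBSHELL_PATH = "/images/cache.php"

# Constructed DNS observations (timestamp, name, resolved IP), e.g. from a
# cron job that re-resolves the indicator domain every few minutes.
DNS_OBSERVATIONS = [
    ("2013-03-09T09:00:00", "c2.example.invalid", "198.51.100.10"),
    ("2013-03-09T09:10:00", "c2.example.invalid", "198.51.100.10"),
    ("2013-03-09T10:30:00", "c2.example.invalid", "203.0.113.25"),   # C2 moved
    ("2013-03-09T11:00:00", "c2.example.invalid", "203.0.113.25"),
]

# Constructed Apache combined-format access log lines.
ACCESS_LOG = """\
192.0.2.44 - - [09/Mar/2013:09:02:11 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.25 - - [09/Mar/2013:09:05:40 -0500] "POST /images/cache.php HTTP/1.1" 200 312 "-" "curl/7.29.0"
198.51.100.77 - - [09/Mar/2013:09:07:02 -0500] "GET /images/cache.php?v=2 HTTP/1.1" 404 209 "-" "python-requests/1.1"
192.0.2.44 - - [09/Mar/2013:09:09:13 -0500] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request path from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def c2_ip_history(observations, domain):
    """Ordered list of (first_seen, ip) for each distinct address the domain resolved to."""
    history = []
    for ts, name, ip in sorted(observations):
        if name == domain and (not history or history[-1][1] != ip):
            history.append((ts, ip))
    return history


def webshell_client_ips(log_text, shell_path):
    """Every source IP that requested the shell path. The status code is
    ignored on purpose: a 404 after clean-up is still an attacker returning."""
    ips = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == shell_path:
            ips.add(m.group("ip"))
    return ips


def build_blocklist(observations, log_text):
    """Union of current and past C2 addresses with web shell client addresses."""
    ips = {ip for _, ip in c2_ip_history(observations, C2_DOMAIN)}
    ips |= webshell_client_ips(log_text, WEBSHELL_PATH)
    return sorted(ips)


def iptables_rules(ips):
    """Render the block list as iptables DROP rules for the INPUT chain."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for ts, ip in c2_ip_history(DNS_OBSERVATIONS, C2_DOMAIN):
        print(f"{C2_DOMAIN} -> {ip} (first seen {ts})")
    for rule in iptables_rules(build_blocklist(DNS_OBSERVATIONS, ACCESS_LOG)):
        print(rule)
```

Re-running this on a schedule is what turns a single report entry into the "continuously updated list" the post describes: each new resolution of the C2 domain and each new client hitting the shell path lands in the next firewall update rather than in a document nobody reads again.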