@hashishrajan
Created February 7, 2018 22:58
Meetup Madness Security Debate Melbourne & Sydney - February, 2018
The Melbourne Security Debate (Red vs Blue) - Debate Questions
Question 1:
(Andrew Dell)
A small company, SmallCorp, has recently been bought out by a large corporation, ACME Inc. SmallCorp has been aggressively expanding into SE Asia and the sales team frequently travel to attend sales meetings. ACME has a large, mature security team.
Red Team: You wish to compromise ACME Inc’s environment, and view the acquisition as a perfect opportunity to compromise SmallCorp and move laterally into ACME Inc. How would you go about this, and if successful, how do you stay quiet enough not to be found after the acquisition?
Blue Team: You are ACME Inc’s cyber security team. You have been advised of the acquisition and tasked with connecting SmallCorp to ACME Inc’s environment and having it fully integrated and functional within two weeks. How are you going to achieve this while ensuring the security posture of ACME Inc is not diminished?
---------------------
Question 2: - Red Team 1st
(Pamela O’Shea)
It's a rainy Monday morning, you have your coffee in one hand and your low privileged shell in the other hand. You obtained your shell after successfully social engineering a middle manager's account via a dating site. Things are looking up for those targets your clients asked you to get access to, you even dodged a canary along the way! But after some time, you can't find those targets, what is going on? Have they actually segmented their network correctly you say? You take a deep breath, make a green tea and read through the documentation on the manager's share drives.
You see a consultant report from a shiny consulting firm dated 2017. Hmmm and it looks like they implemented their changes. All critical systems are no longer on the LAN or WIFI, they are on a private internal 4G system.
Red team: What do you do? How do you sniff this juicy traffic and gain access to those systems you were tasked with? How do you avoid detection?
Blue team: How do you monitor your radio communications? What defences can you use? How do you know there are no rogue base stations?
---------------------
Question 3:
(Silvio Cesare)
A University research team is working in conjunction with government, namely, ASP, the Australian Signals Protectorate, and Industry - ProjectHero, to develop the next generation of Cyber weapons, code-named spectrum and melted icecream. At the same university, researchers and developers, working with Nicta61, have source code access and commit privs to a formally verified micro-kernel used in high security applications such as military UAVs and pizza delivery drones.
The researchers follow a BYOD policy at the university and use IT department provided systems for the development environment. The desktops and computer lab environments have a yearly refresh, but are otherwise untouched. The researchers and academic staff also have teaching commitments and routinely mark student papers sent to them as PDFs and Word documents.
Red Team - choose your own adventure. Do you wish to play a foreign state actor, a politically motivated activist group, or a rebellious student looking for the thrill of the hack. What’s your next move?
Blue Team - The senior management has given you permission to secure the environment - whatever that means. What’s your plan?
---------------------
Question 4:
(Annie Lin)
At a DevOps conference, a bank presented their recent successful implementation of continuous delivery, with the same deployment process used in all environments, including production. 80% of the bank’s applications are deployed through this automated process. A release manager with the right authentication and authorisation is able to approve a release from their mobile phone. They also presented their choice of tooling and deployment software.
As an attendee of the conference, you went home, checked the latest release notes and the list of addressed defects and known issues, you downloaded a trial version of the deployment product. You noted that the deployment software authentication mechanism uses a basic substring search to determine whether the user is requesting a restricted URL that requires authentication. You smiled.
Red team, with the information provided, what are two different attacks you can perform, and what is the extent of damage you can achieve?
Blue team, you are the security engineers/architects of the bank. What would you do better to avoid/prevent red team’s attack?
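One way the Blue team could replace a substring-based check like the one described above, shown beside the weak form (an added example, not part of the original questions and not code from any real deployment product). The `/admin/` prefix, the public route list and the case-insensitive router are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

RESTRICTED_MARKER = "/admin/"          # hypothetical restricted URL prefix
PUBLIC_PATHS = {"/login", "/health"}   # hypothetical unauthenticated routes


def needs_auth_substring(request_target: str) -> bool:
    """The weak pattern from the question: substring test on the raw URL."""
    return RESTRICTED_MARKER in request_target


def canonical_path(request_target: str) -> str:
    """Reduce a request target to the one form the access decision uses."""
    path = request_target.split("?", 1)[0]      # drop the query string
    for _ in range(5):                          # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path keeps changing under repeated decoding")
    if "\x00" in path or "\\" in path:
        raise ValueError("unexpected character in path")
    # normpath resolves '.', '..' and '//'; lower() assumes a case-insensitive router
    return posixpath.normpath("/" + path.lower().lstrip("/"))


def needs_auth_default_deny(request_target: str) -> bool:
    """Hardened decision: authenticate everything not explicitly public."""
    try:
        return canonical_path(request_target) not in PUBLIC_PATHS
    except ValueError:
        return True                             # fail closed


# Constructed request targets that all reach the same restricted handler
# once the server has decoded and normalised them.
SAME_RESOURCE = ["/admin/deploy", "/ADMIN/deploy", "/%61dmin/deploy",
                 "/login/../admin/deploy"]


def compare(targets=SAME_RESOURCE):
    """Return (target, weak_decision, hardened_decision) for each input."""
    return [(t, needs_auth_substring(t), needs_auth_default_deny(t))
            for t in targets]
```

The weak check also misfires in the other direction: it demands authentication for `/login?next=/admin/`, a public page, because the marker appears in the query string.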
---------------------
Question 5:
(Andrew Dell)
Company X stores their customer data in a highly-secure cloud environment.
Before migrating their data to the cloud 12 months ago, Company X ensured their environment passed all the AWS “Well Architected” criteria. Only native AWS services have been used by the company and all native AWS logging and monitoring services that were available are enabled, however no services released by AWS in the last 12 months have been implemented. It is an Internet-facing service for employee use, but is not a customer-facing service, so no content delivery network or web application firewall services have been implemented.
Red team: How would you go about compromising this environment, quietly?
Blue team: You receive intelligence that your cloud environment may be, or already has been, compromised. You must find what has been compromised and how. Where do you start?
---------------------
Question 6: Blue Team 1st
(Pamela O’Shea)
Recently you have been enjoying some team building morning coffees with your blue team. This usually involves laughing at the blocked WAF attempts and the growing number of banned IPs in your expensive pew pew dashboard while you stroke your furry evil cat. That software was so worth the enormous price tag, you're thinking of getting two more in the next budget to cover other geographies. Your carefully crafted wildcard and dot character rulesets are going to get you that promotion, you can feel it! Who could possibly bypass the wildcard gauntlet you set down and even if they did, they could never specify an IP address because you have blocked the dot character anyway! Muhahaha!
But one attacker quietly comes back and never uses any wildcards or dots, she only uses forward slashes and question marks, so they look like regular URL characters to your WAF rules and quietly pass through. The attacker uses the long form integer notation for her IP addresses, so there is no need for dots and pops a shell. Boom!
Blue team: How would you know this has happened? How do you go about finding this in your logs? How do you track down how far the hacker has reached within your network?
Red team: Once the WAF is updated you may lose your future access, how do you maintain your persistence? How do you avoid detection? What other protections might you be watching out for? What mapping or resources would you do to find the crown jewels before they find you and the clock runs out?
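A sketch of the log hunt the Blue team is asked about above: decode each request target, then flag integer tokens that resolve to an IPv4 address (an added example, not part of the original questions). The log lines, the combined log format and the `/diag` endpoint are constructed for illustration, and the check goes slightly beyond the scenario by also catching the hexadecimal integer form.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed access-log lines; all addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Feb/2018:09:14:02 +1100] "GET /search?q=coffee HTTP/1.1" 200 5120
198.51.100.7 - - [07/Feb/2018:09:14:09 +1100] "GET /diag?target=3221225994 HTTP/1.1" 200 87
203.0.113.5 - - [07/Feb/2018:09:15:30 +1100] "GET /orders?id=10443 HTTP/1.1" 200 913
198.51.100.7 - - [07/Feb/2018:09:16:41 +1100] "GET /diag?target=0xCB007105 HTTP/1.1" 200 87
198.51.100.7 - - [07/Feb/2018:09:17:12 +1100] "GET /diag?target=%33221225994 HTTP/1.1" 200 87
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A standalone hex integer or an 8-10 digit decimal, not part of a longer word.
INT_TOKEN = re.compile(r'(?<![\w.])(0x[0-9a-fA-F]{1,8}|\d{8,10})(?![\w.])')


def dotless_ipv4(token: str):
    """Dotted quad for an integer in the range 1.0.0.0-255.255.255.255, else None."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    if not (1 << 24) <= value < (1 << 32):
        return None
    return str(ipaddress.IPv4Address(value))


def hunt(log_text: str):
    """Return one finding per integer-encoded IPv4 seen in a request target."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        decoded = unquote(unquote(target))   # match what the backend saw
        for tok in INT_TOKEN.findall(decoded):
            ip = dotless_ipv4(tok)
            if ip:
                findings.append({"client": client, "time": when, "status": status,
                                 "token": tok, "decoded_ip": ip})
    return findings


def pivot_targets(findings):
    """Unique decoded addresses to search for in egress and firewall logs."""
    return sorted({f["decoded_ip"] for f in findings})
```

Ten-digit Unix timestamps or order numbers in URLs will also match, so treat hits as leads and narrow by parameter name; the decoded addresses are the pivot into outbound connection logs from the web tier.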
---------------------
Question 7:
(Silvio Cesare)
Intel have introduced a new feature set in their processors. It’s known as Intel OMG, or in full, Intel 0-management-engine. It has a feature that allows a remote wipe of a computer when a computer receives a digitally signed network packet, at the end point, that triggers overwriting the bootloader on the connected hard disks.
Team synonymous in conjunction with Edward Wikipeaks have hacked Intel and exfiltrated a tool that will send the correct network packet to initiate the remote wipe. They have announced they will release it in 1 week.
Red Team: Take the role of a New Zealand citizen or state actor launching a cyber attack on Australia to disrupt the sheep trade and raise the price of bitcoin. What do you do for maximum destruction? How do you hide the source of the attack? How do you prevent quickly getting blocked or taken down? Do you need to prepare?
Blue Team: Save Australia. You have 1 week. How? Disconnecting the internet? Backups? IDS? Firewalls? Tell us how.
---------------------
Question 8:
(Annie Lin)
A retail company decided to completely rewrite their ecommerce platform in a microservices architecture, orchestrated by Kubernetes, using Prometheus, Grafana and Zipkin for their monitoring, tracing and logging, and improved incident management response time to 90 sec. They released a beta version online, and they are working on ways to conduct live A/B testing.
Red team: With the information provided, where will you start to look for vulnerabilities? Are you able to hijack the beta site within 90s?
Blue Team: How would you improve the design to preempt red team’s attack?
The Sydney Security Debate (Red vs Blue) - Debate Questions
Question 1:
(Norman Yue) Red Team 1st, Blue 2nd
In the course of your Internet travels, you’ve managed to compromise a cryptocurrency exchange web server - you’ve already got equivalent to code exec as www. Do you stay persistent (if yes, where and how), how do you cash out, while keeping the value of your target currencies as high as possible?
Conversely, assuming a somewhat competent attacker (i.e. signature IDS and AV won’t pick them up), how do you structure your systems to prevent this? How do you plan your defense, both of your own systems, and your users’ assets?
---------------------
Question 2:
(Nicholas Tan) Blue Team 1st, Red Team 2nd
In the context of Serverless Computing, Function Event Data Injection exploits are among the most critical/risky. Given the range of input source choices, especially non HTTP API calls (runtime code injection, NoSQL injection, object deserialization attacks etc), for the Red team, set out how you might recon/identify that a Function could be vulnerable to an exploit for a given input source and what are some examples of weaponised delivered exploits seen in the wild.
For the Blue team, what good practices and approaches are recommended to identify / mitigate Event Data Injection Exploits in prod? Will traditional logging/SIEM approaches still be applicable for Serverless? What changes to existing SW delivery practices and toolchains are recommended as more teams switch to Serverless/FaaS development? Given expected additional security built into Public Cloud provider Serverless Platforms, what additional components/tech stack are recommended if deploying a roll-your-own solution, i.e. OpenFaaS?
---------------------
Question 3:
(Annie Lin) Red Team 1st, Blue team 2nd
Red Team: If you were to hack a bank, where would you look for the best balance of difficulty and profitability. Please provide some examples.
Blue Team: Secure the bank from Red team’s attacks
---------------------
Question 4:
(Silvio Cesare) Blue team 1st, Red Team 2nd
An organised crime group has bought a Windows kernel exploit on the black market for $100,000. The kernel exploit is based around a corrupt NTFS file system contained on a USB stick. The NTFS file format has an integer overflow when certain fields are added together by the Windows kernel, resulting in the kernel copying a larger than expected buffer and leading to memory corruption. Ultimately, arbitrary code controlled by the attacker can execute on a Windows host that plugs in the USB stick - irrespective of the controls to treat the USB device as non-executable and blocking writes.
The federal police arrest the organised crime group and seize all their equipment. They go to perform data acquisition of all the seized drives and USB sticks, plugging the malicious NTFS drive into their Windows-based computers.
What happens next? Can law enforcement protect against this type of attack? What type of malicious code would a crime group want to execute? What could be the potential impact during a forensic investigation that an attacker gains code execution on an analyst’s computer? Is this a reasonable threat model or completely unrealistic?
---------------------
Question 5:
(Norman Yue) Blue team 1st, Red team 2nd
You’ve been keeping an eye on a specific target company - a large e-commerce widget retailer - for a while. Suddenly, you overhear on the train one day that this company has announced a shift in strategy: maximising both local and remote synergies by accelerating towards “devops”, starting with massive automation of its build pipelines.
What are the first things you’d look for, to take advantage of this - what new opportunities do you think this presents?
Conversely, with a limited budget and limited time, what are the core controls you’d implement for this business?
---------------------
Question 6:
(Nicholas Tan) Red team 1st, blue team 2nd
A recent Medium post from Hackernoon “I’m harvesting credit card numbers and passwords from your site - Here’s how” has gained a lot of notoriety and in setting out his chosen attack vector/distribution path, the author made the following comment;
“Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.”
He went on to describe a scenario where he created scraping malware that was disguised in a mildly useful/amusing (logging in colour) npm package which he spammed via several hundred Pull Requests to various front end packages - “Being helpful / fixing things”. A lot were rejected but enough now depend on his package and it has self propagated at scale and is reaping him his rewards.
For the Red team, how realistic is this scenario? Is the effort worth the reward? Are there other “easy” vectors that are becoming popular (i.e. cryptojacking javascript; malware/adware) rather than trying traditional entry points (i.e. XSS) that are usually more well protected?
For the Blue team, across the overall Open Source community, is there such a thing as herd protection and the sloppy security practices of some can be expected to get covered by the good practices of others? Are the ‘vetted/tested’ Enterprise versions of many open source packages the most practical approach to ensuring code quality in packages?
How can DevOps/SecOps teams best scan/identify, manage, track 3rd party package vulnerabilities? Is manual reporting/tracking ever/even viable?
---------------------
Question 7:
(Annie Lin) Blue team 1st and Red team 2nd
Red team will play a cyber anarchist group trying to obtain top secret US military information and the Blue team is playing the NSA who are in charge of protecting this information.
Red team please tell us strategies on how you would obtain this information and importantly how you would cover your tracks.
Blue team tell me how you would defend these attacks and also how you could track the culprits down.
---------------------
Question 8:
(Silvio Cesare) Red Team 1st, Blue Team 2nd
We all know Adobe Reader has had numerous vulnerabilities. What about the document parsers that Google uses to index, search, and convert formats? It’s almost certain that at regular intervals, Google’s applications processing documents crash due to malformed file formats.
Red Team, is it possible to gain a foothold on Google infrastructure? What do you need? Source code of their document parser? A binary? Black-box fuzzing?
What other cloud services do file format parsing? Cloud-based AV?
Blue Team, is this a likely threat model? Do you collect crash reports from your servers? Do you sandbox? What do you do?
---------------------
WINNER ANNOUNCED BASED ON AUDIENCE VOTES
(Gerhard)