
9/8/2015

Sponsored by

Using Capture the Flag and Security Simulations to Improve Response Time, Hone Skills and Find Vulnerabilities

2015 Monterey Technology Group Inc.

Made possible by

Thanks to
James Griffin


Preview of key points

Capture the flag
- Goals
- How to plan
- How to design

Related exercises
- Table top exercises
- Live fire drills
- Simulations


Related exercises: Table top exercises

- Purpose: finding high level, unanticipated or blended vulnerabilities
- No hacking going on
- Sitting around a table
- Brainstorming attack scenarios
- Considering response to an attack scenario
- Have representatives from each area of IT and security
- Need a challenger and an arbiter

Related exercises: Simulations

- Not about finding security vulnerabilities
- More about finding vulnerabilities or gaps in:
  - Procedures
  - Communication
  - Contacts and stakeholders
  - Decision making capability


Related exercises: Live fire drills

- Purpose: test your team with your actual network being protected
- Risk to production
- Hard to get approval and buy-in
- Need a very professional hacking team
- High risk and high value

Capture the flag: 3 types

- Defense oriented
- Offense oriented
- Hybrid

Team options
- Individual
  - Single player
  - Multiple competing players
- Teams
  - Single team
  - Multiple competing teams on same side


http://www.sans.org/readingroom/whitepapers/casestudies/capture-flag-educationmentoring-33018 - Jerome Radcliffe


A basic offensive CTF game

- Several teams attempting to capture flags on servers
- Flags are simple text files placed in specific locations that teams must locate
- Cool if the files, when combined, form a larger message
- Moderator
  - Facilitates
  - Adjudicates
  - Keeps score
  - Gives hints where necessary to make sure all teams complete the game
- Winning based on time to complete
  - Can also be based on highest score within the time limit

Getting started

- What are your goals for the game?
  - Help people think like the offense?
  - Build skills?
  - Preserve/build confidence?
  - Make folks more aware/believing of the risks your organization faces?
- Held during or after work?
- Support from management
  - Hardware
  - Venue
  - Prizes
  - Food


Game dynamics and logistics

- Give sufficient notice
- How to form teams?
  - Radcliffe used 2-person teams limited to 1 computer to encourage team interaction
- How long?
  - All day or a weekend for advanced players
  - 3 hours for the entire event is more appropriate for a first game
  - Need time for getting started, and to have a post game discussion, prizes, etc.
- Lay ground rules
- Scoreboard

Technical design of the actual game

- Choose your targets
  - Device, OS, application
  - Advantages for selecting
    - Familiar
    - Unfamiliar
  - Decoy servers?
- Setup network
  - Isolated?
- Choose your vulnerabilities to exploit
  - Put the flag behind these vulnerabilities
- Design your attacker client PCs


Flags

- Choose your target
  - Device, OS, application
  - Advantages for selecting
    - Familiar
    - Unfamiliar
- Choose your vulnerabilities to exploit
  - Put the flag behind these vulnerabilities
- How many vulnerabilities and how difficult?
  - Enough to keep it interesting and valuable
  - Not too many, so as not to demoralize folks that can't complete
  - Be careful deciding whether it's OK if not every team finishes
  - Time limit
- If possible have the flags build on each other
- Realism is not a strict requirement

Example flags

- Not intended for use in current games
- Good examples of vulnerabilities that serve different purposes
- IIS Unicode exploit
  - https://www.kb.cert.org/vuls/id/111677
  - Nice vulnerability because it's very easy to understand
  - Requires no special tools or programming; use it right from your browser
- SQL injection
  - Get the application password stored in the database
- Hide an SSH server behind a nonstandard port
- Allow users to upload a program via a shared folder and then execute it via IIS CGI
- Decoy servers
- Found passwords are a great way to build one flag off the next
- Much more advanced
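The moderator duties on the "basic offensive CTF game" slide (validate flags, keep score, rank by time to complete or by highest score within the time limit) and the two chaining ideas above (flag files that combine into a larger message, and a found password that unlocks the next flag) can be handled by a small scorekeeping script. The one below is an added example written for this page; it is not code from the slides or from Monterey Technology Group or Symantec. The moderator secret, the flag names, the point values, the message fragments, the 180-minute limit and the team submissions are all constructed for the demo. Flag values are derived with an HMAC over the flag name, so the moderator can regenerate every flag file at setup time and verify submissions without keeping a plaintext list of flags on the scoreboard machine.

```python
"""CTF moderator toolkit: derive flag files, validate submissions, chain flags, keep score.
Added example for this page; all names and values are constructed, not from the slides."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample secret; a real moderator keeps this off the game images.
MODERATOR_SECRET = b"constructed-moderator-secret"


@dataclass(frozen=True)
class Flag:
    name: str                        # short id of the flag (hypothetical names below)
    points: int                      # score awarded on capture
    fragment: str                    # this flag's piece of the larger combined message
    requires: Optional[str] = None   # flag that must be captured first (chained flags)


def flag_value(name: str, secret: bytes = MODERATOR_SECRET) -> str:
    """Text written into the flag file for `name`; derived with HMAC-SHA256 so it can be
    regenerated for setup and verified later without storing the flags in the clear."""
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:16]
    return f"FLAG{{{name}:{tag}}}"


class Scoreboard:
    def __init__(self, flags: List[Flag], duration_minutes: int):
        self.flags = {f.name: f for f in flags}
        self.order = [f.name for f in flags]          # message fragments combine in this order
        self.duration = duration_minutes
        self.captures: Dict[str, Dict[str, int]] = {}  # team -> flag name -> minute captured

    def submit(self, team: str, candidate: str, minute: int) -> str:
        """Validate one submission and report why it was or was not accepted."""
        if minute > self.duration:
            return "closed"          # stop on time: late submissions do not count
        if not (candidate.startswith("FLAG{") and candidate.endswith("}") and ":" in candidate):
            return "rejected"
        name = candidate[5:-1].split(":", 1)[0]
        flag = self.flags.get(name)
        # constant-time comparison so a guessing team cannot time the check
        if flag is None or not hmac.compare_digest(candidate.encode(), flag_value(name).encode()):
            return "rejected"
        got = self.captures.setdefault(team, {})
        if name in got:
            return "duplicate"
        if flag.requires and flag.requires not in got:
            return "locked"          # chained flag submitted before its prerequisite
        got[name] = minute
        return "accepted"

    def score(self, team: str) -> int:
        return sum(self.flags[n].points for n in self.captures.get(team, {}))

    def finish_minute(self, team: str) -> Optional[int]:
        """Minute at which the team captured its last flag, or None if not all were captured."""
        got = self.captures.get(team, {})
        return max(got.values()) if len(got) == len(self.flags) else None

    def message(self, team: str) -> str:
        """The larger message the captured fragments spell out, in flag order."""
        got = self.captures.get(team, {})
        return " ".join(self.flags[n].fragment for n in self.order if n in got)

    def ranking(self) -> List[str]:
        """Finishers first, ordered by time to complete; everyone else by highest score."""
        def key(team: str):
            fin = self.finish_minute(team)
            if fin is not None:
                return (0, fin, -self.score(team))
            return (1, self.duration + 1, -self.score(team))
        return sorted(self.captures, key=key)


# Constructed demo game: four flags, the last two chained off the SQL injection flag
# (a password found in the database unlocks the hidden SSH target, which unlocks the next).
GAME = [
    Flag("web-traversal", 10, "THE"),
    Flag("sqli-password", 20, "QUICK"),
    Flag("hidden-ssh", 30, "BROWN", requires="sqli-password"),
    Flag("upload-exec", 40, "FOX", requires="hidden-ssh"),
]


def run_demo() -> Scoreboard:
    """Replay a constructed 180-minute game with two teams and return the final board."""
    board = Scoreboard(GAME, duration_minutes=180)
    board.submit("red", flag_value("web-traversal"), 20)
    board.submit("red", flag_value("hidden-ssh"), 35)        # locked: needs sqli-password first
    board.submit("red", flag_value("sqli-password"), 50)
    board.submit("red", flag_value("hidden-ssh"), 70)
    board.submit("red", flag_value("upload-exec"), 120)      # red finishes at minute 120
    board.submit("blue", flag_value("web-traversal"), 15)
    board.submit("blue", flag_value("sqli-password"), 40)
    board.submit("blue", "FLAG{hidden-ssh:0000000000000000}", 45)  # forged tag, rejected
    board.submit("blue", flag_value("upload-exec"), 200)     # after the time limit, closed
    return board


if __name__ == "__main__":
    b = run_demo()
    for team in b.ranking():
        print(team, b.score(team), b.finish_minute(team), b.message(team))
```

Because `finish_minute` is only set once every flag is captured, a team that captured many flags but not all of them still ranks below any finisher, matching the slide's primary "time to complete" rule, while the score tiebreak covers the "highest score within time" variant for games in which nobody finishes.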


Design your attacker client PCs

- Provide all necessary tools
  - Beginner
  - Short amount of time
  - If you want to follow a one-design approach
- Leave it to them to research, find and download
  - Advanced
  - Lots of time
- Provide Internet access?

Game day

- Lay ground rules
- Start on time
- Opening words
  - Review rules
  - Explain scoring
  - List prizes
- Begin competition
- Circle the room monitoring progress
  - Help lagging teams get unstuck with hints
  - Keep score
  - Make general announcements as necessary to keep the game on track
- Stop on time
- Award prizes
- Have a post game discussion
  - Lessons learned
  - What to change for the next game
- Survey


Capture the Flag: Bottom line

- Technical skills are a factor
- But mindset is the big thing
  - Understanding how attackers think and work
  - Start looking at your network from the outside-in
  - Confidence
- Planning
  - Resources
  - Hardware and software
- Coordination
  - Team travel and availability
- Setup
  - Very technical!
  - Creating the flags, and explaining them to participants, is the biggest challenge
  - Knowing how to give hints is also a challenge

Capture the Flag As a Service

- Get all the benefits of Capture the Flag without any of the pain
  - Planning
  - Hardware
  - Setup
  - Design
  - Teardown
  - Not even necessary to make it an event
  - Staff availability


Cyber Security: Simulation Platform

James Griffin (Jimmy), Stan Kiefer
Senior Managers, Product Management

Security Organizations are Fighting an Asymmetric Battle

Security organizations:
- Cybersecurity is the top IT skills shortage for the 4th year in a row*
- Staff unproven; lack of hands-on experience with a breach
- Organizations are never certain of cyber readiness

Attackers:
- Seemingly limitless resources
- Sophisticated, multistage attacks
- Attacker tactics constantly morphing

* ESG's annual global IT Spending Intentions survey has shown a problematic shortage of cybersecurity experts as the top IT skills shortage for four years in a row.
http://www.esg-global.com/research-reports/2015-it-spending-intentions-survey/

Copyright 2015 Symantec Corporation


Security Simulation Strengthens Cyber Readiness

- Engaging, immersive security training through gamification
- Cloud-based, virtual training experience
- Live-fire simulation of multi-staged, advanced targeted attack scenarios
- Players assume the identity of their adversaries to learn motives, tactics and tools


Think Like Your Attacker

Attacker profiles:
- Hacktivist: wants notoriety, attention
- Cyber Criminal: motivated by money
- Cyber Espionage: seeking Intellectual Property for profit
- Cyber War Crimes: politically motivated, nation states, looking to gain advantage

Attack stages (what they're trying to steal, and how they stole it):
- Reconnaissance
- Incursion
- Discovery
- Capture
- Exfiltration

Real-world Attack Scenarios

Mission: Breach & Steal Information

Scenarios:
- Scenario 1: The EDC and RKI
- Scenario 2: The Coffee Shop Hack
- Scenario 3: EDC and the Lost Laptop
- Scenario 4: Forensics Examiner Mishandles Evidence

Skills:
- Ethical hacking
- Penetration Testing
- Forensics

Methods:
- Identify targets
- Compromise network and systems
- Data exfiltration
- Blend attacks
- Exfiltrate data

Assess and Advance Your Team

Implement Skill Assessment and Development Programs
- Cycle: Participate / Learn -> Assess skills -> Create development plan -> Assess progress
- Focus on security strategy and tactics, techniques and procedures (TTP)
- Manual and automated skills assessment and performance analysis
- Prescriptive guidance for skill set development
- Conduct iterative skill development programs for continuous learning

Identify Organizational Gaps
- Identify skills requirements for individuals and organizations
- Identify gaps in team coverage
- Assess skills of potential job candidates, new hires and existing employees

Demo
