<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Blogging the NECCDC</title>
	<atom:link href="http://isisblogs.poly.edu/2008/02/29/pre-neccdc/feed/" rel="self" type="application/rss+xml" />
	<link>http://isisblogs.poly.edu/2008/02/29/pre-neccdc/</link>
	<description>Information Systems and Internet Security</description>
	<pubDate>Thu, 24 Jul 2008 01:33:26 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
		<item>
		<title>By: Brad Schonhorst</title>
		<link>http://isisblogs.poly.edu/2008/02/29/pre-neccdc/#comment-212</link>
		<dc:creator>Brad Schonhorst</dc:creator>
		<pubDate>Wed, 05 Mar 2008 04:22:56 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2008/02/26/pre-neccdc/#comment-212</guid>
		<description>Quote of the Weekend

"The first thing to do is yank the cord and slap a pix on it." -Cisco Rep in regards to the start of a Computer Defense competition.

Our crew from ISIS found this particularly amusing as none of us are IOS experts and the first thing we did was get rid of the Cisco equipment.  We were given a router, switch, and Pix firewall.  Many of the most successful attacks this weekend were against Cisco products.  To be fair, 2-3 members of the red team came from Cisco and clearly knew lots of tricks to gain and keep access to Cisco gear.</description>
		<content:encoded><![CDATA[<p>Quote of the Weekend</p>
<p>&#8220;The first thing to do is yank the cord and slap a pix on it.&#8221; -Cisco Rep in regards to the start of a Computer Defense competition.</p>
<p>Our crew from ISIS found this particularly amusing as none of us are IOS experts and the first thing we did was get rid of the Cisco equipment.  We were given a router, switch, and Pix firewall.  Many of the most successful attacks this weekend were against Cisco products.  To be fair, 2-3 members of the red team came from Cisco and clearly knew lots of tricks to gain and keep access to Cisco gear.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Schonhorst</title>
		<link>http://isisblogs.poly.edu/2008/02/29/pre-neccdc/#comment-201</link>
		<dc:creator>Brad Schonhorst</dc:creator>
		<pubDate>Mon, 03 Mar 2008 15:05:57 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2008/02/26/pre-neccdc/#comment-201</guid>
		<description>I was one of the participants this weekend and thought I would provide an overview of the competition from my perspective.  The fun started on Friday when we were thrown into the role of a newly hired InfoSec team for a mid-sized company.  We were given a network to manage with several servers and workstations that all 'worked' but had lacked proper configuration and security best practices for some time.  Our job was to clean up the mess while maintaining our publicly facing internet services.

As we began to familiarize ourselves with the network, two XP workstations got owned up right away.  It was very cool to see the effects of &lt;a href="http://www.coresecurity.com/?module=ContentMod&#038;action=item&#038;id=540" rel="nofollow"&gt;Core Impact&lt;/a&gt; and how quickly it can hammer away at a network.  On our end, we noticed network connection issues on one of the XP machines and got some ugly output from ipconfig and soon the machine rebooted.  The other workstation was not far behind and rebooted before we had a chance to deal with it.

We had decided earlier, prior to the competition, that we should get rid of the provided router and firewall and replace them with a &lt;a href="http://www.freebsd.org" rel="nofollow"&gt;FreeBSD&lt;/a&gt; box.  This was much trickier than it sounds because one of the many rules of the competition was that no workstation could use two network cards.  Despite each machine coming with two ethernet ports, we were told we could not use more than one, even if we sacrificed a second workstation to consolidate the NICs.  Luckily we had Boris on our side, a FreeBSD expert who had heard about &lt;a href="http://en.wikipedia.org/wiki/Stub_router" rel="nofollow"&gt;stub routing&lt;/a&gt; and was excited to try it.  He was able to set up a router/packet filter/server with all traffic entering and leaving a single physical network interface.

Not long after we made the router change, our switch began to drop ports in and out of service.  We found out later that the attackers gained access using a default password (&lt;a href="http://failblog.wordpress.com/2008/02/28/hedgefail/" rel="nofollow"&gt;duh&lt;/a&gt;) and were in the process of uploading an older version of the firmware which would provide more vulnerabilities for them to regain access in the future.  We noticed some ports drop off and decided to power cycle the switch.  Unfortunately, the reboot happened to occur in the middle of the attackers' IOS downgrade and because the upload had not finished, the switch was bricked.  We didn't quite put together what happened for quite some time and all had a chance to research the IOS command line.  Finally, we were able to get a new piece of hardware to replace it after the judges were convinced we were not going to be able to reload it within the constraints of the competition.  Yes, we changed the password on this one right away.

With the switch down most of the evening, we lost points for having all of our services unavailable.  In the down time we were able to start offloading many of the services on the servers to the FreeBSD box and continue hardening the other hosts on our network.

Saturday was a much better day for the ISIS team.  The FreeBSD machine was properly filtering all the traffic and hosting most of our services.  We gradually moved more services over to the BSD box which freed up some of the other machines which could be retasked.  By the end of the day, all of our services other than one e-commerce site, a chat server and AD controller were being served up on the single system.  Had the competition gone on longer, now would have been the time to replicate it on another box to help mitigate the risk this single point of failure introduces.

We continued through Sunday without many other issues which freed us to focus on the various “Business Injections” or memos with work to do from our "virtual CEO."   These ranged from adding new users to dealing with the sudden loss of hardware.  Additionally, any time we observed an attack we could score points for developing an incident report.

Overall, NECCDC provided an interesting weekend looking at systems administration and some of the security issues involved with managing a network.  The competition definitely was longer than it needed to be.  We started Friday afternoon at 1 and were told to step away from the keyboards at 7.  Saturday started at 9 and ended again at 7 with a lunch break.  Sunday, the network was active from 9 to 12:30 and by this time, our network was in such good shape we were reading Slashdot and hoping for some more interesting attacks.

In addition to the live network attacks we were tasked with various reports to write.  We managed to stay up until 3 finalizing business security policies and incident reports.  Next year, I would like to see the competition compressed into a day and a half.  NECCDC would be just as effective if we played all day Saturday and then wrote and handed in policies/reports/budgets on Sunday.  This would definitely ease the travel for out-of-town competitors like those of us from NYC and the team that came down from Vermont.

I definitely appreciated the experience and enjoyed meeting some new faces.  Thanks to RIT and everyone who made the competition happen!</description>
		<content:encoded><![CDATA[<p>I was one of the participants this weekend and thought I would provide an overview of the competition from my perspective.  The fun started on Friday when we were thrown into the role of a newly hired InfoSec team for a mid-sized company.  We were given a network to manage with several servers and workstations that all &#8216;worked&#8217; but had lacked proper configuration and security best practices for some time.  Our job was to clean up the mess while maintaining our publicly facing internet services.</p>
<p>As we began to familiarize ourselves with the network, two XP workstations got owned up right away.  It was very cool to see the effects of <a href="http://www.coresecurity.com/?module=ContentMod&#038;action=item&#038;id=540" rel="nofollow">Core Impact</a> and how quickly it can hammer away at a network.  On our end, we noticed network connection issues on one of the XP machines and got some ugly output from ipconfig and soon the machine rebooted.  The other workstation was not far behind and rebooted before we had a chance to deal with it.</p>
<p>We had decided earlier, prior to the competition, that we should get rid of the provided router and firewall and replace them with a <a href="http://www.freebsd.org" rel="nofollow">FreeBSD</a> box.  This was much trickier than it sounds because one of the many rules of the competition was that no workstation could use two network cards.  Despite each machine coming with two ethernet ports, we were told we could not use more than one, even if we sacrificed a second workstation to consolidate the NICs.  Luckily we had Boris on our side, a FreeBSD expert who had heard about <a href="http://en.wikipedia.org/wiki/Stub_router" rel="nofollow">stub routing</a> and was excited to try it.  He was able to set up a router/packet filter/server with all traffic entering and leaving a single physical network interface.</p>
<p>Not long after we made the router change, our switch began to drop ports in and out of service.  We found out later that the attackers gained access using a default password (<a href="http://failblog.wordpress.com/2008/02/28/hedgefail/" rel="nofollow">duh</a>) and were in the process of uploading an older version of the firmware which would provide more vulnerabilities for them to regain access in the future.  We noticed some ports drop off and decided to power cycle the switch.  Unfortunately, the reboot happened to occur in the middle of the attackers&#8217; IOS downgrade and because the upload had not finished, the switch was bricked.  We didn&#8217;t quite put together what happened for quite some time and all had a chance to research the IOS command line.  Finally, we were able to get a new piece of hardware to replace it after the judges were convinced we were not going to be able to reload it within the constraints of the competition.  Yes, we changed the password on this one right away.</p>
<p>With the switch down most of the evening, we lost points for having all of our services unavailable.  In the down time we were able to start offloading many of the services on the servers to the FreeBSD box and continue hardening the other hosts on our network.</p>
<p>Saturday was a much better day for the ISIS team.  The FreeBSD machine was properly filtering all the traffic and hosting most of our services.  We gradually moved more services over to the BSD box which freed up some of the other machines which could be retasked.  By the end of the day, all of our services other than one e-commerce site, a chat server and AD controller were being served up on the single system.  Had the competition gone on longer, now would have been the time to replicate it on another box to help mitigate the risk this single point of failure introduces.</p>
<p>We continued through Sunday without many other issues which freed us to focus on the various “Business Injections” or memos with work to do from our &#8220;virtual CEO.&#8221;   These ranged from adding new users to dealing with the sudden loss of hardware.  Additionally, any time we observed an attack we could score points for developing an incident report.</p>
<p>Overall, NECCDC provided an interesting weekend looking at systems administration and some of the security issues involved with managing a network.  The competition definitely was longer than it needed to be.  We started Friday afternoon at 1 and were told to step away from the keyboards at 7.  Saturday started at 9 and ended again at 7 with a lunch break.  Sunday, the network was active from 9 to 12:30 and by this time, our network was in such good shape we were reading Slashdot and hoping for some more interesting attacks.</p>
<p>In addition to the live network attacks we were tasked with various reports to write.  We managed to stay up until 3 finalizing business security policies and incident reports.  Next year, I would like to see the competition compressed into a day and a half.  NECCDC would be just as effective if we played all day Saturday and then wrote and handed in policies/reports/budgets on Sunday.  This would definitely ease the travel for out-of-town competitors like those of us from NYC and the team that came down from Vermont.</p>
<p>I definitely appreciated the experience and enjoyed meeting some new faces.  Thanks to RIT and everyone who made the competition happen!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: xtrat</title>
		<link>http://isisblogs.poly.edu/2008/02/29/pre-neccdc/#comment-173</link>
		<dc:creator>xtrat</dc:creator>
		<pubDate>Sat, 01 Mar 2008 08:06:36 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2008/02/26/pre-neccdc/#comment-173</guid>
		<description>Just a little note to say I am here -- finally!  After three train engines and 9 hours of travel, I have made it to RIT... Well, the hotel.  I am also happy to report that after Dan deauth'n the whole hotel to "fix" the mystery problems with the hotel wireless, the network actually does seem to be working fine.  Unfortunately, from what I have heard, that is more than can be said about our competition network... Well, tomorrow (urr, today) is a new(ish) day.</description>
		<content:encoded><![CDATA[<p>Just a little note to say I am here &#8212; finally!  After three train engines and 9 hours of travel, I have made it to RIT&#8230; Well, the hotel.  I am also happy to report that after Dan deauth&#8217;n the whole hotel to &#8220;fix&#8221; the mystery problems with the hotel wireless, the network actually does seem to be working fine.  Unfortunately, from what I have heard, that is more than can be said about our competition network&#8230; Well, tomorrow (urr, today) is a new(ish) day.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
