The MidAtlantic Collegiate Cyber Defense Competition (MACCDC) is one of the many regional CCDCs, and it includes an aspect few of the others do: law enforcement and investigations. For those unfamiliar with CCDCs, they are live network security competitions in which schools face off against each other, and against a red cell of pentesters, to build and maintain a secure network. While fending off attacks, the teams are responsible for standing up new servers and services and for performing business operations, such as running database queries for a business need. If that database is misconfigured, or has been hijacked by Red Team, the query cannot be performed and the team suffers major score losses.
There are multiple regional CCDC competitions across the country as well as the National CCDC, where the winners of each regional face off against each other. While each regional follows the same competition structure, each can make slight adjustments to how it determines a winner. A law enforcement (LE) component was built into MACCDC years ago as a way to expose competitors to the unique and frustrating challenge of fully documenting an attack.
In many competitions, schools practice being extremely responsive to attacks and, in many cases, aggressive in their responses, removing an adversary as quickly as possible. While that effort is commendable, it is only part of what a real-world security team is expected to do. In the event of a compromise, theft of data, or denial of service attack, corporate senior leadership will not be content with a message of "We were attacked, it's been fixed."
Questions will arise:
- Who attacked us?
- How did they get in?
- What did they steal?
- How long ago did they get in?
- Are they still there?
- Is this an attack also seen by industry partners?
Therefore, the role of MACCDC LE is to give students the resources necessary to collect this evidence and to document the incident in a report that adequately describes the attack. Additionally, though infrequently, a well-written incident report that clearly and accurately describes an attack, includes full logs showing where the attack came from, and notes the exact times of the attack can lead Exercise Control to authorize a firewall block and a possible "arrest" of the Red Teamer involved.
Attacks are documented using a standard form that is supplied to the students at the start of the competition: the US Secret Service Incident Response Form 4017. This form is used in actual law enforcement investigations, and it was chosen because it covers a wide enough range of scenarios to fit every attack Red Team uses.
In recent years, each team competing in MACCDC has been required to complete at least two incident response forms by the end of the competition. There is no limit to the number that can be submitted, but each form takes time away from other duties, and each is graded on its "worthiness" to law enforcement. Teams are then left to document any incident of their choosing with as much detail as they can.
Teams that struggle often limit themselves to reports on mere suspicions of an attack. They see errant log entries, or information that doesn't look right, and immediately jump into IR mode. After 30 minutes of detailing the log entries, they learn how hard it is to prove an attack to law enforcement.
LE scores each team's submissions in a number of categories, for a total of 140 points. These include 10 points in each of the following categories:
- Attack clearly defined
- Scope of attack clearly defined
- Time window clearly defined
- Source of attack identified
- Delivery mechanism identified
- Damage assessment provided
- Remediation efforts explained
- Appropriate evidence provided
- Timeliness of report
- Clarity of submission
- Clear handwriting and presentation
- Understandable grammar
- Accuracy of report
Based on these categories, here are some pitfalls and suggestions for teams:
Who attacked us?
It's easy to say "The Red Team over in the next room attacked us", but can you identify exactly who it was? Can you provide IP addresses that are unique to a particular attacker or subset of attackers?
Can you prove the attack and actions taken?
Do you have the evidence of the attack stored? Are there logs or screenshots available? Are they in a form that can be handed to law enforcement? If not, then you have no evidence of the attack. Some teams scramble to transcribe logs as quickly as possible, while others take screenshots and copy log files to a separate system. In the latter case, we stop by with a USB drive, collect the data, and review it along with the incident report. The best course of action is to start collecting logs as soon as you see signs of an attack, before they are erased by Red Team. Toward the end of the competition, when Red Team becomes more brazen, it becomes even more important for Blue Teams to take screenshots. After all, how do you appropriately describe literal ghosts following your cursor on the screen, or your Exchange server being replaced with a flying nyan cat? That is also the time when Red Teamers often get lax in OPSEC, making connections from their raw systems, using their personal handles in their attacks, or bragging about them on Twitter.
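As an added example (not part of the original post, and not a MACCDC tool), the following shell script does the "copy logs to a separate system" step in a way that LE can later trust: it copies the files with their original timestamps, records who collected them and when, and writes a SHA-256 manifest so any later change to the copy is detectable. The log directory, evidence directory and the sample auth.log lines are all constructed for the example; on a real host point it at /var/log and at removable or remote storage.

```shell
# Added example: preserve logs with a hash manifest before Red Team wipes them.
# Paths are hypothetical; point SRC at the real log directory and DEST at
# separate storage (a USB drive, another host) so the copy outlives the box.
collect_evidence() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    # Who collected what, when, and from where: the first thing LE asks about a file.
    {
        echo "collected_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "collected_by=$(id -un)"
        echo "host=$(uname -n)"
        echo "source=$src"
    } > "$dest/COLLECTION.txt"
    # cp -p keeps the original timestamps; a copy with fresh mtimes throws away
    # the "when" that the time-window score depends on.
    for f in "$src"/*; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/"; fi
    done
    # Hash every file so later alteration, hostile or accidental, is detectable.
    (cd "$dest" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + | sort > MANIFEST.sha256)
}

# Exit status 0 if every hashed file is unchanged, non-zero otherwise.
verify_evidence() {
    (cd "$1" && sha256sum --status -c MANIFEST.sha256)
}

# Constructed demo: a throwaway log directory with two sample sshd lines (not real data).
demo=$(mktemp -d)
mkdir -p "$demo/logs"
cat > "$demo/logs/auth.log" <<'EOF'
Mar 24 14:02:11 web01 sshd[4121]: Failed password for root from 10.20.30.40 port 51022 ssh2
Mar 24 14:02:13 web01 sshd[4121]: Accepted password for root from 10.20.30.40 port 51022 ssh2
EOF
collect_evidence "$demo/logs" "$demo/evidence"
verify_evidence "$demo/evidence" && echo "evidence copy verified"
```

Run verify_evidence again when the drive is handed over and when the report is reviewed; a non-zero exit means the copy no longer matches what was collected and should not be relied on.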
Can you prove that the actions were malicious activity by an adversary and not the mistakes of an insider? "This is my team, we didn't do that." That's what they all say; prove it to me. Guess what? As LE, we can just go have a casual, off-the-record chat with Red Team and verify whether they did the attack. Can you prove that it came from a very specific IP address, and that the IP is unique to an adversary and not to something like Scorebot?
Can you identify the source and delivery of an attack?
For Windows, can you find events in the Security event log that show signs of access, such as Event ID 4624 logons of type 10 (RemoteInteractive, i.e. RDP sessions) and type 3 (Network, such as a connection to a shared CIFS/SMB folder)? The ShimCache (AppCompatCache) lives in the SYSTEM hive and is only written out to disk at shutdown, so a Windows server that has just come back from a reboot has a freshly stored copy containing the paths and last-modified times of executables seen on the system. Note that on Windows 10 and later an entry no longer carries an execution flag, so treat it as evidence that the file was present, not proof that it ran.
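An added example of triaging those logon events (not code from the original post). Assume the 4624 events have already been exported from the Security log into the CSV layout shown, which is constructed for this example; a real wevtutil or Get-WinEvent export needs its XML fields mapped into these columns first. The script keeps only type 3 and type 10 logons, drops the scoring engine's address (172.16.0.5 here, an assumed value) so its checks are not mistaken for an attack, and prints one line per source IP, logon type and account with a count and the first and last times seen, which is exactly the "who, how, and when" the form asks for.

```shell
# Added example: summarise exported 4624 events by source, logon type and account.
# Constructed sample export (not real data). Column layout is assumed for this example.
work=$(mktemp -d)
cat > "$work/security_4624.csv" <<'EOF'
TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2024-03-24T14:01:02Z,4624,3,svc_score,172.16.0.5
2024-03-24T14:01:09Z,4624,10,Administrator,10.20.30.40
2024-03-24T14:03:44Z,4624,2,jsmith,-
2024-03-24T14:05:12Z,4624,3,Administrator,10.20.30.40
2024-03-24T14:06:30Z,4624,3,svc_score,172.16.0.5
2024-03-24T14:07:01Z,4624,3,Administrator,10.20.30.40
2024-03-24T14:09:58Z,4624,10,backupadm,10.20.30.41
EOF

# One line per (source IP, logon type, account): count, first seen, last seen.
# Logon type 10 = RemoteInteractive (RDP), 3 = Network (SMB shares, WinRM, ...).
# Type 2 (local console) is skipped; the scorebot address is excluded by $2.
remote_logon_summary() {
    csv="$1"; scorebot="$2"
    awk -F, -v skip="$scorebot" '
        NR > 1 && $2 == 4624 && ($3 == 3 || $3 == 10) && $5 != skip {
            key = $5 " type" $3 " " $4
            count[key]++
            if (!(key in first)) first[key] = $1
            last[key] = $1
        }
        END { for (k in count) print k, count[k], first[k], last[k] }
    ' "$csv" | sort
}

remote_logon_summary "$work/security_4624.csv" 172.16.0.5
```

The output gives, per source address, a count plus a first-seen and last-seen timestamp, which is the time window the graders look for; a source that is not the scorebot and not one of your own workstations is what you put on the form.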
Can we make our indicators shareable?
In recent years we have experimented with ways to bring threat intel into the competition, including methods for sharing indicators. As each team represents a business in the same industry as the others, there is an expectation of shared attackers targeting their vertical. In the past we have made use of notifications similar to the FBI Flash Alerts: if a specific indicator or TTP is identified by at least two teams, a high-level description of that TTP is provided to all teams.
Tools for analysis
CCDC events place great restrictions on the software that can be used in competition. However, most tools that are needed are already on the system or available as open source. In the field, one's best tools are simply grep and awk. grep will be used continually to find entries in log files, and works best with the -A, -B, and -C options, which, in order, show N lines after the match, N lines before the match, and N lines on both sides of the match. Windows has findstr.exe for the searching part, although it has no context options; PowerShell's Select-String -Context N does.
Use ls to see times. Move beyond that. Use stat to see all the metadata for a given file: modification (mtime), change (ctime) and access (atime) times, plus owner, mode and inode. Use find in creative ways to watch for attacks. find ~/ -type f -mtime -1 will quickly show any files modified within the last day, while find /etc -type f -cmin -10 will show every file under /etc whose inode was changed within the last 10 minutes. ctime, not creation time, is what -cmin tests: it is updated by permission and ownership changes as well as content writes, and unlike mtime it is not reset by touch, so a file an attacker has backdated still stands out.