This past week, I had the opportunity to attend the SANSFire 2017 event in Washington, D.C. where I took the SEC 560: Network Penetration class. This continues work that I started with my taking the SEC 401: Security Essentials Bootcamp and DEV 534: Secure DevOps classes in December 2016.
This training comes on the heels of my move in late 2016 into applying my open source software development passion to the world of CyberSecurity. This is not an area that I had a lot of experience with, nor is it a pairing that is often made, but I’ve found some significant opportunities at their intersection.
Cyber Defense NetWars
One of the things I learned about the SANS events a bit too late when I attended Cyber Defense Initiative 2016 was the NetWars events held on Thursday and Friday night. These are 3 hour each events which allow attendees to test their skills against crafted environments, set up and run by the SANS penetration testing staff.
At CDI 2016, partially due to the fact that SEC 401 is a bootcamp course (classes run until 19:00) and partially because of my interest in several of the SANS@Night talks, I didn’t end up even poking my head into the event until the second night, where I mostly hung out chatting with the two TA’s from my SEC 401 course, but who encouraged me to give it a shot.
I actually did end up starting down the path to get set up and participate… with 20 minutes left to the event. Turns out that wasn’t even enough for me to get the environment set up and to join in. But it left a taste for the event.
When I was checking in for the SANSFire 2017 event therefore, I made sure to ask about attending the event. Unfortunately, the Core NetWars registration was full already! Not wanting to miss out on an opportunity, I took a look at the other two NetWars events scheduled, DFIR (@TODO: Find acronym expansion… “Digital Forensics and Incident Response” ?) and Cyber Defense. Not really knowing much about the forensics side of things, but with a professional role including Cyber Defense, I signed up for that event.
Showing up Thursday night for the NetWars was like getting thrown under a waterfall initially. Approximately 80 attendees had turned out for the event, filling the smaller room that we were in. Having never attended a NetWars event, I wasn’t entirely sure how to get set up initially, but thankfully the provided USB contained the information I needed to get started. In a different world though, it would have been beneficial to have gotten that USB in advance because…
One thing that immediately set me back a bit was the need to have a Windows 10 environment ready to go. I ended up taking a snapshot of the VM that I was using for my SEC 560 class and using that for the NetWars events, but had a bit of difficulty in that my VM had some strange restrictions (e.g. no Powershell help manuals, strange restrictions and tools disablements, etc) from the way it was setup for SEC 401 when I originally created it. Eventually I was able to get that VM up and going, in time for it’s use in level 3.
Having never participated in a NetWars, I quickly learned that the setup is that there are multiple levels (in this case four) and that each question answered provided points which allowed you to advance. One thing that I hadn’t realized initially was that you actually don’t need to answer ALL of the questions in a given level in order to advance, instead you simply needed to have accrued enough points. Most questions were worth 10 points, while a few were worth 15 or 20. To advance from level 1 -> 2 you needed 100 points, level 2 -> 3 you needed 200 points, and 3 -> 4 required 300 points.
The first two levels were fairly straight forward, with questions about getting information from logs, looking for particular data that a cyber blue team would need to determine what had occurred during some sort of intrusion. These provided hints to point you in the right directions, three per question, with the final hint essentially giving you the answer to the problem at hand. I personally found these levels fairly straightforward
By the time you get into level 3 though, things started to slow down. We started to work more on the network traffic side of things, leveraging both Linux and Windows systems to investigate simulated ransomware and phishing attacked, both from the Network Security Monitoring (NSM) and Continuous Security Monitoring (CSM) sides. The NSM work mainly leveraging Linux tools such as squil (which I’d never used before) and Wireshark / tshark. On the CSM side, we were using Windows tools like Windows EventLog and Powershell to dig information out of specific host systems.
The NSM side of things definitely came more easily for me, one because we were working in Linux and two because I already had some familiarity with Wireshark. The CSM side in Windows gave me a bit of trouble, not least of which I think was due to system configuration challenges. But eventually I was able to start getting some traction in both.
I ended up finishing the night out ranked #8 out of ~ 80 participants, so despite not really going in with any aspirations specifically to win, I started to think that maybe I had an actual shot. Overall though I was excited to have been doing something different and challenging; learning many new techniques and bits of information as I worked my way through the various problems
Towards the end, the instructors running the event mentioned that there were participants at previous events that had continued to work on the problems at their present level after the event had wrapped at the end of the find. Some staying up until 04:00 to keep working on the exercises. Of course, there was no way for them to know if their answers were correct, but it did make for an interested opportunity. Not wanting to miss out, and to give myself some breathing room to learn more about the tools and techniques, I ended up opting to leverage this information, and while I didn’t quite make it to 04:00 (only 03:30) I did manage to come up with answers to an additional 12 questions in level 3 (~ 8 of which were correct).
This put me in pretty good standing for the event, though clearly others had taken the same advice, and I ended up slipping down to around #10, though with some wavering of that rank thrown in. I ended up slowly crawling my way up, eventually getting to a score of @TODO and
- Finishing at #8 at the end of Thursday
@TODO – Add picture from end of night 2 (specifically the score board).
Working until far too late… 03:30
Finishing at #6
- Last minute surge by team players
My first challenge coin!
- Guess I should probably take a blue team class now ;)
Text on one side:
“I am the watcher on the walls”
And on the other:
“I am the sword in the darkness”