Look Ma…I’m on the Red Team

by kriggins on April 13, 2008

in Security testing

Imagine

You're sitting in a dark room, the only light is that coming off your computer screen. You have found a tasty looking website that you are pretty sure has some significant vulnerabilities that you can exploit. You carefully probe the system and yes, the application has a vulnerability that hasn't been patched. You fire off an exploit and all of a sudden you have a remote shell on their system. But wait, it's an account with limited permissions. Darn! Okay, how about local privilege escalation. Sure enough, the kernel is not up to date. Another exploit is fired off and BOOM you have root. You have successfully p0wned the system. Now it's time to figure out how to make some money with the what you have, right? WRONG!!!!!

Cyber Defense Competitionhttp://www.flickr.com/photos/mdpettitt/1059997337

You have just achieved what you believe to be your goal as a member of the Red Team during a Cyber Defense Competition.

A Cyber Defense Competition is a competition where teams compete to see who can best fight off a bunch of hackers and maintain service availability in the process. Actually, not really hackers. The "hackers" are experienced, and sometimes not so experienced, volunteers who play the part of hackers. This is the Red Team. These competitions can go from intra-organization events all the way up to national competitions. This is the website for the National Collegiate Cyber Defense Competition. I could go into a lot more detail about what a CDC is and how they are setup, but that is not really why I am writing today.

Why are you participating on the Red Team?

This weekend I had an enjoyable Twitter conversation with @leighhollowell and @AJolly about CDCs. During the course of that conversation I was struck by several comments that gave me the impression that the team participants often come away from a competition without useful feedback from some of the teams, particularly the Red Team. That's why you are reading this note if you have made it this far :)

The first time I had the opportunity to be on a Red Team, I thought "Cool, I get to be a hacker and can't get in trouble for it. All I have to do is show up and hack away." And that is what I did. Bad me and bad you if that is why you decide to be on a Red Team.

The purpose of the Red Team is not to give the members an opportunity to get their jollies by beating up on the teams. Yes, that is your role for the competition, but that should not be your purpose for being there.

Why should you be participating on the Red Team?

I feel a CDC should be a learning experience for the folks who participate on the teams. As such, it behooves you as a member of the Re d Team to help educate the participants.

I can hear your thoughts now, "How can I do that? I'm not a teacher." Actually, you are and it it isn't even hard. You can help educate by showing the thought processes you used to gain control of the systems you attack, by showing how they could have implemented controls that would have better protected the systems, and by trying to give them some insight into how the "hacker" mind thinks. These types of things are helpful and believe it or not educational to the folks you are working against in the competition.

Just knowing that x service got hacked doesn't help them learn, knowing how and why and what they can do in the future to stop it getting hacked does.

Okay, maybe I can be a teacher. What are some ways to do that?

We've, or at least I've, established what the Red Team's real purpose is. Not to hack, but to educate. So how do we do that. Here are a few things that can provide that extra bit to the teams:

  1. Keep good notes - It's real easy to get caught up in the moment and justTeacher start banging away. Try to resist doing so. Stop and write things down. Yes, it isn't sexy, but it sure is helpful. Also, provide those notes to the teams. They are a great way to show what your thought processes were when you were attacking their systems.
  2. Write down remedies - When you are successful at exploiting a system, write down how the team could have protected themselves. Again, it is very helpful for the team members to know how they could have protected themselves. If there was no way for them to have avoided getting hacked, i.e. 0-day, that is also helpful for them to know.
  3. Attend the debrief - Don't just go for the fun part. Stay and talk to the teams. If there isn't a formal debrief, try to take few minutes to talk to the teams. Tell them what they did right and show them what they could have been done better.

Doing these three things will turn being on the Red Team into a great opportunity to educate a group of people who may be the folks protecting your retirement accounts some day :)

Thanks for staying with me this long. I am really interested in your experiences as CDC participants, both as defenders or attackers. Feel free to leave a note in the comments or email me at kriggins _at_ infosecramblings.com.

Kevin Riggins

Previous post:

Next post: