Post-Mortem CCDC 2016: Words of advice for blue team students

This was my second year attending the Minnesota regional Collegiate Cyber Defense Competition. As a veteran of the competition it was my place to help my team prepare. Looking back on the event left me with these words of advice.

Operations

There are a few matters of logistics to prepare beforehand.
For the 2016 event we prepared printed documentation as a team playbook. The document included:

  • Event details
  • Cheat sheets of commands for Linux, Windows, and network administration
  • Checklist of high priority tasks
  • Important system files with descriptions
  • Network topology and address table
  • Password scheme

In addition to our print documentation, on the day of the event we shared a GitHub repository developed during practice. Our team repository can be found at https://github.com/Ohelig/ccdcfiles under our team captain's username.

Git traffic will need to be explicitly allowed through the firewall. Through Git we were able to gather shell scripts for individual machines. Members from the previous year contributed Linux commands from experience. Using Git was a huge improvement over the FTP we used in years before.

Professionalism is the extra 10% your team needs to win. Prepare your resumes before you have access to labs and have them peer reviewed.

Business injects are the second topic of professionalism. Have memorandum templates prepared for responding to tournament officials. Consider a team role for technical communication, staffed by someone who can also manage a Windows machine. Time management is required to complete tasks on time.

Networking

It is important to have rock-solid firewall rules that block everything by default; this is the opposite of the default rules the Palo Alto is provided with.

Services are more important than security. DNS should be understood by everyone on the team, because it is necessary for operations. Services such as FTP, SMTP, and HTTP are scored heavily. Practice configuring your services until you can have them running within an hour of a reset.
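A scoring engine does not just check that a port is open; it checks that the service answers like the real thing. The checker below is an added example for this post (not code from the team repository): it opens each scored TCP service, sends a request where the protocol needs one, and verifies the reply prefix (FTP and SMTP greet with a 220 line, HTTP answers a GET with an "HTTP/1." status line). The hosts and ports in the plan are assumptions; replace them with the address table from the playbook. The throwaway listener at the bottom exists only so the checker can be exercised without a real server.

```python
"""Scored-service checker for a CCDC blue team box (added example, not the
post's or the team's own code). Hosts, ports and expected replies are
assumptions drawn from the protocols themselves."""
import socket
import threading

# What to send (if anything) and what the first bytes of the reply must be.
PROTOCOLS = {
    "ftp":  (b"", b"220"),
    "smtp": (b"", b"220"),
    "http": (b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n", b"HTTP/1."),
}


def probe(host, port, send=b"", expect=b"", timeout=3.0):
    """Connect over TCP, optionally send a request, and check the reply prefix.

    Returns (ok, detail): detail is the first reply line on success or the
    reason on failure. A port that accepts the connection but answers with
    something else (a red-team shell parked on 80, say) is reported as down.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if send:
                sock.sendall(send)
            data = sock.recv(512)
    except OSError as exc:
        return False, "connect/read failed: %s" % exc
    if not data.startswith(expect):
        return False, "unexpected reply: %r" % data[:40]
    return True, data.split(b"\r\n", 1)[0].decode("ascii", "replace")


def check_services(plan, timeout=3.0):
    """Run every (name, host, port, protocol) entry; return name -> (ok, detail)."""
    results = {}
    for name, host, port, proto in plan:
        send, expect = PROTOCOLS[proto]
        results[name] = probe(host, port, send, expect, timeout)
    return results


def serve_reply_once(reply, read_first=False):
    """Throwaway listener on 127.0.0.1 that answers one connection with `reply`
    (reading the client's request first if read_first). Returns the port.
    Only here so the checker can be tested without a real service."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def handle():
        conn, _ = lsock.accept()
        with conn:
            if read_first:
                conn.recv(1024)
            conn.sendall(reply)
        lsock.close()

    threading.Thread(target=handle, daemon=True).start()
    return lsock.getsockname()[1]


if __name__ == "__main__":
    # Assumed scored hosts for a practice run; use the playbook's address table.
    PLAN = [
        ("ftp",  "10.0.20.5", 21, "ftp"),
        ("smtp", "10.0.20.6", 25, "smtp"),
        ("http", "10.0.20.5", 80, "http"),
    ]
    for name, (ok, detail) in check_services(PLAN).items():
        print("%-5s %s  %s" % (name, "UP  " if ok else "DOWN", detail))
```

Run it from cron or a loop every couple of minutes on a box that is allowed to reach the scored services; a DOWN line a minute after a change tells you which reboot or config edit broke scoring before the scoreboard does.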

Palo Alto provides an amazing firewall, but it is very different from what most assume. Palo Alto's virtual firewall is unlike traditional firewalls, where ports are allowed or denied. By performing heuristics on network traffic, it can categorize applications without depending on port configurations. Become friends with non-standard ports. You can download my rules as a starting point for securing your network.
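The practical difference shows up in how a rule is written. The fragment below is an added example in PAN-OS configuration-mode CLI syntax, not the rule set the post refers to; the zone names (untrust, dmz), address objects, addresses and rule names are assumptions, and the lines starting with # are explanation rather than CLI input. The first rule is the port-based habit; the rest pin each allowed application to its expected port, give a scored service on a non-standard port its own service object, and log everything that is denied.

```text
# Port-based habit: whatever rides tcp/80 is allowed, including a shell the
# red team parks there.
set service tcp-80 protocol tcp port 80
set rulebase security rules allow-port-80 from untrust to dmz source any destination any application any service tcp-80 action allow

# App-ID: allow only what the firewall classifies as web-browsing or ssl, and
# only on the ports those applications are expected on (application-default).
# Traffic on 80 that does not look like HTTP (typically reported as unknown-tcp)
# falls through to the deny rule and is logged.
set address web-server ip-netmask 10.0.20.5
set address mail-server ip-netmask 10.0.20.6
set rulebase security rules allow-web from untrust to dmz source any destination web-server application [ web-browsing ssl ] service application-default action allow log-end yes
set rulebase security rules allow-mail from untrust to dmz source any destination mail-server application smtp service application-default action allow log-end yes

# Non-standard port: a scored FTP service moved to 2121 needs its own service
# object, because application-default would only admit ftp on 21.
set service ftp-2121 protocol tcp port 2121
set rulebase security rules allow-ftp-alt from untrust to dmz source any destination web-server application ftp service ftp-2121 action allow log-end yes

# Explicit, logged catch-all so dropped red-team traffic appears in the reports.
set rulebase security rules deny-all from any to any source any destination any application any service any action deny log-start yes log-end yes
commit
```

Delete the allow-port-80 rule once the App-ID rules are in; rules are evaluated top down, so a permissive port rule above them makes the rest decorative.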

Security

Although the competition is for cyber defense, this point comes after networking and operations. While you are implementing your services you should naturally be adding security measures to your configurations. Plan carefully for how many reboots your updates will require; the virtual machines do not reboot without trouble.

Traffic logs can be gathered on the firewall as well as with the machine firewalls, to be used in reporting red team activity. To reclaim points lost to a compromise, have an incident response plan. After you have documented the red team's activity you can reset the machine in a network timeout zone. Do not let this box talk to others on the network before your security checklist is completed.
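Turning host-firewall logs into an incident report is mostly grouping: who hit the box, on which ports, and when. The script below is an added example for this post, not the team's code. It parses Linux iptables LOG output (the KEY=VALUE lines the kernel writes when a rule has a LOG target), groups drops by source address, flags a source that touched several distinct ports as a scan, and renders one paragraph per attacker for the memo. The sample lines, hostnames, addresses and the "BLUE-DROP:" log prefix are constructed for the example.

```python
"""Summarize iptables LOG lines into an incident report (added example for this
post, not the team's code). SAMPLE_LOG is constructed: the addresses,
timestamps and the BLUE-DROP prefix are made up."""
import re
from collections import defaultdict

# Constructed sample: one source sweeping ports, another hammering MySQL, and an
# unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Apr  9 10:01:22 web01 kernel: [ 1234.567] BLUE-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=10.0.10.77 DST=10.0.20.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=44312 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 10:01:22 web01 kernel: [ 1234.571] BLUE-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=10.0.10.77 DST=10.0.20.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=44313 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 10:01:23 web01 kernel: [ 1235.002] BLUE-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=10.0.10.77 DST=10.0.20.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=44314 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 10:01:23 web01 kernel: [ 1235.110] BLUE-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=10.0.10.77 DST=10.0.20.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4324 DF PROTO=TCP SPT=44315 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 10:04:40 web01 kernel: [ 1432.900] BLUE-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=10.0.10.90 DST=10.0.20.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 10:04:41 web01 kernel: [ 1433.905] BLUE-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=10.0.10.90 DST=10.0.20.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF PROTO=TCP SPT=51001 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 10:05:00 web01 sshd[2211]: Accepted password for www-data from 10.0.10.90 port 51020 ssh2
"""

# syslog timestamp, host, "kernel:", optional "[uptime]", then the LOG prefix
# and the KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?"
    r"(?P<prefix>[A-Z-]+): (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for an iptables LOG line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    rec.update(FIELD_RE.findall(m.group("fields")))   # flags like DF/SYN carry no '=' and are skipped
    return rec


def summarize(lines, scan_threshold=3):
    """Group dropped packets by source.

    Returns src -> {"hits", "ports", "first", "last", "scan"}; "scan" is True
    when one source touched at least scan_threshold distinct destination ports.
    """
    by_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        entry = by_src[rec["SRC"]]
        entry["hits"] += 1
        if "DPT" in rec:
            entry["ports"].add("%s/%s" % (rec.get("PROTO", "?").lower(), rec["DPT"]))
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    for entry in by_src.values():
        entry["scan"] = len(entry["ports"]) >= scan_threshold
    return dict(by_src)


def render_report(summary):
    """One plain-text line per source, busiest first, ready for the incident memo."""
    out = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        kind = "port scan" if e["scan"] else "repeated connection attempts"
        out.append("%s: %d dropped packets (%s) to %s between %s and %s"
                   % (src, e["hits"], kind, ", ".join(sorted(e["ports"])), e["first"], e["last"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_LOG.splitlines())))
```

Feed it the real file (`summarize(open("/var/log/kern.log"))`) and keep the LOG prefix consistent across boxes so one script serves every host; the Accepted-password line in the sample is there to show that anything that is not a kernel LOG line is ignored rather than mis-counted.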

Conclusion

Third place was a nice reward for the time spent preparing and was certainly a better experience than having plain text passwords dumped to a user's desktop. My last words of advice are to KEEP CALM AND LISTEN TO ELECTRO-SWING. Good luck, and have a fun time playing as the blue team.