CyberRAID 0 red team event recaps at HiR

(Cool, my [work] web filter isn’t blocking HiR as criminal hacking anymore. Sweet! [Yeah, I know I can make exceptions in it since I control it, but I don’t. This is *one* reason why I’m so late in seeing these!])

Ax0n and Asmodian X have posted some excellent thoughts on their experiences during the CyberRAID 0 event in KC. I’ll follow with a couple thoughts of my own.
Ax0n (blue team): part 1
Ax0n (blue team): part 2
Ax0n (blue team): part 3
Asmodian X (red team)

Egress filtering. Firewalls were sexy 10 years ago. Ask any pentester today and they’ll say external scanning is usually pretty boring now. But for as far as organizations have come with ingress firewall filtering, far too many still suck horribly at egress filtering. I really like seeing further evidence of that value. Yes, it’s hard to get going in a production network without making mistakes and ‘discovering’ business requirements the painful way…but this is one of the higher-value efforts that many organizations still leave undone.
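The painful way to discover business requirements is to turn on default-deny outbound and wait for the phone to ring. The less painful way is to write the allowlist first and dry-run it against recorded outbound flows to see what would break. The script below is an added example, not code from the event or from any of the recap posts; the zones, allowlist entries, hosts and flow records are all constructed, and the flow line format is an assumption (one flow per line: source, destination, destination port, protocol).

```python
"""
Egress-policy dry run: evaluate recorded outbound flows against a
default-deny allowlist before the rules are enforced on the firewall.
Constructed example; the zones, hosts, ports and flows are made up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Allowlist: (source zone, destination port, protocol) -> allowed destination networks.
# "any" means any destination. Anything not listed here is denied (default deny).
EGRESS_ALLOW = {
    ("workstations", 53, "udp"): ["10.0.0.53/32"],   # internal resolver only
    ("workstations", 80, "tcp"): ["10.0.0.8/32"],    # web traffic only via the proxy
    ("workstations", 443, "tcp"): ["10.0.0.8/32"],
    ("servers", 443, "tcp"): ["any"],                # patching / vendor APIs
    ("servers", 25, "tcp"): ["10.0.0.25/32"],        # outbound mail only via the relay
}

# Constructed internal address plan used to map a source address to a zone.
ZONES = {
    "workstations": ip_network("10.1.0.0/16"),
    "servers": ip_network("10.0.0.0/24"),
}


def zone_of(src):
    """Return the zone name for a source address, or 'unknown'."""
    addr = ip_address(src)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src, dst, dport, proto):
    """Apply the allowlist; an unlisted (zone, port, proto) is denied."""
    nets = EGRESS_ALLOW.get((zone_of(src), dport, proto))
    if nets is None:
        return False
    return "any" in nets or any(ip_address(dst) in ip_network(n) for n in nets)


def parse_flow(line):
    # Assumed flow record format: "src dst dport proto"
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto


def audit(lines):
    """Group the flows the policy would deny by (zone, dport, proto).

    Each group is one conversation to have with the business: either a
    missing legitimate requirement or something that should stay blocked.
    """
    denied = defaultdict(list)
    for line in lines:
        src, dst, dport, proto = parse_flow(line)
        if not is_allowed(src, dst, dport, proto):
            denied[(zone_of(src), dport, proto)].append((src, dst))
    return dict(denied)


# Constructed sample flows, as they might be exported from a flow collector.
SAMPLE_FLOWS = [
    "10.1.4.20 10.0.0.53 53 udp",      # workstation -> internal DNS: allowed
    "10.1.4.20 8.8.8.8 53 udp",        # workstation -> external DNS: denied
    "10.1.4.21 10.0.0.8 443 tcp",      # workstation -> proxy: allowed
    "10.1.4.21 203.0.113.7 443 tcp",   # workstation direct to internet: denied
    "10.1.4.22 203.0.113.9 6667 tcp",  # workstation on an odd port: denied
    "10.0.0.30 203.0.113.50 443 tcp",  # server https out: allowed
    "10.0.0.30 203.0.113.50 25 tcp",   # server bypassing the mail relay: denied
    "10.0.0.31 10.0.0.25 25 tcp",      # server -> mail relay: allowed
]

if __name__ == "__main__":
    for key, flows in sorted(audit(SAMPLE_FLOWS).items()):
        print(key, len(flows), "flow(s) would be blocked:", flows)
```

Run it against a real flow export before flipping the firewall to default deny outbound; each denied group is either a requirement to add to the allowlist or a behaviour (external DNS, direct-to-internet HTTPS from workstations, odd ports) that the filter exists to stop.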

Pointy-Haired Boss. While many business requests end up *becoming* reasonable with some communication of the risks/costs, there are still plenty that just defy explanation and may nearly get put into place anyway, despite being bad, bad, bad. I’m glad Ax0n brought this up in part 2. Sometimes a little deception is used to keep risks properly handled.

Defense is tough. This is an old horse, but still worth flogging. Defense involves not just fighting with attackers, but also keeping your own facilities up and properly working (scoring), backups and recovery from incidents, meeting business demands, inheriting things you didn’t create, and even learning brand new things (e.g. Asterisk) because, well, you have to. Not to mention all the soft skills that come into play.

Attacking threats is tough. I support people in positions where they are able to actually attack threats, but most business is not in that position. The reality for most organizations is exactly what Asmodian X said, “Law enforcement is worthless unless you have done the leg work and provide them with useful information.” And yet, look out when the attackers start collaborating!