20-CS-[51|60]55 Cyber Defense Overview Fall 2018

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

CDX Event

You have just been hired as the network and security administrators at a small company and will be taking administrative control of their web server. You know very little about the network, what security level has been maintained, or what software has been installed. You have a limited time frame to familiarize yourself with the network and systems and to begin the security updates and patches before the red team starts actively attacking your company.

Services You Must Provide:
Your team must keep the following services available on all three IP addresses that were given to you:

  • Apache+PHP
  • MySQL (for the purpose of supporting the existing WordPress site)
  • WordPress site must continue providing the content in the MONITOR THIS entry, at the same URL (http://<Your IP>/wordpress/?p=4), and must continue to function as a WordPress site
  • The daytime service must continue providing the time of day on the server
  • FTP must continue providing anonymous access to log in and download any files hosted there
  • The print service (ipp) must be running
  • Your IP address must respond to ICMP ECHO REQUESTs (ping) per RFC 1122
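
A blue-team availability monitor for the required services above, written as an added example (not part of the course materials): it probes each TCP port, reads the daytime line, fetches the WordPress entry, tries an anonymous FTP login plus listing, and pings, returning a per-check result. It assumes the monitored entry contains the text MONITOR THIS (the MARKER constant), that MySQL only needs to be reachable by WordPress, and a Unix-style ping binary.

```python
"""Blue-team availability monitor for the CDX required services (added example)."""
import ftplib
import socket
import subprocess
import urllib.request

# Services named in the brief. MySQL is not probed remotely: it exists to back
# WordPress, so a WordPress page that still renders already exercises it.
TCP_SERVICES = {"apache": 80, "ftp": 21, "daytime": 13, "ipp": 631}
WORDPRESS_PATH = "/wordpress/?p=4"
MARKER = "MONITOR THIS"  # assumed: text that must stay visible in the monitored entry

def safe(fn, *args):
    """Run one probe; any socket, HTTP or FTP failure counts as the service being down."""
    try:
        return bool(fn(*args))
    except ftplib.all_errors:  # ftplib.Error, OSError, EOFError; URLError is an OSError
        return False
def tcp_open(host, port, timeout=3.0):
    with socket.create_connection((host, port), timeout=timeout):
        return True
def read_daytime(host, timeout=3.0):  # daytime sends one text line, then closes
    with socket.create_connection((host, 13), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()
def daytime_looks_valid(line):
    """RFC 867 fixes no format, so accept a printable ASCII line containing a digit."""
    return bool(line) and line.isascii() and line.isprintable() and any(c.isdigit() for c in line)
def fetch_wordpress(host, timeout=5.0):
    with urllib.request.urlopen(f"http://{host}{WORDPRESS_PATH}", timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")
def wordpress_ok(html, marker=MARKER):  # the entry must still render, not just return 200
    return marker in html
def ftp_anonymous_ok(host, timeout=5.0):
    """Anonymous login must work and a listing must come back over the data channel."""
    with ftplib.FTP(host, timeout=timeout) as ftp:
        ftp.login()  # anonymous login is ftplib's default
        ftp.nlst()
        return True
def ping_ok(host):  # ICMP echo via the system ping; assumes a Unix-style ping binary
    return subprocess.run(["ping", "-c", "1", host], capture_output=True).returncode == 0
def check_all(host):
    """Return {check: ok} for one address; run from the host OS against each team IP."""
    results = {name: safe(tcp_open, host, port) for name, port in TCP_SERVICES.items()}
    results["daytime_content"] = safe(lambda h: daytime_looks_valid(read_daytime(h)), host)
    results["wordpress_content"] = safe(lambda h: wordpress_ok(fetch_wordpress(h)), host)
    results["ftp_anonymous"] = safe(ftp_anonymous_ok, host)
    results["icmp"] = ping_ok(host)
    return results
def failing(results):  # sorted names of failed checks: the triage list and report evidence
    return sorted(name for name, ok in results.items() if not ok)
```

Run check_all() from the host OS against each of the team's three addresses on a timer; a failed check is something to fix before the scoring run sees it, and the per-check history doubles as evidence for the final report.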

The following username and password will allow you to log in to any of your VMs initially. Since these are the same for all teams, you are advised to change the password immediately:
  • username: student / password: student

The administrator of both MySQL databases has the following credentials:

  • username: root / password: (empty)

Both MySQL databases are owned by the following user:

  • username: student / password: student

CDX Activities:
  1. examine the supplied VM and improve the security posture with changes to configuration files.
  2. allow the VM to undergo attack by the red team (Perfect Storm) during the CDX.
  3. submit a final report that includes a listing of all changes made to improve the security posture (and why), a Kill Chain description of cyber attack(s) against your server during the CDX period, and other items as described in the sample report below and as the team sees fit to include.

The CDX period begins at 6:00AM, December 7 and ends 8:00PM, December 7. The final report is due 11:59PM, December 14 (OK, if you are a little late and I have some other reports to read I will still accept it). A sample final report is here.

Download: CDX-2018.ova - Size: approx 2.09GB - Use "Import Appliance" in VirtualBox to install

  • SHA1sum: bce929d849de5a8bdf3a34979e6be2d032084926

Red Team Rules of Engagement:
  • It is not OK to attempt to break out of the CDX network. That is, red team members should stick to poking the IP addresses listed below.
  • If a VM is compromised (that is, a password is discovered and the red team can enter the VM and become root) it is not OK to attempt to open a connection to UC's network from the compromised VM.
  • It is OK to attack after 11:59PM on November 30 and before 11:59AM on December 1 only (this has been changed to all day December 2 and all day December 6).
  • The red teams score service availability, and the scores are posted via the internet.
  • The red teams provide a log of attacks.
  • The red teams will generate benign traffic in addition to making attacks.

Blue Team Rules of Engagement:

  • Recovery using a snapshot is disallowed as it violates the spirit of a CDX where we are trying to improve skills of recovery from attack.
  • It is OK to block ports that are not used to provide necessary services.
  • It is OK to transfer files between the host OS and the VM but not between the VM and a UC node. This means it is not OK to transfer a file from the VM to the host then from the host to a UC node.
  • It is OK to create new accounts, change passwords, add or remove users and groups in the VM. All changes need to be documented (the change and the date and time) in the final report.
  • You must defend only through proactive configuration and defensive blocking. In other words, you cannot attack anyone, whether it is a red team or a blue team member.
  • Points are deducted where the final report reports an attack that was actually benign traffic, or omits an attack that did occur.
  • It is OK to add or remove packages from the VM. For example, you may want to add some analysis tools and remove some potentially dangerous packages that are not needed.

Members                                 Group Name           IP addresses
Patel, Peasley, Millot                  PRK Resistance       200-202
Mace, Gamstetter, Daugherty, Stewart    Forthcoming          204-206
Kramer, Koch, Camburn, Hoelle           Stack Smashers       208-210
Leger, Bowman, Hasler                   1337h4X0r$           212-214
Moeen, Ramirez, Doan, Gautam            Sleepers             216-218
Komaragiri, Rajani, Karkera             Last Benchers        220-222
Bakare, Elia, Alalade                   Dare, Yinka & Zack   224-226
Lnu, Jaddi, Srinija, Saineni            Spartans             228-230
Puchala, Yarlagadda, Patel              Nightfury            232-234
Addai, Efosa, Alharthi                  Creator              236-238
Farolino, Fahey, Lewis                  Anonymous            240-242