Last week I was at a major technology lab for their first Red Team Blue Team event. This was hosted by White Wolf Security and is essentially a mobile hacker fest. White Wolf Security sets up these events all over the world for government, higher education, enterprise clients, and at conferences.
The Red Team is made up of the “bad guys” and the Blue Team is made up of the “good guys.” In this case, the good guys consisted of three different groups plus many other observers from different labs and agencies around the country. The base players for the Blue Team came from different labs and a key law enforcement agency. The Blue Team was subdivided into three areas across two separate networks; each subgroup had to defend its network and work with the law enforcement agency. The Red Team consisted of security level 3 lab personnel specializing in malware identification and intrusion detection.
White Wolf Security’s scoring system monitors all assets on the network including mail services, web services and even workstations. When the bad guys get in, it triggers a token and they get points. The Blue Team is awarded points based on prevention, incident resolution and saving additional resources from the same attacks. In this case they added a law enforcement layer, where it was necessary to provide the evidence needed to make an arrest or issue a warrant.
This was the first time White Wolf had full packet capture available as an asset to the Blue Team. Solera Networks provided a Solera DS 1150 network forensics appliance and a consultant to teach them how to use the solution effectively. We also supplied the Blue Team with plug-in code for their Snort box so it could link to the Solera DS appliance via an API. Team Two also brought their own GROK box for their side of the network.
War was declared by the fictional country of Hackistan at precisely 13:00 hours. Within 10 minutes, three analysts from Blue Team One were using the Solera Networks solution to start looking for attacks. Blue Team Two was still trying to determine what was being attacked. By 13:40 Blue Team One was downloading filtered PCAP files to see what was being attacked on their Exchange server.
By 14:10 hours, Blue Team Two was asking how to get connected to and use the Solera forensics appliance. It turned out that most of their network was down, including GROK.
At the end of day one, there was a quick debrief. Blue Team One identified the major system breaches:
1. The first breach was to their Exchange server. They used the Solera DS appliance to determine what was going on, but the Exchange server was ultimately left down, with no resolution.
2. Then they noticed the VoIP PBX was having issues. Using the Solera appliance, they were able to gather evidence to take to the law enforcement agency and also figured out how to fix the problem.
3. Their last issue was their unpatched XP workstation. They used captured traffic and PCAPs from the Solera appliance to take evidence of malicious behavior to the law enforcement agency to get a warrant.
The Blue Team Two debrief was much more daunting. They did not have analyst workstations to determine what was wrong. They had no immediate information on the attacks, and before they could really react their entire network was encountering problems.
In a game where the odds are stacked against Blue Teams, both were getting hammered as expected, but the team using the Solera network forensics solution fared much better than the team without it.