IT430 Information Assurance - PowerPoint PPT Presentation

Provided by: comp156
Slides: 20

Transcript and Presenter's Notes

1
IT430 Information Assurance
  • Lesson 14: Cyber Defense Exercise

2
Why Exercise?
  • Prepare for the enemy in a controlled environment
  • See how technology, policy and people hold up under stress
  • Fix problems

3
Why should you care?
  • CJCS policy, Jun 05
    - Every Joint Exercise must include IA
  • Navy NETWARCOM
    - Operate the Global Information Grid as a weapon system

4
IA Exercises
  • Goals
  • Planning
  • Execution
  • Lessons Learned

5
The People
  • Planners
  • White Cell
    - Referees with the script
  • Trusted Agents
    - Let in on a part of the script
  • Red Cell
    - Aggressors
  • Participants

6
Cyber Defense Exercise
  • Goals
  • Enhance IA curriculum
  • Hands-on defensive IA
  • Realistic environment
  • IA decisions under a heightened threat

7
Cyber Defense Exercise
  • Planning
    - NSA: White Cell
    - Academy faculty: Trusted Agents
    - Academy students: Participants
  • Starts 6 months prior
  • Senior-level support
    - Logistics
    - Funding
  • Exercise events to meet goals

8
Execution
  • 4-day exercise
  • Directive spells out the dos and don'ts
  • Measured tasks (IA Model)
    - Operations: keeping the network up
    - Security
    - Reporting

9
The CDX Scenario
10
Required Configuration
  • Domain Controller: W2k3
  • E-Mail: MS Exchange
  • Web Server: Fedora Core 2
  • File Server: FC2 and Samba
  • Clients: XP

11
Required Configuration
12
USAFA Network Architecture
13
USAFA Web Server Defacement
  • The US Air Force Academy
    - Winner of CDX 2006
    - Root compromise of Web Server
  • Attack Progression (from Red Cell Blog)
    - 1030 - RT Begins scanning the USAFA Network. They identify 7 boxes.
    - 1530 - RT uses "apache module" backdoor to gain non-root access to webserver (secondary)
    - 1545 - RT gains root access on webserver
    - 1550 - RT copies shadow file from webserver, cracks passwords
    - 1605 - RT has full control of the webserver.
    - NEXT DAY -
    - 1030 - USAFA pulls Webserver offline
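The 1030 entry in the Red Cell timeline is the one a defender has the best chance of catching early: a scan that "identifies 7 boxes" touches many host:port pairs from one source in a short time. The following is an added example, not code from the slide deck or the Red Cell blog: a sliding-window scan detector run over constructed firewall drop-log lines. The iptables-style `FW-DROP` prefix, the addresses, the timestamps and the year (2006, taken from "CDX 2006") are all assumptions made for the example.

```python
"""Scan detection over constructed firewall log lines.

Added example, not from the original slide deck or the Red Cell blog it
quotes. It flags any source address that reaches many distinct host:port
targets inside a short window, which is what the 1030 reconnaissance
("They identify 7 boxes") looks like from the defender's side.
The log format (an iptables-style "FW-DROP" prefix), the addresses and the
timestamps are all made up for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: FW-DROP .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: one outside host sweeps ports 22 and 80 on seven hosts
# within a minute; one inside client makes two ordinary SMB connections.
SAMPLE_LOG = [
    f"Apr 18 10:30:{sec:02d} gw kernel: FW-DROP IN=eth0 OUT= "
    f"SRC=10.9.9.5 DST=10.1.100.{host} PROTO=TCP DPT={port}"
    for sec, (host, port) in enumerate(
        (h, p) for h in range(10, 17) for p in (22, 80)
    )
] + [
    "Apr 18 10:30:20 gw kernel: FW-DROP IN=eth0 OUT= "
    "SRC=10.1.100.50 DST=10.1.100.10 PROTO=TCP DPT=445",
    "Apr 18 10:31:05 gw kernel: FW-DROP IN=eth0 OUT= "
    "SRC=10.1.100.50 DST=10.1.100.11 PROTO=TCP DPT=445",
]


def parse_line(line, year=2006):
    """Return (timestamp, src, (dst, dport)) or None for lines we do not understand.

    Syslog timestamps carry no year, so one is supplied (an assumption).
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], (m["dst"], int(m["dpt"]))


def detect_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Sliding-window count of distinct (dst, dport) targets per source.

    Lines are assumed to be in time order, as a log file is. Returns
    {src: peak_distinct_targets} for every source that reached `threshold`
    or more distinct targets within `window`.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, target) inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, target = parsed
        q = recent[src]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, hits in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {hits} distinct host:port targets in 60s")
```

The threshold and window are tuning knobs: the legitimate client in the sample touches two targets and is never flagged, while the sweep crosses the threshold on its tenth distinct target, five hours before the 1530 backdoor step in the timeline.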

14
USNA Network Architecture
15
USNA A Balancing Act
  • The US Naval Academy
    - Great command structure
    - Team management, organization
    - Task prioritization key to network defense

16
USMA Network Architecture
17
USMA A Complex Network
  • The US Military Academy
    - Complex
    - Well designed
    - 1 router left insecure
  • Attack Progression (from Red Cell Blog)
    - 1028 - Scan started by RT
    - 1029 - Scan revealed that 10.1.100.251 was a Cisco device with a Web Interface.
    - 1234 - RT got level 15 access to the router .251 using the default password. RT creates a username and password (for continued access).
    - 1337 - Router enable password changed to battl3ship. Telnet enabled and the prompt message changed to GO_NAVY_BEAT_ARMY.

18
9 Most Exploited Vulnerabilities
  • Patches
    1. Microsoft Windows LSASS Buffer Overflow Vulnerability
    2. Microsoft DCOM
  • Passwords
    3. Use of the LM Hash
    4. Use of Weak Passwords
    5. Use of the same password on Multiple Systems
  • Policy
    6. Microsoft Windows Default Administrative Shares
    7. Rich Text Format / HTML Email
    8. Access to System Executables
    9. Use of Unnecessary Services / Accounts
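Items 3, 4 and 5 of the password group can all be checked from a per-host export of local account hashes without cracking anything. The following is an added example, not from the slide deck: it reads pwdump-style lines (`user:rid:lmhash:nthash:::`) from several constructed XP clients and reports where an LM hash is still stored, where the NT hash is the empty-password value, and where the same NT hash appears on more than one system. The host and user names are made up, and every 32-hex "hash" other than the two well-known empty-hash constants is a placeholder, not the hash of anything.

```python
"""Audit of a pwdump-style account export for three of the nine items on
the slide: LM hashes still stored (3), blank passwords (4) and the same
password reused across systems (5).

Added example, not from the slide deck. The per-host export lines are
constructed: the user names are made up and every 32-hex "hash" is a
placeholder, not a real hash of anything. The two constants are the
well-known empty LM and NT hash values.
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample: three XP clients from the required configuration.
SAMPLE_EXPORTS = {
    "xp-client-01": [
        "Administrator:500:" + EMPTY_LM + ":" + "a1" * 16 + ":::",
        "student:1001:" + "b2" * 16 + ":" + "c3" * 16 + ":::",   # LM hash present
    ],
    "xp-client-02": [
        "Administrator:500:" + EMPTY_LM + ":" + "a1" * 16 + ":::",
        "guest:501:" + EMPTY_LM + ":" + EMPTY_NT + ":::",         # blank password
    ],
    "xp-client-03": [
        "Administrator:500:" + EMPTY_LM + ":" + "a1" * 16 + ":::",
        "lab:1002:" + EMPTY_LM + ":" + "d4" * 16 + ":::",
    ],
}


def parse_export_line(line):
    """pwdump format user:rid:lmhash:nthash::: -> (user, rid, lm, nt)."""
    user, rid, lm, nt = line.split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def audit_exports(exports):
    """Return {"lm_hash": [...], "blank": [...], "reuse": [...]} findings.

    lm_hash: accounts whose LM field is not the empty-LM constant (item 3)
    blank:   accounts whose NT hash is the empty-password value (item 4)
    reuse:   groups of host\\user sharing one NT hash across hosts (item 5)
    """
    findings = {"lm_hash": [], "blank": [], "reuse": []}
    by_nt = {}  # nt hash -> list of "host\\user" entries that share it
    for host, lines in exports.items():
        for line in lines:
            user, _, lm, nt = parse_export_line(line)
            who = f"{host}\\{user}"
            if lm != EMPTY_LM:
                findings["lm_hash"].append(who)
            if nt == EMPTY_NT:
                findings["blank"].append(who)
            by_nt.setdefault(nt, []).append(who)
    for nt, users in by_nt.items():
        hosts = {u.split("\\")[0] for u in users}
        if len(hosts) > 1 and nt != EMPTY_NT:
            findings["reuse"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for category, hits in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{category}: {hits}")
```

A non-empty LM field means the "Do not store LAN Manager hash value on next password change" policy was either not set or set after the password was last changed, so the fix is the policy plus a forced change; the reuse finding is the case for a unique local Administrator password on every host, since one shared hash turns a single compromised client into all of them.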

19
Student Best Practices
  1. Know the network and keep it simple
  2. Deny-by-default policy
  3. Remove unnecessary services, software and user accounts
  4. Plan for contingencies
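"Deny by default" means the rule set lists what is allowed and everything else is dropped, and it only holds if no rule quietly allows everything. The evaluator below is an added example, not from the slide deck: a first-match rule engine for the required configuration's services (web, Samba file share, Exchange mail, ssh administration) whose fall-through decision is always deny, plus a check for catch-all allow rules that would defeat the policy. The address plan (client subnet, server and admin-workstation addresses) is constructed for the example.

```python
"""Deny-by-default policy evaluation for the CDX network.

Added example, not from the slide deck. A small first-match rule evaluator:
a packet that matches no explicit allow rule is dropped. The address plan
below is constructed; the services follow the required-configuration slide.
"""
from ipaddress import ip_address, ip_network

# Constructed address plan for the example.
CLIENTS = "10.1.100.0/24"
ADMIN_HOST = "10.1.100.5/32"
WEB = "10.1.100.20/32"
FILES = "10.1.100.21/32"
MAIL = "10.1.100.22/32"
ANY = "0.0.0.0/0"

# Rule = (action, src_net, dst_net, proto, dport); proto "any" / dport None = wildcard.
POLICY = [
    ("allow", ANY, WEB, "tcp", 80),          # public web server
    ("allow", CLIENTS, FILES, "tcp", 445),   # SMB from the client subnet only
    ("allow", CLIENTS, MAIL, "tcp", 25),     # mail submission from clients
    ("allow", ADMIN_HOST, ANY, "tcp", 22),   # ssh only from the admin workstation
]


def matches(rule, src, dst, proto, dport):
    """True if the connection falls inside every field of the rule."""
    _, src_net, dst_net, r_proto, r_dport = rule
    return (ip_address(src) in ip_network(src_net)
            and ip_address(dst) in ip_network(dst_net)
            and r_proto in ("any", proto)
            and (r_dport is None or r_dport == dport))


def decide(src, dst, proto, dport, policy=POLICY):
    """First matching rule wins; nothing matched means deny (the default)."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule[0]
    return "deny"


def overly_broad(policy):
    """Allow rules with any source, any destination and any port: these
    turn a deny-by-default policy back into allow-by-default."""
    return [r for r in policy
            if r[0] == "allow" and r[1] == ANY and r[2] == ANY and r[4] is None]


if __name__ == "__main__":
    # 192.0.2.0/24 is the documentation range, standing in for "outside".
    for conn in (("192.0.2.7", "10.1.100.20", "tcp", 80),
                 ("192.0.2.7", "10.1.100.20", "tcp", 22),
                 ("10.1.100.50", "10.1.100.21", "tcp", 445),
                 ("10.1.100.50", "10.1.100.20", "tcp", 22)):
        print(conn, "->", decide(*conn))
    print("catch-all rules:", overly_broad(POLICY))
```

The same structure maps onto a host firewall or a router ACL: the ordering of explicit allows matters only among themselves, and the implicit final deny is what keeps an unlisted service such as telnet or the web interface from the USMA router reachable by nothing but intent.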