Sec Lab: Attacks and Defense at Integrated Cyber Exercises
As in real life, there are no declared winners and losers in cyber defense games designed by WhiteWolf Security, but everyone learns something from the experience. In the real world, on real networks, the game never ends, making it impossible to declare a winner. All anyone can do is to perform their skills to the best of their ability, support the team, continue to learn and acquit themselves with honor.
An Interview with Alex Horan, CORE Security on his experience with the Integrated Cyber Exercise (ICE I) event at SANS Las Vegas
Oct 10th, 2007
By Stephen Northcutt
Alex is the Systems Engineering manager at Core Security
Technologies. He was assisting the attack, or red cell, in the cyber
exercise using version 7 of their product. Core Impact version
7 allowed the red cell to test for both server-based and
client-side vulnerabilities. The SANS Cyber Warfare Exercise recently held at Network
Security 2007, September 28-29, at Caesar's Palace in Las Vegas, was the first
offensive/defensive exercise of its type. The exercise was developed
for SANS by White Wolf Security as a cyber exercise environment
designed to test the limits of an elite group of cyber attackers' and
defenders' skills. We certainly appreciate Alex taking the time to share
his thoughts with us.
Alex, can we get your first impressions of the
event please?
I was lucky enough to attend the inaugural Integrated Cyber Exercise
(ICE) event at SANS Las Vegas as an observer/helper with the Red Team.
The event was very professionally done, with literally a crate of
servers and switches shipped to the event by the guys at White Wolf
Security; they set up a very realistic corporate environment for the Red
Team to attack and the Blue Team to defend.
Yes, the traveling equipment rack assembled by WhiteWolf
Security is a piece of art, we have one at SANS as well, but that is
certainly the big dog. At ICE, the offensive team (red cell) led by Dr.
Eric Cole, continually attacked a fictitious company called GIAC
Enterprises, the world's largest provider of fortunes for fortune
cookies. The only relief was the three breaks. The good guys (blue
cell) must continue operations while being hacked. They must keep the
system operational, complete a list of services and tasks, and outscore
the bad guys before time runs out! The overall lead for the exercise was
Tim Rosenberg, and the play coach was Dr. Eric Cole, who created the two teams of 5
attackers and 10 defenders. So Alex, how would you say Dr. Cole and the
folks did?
With Eric Cole coordinating it all and a variety of other SANS
instructors who drifted in and out of the Red and Blue rooms giving
advice to the teams, this truly was an educational experience for all
who participated. Also, with Larry and Paul of PaulDotCom providing
live commentary, even the observers were able to feel the excitement and
tension of the event.
I'll say, there was a video feed from the blue team area and
you could sense the tension when under attack and joy when they were
able to successfully defend or identify an attack. The attacker
portion is straightforward. For the defenders' portion, based on
the 3 networks, it looks like there were 3 routers, 3 firewalls and 12
systems to secure. In addition to the student players, two vendors were
participating: Core Security was used by the attacking red cell, and F5
Networks' web application firewall tools were used on the defending
side. From my perspective, Alex, the event got off to a bit of a slow
start. Can you give us an insight into what was actually happening?
The event started with the Red Team quickly gaining the upper hand,
primarily because they worked together to divide and attack the network
in a very efficient and systematic way. The Blue team initially
struggled as each member was focused purely on their own areas, and
they did not have a coordinated defense strategy. This is very similar
to what we see in the real world: the cyber criminals work in groups
and have a predetermined plan for how they will compromise their
intended victim organization, whereas in a lot of companies the various
IT people are responsible for a specific business group, which can
create inconsistencies and holes in the organization's defenses.
As I said before, you could see some tension on the blue team side of
the house at first, but they seemed calmer and more focused in part II.
What changed?
During the second half of the exercise the Blue Team elected a leader
and their defensive efforts became more coordinated and effective.
Thank you for that, Alex. It is amazing how a bit of leadership
can alter the situation. Can you tell us about the red cell and their
use of CORE Impact?
Whilst the attackers were still able to exploit the targets using Core
Impact, their window for deploying persistent agents, and thus taking
permanent control of the machines, was drastically reduced. The Red Team
again coordinated their attacks, and they were able to use Core Impact to
take control of the targets and disable the defensive methods put in
place by the Blue Team.
At the final debriefing, it seemed to me that all parties found the exercise useful. What was your take?
At the end of the event all of the participants were very pleased to
have had a chance to take the skills and techniques they had just spent
6 days learning and use them in a live and dynamic environment –
not only did it show that they had been learning current and real world
lessons, they were able to reinforce that learning by seeing the
effects of those lessons in action.
Thanks for sharing. One last question: would you do it again?
For myself, it was an honor to be involved in what I am sure will be
the first of many ICE events and I look forward to participating in
more.
Wonderful, thank you for your time Alex.
For more information about some of the groups listed in the webcast, we have attached the following supporting links:
http://www.whitewolfsecurity.com/
http://www.coresecurity.com/
http://www.f5.com/solution-center/solution-guides/application-security.html
http://www.sans.edu/resources/securitylab/f5_salchow_interview.php
http://www.pauldotcom.com/
(Eric Cole's web page) http://www.secure-anchor.com/