Monday, 11 October 2010

:: NSA Cyber Defense Exercise (CDX) 2010...



The United States National Security Agency (NSA) has completed the 2010 Cyber Defense Exercise, which it runs every year for the armed forces and other security units...

The Cyber Defense Exercise is run as a competition and is built around securing, and breaking, systems within a pre-built scenario...

What was observed, however, is that the competitors work on mail, Exchange, DNS, web and basic network security using basic tools.
The training is meant to build security awareness rather than to turn the participants into security professionals...

Result: while West Point (the Army's academy) had won in previous years (three in a row, according to the transcript below), this year Navy (the US Naval Academy) won the competition.

You can watch the video at http://www.nsa.gov/. (The transcript is provided below...)

-------------

Cyber Defense Exercise 2010 Video Transcript

Every battle has an attacker and a defender. In this battle the Red Cell attacks networks set up by the Blue Cell teams. For four days these teams defend against Red Cell attacks as well as the activities of the Gray Cell.

The Gray Cell is a user on each network who simulates normal internet traffic - traffic that may open the door for the Red Cell to get in.

The Blue Cell team that does the best job defending their network is the winner.

This is the 2010 Cyber Defense Exercise.

"We've won the past three years." "We won it again last year." "Uh, we've won the past few years."

(Music)

Alan (Army): I'm sure they're gunning for us. There's always a bit of competition but as usual we're not worried about them.

This year I'm the CDX commander so I'll be responsible for organizing both sections of our class and leading the charge.

(Music)

LTC Fanelli: We have a lot of work to do. I'm expecting that there will probably be the annual "yelling and screaming" phase, the "I hate you" phase, and then finally the "we're ready and let's go do this" phase, and then hopefully we'll have the "we're glad we won" phase at the end.

(Music)

Parks (Air Force): We're about two weeks out from the CDX. We're still working on getting our services up and running.

(Music)

We're looking at seeing what ports are open and what our vulnerabilities are.

Justin: This year we spent a lot of time looking at how to clean up the root kits and how to clean up the viruses and trojans that may come pre-loaded on these workstations.

Matt: We've got a little bit of a reputation of the Air Force at stake here. We're doing everything we can to prepare. You don't want to let the other guys down that have put some time into it.

Devin (Coast Guard): At the end of last year we were pretty uh, upset.

CDR Oatman: Honestly, last year was really tough. We had a good design, we had a great team. Things went really smooth once the exercise started.

James: Everything was working well.

Two days into it they felt pretty strong.

But then we got kind of cocky I would say and we started changing some things, trying to make things better.

Turns out that little last minute change to the Exchange server - our mail server - resulted in us locking ourselves out of our own system.

I heard things weren't going right. They took us out of class and we ran into the lab just to see, like, error screens on the workstations. It was like "Oh God, what did they do?".

And then we went in and listened to the conference call and listened to Army winning and at that point every single one of us had a bitter taste in our mouths.

(Music)

We were just really frustrated because we felt like we could have won it and we had it within grasp and we just kind of lost it because of a bad decision.

I would be disappointed if we didn't win this year. I'd honestly be disappointed.

It definitely irritates me that West Point has won three years in a row now.

Brian: We've been right there with them for the last three years and we'd really like to see Army lose. As far as Merchant Marines go, I just feel kind of bad for them.

Professor Gavas (Merchant Marines): We have about three weeks before the Cyber Defense starts and we have a ways to go actually.

Ben: I'd say that we are behind a little bit on our preparation.

We're just kind of getting our network together, settling on our network diagram.

Kris: The number one thing I think we need to do to get ready is... start.

(Music)

We tend to be very "bursty". The weekend before, the weeks before they're in all nights on Thursday, Thursday to Saturday, Thursday to Sunday. They've built up a tolerance to the 5 Hour Energy or whatever it is. We're hurried, we're confused.

I'm usually just having trouble remembering my login password name. We can't be too serious because it would just be somewhat depressing.

Starting we had like seven people. Our team went down from seven to three. So we lost a lot of people but those that we have left we're all real committed.

We have very high hopes this year - same hopes as last year. They did it last year so we're going for it again: "not last".

Any position above last place and even last place is kind of an accomplishment.

We're definitely the "David" of the group. Hopefully we have a good slingshot.

This is our year. We're gonna win it all!

(Music)

Justin (Navy): I'm pretty excited about this year. We have a pretty good design we think and a lot of good ideas and a lot of good guys working on it.

Chris: We're getting there. We're about to connect to the VPN today and start working on building our network here. Our style has been a little bit different than last year. We've been much more laid back. I think we'll do alright this year. I don't want to call it too soon. We'll see how it goes. Like I said, win or lose at the end of the day it's a learning experience for everyone.

(Loud Music)

Red Cell: All this cluster of eager looking guys - this is all Red Cell. These are the opposition force - the attackers.

DIRNSA: The bad guys.

(Music)

Red Cell: For CDX our goal is to give the academies a chance to understand what an attack would look like, how to defend their networks and systems. Our Red Cell provides the adversary. What's new this year is the Gray Cell, where we're mimicking an unsophisticated user that's actually in the academy network.

Gray Cell: I click on all the e-mails that I get, I open all the attachments.

Red Cell: Some links do nothing, other links provide us the opportunity the Red Cell needs to get in there and begin building on that exploit.

Gray Cell: This machine is f'd up.

(Music)

Merchant Marines: The state of Merchant Marines as of right now. Uh, last night we had some major hardware failures. We had this box over here that was serving all of our services and now it is replaced with - as you can see - this laptop that says "the server". This is that laptop. This part of our network, like what - 25% of our entire network is running on a T42. This is the proxy server that we didn't think we were going to be able to get set up but...

(laughter)

it's set up now. It's hopefully going to help us. Nothing is being blocked so I don't know, that's probably bad. Our gateway to the internet is dying. We're not really doing a whole lot of monitoring. Otherwise, things are great!

Coast Guard: I think the competition is really between us & West Point.

Coast Guard: West Point's the only people we're concerned about.

Air Force: We're tired of seeing Army lead it. We want to take them down.

Merchant Marines: West Point's competing in this?

(Music)

Red Cell: Right now I'm assuming the schools are just going through a boatload of traffic to see what's going on. They're probably a little bit scared right now.

Coast Guard: I don't think there's any real aggressive action yet.

I don't really know what's going on. Really.

On our firewall we got some activity that they were port scanning us. Just basically looking to check to make sure what computers are in our network.

Air Force: Our firewall has been picking up a lot of malicious activity so as far as we can tell we haven't seen anything get through but we may not know about it.

Probably the most nerve-racking thing has been our configuration and standing up things that weren't prepped as much as they should have been for today. Our logs don't show anything unusual.

We're not getting root logins or anything like this. We're still waiting for them to really get going with the attacks.

Army: It is requesting excessive options and intent to degrade service.

Right when the CDX started the first attack that went off was a denial of service attack against our server. We got it like right away using our observation systems. Found SNORT. No damage but degraded service.

(Music)

Navy: Tuesday was just an interesting day all around because we were learning how to respond to things and figuring out how to integrate all the people we had. So, a very chaotic and interesting time.

Merchant Marines: I can think of a few places we certainly lost points but overall I don't think we lost anything tremendous.

There were no fewer than two catastrophic hardware failures.

We don't actually know how much they actually do have. So hopefully they don't have much of anything but they probably have a little bit of something.

I love ya, ya little monkey.

Then again, it's only day one. We'll see how it goes.

Red Cell: So apparently one of the schools last year, that school being the Merchant Marine Academy, decided to get smart and go out to this famous hacker conference called DEFCON and they presented a presentation called "How to fight off the NSA Red Team with five people or less". They didn't seem like they'd be the right team to give it because they didn't even win in the first place, but it made them a really high value target nonetheless. On night one of the exercise we initially exploited one of their workstation machines and then we expanded that influence to get on their domain controller and make ourselves a domain administrator account.

Interviewer: So you can do anything?

Red Cell: We can do anything we want to the network.

Merchant Marines: What is it doing?

We got hit kind of hard on our workstations.

We haven't lost them because we just keep them down so the NSA can't attack them. So they're unplugged and they're still ours because the NSA can't get to them physically - because the cords aren't in.

Don't tell Jon that because that's specifically against the regulations.

(Laughter)

Red Cell: I would refer back to their very own briefing and they had this one bullet here that said "Don't be afraid of your system". Well, after the NSA Red Team has been inside of it you should be very afraid of your system.

(Laughter)

(Music)

Red Cell: The results that we got back from our scans are kind of surprising. We know they're supposed to have Mail, we know they're supposed to have Web, but they have weird things like Telnet open and a bunch of other things that you go, "Well, why wouldn't you lock that down? Why wouldn't you turn that off?". Little bit of a surprise but a happy one at that. It gives us more ways to attack.

Coast Guard: I guess from my perspective since I've kind of been in and out today it almost seems like everything is falling apart at the seams.

Looks like they're targeting the dot 48 workstation.

Suddenly when we were going to our website we were no longer able to get into the database. We weren't able to get to the forums. We were getting general SQL errors, which meant that something happened with our SQL database. We basically found the packets from Red Cell that had gone in. We're just trying to figure out now, in those packets, what they did and how they did it and how to prevent it.

Oh here we go, we got some learnin' going on now!

(Music)

We're mentally and spiritually drained due to CDX.

Red Cell: Navy is doing really good. So far they haven't had any exploits by the Red Cell. Had a couple service outages but overall they are doing an excellent job.

Air Force: From our perspective everything is up and running. Traffic is being generated fine. Our services are communicating and we have interoperability with other networks, whereas last year by this time we weren't able to talk to anybody and our website was blatantly defaced.

(Music)

Red Cell: West Point is ahead at this point. They certainly do appear to be the strongest. But we'll see how things progress here.

(Music)

Merchant Marines: Passwords. Apparently we had a little couple issues with passwords. I don't know if you noticed maybe once or twice something went wrong with passwords.

How did we manage to throw away all of our passwords? I just don't understand it. It doesn't make any sense.

There was a slight error from one of our team members. I don't know who though. I'm not giving any names.

Do you have any idea what Forbenius changed this password to on eleven?

Sometimes the CAPS lock key was on and we didn't know so we don't know what the passwords are.

Why don't we know the friggin' root password?

You could say a member of our team had an error with CAPS lock.

I'm telling you, we're missing passwords. That's for the host machine - we're missing passwords.

We're headed in the right direction right now. Don't you look at me!

I've been looking for them all afternoon, morning, whatever time of day it is.

This is why we need girls. Girls are good at passwords and stuff.

We're mounting a disinformation campaign!

You know, that would be a genius idea. Write the stuff on the friggin' board.

Come on. Really? Yeah. Yeah. Yeah. Look at that. Good thing I already changed it.

Gotta be someone else's fault.

It's irrelevant because we've already changed all of these, so...

Red Cell: We've had a chance to get into a lot of the different academies. West Point and the Naval Academy are still kind of our lone standouts at this point.

Red Cell: My team is charged with going after West Point. They're hard. We haven't got much of anything at all. We're going to be asking the Gray Cell users to be either checking an e-mail or going to a website. As opposed to shooting from outside in we're going to go from inside out. We've been testing it out all morning so hopefully it will work.

Army: One of the user workstations tried to call back to port 50000. We checked the port and it's a known trojan so it's getting smacked down at our proxy but it still indicates that there are issues with the user workstation. Even though it's not getting back to them there is something on it that shouldn't be on it.

(Music)

Navy: It looked like they'd identified what we actually have on our network and how they got that we didn't see.

Red Cell: I have this file, I mean I'm on their box. I can play with them all day.

Navy: But they were hitting it with traffic from multiple sources, they were hitting it with a lot of traffic at once. They were basically trying to map out our network.

Red Cell: I mean, I'm looking at their interior addresses right here. We've mapped out all their internal IP addresses here to 172.0.0.

Navy: We're pretty confident they have a good idea what's on our network right now so it's kind of a matter of figuring out how we're going to defend and respond against that.

Red Cell: Oh well Navy!

(Music)

As we wait for them to total the points people are just walking around asking, "Have you heard anything? Have you heard anything?". And then when the conference call comes it feels like a locker room to be honest with you because everyone is just holding hands and hoping.

NSA: Alright everyone, let's do a quick roll call. US Military Academy?

Here.

I had an impression for awhile that what NSA was doing over there was magic.

You can sit in a class, you can read books, and you can stare at Powerpoints all day long, but until you get a chance to get hands-on with a network and actually see it in action it's a completely different scenario.

IAD DIR: All the reports have been read and graded and all of the scores have been tallied.

It moved out of the realm of "magic box" and into the realm of "I know what's going on there".

IAD DIR: And it is my great pleasure to announce that the 2010 winner...

Win or lose, at the end of the day it's about everyone learning something and taking away something they can use.

IAD DIR: For the Cyber Defense Exercise is... The United States Naval Academy

(Music)

Navy: Everyone was going nuts. We were hopeful but no one had their hopes up. It just took our emotions pedal to the metal. It was a great day.

It felt great bringing the trophy home. We worked really hard, the team worked really hard, it just came together and we brought it back.

I was pretty excited. I reportedly disappeared but I don't know, I think I blacked out or something. It's been a great capstone on all the work that everyone had put in. It's an excellent honor and we're really happy to have won it.

_____________________

During Credits:

Oh, hey there! Just doing a little work.

People say, "you just plug in this and it should work". And I plug in that and it doesn't work. And they say, "I don't know, it should work".

I've gone without sleep for four years. I'm used to it.

(Music)

We didn't have a printer that worked as far as loading the printer. Basically something a normal five year old girl could do we couldn't do.

This just looks like normal traffic. How's the traffic to your brain waves?

Nil.

Everything could go to sh-t.

Do you realize that was Cooper's computer in his room by himself?

(Music)

Did you get a shot of the other guys in the lab?

NSA, you lied! You said this was going to be fun! I didn't have any fun, I lost sleep and I'm really tired, and my grades are bad now. If I don't graduate I am suing the NSA. Thank you very much!