Blue Team Survival Guide

To help students get started in CyberWildcats CTF events, we’re providing this expanded edition of the original Blue Team Survival Guide that was published in 2011. The intent of this document is to give students a concrete list of preparation activities to pursue between now and the next CTF, to better hone their skills. Links to Wikipedia pages, howto’s, and exercises that the students should perform will be given.

This Guide is intended for students of all skill levels, from novice to advanced. If a student becomes overwhelmed when attempting one of these howto’s, simply put it aside and try another, or ask for help from me or another club member.

Students should use the bullets in this document as a checklist of activities to perform from now until the next CTF. Most of the documents linked to have their own reference links. Students are strongly encouraged to consult these and search out additional practice for further experience and education.

Systems Administration

One of the key skills for doing well in a CTF actually has nothing to do with active defense: simply knowing how to administer the operating systems used in the environment can be crucial.

Network Services Administration

Links to specific software and versions will be provided, but the student should go beyond these to other, different packages.

The more practice a student has with different software that provides the same service (for example, postfix and sendmail in Linux for mail services) the better a student will be at adapting to new software they’ve never seen before.

Preventative Defenses

The best defense is the one that keeps the bad guys out. Focus on these tactics from the outset to try and minimize the damage.

  • Change passwords – quick and easy, just be sure you don’t lock yourself out
  • Firewall – lock it down, only allow the ports you need for business services. iptables official Howto
  • AntiVirus – install AV on anything running Windows (Clam AV, McAfee, Norton)
  • System Hardening – Turn off needless ports/services inside of the firewall as well. Puschitz Linux Howto, Win2k3 Hardening Howto
  • Know Your Environment!
    • What computers are in your network? (nmap, pscan)
    • What services are you running? (netstat -peanut, nmap, pscan, ps -aef, tasklist)
    • Are the services you’re forced to run vulnerable? Check versions and Google!
    • What accounts need to be there? What business processes are running? Watch logfiles, sniff network traffic, learn what normal processes look like!
    • Patch or upgrade – if you can with confidence that it won’t take down the affected service
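The "know your environment" and "firewall" bullets above boil down to one procedure: list what is listening, compare it with what the box is supposed to serve, and turn the answer into a default-deny ruleset. The following script is an added example for this guide, not code from the original page. The allowlist, the role it describes and the sample `ss` listing are constructed for illustration; on a real host you would feed it `ss -H -lntu` (the `netstat -peanut` of modern distributions) and review the generated rules before loading them.

```shell
#!/bin/sh
# Added example for the "Preventative Defenses" checklist; not part of the
# original guide. Audits which sockets are listening against a per-host
# allowlist, then prints (does not apply) a default-deny iptables ruleset.
# The allowlist and the sample socket listing are constructed for illustration.

# Hypothetical policy for a web server that also serves DNS: proto/port pairs.
ALLOWED_PORTS="tcp/22 tcp/80 tcp/443 udp/53"

# Constructed sample in the column layout of `ss -H -lntu`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306  0.0.0.0:*
tcp   LISTEN 0 5   0.0.0.0:6667    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:53      0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:69      0.0.0.0:*'

# audit_listeners: read ss-style lines on stdin and print "proto/port address"
# for every socket reachable from the network that is not in ALLOWED_PORTS.
# Loopback-only listeners are skipped: they are not exposed to the attacker.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 != "LISTEN" && $2 != "UNCONN" { next }        # skip a header line or noise
    {
        laddr = $5
        port = laddr; sub(/.*:/, "", port)            # text after the last ":"
        addr = laddr; sub(/:[^:]*$/, "", addr)        # text before it ([::]:22 works too)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        key = $1 "/" port
        if (!(key in ok)) print key, addr
    }'
}

# gen_iptables_rules: emit an iptables-restore file with a DROP policy on INPUT
# that still admits loopback, replies to our own connections, and ALLOWED_PORTS.
# Everything else is logged before the policy drops it, so the firewall
# doubles as a sensor.
gen_iptables_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for entry in $ALLOWED_PORTS; do
        proto=${entry%/*}
        port=${entry#*/}
        echo "-A INPUT -p $proto --dport $port -j ACCEPT"
    done
    echo '-A INPUT -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# Stand-alone run: report rogue listeners from the sample, then show the ruleset.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
gen_iptables_rules
```

On the sample the audit reports `tcp/6667` and `udp/69`: an IRC daemon and a TFTP server that nobody asked for, while the loopback-only MySQL port is left alone. Write the ruleset to a file (`gen_iptables_rules > rules.v4`), read it, and load it with `iptables-restore < rules.v4` from a console session rather than over SSH; if you must do it remotely, start a delayed reset first (`sleep 120 && iptables -P INPUT ACCEPT && iptables -F`) so a typo in the SSH rule does not lock you out, which is the same caveat the "change passwords" bullet gives.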

Reactive Defenses

Sooner or later (probably sooner ;-), all of those stout defenses put in place to keep out the bad guy just aren’t going to cut it. So, it’s important to be able to identify when blood has been drawn. After locking down the environment adequately, focus on these measures.

  • Watch for unauthorized connections
    • Know what kind of connections each system should have. Does it make sense for a webserver to be connecting out on port 22 to some random host outside of the network?
    • Where to watch from
      • The firewall – it’s the choke point, so all connections pass through it.
      • Host monitoring – an individual host watching the traffic it sees.
    • How to watch – netflow at the firewall, tcpdump or wireshark on the wire, netstat on the host.
  • Watch for attacks
    • Install Network Intrusion Detection – the firewall is an ideal place. Snort is an excellent tool, and Bro IDS might be good to try. Just be sure to watch the logs…Splunk may be your best bet…here’s a quick howto
    • Look at your logfiles. Found in /var/log on Linux and in Event Viewer (eventvwr.msc) on Windows.
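The two reactive habits above, checking that live connections fit each host's role and actually reading the logs, are easy to script so they can run every few minutes during a game. The block below is an added example written for this guide, not code from the original page. The role policy (a web server that serves 80/443 and only talks outbound to 10.x hosts), the `ss -H -ntp` listing and the `/var/log/auth.log` lines are all constructed; the parsing follows the real column layout of those commands and files.

```shell
#!/bin/sh
# Added example for the "Reactive Defenses" list; not part of the original
# guide. Two checks a blue team can run in a loop: flag established connections
# that do not fit a host's role, and pull brute-force / suspicious-success
# patterns out of the SSH log. Policy values and sample data are constructed.

# Hypothetical role policy for a web server: it should only accept connections
# on these ports, and only talk outbound to the internal network.
SERVED_PORTS="80 443"
INTERNAL_PREFIX="10."

# Constructed sample in the column layout of `ss -H -ntp`:
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_CONNS='ESTAB 0 0 10.0.0.5:443   198.51.100.9:51234  users:(("nginx",pid=1234,fd=7))
ESTAB 0 0 10.0.0.5:80    198.51.100.20:40001 users:(("nginx",pid=1234,fd=9))
ESTAB 0 0 10.0.0.5:38844 10.0.0.2:53         users:(("nscd",pid=800,fd=3))
ESTAB 0 0 10.0.0.5:41022 203.0.113.77:22     users:(("sh",pid=4242,fd=3))'

# Constructed sample /var/log/auth.log lines (syslog format).
SAMPLE_AUTH_LOG='Mar 14 10:01:02 web1 sshd[2011]: Failed password for root from 203.0.113.77 port 50122 ssh2
Mar 14 10:01:04 web1 sshd[2011]: Failed password for root from 203.0.113.77 port 50122 ssh2
Mar 14 10:01:07 web1 sshd[2013]: Failed password for invalid user admin from 203.0.113.77 port 50130 ssh2
Mar 14 10:02:11 web1 sshd[2020]: Accepted password for root from 203.0.113.77 port 50144 ssh2
Mar 14 10:05:00 web1 sshd[2031]: Accepted publickey for deploy from 10.0.0.9 port 41000 ssh2'

# flag_connections: read ss-style lines on stdin; print every ESTAB connection
# that is neither inbound to a served port nor outbound to an internal host.
flag_connections() {
    awk -v served="$SERVED_PORTS" -v internal="$INTERNAL_PREFIX" '
    BEGIN { n = split(served, s, " "); for (i = 1; i <= n; i++) srv[s[i]] = 1 }
    $1 == "ESTAB" {
        lport = $4; sub(/.*:/, "", lport)
        paddr = $5; sub(/:[^:]*$/, "", paddr)
        pport = $5; sub(/.*:/, "", pport)
        proc = ($6 != "") ? $6 : "-"
        if (lport in srv) next                     # a client talking to our service
        if (index(paddr, internal) == 1) next      # outbound to an internal host
        print "UNEXPECTED outbound to " paddr ":" pport " from local port " lport " " proc
    }'
}

# ssh_login_report THRESHOLD: read auth.log lines on stdin. Report sources with
# at least THRESHOLD failed passwords, and any successful login from a source
# that had failures (a brute force that finally worked).
ssh_login_report() {
    awk -v thr="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    /sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "from") { ok[$(i+1)] = $(i-1); break }
    }
    END {
        for (ip in fails) if (fails[ip] >= thr) print "BRUTEFORCE " ip " failures=" fails[ip]
        for (ip in ok) if (ip in fails) print "SUCCESS-AFTER-FAILURES " ip " user=" ok[ip]
    }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_CONNS" | flag_connections
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_login_report 3
```

On the sample, the connection check ignores the two web clients and the lookup to the internal DNS server and reports only the shell holding an outbound session to port 22 on an outside host, which is exactly the "does it make sense?" question from the list; the process column tells you what to kill. The log check reports three failures from 203.0.113.77 followed by a successful root login from the same address, the pattern you care about far more than the failures alone. On a live box run `ss -H -ntp | flag_connections` and `ssh_login_report 5 < /var/log/auth.log` (on Red Hat derivatives the file is /var/log/secure) from cron or a `watch` loop.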

Prior Game Reviews

The pcaps of prior games are available for students to review and study, in preparation for the upcoming CTF competitions:

Use tcpdump, wireshark, argus, or snort to analyze the traffic…post to the forum what you find!
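A first pass over a game capture usually asks two things: which services attracted connection attempts, and which sources were just scanning. The script below is an added example for this guide, not the original author's; it summarises the text that `tcpdump -nn -r game.pcap` prints rather than reading the pcap directly, so it runs anywhere `awk` does. The sample lines are constructed in tcpdump's output format; no real game traffic is included.

```shell
#!/bin/sh
# Added example for "Prior Game Reviews"; not part of the original guide.
# Summarises the text output of `tcpdump -nn -r game.pcap` to answer two
# first-pass questions about a capture: which ports attracted connection
# attempts, and which sources look like port scans. The sample lines below are
# constructed in tcpdump's output format; no real game capture is included.

SAMPLE_TCPDUMP='10:00:01.000001 IP 198.51.100.9.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000100 IP 10.0.0.5.80 > 198.51.100.9.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:01.000200 IP 198.51.100.9.51234 > 10.0.0.5.80: Flags [.], ack 3, win 502, length 0
10:00:02.000001 IP 203.0.113.77.40001 > 10.0.0.5.21: Flags [S], seq 1, win 1024, length 0
10:00:02.000002 IP 203.0.113.77.40002 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
10:00:02.000003 IP 203.0.113.77.40003 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
10:00:02.000004 IP 203.0.113.77.40004 > 10.0.0.5.25: Flags [S], seq 1, win 1024, length 0
10:00:02.000005 IP 203.0.113.77.40005 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0
10:00:03.000001 IP 198.51.100.20.40010 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0'

# syn_summary SCAN_THRESHOLD: read tcpdump -nn lines on stdin. Count pure SYNs
# (Flags [S], the first packet of a TCP handshake) per destination ip:port,
# and flag any source that sent SYNs to at least SCAN_THRESHOLD distinct ports.
# With -nn, tcpdump prints addresses as a.b.c.d.port, so the port is the
# last dotted component.
syn_summary() {
    awk -v thr="${1:-4}" '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        src = $3; sub(/\.[^.]*$/, "", src)            # drop the source port
        dst = $5; sub(/:$/, "", dst)                  # strip the trailing colon
        dport = dst; sub(/.*\./, "", dport)           # last dotted component
        dip = dst; sub(/\.[^.]*$/, "", dip)
        syn[dip ":" dport]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END {
        for (t in syn) print "TARGET " t " syns=" syn[t]
        for (s in ports) if (ports[s] >= thr) print "SCAN " s " distinct_ports=" ports[s]
    }' | sort
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_summary 4
```

The SYN-ACK and ACK lines are ignored on purpose: only the opening SYN says who initiated a connection. On the sample, port 80 shows two attempts and 203.0.113.77 is flagged for hitting five distinct ports in one second. For a real game file, let tcpdump do the filtering so awk sees less: `tcpdump -nn -r game.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_summary 10`. Wireshark's Statistics > Conversations view gives the same picture interactively; argus and snort can then be pointed at the flows that stand out.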

References

All links in this document were brought to you courtesy of Google. As I continuously say in CTF meetings, Google is your friend. Get in the habit of Googling any time you have a question, whether doing the howtos, classwork, or any other endeavor.

  • Searched for snort reading pcaps
  • Searched for windows event viewer
  • Searched for linux logs
  • Searched for splunk quick howto
  • Searched for splunk
  • Searched for Bro intrusion detection system
  • Searched for netflow
  • Searched for wireshark
  • Searched for tcpdump
  • Searched for windows cli task list
  • Searched for nmap
  • Searched for windows portscan
  • Searched for “know your environment” information security
  • Searched for windows system hardening
  • Searched for linux iptables howto
  • Searched for system hardening wikipedia
  • Searched for firewall wikipedia
  • Searched for antivirus wikipedia
  • Searched for norton av
  • Searched for mcafee
  • Searched for clamav
  • Searched for linux account management
  • Searched for computer account wikipedia
  • Searched for windows 2003 domain account management
  • Searched for windows account management
  • Searched for linux advanced cli howto
  • Searched for linux cli howto
  • Searched for nircmd
  • Searched for windows cli howto
  • Searched for command line interface wikipedia
  • Searched for RDP wikipedia
  • Searched for ssh wikipedia
  • Searched for windows domains wikipedia
  • Searched for smtp wikipedia
  • Searched for http wikipedia
  • Searched for web wikipedia
  • Searched for dns wikipedia
  • Searched for dns troubleshooting
  • Searched for windows network howto
  • Searched for networking howto
  • Searched for RDP howto
  • Searched for ftp howto
  • Searched for openssh howto
  • Searched for windows 2003 domain controller howto
  • Searched for microsoft exchange install howto
  • Searched for bind howto
  • Searched for sendmail howto
  • Searched for postfix install howto
  • Searched for windows dns server howto
  • Searched for apache howto
  • Searched for iis 6 howto
