Capturing the Flag

Yaacov Apelbaum - Who Knows What Evil Lurks in the Heart of a Cyber Attacker

If you are a typical cyber security practitioner, you most likely catch-up on the latest developments by visiting on-line sites like News Now and by periodically attending various vendor workshops. For the majority of InfoSec managers, the daily work grind and life/work balance challenges diminish the prospects of going back to school and plowing through hands-on in-depth training.

Over the past two decades, the corporate cursus honorum for IT management has been the much coveted MBA degree. In a large number of Fortune X00s, having an MBA from a top school was considered a prerequisite for an executive promotion. An MBA attested that an individual possessed all the current business acumen and the polish needed to take on any future leadership responsibility, it was the ultimate professional endorsement of merit.

This trend—other than having the end result of a glut of MBAs on the market—has also resulted in a shortage of highly technical cyber security managers. Consider some of the wholesale data breaches in some of the largest US retailers for 2014 alone. Check out the biographical backgrounds of some of the CISOs of the impacted companies. Not surprisingly, you will find no shortage of MBAs from top tier schools. What appears to be missing are individuals with vocational specializations in information and cyber security, and I’m not referring to rank and file CISSPs.

Of course, a common counter argument to this is that as a manager you are not supposed to know the ‘nitty gritty’ details of every technology in your corporate inventory and instead are expected to delegate to and draw on the expertise of others.

I don’t agree with this argument. Cyber security unlike databases or ecommerce, is almost entirely a low level technical play and as such, a security manager should not have gaping holes in his knowledge or overly rely on subordinates to make sense of risk, threats and counter measures. In a corollary it would be unacceptable for a airline pilot to have gaping holes about his aircraft operations and him delegating the actual flight responsibility to the cabin crew.

I’ve recently had a chance to witness just how limited classical enterprise defenses have become. This is especially true when it comes to Advanced Persistent Threats. In one incident that eventually became the catalyst for me going back to school, I witnessed how a one cyber attack managed within minutes to defeat all of the traditional enterprise defenses and counter measures without even braking a sweat. Amazingly, even after the debriefing and root cause analysis, the security team was no closer to understanding how a properly configured and maintained brand name FW and an IDS/IDPS failed to stop the attack, let alone even detect it.

If you are thinking that this couldn’t happen to you, think again. In the incident that I just described, all target boxes were patched, there were strict access control measures in place, the network was sub-netted, and there were effective audit and password management systems in place.

After recovering from my momentary shock, I had an epiphany and realized that I urgently needed to re-hone my skills. I’ve heard about the SANS Institute from a number of colleagues and after checking it out, I decided to enroll in their Penetration Tester program. After juggling my bank account, my work schedule, and their course availability, I selected the following four courses:

  1. SEC504 Hacker Techniques Exploits & Incident Handling
  2. SEC560 Network Penetration Testing and Ethical Hacking
  3. SEC575 Mobile Device Security and Ethical Hacking
  4. SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses

The SANS courses tuition is on the expensive side, ranging from $6000-$9000 USD per course. Add travel and accommodations and you are looking at about $12K per class. Each course is delivered in about a week (40-60 hours of classroom activity). Classes are divided into lectures and hands-on labs with heavy emphasis on getting down and dirty.

Though it took me several months to complete the coursework, I have found the whole experience to be uplifting. In addition to getting access to practical, real-world expertise from some of the world’s best penetration testers, we practiced the gray art of performing detailed reconnaissance on would-be targets including mining a social media, and infrastructure data from blogs, forums, search engines, social networking sites, and other Internet resources.

In each course, we used the latest cutting-edge attack tools as well as the traditional low budget techniques that are still quite prevalent. The aim of the course was to push the envelope in each domain and not to merely teach a handful of hacks and tricks. Another great component was exploring various administrative questions such as legal issues associated with responding to computer attacks, employee monitoring, working with law enforcement, and the collection and handling of evidence.

SANS Capture the Flag Las Vagas 2015

When it came to performing the actual exploit, we got to use the best tools on the market. This included both, COTS components and custom written utilities and scripts. In each class we learned dozens of methods for exploiting target systems and how to gain access to the systems post-exploitation. Just to illustrate the extensive hands-on approach that SANS adapted in teaching Penetrating Testing, here is a list of tools and techniques that we used in just the SEC 504 course:

– RootKits and detection
– Hidden file detection with LADS
– HTTP Reverse Shells using Base64
– InSSIDer for Wireless LAN discovery
– Nmap Port Scanner and Operating System fingerprinting tool
– Nessus Vulnerability Scanner
– Windows Command Line Kung-Fu for extracting Windows data through SMB sessions
– Sniffers, including Tcpdump
– Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
– Netcat for transferring files, creating backdoors, and setting up relays
– Metasploit, Metasploit, Metasploit Lots of Metasploit
– ARP and MAC analysis for ARP cache poisoning attack detection
– Password cracking
– Cross-site scripting and SQL injection web application attacks
– Intercepting and forging session cookies
– Detecting and executing DoS attacks techniques
– Detecting backdoors with Netstat, lsof
– Covert channels using Covert TCP
– clandestine network scanning and mapping
– Exploitation using built in OS commands
– Privilege escalation
– Advanced pivoting techniques

The great thing about the SANS curriculum is that they go pretty far down into the rabbit hole. A few of the classes required hard core coding skills (you get to write/execute some buffer overflows). Other classes were procedural and got down to the wire in terms of the inner functioning of RFC and protocol. For example, in the Wireless Ethical Hacking we had comprehensive coverage of WiFi, cordless telephones, smart devices, embedded home devices, mash technologies like ZigBee and Z-Wave, Bluetooth, DECT, and NFCs.

In the Mobile Device Security we practiced reverse-engineering iOS binaries in Objective-C, reverse-engineering Android binaries in Java and Dalvik Bytecode, evaluating mobile malware threats through source-code analysis, defeating Apple FairPlay encryption for application binary access, and overcoming anti-decompilation techniques.

SANS Capture the Flag Washington DC 2015

The participants in the classes came from diverse backgrounds, including three letter agencies, LEA incident handling team members, and security administrators. The classes are well-suited for anyone with a good command of TCPIP and networking and they would also benefit architects and technical leads involved in security operations and R&D.

The delivery of the material is completely immersive. You go from 0-90 in one second.  Each course is equivalent to a traditional graduate semester course of 4 credits so we had to complete an average of one textbook per day.  At times, you feel like you are drinking and showering from a fire hose at the same time.

Taking good notes and hitting the books at night will help you stay afloat. It goes without saying that the instructors were outstanding; they offered unlimited tutoring and were always available—even during lunch and after hours—to help answer questions and work through the practice labs.

Yaacov Apelbaum - SANS SEC504 Yaacov Apelbaum - SANS SEC560 Yaacov Apelbaum - SANS SEC575 Yaacov Apelbaum - SANS SEC617

Several interesting sessions in each class revolved around learning how to avoid being caught through various tactics and strategies for covering your tracks such as: File and directory camouflage, piggybacking on existing user Internet sessions to avoid detection, event log tampering and pruning, and performing memory cleanups.

For me, the best part of each course was the final session called “Capture the Flag”.  There, in a culmination of all of the hard work, we got to practice everything we had learned over the previous week. Each class had different parameters for capturing the flag, but they tended to follow the same patterns.

We needed to do some reconnaissance, reconstruct the network layout of our target, map our victim’s equipment and software inventory, and then proceed to execute the attacks. Once you breached the target, you would perform some additional exploits and start pivoting between hosts and ‘living off the land”. The overall objective of this exercise was to collect flags that had been placed on various locations on the victims’ network by the instructor. Some of these flags contained encrypted files or messages that we needed to decrypt and use as clues for other attacks, others involved passwords that were being sent over VOIP, in memory session information, or data hidden in binaries.

SANS Capture the Flag Boston 2015

The capture the flag event usually lasts a full day and ends when one team successfully recovers all flags. At that point, the competition is stopped, the results are verified, and the winners are awarded the coveted challenge coins.

Yaacov Apelbuam SANS 575 Capture the Flag Token  Yaacov Apelbuam SANS 617 Capture the Flag Token  560-capture-the-flag-token

If you are a computer security practitioner, I highly recommend that you take all four courses. Even if you can only afford one, go for it. It will change your prospective on pen testing forever and help you take a proactive role in keeping your company safe and out of the negative limelight.

Performing a good penetration test is much more than just hiring some outside help and rubber stamping an audit. Anyone can throw a bunch of attacks against an organization and regurgitate the output of some automated tools in hundreds of pages of reports. Verifying the integrity of your corporate security takes more than just kicking a few InfoSec tires and lifting the hood these days.

Participating in hands-on structured training will help you avoid this trap and allow you to grasp your company’s security needs so that you can prioritize and formulate the appropriate plan of action in the most cost effective and timely manner.

Going through the meat grinder, you get to witness first hand the process of hot dog making. It’s not a pretty sight, but its an informative one. One of my most profound takeaways from this whole experience was answering the existential question of the spoon. Yes, the spoon does exist, but only for the end-user, sysadmin, DBA, and auditors. There is no spoon if you are a proficient attacker. With the right strategy and tools, concepts such as access control, event log integrity, and passwords are meaningless and are but chaff before the wind.

Yaacov Apelbaum - There is no Spoon

I keep my three hard earned challenge coins on my office bookshelf as a reminder that there is likely someone out there right now who is targeting my network through some kind a a clever attack. He/she has all the right tools and resources and are as determined and hard working as I was to get his coins.

And as far as my earlier MBA comment is concerned, if you are curious to know just how many managers attended the classes, the answer is just one. None of the 20-40 participants in each classes had managerial responsibility. In fact most of the folks I spoke to were surprised that a CTO would take time from his schedule and opt to get his hands dirty instead of just delegating this to one of his directs.

After all, ‘Isn’t that what a manager is supposed to do?’

© Copyright 2015 Yaacov Apelbaum All Rights Reserved.

4 thoughts on “Capturing the Flag

  1. Hi JD,

    on the high side, about $40K USD (plus travel and lodging to the 4 course locations), but it was worth every penny :-)


Leave a Reply

Your email address will not be published. Required fields are marked *