PaulDotCom mailing list archives
Blue Team Tactics
From: trklisted at networksamurai.org (mOses)
Date: Tue, 28 Jul 2009 11:45:00 -0400
For shame, for shame! There are definitely 'defensive tools' that are lacking in some of the CTF games! The attackers are coming into this to 'win'; how come the defenders are not also preparing to win?

- If you know you're being attacked from the 'network', how come there are no sensors involved? Maybe it's a time constraint that we don't have IDS? That is a real-life item that should be given to defenders. IDS can also do some TCP resets and shunning, which can be valuable. While the attackers can evade IDS, this may be a nice little stop gap. The question is, can you prepare ahead of time with an IDS sensor? The 'attackers' are preparing ahead of time with their tools.

- Patching is an OK option, but yet again not 100% foolproof, right? Software will be insecure, so you can't solely rely on patching.

- Logging and correlated logs will be important to a blue team, but if it's not available even a basic BASE console will be enough for IDS eventing, or maybe the free Splunk platform?

- There are the Sysinternals tools: Procmon, Filemon, Regmon, Process Explorer, NetMon.

- What about things like GMER, Rootkit Revealer and other items to look for the existence of nasties?

- If you are a defender in a game, maybe it would be prudent to set up tools like 'flow' analysis to look at NetFlow.

- What about leveraging some scripts from Nmap? Nmap scan the network and do diffs. If you see new ports opened or listening, maybe you've been compromised!

I love the conversation. The real value in these CTF games and pentests is not for the attacker all the time; the real value is in understanding how to do 'live' defense.

On Jul 28, 2009, at 8:54 AM, John Strand wrote:
> Please! PSW land! Share your Blue Team tactics! What tools, scripts, and techniques do you use as part of Incident Response and Blue Team activities?
>
> I have sat in on one too many Red/Blue/CTF games where the Red team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Abel, Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture techniques (including IronGeek's rubber hoses) and the Blue team gets.... "An un-patched Windows 2000 box and a slew of un-patched software!!!!!"
>
> Please see the following video for reference: http://www.youtube.com/watch?v=Y77n--Af1qo
>
> Yea.. That's right.... As of today the Blue Team is what you get assigned to when you are caught stuffing peas up your nose. This stops today!!!
>
> There are a few rules. Tricks and scripts must be able to run at the command line of your operating system of choice and all tools must be freeware or open source. That's it!!!
>
> Look, the Blue Team can rock!!! So please share your tricks. I am going to collect and add to them so we have a solid list and this will serve as the playbook for the Blues going forward. Be expecting this on the PDC site soon.
>
> strandjs

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
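The "Nmap scan the network and do diffs" idea from mOses's post, worked through as an added example that is not part of the thread or of any poster's own scripts: two runs of `nmap -oG` (grepable output) against the same range are parsed, and any port that is open now but was not open in the baseline is flagged per host, along with hosts that appeared or vanished between scans. Both scan texts below are constructed sample data in Nmap's grepable format (the host addresses, service names and timestamps are made up), so the script runs offline; in practice you would feed it the saved `-oG` files from a known-good baseline and the current scan.

```python
"""Diff two Nmap grepable (-oG) scans and report newly open ports.

Added example for the mailing-list thread above; the scan text is
constructed sample data, not a real capture.
"""
import re
from typing import Dict, List, Set, Tuple

OpenPort = Tuple[int, str, str]          # (port, protocol, service)
HostPorts = Dict[str, Set[OpenPort]]     # ip -> set of open ports

# Constructed baseline taken when the hosts were known-good.
# Grepable format: Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpcinfo/version/, ...
BASELINE_SCAN = """\
# Nmap 5.00 scan initiated Tue Jul 28 09:00:00 2009 as: nmap -oG - 10.0.0.0/29
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done at Tue Jul 28 09:00:12 2009 -- 8 IP addresses (3 hosts up) scanned in 12.31 seconds
"""

# Constructed current scan: 10.0.0.5 has a new listener on 4444/tcp, 10.0.0.6 now
# exposes 3389 and 8080, 10.0.0.4 is gone and 10.0.0.7 is a host we never saw before.
CURRENT_SCAN = """\
# Nmap 5.00 scan initiated Tue Jul 28 11:00:00 2009 as: nmap -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
# Nmap done at Tue Jul 28 11:00:14 2009 -- 8 IP addresses (3 hosts up) scanned in 14.02 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text: str) -> HostPorts:
    """Return {ip: {(port, proto, service), ...}} for every port in state 'open'.

    A host that is up but has no Ports line still gets an (empty) entry, so a
    host that disappears in a later scan can be reported.
    """
    hosts: HostPorts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                          # comment and "Nmap done" lines
        ports = hosts.setdefault(m.group(1), set())
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Only the first five slash-separated fields matter here; the
                # version field may itself contain slashes, so cap the split.
                parts = entry.split("/", 5)
                if len(parts) < 5:
                    continue                  # malformed entry, skip it
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    ports.add((int(port), proto, service))
    return hosts


def diff_scans(baseline: HostPorts, current: HostPorts) -> Dict[str, dict]:
    """Per host: newly open ports, ports no longer open, and host appearance/disappearance."""
    result: Dict[str, dict] = {}
    for ip in sorted(set(baseline) | set(current)):
        before, after = baseline.get(ip), current.get(ip)
        if before is None:
            result[ip] = {"status": "new host", "opened": set(after), "closed": set()}
        elif after is None:
            result[ip] = {"status": "host gone", "opened": set(), "closed": set(before)}
        else:
            result[ip] = {"status": "known", "opened": after - before, "closed": before - after}
    return result


def suspicious_hosts(changes: Dict[str, dict]) -> List[str]:
    """Hosts worth a closer look: anything with a newly open port, or a host that just appeared."""
    return [ip for ip, c in changes.items() if c["opened"] or c["status"] == "new host"]


def report(changes: Dict[str, dict]) -> List[str]:
    """Human-readable lines, one per change, suitable for mailing to the blue team."""
    lines: List[str] = []
    for ip, c in changes.items():
        if c["status"] != "known":
            lines.append(f"{ip}: {c['status']}")
        for port, proto, svc in sorted(c["opened"]):
            lines.append(f"{ip}: NEW open port {port}/{proto} ({svc or '?'})")
        for port, proto, svc in sorted(c["closed"]):
            lines.append(f"{ip}: no longer open {port}/{proto} ({svc or '?'})")
    return lines


if __name__ == "__main__":
    changes = diff_scans(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN))
    print("\n".join(report(changes)))
    print("investigate:", ", ".join(suspicious_hosts(changes)))
```

Note that a port going from `filtered` to `open` (3389 on 10.0.0.6 above) is reported as newly open, since only the `open` state is kept from each scan; the diff says nothing about what the new listener is, only that the baseline did not have it, which is exactly the prompt to go look at the box with the Sysinternals tools mentioned in the post.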