- Students will examine the issues with tracking exploits and intrusions.
- Students will implement a plan to red team or exploit a system
- Students will engage in analysis of an exploit.
- Students will determine evidence practices when detecting an exploit.
- Students will implement a defensive plan within constraints similar to a business.
Think about the basic rules of forensics. Especially consider the basic principle that all entities induce change into a system by using or interacting with that system. A simple test of that principle would be to image a system then take a hash of the disk. After that hack the system and take another hash of the hard disk. But, wait and think about all the other things that would have changed. Is that a valid test?
Your job is going to be tracking down all the systemic changes created during an exploit with certain behaviors (you choose the exploit but it must do particular things). Your job will be to do the exploit and attempt to hide your tracks. Another team will have to attempt to prove what you did. Wait, there is more. You will be doing this against each others systems. Team 1 will attack Team 2, Team 2 will attack Team 3, etc.. until Team 5 attacks Team 1. This will hold true with only one caveat at end of the laboratory. The teams must allow for connectivity either in the Citrix system of through test networks.
What you chose in the beginning is not my problem. The job of the defender is to protect the system, and the job of the attacker is to exploit the system. Wait there is much more. The systems being attacked must be Windows XP, Windows Vista, Ubuntu, or Fedora Core 8 or higher. So, the job is to attack (capture the flag) and hide your tracks.
- No attacking over the Internet use lab networks only.
- No use of exploits of mass destruction like virii.
- No requiring a system be browsed to a website.
- All exploits are to be hands off.
The defenders should only use a vendor or NIST document to secure. I as the instructor should be able to log in to the system at any time. If a team cries foul because they say the system is not running or has been artificially protected they can ask unannounced that I log in to the system. It is your job as teams to figure out how to make that architecture work. However, if a team detects an attack and can prove it they can take the system off line for 1 hour. They must email me to start the 1-hour time out. Then it must be in service for no less than 2 hours before being taken out of service again. Other than that they are not allowed to make any changes once the tasks begin.
1. Create the target system.
a. Secure the target system using NIST or vendor guidelines.
b. Provide IP to adversary team
2. Execute exploit plan
a. Utilize exploit window period to attack
b. Must leave a text file in the root directory with the following message “exploit complete system-time”
c. Attackers must hide their tracks.
d. Evidence of an attack can be obfuscated or destroyed.
e. System must function when adversary exits. No destructive exploits.
f. Exploit team must provide a detailed explanation exactly how they accomplished/failed to exploit the target system.
g. Exploit teams can complain if the target teams don’t follow the rules.
3. Forensic analysis of systems will be required
a. Teams should evaluate and see if the file exists in their root directory.
i. If the file does not exist they must email the professor and the exploit team.
ii. Upon notification by the exploit team that they in fact failed the target team is done.
b. If the file exists the target team must find evidence.
i. A full forensic analysis is not required.
ii. Analysis is the primary focus.
iii. Evidence should be evaluated for veracity.
4. A detailed analysis of all steps should be provided to the professor in the lab write up.
Timeline: (CHANGES THE SYLLABUS)
You can start building anytime.
July 22nd (Wednesday) Target system must be complete.
July 22nd 5:00PM (Wednesday) Email sent to adversary with IP address of system
July 22nd 5:00 PM (Wednesday) – July 25th 11:00 PM (Saturday) Exploit window
July 25th 11:00 PM (Saturday) Target systems taken off line
July 26th Noon (Sunday) Declarations of success/failure by teams (via WebCT)
July 29th (Wednesday) Forensic analysis of systems must be complete
July 29th 5:00 PM (Wednesday) Full lab write up due
July 31st 5:00 PM(Friday) Peer review due
1. A lab write up as per the syllabus.
2. The defense plan.
3. The exploit plan.
4. The forensic analysis.
5. There are no rules against teams ganging up on one victim.