During the week I had the opportunity to attend a ‘Cyberattack Simulator Workshop’ hosted by Trend Micro. The event was proposed as a way to learn about cyberattacks in the modern hybrid cloud environment, whilst competing in a series of Capture the Flag challenges with other local information security professionals. Each team consisted of 3 members, and 10 total teams made for a reasonably sized playing field. Although I was somewhat nervous beforehand that my beginner skills wouldn’t stack up to those of a seasoned professional, the majority of attendees were in a similar position which made the competition aspect more casual and subsequently enjoyable.
The day was split into two halves, Attack and Defence, with points accumulating across both sections for an overall team score.
Phase 1: Attack
By far my favorite section (for reasons that will become clear below), the attack phase essentially took us through the stages of a penetration test in the form of capture the flag challenges, where the difficulty progressively increased at each stage. The challenges were technically easy, but required problem solving skills and it was not uncommon for my team to go marching down the wrong path, especially when the program had a multitude of red herrings and dead ends. This made the emphasis more on our mindset and perspective, where we were constantly having to ask ourselves ‘what can we do with this new piece of information that we couldn’t before’? I found these challenges to be extremely enjoyable, as this type of thinking is something I have lacked in my own studies, having placed far more emphasis on the technical details of penetration testing in the past.
In terms of the technical aspect of the challenges, they were fairly straightforward. Using mainly ftp and ssh on the command line to browse and retrieve information, most people were able to keep up and provide input or ideas. As previously mentioned, navigating the red herrings was often more difficult than the answers themselves. On multiple occasions we found ourselves barking up the wrong tree as we attempted more complicated SQL injection attacks. Sometimes the answers really are as obvious and easy as they first appear!
A brief list of the Linux commands used throughout the day is as follows:
- ssh – used to connect to a remote server securely
- ftp – client tool to connect to remote ftp server
- ifconfig – display IP address information
- nmap – port scanner to determine hosts and port information
- mget – ftp client command to download multiple files from the remote server onto the local machine
- sudo – run a command as root user
- ls -al – list all files, including hidden ones, in long format
- cat – print contents of a file
- ncrack – network authentication cracking tool that tries credentials from a preset wordlist
- lsb_release -a – display information regarding the operating system
- Basic SQL syntax – e.g. ‘SELECT * FROM …’ etc.
Our team managed to do fairly well in the attack phase, completing 11/14 challenges available. The main thing we struggled with was time towards the end, and I’m sure we would have been capable of completing the remaining 3 if given an extra 30 minutes.
The main console of the capture the flag games. The attack challenges are on the left, with the defence challenges on the right.
Phase 2: Defence
The second section, titled Defence, was mainly a way for Trend Micro to showcase their flagship security product, Deep Security. This is a security solution spanning physical, virtual and cloud servers, and aims to protect enterprise applications and data from breaches or disruptions. Using the Deep Security console, we configured settings, implemented rules and monitored logs to combat different types of malicious attacks. Unfortunately, I found this section far less engaging than the previous one, as we were not given information about or control over the attacks we were defending against, and instead worked exclusively with the Trend Micro product. The challenges in this section were also not progressive when compared to the attack section, which took away from the race aspect of the competition as teams selected the order of challenges at their convenience.
Overall, I don’t have much else to say about the defence section of the workshop. I hope those in attendance who were interested in the Deep Security software found value in the in-depth, hands-on demo of the program’s various capabilities.
As I always try to do with events and workshops such as this one, I reflected on the main lessons I could take from the experience. I was easily able to come up with two:
It’s so important in penetration testing to keep an open and inquisitive mind. Constantly think about other ways of approaching a problem or using a piece of information, and don’t ever assume you are on the right track until you achieve the result you were seeking.
It can be easy to reach straight for the ‘heavy weaponry’ of penetration testing, when the answer may be as simple as entering a set of default credentials. It’s important not to overlook these ‘obvious’ answers and to do the due diligence of starting from the basics first. Only after all the simple options have been exhausted should the level of complexity be increased.