Ice II Wrap-up
Well, we finally made it back from a long week in Las Vegas. A lot of interesting things happened while we were out there but, most of all, ICE II went extraordinarily well. I don't think the exercise could have run any smoother, the participants were outstanding and everyone seemed to have a great time with it and, hopefully, got something out of it.
For those just getting information about the event now, the information page is still available on our site. As soon as we can compile all the logs, reports and photos, those will be posted as well. I'm going to try to keep the writeup of events fairly brief, in an attempt to keep it interesting for those that weren't there to see it. Huge thanks to SANS for hosting the event and giving us plenty of room and equipment to work with (especially the A/V guys, who willingly ran around finding all sorts of electronic gadgets that I forgot). Special thanks to Larry Pesce and Paul Asadoorian from the Pauldotcom podcast. Larry captained the defending teams while Paul captained the attacking teams, and both took on the unenviable job of organizing a group of participants into an effective IT team. Thanks also to Bill from i-hacked, who came out to be a press guy as well as participating as both an attacker and a defender on various nights.
For those interested in a participant's perspective: Paul did a write-up from his perspective as captain of the attacking teams, and Bill did a writeup of his experiences from both sides of the exercise.
** EDIT **: Larry has also posted his experiences as captain of the defending teams.
The Setup
For the event, SANS graciously gave us 4 conference rooms in Caesar's Palace for the game: 2 rooms on one side of the hallway and 2 rooms directly across from them. Caesar's Palace also helped us out by setting up VLANs for us on their switches, so we didn't have to run cables across the hallway (although I'm sure no Red Cell guys would ever attempt to mess with the Defenders' physical cables in an open hallway...).
On one side of the hallway were the players. Separated by a movable wall, and a few sets of velvet ropes (to keep the spectators from wandering around, as well as to make the players feel downright classy) were the Red and Blue Cells. The Red Cell, our hackers, were stationed on the left, their room generally filled with a sense of calm determination and covered with relaxing techno-beats and beer. For hours on end they attempted to wreak havoc, cause mayhem and generally infuriate the defenders.
On the right side we had the Blue Cell, our defenders. Their room was filled with bustling energy and a lot of movement and covered with the soothing sounds of Whitney Houston (not a joke, though I believe this was psychological warfare against the Red Cell). Imagine that you're in a room with a door that has no lock, and outside are a pack of velociraptors, and you know that, given only a short time, they will learn how to operate the door handle. It was a lot like that. For hours on end they attempted to prevent the wreaking of havoc, deny the causation of mayhem and generally to resist infuriation.
Night 1
As you would expect, the first day was mostly about getting acquainted with the game network. Especially for those that ended up participating on multiple nights, it was all about learning what was in play, as well as which aspects of the networks were easy or difficult (to either attack or defend). Attackers from Core Security and Immunitysec worked with the SANS attendees to break into machines and cause general havoc. All that you'd expect from a hacking exercise.
The one big event of Night 1 came near the end of game time. As I mentioned above, the only barrier between the participants and the outside world was a set of velvet ropes. While velvet ropes are an effective visual barrier, their effectiveness as a physical barrier is wholly restricted to the honor system. Near the end of Night 1 the honor system of the velvet rope broke down into what some might call "simple assault" and I'll refer to here as a "lack of civility". Alright, so it sounds much worse than it actually is. In a fit of gloating, Paul came to the Defenders' side and hopped the velvet rope; the defenders then euphemistically "requested Paul leave the area" by physically carrying Paul out of the room.
Paul was not amused, and Night 2 began with a strict "No physical contact, not even thumb wrestling" rule. We'll know better for next time.
Night 2
The setup for Night 2 was almost identical to Night 1, with a couple of minor additions. First was the addition of a wireless access point to defend (already encrypting traffic with WPA2), as well as the addition of spectator computers. A set of laptops was set up that spectators could use to browse the websites of the teams, along with VoIP phones that could be used to call the teams if there were problems. These laptops were the source of fun for Night 2.
One of the spectator laptops was connected wirelessly to the defending team's access point. This was our legitimate roaming client. About halfway through the night, once the defenders began to really lock their systems down tight, we allowed the Red Cell to simulate an infected client by running a single executable on the laptop. The Red Cell turned this laptop into a pivot point, using some Immunitysec tools, and started routing attacks through the now-infected host.
Night 3
On Night 3 we decided to replace their large, standard-looking access point with a tiny access point hidden underneath the Defenders' table. Let's see if they notice the difference...
Again, after the Defenders really started to lock down their networks, we dropped hints to the Red Cell that there might be a hidden "rogue access point" in play. The defenders' reactions to this play were especially good. The mini wireless access point has a default IP address of 192.168.1.1, so several defenders watching traffic saw this address but had no idea what it was, and just chalked it up to attackers trying to phone home to an incorrect address. There were about 45 minutes left in the game when the Red Cell got to play with the access point, and at the very end Tim called the defenders on their VoIP phone to tell them where to look for the access point.
We've got some great photos of an entire team of Red Cell members watching Blue Cell guys crawling under a table to try and find this hidden access point.
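The defenders saw traffic to 192.168.1.1 and dismissed it because the address wasn't on their radar. As an added example (not code from the original post or the event), here is a small inventory check that flags any address inside the team's own private ranges that isn't on the known-host list, and marks it when it matches a factory-default access point address; the inventory, the flow records and the second default address are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory of the Blue Cell's own hosts (assumed addresses).
KNOWN_HOSTS = {"10.0.0.1", "10.0.0.10", "10.0.0.20", "10.0.0.50"}

# Private ranges the defenders consider "theirs": an address in here that is
# not in the inventory is something unexpected plugged into the network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Factory-default addresses of small consumer access points. 192.168.1.1 is the one
# from the write-up; 192.168.0.1 is an assumed common default, not from the post.
DEFAULT_GEAR_ADDRS = {"192.168.1.1", "192.168.0.1"}

FLOW_RE = re.compile(r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def find_unknown_hosts(flow_lines, known=KNOWN_HOSTS):
    """Map each un-inventoried internal address to its hit count, the hosts that
    talked to it, and whether it matches a factory-default access point address."""
    findings = defaultdict(lambda: {"hits": 0, "peers": set(), "default_gear": False})
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        src, dst = m.group("src"), m.group("dst")
        for ip, peer in ((src, dst), (dst, src)):
            # ignore inventoried hosts and anything outside the internal ranges
            if ip in known or not any(ip_address(ip) in net for net in INTERNAL_NETS):
                continue
            entry = findings[ip]
            entry["hits"] += 1
            entry["peers"].add(peer)
            entry["default_gear"] = ip in DEFAULT_GEAR_ADDRS
    return dict(findings)

# Constructed sample flow records (not captured from the event).
SAMPLE_FLOWS = [
    "10.0.0.10:51000 -> 10.0.0.1:53",
    "10.0.0.20:49152 -> 10.0.0.50:80",
    "10.0.0.20:49153 -> 192.168.1.1:80",
    "10.0.0.50:33000 -> 192.168.1.1:443",
    "10.0.0.77:40000 -> 10.0.0.50:22",
    "10.0.0.10:51001 -> 203.0.113.5:80",
    "not a flow record",
]

if __name__ == "__main__":
    for ip, info in sorted(find_unknown_hosts(SAMPLE_FLOWS).items(), key=lambda kv: (not kv[1]["default_gear"], kv[0])):
        tag = " (matches a factory-default AP address)" if info["default_gear"] else ""
        print(f"{ip}: {info['hits']} flows with {sorted(info['peers'])}{tag}")
```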
Wrap-Up
Overall the games went extremely well. We had about 100 participants over all 3 nights (with some repeat offenders), as well as a couple hundred spectators that came through just to watch parts of the game or see what was going on. At a conference with about 950 people, those are pretty impressive numbers for a hacking exercise. To those participants that might be reading this, thanks for making this an awesome exercise and having fun with it. If you attended the conference or participated in ICE II, please leave us some comments; we're always looking for ways to improve the game and the experience for those playing.
And huge thanks go to Fortinet, our IDS Sponsor, for providing IDS/IPS services for the teams, as well as showing traffic analysis and trending for the game traffic in real-time. Awesome stuff, and we hope to see even more people next year!