Sun 5 Oct 2008
Integrated Cyber Exercise II Review
Posted by hevnsnt under Hacking, Hardware, Internet, Software
As I mentioned in an earlier post, I was able to attend the second Integrated Cyber Exercise (ICE II) hosted by White Wolf Security this weekend in Las Vegas. ICE II puts a group of Red Cell hackers against multiple teams of Blue Cell defenders. Each defending team is given a small network infrastructure with a router, firewall, servers and desktops. The Blue Cells are responsible for keeping their network alive and functional with real services such as email, e-commerce and DNS. The Red Cell is responsible for attacking the Blue Cell network.
As a “Security Professional”, I know that training is a VITAL component to staying a razor sharp asset to my company, however I have found that without constant practice a lot of the learned techniques can be lost over time. The US Military is well known to constantly run “drills” that simulate an active attack in order to keep their soldiers ready & knowing how to handle themselves when the real thing occurs. Since most of our companies won't allow you to attack them “to learn”, most in the security field either make virtual machines or illegally attack IPs hosted in other countries such as Brazil or Canada. The problem with VMs is that since you set it up, you immediately know how to attack it, and how to properly defend; the problem with attacking Canada is that they only have three computers. (I kid I kid). It is still good practice but most leave wanting more. This is where ICE II came in.
The guys at White Wolf set up a fictitious company (3 actually) whose System Admins were likely fired for incompetence. There are all kinds of servers, RedHat 7.2, Windows 2000 SP0, Windows 2003 and everything in-between hosting all kinds of services. Web Servers, internet aware daemons, applications, telephony & power (SCADA) are hidden behind a firewall with an ANY/ANY/ANY PERMIT rule waiting to be discovered by either team. Who will find it first to either harden it or exploit it? Sound fun yet? Let me throw this last little bit in: neither team (Red or Blue) knows exactly what they have to protect or attack until the game gets started, and there is no means of patching via the internet. Yes, you heard me correctly, as a defender you have to harden your boxes WITHOUT PATCHING.
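As an added example (not code from the original post, nor from White Wolf Security), here is a small Python audit of the situation described above: a firewall policy that still carries an ANY/ANY/ANY PERMIT, which a defending team has to find and replace with explicit permits for the services they are required to keep (mail, web, DNS) and a final deny. The four-field rule syntax, the sample ruleset and the host names (www, mail, ns, scada) are constructed for this example; it runs offline.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed rule syntax for the example: "<action> <src> <dst> <service>",
# first match wins, implicit deny at the end. Not a real firewall's format.


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network, or "any"
    dst: str      # destination host/network, or "any"
    service: str  # service or port name, or "any"


# Constructed sample resembling an inherited policy; not the actual ICE II ruleset.
INHERITED_RULESET = """
deny   any scada any     # someone at least fenced off the SCADA box
permit any any   any     # the catch-all that makes every rule after it moot
"""

# Services the fictitious company must keep reachable, as (destination, service).
REQUIRED_SERVICES = [("www", "http"), ("mail", "smtp"), ("ns", "dns")]


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed ruleset format, ignoring blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.lower().split()
        if len(parts) != 4 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def find_permit_any(rules: List[Rule]) -> List[Rule]:
    """Return permit rules whose source, destination and service are all 'any'."""
    return [r for r in rules
            if r.action == "permit" and r.src == r.dst == r.service == "any"]


def effective_action(rules: List[Rule], src: str, dst: str, service: str) -> str:
    """First-match evaluation of a flow against the ruleset, implicit final deny."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.service in ("any", service)):
            return r.action
    return "deny"


def harden(rules: List[Rule], allowed: List[Tuple[str, str]]) -> List[Rule]:
    """Drop catch-all permits, keep every other rule, then add explicit permits
    for the required services and an explicit deny-all at the end."""
    catch_all = set(find_permit_any(rules))
    kept = [r for r in rules if r not in catch_all]
    explicit = [Rule("permit", "any", dst, svc) for dst, svc in allowed]
    return kept + explicit + [Rule("deny", "any", "any", "any")]


if __name__ == "__main__":
    before = parse_rules(INHERITED_RULESET)
    print("catch-all permits found:", find_permit_any(before))
    after = harden(before, REQUIRED_SERVICES)
    for dst, svc in [("www", "http"), ("www", "telnet"), ("scada", "modbus")]:
        print(f"{dst}/{svc}: before={effective_action(before, 'any-host', dst, svc)}"
              f" after={effective_action(after, 'any-host', dst, svc)}")
```

The check is deliberately order-aware: a catch-all permit is only harmless if it sits after rules that already cover everything, so the hardened policy keeps the inherited specific rules in place and makes the deny explicit rather than relying on the implicit one.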
The first night I chose to team with Larry Pesce, and be on the defending team mostly due to the fact that I am a defender during the day.
Starting at 5:30pm my night was full of stress and panic as we set to hurriedly disabling unneeded services & general system hardening. In the beginning the odds are stacked in the attackers' favor, as the defenders do not have any access to network devices, only the systems and servers they have identified. As the night progresses the odds finally shift to the defenders, as they are one by one granted access to their firewalls & Intrusion Prevention Systems. Sheer hatred burned in me as I heard the Red team shout “WOOT I GOT A ROOT SHELL”, and as the night concluded at 10pm I was exhausted. What a night.
The second night I was surprised to see many of the same defenders back, this time prepared to battle. I won't give any secrets away — but George had come up with a brilliant plan that could give the Blue team a slight advantage at the beginning, a crucial time for the Red team to score. Wanting the full experience, I decided it was time to jump ship and go hang out w/Paul Asadoorian and the rest of the Red Team. Immediately you could feel the environment difference: the red team was still very busy, but relaxed — with Beer & bumping techno. (I-Hacked Sponsored of course =) Cheer replaced rage at the notion of root shells; the red team was working Metasploit, Immunity Canvas, & Core Impact with skill. Sure it is frustrating when your shell session gets dropped by those Blue Cell guys, but it's ok, they still have not found your rootkit yet.
Best part of the night was watching the carnage as @surbo unleashed old school Nimda on the blue team's network. As the game came to a close for night 2 I felt refreshed, aware I needed to brush up on some Metasploit kung-fu but mostly ready to hit the town. (and boy did we!).
Night three: I intended to sit this one out and simply observe. But Asadoorian made some comments and wrote some pimp Core agents that got me thinking... I wasn't done making the lives of that blue team hell yet — bring it. Red Cell again! The Air Force was there observing — and a few times right over my shoulder. It is an ODD FEELING pivoting to box #3 off of a netcat reverse shell over port 80 with the military behind you.
The games were over and I left with a ton of experience. It is VITAL that you practice your craft as much as possible so when a real attack comes at you, you are prepared. By night three the blue cell was operating as a finely tuned machine. They knew what they needed to do, and what took priority. I was constantly amazed by the ingenuity they showed, and how well they did. The same with the Red Cell: after three days they learned what to attack, what will be successful and what is important to hold. By the end of night three, I am happy to say that I brought home the wakizashi sword trophy for attacking. (Paul still kicked my ass though)
I would encourage anyone reading this to attend the ICE III — I know I will be there, this time much more prepared and ready to battle, but which side will I choose? =)
Special Thanks To: White Wolf Security, PaulDotCom, Fortinet, SANS, Immunity Canvas, Core Impact, and the US Air Force, as well as all the other sponsors that gave away great prizes!