Moving on to Blue Team

I completed the first phase of the “red team” portion of my purple team course. The machines are set up and ready to be exploited, although some require manual intervention at first boot. If phase 2 happens, I’ll look to script the refresh of all the machines. One of the web servers seems to fail when it’s scanned, so I’m going to add some resources and hope for the best. I’ve learned new things about Windows/Linux share permissions, and further reinforced my knowledge by directly exploiting the misconfigurations. With a group of students, I’m hoping to cover the exercises in 1.5-2 hours, take a break, then transition to the blue team portion.

To prepare for the blue team portion, I set up Security Onion and Splunk, and integrated logs from my FW, IDS and each vulnerable host. The IDS picks up mostly web attacks and scans. My privilege escalation attacks and internal credential sprays went largely unnoticed. I deployed OSSEC to monitor user directories, and Splunk forwarders to gather OS info and commands issued. I started going through the IDS alerts in more detail (via pcap analysis), and hope to correlate data with related logs in Splunk.
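The credential sprays mentioned above are exactly the kind of activity a network IDS misses but host auth logs catch, provided something actually looks at them. The following is an added example, not code from the original post or from Security Onion, OSSEC or Splunk: a small detector that parses sshd lines from a Linux auth.log, groups failures by source IP, and flags a spray (a few guesses each against many accounts inside a time window, as opposed to brute force of a single account). The log lines are constructed for the example, and the thresholds (10-minute window, at least 4 distinct accounts, at most 2 tries per account) are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real captures). One source sprays five
# accounts and lands as jsmith; a second source brute-forces one account (bob).
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jan 12 10:00:03 web01 sshd[2102]: Failed password for root from 10.0.0.5 port 51235 ssh2
Jan 12 10:00:05 web01 sshd[2103]: Failed password for invalid user backup from 10.0.0.5 port 51236 ssh2
Jan 12 10:00:07 web01 sshd[2104]: Failed password for invalid user oracle from 10.0.0.5 port 51237 ssh2
Jan 12 10:00:09 web01 sshd[2105]: Failed password for jsmith from 10.0.0.5 port 51238 ssh2
Jan 12 10:00:11 web01 sshd[2106]: Accepted password for jsmith from 10.0.0.5 port 51239 ssh2
Jan 12 10:05:00 web01 sshd[2110]: Failed password for bob from 10.0.0.9 port 40001 ssh2
Jan 12 10:05:01 web01 sshd[2111]: Failed password for bob from 10.0.0.9 port 40002 ssh2
Jan 12 10:05:02 web01 sshd[2112]: Failed password for bob from 10.0.0.9 port 40003 ssh2
Jan 12 10:05:03 web01 sshd[2113]: Failed password for bob from 10.0.0.9 port 40004 ssh2
Jan 12 10:05:04 web01 sshd[2114]: Failed password for bob from 10.0.0.9 port 40005 ssh2
Jan 12 10:30:00 web01 sshd[2120]: Failed password for alice from 10.0.0.12 port 40100 ssh2
"""

# sshd "Accepted/Failed password" lines; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Turn raw auth.log text into a list of auth events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fine for windowing within one file
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def detect_password_sprays(events, window=timedelta(minutes=10),
                           min_users=4, max_per_user=2):
    """Per source IP, slide a window over failed logins and flag a spray when the
    failures cover >= min_users distinct accounts with <= max_per_user tries each.
    A single account hammered many times is brute force, not a spray, and is not
    flagged here. Any later success from the same IP is attached to the finding."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e)

    findings = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                success_as = [e["user"] for e in events
                              if e["ip"] == ip and e["result"] == "Accepted"
                              and e["ts"] >= start["ts"]]
                findings.append({"ip": ip, "start": start["ts"],
                                 "distinct_users": sorted(per_user),
                                 "success_as": success_as})
                break  # one finding per source IP is enough for a report
    return findings


def run_sample():
    """Convenience entry point: parse the constructed log and return the findings."""
    return detect_password_sprays(parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ip']} sprayed {len(f['distinct_users'])} accounts from "
              f"{f['start'].strftime('%H:%M:%S')}; succeeded as {f['success_as'] or 'none'}")
```

The same grouping (source IP, distinct target accounts, attempts per account, later success) is what a Splunk search over forwarded auth logs or Windows 4625/4624 events would compute; the point of doing it by hand first is to know what the search has to prove before building the dashboard.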

I’d like to generate a dashboard/report that chronologically highlights each action, and describes a story that management can digest. During Phase 2, I hope to add a Splunk dashboard that allows every user to look up traffic related to their IP. If I ever submitted this course to a con, I’d have to consider adding ELK to the blue team portion. Splunk is a great tool to get quickly up and running, but has obvious limitations being a commercial product. My setup required tuning logs to minimize ingest, and likely won’t support a number of users hammering on the network for a few hours. More things to consider…
