In my ongoing blog series “Hacker Mindset,” I’ll explore an attacker's assumptions, methods and theory, including how information security professionals can apply this knowledge to increase cyber-vigilance on the systems and networks they steward. In this article, I share my thoughts on NetWars – a live, interactive Capture the Flag training exercise at SANS Rocky Mountain 2016. NetWars is an excellent way to arm your team with knowledge of the offensive tools employed by hackers.

Earlier this month, I had an incredible opportunity to facilitate SANS Rocky Mountain 2016 with a small group of other volunteers and SANS staff. The SANS Institute specializes in information security courses and certifications, cybersecurity Master’s degrees and end-user awareness training. With programs covering security administration, forensics, incident response, audit and management, SANS is an excellent way to keep your skills cutting edge. The SANS NetWars tournament took place three hours a night over two days, featuring training scenarios that simulate vulnerability hunting, malware discovery, memory and disk forensics, as well as other network defense and penetration methods. Let's recap what happened...

Last Thursday night kicks off with participants and their laptops filling up the conference hall. Everyone takes a seat and begins to load the custom virtual machine they’ll use for the first two levels of the competition. I get my VM up and running in VMware Fusion and log into the tournament website with everyone else. Level I of the contest tests your Linux knowledge with simple challenges to ease you into the game. Getting stumped on a question or task is no problem: the entire series is guided and offers increasingly helpful “hints,” so anyone can complete it regardless of skill level. I move into Level II using THC-Hydra to crack the login of an FTP service running on my target machine.
From there, I use John the Ripper to crack a hash and move further into my attack. Then, I gain root access to the Linux target to progress into the next level of the competition. It was very exciting to answer the questions and earn points for the correct answers. When stumped on a question or task, I ask the system for a hint. It is such a great atmosphere in which to learn how hackers operate. As the evening goes on, the chat volume of all the team members collaborating increases.
The last day is pretty lively, with music and a sense of urgency to win. The top five teams and top five individuals receive a NetWars challenge coin, similar to the ones used by military personnel, as well as an invitation to attend a “NetWars Tournament of Champions” later in the year. One of the first tasks I perform on the second day is a forensic analysis of a memory capture using the Volatility Framework, followed by a packet capture analysis looking for the cause of a communication failure between two hosts. Again, the hints are great if you're not a fluent pentester; it's fun for all skill levels.

Before the tournament ends, I catch up with Jeff McJunkin from Counter Hack, the creators of NetWars. We speak about the benefits of this type of live training and how it arms information security professionals with real-world knowledge to fight hackers who invade corporate and government networks. The NetWars model brings a broad range of training scenarios that benefit everyone from managers to incident responders. Another learning track involves a scale-model city, dubbed “NetWars CyberCity.” This mini town of critical infrastructure provides a backdrop for simulated attacks that prepare the U.S. military for any contingency.

Being prepared for a cyberattack may need to involve not only your incident response plan but also the real-world skills to understand how a hacker penetrates systems and gains elevated access. The NetWars learning experience drove home to me how we need to change our mindset about the security controls we put into place. Knowing the steps of a cyberattack may just help you plan to prevent a real one in your organization. What do you think? I welcome your feedback and ideas on how you handle your organization's security and combat the hacker mindset.