Skip to content ↓ | Skip to navigation ↓

Spending time in Las Vegas in July to attend a hacking class is like asking someone to stick their tongue to the North Pole…you know its going to hurt like hell but its such a unique experience you can’t pass it up…especially when you win.

It was kind of like that when I stepped off the plane to attend the 2012 Black Hat convention. My first reaction…holy crap it’s hot…my second reaction…this is going to be a lot of fun. I was signed up for two tasks on this trip: first was to attend the Real World Security class by Peak Security. The second was to be a booth babe for Tripwire at the trade show portion.

The class it turns out is a two day Red Team/Blue Team hacking contest. Day one had my team as the defense. The premise? We were a security team contracted to protect a group of servers. The problem? The entire IT department we were hired by was killed in a tragic BBQ accident. Essentially we had to hack our own servers to protect them… My partner in crime was SANS certified mentor Alex Cox, a fellow Tripwire employee and we quickly got to work.

As the team gained access to various servers we installed a Tripwire Enterprise agent on each one and pointed them to a Tripwire Enterprise console I had installed on the laptop Peak Security had provided. Once installed, we baselined the servers and used Tripwire Enterprise’s Security Configuration Management capability to find the security gaps in each host so that we could close them.

At the same time we installed Tripwire Log Center on Alex’s laptop and began sending syslog traffic from each host to it.  The SIEM immediately lit up with brute force attempts and other nefarious deeds perpetrated by the opposing team. As we uncovered each attempt the rest of our team worked to shut them down.

Day two got really exciting…this time we were the offense and the moment the game began we began to enumerate and footprint the environment. Alex uncovered a poorly designed web page and convinced it to give up its secrets. What followed was a quick RDP war trying to plant our backdoor before they shut us down. At the same time, I found myself with root level access, having blasted away at it using Metasploit, on a Linux web server and uncovered several Easter eggs the instructors had planted while the rest of the team was working on cracking the rest of their hosts.

Time was winding down and the points were close and I planted one last little nugget…it was cheap and easy from a hacker standpoint but it was considered an Easter egg to have done so…I defaced their “public” website… I know…not very ninja but it turns out it was just enough in the final analysis to give us the win…by one point…

I love events like this. You can take all the hacker classes, study all the security courses you can find but Real World Security events like this at Black Hat or Netwars sponsored by SANS are an invaluable experience. It is the opportunity to see just how well you picked up the techniques a hacker would use and how you would defend against them.

Alex and I credit our usage of Tripwire Enterprise and Tripwire Log Center with providing us with both the file integrity and the security configuration management as well as the log alerting that allowed the rest of the team to shut the opposition down just enough to prevent them from stacking up the points and the Easter eggs. Their lack of access to these tools allowed us to get free reign on their hosts and find these points and eggs to get the win.

Alex Cox in the end won the team MVP award and was presented with a shiny one ounce silver medallion and a new laptop.  Look for him at the SANS Netwars Tournament of Champions later this year.

Compared to this, the trade show was tame. Lots of big names in security were present like RSA. We had lots of folks stopping by the Tripwire booth, many of them were participants in the contest, to talk to us about our products…either that or they were jonesing for the shiny robot pens we were giving out.

Black Hat…despite the fundamental flaw of being held in Las Vegas in the middle of July is a must attend event if you take IT security seriously at all. Now I will probably have to wrestle my colleagues for a spot next year when Tripwire makes its presence known…



Chris Orr