ICS VILLAGE - A CTF That Teaches: Challenging the Next Generation of ICS Ethical Hackers

Video in TIB AV-Portal: ICS VILLAGE - A CTF That Teaches: Challenging the Next Generation of ICS Ethical Hackers

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Next up is Brandon Workentin. He's from SecurityMatters, and he's going to talk a bit more about what CTFs are here in this space, and also about CTFs in general: challenging the next generation of ICS security professionals.

Thank you, Larry. Thank you, Larry. I appreciate the opportunity to speak here. You'll notice there are actually two people on the title slide. That's because my colleague Harry Thomas was instrumental in creating the CTF that we're going to talk about. His wife is about two weeks away from giving birth to their first child, and so, in the interest of not getting divorced, he did not come to DEF CON. We are both ICS security engineers at SecurityMatters. We're a company that's focused on ICS security, and we're happy to be a part of the ICS Village this year; we're part of the CTF right next door.

So what I'm going to talk about today is kind of three points: why did we build the CTF; some problems and solutions that we ran into as we were doing this, and especially this weekend there were several; and some tips and tricks. That last part is really focused on how you can use a CTF to be more educational rather than just a contest.

So the first question is: why build the CTF? I looked at the DEF CON webpage, the contest page, and there are 29 CTFs at DEF CON listed on their contest page this year. So why did we do another one? That's a lot. Well, the main reason is that ICS is a very specialized niche, and a lot of CTFs are focused on really that high-level person. So, for example, the DARPA Cyber Grand Challenge, which was at DEF CON a couple of years ago, was focused on artificial intelligence, and you really needed to be an expert-level person in both AI and malware and all that in order to be successful at that, or even to compete in it. The DEF CON official CTF, or whatever they call it, is the same thing: it's a contest to find the best at CTF. And then there are niche ones like the social engineering capture-the-flag, where ICS is not really talked about. So we wanted to create something that was really focused on ICS. That was one huge reason.

There are some other reasons, but the huge reason is this well-documented phenomenon, the talent shortage of IT security professionals. This little tweet is from a couple of years ago now, but Dale Peterson, who runs an ICS-focused security conference, guessed 5,000 ICS security professionals in the US, with most of those hidden away where we never hear from them. What this means is that it's a really small community, and so I always like to throw this one in if I'm talking at a place that is not necessarily ICS security people, maybe general IT security people. I like to point this out because it's a small community: you can get involved, you can meet people really easily, and it's just a great, great way to get involved. I've personally only been involved in the ICS stuff for about five or six years, and within a year I knew a ton of people who gave talks at DEF CON and such on ICS security, because it's such a small community. It's a really great community to become a part of.

I've talked about ICS. One of the problems when you're talking about ICS security, industrial control system security, is that there are lots of acronyms. If you come from an enterprise security background, I'm sure you deal with that in other ways, but we talk about IT and OT. So when I said IT security, that means your traditional SQL injection attacks, password cracking, things that a hacker, a generic hacker, might do. There are some things that a security professional who comes from the IT world may not be able to get away with if they come to the OT world; for example, some devices in the OT world, if you scan them, will fall down and cry into a little ball. On the OT side it's just a different skill set, because they have different requirements, and there are other people here this week talking more about that, but I just wanted to point that out.

There's some ICS-focused capture-the-flag stuff. Reid Wightman is right outside; he does one at the S4 conference every January. There are some other ones, but there's not a whole lot of them. So we saw this, we saw kind of an opening for something like this, and we built our capture the flag. We call it the Lights Out Hacking Challenge. DEF CON is a little different because we're a part of the ICS Village capture the flag, so we have flags and all that kind of stuff that you get points for. At our other events where we do this, like this one from BSides Orlando in March, we call it the Lights Out Hacking Challenge, where the winner is the first person to turn out the lights in Gotham City. So Mike Mitchell was our first winner of the Lights Out Hacking Challenge; we'll hear from him at the end of this presentation. These are all college students from Florida, so we were very happy that they participated and won the first CTF we did.

Now I'm going to go into the second area of my talk: the problems with creating an ICS-focused CTF, just in case you want to. The first problem I'm going to talk about is the operating systems. When I did a CTF at BSides several years ago with the Pros versus Joes, everything was virtualized, because you're attacking and defending Linux and Windows boxes, that kind of thing. In the ICS world, many times we don't run just your traditional Linux, Windows, Mac operating systems. We run proprietary operating systems that do a certain thing well, hopefully, if they do it well, but it's a different operating system. You can't just use the same tools with them, and so virtualizing them can be much more difficult. So you kind of have to have some real-world stuff; it makes it a much better CTF. And that gets into the next problem, which is money. ICS devices can be super expensive. This was off the rack; I just googled "Siemens S7 device" and took the first price I saw: $4,000. That's out of the range of somebody who wants to just build a CTF for their local makerspace or their local BSides or something like that. So that was the first problem that we had to overcome, and we did that with our business credit card, because that's how you can solve a lot of problems.

We created our Lights Out CTF. Here's a picture of it, so we can look at something prettier than a credit card. We created this and it has several different use cases. One of them is CTFs at BSides; here we use it for CTFs. Another use case is for trainings. At BSides Las Vegas just this week, my boss gave a one-day training on network security monitoring focused on industrial control systems, and this is non-vendor-specific, using all open-source tools, that kind of stuff, just as a public service type thing. It sounds kind of cheesy, but we want to give back to the community in that way. But then we also can take this to trade shows; we take the same thing to a trade show and we do demos for potential customers. And so by making it a business thing that we use for business, we were able to build this. Actually, I should say who built it: Siberut Goal... do you see? Oh, you don't quite see it. There it is, Sigh Vehicle built that, an engineering firm based out of New Orleans that we contracted with to build Gotham City for us. And then, by using it to drive that business use case, we're able to also do things like those BSides trainings and capture the flags and that kind of thing.

The next problem we get into is shipping. This is a big problem sometimes, like yesterday; I'll get into that in a minute. Shipping this can be kind of expensive. It costs a lot of money to ship a giant 150-pound box across the United States. We put it in a Pelican case; we have multiple Pelican cases with custom-made liners and all that kind of stuff to make the model fit. The model sits in the liners, and then we have a portable server rack that you can see outside, or on the other side of the wall, that's in a Pelican case, to try to minimize any damage that comes from shipping. Sometimes it's unsuccessful, when FedEx loses a 150-pound giant black case. I don't know how they do that, but they did, and it ended up being a good thing, because we were able to then make version 2.0 of our case and switch things out. We started with a Dell 1U server, which was fine, but it didn't handle the shipping very well, and we were able to switch to a Supermicro ruggedized box. We were able to put in a new KVM that was more ruggedized. So we were able to kind of upgrade, learn some lessons, take the insurance payout from FedEx and build a new box, so version 2.0 would be more hardy as we shipped it.

(Audience: I'm sorry, how many four-thousand-dollar Siemens boxes were in that?) Great question. Come out and we'll show you. We have a PLC, an Allen-Bradley MicroLogix PLC, an SEL (Schweitzer Engineering) RTAC and a Schweitzer relay. (Audience: Did you insure it?) Yeah, we insure it, we insure it every time, so FedEx cut us a nice check. They actually found the box, but after they cut the check, and so they told us we could either send the check back or get our thing back, and we were like, well, we don't know what you did with it for the last two months, so we'd better just... it might have been sitting outside or whatever, who knows. (Audience: MicroLogix?) MicroLogix is a brand name for Allen-Bradley. Yeah, Allen-Bradley. So shipping sometimes helps you, but it can cause problems. And then, anytime
you do something like this with technology, you're going to have technical difficulties and you're going to have user errors, and we've had both of those. When we went to our first CTF at BSides Orlando, we got there and our Wi-Fi router that we use for participants to get on was broken. Luckily my boss is always prepared, and he had his travel router with him, and so we were able to use that at that first CTF. We actually have another person who works in our company who's related to my boss, and I told her that I was putting the Boy Scouts slide up, and she said, oh no, he's a Coast Guard person, they're always prepared. I never knew that. Coast Guard... Coast Guardian? I don't know, whatever you call a Coast Guard person. He was in the Coast Guard, and so he's always prepared. Of course, then we went to our next event and he was not there, and we hadn't bothered to buy a router, so that one was definitely user error. So, once again, we have the business card and we have Amazon delivery to the hotel, so we were able to solve that problem by spending more of my CEO's money.

And then we have this week. I've talked to some of you about what happened yesterday and today. We came in yesterday at one o'clock in the afternoon to set up our CTF, like we planned to, and that right there is where that Supermicro 1U ruggedized computer is supposed to be. This was after we started looking at it for a while: that is where it is, that's where its RAM is, and that's where its hard drive is. It was shattered. You can see the metal welds that came apart from FedEx shipping our box to us. We found out yesterday at one o'clock in the afternoon that it was totally broken. So if you're going to have that happen somewhere, this is the place to have those kinds of issues, because my boss did a training at BSides and there was somebody he trained there who he talked to a little bit, and this guy was going to come test out our CTF for us, run through all the flags, make sure everything was working. Wonderful. Instead, he showed up with three of his friends, and this guy is a hardware genius. The guy in the blue shirt that you can kind of see in the back is apparently an Ubuntu genius, and they, with my boss, went to Fry's, they bought RAM, motherboard, everything. They built a server for us last night, which is why we were able to do the CTF this morning. We got everything networked and working, all the VMs on it, at about 9:45 this morning for the 10 o'clock CTF, after working late into the night last night. And honestly, it would not have happened without these random people from DEF CON whom we had never met. Fry's did not want to sell my boss the two 32-gigabyte RAM sticks that we needed, because they were the only two they had in the store and the only two that would work with that motherboard, and so there was a limit of one per person. So he put one on his own credit card for us so we could buy them and do it. I mean, this community is phenomenal. But everything is working now, so now we're into it; we actually have a CTF going.

So one of the problems you have with a CTF is having to protect the devices. What we did was enumerate all the attack paths that we might have, determine which ones provided too much access to the players, and then limit the risk from those attack paths, and we did that in a couple of ways. The easiest way, maybe not the most effective, is to make it out of scope. So, like we said, don't take out the host hypervisor; we're not in the business of defending hypervisors, so that's out of scope for the contest. Most people are pretty cool, except for the guy who was messing with everybody's DHCP server earlier this morning, but most people are pretty cool in this kind of thing, and so they respect that. The other thing we did is we made the attack vector too difficult to compromise. So, for example, we have an admin panel that might have a 30-plus-character randomized password, because in a two-day CTF realistically nobody's going to crack that. And so even though we say nothing is unhackable, realistically for the CTF that's something that we don't have to worry about being compromised. (Audience: ...) I'm sorry? Yeah, the length, so 30 plus. I said that; that's why I didn't say 27 or 36.

All right, so with our Lights Out challenge, and the title of this talk is creating a CTF that teaches, that is near to me. I used to be a teacher; I taught middle school and high school for several years. My boss does trainings all around the country; like you said, he likes to teach, like I said earlier, he likes to teach people. We wanted to do things that really drove the educational side of this, so that if we brought the CTF to somewhere like this, people are getting introduced to ICS devices. So I'm going to throw a couple of educational terms at you. The first one is scaffolding. So, just like you might imagine on a building when you're painting it, the scaffolding builds you up so you can reach what you're doing. Scaffolding in education is providing supports that allow the students to be successful. So, for instance, my colleague Harry, during the first CTF we did, put out a tweet: our friend Krusty has taken up a new hobby, steganography. That's a hint to the participants to let them know, hey, if I find a picture, maybe I should look into what this steganography thing is. So we give hints; we work with people to build them up. Another thing we do is guided questions. We like to talk to the participants: what are they doing, talk to them about what they're doing, talk to them about where they're having problems. Especially, like I said, in Orlando, when we had the college students, we were in nirvana with that one. We can ask them what worked, so that they can kind of... if you talk through what you've done, that helps you remember it better, and that helps give them ideas for what to read up on. When we close for the night, we might talk to people about that. We've done that in the past, kind of giving those guided questions to give people hints on where they should be looking.

Another kind of tactic is reinforcement. We can introduce skills early in the challenge and then build on them, or require more advanced use of those skills later in the challenge. So, for example, if we have the password "prison" for something, and no, this is not one of our passwords, we might have that early in the CTF, and then later on we might change that password to something where they have to mangle the password a little bit, and we can talk to them about how they can automate the process of changing out those characters, making password variations. So as they use a skill, then they come back, learn a little bit more about that skill, and build on it later on. That kind of reinforcement continues as you go through the process.

Another thing we've done is collect traffic captures, and honestly this is partially selfish, because we like to see the attacks that are going on, because we're in the security business, but participants can see what they've done. And this one's really big for me. I did a CTF a few years ago that was focused on, the only thing it really focused on was seeing artifacts of what you did. It's very helpful, when you do an attack, to see what network artifacts are occurring in the pcaps that the defender is unable to see, so that if you're on the red team side you might learn how to avoid those artifacts, and if you're on the blue team side you can learn what kind of checks you might want to look for. And it also allows us to improve the CTF over time: the more data we have about what worked and what didn't, the better we can do, so that hopefully things improve over time.

So I mentioned the guy from Orlando, Michael Mitchell was his name, the winner of the first one. He was the one getting that challenge coin. He said: "one of only two CTFs that I have ever participated in that were designed to teach participants rather than test them," which was awesome, that's what we were going for, "the little time I had to compete in that CTF taught me far more than I was ever expecting." So he put this out on his blog after the fact. That was the best feedback we could get. Honestly, if somebody like Larry or Reid Wightman next door wins our CTF, I think we might be doing something wrong, because our goal is to introduce people into the ICS world, not to just prove who the best ICS hackers are.

So thank you. I'm just about out of time. My name is Brandon Workentin; my invisible colleague is Harry Thomas. Like I said, I could not have done it without him. For this weekend, I could not have done it without the DEF CON community stepping up and helping us save that server that got destroyed by FedEx. Please go check out the ICS Village CTF, or if you don't want to do the CTF, check out the demos. There's like an airplane cockpit or something that I saw in there. I mean, it's insane what they have here at DEF CON now. Are there any questions? Yes, sir.

(Audience: Do you have a Siemens device?) We do not have a Siemens device in our portion of the CTF. I do not know about any of the other groups; the way the ICS Village CTF is, there are like three or four or five different people who all created parts of it. So in the part that we did, we have the Allen-Bradley device, the Allen-Bradley MicroLogix PLC, and then we have a Schweitzer Engineering relay and a Schweitzer Engineering RTAC. So the Schweitzer stuff is the blue boxes; if you look at our demo rack, the blue boxes are the Schweitzer stuff. They control the electric city part. The PLC that's sitting out on the table, because it fell out of the server rack, controls the ping-pong balls flipping up and down.

(Audience: What if we can't afford hardware like you guys have?) Great question. He asked if there were any virtualized things that he could do for, like, a college cybersecurity club. The first thing that pops into my head on something like that is called CYBATI. That's run by a professor from, I believe, DePaul University named Matt Luallen, who's a great guy. He's been at the Village before; I don't know if he's here today as well. The last time I downloaded it was probably a year and a half ago, and it was like 28 gigabytes or something like that, so it's a hefty VM. But because he has that educational background as well, he has a virtualized network with a bottle-filling thing, so it's a virtualized thing; you can see the little bottle going across the screen. He has reference material. The reason the VM is so big is that he has a lot of reference material built into it, so that it's all ready to go, and you get it through a Google Group. But Matt Luallen's CYBATI is probably the top-of-the-line virtualized thing I've ever seen. Yeah, yes, again?

So for something like that, in the virtualized environment, I think the biggest benefit is that it generates the traffic captures for you, so you're able to then see what is happening. You're able to see, even though you don't have that real-world experience of actually working with a real PLC, you're able to see the network traffic. Yes? Yeah, CODESYS. So he mentioned that CODESYS has a Raspberry Pi version of their operating system, so you can get... Kali has a Modbus module. I'm sorry, the...? Yeah, yes. And that, yeah. Any other questions or comments? Yes?

(Audience: ...like people who do that, that you want to talk to?) It's a pretty small community, but I think it's a very accessible community, so there are people who do that, and there are people who do red teaming, that kind of thing. (Audience: Who are the top companies?) Well, we are blue team; we're completely passive blue team. So Red Seal is one... most of it, yeah. Talk to people over there, yeah; talk to people on the other side of the wall. Any other questions? All right, thank you very much for your time. I hope you all have a good con. [Applause]
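As an added example (not from the talk, and not code from SecurityMatters' CTF), here is a small Python password-mutation generator of the kind the reinforcement passage in the talk describes: a base word is introduced early in the challenge, the password is later changed to a mangled variant, and players are nudged to automate the character swaps instead of retyping guesses. The substitution table, the suffix list, the base word "prison" (the speaker's own on-stage placeholder) and the SHA-256 target are all assumptions constructed for the demo; a real target may store a different hash or use a login form with lockouts, so treat `crack()` as the offline-cracking case only.

```python
import hashlib
import itertools

# Character substitutions for "leet"-style variants. This table is an
# assumption for the example; the talk does not specify which swaps its
# later-round passwords used.
LEET = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["1", "!"],
    "o": ["0"],
    "s": ["$", "5"],
    "t": ["7"],
}

# Common suffixes people append to "strengthen" a base word (assumption).
SUFFIXES = ("", "1", "123", "!", "2018")


def case_variants(word):
    """Yield the obvious capitalisation forms of a base word, without duplicates."""
    seen = set()
    for cand in (word, word.lower(), word.upper(), word.capitalize()):
        if cand not in seen:
            seen.add(cand)
            yield cand


def leet_variants(word):
    """Yield every combination of per-character substitutions from LEET.

    Each character is either kept as-is or replaced by one of its substitutes,
    so the number of forms is the product of the per-letter choices
    (e.g. 'prison' -> 1*1*3*3*2*1 = 18 forms).
    """
    pools = [[ch] + LEET.get(ch.lower(), []) for ch in word]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def mutate(base, suffixes=SUFFIXES):
    """Generate all case x leet x suffix variants of `base`, each exactly once."""
    seen = set()
    for cased in case_variants(base):
        for leeted in leet_variants(cased):
            for suffix in suffixes:
                cand = leeted + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for whatever hash the target stores."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash, base):
    """Return the first variant of `base` whose SHA-256 matches, or None."""
    for cand in mutate(base):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo: the later-round password is a mutation of the
    # earlier one ("prison"), hashed with SHA-256 for the offline case.
    target = sha256_hex("Pr1$on123")
    print("candidates tried:", sum(1 for _ in mutate("prison")))
    print("recovered:", crack(target, "prison"))
```

The generator is deliberately exhaustive and deduplicated so that a player can reason about the candidate count (3 case forms x 18 leet forms x 5 suffixes = 270 for "prison") and compare it with the 30-plus-character random admin password the speaker mentions, which no such mangling scheme reaches in a two-day event.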