Five Minute Plan

What Is A Five Minute Plan

When you are blue-teaming, your five minute plan is your plan for the first five minutes of the competition. In those early minutes you need to harden your control over a device as quickly as possible. Some strategies you may use are closing ports, changing passwords, and checking logs.

I am not an expert

This is the five minute plan I created for my first CSEC Competition. This is by no means an authoritative source on the subject matter. Nevertheless, this is how I plan on spending my first five minutes of the competition, along with my rationale.

My Five Minute Plan

Once the competition starts, I will:

  • Change all passwords for all users
  • Disable all accounts
  • Check and implement strict firewall rules
  • Disable services that are not essential (SSH stands out)
  • Start a Wireshark capture
  • Create a copy of the logs
  • Check Scored service status and troubleshoot
  • Start threat hunting

Let's break that down

Change all passwords for all users

This is done first and foremost. I cannot overstate the importance of this. The reason you change all the passwords for all the accounts is that you cannot trust the security of any account. The current passwords may already have been exfiltrated by the Red Team. Even if they are not already compromised, the passwords may be weak and easily guessed. It's best not to take the chance.

Disable all accounts

Expanding on the previous point, you don't know which users you can trust. Just to be safe, any non-critical user should be disabled at the start of the competition. You can then bring users back online once the security of their accounts is validated.

Check and implement strict firewall rules

Check your ports and close them. If you see that port 12345 is open and you don't know why, close it. That port may be used by the Red Team for their tools. It's better to be safe than sorry: close the port.

Disable services that are not essential

Shut down any unneeded services. If your box has SSH enabled and you are not being scored on SSH, shut it down. Unneeded services only increase the number of ways the Red Team can either gain access or hide.

Start a Wireshark capture

By now most doors should be closed and you can start threat hunting. The first thing you want to do is start Wireshark and begin a capture. Capture EVERYTHING. Later, when you have some downtime, look through the capture for anything that stands out. You might get lucky and spot some base64 or cleartext going straight to the Red Team's box.

Make a copy of the logs

Copy the logs early, before the Red Team has a chance to clear them. You might get lucky and spot an artifact from when they installed their tools.

Check Scored service status and troubleshoot

Now that you're capturing and the box is more secure than when you found it, check the status of your scored service and troubleshoot if necessary.

Start threat hunting

Once your service is up and you're getting score, start threat hunting. Look for Red Team tools and see where it takes you. Remember not to get distracted, and keep an eye on the score.
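The first six steps of the plan above, turned into a script as an added example (it is not the post's own script and not from any project). It assumes a Debian/Ubuntu-style Linux box with systemd, iptables and tcpdump, uses tcpdump instead of the Wireshark GUI because a scored server usually has no desktop, and the keep-lists (KEEP_USERS, KEEP_PORTS, STOP_SERVICES) are placeholders to fill in per competition.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes Debian/Ubuntu-style Linux
# with systemd, iptables and tcpdump. Nothing touches the system unless
# FIVE_MIN_APPLY=1 is set and the script runs as root; the helpers are pure.
set -eu

# Placeholders, adjust per competition: accounts to keep, scored ports, unscored services.
KEEP_USERS="root scoreuser"
KEEP_PORTS="80 443"
STOP_SERVICES="ssh cups avahi-daemon"

# Step 2: read /etc/passwd on stdin, print every login account (UID >= 1000,
# real shell, not on the keep list). These are the accounts to lock.
lockable_users() {
    awk -F: -v keep="$KEEP_USERS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepmap[k[i]] = 1 }
        $3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ && !($1 in keepmap) { print $1 }'
}

# Step 3: emit an iptables rule set that allows only loopback, replies and the
# scored ports, then drops everything else inbound (policy set last, so nothing
# is cut off while the accept rules are still being added).
firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $KEEP_PORTS; do echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"; done
    echo "iptables -P INPUT DROP"
}

apply_plan() {
    ts=$(date +%Y%m%d-%H%M%S)
    # Step 1: fresh random password for every account with a real shell; the
    # list goes to the team out of band and is shredded afterwards.
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' /etc/passwd | while read -r u; do
        pw=$(head -c 24 /dev/urandom | base64)
        echo "$u:$pw" | chpasswd
        echo "$u $pw" >> "/root/passwords-$ts.txt"
    done
    # Step 2: lock the non-critical accounts until their owners are vetted.
    lockable_users < /etc/passwd | while read -r u; do usermod -L "$u"; done
    # Steps 3 and 4: firewall, then stop and disable unscored services.
    firewall_rules | sh
    for s in $STOP_SERVICES; do systemctl disable --now "$s" 2>/dev/null || true; done
    # Steps 5 and 6: capture everything in the background, snapshot the logs.
    nohup tcpdump -i any -w "/root/capture-$ts.pcap" >/dev/null 2>&1 &
    tar czf "/root/logs-$ts.tgz" /var/log 2>/dev/null || true   # logs change while read
}

if [ "${FIVE_MIN_APPLY:-0}" = "1" ]; then apply_plan; fi
```

Run it as root with FIVE_MIN_APPLY=1; without that variable it only defines the helpers, so you can dry-run `firewall_rules` and `lockable_users < /etc/passwd` first and check the output before anything is changed.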