Stop the Hacks!
You know them by name: Ghost, Heartbleed, ShellShock, ImageTragick, StageFright. Vulnerabilities so big that even your boss is worried about them. Most of us are likely passingly familiar with these big-name vulnerabilities and how they work.
But have you ever actually seen exploits for these vulnerabilities? Do you know what they look like as they traverse our networks? Could you detect such an attack?
For those that think they could detect such an attack, could you block all the various forms an exploit could take?
Welcome to Defending the Castle, a contest for Blue Teamers
Contestants create their own signatures for network-based attacks against some of the most well-known, publicly-documented vulnerabilities (or exploit kits) of the recent past.
Contestant signatures will be tested against attack traffic that becomes progressively harder to detect properly (exploit list below). But there's a catch: you can't be too aggressive, since you'll be penalized for blocking legitimate traffic (just like in the real world).
- Contestants will upload signatures to the Intrusion Prevention System (IPS) of their choice (available devices below)
- After network connectivity is verified, legitimate traffic must be allowed
  * No port- or protocol-based signatures
- Signatures will then be tested against a multitude of exploit variants
  * Additional points are available for signatures that detect the specific threat
- Signatures will then be tested against false-positive versions of the exploits (traffic that may be non-standard, but doesn't actually exploit the vulnerability)
  * False positives will lower your score
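As an added illustration of that test loop (not part of the contest materials or Ixia's tooling): a small Python harness that scores two candidate signatures for CVE-2017-5638, whose exploit places an OGNL expression in the HTTP Content-Type header, against constructed sample headers, including a non-standard but harmless header that a loose signature wrongly blocks. The sample headers, the inert attack fragments and the scoring weights are assumptions made up for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample Content-Type header values (not real contest traffic).
# "attack" entries have the CVE-2017-5638 shape: an OGNL expression "%{...}"
# referencing a "#" variable. The expressions here are inert fragments.
SAMPLES = [
    ("clean",  "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("clean",  "application/json; charset=utf-8"),
    ("attack", "%{(#_='multipart/form-data').(#test=1)}"),
    ("attack", "multipart/form-data;%25%7B(#_='x').(#test=1)%7D"),  # URL-encoded variant
    ("fp",     "multipart/form-data; boundary=%{not-ognl}"),  # odd, but not an exploit
    ("fp",     "text/plain; charset=#utf-8"),                  # odd, but not an exploit
]

# Loose signature: any "%{" in the header. Catches the attacks, but also an FP.
NAIVE = re.compile(r"%\{")

# Tighter signature: "%{" followed by a "#" variable reference before the closing brace.
STRICT = re.compile(r"%\{[^}]*#")


def normalize(value, rounds=3):
    """Undo URL-encoding (bounded) so an encoded variant cannot slip past the match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def evaluate(signature, samples=SAMPLES, multiplier=1):
    """Score a signature the way the contest rules describe: points per attack
    blocked minus points per false positive blocked, same multiplier for both."""
    blocked = fps = 0
    for kind, header in samples:
        hit = signature.search(normalize(header)) is not None
        if kind == "attack" and hit:
            blocked += 1
        elif kind in ("fp", "clean") and hit:
            fps += 1
    return {"blocked": blocked, "fps": fps, "score": multiplier * (blocked - fps)}


if __name__ == "__main__":
    for name, sig in (("naive", NAIVE), ("strict", STRICT)):
        print(name, evaluate(sig))
```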
Can you protect the keys to your kingdom? Suitable prizes awarded for those who can.
* Contestants are encouraged to research and create signatures ahead of time.
** For those new to custom signature-development, signature templates will be available at the contest desk.
- 1 entry per person (1 file containing all signatures; format will vary based on the IPS)
- No port- or protocol-based signatures
- Whether traffic was blocked or allowed will be determined by the testing device, not by the IPS
- Signatures must be the intellectual property of the contestant
  * Winning signatures must be made available to the public after the close of the contest
- Signature-based detection only; other IPS features will be disabled
- Points will be awarded based on the number of attacks blocked, with a multiplier based on difficulty.
- Points will be subtracted based on the number of false positives blocked, using the same multiplier.
- In the event of a tie, additional points may be awarded for style at the discretion of the judges; otherwise the winner will be selected at random.
- Contestants submitting the 3 best-performing signatures will receive a prize.
- The Grand Prize will be awarded if one or more contestants submit signatures that successfully block all attack variants and block no false positives.
List of exploits (ordered by difficulty-to-detect):
- CVE-2017-5638 Apache Struts OGNL Remote Code Execution
- CVE-2017-0145 ShadowBrokers SMB Buffer Overflow
- CVE-2016-10045 PHPMailer Remote Code Execution
- CVE-2017-0199 Microsoft RTF OLE Remote Code Execution
- CVE-2016-3714 ImageTragick Remote Code Execution
List of IPS devices available:
- Palo Alto (PA-500)
- Cisco ASA 5520 with IPS module
- Snort 2.9
- IBM NIPS
Prize List (provided by Ixia):
- Grand Prize: BreakingPoint Virtual Edition Appliance (BPSVE)
- 1st-3rd place: Ixia Developer Virtual Appliance
To pre-register your signatures, send an email to gmontgomery AT ixiacom DOT com
Subject: Bsides StopTheHacks Signature submission
Attach a text file containing your signatures, or a config file for the IPS of your choice
Content can also be pasted into the body of the email
* Be sure to include the IPS you’d like the signatures loaded onto