
#RSAC

From Boot-to-Root: A Method for Successful Security Training

Session ID: HUM-W11

Dave Farrow
Senior Director, Information Security
Barracuda Networks, Inc.


The Stakes


Ignaz Semmelweis: a familiar story…

WHY?!?

Bad news triggers the grief cycle: Denial, anger, bargaining, depression, acceptance

Hygiene (security) is only indirectly part of their primary purpose
  The doctors were there to deliver babies… and not infect their patients
  Developers are here to deliver features… and not introduce vulnerabilities

Aha!

We all agree that we must “First, do no harm”

Q: So how do we (the security team) avoid the mistakes Ignaz made, which perpetuated the mistakes the doctors were making?

A: Invite them (the developers) into the “club”… before there is a crisis

Joining the club

Inducts developers into the attacker’s dark art

Removes the mystery which had fueled the grief cycle

Creates a connection between security and developers

Security starts to become second nature and the grief cycle is short-circuited

Our invitation: boot2root

Well-known security gaming exercises
  Participants start with a VM created with specific security flaws
  They boot the VM and proceed through a variety of challenges
  Eventually winning by gaining root access on the VM

Related to, but different from, Capture the Flag contests

Virtual machines allow us to “manufacture cadavers to autopsy”

Take that, Medicine!


Preparing the Training

Steps for preparation

1. Set objectives
2. Create a narrative
3. Build the exercise and training material
4. Practice coaching

Example Objectives

Operational
  SSH key forwarding
  Keeping a clean shop

Coding
  SQLi
  CMDi

Post exploitation
  Privilege escalation
  System misconfigurations
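The deck later recommends developing demonstration scripts and building fixing into the exercise. As an added demonstration script (not part of the deck or of the Silence VM), here are the two Coding objectives, each shown as the flawed pattern beside its fix; the users table, its sample row and the hostname allow-list are constructed for this example.

```python
"""Demo script: the two Coding objectives (SQLi, CMDi), each as the flawed
pattern a boot2root VM might plant beside the fix a participant would apply.
The users table, its row and the hostname allow-list are constructed here."""
import re
import sqlite3

# --- CMDi ---------------------------------------------------------------
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def ping_command_vulnerable(host: str) -> str:
    # Interpolating user input into a shell string: any shell metacharacter
    # in `host` is parsed by the shell instead of being treated as data.
    return f"ping -c 1 {host}"

def ping_argv_hardened(host: str) -> list[str]:
    # Fix: allow-list the input, then hand the program an argv list so no
    # shell ever parses it (subprocess.run(argv) with the default shell=False).
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]

# --- SQLi ---------------------------------------------------------------
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    # Constructed sample row; a real application would store a password hash.
    conn.execute("INSERT INTO users VALUES ('psimon', 'correct horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    # String-built query: a quote inside `pw` rewrites the WHERE clause.
    q = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(q).fetchone() is not None

def login_hardened(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    # Fix: bound parameters; the driver passes values separately from the SQL.
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(q, (name, pw)).fetchone() is not None

if __name__ == "__main__":
    db = setup_db()
    crafted = "' OR '1'='1"
    print("vulnerable login, crafted password:", login_vulnerable(db, "psimon", crafted))
    print("hardened login, same input:        ", login_hardened(db, "psimon", crafted))
    print("hardened argv:", ping_argv_hardened("example.com"))
```

In a fixing phase, participants can run the vulnerable and hardened functions side by side on the same input and see why the fix works, which supports the deck's point about balancing offensive and defensive material.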

Narrative step 1: find the machine

Narrative step 2: bypass authentication

Narrative step 3: command injection

Narrative step 4: reverse shell

Narrative step 5: low priv user - psimon

Narrative step 6: low priv user - agarfunkel

Narrative step 7: Qapla!

Building Silence

Built using a 32-bit Linux OS for maximum supportability

Packaged for VMware and VirtualBox

Automate the build – you will end up building it repeatedly

Test the boot2root
  Watch for unintended “ways forward”
  Validate the playability
  Clean up!

Leave easter eggs!

Presentation materials

Use (and reference) existing online materials

Present materials in the same order as the narrative

Develop some demonstration scripts

Balance offensive with defensive information


Game Day

Game day

Logistics
  Reserved 4-6 hours
  Invited the entire technical team in the location
  Took 4-5 members of the security team to support/coach

Observations
  Once the boot2root started, it was heads down… the whole time
  People worked alone or in small groups, but everyone had their own machine
  As we got better at coaching, more people completed the entire exercise


Lessons Learned

Responses from participants

Post-event surveys indicate that boot2root has what developers crave

Some participant feedback:
  “I had wanted to hack but didn’t know where to start”
  “I grabbed another boot2root from vulnhub on my own last weekend”
  “I’d like to be involved with building the next one”
  “I’m now officially terrified of what is possible. And I’ll be calling you about my own code”

Many participants who didn’t finish the first time enthusiastically came to the next event to make more progress

Challenges

Getting participants up and running
  Standardize on a supported VM platform
  Hand out the image early so people can set it up before the training
  Participants should come to the exercise with prerequisites installed

Game dependencies
  Make your exercise completely stand-alone

Insufficient time
  Consider alternating teaching and applying
  Don’t expect attendees to finish the entire exercise the first time

Coaching: where the magic happens

By proctoring the exercise and offering one-on-one coaching, your security team can…

Develop the language to communicate effectively with developers

Create for developers a positive association with security and your team

Reveal how your security team really feels about vulnerabilities

Coaching basics

Do the exercise yourselves before you deliver a boot2root

Be prepared for a wide variety of experience

Don’t spoil the fun… or the impact

Manage frustration

Too many coaches spoil the soup

Stay engaged

Coaching example

Our next steps

Technical
  Build fixing into the exercise
  Break tool setup into stand-alone exercises
  Considering using Docker

Organizational
  Set up recurring training opportunities for existing and new hires
  Set up a company scoreboard
  Have success with exercises contribute to job/career advancement?

Resources

Complete source for Silence and the related training is available upon request

I can be reached at: [email protected]

Acknowledgments
  Matt Trimble

What happened to Ignaz?

Apply: your next steps

Create the pull to join the club, then welcome the developers in
  And respect that they still have features to deliver

If you choose to use boot2roots to do so:
  Identify your objectives
  Create a narrative
  Develop the materials
  Prepare to coach

Boot2roots are achieving these goals for us. We’d love to hear what works for you.


Questions?