RPE-016: The Gremlins in the Cloud
NOTE: We will only be accepting 10 teams for this RPE.
Maryland Innovation and Security Institute (MISI) intends to study how people can misconfigure, misunderstand, and misuse cloud services from hosting providers in this event. At no point will MISI or any participant in this event ever claim that a hosting provider is insecure. Precise details on findings and discoveries generated during this event shall be kept confidential and MISI shall ensure that all relevant rules and regulations involving cloud service interaction and penetration testing (to explicitly exclude Denial of Service) are followed to the letter.
Gremlins. They starred in entertaining movies in the eighties, but not everyone may know that written mentions of the mischievous little creatures appear to go back at least one hundred and four (104) years. Multiple Internet sites claim the earliest references to a gremlin appear in the British magazine 'The Spectator', which wrote:
"The old Royal Naval Air Service in 1917 and the newly constituted Royal Air Force in 1918 have detected the existence of a horde of mysterious and malicious spirits whose purpose in life was…to bring about as many as possible of the inexplicable mishaps which, in those days as now, trouble an airman's life."
The authors of the Wikipedia article on Gremlins do not appear to cite this source.
If you have not heard the stories, gremlins were supposedly responsible for unexplained problems that air crews experienced during flights. They were stealthy and, in many stories, only wished to cause damage and destruction.
Well, you may be able to imagine how a gremlin destroys a plane, but what about the clouds they fly through? How exactly is a cloud exploited or hacked? More importantly, how can you hunt for hackers in your cloud? While you can make the argument that this is a form of cloud hacking, it is not what we mean.
NOTE: Participants will be required to digitally sign an acknowledgement understanding the intent of this RPE is not to hack a cloud service provider or break a single cloud service provider rule about security. Please see the disclaimer above. We are 100% serious and any indication we have about a participant breaking this trust will result in immediate exclusion from this event.
In this RPE, we are hunting gremlins in the cloud. BCR Industries survived four (4) days of coordinated hacking in November of 2020, and they are back in business. They are currently operating multiple cloud hosted services and appear to have made more mistakes in their configurations and security. We are looking for defensive participants who, with administrative access to a cloud provider, can configure security services and install software (if required) to detect previously executed attacks and monitor live to detect new attacks that are launched. We are looking to not only detect attacks but provide as much characterization as possible (e.g., source, type of attack, MITRE ATT&CK techniques).
It is important to understand we are not looking for a software package that can install on all cloud VMs and detect password brute forcing or ETERNALBLUE. The ideal participant can examine the cloud configuration itself, monitoring in real time for changes that may be indicators of an attack in progress.
Readers are strongly encouraged to review the Hack the Building Playbook for details on BCR Industries. You can download this PDF from here: Hack The Building Playbook
The cloud hosting provider for this event will be: Amazon Web Services (AWS).
At present, we know that BCR operates the following cloud services (NOTE: this list may be updated, participants are advised to review this list frequently.):
- Public Website
- DNS Domains
- Automated Source Code Building
- Source Code Control
- Cloud Storage
- Serverless Computing Applications
- Mass Notification Services
- Cloud Servers
- Cloud Database
- Single Sign-on
- Centralized Syslog
There are mistakes made in each of these services. There are no security services currently configured within the BCR cloud at this time; configuring them is what is expected of a participant in this RPE. Because the BCR employees travel frequently, they are unable to pinpoint source IP addresses for security groups or access control. We also know that BCR Industries does not completely understand cloud service user management but has at least three (3) accounts configured with complete administrative access across all services. During a participant's time on-net, they will be expected to enable security features and monitoring and install/configure software such that attacks launched by MISI are detected within three hundred (300) minutes of launch.
BCR can provide a cloud architecture diagram to interested participants, but they should know that there will be items left off this diagram and each participant must perform an asset discovery step as part of their orchestration of the environment prior to monitoring for attacks.
We are looking for organizations and individuals who understand the cloud service provider architecture we have chosen for this event (AWS), and who can install and configure 3rd-party (and vendor-provided) tools for remote monitoring. While we have opinions on which tools should be used, we want the participants to provide their own perspective. A successful participant will also have practiced tactics, techniques, and procedures (TTP) for interacting with the cloud provider to obtain real-time information, telemetry and status. No external software will be provided for participants; you must provide your own license keys for third-party add-ons you wish to install. Once you have configured the BCR cloud the way you think it should be monitored, MISI personnel will launch attacks or exploits of cloud services (again see disclaimer) for the sole purpose of determining if the participant can detect the attack/exploit within sixty minutes. We plan to launch at least 10 attacks (in total).
Participants are permitted to stand up no more than two (2) virtual machine instances in the BCR cloud for the purposes of orchestration and security monitoring.
This event will be 100% remote. No participant is ever to travel to MISI facilities.
How Will It Work
Each participant will be evaluated separately for this event. MISI is going to stand up the functional BCR Industries Cloud and conduct a set of at least five (5) attacks. The participant will be granted access to the BCR cloud to install software and orchestrate the environment for real-time monitoring. Participants must ensure that the services and public points of presence for BCR are not disabled at any time. They cannot disable any user accounts or change the permission levels of an account. They are also not able to modify the firewall rules filtering traffic for any cloud service.
The participant will be allowed three (3) business days to orchestrate the MISI cloud, at which point MISI will launch more attacks without warning. The participant should monitor the systems they have enabled and attempt to determine if and when an attack has taken place. They should then provide as many indicators of compromise (IOC) for the attack as possible. MISI will not notify the participant before or after any attack launched.
The basic sequence of events for this RPE can be summarized as follows:
- MISI configures BCR Cloud baseline
- MISI holds Q&A session with participant to distribute cloud map and answer questions.
- MISI conducts attacks against BCR Cloud
- Participants orchestrate cloud environment
- MISI conducts additional attacks against BCR Cloud
- Participant monitors real-time services and alerts if attacks are detected.
We define the following schedule for this RPE. Since each participant will be evaluated separately, the evaluation period for this event may span multiple weeks depending on the number of registered participants.
- Sept 21: Announce Event & Open Registration
- Oct 29: Registration Closes
- Nov 3: Q&A Briefing
- Nov 12: Participants will be granted access to their environment
- Nov 15: Evaluation Begins
- Nov 19: Virtual Meetings Held to Review Results
We describe how each participant will be evaluated for this event. We anticipate the evaluation period will last for up to ten (10) business days. Three (3) days will be reserved for the participant to orchestrate the BCR Cloud and then five (5) days for the participant to monitor the environment while MISI launches attacks. The evaluation criteria we define are as follows:
- Did the participant detect any attack that has been launched prior to the start of evaluation?
- Did the participant detect attacks during their evaluation period?
- Did the attack detections provide contextual information such as:
  - Source of the Attack (IP Address)
  - Vector of the Attack (Storage, VM, etc.)
  - Vulnerability Being Exploited
  - Type of Attack
- Did the participant identify the ultimate action(s) on objective(s)?
- Did the participant provide any indicators of compromise for the attack?
In addition to measuring the evaluation criteria for each attack MISI will launch, we must record the following information:
- Did the participant install any third-party (COTS or FOSS) tools into the BCR Cloud? If so, what?
- Did the participant utilize any automated mechanism for querying BCR Cloud Services for the purposes of detecting or characterizing attacks?
The prize breakdown at this time is as follows (this is subject to change):
- $10,000.00 USD for first place
- $3,000.00 USD for second place
- $2,000.00 USD for third place