Disclaimer: This is based on experience with Minnesota State and the Midwest Regional Competition.
There are tons of great tools that fit really well with the CCDC environment. Features that are typically very important in the real world don’t really apply here. For example, in the real world a tool might work great, but if it is bad at alerting it likely isn’t that useful, especially in an organization with 30,000 plus employees.
Most of the tools that we have found useful over the years are included in the Black Hills Security ADHD tool collection. Some of the tools listed there would be awesome to use but would also be grounds for disqualification (hacking back at CCDC is not allowed, although it would be awesome if it was). The biggest problem with tools is the setup: your entire team has to be well versed in installing and configuring them, or else they can actually be a detriment. Many times the red team feedback includes the whole “many of you were your own worst enemies” line, since they would see services go down and stay down without any red team interaction.
To use these tools, the saying “Give me six hours to chop down a tree and I will spend the first four sharpening the axe” comes into play big time. You should be able to go into the competition, wget your bash/python/whatever script and run it. Inside the script, it should apt-get/wget/git whatever the tool is, wget the config file that is already configured on your public server, and then cp that config file over the default one. If you go in planning to do that manually, there is a good chance it will not be up and running until the competition is almost over. In a DerbyCon talk, Rob Fuller (Red Team Captain) mentions that they have a good idea who will win within the first few minutes of the competition. The teams that do well have everything scripted and are likely repeat competitors who have a strong understanding of the competition environment.
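The “sharpened axe” pattern above, written out as reusable shell functions. This is an added example, not the author’s own setup script: the package names, the staged file location and the sshd_config path in the usage comment are assumptions, and a real run would wget the staged files from your public server before calling these. Two checks are worth carrying into your own script: re-running it must be harmless (install only what is missing, never overwrite the backup of the stock config), and a config fetched over the competition network is checked against a hash you recorded beforehand.

```shell
#!/bin/sh
# Added example, not the post's own script: the "wget the script, run it,
# install the tool, drop the prepared config over the default" pattern as
# reusable functions. Package names and paths below are assumptions.

# ensure_pkg BINARY PACKAGE : install only when the binary is missing,
# so running the script twice does not spend time re-installing.
ensure_pkg() {
    command -v "$1" >/dev/null 2>&1 && return 0
    apt-get install -y "$2"
}

# verify_sha FILE SHA256 : the config came over the competition network, so
# compare it with the hash baked into this script before trusting it.
# (sha256sum is GNU coreutils; swap in your platform's equivalent if needed.)
verify_sha() {
    actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$actual" = "$2" ]
}

# deploy_config SRC DST [MODE] : keep one copy of the stock file for rollback,
# copy ours over it, fix permissions, and fail if the copy did not land.
deploy_config() {
    src="$1"; dst="$2"; mode="${3:-0644}"
    [ -f "$src" ] || { echo "deploy_config: missing $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    if [ -f "$dst" ] && [ ! -f "$dst.orig" ]; then
        cp -p "$dst" "$dst.orig"   # first run only: the pristine file stays put
    fi
    cp "$src" "$dst" && chmod "$mode" "$dst" && cmp -s "$src" "$dst"
}

# Usage sketch (commented out so the functions can be sourced safely):
#   STAGE_DIR=/tmp/stage                    # assumption: where wget put your files
#   ensure_pkg auditd auditd
#   verify_sha "$STAGE_DIR/sshd_config" "<sha256 recorded before the competition>" || exit 1
#   deploy_config "$STAGE_DIR/sshd_config" /etc/ssh/sshd_config 0600
#   systemctl restart ssh
```

The `.orig` backup is what saves you when a prepared config turns out to be wrong for the box in front of you: `cp /etc/ssh/sshd_config.orig /etc/ssh/sshd_config` gets the scored service back while you fix the staged file.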
Treat it like a game. It is not a real business network, it is a game and it should be treated as such.
Disallow outbound connections to private IP addresses. This blocks connections to the red team if they are using their internal IP addresses, which works because the competition uses private IP addresses for the entire environment. This is included in my PA script on GitHub.
To prevent DNScat, just block all outbound DNS and resolve IPs from your host device outside of the environment. The DNS service is scored by resolving internal addresses, so this should not affect that scored service (they will likely change this in future competitions).
Script the firewall. Going into the competition, you know for the most part what the topology looks like. At Midwest regionals we used Palo Alto firewalls. Write the entire config out beforehand and copy-paste it into an SSH session, or just script the entire thing.
My Palo Alto Config: This links to my GitHub; it is a Python tool that generates a config based on your team number.
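The two egress blocks above (no outbound to other private ranges, no outbound DNS) as a host-level iptables ruleset for a single Linux box, parameterised by team number in the same spirit as the author’s generator. This is an added example and not the author’s Palo Alto script; iptables on each server is a stand-in for the perimeter rule, and the addressing scheme (team N owns 10.N.0.0/16) is a placeholder you change to match your team packet. It goes a little past the text: dropped traffic is logged, so a red team callback or DNS tunnel attempt shows up in the syslog instead of silently failing. The one rule you must not forget is the ACCEPT for your own subnet ahead of the RFC1918 drops, otherwise you firewall your own scored services off the network.

```shell
#!/bin/sh
# Added example, not the post's Palo Alto script: host-level iptables rules
# for one Linux box implementing the egress blocks above, keyed on team number.
# ASSUMPTION: team N owns 10.N.0.0/16. Placeholder: change team_net to match
# the addressing in your team packet.

team_net() {
    echo "10.$1.0.0/16"
}

# gen_rules TEAM : print the rules rather than applying them, so the set can be
# reviewed and diffed before the competition and piped to sh during it.
gen_rules() {
    net="$(team_net "$1")"
    cat <<EOF
# log-then-drop target, rate limited so a noisy beacon cannot flood syslog
iptables -N CCDC-DROP 2>/dev/null || true
iptables -F CCDC-DROP
iptables -A CCDC-DROP -m limit --limit 5/min -j LOG --log-prefix "CCDC-EGRESS "
iptables -A CCDC-DROP -j DROP
iptables -N CCDC-OUT 2>/dev/null || true
iptables -F CCDC-OUT
# replies to inbound connections that were allowed in (scored services) stay open
iptables -A CCDC-OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# our own subnet must be allowed BEFORE the RFC1918 drops, or we cut off our own boxes
iptables -A CCDC-OUT -d $net -j ACCEPT
# no DNS leaves the box: shuts down DNS tunnelling (dnscat-style) from this host
iptables -A CCDC-OUT -p udp --dport 53 -j CCDC-DROP
iptables -A CCDC-OUT -p tcp --dport 53 -j CCDC-DROP
# anything else headed for a private range is a callback to somebody who is not us
iptables -A CCDC-OUT -d 10.0.0.0/8 -j CCDC-DROP
iptables -A CCDC-OUT -d 172.16.0.0/12 -j CCDC-DROP
iptables -A CCDC-OUT -d 192.168.0.0/16 -j CCDC-DROP
iptables -A CCDC-OUT -j RETURN
# hook the chain at the top of OUTPUT (delete first so re-runs do not stack copies)
iptables -D OUTPUT -j CCDC-OUT 2>/dev/null || true
iptables -I OUTPUT 1 -j CCDC-OUT
EOF
}

# apply_rules TEAM : run the generated rules (needs root)
apply_rules() {
    gen_rules "$1" | sh -e
}

case "${1:-}" in
    show)  gen_rules "$2" ;;
    apply) apply_rules "$2" ;;
esac
```

`./egress.sh show 7 > rules.sh` the week before lets the whole team read the ruleset; `./egress.sh apply 7` on the day installs it. Watch `grep CCDC-EGRESS /var/log/syslog` (or `journalctl -k`) afterwards: a steady stream of drops from one of your hosts to a single private address is exactly the kind of thing you want to find in the first ten minutes.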
Some of the tools we have found useful:
Human.py – detects “human-like” behavior on service accounts. Looks for misspelled commands, etc.
OSSEC – File integrity monitor
Rubber Glue – Like honey ports but redirects traffic back at the attacker.
Honey Port – Blackholes IPs that connect to a specified port.
Artillery.py – Honeypot and FIM
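The Honey Port idea from the list above, built from iptables’ `recent` match rather than the ADHD tool itself: any source that sends a SYN to a decoy port is blackholed for every port until it has been quiet for a set time. This is an added example and not the ADHD tool’s code; the decoy port and the whitelist address in the usage line are assumptions. The whitelist is the caveat a practitioner wants here: one port sweep from the scoring engine, or from your own admin box, would otherwise blackhole the very host that awards points, so those addresses are exempted before the blackhole rule.

```shell
#!/bin/sh
# Added example: a honeyport from iptables' "recent" match. Same idea as the
# ADHD Honey Port tool above, but not that tool's code. Port and whitelist
# values in the usage comment are assumptions.

# honeyport_rules PORT TTL [ALLOW_CIDR] : print rules that blackhole any source
# that sends a SYN to PORT, for TTL seconds after its last packet. ALLOW_CIDR
# is never blackholed: put the scoring engine and your admin box there.
honeyport_rules() {
    port="$1"; ttl="$2"; allow="${3:-}"
    echo "iptables -N HONEYPORT 2>/dev/null || true"
    echo "iptables -F HONEYPORT"
    if [ -n "$allow" ]; then
        echo "iptables -A HONEYPORT -s $allow -j RETURN"
    fi
    # anyone already on the list is dropped on every packet and the timer refreshed,
    # so the blackhole lasts until the source has been quiet for TTL seconds
    echo "iptables -A HONEYPORT -m recent --name honeyport --update --seconds $ttl -j DROP"
    # a SYN to the decoy port puts the source on the list; LOG does not terminate,
    # so the same packet then falls through to the DROP below
    echo "iptables -A HONEYPORT -p tcp --dport $port --syn -m recent --name honeyport --set -j LOG --log-prefix \"HONEYPORT \""
    echo "iptables -A HONEYPORT -p tcp --dport $port --syn -j DROP"
    echo "iptables -A HONEYPORT -j RETURN"
    # hook at the top of INPUT, ahead of the rules that accept scored services
    echo "iptables -D INPUT -j HONEYPORT 2>/dev/null || true"
    echo "iptables -I INPUT 1 -j HONEYPORT"
}

# Usage sketch (assumed values): decoy on 2222, one hour blackhole, scoring
# engine exempted.
#   honeyport_rules 2222 3600 10.7.0.5 | sudo sh -e
# Who is currently blackholed:
#   cat /proc/net/xt_recent/honeyport
```

Pick a decoy port that no scored service uses and that nothing on the box listens on, and make sure the scoring engine’s address really is in the whitelist before you apply this: the “we blackholed the scorer” failure mode is exactly the “your own worst enemies” situation the red team likes to point out.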