Bryan Owen

Cyber Security ‘buzz’ @VCL12 (part 1) – Security Hackathon

Blog Post created by Bryan Owen on Dec 3, 2012

 “What’s Wally doing? Kill Wally!” was overheard from Team 4 during the VCL12 Security Hackathon Day 0 event.

 

The team was referring to a possible breach of their PI System by an intruder (OSIsoft red teamers Bryan Pope and Luis Moux-Dominguez) using commandeered accounts. The cast of accounts for the faux company was based on Dilbert cartoon characters. In this challenge, Wally was supposedly off duty, and many teams picked up on the unexpected login. Hooray!

 

Too bad Wally’s account had domain administrator rights.  Blue teams competing in the security hackathon practiced facing a nightmare scenario – a totally ‘pwnd’ domain. 

 

Each blue team had an embedded OSIsoft engineer providing technical support (shout out to Brian Deslatte, Dan Fishman, Gary Lee, Hahnming Lee, Jonathan Silvestre, Lily Wong, and Mariana Sandin). Many lasting friendships were made over the course of the 8-hour event… perhaps some rivalries too!

 

About half of the security hackathon involved preparing for the red team challenges (instrumenting the system baseline, creating operational dashboards, and adding defenses). Teams could earn points by documenting what they did to prepare.

 

During the challenges, points were awarded based on PI System health and sustained operation. Scoring factors relied on basics like archival rate, connections, uptime, and % good data. Performance indicators were periodically delivered as PI notification content to an automated scoring server.

 

The day is long and the competition intense for a hackathon. I saw this firsthand as teams continued to detect and defend even with the lure of the opening reception during the last two challenges.

 

At the end, Team 2 were the top point earners and prize winners. During the debrief session it was especially interesting to hear about what defenses seemed to work best. The red team reported that once people started changing passwords on the domain accounts, it really stopped a lot of things.

Outcomes