SANS Security Conference 2007 and ICE ICE Baby

Published: 2007-10-14
Last Updated: 2007-10-14 14:21:20 UTC
by Deborah Hale (Version: 1)
0 comment(s)

What a time I had in Las Vegas, outstanding.  I had the pleasure of attending my first SANS conference and meeting some of my fellow Handlers in the flesh.  All I can say is that neither SANS or the “boys” disappointed me.  My extreme thanks to Dr Eric Cole for an incredible educational experience.  I took the SANS Essentials Bootcamp and let me just tell you, this is about as action packed a class I have ever taken.  After returning home it took me several days to “ring this sponge” that I call my brain and begin to assimilate what I had learned.  Now I have turned my thoughts to studying so that I can take the test and make it official.

The culmination of this awesome week came on Friday night and Saturday morning.  There were a group of attendees that signed on for the first ever Integrated Cyber Exercise (ICE).  I have to say without a doubt that this was one of the most valuable “exercises” that I have ever participated in.  There were about 20 “players” in the game.  I was on the Defenders team (The Blue Team) and what a terrific team it was.  Among the team were Chris Hoke, Jeff Tchang, Amy Hagerman, Glenn "Blue 6" Larratt as well as some that wanted to remain anonymous.  Our job was to defend our little network against the “bad guys” that were attempting to attack us and break into our computers.  Our computers included Linux and Windows based OS, both servers and workstations. The players for the attack team were Joseph Bagdon, Brandon Greenwood, and some individuals that prefer to remain anonymous.  And of course we defenders had the deck stacked against us because the attackers ( the Red Team) had a little help from some pretty powerful friends, namely my fearless instructor Dr Eric Cole, Tim Rosenburg from Whitewolf Security, the folks from F5 and Core Technologies.  The defenders used some pretty sophisticated tools to snoop on our network and figure out where our vulnerabilities lay and then unleash their evil on our network. 

I have to say, my team – the Blue Team, did a fantastic job.  We were limited in the tools that we could use.  Basically the only tools we were allowed to use were the ones offered default by the OS manufacturer. We were not allowed to install any patches or updates from the manufacturer and had no access to the Internet to download anything.  We could not plug in our thumb drives, use CD ROMS, or any other extras.  And yet my awesome team was able to stave off our attackers within just a couple of hours.  We were feeling really proud of ourselves. Then the other shoe fell.  We had to leave the room to attend a “meeting” with management.  While we were out everything we had done was undone, and a bunch of programs, holes and such were installed on our machines.  We were in big trouble they had us dead to rights.  I for one was a little irritated….  We had worked so hard and they got in anyway.  They had done a lot of damage and left a real mess behind.  They ended up, by Saturday morning completely taking us over and we were done.

When I returned home, I started thinking about the exercise and what it really had taught me.  At first I felt that it was really unfair that they were able to come in and undo all that we had put in place to keep them out. They were allowed inside our network to do their dastardly deeds.   However, is that not what actually happens in the real world?  Just one user doing one stupid thing can open the door and undo everything that you have done to secure your network. And once the bad guy’s get in, it may be too late, it may take days to find them and lock them out again. This exercise led me to realize that this was just the tip of the iceberg and in the real world the frustration level will be much worse. 

Some comments from other attendee’s:

Brandon Greenwood - I really enjoyed my experience as a part of the Red Cell and the ICE Games.  This was one of the most well put together exercises that I have been a part of.  From working directly with Eric Cole for the length of the games, the impromptu visit form some of the top SANS instructors, to being able to get some shop talk in with Tim Rosenberg and the White Wolf Security team I think allowed everyone to really take something positive away from the games and it made for an interesting time.  I plan on being back next year in either role as it was a positive experience.

Tim Rosenburg, Whitewolf Security - We consider the event a success and are working on ways to make it more spectator friendly.  We'd like to thank all who made it possible including SANS, F5, Core, Paul Asadoorian and of course the players.  We are looking forward to a bigger and better game next year and will incorporate VOIP and RFID and some more tricks up our sleeve.


I want to echo Tim and thank all of those who participated.  To Whitewolf Security, F5, SANS Institute -  Stephen Northcutt, Eric Cole,  Core and Pauldotcom, I want to give my heartfelt thanks for a tremendous experience. I highly recommend that all Computer Security personnel attend this event and I look forward to participating again in the future.

0 comment(s)


Diary Archives