# Red/Blue Games - DefAtt
# Getting started:
## Red/Blue Games
"Red" and "Blue" team concepts were borrowed from military war strategy and introduced into cybersecurity. In the military, one team (the red team) uses its skills to imitate an attack the enemy would perform, while the other (the blue team) uses its knowledge to find the incident and determine how it happened. The same concept is used in cybersecurity wargaming to test security personnel against the TTPs (tactics, techniques and procedures) that attackers might use.
### What is a Red Team?
In cyber security, Red teams are security professionals who are experts in attacking systems and breaking through defenses.
### Why are Red Teams needed?
A Red team systematically probes the systems to identify an attack path that can breach an organization's security defenses. They take an ethical approach to the whole process: they document their steps and findings and do not expose the faults they find. These exercises therefore help an organization assess its capabilities and maturity in prevention, detection and remediation against real-world threats.
### What is a Blue Team?
Blue teams are security professionals responsible for maintaining internal network defenses against all cyber-attacks and threats.
### Why are Blue Teams needed?
A blue team works around the organization's business ecosystem by carrying out risk assessments to identify what needs to be protected. Most often, monitoring tools are put in place and used to perform regular checks on network traffic, DNS and system events.
Moreover, they are responsible for calculating the loss in case of a threat and, based on that analysis and in line with the business objectives, can consider installing new security tools.
## Virtual - Security Operation Center
A security operation center (SOC) is the central unit handling security-related issues at an organizational and technical level. The main attribute of a SOC is to provide services for detecting security incidents, together with the services required to make this possible.
A SOC is defined by 4 crucial steps that are behind all of its logic and functionality. These steps are briefly described next:
- **Collection** - the step where all the events from the infrastructure are sent.
- **Detection** - once the events are available, determine whether something constitutes a security incident.
- **Analyzing** - locate and identify the threat that is raising an alarm.
- **Solution** - initiate the necessary countermeasures.
## Setup Requirements
The platform is based on the concept of Bring Your Own Device (BYOD); nonetheless, you still need Kali as the operating system for the Red Team, and both Red and Blue will use Wireguard to connect to the environment.
**Wireguard** - is an extremely simple and fast general-purpose VPN. In order to have a VPN connection into the virtualized lab environment on DefAtt, you need to install the Wireguard client on your computer.
### Install Wireguard Client
Installation instructions for all clients: https://www.wireguard.com/install/
**For Linux users (after installing the client):**
- Download the configuration file from the event page
- Place the configuration file under ==`/etc/wireguard/`==
- Connect to the VPN by typing ==`wg-quick up filename`==
- If you receive the error ==`resolvconf: command not found`== <font color='red'>(on Kali and Debian-based operating systems)</font>:
  - ==`ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf`==
  - If that command DOES NOT solve the problem (skip this step if it did): ==`sudo apt-get update -y && sudo apt-get install resolvconf -y`==
- If you receive <font color='red'>Unknown interface 'tun': No such device</font>, remove <font color='red'>DNS = 1.1.1</font> from the VPN configuration file
- Make sure you use the right filename when connecting to the VPN
- Check the connection with the ==`wg`== command
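The Linux steps above, put together as an added helper script (not code from the DefAtt page or project): it sanity-checks the downloaded config, derives the interface name `wg-quick` expects, checks for the `resolvconf` problem and can produce a copy of the config without its `DNS` line. It assumes the config path is passed as the first argument (assumption); the `bring_up` step needs root and a real Wireguard install.

```shell
#!/usr/bin/env bash
# Added helper (not part of the DefAtt page or project) for the Linux
# Wireguard steps. Assumes the downloaded config path is given as $1.

# Sanity-check the downloaded file: a usable Wireguard config has an
# [Interface] with a PrivateKey and a [Peer] with an Endpoint.
validate_conf() {
  local f="$1"
  [ -r "$f" ] || return 1
  grep -q '^\[Interface\]' "$f" || return 1
  grep -q '^[[:space:]]*PrivateKey[[:space:]]*=' "$f" || return 1
  grep -q '^\[Peer\]' "$f" || return 1
  grep -q '^[[:space:]]*Endpoint[[:space:]]*=' "$f" || return 1
}

# wg-quick derives the interface name from the file name (minus .conf),
# so this is the name to use with "wg-quick up" and "wg-quick down".
iface_name() {
  local f
  f=$(basename "$1")
  printf '%s\n' "${f%.conf}"
}

# Return 0 if resolvconf exists; otherwise print the page's fixes and fail.
check_resolvconf() {
  command -v resolvconf >/dev/null 2>&1 && return 0
  echo "resolvconf not found; try: ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf"
  echo "or: sudo apt-get update -y && sudo apt-get install resolvconf -y"
  return 1
}

# Write a copy of the config without its DNS line: the page's fix for
# "Unknown interface 'tun': No such device".
strip_dns_line() {
  grep -v -E '^[[:space:]]*DNS[[:space:]]*=' "$1" > "$2"
}

# Install the config with owner-only permissions (it holds the private
# key), bring the tunnel up and show the handshake state. Needs root.
bring_up() {
  local conf="$1" name
  validate_conf "$conf" || { echo "invalid config: $conf" >&2; return 1; }
  name=$(iface_name "$conf")
  sudo install -m 600 "$conf" "/etc/wireguard/$name.conf"
  sudo wg-quick up "$name"
  sudo wg show "$name"
}
```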
**Kali Linux** - Check the course here https://cybertraining.dk/metasploit_0/#/lessons/hMdgM8PUujo73FhvCPNucbCNEvv1bl7E
It is preferable to have Kali as the OS on your device; running Kali Linux in a virtual machine also works.
# DefAtt
DefAtt is designed as an educational platform that aims to recreate a professional setting by adding elements of gamification, while still keeping things as real as possible. The platform experience is structured in 3 parts: the Preparation, Gameplay and Debriefing stages.
## Preparation Stage
This stage is dedicated to learning how the platform works and how you can connect to it. Now, let's see how you can connect to the platform:
The first step is to go to the event link provided by the organizers. The following link is just an example - https://aaau.defatt.haaukins.com
Users need to register on the platform, then select **GamePlay** and pick a team.

### Red user - View
In the next step the Red team will see general information that will help them start. The Red team will know the following: the 1st game LAN, the duration of the game and the number of hints they can get.

### Blue user - View
In the next step the Blue team will see general information that will help them start. The Blue team will know the following: the management network LAN, the Kibana IP, the Wireshark IP and the networks they need to monitor.

### Red and Blue - View
Finally, by clicking **Next** and then **Start** you will be redirected to the final page of the simulation. Here you can download your VPN configuration by pressing **Get VPN Config**.

## Gameplay Stage
This part shows what each side sees, with more focus on the Blue team. For the Red team it works like any CTF you have already played.
After connecting to the VPN, the Red team can start their information gathering process (scanning and mapping the devices).

Your goal is to find the `EndOfGame` token that is placed on a host from the game. Happy Hacking 😈1️⃣0️⃣1️⃣0️⃣💻 !!
### The Blue
This part takes place in the virtual S.O.C. created in DefAtt.
The Blue Team can either start with network traffic monitoring using ==Wireshark== or jump to Kibana for more advanced visibility.
**Kibana** is the window to the data. Kibana enables you to *Analyze* and *Visualize* your data. Inside Kibana you are able to search for hidden events, create dashboards and monitor security-related metrics.
The Blue team can access Kibana once they are connected to the VPN by typing http://10.10.10.10:5601 in their browser. Once connected they will have multiple vantage points. Each host in DefAtt has an agent installed that grabs the necessary logs and sends them to a storage point.

Here the Blue team's activity starts: their goal is to find any Indicators of Compromise (IoC). IoCs are known in the forensics world as evidence on a computer that security has been breached. Investigators gather this data after being informed of a specific suspicious activity.
The Blue Team is now ready to start their hunt. The Blue team's objective is to find as many IoCs as possible and to group them in a Timeline that can be utilized at the end of the gameplay.
The Blues can start from ==Discover==, where the logs are raw and not well organized. The logs are still saved based on the `<source-agent>` and `<timestamp>` tuple. The `<source-agent>` indicates the application responsible for generating the logs and can take values like Fleet Agent, Winlogbeat, Packetbeat, IDS or Firewall, while `<timestamp>` denotes the time when the log was recorded.
The ==Security== tab provides a more detailed overview of the security events related to the monitored hosts. In this tab individual hosts can be inspected to detect malicious activity or to observe different patterns in the data.

The ==Host== tab allows you to perform a detailed search on a specific host. For instance, you can see the last logged-in users, or search for uncommon processes that appeared at the host level.

The ==Network== tab groups all the network-related items, offering the possibility of visualizing flow data and DNS, HTTP and TLS traffic.

The ==Timelines== tab helps the Blue team filter the volume of logs so they can view specific activity and when it was performed. Timelines can be used to organize specific events that were found using the other tabs.

==Cases== is the final tab covered in this course. Here the team needs to create a case based on their findings, specifying the affected hosts and how they believe the hosts got infected, supported by the evidence obtained from the logs.
## Debriefing Stage
Once the gameplay time has expired, the teams present their findings and discuss the results. The Red Team needs to be able to explain the system and the devices that were available, while the Blue team needs to show which of the Red team's moves they caught.