Security Debate 2018 — Hackers vs Security Engineers

Ashish Rajan
3 min read, Feb 7, 2018


Last night (6 Feb 2018), the Meetup Madness Group held a security debate between security engineers and hackers. About 709 tickets were sold, and the event was hosted at the NAB office in Melbourne CBD.

I had the honour of being part of the security engineers aka the blue team panel.

Red-Blue team (from left): Matt (missing in the pic), Tim, Michael, Daniel, Yun, Cameron, Ashish, Julian. Photo credit: Shilpi B
Moderators and Red-Blue team (from left): Andrew, Pamela, Silvio, Anne, Matt, Tim, Michael, Daniel, Yun, Cameron, Ashish, Julian. Photo credit: David G

Debate Objective
The objective of the blue team was to propose defence tactics against different scenarios, some of which involved an isolated LTE (4G) network, an Intel zero day, rogue mobile apps, bypassed WAF controls, NSA-level access, etc. As you can imagine, the objective of the hackers, aka the red team, was to come up with attack scenarios for infiltrating the attack surface.

Blue Team
Ashish Rajan
Julian Berton
Yun Zhi Lin
Cameron Townshend

Red Team
Matt Flannery
Tim Noise
Michael McKinnon
Daniel R.

Moderators
Andrew Dell
Pamela O’Shea, Ph.D.
Silvio Cesare
Annie Lin

Organisers
Stephen Wallace
Brad Hester

MC
Gerhard Schweinitz

Format:

  • 4-question debate
  • Audience Q&A
  • 4-question debate

Audience decides the winner of each question.

Questions

Some folks asked me for the questions, and I have asked the moderators for a copy of the full scenario questions. In the meantime, here are my notes of the questions as I remember them, in the order I remember them rather than the order they were asked. Update: the link to the questions is at the bottom of the article.

  • A mobile app that approves/denies deployments in a CI/CD pipeline (including the production pipeline).
  • An Intel 0day with 1 week to release date — defend the whole of Australia against it and stop the Kiwi hackers from increasing the value of their sheep coin.
  • A product deployed in AWS last year: how will you protect an internet-facing product with no CloudFront or WAF present?
  • Someone has already bypassed the WAF by using / and ? instead of the * and . that your WAF filter covered. How would you detect and protect against this?
  • A microservices environment deployed using Kubernetes, with a service available on the internet over HTTP.
  • Small company X is being acquired by big company Acme. Security has 2 weeks to merge the two networks into one.
  • An isolated network running on 4G with highly sensitive data, isolated from the regular network.
  • A university runs a patch management process once per year, and they have military-grade projects,

Experience

It was an epic night!

The questions were a mix of extreme scenarios and scenarios that some of us have seen or heard of. Neither team provided perfect answers, but each question was followed by a 30-second team huddle that forced each team to come up with interesting out-of-the-box approaches for both attacking and defending a network.

The out-of-the-box ideas, with only 30 seconds to think, highlighted the plethora of experience that both teams brought to the table.

My hope is that some of the ideas discussed gave the audience some insight into the kind of defence it is possible to have (before the machine learning cyber war starts).

All smiles before the start of the debate

Result

The blue team won :)

A special shoutout and thank you for everyone who attended and made the event a huge success.

Group Photo Credit: Cameron T

Update: 8 February 2018 — The questions from both Sydney and Melbourne are available here: https://gist.github.com/hashishrajan/1b605e8d5bca21915fceb6ae1fa4ea2e


Written by Ashish Rajan

Security expert with a goal to make security an enabler instead of a blocker in the exciting world of cloud and machine learning. www.ashishrajan.com
