Last month, I had the opportunity to participate in the NYC InfraGard Capture the Flag event provided by WhiteWolf Security and sponsored by Tenable Network Security.
The Capture the Flag (CTF) was made up of two teams: the red team (attackers) and the blue team (defenders). The blue team was given an unprotected network with unpatched hosts and was asked to defend them to the best of their ability. To complicate matters, business injects were used to simulate the real world (e.g. the CEO wants a website up and running by the end of business). A mock FBI field office was available for reporting a compromise and loss of data. The blue team was not allowed to use commercial products during the event. The red team's goal was to gain access to those systems and steal the data. Points were given for each compromise and data theft. As you might expect, the odds are in the attackers' favor. One could argue that this is true in the real world too.
The winning blue team was organized, well-versed, and remained calm. Each team member seemed to have expertise in a particular area or operating system. They coordinated their defense, and when they did get compromised they went into incident response mode and gathered the logs and proof they needed to report the compromise to the FBI field office. By the afternoon of the first day, they were completely locked out of their own systems. They chose to restore their systems from backup, and all of their systems were up and running again within an hour. Because of this, they won the competition.
It demonstrated the importance not only of defense in depth but of having good incident response and disaster recovery plans in place. It is not a question of if the attackers get in, it is a question of when, so be ready!
It was a great experience and learning opportunity. If you have not had the opportunity to participate in a CTF, I fully recommend it!