Guest Blogger: Colum McGaley, NationalCPTC
I was asked to complete a seemingly simple task: monitor a couple of endpoints during the NationalCPTC. For those not in the know, the NationalCPTC is a capture-the-flag style event, where the goal is not only to go as far as you can in our environment but to document any issues you uncover while doing so as lightly as possible. Penetration testing is the name of the game (some might call it hacking), and the CPTC’s goal is to provide an environment that mimics what a real-life white-hat engagement would look like, from initial proposal to a presentation of findings to a non-technical group such as C-level executives.
The way the competition works is that each team is given a target infrastructure to engage, and this happens from a local Windows 10 endpoint and a remote Kali-type VM. Through the power of cloud magic, each team gets an isolated environment that the competition administrators can monitor and observe. Monitoring a headless VM is simple compared to the attacking Windows 10 boxes. One of my tasks was to find a solution that would allow us to record the screen or system events of the attack platform in a way that could be played back at a later time.
This year Bill Stackpole, our fearless leader, was working with an NFS grant that was for research into how malicious actors would attack an environment. Part of this was to log everything that a few teams were doing, from network traffic to user activity, so it could be reviewed later and eventually be used to write detection algorithms.
In previous years, we focused solely on system events, such as log messages and bash history, and network traffic. This year the idea was to expand the collection scope to include data from the attackers’ attack platforms, which, in this case, were Windows 10 workstations located in a lab.
Through Bill’s self-described elbow rubbing, he solicited the folks at ObserveIT to give us a 90-day license to play with during the competition. (I’d never heard of the company or the product, but to sum up the rest of this post: we used it, and we want to use it again!)
As a note, this article is in no way sponsored by ObserveIT nor did they have any input in the content or direction of this article.
Setup & Deployment
I’m not the most enthusiastic person when I don’t want to do something, and installing and configuring endpoint monitoring software was not high on my list. ObserveIT is a Windows product. It runs on Windows Server and requires MS SQL Server. I’m a self-proclaimed Linux guy, so anything dealing directly with Microsoft products is a bit foreign to me.
I’ll admit this now. I’m not sure if any of us read the documentation, but looking back as I’m writing this, ObserveIT provides all the required PowerShell commands to configure Windows & IIS. During my introduction to ObserveIT, I didn’t think to read the documentation. I just tried to plug along until it worked. But ObserveIT is nicely self-contained, depending externally only on IIS and SQL Server. After getting over the hump of getting IIS and SQL Server configured and deployed to a point where the installer passed validation, it was smooth sailing.
When you think of enterprise-grade software, I’m sure you go right to a complicated installer with a million knobs to turn that requires reams of documentation and an on-site consultant to ensure a smooth deployment. Not ObserveIT. The installer was smart enough to poll for the SQL Server connection and IIS configuration to make sure it was using the right one. Other than that, all you needed to do was provide a license file and click the install button. After maybe five minutes of waiting, we were greeted with a web interface.
A thing to note is our server configuration. I used a fully patched Windows 2012 R2 VM that had four vCPUs (of 2012-era AMD Opteron CPUs), 8GB of RAM, and a 1TB disk. Networking was a standard campus 1GbE network.
Once the server was deployed, we were ready to add clients. Out of the box, ObserveIT was ready to go. That’s awesome. I’ve encountered many a product that required additional configuration afterward to be usable, which puts a damper on things. I was expecting to have to define storage, video settings, and turn a bunch of other knobs before it would accept agent input.
Deployment of the agent was straightforward. Launch the installer, enter the server information, and a minute later we could see and control the client in the web interface of the server. Again, nothing major to configure. It just worked. In a competition with a million things going on at once, when something just clicks into place, it stands out. Once the systems were deployed, we were able to get screen captures and pull system information.
We didn’t use this feature, but the documentation included all the required switches that would be needed if we deployed the agent via SCCM. Our workstations are deep-frozen, so an army of labbies was dispatched with flash drives to do the needful.
Now I do remember some back and forth between ObserveIT and us during setup, but as I recall it had to do with confusion over licensing. The first box I used for testing the agent was another Server 2012 box, which didn’t work because we only had Windows client licensing. I don’t recall us having any issues that required external input with the actual product.
During the competition, the attackers used a mixture of remote Kali-like VMs where they carried out the brunt of attack work, but also the local Windows 10 workstations. Our initial goal with ObserveIT was met. All we wanted was some basic screen capture of the workstations over the duration of the competition. ObserveIT provided us with a bit more than that.
Alongside capturing the user’s screen, we started to get alerts on suspicious user activity. Upon investigation, ObserveIT was flagging Google searches about how to get around proxies or firewalls. And not only was this alert generated, but we were able to jump into the screen captures around that time and see what the user was doing. Considering the slogan of the product, “Identify and eliminate insider threats with ObserveIT,” I think they are living up to it.
After the competition wound down and the license expired, there was a concern that we would be unable to use the server interface to replay the sessions we recorded. Fortunately, the system allowed us to continue to replay recorded sessions after the license expired. Yet another impressive feature of this software.
What amazes me is how little effort was required to get ObserveIT off the ground and into a workable state. For the limited amount of time I interacted with ObserveIT, I’m impressed. If I were in the position where I needed to select a product for monitoring a bunch of computers, either in a corporate environment or an educational one, I would consider giving ObserveIT a good look. In my worldview, and I know I sound like a broken record for repeating this, functionality out of the box is king. Product A might be super powerful, but if Product B can get me closer to my goal quicker, being the slightly lazy person that I am, Product B will probably be my choice.
ObserveIT was the first product that we looked at, in part because we had a demo license, and after playing with it we felt that there was no need to go and look at other products. It did what we needed it to do, it was easy to set up, and it brought more than we expected to the table. I’m sure we just scratched the surface of what could be done with ObserveIT, but it did what we needed it to do. I’m hoping, ObserveIT willing, that we will have the option to deploy this in our scenarios in the future.