DefCon 26 - Here Comes the Blue Team CTF

tl;dr – The inclusion of a ‘Blue Team Village’ is one of the greatest additions to DefCon I’ve gotten to experience and it’s a huge step forward for the InfoSec community overall.


DefCon is many things to many people. As one of the oldest and largest hacking conferences it always attracts its fair share of great presenters and interesting personalities. Over the past few years the conference has seen relatively explosive growth, more than doubling the number of attendees in the last 5 years. Whether this is because the mainstream is more and more turning to embrace hacker culture (Mr. Robot, WatchDogs, Cyberpunk 2077, I’m looking at you) or due to regular and high-profile breaches (cough Equifax, DNC, Target cough), the average American is certainly more tech-aware than they were just a few years ago.


One of the great outcomes of this is that DefCon has been changing to embrace even more interests and viewpoints of the InfoSec community. These changes are most apparent in the growing number of villages set up during the conference. For those who haven’t had the chance to attend (and you really should go at least once, if only to discover that you’re not a fan of the unique nature of the conference), villages are presentation and socialization areas themed around a particular topic. The newer villages have grown to include an IoT village where smart devices frequently get pwned, a Voting Machine Village where, you guessed it, voting machines get put to the test (and defeated), and most recently – and the topic of this first DC26 Blue Team series – a Blue Team village.

The inclusion of this village is great, but for some it was unwanted. After all, they say, DefCon is a hacking conference focused on breaking things, understanding how they work, and ultimately exploiting them, so why would we want to include the defenders? Well, this village is an incredible addition and something that I hope continues to get support in future years. You may wonder why a defensive village at an offensive conference has me, a Red-Teamer/Pentester/’whatever you want to call someone who enjoys getting access to systems you aren’t supposed to’, excited. Wonder no more: it’s because, at the end of the day, the “Blue Team” is why I (and all Red teamers) have a job.

Securing and protecting information and systems is a necessary business function, which is why companies can hire full-time defensive staff. The purpose of any offensive or “Red” action is to help strengthen and improve the blue team. By including the Blue Team in DefCon, the conference now allows for the cross-pollination of ideas between offense and defense.

By better understanding the mindset of a defender, attackers can improve their tradecraft, and by better understanding an attacker’s arsenal and tradecraft, defenders can bolster their defenses, identify gaps, and work with their business to improve. Overall the village was a blast; it was so popular, in fact, that on the first day you couldn’t get in 20 minutes after opening because the room had already hit its fire-code capacity.

Capture the Flag

One of the highlights of this new village was a brand new CTF to experience, the OpenSOC Blue Team CTF. Getting to meet so many new people with a different security perspective was incredibly fun, as was taking part in one of the more unique CTFs I’ve had the chance to participate in. What is a CTF? What makes a Blue Team CTF so interesting? Why should you care?

CTFs, or ‘Capture the Flag’ events, are competitions where each participant (or participating team) has a series of progressively more difficult challenges to solve. Upon solving each challenge, the participant provides proof of their solution (usually in the form of some pseudo-random string of characters). This proof is the ‘flag’ they are providing. In the information security world there are a number of CTFs occurring regularly throughout the year which are usually free to participate in and serve to challenge and test participants across a variety of domains. (For more info on upcoming CTFs you can participate in, check here.)

One thing that almost all of these CTFs have in common is that they are offensively themed (that is, they test the skills and tools common to attackers). The Blue Team Village at DC26 included a defensively themed CTF meant to expose participants to a representative defensive scenario using common defensive tools, techniques and capabilities.

While this may seem insignificant, I just want to take a moment to thank the organizers for setting this up. With the prevalence of available Red Team CTFs it is incredibly awesome to see a new perspective provided, and the work done to create a Blue Team CTF was impressive.

What makes a Blue Team CTF so Interesting

What did this Blue Team CTF look like, you may wonder? I won’t spoil the details of the scenario, but the general outline of the CTF is this:

  1. An entire ‘corporate’ network was created for the event

  2. Security devices and services were configured across the environment

  3. Centralized logging was configured for the multiple security controls in place

  4. Participants were provided login info for each of the administrative dashboards corresponding to these security systems

  5. Participants were given a series of questions about different activity and security incidents that occurred on the network.

This ‘representative’ network was configured in a realistic way, implementing some best practices for host and network controls using popular open source solutions. By doing this, the organizers created a live domain environment paired with an up-and-running security operations center (SOC). The twist was that, for the CTF, we (the participants) got to play the role of SOC staff.

With the network in place, various attacks were performed against the corporate environment and questions were provided about each attack. Participants used the preconfigured tools and their knowledge of offense and defense to find the evidence of these attacks and submit key indicators of compromise as answers to the CTF questions.
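As an added illustration (not part of the original post, and not taken from the CTF scenario itself), here is the kind of search a participant would run against centralized logs to turn raw events into submittable indicators: spot a password-guessing run followed by a successful login from the same source, and pull out the source IP, the account that was compromised and the timeline. The sshd line format is the syslog output OpenSSH really emits; the host name, accounts, IP addresses, the year used to complete the syslog timestamps, and the four-failure threshold are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real CTF data): syslog-style sshd lines in the
# "Failed/Accepted <method> for <user> from <ip> port <port> ssh2" format that
# OpenSSH writes. Host, users and addresses are made up for this example.
SAMPLE_LOG = """\
Aug 10 02:14:01 corp-bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 10 02:14:03 corp-bastion sshd[4021]: Failed password for root from 203.0.113.5 port 51236 ssh2
Aug 10 02:14:04 corp-bastion sshd[4025]: Failed password for jdoe from 203.0.113.5 port 51238 ssh2
Aug 10 02:14:06 corp-bastion sshd[4027]: Failed password for jdoe from 203.0.113.5 port 51240 ssh2
Aug 10 02:14:07 corp-bastion sshd[4029]: Failed password for jdoe from 203.0.113.5 port 51242 ssh2
Aug 10 02:14:09 corp-bastion sshd[4031]: Accepted password for jdoe from 203.0.113.5 port 51244 ssh2
Aug 10 02:20:11 corp-bastion sshd[4102]: Accepted publickey for asmith from 198.51.100.20 port 40012 ssh2
Aug 10 02:21:30 corp-bastion sshd[4110]: Failed password for asmith from 198.51.100.20 port 40018 ssh2
Aug 10 02:21:35 corp-bastion sshd[4112]: Accepted password for asmith from 198.51.100.20 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

FAILURE_THRESHOLD = 4          # assumed: failures from one source before we call it brute force
WINDOW = timedelta(minutes=5)  # assumed: sliding window the failures must fall inside


def parse_sshd_log(text, year=2018):
    """Turn raw sshd syslog lines into event dicts. Syslog timestamps carry no
    year, so one is supplied (2018 assumed here, to match DefCon 26)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shapes are skipped rather than mis-parsed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def find_brute_force_successes(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per source IP that produced `threshold` or more
    failures inside `window` and then got an Accepted login. A lone typo
    before a successful login (asmith in the sample) stays below the bar."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            # keep only failures still inside the sliding window
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["result"] == "Failed":
                failures.append(e)
            elif e["result"] == "Accepted" and len(failures) >= threshold:
                findings.append({
                    "source_ip": ip,                 # the indicator to submit / block
                    "account": e["user"],            # the account to reset and review
                    "host": e["host"],
                    "failed_attempts": len(failures),
                    "users_tried": sorted({f["user"] for f in failures}),
                    "first_failure": failures[0]["ts"].isoformat(),
                    "success": e["ts"].isoformat(),
                })
                failures = []  # one finding per successful run
    return findings


if __name__ == "__main__":
    for finding in find_brute_force_successes(parse_sshd_log(SAMPLE_LOG)):
        print(finding)
```

Running it against the constructed sample reports a single finding: 203.0.113.5 tried admin, root and jdoe five times in eight seconds and then logged in as jdoe, while asmith's single failed attempt from 198.51.100.20 is correctly ignored. In a real SOC the same query would be expressed in whatever the centralized logging platform speaks, but the logic (group by source, count failures in a window, look for the success that follows) is what turns a pile of events into an answer.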

Athletes train by working out, studying footage of their opponents and having scrimmages. Surgeons train in simulators, on cadavers and artificial flesh for thousands of hours to ensure they are as prepared as possible for a real procedure. How do you train and prepare for the next compromise in your environment?

For many organizations the unfortunate answer is that defenders might take a class or earn a certificate annually, but regular and repeatable ‘real world’ training only occurs during an incident. Having a fully configured and instrumented network is a HUGE benefit for blue teamers (as well as system and network administrators). It provides us a place to exercise our processes and procedures and to test new techniques and tools before we find ourselves responding to an intrusion.

The closer the mock network is to our production network the better, but it doesn’t have to be exact. Similar tools and capabilities can be substituted as necessary (and in some cases this training network might allow us to test a potential new tool that we want to use in our production environment). The important thing is that we have comparable levels of visibility and capabilities to detect and respond to our simulated intrusion.

DefCon 26’s Blue Team CTF provides an example of what this kind of training network can look like and the competition itself serves as a great way to test your knowledge and learn about potentially new tools to add to your arsenal.

Next Year

To prepare for next year’s event, wouldn’t it be great if we had our own environment that we could set up with these same types of tools and logging? Join me over the coming weeks as we discuss some network design concerns, tool choice and selection, and then work to build out our own SOC-in-a-Box environment using open source software and projects. In addition to providing a great resource for next year’s CTF, the process of building this SOC-in-a-Box can be expanded upon and tweaked to let you create a more tailored training environment for your personal or organizational needs: a sort of ‘cyber playground’ where the offensive and defensive sides come together and push each other to become stronger.