Resources / / DefCon

Blue Team CTF – What’s That?

As I mentioned in my previous post DefCon 26 introduced a whole new defense focused village, the Blue Team Village. One of the highlights of this new village was a brand new CTF to experience, the OpenSOC Blue Team CTF. What is a CTF? What makes a Blue Team CTF so interesting? Why should you care? Let’s discuss.

Whats a Capture the Flag

CTFs, or ‘Capture the Flag’ events, are competitions where each participant (or participating team) has a series of progressively difficult challenges to solve. Upon solving each challenge, the participant provides proof of their solution (usually in the form of some pseudo-random string of characters). This proof is the ‘flag’ they are providing. In the information security world there are a number of CTF’s occurring regularly throughout the year which are usually free to participate in and serve to challenge and test participants across a variety of domains. (For more info on upcoming CTF’s you can participate in check here)

One thing that these CTF’s almost all have in common is that they are offensive themed CTF’s (that is, they test skills and tools common for attackers). The Blue Team Village at DC26 included a defensive themed CTF meant to expose participants to a representative defensive scenario which utilized common defensive tools, techniques and capabilities.

While this may seem insignificant I just want to take a moment and thank the organizers for setting this up, with the prevalence of available Red Team CTF’s it is incredibly awesome to see a new perspective provided and the work done to create a Blue Team CTF was impressive.
What makes a Blue Team CTF so Interesting

What did this Blue Team CTF look like you may wonder. I won’t spoil the details of the scenario but a general outline of the CTF is this:

  1. An entire ‘corporate’ network was created for the event
  2. Security devices and services were configured across the environment
  3. Centralized logging was configured for the multiple security controls in place
  4. Participants were provided login info for each of the administrative dashboards corresponding to these security systems
  5. A series of questions surrounding different activity and security incidents that occurred on the network.

This ‘representative’ network was configured in a realistic way, implementing some best practices for host and network controls using popular open source solutions. By doing this, the organizers created a live domain environment paired to an up and running security operations center (SOC). The twist being, that for the CTF we (the participants) got to play the role of SOC staff.

With the network in place various attacks were performed against the corporate environment and questions provided about each attack. Participants used the preconfigured tools and their knowledge of offense and defense to find the evidence of these attacks and submit key indicators of compromise as answers to the CTF questions.

Why does this matter

Athletes train by working out, studying footage of their opponents and having scrimmages. Surgeons train in simulators, on cadavers and artificial flesh for thousands of hours to ensure they are as prepared as possible for a real procedure. How do you train and prepare for the next compromise in your environment?

For many organizations the unfortunate answer is that defenders might take a class or certificate annually but regular and repeatable ‘real world’ training only occurs during an incident. Having a fully configured and instrumented network is a HUGE benefit for blue teamers (as well as system and network administrators). It provides us a place to exercise our processes and procedures and potentially test new techniques and tools before we find ourselves responding to an intrusion.

The closer the mock network is to our production network the better, but it doesn’t have to be exact. Similar tools and capabilities can be substituted as necessary (and in some cases this training network might allow us to test a potential new tool that we want to use in our production environment). The important thing is that we have comparable levels of visibility and capabilities to detect and respond to our simulated intrusion.

DefCon 26’s Blue Team CTF provides an example of what this kind of training network can look like and the competition itself serves as a great way to test your knowledge and learn about potentially new tools to add to your arsenal.

To prepare for next year’s event, wouldn’t it be great if we had our own environment that we could setup with these same types of tools and logging. Join me over the coming weeks as we discuss some network design concerns, tool choice and selection, and then work to build out our own SOC-in-a-Box environment using opensource software and projects. In addition to providing a great resource for next year’s CTF the process of building this SOC-in-a-Box can be expanded upon and tweaked to allow you to create a more tailored training environment for your personal or organizational needs, a sort of ‘cyber playground’ for offensive and defensive sides to come together and push each other to become stronger.

-G