Rodney Flores

OpenSOC CTF, GrayHat October 2020


I first read about OpenSOC in a Discord chat specific to Blue Team resources. As soon as I clicked the link to their website, I saw this picture on the homepage and I was hooked! I was new to the field (I'm not even "in" it!), and it was during this time that I found myself really curious about the Blue Team. Prior to this event, I was all about being a Pentester, and the projects I was getting into were all based on red team activities.


TL;DR this CTF event is what solidified my love for the Blue side of Cybersecurity.


So, what exactly is OpenSOC? Straight from their website:


OpenSOC is a free blue team defensive competition that is as close to "the real thing" as it gets. We run it at a series of infosec community events throughout the year to give back to the infosec community, promote the open source projects that we love, and support infosec events like DEFCON and BSides. This isn’t just another CTF. We’ve built this platform to train real-world responders to handle real-world situations. Our environment is a fully functional replication of an enterprise environment, complete with all the trimmings - Active Directory, Exchange, distributed networks, various sensors, log aggregation, end-user simulation, and more.

The event I participated in was held during this year's GrayHat Conference. The OpenSOC CTF was created and is run by Recon Infosec, who provide this exact same training to corporations, and I'm thankful that they do these events for free several times a year, because use of this Network Defense Range usually costs $1,000/day!



Network diagram of OpenSOC Oct 2020


What makes this CTF unique, other than a realistic environment, is the fact that the entire platform is based on free open-source cyber defense tools:


The tools I was able to get hands-on time with were Graylog, Arkime, and osQuery.


Graylog was my first experience with any Security Information & Event Management (SIEM) tool. I learned about how queries in a SIEM worked, and how to create and manipulate them to obtain the information I needed. I was a bit worried that I would get "lost in the sauce" with regard to how queries needed to be structured before giving any useful information, but Graylog queries were very user-friendly and intuitive. A really cool feature that helped me answer a lot of the challenges was the "Field" section, and then using those fields and utilizing the "Quick View" feature to parse data even further.


Arkime is a full packet capture and search tool of the network environment. This was also the first packet capture tool I experienced (at the time; I've since used Wireshark as well). One thing I experienced right away is the syntax difference in the queries between Arkime and Graylog. It wasn't too difficult to overcome, just something to be aware of as I switched back and forth between the tools. I was impressed at how much information was packed in each packet, and how Arkime broke it down in a way that was easy to read. Again, I learned that query syntax and time interval manipulation to get the data you need is paramount.


Finally, osQuery was the hardest to grasp out of the three. It is considered an operating system instrumentation framework that uses the operating system as a high-performance relational database using SQL to explore the data. Hence, the learning curve for me was large because I didn't know what SQL was and what it was used for. It goes without saying that I learned a lot about databases, fields, tables, commands and how they all relate to each other to obtain information about the OS. In the case of the CTF, I used it to query Windows event logs and registry keys. This is a tool I'd like to practice with more because I had a hard time properly constructing the queries, and by the time I started to get the hang of it, the queries proved to be useless because I was trying to query a compromised computer where the commands were essentially disabled.


Another thing I learned a lot about, and that I realize is VERY important for those monitoring Windows-based networks, is Windows Event IDs! These numbers put your findings into perspective and help you navigate your thought process better, knowing the type of alert you're looking at. If you have an affinity toward the blue team and a career as a security analyst, do yourself a favor and bookmark this website now.
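To make the osQuery and Event ID paragraphs above concrete, here is an added example of the two kinds of query described (registry keys and Windows event logs). It is not code from the post or from OpenSOC/Recon Infosec; the table and column names (`registry`, `windows_events`) follow osquery's published schema, the Run-key paths are the standard Windows logon-persistence locations, and 4624, 4688 and 7045 are the well-known Security/System log Event IDs for successful logon, process creation and new service installation.

```sql
-- Added example (not from the post or from OpenSOC/Recon Infosec).
-- osquery SQL as an analyst would type it into osqueryi on a Windows host.
-- Table/column names follow osquery's schema for `registry` and
-- `windows_events`; check your build's schema if they differ.

-- 1. Registry triage: list every value under the per-user and
--    machine-wide "Run" keys, which launch programs at logon and are a
--    common persistence location. The registry table accepts LIKE with
--    a % wildcard in the key constraint; mtime is a unix timestamp.
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
   OR key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run';

-- 2. Event-log triage by Event ID: 4624 = successful logon and
--    4688 = process creation (Security log); 7045 = new service
--    installed (System log). Newest events first.
SELECT datetime, source, eventid, data
FROM windows_events
WHERE (source = 'Security' AND eventid IN (4624, 4688))
   OR (source = 'System'   AND eventid = 7045)
ORDER BY datetime DESC
LIMIT 50;
```

One caveat worth knowing before trying this: `windows_events` is an evented table, so it only returns events the osquery daemon has buffered since its subscription started (or since the query last ran on a schedule); an ad-hoc query in `osqueryi` on a fresh session can legitimately return nothing. The `registry` table is queried live and always answers, which makes it the better place to start when you are learning the syntax.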


So how did I do?



I believe there were 150 participants in this event. I worked solo and had never seen or touched a SIEM, didn't know SQL, and had never used a packet capture tool. I'm super stoked on this! The following Tweet was sent to me by one of the Recon Infosec members after the event finished and everyone was chatting on their Discord:



If you're a Hiring Manager reading this and you agree with this Tweet, CONTACT ME!!! ;-P


The link below will take you to the write-ups of the challenges I completed. It will be hard to tell from those write-ups, but this event was the MOST fun I've had in a CTF (even to this day, since I'm writing this post weeks after the fact). A lot of it had to do with the interface of the environment -- it is exactly how it would be in a professional environment if they were using the same tools! And everything just worked well together. No hiccups... nothing going down. It was a great experience, and I plan on attending every single one they have every year. Here's a tip if you're interested in this CTF and you've made it this far: go to their website and look at their calendar. Then set up your own alarm to remind yourself to sign up, because the slots are limited, their reputation in the industry is well-known, and they usually run out of slots within the first 24 hours.


EDIT 12/7/20: Since OpenSOC's "LittleFoot" Challenge is still an active challenge, I decided to change access to my write-ups and make them password protected out of respect for ReconInfosec and OpenSOC. If you're a prospective employer, recruiter, or talent acquisition specialist wanting proof-of-concept of what I did at this event, please contact me for access.

