By Rodney Flores

RangeForce: Blue Team Star Challenge



The Blue Team Star Challenge was a blue team (defensive) cybersecurity event made up of three different challenges hosted by RangeForce. If you're curious about RangeForce as a platform, you can read my review of their FREE Community Edition platform HERE. This event began in mid-December of 2020 and ended in the 2nd week of January 2021.


At this point in my journey, I already knew that I wanted to be a blue team defender, so to say that I was stoked for these challenges is an understatement. CTFs are fun, and technically you can say that these are CTFs, but what made them great is that they were modeled after real-life scenarios using real-life tools. Here's a screenshot of the "Prerequisites" and "Learning Outcomes" of the challenge from RangeForce:


Luckily for me, at the time of this event, I already had some seat time with the platform in their Community Edition. So I knew how to get around the environment and how everything worked platform-wise. What also worked in my favor was that I had completed modules that taught me Splunk, Yara rules, and Suricata--just by coincidence! I had no idea that this challenge was going to be released. I know that some people jumped into this challenge with no security work experience (like myself), and for them this challenge was a struggle. I wouldn't consider this a "beginners" challenge per se. You can see from the image below that two of the challenges are considered "Intermediate" and the last one is "Advanced". The only experience I had was the handful of modules I described previously. But with a lot of research, time, and learning as you go, anyone could be successful at completing all challenges. Here's a quick rundown of what I accomplished:


An image of the Blue Team Star Challenges
The challenges took me a lot more time than what is stated here!

OBFUSCATION CHALLENGE


A malware stager was used in an attack on a Windows client for the company I worked for (another cool aspect of all the challenges was that they put you in a real-life scenario). As a security analyst, I had to unravel the malware to obtain information about its processes and provide it to my security team so that they could monitor suspicious network activity and block it if necessary.


I learned about deobfuscation techniques within ASCII text, specifically using base64, and spent a lot of time on the Linux command line using commands such as file and strings to get a baseline of what I was working with. Then I used compression/decompression techniques with gzip to piece the malware back together until I was able to view the malware source code and identify key bits of information like the IP address of the server this stager connected to and which port this malware service was using.
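As an added example (my own illustration, not the challenge's actual file or RangeForce's material), the script below builds a constructed sample that wraps a few lines of text in gzip and then base64, and then peels the layers back off with the same tools the passage names: file to recognise each layer, base64 -d and gunzip -c to unwrap it, and grep to pull the server IP and port out of the recovered text. The sample text, the IP 203.0.113.5 and port 4444 are all made up for the example.

```shell
#!/bin/sh
# Constructed sample: plain text -> gzip -> base64 on one line.
# This stands in for the obfuscated stager; it is not the real one.
make_sample() {
    printf 'client = connect("203.0.113.5", 4444)\nwhile True: run(recv())\n' \
        | gzip -c | base64 | tr -d '\n'
}

# Baseline triage, as in the write-up: what does `file` say, and which
# printable strings are visible before any decoding?
triage() {
    work=$(mktemp)
    printf '%s' "$1" > "$work"
    file -b "$work"
    strings -n 8 "$work" | head -n 5
    rm -f "$work"
}

# Peel encoding layers until the data no longer looks wrapped.
# Each round: gzip (per `file`) is decompressed, a pure base64 alphabet
# is decoded, anything else is treated as the final plaintext.
# Work happens in a temp file because gzip output is binary and would
# not survive a shell variable.
unwrap_layers() {
    work=$(mktemp)
    printf '%s' "$1" > "$work"
    n=0
    while [ "$n" -lt 8 ]; do          # cap the rounds so a bad blob can't loop forever
        case "$(file -b "$work")" in
            *gzip*) gunzip -c "$work" > "$work.next" ;;
            *)
                if grep -Eqx '[A-Za-z0-9+/=]+' "$work"; then
                    base64 -d "$work" > "$work.next"
                else
                    break                 # plain text reached
                fi ;;
        esac
        mv "$work.next" "$work"
        n=$((n + 1))
    done
    cat "$work"
    rm -f "$work"
}

# Pull "ip:port" out of the recovered source: first dotted quad, then the
# first number that follows it (the separator between them is replaced by ':').
extract_c2() {
    printf '%s' "$1" \
        | grep -Eo '[0-9]{1,3}(\.[0-9]{1,3}){3}[^0-9]+[0-9]{1,5}' \
        | head -n 1 \
        | sed -E 's/[^0-9.]+/:/'
}

# Stand-alone run: triage the blob, unwrap it, report what to hand to the team.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(make_sample)
    echo "== triage =="; triage "$sample"
    plain=$(unwrap_layers "$sample")
    echo "== recovered source =="; printf '%s\n' "$plain"
    echo "== server to watch/block: $(extract_c2 "$plain") =="
fi
```

The base64 test is deliberately strict (only alphabet characters and padding on the whole line), so decompressed source containing quotes or spaces stops the loop instead of being fed back into base64 -d. The recovered IP and port are what you would pass on for network monitoring or blocking.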


THREAT INTEL CHALLENGE


This challenge dropped me into a scenario as a rookie SOC Analyst investigating some activity on a website. Customers were complaining that their antivirus protection was alerting them that the website's downloadable catalog was being flagged as malicious. My job in this challenge was to identify potential threats that existed and find out who tampered with the website source code. The web server actually had other traffic on it as well to mimic a real-life scenario. So cool!


This challenge gave me hands-on seat time with Splunk, a security information and event management (SIEM) tool, which I was so excited to use for the first time! The lessons I learned in the Community Modules helped me tremendously here. I was able to craft Splunk queries that allowed me to identify the source IP address of the brute-force attack, which user account the threat actors were trying to gain access to, the IP address of the threat actor themselves, and what file was being used for the exploit--all from within Splunk! Additionally, I was able to analyze the malware using VirusTotal and even found the CVE identifier attributed to this malware. I even created my own Yara rule to detect this malware using a unique signature left behind by the exploit, so that this exploit could be identified in the future.


E-MAIL CHALLENGE


Last but not least was this challenge, which was actually called the Multi-Attack Challenge on the platform itself. This one was the hardest of the bunch. Essentially, I was tasked to monitor, identify, and prevent threats with the use of a Suricata, Fail2Ban, and Splunk stack. I also had access to the company e-mail server and had to properly configure and manage all these tools. What was different in this last challenge was that completion of tasks happened automatically as I physically performed the techniques and procedures properly, not via answering questions in a flag-type format. This was the epitome of a challenge with your "hair on fire" as I was being hit with attacks from all angles, all at the same time!


I identified a phishing e-mail and blocked the domain responsible by modifying the postfix configuration file on the e-mail server. Then, I used Splunk to identify an in-progress web attack. Using the information found during my Splunk analysis, I created my own Suricata rule to drop connections from the IP address responsible for the attacks. Then, I remediated a brute-force attack on SSH through analysis via Splunk and again crafted my own Suricata rule to drop the IP addresses of the brute-force attack. Finally, I stopped the port scanning of services at the company, again through analysis of the port scanning via Splunk, and then crafted my own Suricata rule to block the IP address where the scanning was originating from--or so I thought. I also tried modifying the configuration of Fail2Ban to do the same. And I could see from the logs that the packets from the responsible IP were in fact being dropped, but I wasn't getting the satisfactory green check mark. Thankfully, with an assist from Mark Favata @xfavatax, he taught me how to use the iptables feature to drop the packets coming from the port scan.
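Added example covering the brute-force steps from both the Threat Intel and Multi-Attack write-ups above (identify the source IP from the logs, then write a Suricata drop rule and an iptables drop for it). This is my own illustration, not RangeForce's material or the challenge's real data: the sshd log lines, the IP addresses and the threshold are constructed, and the Splunk search from the challenge is stood in for by grep/awk over those lines. The rule and the iptables command are generated as text rather than applied, so the script runs anywhere.

```shell
#!/bin/sh
# Constructed sshd log excerpt (not from the challenge). One host hammers
# root/admin, another is a normal user with a single typo.
LOG='Jan  9 10:01:02 mail sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan  9 10:01:03 mail sshd[1203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jan  9 10:01:04 mail sshd[1205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jan  9 10:01:05 mail sshd[1207]: Failed password for root from 198.51.100.7 port 51028 ssh2
Jan  9 10:02:10 mail sshd[1210]: Failed password for bob from 192.0.2.44 port 40001 ssh2
Jan  9 10:02:30 mail sshd[1212]: Accepted password for bob from 192.0.2.44 port 40002 ssh2'

# Source IPs with at least $1 failed logins. Equivalent in spirit to a
# Splunk search that filters "Failed password", counts by src_ip and
# keeps counts above a threshold.
offenders() {
    printf '%s\n' "$LOG" \
        | grep 'Failed password' \
        | sed -E 's/.* from ([0-9.]+) port.*/\1/' \
        | sort | uniq -c \
        | awk -v t="$1" '$1 >= t { print $2 }'
}

# Suricata rule dropping TCP/22 from one source. $1 = IP, $2 = sid.
# sids from 1000000 up are the conventional range for local rules.
# "drop" only takes effect when Suricata runs inline (IPS mode); in IDS
# mode it behaves like "alert", which matches the write-up's experience
# of rules that looked right but did not stop the traffic.
suricata_drop_rule() {
    printf 'drop tcp %s any -> $HOME_NET 22 (msg:"SSH brute-force source blocked"; sid:%s; rev:1;)' "$1" "$2"
}

# The iptables fallback the write-up ends with: drop everything from the
# source at the host firewall. Returned as text; run it (as root) yourself.
iptables_drop_cmd() {
    printf 'iptables -I INPUT -s %s -j DROP' "$1"
}

# Stand-alone run: threshold of 3 failures, one sid per offender.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sid=1000001
    for ip in $(offenders 3); do
        echo "# offender: $ip"
        suricata_drop_rule "$ip" "$sid"; echo
        iptables_drop_cmd "$ip"; echo
        sid=$((sid + 1))
    done
fi
```

The generated Suricata line belongs in a rules file that suricata.yaml loads (for example the local rules file), followed by a rule reload; the threshold keeps bob's single failed attempt from 192.0.2.44 off the block list.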


TO THE VICTOR GO THE SPOILS


I forgot to mention that this Blue Team Star Challenge came with prizes for the first 100 participants to finish all the challenges before the deadline. This competition didn't even come close to going that far--I think the top 100 were solidified within the first week of the challenge. How did I do?

I came in 24th!!! And the prizes we got were pretty dope: an Acclaim RangeForce Blue Team Star Challenge Badge I could share on social media, $100 from Amazon, and a Blue Team Star Challenge t-shirt!!


CLOSING THOUGHTS


Similar to the OpenSOC CTF I participated in, this is probably the most realistic blue team challenge I've completed. It gave me hands-on experience with actual tools being used in the field (enterprise-grade, in the case of Splunk) in an environment with actual network traffic and attacks that you get to see and analyze in real time. I have yet to go back onto the RangeForce platform to work on the hundreds of modules I have access to, but it is on my shortlist for sure.


Since the event has long since expired, I've included my write-ups below. Just know that they are still actual modules that are a part of their SOC Analyst 1 Battle Path.


UPDATE 06/08/2021: Since the modules that comprised this challenge are still part of active Battle Pathways, I've decided to lock down the write-ups. Again, if you are a technical recruiter or hiring manager looking for proof-of-concept, please contact me for access.


