Written by Jordan Kalm, TRU Cyber Threat Intelligence Analyst
At SOD, we annually send a group to the Defcon conference in Las Vegas, Nevada. Defcon is one of the world’s largest ‘hacker’ conventions in the world and attracts many people in computer security, penetration testing, and the federal government. Other attendees are simply interested in the concept of ‘hacking’, and everyone is encouraged to hack everything from the computer architecture to the event badges themselves. This year, due to COVID-19, the Defcon 28 Safemode conference was conducted online, and though we weren’t able to attend the conference in person, we still chose to participate in several of the events.
The Events
Defcon usually organizes quite a few capture the flag events, known as CTF’s, along with the different ‘villages’ that attend the conference as independent communities. We chose to participate in the recon villages, jeopardy-like event, where we had to use all the abilities at your disposal to search for various ‘flags’ that are located within social media profiles, dummy pages, and within the developer code on different websites with very limited clues. The questions were labeled with point totals, and harder questions gave you more points on supplying the correct answer.
The other event we participated in was the Blue team villages CTF event, which has us working in a simulated SIEM, utilizing several open source tools to trace intrusions designed after real world incidents. We then had to answer a series of questions regarding these intrusions that with correct answers, allowed us to score points and climb the scoreboard. We placed middle of the pack in the Blue Team Village CTF event, and one of our teams won the Recon Village CTF event. As a team, we determined 3 main lessons we learned when completing these challenges.
1. Work as a team
At SOD we have wildly different backgrounds, and we found early on that a roadblock for one person was usually easily solved by another. It was important that each team member had exposure to all the questions in order to utilize everyone’s individual experience and knowledge base. Teamwork helped us resolve the challenging puzzles quickly, and the only times we got bogged down was when we had less people working on the questions.
2. Learn the tools
Our team struggled to solve some of the problems, because we lacked understanding of how the tools worked. Fortunately, many of our major roadblocks were solved when we discovered an unexplored aspect of one of the tools. In one case, we waded through obfuscated JavaScript via a file carving program, then we discovered—after an hour of banging our head against a wall—that the tool we were using had an option to display the text in its native format (aka, un-obfuscated). At last, we were very easily able to find the answer. We imagine that those teams who had previously used some of the available tools in their own organization had a leg up on the competition, and we will be better prepared for those type of eye-roll situations next year.
3. Take a break, don’t get frustrated
Both events spanned over the course of two full days, and we quickly realized that burning a hole in the screen with our eyes didn’t magically solve any problems. In fact, many people who took small breaks to clear their head would come back with a fresh perspective and help us get over a hump that we had been struggling with. We also found that we have some fiery competitive personalities, and offsetting them with some more calming individuals allowed the team to be more balanced, as the toxicity that can occur with competitive individuals was offset with the easy-going nature of those who tend take a more relaxed approach. Several times we found ourselves in situations where we hit roadblocks, and getting upset at the problems didn’t solve them either.
Conclusion
The event as a whole was a lot of fun, and gave our team a ton of tools and knowledge to bring back to our daily operations at SOD. We got to experience new tools designed around learning to query a raw database via lucene and regex. These new learnings gave us perspective on how easy our tools at SOD, especially our ThreatWatch portal, are to use. The portal allows us to dive in and use our knowledge to discover alerts and events of interest without having to fight the UI and backend, or have a doctorate in abstract and fuzzy search syntax. Overall, Defcon 28 Safemode was a lot of fun, and the team is very excited and hopeful that next year we will be able to go back to Vegas and defend our recon CTF title, as well as hopefully get on the podium in the Blue Team CTF event as well.
