
So I wanted to start off this presentation by saying I'm not an expert. I've only been working in the industry for about six months, so I don't really have the expertise to propose solutions in the industry for you, but I wanted to get a conversation going about how we can use these games that I really, really like in order to create more collaboration in the workplace, a problem that I see. So who am I? Again, a lot of you know me but a lot of you don't. My name is Alexander Chenny; as I said, I go by Alex.

My [inaudible]. I did quite a few papers and research about the Trump and Obama cyber security strategy, things like that, so I came from a very arts and writing background. So one day I decided that I wanted to understand a lot more of the technical aspects of cyber security, so I added a few comp sci courses into my course load that year to try and understand at least the basics. If I was going to be writing policy, I needed to understand the basics. From there I actually really liked computer science, to my own surprise. I had never really considered myself a technical person or a science person, but I liked it so much that I added it as another major and went through that stream as well, in conjunction with my political science degree.

In university I had a couple of friends, two of them who were also really interested in information security, but we didn't really know what information security was. We were just students; we had no mentors in the field or anyone that we knew who did this thing, so we didn't know what the skills were or even what a job in cyber security would look like. So we all decided to come together and found the first club at the University of Calgary, the University of Calgary Information Security Club. There are quite a few of them here, or at least ex-executives. So again, we didn't know what it meant to be in information security; we didn't know what kind of technical skills we needed. But one of our friends, one of my co-founders, had heard of this thing called a CTF. A CTF stands for capture the flag, but it is a cyber security competition that I will get into later. So we decided, if we didn't know anything else, we would base our entire club on this aspect. So I started playing CTFs back in 2019. You can see this was our team at the time, Z's Magpies, a professor's name that we stole without his permission, and we started playing immediately then. That's just what I based my entire cyber security career off of, especially when I was a student.

So what is the problem that I've come to speak to you about today? The problem is that since my internships and my entry into the industry, I've noticed that teams have a hard time collaborating with each other, and this leaves us worse in our cyber security posture in general. Cyber security is a team sport, as a lot of you have heard, but if we're not working together we're not truly able to secure our organizations. So in actual organizations I find that teams are really siloed and they're unaware of the work being done on other teams. This can create duplicate work, duplicate solutions to problems, but also gaps in your solutions, because you're not talking about what is or is not being done within those teams, and so you're unable to even know what needs to be done. Generally I just see a lack of collaboration between teams. There are a lot of reasons behind this. One of the big reasons is there's just a lack of time to talk to other teams: collaboration isn't a valued output in your organization, and spending that time to get to know people isn't a valued output, so people aren't doing it. Because there's a lack of time to talk with other teams, you don't really understand the skill sets that exist on those teams, and this means that when you're solving problems you might not be getting the best person on a particular team to help solve that problem with you. You get used to solving problems with only particular members of your team, usually your internal team, so you might always pick this one person to work with on a problem together even though their skill set isn't the best to solve that
problem. So I talked a little bit about CTFs at the beginning, but ultimately what is a CTF? There are two kinds of CTFs that are very popular. The first one is Jeopardy, which I'm going to give you a little introduction to. picoCTF was actually the first CTF I ever played. It's made by Carnegie Mellon University, and it's made to try and give high school students and entry-level university students an entry CTF to play in. picoCTF is really popular; it's grown quite a bit over the years, and this is what it will look like in any general CTF: when you navigate to the main page you're going to see a lot of challenges, which I will get to in a minute, and you can almost instantly start interacting.

So what is a challenge? A challenge is typically a website, a piece of software, an application or a file that you are asked to hack into. They're intentionally vulnerable and they want you to hack into it. Hidden inside these applications is something called a flag. A flag is a unique string of characters that essentially proves that you were able to do what they asked of you, that you were able to hack in. You submit that flag for points. So like an actual Jeopardy game, a Jeopardy CTF is broken down into categories; each challenge is separated further into categories. The main, original or typical categories are web exploitation, binary exploitation (sometimes known as pwn), forensics, cryptography and reverse engineering. Jeopardy has gained a lot of popularity over the years and they've grown in size a lot, so there are a lot of extra categories that sometimes get added into these CTFs. Common ones that I've seen, but definitely not all of them, are networks, programming, open source intelligence, or just a misc category as a catch-all.

So before I continue I want to get something straight: I love Jeopardy CTFs. Again, as I said, for the majority of my years playing CTFs I was playing purely Jeopardy CTFs. It's accessible, and I think it really helps develop skills that are required in a lot of technical cyber security fields, so I'm not trying to say in this presentation that Jeopardy CTFs are bad. Their pros in terms of collaboration are that it helps to have multiple team members on a team to solve different challenges and bounce ideas off of. It's also unlikely that one person is good at all categories; someone who's really, really good at binary exploitation might not be as good at web exploitation challenges. A lot of the skills are [inaudible] to each other, but also it's just hard to have that depth in every single category. And lots of people are playing in them, so if you wanted to play in a Jeopardy CTF it's likely that people that you already know or members of your team have already played one before or can quickly understand the idea. The cons of a Jeopardy CTF are that it's not really like the real world. It's not very dynamic: you're asked to simply hack into one thing and there's no greater gameplay to that, so it's quite a static game, and it's not great at cultivating teamwork between members. I have seen a lot of very excellent hackers, a lot of excellent CTF players, who can do incredibly well in a Jeopardy CTF all on their own, so they don't need those other team members to do quite well.

So up on the screen right now I have two screenshots from a website called CTFtime. CTFtime is a website that tries to collate all of the ongoing CTFs at a given time. Of these two screenshots, on your left is all of the Jeopardy CTFs that happened in 2023 that are on CTFtime, and on your right all of the attack-defense. All of the Jeopardy CTFs do not fit in one screenshot and I could not count them, I tried, but there are over 400 Jeopardy CTFs that happened in 2023, so it's very, very popular. On the right-hand side is all the attack-defense CTFs that happened in 2023. There are 18 on that screen; however, only seven of them were playable by everyone. For plenty of them you had to be in person at an event to play, like a BSides or something, or you had to qualify and be a finalist to actually play these. So only about seven attack-defense CTFs are playable during the year, which is part of the reason why it's much less popular, and I just wanted to show how much more popular Jeopardy is.

And before I continue I wanted to give a shout-out to giants whose backs I stand on. These are three attack-defense CTF organizer groups that are building attack-defense CTFs that are playable by everyone. saarCTF: their CTF is actually tomorrow if anyone wants to try a late registration. They're one of a big German team; actually all these teams are German, ironically. ENOWARS actually makes another separate CTF called Bambi CTF, which is geared towards beginners trying to get into an attack-defense CTF. And also FAUST CTF. FAUST CTF is where a lot of the screenshots from this presentation come from; part of that reason is FAUST tries to open-source all of their infrastructure for these games and tries to make it really understandable. Also FAUST is just the most recent attack-defense CTF I've played, so it was the most readily available for me to take screenshots
with. So how does this game actually work? When you log in to a Jeopardy CTF you're going to get this page, this web page where you're basically instantly able to start playing. In stark comparison, when you navigate to an attack-defense CTF there's just a bunch of text on the screen; none of this is actually allowing you to play this CTF in any way. You only get a VPN config. So this is a network diagram taken from saarCTF that tries to explain how this game works, but at its core, in a two-sentence description: every team gets an identical vulnerable machine, and on that machine there are services running, which are the vulnerable parts. All teams are trying to attack other teams to gain flags from those services and defend their own machine.

So there's a typo in this; I only noticed it last night, so I apologize, but I wanted to really drive this point home. If you get lost during this presentation in me explaining what an attack-defense CTF is, what you need to remember is that all teams attack each other and every team has an identical machine. This statement will probably get you through the entire presentation, and so I'm going to take a sip of water while you all sit on that.

So to try and demonstrate the dynamism of this game I created a flowchart. As it is right now it's very overwhelming, and I'm going to try and go through the flowchart piece by piece and explain how this game works, so you don't have to understand it right now; this is just to see what we're building towards. So when the game starts, the network is closed. But what does this mean? I created a little diagram to try and explain this concept. Imagine in this scenario that you are team one. You have suspicion somehow that team two has a web server running on their machine on port 80, so you might try and navigate to that web server to see what's on it. The game router is going to drop that request and block it; you cannot actually see their web server yet. So that's what it means when the network is closed: no teams can interact with other teams' machines or services yet. You can only interact with what is on your machine.

So you might be thinking, how do I play this game if no one can interact with each other? You are going to start with something called source code analysis. I said earlier that you get a VPN config to start interacting with this game; you get root administrator access to your team's machine for this game. So the first thing that you're going to want to do when the network is closed and this game starts is to start understanding the services that are running on your machine. You're going to want to understand them at a very deep level, so you might first off try and find where all the source code for these services is stored, and then you're also going to want to understand the ports that those services are running on, so you can predict what ports the other teams' services are going to be running on. Again, the machines are identical. And you're also going to be able to look through this source code, so in this instance having the skills to read through code is particularly important, because you're going to want to understand the logic behind how these different services work.

So these are just two examples of two services: one is from FAUST 2022 and one is from FAUST 2023. These are the type of services that might end up running on the machine. The one on your left is just a web server or website, and then on your right is a binary that you're able to netcat into and then interact with; it gives you a menu. Something to note about these services, compared to something that you would get in a Jeopardy CTF, is that they tend to be quite well made and full-fledged, so you're looking at something that is like 3,000 to 4,000 lines of code and is actually a fully interactive service or application. So that's a big change between the two types of CTFs.

So now that you've understood how these services might work and how their logic is laid out, you might find some flaws in the applications. Again, they're intentionally vulnerable, so there are intentional flaws built in. At this point, in order to defend your machine from other people before they can access your machine, you're going to want to do something called patching. So this is an example of a piece of code that essentially allows for a SQL injection. On the top you can see that we are concatenating user input without sanitizing it, which in this case, because it is running a SQL query against a database, would allow for a SQL injection. So that is unpatched code. During the game you might notice that this is vulnerable to a SQL injection and change it to something like what is below, which does sanitize the input and doesn't directly concatenate user input into the query. That would be indicated as patched.

You might also understand the exploits that you would be able to run against other teams. The network is still closed, so you can't yet run them against other teams, but you are able to start understanding the logic and the flow that your exploit is going to take in order to attack other teams, and you can test against either your own machine or you can bring the services up locally on your local computer to test that flow
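The patching step described above, as an added example that is not code from the talk or from any CTF service: the unpatched lookup concatenates the username into the query text, the patched lookup uses a parameterized query (one way to do what the speaker calls sanitizing the input), and both are run against a constructed in-memory SQLite table so the difference is visible offline.

```python
"""Unpatched vs patched user lookup, in the shape an attack-defense service might have.

Constructed example: the users table, its secrets and the test inputs are made up here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "FLAG{constructed-sample-1}"), ("bob", "FLAG{constructed-sample-2}")],
    )
    conn.commit()
    return conn


def lookup_unpatched(conn: sqlite3.Connection, username: str) -> list:
    """The 'unpatched' shape: user input is concatenated straight into the SQL text,
    so quote characters in the input change the meaning of the query."""
    query = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_patched(conn: sqlite3.Connection, username: str) -> list:
    """The 'patched' shape: a parameterized query. The driver passes the input as a
    bound value, so it can only ever be compared as data, never parsed as SQL."""
    query = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run the same two inputs through both versions and report how many rows each
    returns; the unpatched version leaks every row on the hostile input."""
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # classic tautology input, constructed for the demo
    return {
        "unpatched_normal": len(lookup_unpatched(conn, normal)),
        "unpatched_hostile": len(lookup_unpatched(conn, hostile)),
        "patched_normal": len(lookup_patched(conn, normal)),
        "patched_hostile": len(lookup_patched(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The same pattern is what a checker or a teammate can test against a locally brought-up copy of the service before redeploying the patch.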
yourself. The best way to secure a service would be to simply take them offline; if no one can access your service, it's not vulnerable. At this point you might be thinking this is pretty anti-game: that's not the point of the game, to just turn off the machine and simply not play. So to avoid this problem, organizers of attack-defense CTFs have implemented something called SLA, which simply means uptime. Your services have to stay up during the game or else you actively lose points. So when you get into your machine at the start of the game you might notice that not all services are running. (I have a feeling I'm missing some slides. No, I'm not.) You might notice that not all of your services are actively running; you're going to want to get those up as soon as possible in order to make sure that you don't lose these SLA points when the network opens. Also, if you create a patch, you're going to have to recompile or rebuild that service and redeploy it, or else the old unpatched service is the only thing that's running. So you might be using skills like pipelining; you might have to understand Docker and Docker Compose in order to do this. But you want to keep them up. So the network typically stays closed in this attack-defense CTF for about an hour, so you have to do all that in an hour.

At this point you have eight hours of your network being open, so now teams can interact with other teams' machines and you can start exploiting against them to gain a flag. So this is a snippet from the scoreboard. I'm going to go into the scoreboard more in depth later, but what's important here is that I talked about maintaining uptime earlier, in SLA, and the first thing you're going to see is that you're now able to see if the game server thinks that your services are up or down. So in this scenario, this is from FAUST again, your options for services are that they can be up, they can be faulty, they can be recovering, or, if you somehow manage to remove the flag from the service, because they don't want you doing that either, your flag cannot be found.

So I mentioned it was really important to try and get as many exploits done during the network-closed portion as possible. When the network opens you're going to want to try and exploit at least one team as quickly as possible, and this is because of first bloods. First bloods exist in Jeopardy, but they're very important in attack-defense. Essentially, first blood is the first team who is able to exploit a service or a vulnerability. Often you get extra points for being the team to first blood a service; sometimes you just get money straight up. So it's pretty important to try and do that as quickly as possible at the beginning of the game.

So now that the network is open, teams are actually able to interact with each other's services, which means there's now actually network traffic that is running through your machine. So at this point you might want to do some packet analysis. I know there was a Wireshark 101 workshop yesterday, so Wireshark is a great tool to do this. You also might do it with your own tool, but you're able to inspect packets from traffic to particular services or just your whole machine and start to understand how other teams are interacting with your service and how they might be trying to exploit something. This is from FAUST 2023, and it's actual network traffic against a service that we were running at the time. When you're analyzing packets, you might not have been able during the network-closed portion to understand what the exploit was in the code, but you might be able to see how other teams are actively exploiting your services, and then you might be able to do something called exploit reflection.

Exploit reflection is a little bit of a complex topic, so I created a diagram yet again to explain this topic. In this scenario your team would be team two. Team one runs a SQL injection against team two on their web server. In this scenario your team did not know there was a SQL injection on that service, so they're going to get a flag back because your service was unpatched. But you're now monitoring your network traffic, so you're going to notice, as team two, that they ran a SQL injection against that service, and you're going to notice, oh, there's a SQL injection. So you might run it against team three, where you're now able to get a flag if they haven't patched it, and successfully reflect that exploit. This is a tool that was made by the European cyber security team for the international cyber security competition of 2022, the first one. It's called Tulip; it's based off a tool previous to it called Flower, but it's specifically made for attack-defense CTFs. Essentially it's a packet analyzer that is specifically made for attack-defense CTFs that will tell you if there's a flag, and it's got built-in features where it's able to run through the packet and copy that as a script to either Python requests or Python pwntools, so people are really good at reflecting exploits really, really quickly.

Detection and response. So again, there's network traffic now running through your machine and people are interacting with your services; they might be intentionally trying to take those services down. The services are vulnerable, which means that sometimes they're a little funky to deal with, and also you have just a machine that you need to deal with keeping up. So you might want to go through system logs or Docker logs to try and diagnose the behavior of services, and you also want to watch your machine. This is two screenshots from my team's tooling server. We actually run metrics against our tooling server as well because it fills up with pcaps really, really quickly and we have to make sure that it has enough storage. So in this scenario we are using the Grafana, Loki, Prometheus stack, simply because it's open source and we like it, to monitor these Docker logs, system logs and also machine metrics.

So just to bring the two different flowcharts together that I've discussed so far, because I'm going to start talking about how they interact together, and I don't want you to get too overwhelmed now that there's so much on the screen. So I talked a little bit about exploits, but I was talking about them being very manual. At this point in the game you are going to need to automate your exploits or script your exploits, and to explain why I need to explain another function of the game. In the game there is something called a tick, and a tick is essentially a cycle of the game loop. Ticks typically happen every one to two minutes, and every tick, flags are replaced on each service. There's also something that happens during the tick where a script called a checker will go to all of your services and make sure that they are still up, functional, and that the flag was there. So why do you need to automate? If you think about it, there might be 200 teams playing this game. You now also have to run an exploit every one to two minutes against 200 teams; that is not feasible by manually trying to exploit things. So you're going to have to program, usually in Python but any other language that you're used to, and program these exploits to make sure that you're able to successfully get these flags and then submit them to the server. To aid this automation effort, attack-defense CTFs always provide a JSON file, often called teams.json, which provides you all of the team IPs and also a little hint to where flags might exist on the vulnerable services. So if you're running a SQL injection and you're trying to steal a user's password, maybe it was stored in plain text in a database, it's going to tell you which user you have to steal that password from. So this is used so you can actually put those variables into your exploits when you automate them.
Finally, from doing your packet analysis and your exploit reflection you might now have greater insight into what is vulnerable about a particular service, and again, you still have to defend your own machine, so you have to patch those exploits and figure out where they exist in that source code to change that source code.

I talked about the scoreboard a little bit earlier, but this is the entire scoreboard, and I'm going to go through it piece by piece to explain how it works. Typically in an attack-defense competition this will be up on a monitor the entire time, because it is very important feedback on how you're doing in the game and how other teams are doing. So at the top of the screen you can see all the services that are running on all the machines in the game, and as I talked about earlier, you can also see everyone's services and whether they're up, down, faulty, etc. For each individual service you get three scores. The top score, with a little fire emoji, is actually your attack score, so this is related to how many flags you are stealing from other teams for that service and submitting to the server successfully. The middle score is your defense score, with the little chess piece; in this particular scenario it is actually a negative score, so for every flag that you lose from that service you lose points. And then the bottom score is your SLA, your uptime score, so in this case it is the seconds that this service is up and running as expected in this game. For each service those scores are added up and you get a total offense, total defense and total SLA score, and then based on some function that the organizers will decide, they will calculate your total score, and that indicates how well you're doing in the game.

So I know this seems really, really complex already, but how complex can this game get? And the answer is very. There are people and teams out there that are very good at these CTFs. I talked a little bit about it throughout this presentation, but pre-built tools are really important for doing well in this game. So this is another example of a pre-built tool my team uses. It's called Uptime Kuma, and essentially what it does is it checks that our services are up and running as expected, and it's a little quicker at that than the scoreboard is, so it gives us an indication: if we try and build a patch and it breaks the service, we will immediately know if it's broken.

This is an example of a tool called ataka, which essentially helps aid the automation of your exploits. So you're automating exploits during the game, but they're running every one to two minutes, maybe eight exploits going against 200 teams. It's really essential that this code is efficient and is submitting very fast, and that they're all running in conjunction quite well. So ataka is a pre-built tool that helps; it says "run exploits fast", essentially, because you don't want to miss submitting a flag after it's old even though you already exploited it. That sucks.

This is a screenshot of a talk from the FAUST CTF organizers that they did for an HAProxy conference. So one of the strategies that goes above the game, that teams have started to try and implement, is: if you can let no one hit your machine except the game server that is checking if your services are up and running, you win, you've done it. So they're trying to fingerprint the game server and figure out who exactly is making those requests and block every other request. So the organizers then have to respond and try and make it impossible to fingerprint this game. So there's quite a bit of give and take between the competitors and the organizers in how they build this competition.

So who are the players that I see actually playing in this CTF in an organization? Obviously the red team and the blue team; it's an attack-defense CTF, you want your attack and you want your defense. But also, with all the packet analysis and the different network traffic, the network team; developers, who are doing source code analysis and also patching; DevOps for the deploying and the maintaining of uptime; and also QA to test your patches to ensure that your services are still up and running.

I think we should try this game in businesses and organizations. Attack-defense CTFs are really good at forcing collaboration between a team who is playing; you have to understand the skills of several other people. Why? As a red teamer I am able to attack a service, but I might not know how to patch it; I might not have that great an understanding of code. I also don't have maybe the greatest understanding of how to spin something up and how to maintain uptime between services. So I think attack-defense CTFs are really great at understanding the skills of different teams and employing them in a way that is safe. You're not going to break prod if I try and deploy a patch and find out I can't, but I am going to learn that there's someone else in my organization that is really good at doing that, and I can call on them the next time that this happens in a real-world scenario, and I know that they can do it.

So there are a lot of games in cyber security that we use to try and create this collaboration and do run-throughs of our organization in scenarios of an incident, but why is this different? So people know tabletop simulations, tabletop exercises. I find that tabletop exercises often call upon very senior leadership; they're not calling on the individual analysts who are doing that hard work. It's also exactly that, a simulation: it doesn't actually ask you to physically do these things and actually replicate the real world that well. There are card games like Elevation of Privilege or Backdoors & Breaches, but these are very domain-specific exercises in cyber security, so they're testing your incident response capabilities or your threat modeling capabilities, but they're not calling from all those teams, and they're definitely not calling for teams who are not in cyber security, like your developers, like your quality assurance. I also have to give credit where credit is due: there are organizations like Hack The Box and Huntress who build CTFs for companies who want their teams to play in something like this. Typically, and I've yet to see otherwise, they are Jeopardy CTFs, and again, I love Jeopardy CTFs, but I don't think they're as good at collaboration as an attack-defense CTF.

So then the question is, how does this fit in a workplace that doesn't value taking time away to build this collaboration between teams? Is this something we could even do? That is a question I have for you. I again don't have enough experience in industry, but I wanted to propose the idea that we start doing these games in industry to try and gain better collaboration. So I invite you to come talk to me throughout this conference or come up to me after this talk and tell me what you think, but this is my question for you. That's the end of my presentation. Does anyone have any questions?

Well done, great message. Okay, awesome, thank you.