
Bsides 2019 Ahmed Imran

BSides Toronto · 27:27 · 103 views · Published 2019-10
About this talk
Bsides Toronto 2019 Ahmed Imran
Transcript [en]

Oh well, hope you all enjoyed lunch. I did. Food. Joyful. Hi everyone, my name is Ahmed Imran. I am a fourth-year college student with Seneca College, just about to graduate, and I'm gonna talk to you about an event I've been going to twice now, annually: it's C3X. It was an amazing experience for me, and it was an amazing experience for my colleagues, co-workers and my classmates, and I hope it can inspire all of you to join in some way, shape or form. So in 2018, that was when we were introduced to the whole topic of C3X, what the event was, and we were like, yeah, let's go, let's have fun, and my professor goes, no, let's not just have fun, let's win.

So with that goal in mind, we went in 2018 to George Brown. There are all of us; there I am, my goofy little face, bright and early morning of, like, a Wednesday at C3X 2018 Genesis. We were a part of the blue team. My role in that team was the higher-up management: I talked to the business sector, and I'll explain shortly what all of this means. This is all of us in the middle of the room at George Brown with all the PCs, having fun and having a go. There's my stupid little face again, and there's all my amazing classmates. We had an absolute blast going at the machines, trying to defend them, trying to, you know, rid the red team of their prize flags and all their malware.

And then this year I was not on the blue team. I couldn't afford to do it, sadly; I had too much of a priority. But I still wanted to make an attempt, I wanted to be there, and I wanted to help advance the event in any way, shape or form, so I joined the white team at C3X, and it was an absolute blast. Almost in every way, shape or form did it just get bigger and better. All right, so as you can see here, this right here are the beautiful, lovely faces on the red team going at it, having fun. Oh man, they had so much fun doing practically nothing. The blue team basically (yeah, see, these guys are laughing) the blue team basically did it to themselves. It was hilarious.

Right there is Alan, I can't say his last name, and Leigh Leigh. They were amazing people that I got to work with, got to know, sitting next to the registration board at C3X. And right down there, that is Ben Wells; I will introduce you all to who he is in a moment, giving a talk at the very beginning on that bright Saturday morning. It was a lot of energy, even though we were all still trying to wake up with a bunch of coffee and espresso, but still, you could feel how ready and prepared the students were gonna be. You know, they had all this game face up, like, I'm ready.

Move it forward. This is throughout the day. So on the second day, I'm gonna start off with the top, go to the bottom. This is Cheryl. She gave a wonderful, wonderful, wonderful keynote speech on the Diana Initiative. For those of you that don't know about the Diana Initiative, I would implore you to go on Google and look at it and get some more information on it. It is a wonderful, wonderful thing, and I implore you to support it in any way, shape or form you can. Moving on, we have Fanshawe College students being interviewed by the white team for business injects; I'll get to that in a moment.

Further down the line here, we have Seneca College themselves being injected by the white team in a boardroom. You can imagine how scared they were when they walked in and saw a boardroom, like, oh, we're being interviewed here. Joyful. This is again Seneca College going at it, trying to... they're not hacking, they're the blue team, so they're going at it trying to figure out all the vulnerabilities and where they can help fix, where they can find the red team's malware. This is George Brown. This is Sheridan, this is team Sheridan, and that's a happy face right there. This is team Sheridan going at it, having fun, doing their own thing. And right there, that's the beautiful, manly Kagan giving a talk, I think on the second day; it's the red team.

All right, so here's how we go about today. It was a wonderful, wonderful experience. I can't begin to describe to you people just how, like, amazing the event was on its own, and I hope at the end of this you'll come to understand how amazing it was, and maybe in some way you'll want to join it too. So before I fully continue forward, it's critical to know what's the difference between this and a regular CTF, because obviously I'm giving such high praise for a CTF game. What sets this apart from a regular CTF game?

Well, a regular capture-the-flag, you know, it's competition-based. Teams are basically trying to obtain flags; they're trying to test and apply their skills. No one is trying to teach you anything. You have your team of however big, there are a number of other teams, however big, and it's you versus them. Get as many flags, get as many points, however way, shape or form you can. You are the red team, you are the aggressor, you are the attacker; go at it. Typically it's a red versus blue exercise. You are usually the red team; the blue team are typically automated, or it's like a preset of generated logs that will just traverse through the network over a period of time.

So what is C3X? So, the Canadian Collegiate Cyber Exercise. Three C's and an X; it took me two years before I found that joke. All right, so it is a game, but it's also geared towards being educational, as opposed to the original CTFs, which are purely test your skill, go at the competition. You learn and then apply your skill, rather than test your skills and see what other skills you can use. So it's a bit different, and like I have an asterisk there, it's a special red versus blue team exercise, because the blue team are all students. They're not an automated system, right? It's no preset generated logs flowing through, no automated machine trying to find your malware and all that. No, none of that. These are actual college students like myself in 2018, going at it, trying to find a team of, and I'm not joking, a team of professional red teamers. You know, these are people that have been in the game for about 10 to 20 years, you name it. They know their malware, they know how to hack, they know how to turn your computer inside out faster than you can blink, and they're attacking students who can barely (I struggle to) turn on a PC. All right, you know, that's a bit stacked. Thanks, guys.

And the white team, this is actually the amazing part: the white team are not, again, automated. They're not some random noise flowing through the traffic. They are actual mentors, they are actual industry professionals, they are actual volunteers there to assist the blue team however they can, and that's what actually sets these games apart, right? So, I've actually moved it forward, yeah. So that's what sets us apart: the white team doesn't just sit there in the back watching and hoping that you succeed. In a traditional CTF they have to keep their mouths shut. Not in this case. They get to actually come up to the students, help them out. If a student can't figure out what they're doing wrong, you have that beautiful, amazing mentor to sit there and say, hey, this is what you're trying to do, this is what you're doing wrong, let's see if we can teach you the correct method. And you wouldn't get that in a regular CTF game, right? And that's just the amazing beauty of it.

Now, moving forward, now you get to see the slide: what sets apart Genesis from Red Forest, C3X 2018 versus C3X 2019. Now, I hope you remember earlier I said it was a massive leap, and it was, because the C3X 2018 Genesis format was hosted at George Brown College, and each team had to compete on a separate day. Sadly, at George Brown they didn't have the room to do, like, all the people at once. They only had two rooms available for us. Sure, it was a complete lab kit, but you know, you can't host almost a hundred people in two rooms. That's just not gonna work, not at George Brown, like that. So each team was on their own separate day. I think we were Wednesday. It was a full-day event, from the a.m. to 4:00 to 6:00 p.m., and the whole event again lasted a week. So the first three days were three competitors: Seneca, Sheridan and George Brown. Then it would take Ali and whoever else to compile all the notes and everything, shut down the infrastructure, and, you know, there was like a whole week's event, basically.

There were also no formal breaks, hourly business injects, and computers were VMs provided by the event. So what do I mean by this? Well, first of all, the event, and this is what's amazing about it, it simulates the business, right? You at your business, at your workplace, I must assume, so at least for me, we're never told, all right, it's 12:00 p.m., go get lunch, don't stay here, I don't want you here, go get your food. No, you're never told that. You have a job to do; you do your job. When you have your break, you go take your break, you go take your lunch at your own leisure, at your own time, your own pace. And these guys wanted to simulate that business environment, because that's the whole point of the game, to simulate the business. So that's what they did. They didn't tell you, hey, go take your lunch now; it's whenever you guys feel like it, have your food.

Hourly business injects and updates. So in 2018, these guys basically told us, all right, every hour, send two of your team members to a special boardroom, and in that boardroom they would sit down in front of a panel of white team people, all of which had smiles on their faces when I met them, and now they had grizzled war veteran faces on. It scared the crap out of me. So in that meeting, it's basically exactly how you wouldn't assume it is: you know, you have the security division talking with the higher-up business management. All right, we were told our business was hacked. How are you fixing this? How do you want to fix this? What are you doing? Make us happy. Stop letting us be scared. That's the whole point to this, and it's critical in a couple of aspects, because we're always told, hey, you know, the white team, the white people, they never know what we're talking about. We need to figure out a way to talk to them, right? You need to talk to them, like, less; you need to figure out, dumb it down, you know, so they can understand. How are we supposed to have that opportunity to, like, figure that bit out? Do you want to actually do that in the middle of your co-op, in front of a vendor? What if it's a critical vendor? You're not gonna test it out. And that's another beauty about this event: it gives you such a nice sandbox.

When I sat down and I made the mistake of saying the words "I think"... wonderful, wonderful man, had a nice trimmed beard, smiled all day long, then when he sat in the middle of the event, oh man, I got torn in two. He was, you think? Oh yeah, yeah. He goes, what do you mean you think? So you don't know what's happening? Are we getting hacked? Are we in trouble? What's going on? Our users, is everything okay? Do I need to fire you and hire someone else? What's happening? You know, it's like, little me, what the hell is happening right now? You know, you can't afford something like that out in the real world. That's the beauty of this event. And computers were VMs provided by the event. Obviously it's exactly as it says. We didn't bring our own computers. Well, we could, but we had George Brown's computer labs. They had VMs set up on the network to do everything they needed. We didn't have to bring in our own machines if we didn't want to. Awesome.

So what's different about C3X 2018 versus C3X 2019? Well, like I said, 2018 was a full week. You had the three days of the competitors, then you had the two days of them compiling their scores, and then the one day of them telling us. Not this case: a two-day event, Saturday and a Sunday. Beautiful. All right, this was hosted at Trend Micro's office, beautiful, lovely office on Snooker Street. I loved it. All team members participated at the same time, quite literally the same, I'm not joking, right? If we go back to those pictures, you saw Seneca College and George Brown in their little cubicle sections, right? It was a section of four. You had Fanshawe, you'd have Seneca, George Brown, Sheridan. All teams went at it together at the same time. And amazingly, these guys had segregated all the networks, and you think, oh, that should be expected. It's a lot harder than you think. Trust me on this one: with the amount of issues that went on, the fact that the whole game didn't come crumbling down, you can only give praise.

All right, and the red team were segregated as well. So why am I saying the red team as well? Well, last year they had a full panel of, like, what was it, 20, 20 red team people attacking a set of 20 students. You can imagine how many times they broke into us in the blink of an eye. Like, we didn't even get through the morning talk without him going, oh, by the way, I know I've only been talking for about 30 seconds, but you guys have probably already been broken into. Lo and behold, as we turn on the machine, oh, already five events have occurred. Oh, joyful. What was different about this year? They segregated themselves out, so they had dedicated teams of about four people. Each team was designated a college: you're taking college A, you're taking college B, you're taking college C, right? You attacked that college however your team deems it necessary, right? And that was nice. It meant that, you know, we weren't getting hacked quite immediately.

So there were, again, no formal breaks. Makes sense. You know, the whole point of this game is to simulate the business. They want to try and give students that opportunity to see, hey, this is what you're going to experience. So of course, no formal breaks. Now, last year, every hour we had to produce results, every hour. They did it a bit different this time, because the event lasted two days. They spread it out a bit more, so every two to three hours you would hopefully have business injects. And I say hopefully because, depending on what the students had said in the middle of business injects, they would have either increased the time, said, hey, we will come to you instead when we have an event, and then we will talk to you, because otherwise you're just annoying us, we're annoying you, we don't want to have this. Or, in one student's mistake, he goes, I want to be as accommodating as possible to you people; we will come to you every half hour. Yeah, a couple of you were chuckling and shaking your heads. Yeah, it was not a smart idea. But you know, that's the beauty of this event: say something right or wrong, nothing bad happens, and at the end of the result you learn from it. You learned the mistake of, sure, it's nice to be accommodating, but at the same time, if you're too accommodating, you can't do your own work. You need time as an incident responder to be able to produce the results, and not only just produce them, but you have to verify the results too. You can't just pull something out of a hat and say, yeah, it's a bunny, and you pulled out a parrot, right? You've got to verify what you're pulling out.

And participants used their own laptops, so a step up from last year. Majority of the infrastructure: last year we had a couple of services on the cloud; this year a lot of the services were on the cloud, which meant that students could access it via the Wi-Fi if they wanted to. Obviously it was not recommended; it's the Wi-Fi, easier if you're just on the Ethernet, but still, you could if you wanted to, and that's the beauty of it. This game had just gone from something small, a simple idea, to much larger and much better.

So let's go through it. So what did I like about this? Well, first of all, they were really, really, really accommodating to the issues. Again, it was like about 10 to 12 people that made the infrastructure. You know there are going to be issues. They can't exactly test the infrastructure. You can't just walk into Trend Micro and say, hey, we're gonna shut down Trend Micro, we're gonna set up our infrastructure and do what we need to do to test out the game. You can't do that; they're a business, right? So the fact that there were issues and they were accommodating to it immediately, a really good thing to have. You know, you don't want to be sitting in the middle of, like, a competition or a learning exercise, and you know you can't connect to the machine that you really need to be connected to, right, of no fault of your own, and then the organizer says, oh well, whatever, what can you do, right? So it was amazing to have. Obviously, the services infrastructure was on the cloud. That was a huge leap. It helped a ton, because it cut back on cost, it cut back on hardware, cut back on physicality. We didn't have wires running everywhere. Obviously we did have wires to some degree, but comparative to C3X 2018 versus 2019, you know, there wasn't a giant bundle just rolling across and they had to say, hey, watch your step, every time.

Industry professionals and mentors are allowed to help and teach. Again, that's the beauty of it all, right? If you are a professional, you're a teacher, and you're seeing one of your students struggling in a traditional CTF, if you walked even near the student they'd probably kick you out. Not at C3X, right? If you see your student struggling and you walk over to help, they'll look at it, smile, and say keep going, keep helping them, because it's a learning exercise. It's meant for them to learn and for you to learn as well, right? Red and blue teams are allowed to converse, right? In most CTFs, teams are probably segregated and no one ever talks to each other, right? You don't want information to be given out, you don't want any of your tactics and all that. No, none of that; it's a learning exercise. You might think of pathway A, I think of pathway B, right? So because of that, there are two different pathways. Why wouldn't you want to know that both exist, right? Why wouldn't you rather know that maybe your method isn't the best method? What if there's a better method given the situation, but you are so tunnel-focused on your method that you didn't realize? And that's something that comes out of C3X. You know, you learn, you get to see the way people think. You know, you don't just go in with your own skill set and hope it stands the test of time, and then on the way out you go, why didn't it work? That doesn't happen there. You get to walk in with no skill, in some cases, and walk out with skill. It's amazing.

The pregame information conference: there's a reason why I put it up there, because it was generally well done. Students were able to have information. It was quite well organized. They were being as accommodating as possible, trying to put it on the web. They made videos, right? Even in 2018 they made, like, a Google Doc with all the information of it. They had pictures of diagrams of the infrastructure. They had a slideshow of what students are gonna be doing, how they're gonna be doing things, what they recommend doing, right? If you're in a regular CTF event, you're going in blind. Sure, to some degree that's fine, but at the same time they don't really tell you much else. So then, yeah, don't attack this, this, this; they don't tell you the rest of the rules sometimes. And that was the beauty of it: these guys were on top and making sure you knew everything, so that if any issues did come up, it was about the rules, not, I didn't know I couldn't do this.

The game time and format: there's a reason again why I put it up there. It was beautiful. Over the weekend, didn't have to worry about work. Half the people had jobs, right? Half the students, they could come in nicely, didn't have to work, right? They can enjoy their weekend at a really fun two-day event with a bunch of industry professionals, all like-minded, all doing the same thing. It was amazing, and that just leads me and dovetails me into my last point: the atmosphere. Oh my god, you've no idea how amazing it was to be in there. I was sheltered most of my life growing up. I didn't get to spend time with my little friends in middle school, in elementary school. I didn't do any of that. My interests lay in computers, hardware, and having fun with hockey. Sure, hockey could have been a thing, but the issue is that there were so many cars in my neighborhood I couldn't actually walk onto my street, so I was stuck with computers and hardware. But none of my friends enjoyed that stuff, so my atmosphere was so dovetailed in that when I came to this event, and I've gone to a couple of events before too, you know, but they were just, like, people that just didn't really care, they were like, yeah, whatever. This place was so welcoming, so happy. You know, if you saw a student panicking, you'd have a bunch of people walk over, console them, maybe crack a joke or two, right, instead of someone walking by going, oh, he's one of the capadders, good luck to him. It was amazing.

And there were two key things that, you know, I learned out of it, right? The first is teamwork. In C3X 2018, I did have a shouting match. I had a shouting match with one of my teammates. What can you do? You know, it's one of those moments: the way that I work, my work ethic, the way that my brain thinks and tries to move along, was different from him. So when he wanted one thing done but I didn't want him to do it, we had a shouting match, right? And then afterwards, and that's the beauty of this event, afterwards I said, okay, how do I fix this? What do I do, right? Obviously there were two things happening to me. One, I was really stressed. I was high-strung. I just had a shouting match with my teammates, no one was listening, I was frustrated, I just wanted to get out. They showed me ways to just calm down, decompress, enjoy the moment, you know, have a tiny little inner yoga session. I don't do yoga, don't ask. But that's the beauty of it all: they showed me how I can decompress. And then he didn't just leave it at that; he showed me how to deal with it, right? He showed me, okay, great, you are on two separate wavelengths, but here's the thing: you're both wavelengths, you both can go to it, right? You both want the same thing, you both want to go to the receiving end, right? So compromise, right? Work together. Don't try to get along with him as friends; get along with him as a co-worker. Work with him, not against him, you know. And if this was a red team event, a traditional CTF, I don't think I would have been given that opportunity. I don't think anyone would have set aside a solid 15 minutes of his precious time to tell me how to calm myself down, right?

And then the communication. Now, there are three types of ways that I learned to communicate. Obviously, the first one: teammates, right? You can't talk with them properly? Just get along with them to the point that you both can do your job. The second is to the business sector. We're always told in college, right, and starting off, and nowadays most people, even grizzled veterans, are telling you, hey, the business owner understands nothing of what you say, so dumb it down. You're supposed to know how to do that, right? If today you were telling someone the highly technical details, and tomorrow he says, I have no idea what you were talking about, can you relay it to me? How are you supposed to know to lower, not like lower the skill gap, so that he can understand it, to the fundamentals, right, that he can understand what you want while he's still getting what he wants, right? And that's the beauty of it all. That's what the whole point of business injects was, right? When I sat down, right, a lot of the students, and I even did this too, we talked about IPs, right? Oh, we found this IP, 1.1.5.whatever number, right? The business guy is not gonna know what that means. Great, it's a bunch of numbers and dots; more Morse code you got for me, right? But then a little bit after, we changed our way. We were told, oh, they don't understand. What's a different way you can phrase this, right? That IP address was a pipeline that the red team was using through our Apache service. Right now, obviously, we told them, oh, there was this address pinging to this, this would just do this, this, this, this is this. The guy just looked at us, gave a blank face, and goes, huh?

When we went back the second time after fixing it, he goes, yeah, so you were saying mumbo jumbo. Well, what do you want? We go, so this was a pipeline. You know, this was an extra guy trying to take our information. He opened up extra internet access and was coming in through there. Oh, okay, so what did you do? Well, we closed it, right, and we put security measures in to stop it from happening again. Oh, okay. That's a lot simpler than saying, yeah, so we have IP address 1.1.5.5 coming in on port 443, we think it's a malicious actor, we're gonna block off the port, put a couple of proxies in the way, and then hopefully we can divert their traffic over to a honeypot. Half of you are looking at me going, oh, that makes sense; the other half are probably gonna sit there and go, what? And that was the point, right? You learn to communicate that way. You both get what you want.

And another beautiful thing was the tech sector too. Yeah, you're both technically inclined, right? But the thing is that not all the time can you, in your tech sector, talk about what you know. Personally, I'm a programmer. If you come up to me about Python or Java or C++ or C#, right, or PowerShell, and you start talking, I'm gonna get you, I'm gonna understand completely, I'm gonna love it, and I'm gonna want to keep going. But if you came to me about a Cisco router and tried to tell me how the Cisco router works, I'm gonna want to chuck it out the window. I don't understand networking, right? And that's the thing: even though you're two separate pieces on the network, you still learn to talk with someone. Of the business sector, you can use specific phrases such as honeypot, port 443, right, IP address. I can use that and they'll still understand, while not going so technical into security that they'll lose me. Again, this was a large opportunity for students and professionals to interact with each other, and it was beautiful. You know, if you're in a traditional CTF, they can't interact with each other because they're not allowed. They're supposed to test their knowledge; they're not supposed to learn. Whereas here, they're allowed to learn. They're allowed to learn mistakes, like not pushing their GPO policy to the absolute max and breaking everything, right? Adam, I promised you I'd give you a shout-out.

Another thing I noticed too, and a lot of people did too: it's such a quick transfer of skill sets, right? It's one thing to be told how you should red team; it's another when you get to sit there and simulate it, right? When you have to simulate it in that environment as a blue team, you have to do that. It was much easier to transfer that skill set over into the workplace than it is to try and get it out of college.

Now, obviously there were some things that need to be fixed. Like, for 2018 it was more competition-based; 2019 it had a mixture of both, which didn't work too, too well. But you know, the amazing part of Ben and Lee: they realized that it needed to have more of both, but more educational, right? So that's one good thing. Another thing is better infrastructure management. Obviously it's all really, really hard for them, but if they can figure out how to work with the infrastructure better, how to make it so that it doesn't break two seconds in, and to be able to roll back a lot of the changes that students make, and fix a lot of the changes and the routings and blah, blah, blah, I see this competition quite literally standing alongside Black Hat, SecTor, you know, DEF CON. And how amazing would that be: a Canadian event, not a U.S., a Canadian event, standing toe-to-toe, and it's an educational exercise pumping out more industry professionals. That's my time, folks. Thank you very much for listening to me. Enjoy the rest of BSides. [Applause]