Rise Of The Blue Team CTFs - Russ Taylor

BSides Bristol · 2019 · 31:04 · 106 views · Published 2019-07

Tags: Blue Team

Transcript [en]

So, as he said, this talk is about blue team CTFs, but very quickly I'll do an introduction on myself, in full geeky mode. As I said, I currently work for a company called Helical Levity. It's quite a small consultancy company, but we do work closely with SANS, who I hope a few of you are familiar with. We are currently working on the Cyber Discovery project, which is teaching 14 to 18 year olds cybersecurity skills. We have a US program which has just kicked off as well, and my job at the minute is to run a team who is developing content, building CTFs, building training platforms for people in that age group.

Prior to that I was at Leonardo, which is just across the road from here, as a SOC analyst. Before that I was in NATO, again as a SOC analyst; you will notice a pattern. I was a security consultant, again at another small consultancy company. I prefer the smaller companies, to be honest; in larger companies I find you can become a bit of a grey person in the background, so I mostly play in the smaller companies. Incident response analyst, ironically then moving to a big company, and before that Airbus Defence and Space, and before that I was in the Royal Air Force. And obviously, like most people in this room, I was born a geek.

You can save questions or ask them as we go; to be honest, with the format we have here I'm quite happy to take questions either way. So we're going to discuss a few points. I'm going to apologize: I don't have many photos on my own slides, and the transitions do go through each point, which I know is not particularly popular these days, but I'll be honest, I don't really care. I'm going to talk about why the red team CTFs are typically more common and why blue is under-loved; how to design a blue team CTF, and we're going to look at some principles on that; I'm going to talk about how we can overcome some of the common issues that you get; examples; and why you need a blue team CTF, and that was the last point. Right, next one.

So, red versus blue. In the past we've seen a lot of red team CTFs, and they're really cool, good fun, but a lot of the time they are very contrived; very much a case of 'go and find flag.txt, it sits on the desktop of this machine, but you need to go and find it yourself, we've put some really odd and obscure blockers in your way, but just go and have fun'. And the forensics side of things was really put in there more as a filler than an actual challenge. So certainly on some of the websites I've seen, forensics is a subheading somewhere, and then you go and download a file, and it might be an image and you're looking for least significant bit steganography or something along those lines. And there are not very many dedicated blue team CTFs. So again, as I say, a lot of the forensic challenges... there are a lot of proof-of-concept challenges out there which have their uses and can be quite valuable, but at the same time don't represent the mainstream of what forensics and blue team do. Some of the network protocols that you have to reverse, I've seen for example ICS protocols in use, the type of thing that a very small minority of the industry will actually see in use, and people asking questions around that, so you have to go and research how these work. Again, it has its uses, but it doesn't represent the mainstream kind of stuff we want completed.

And why is this happening? Well, traditionally blue team is a bit boring, let's face it. If you stand up... doing blue team stuff is great; presenting blue team stuff, not so much. You know, if you found a new artifact in the Windows registry, nobody cares; if you found a new vulnerability and a new exploit, that sounds really cool, people want to do that. So what we're trying to do is show that the blue team stuff can actually be interesting and can be fun.

Some of the challenges we have: the file size is going to be quite large. So if you've got a Windows box that you're doing the forensics CTF on, the image itself for RAM, for example, is maybe one gigabyte if you're lucky to get it that small, and if you get a Windows disk image you're talking maybe five, six gigabytes minimum, and that's assuming that you don't have a Windows Update that randomly goes in the background, which happened to us and pushed one of ours to 20 gig, and obviously trying to download these is not easy.

So what should it look like? It should be real. So, as I've been harping on about from the first place, you should be trying to get things which represent issues that forensics people or blue team people have come across in the past. Now, the file sizes are becoming slightly less of an issue as time goes by. Obviously our program deals with schools, so they are very much still an issue, because schools still have terrible internet connections and still have about 40 firewalls with any-any rule sets between the outside and the school itself. There are some things which we can do to help with this, so there's some developing software, which I'll come on to in a minute, which can help with this process.

The other thing we need to bear in mind is that having a Linux box as a challenge is great, because it's easy, it's free, you can set it up, a lot of people are very comfortable with Linux; but the blue bars here are actually representing Windows as an operating system as it's been seen from the source (I grabbed this one, I can't remember what it is), and at the top you can see Mac is getting a bit more, Mac is coming along, and Linux is actually the grey one at the top, which is a very thin line. So Linux is still a very small percentage in terms of user land and in terms of what a forensics person or blue team person will be doing in their day-to-day job, whereas Windows still takes up the lion's share of the work. It is still important to do Linux, don't get me wrong, but we need to be looking at what the Linux boxes are doing and how we represent that. Are they a web server? Are they an IoT device? What is it that that box is doing? Is it maybe being boiled down into some sort of firewall device that you're looking at? Mac forensics is also not getting enough love right now, so if anybody is a bit of a Mac lover, a Mac nerd, by all means bring out some CTFs for Macs.

So if you're going to build the CTF: planning. You have to plan the damn thing; if you don't, you'll be very sorry very quickly. So we're talking about two ways of doing this, home and business; they're the two main avenues we go down with this, but you need to plan on both. It's important that you plan the challenges, and then the building of the structures matches what you want them to be. Don't build on a whim. A bit of an anecdotal story: a former colleague of mine, he was building a CTF, and he said 'level one's complete'. 'Sweet. I don't remember seeing any paperwork for level two, three and four, which is what's going up there.' 'No, no, no, you can't build level two or three or four until level one's built.' No, that's the opposite of what you should be doing. You need to be planning level one, two, three and four, and looking at how the various challenges interact with each other and how you progress through them, before you start booting up Azure boxes or AWS boxes or even doing VMs.

Try and write down more than you plan to build. This is important, because what we found is we wrote down ten steganography challenges, and there was a 'we don't need ten, they can be really boring, you put ten challenges in there'. So try and over-plan the challenges that you need; make sure you get plenty down on that, make sure somebody else reads them and says 'yes, that makes sense'. Don't just go 'yes, oh I think that's cool, let's do a lot of registry stuff' or 'let's do a lot of memory stuff', because you might have your specialty area and completely neglect network, for example, or something else, or logs. And again, plan all the levels and try and build your difficulty. Go back to the story I just told you, where you need to make sure you have all your levels planned at the beginning, and as you're doing these, try and think in your head: how hard is this, what steps are involved? And it may be that the peer review works and they come back and say 'no, I think what you did there is actually really easy' or 'that's really hard', so make sure that you get your difficulty in there at the beginning.

Now this one again: if you can use the same source of data, it can be really good fun, because you can build one box, you can do whatever you need to do to that box and then start putting lots of questions in. There's only one file to download, it's much smaller in terms of physical downloads, and you can build a story across it. The only downside is if you're using 'flag' as your flag, so for example 'flag:' and then something, then people can grep with strings for that, or do other things, and accidentally find flags before they're supposed to find them. So if you are going to do that, don't put 'flag level 1 question 2' in, because some people will just go through and grep it and then quite happily dump all of the data. The other way of doing it is to use things like timestamps as a flag, filenames, MD5 hashes, things that can't be easily searched for.

So, building the CTF at home. I built a couple for the Cyber Security Challenge in the past; they've gone down in size these days, there's not as much demand to do that type of thing. If you are doing it from home, I would recommend using a single image, because you don't have a team around you, you're doing everything yourself, and it's just much easier to keep track of everything you're doing on a single image. Build a narrative into the CTF. So the ones I've done in the past have usually been insider threat type ones, because they're kind of fun; you can just make stuff up, be a little bit out there with a story. Scott Ledford, who is one of the guys who worked for the Challenge, I always made him the bad guy because it was fun, and that just makes it a little more interesting if people can relate to that; they know who the person is and they're like 'oh yes, Scott, he's doing something else', and that's fine, it works well. Again, adding Easter eggs can be good, but make sure the Easter eggs are relevant, obviously, and this is another one where you can put people's names in there. So I might have an obscure email in there which is between Scott and one of the other people who worked for the Challenge, which talks about nothing to do with this competition but it's just fun to read, and it can be just a little conversational thing; it's these little extra pieces of information that people search for and look at, because obviously you're using a sanitized image in what you're doing. So what you need to be doing, rather than trying to emulate user behaviour in a normal way, is just contrived user behaviour, so it is fake. You may be talking about something amusing, something topical, but don't use real companies or people, because, with the exception of obviously the guy I used (he knew about it; well, he didn't on the first one, he found out, but he did on the second), I'd just say don't use real companies, because they get quite upset about the substance and it can be hard to sort this out.

So, a business CTF. You need to look at this as what the benefits are to the company when you're doing this. You can do a CTF for recruitment, so this would be much more structured, much more formatted, and you say that if people score well in this area then we can offer them a job in this; if they're particularly weak in this area then maybe we don't offer them the job whatsoever. Brand awareness: events like BSides or Infosec, you can put the CTF on where you know that the people there will be interested in doing the technical challenges, and then you basically say 'this is our company, this is what we can do'. And again, the Easter eggs will be dictated by business benefit; it depends on whether or not your company will allow you to have a bit of fun with it. I would always push for a little bit of fun with these things, because it can become quite dry if you don't. And treat it like a normal business project: don't see this as just being the thing the tech team are doing, see this as 'we need to have a project manager on this, and you're deadlining up our deliverables', the usual things you'd expect from doing a business project.

And as we said before, some of the emerging software that's coming out, which is on a slide in a moment, is VNC, RDP, SSH protocols that work over the top of HTML5, so you can then use your own infrastructure, whether that be cloud, whether that be local through a VPN, for people to connect to in order to do these types of challenges. So if you are going to host this in something like Azure, these are some of the tools that you can use. Guacamole is quite a good one; that's been around for a while now, I know a couple of companies are using that. noVNC, and people are making their own forks of this on GitHub, and this bottom one, for example, is very easy to install: it is literally a Docker image, you just run it and you've got the machine ready to go. What you can then do, by doing it this way, is you put all of your information either in the Docker image or onto the AWS or Azure machine; you'll have your image files on there, you'll have your tools installed on that, and you give it the amount of resource that you feel is necessary to run that CTF. Then what that means is somebody could come along with a MacBook or a Windows box, even a Chromebook, load up a browser, browse to your CTF and take part. So you're taking away the idea that somebody has to have a forensics laptop available to them, a lot of resources; you're hosting the resources for them and you're allowing them to play these games regardless of where they are in the world, provided they've got a browser and they can browse to your website.

So, examples and ideas for challenges. I do say try and use the latest version of operating systems, and the reason for this is it prompts other people to do more research into the latest operating systems. Windows 10 seems to be some sort of weird chameleon that changes on every update: memory addresses changing, randomised. Adam loves Windows 10; it keeps his blog going. Recycle Bin forensics does seem to be quite difficult for new people; I quite like this one. So on the challenge we created, we put a couple of files into the Recycle Bin and just filled them full of junk text, and all the junk text is the exact same length except for the flag, so I'm sure if you think about it straight away in your head, wouldn't you just do a strings and grep type thing? You can probably filter that out pretty quickly. But so many people got really upset because we gave them the file name of the file that had been deleted. I would say with the Recycle Bin that doesn't work, because it changes to a $I and a $R, and I forget which way around it is, but one holds the metadata, one holds the actual data, so you can't find that file name; you can't just simply look through the file system and go 'I found the file'. And people were putting lots of support tickets in and going 'that's not there, you put the wrong thing in'. Nope, it's working fine, you just need to get good, as they say. You wouldn't let me say 'get good'.

Volume Shadow Copy is another one, very good for finding old data. I know, you delete something, you could go back to Volume Shadow Copy and you can retrieve the data that had been deleted, even when it's been forensically secured away from the more recent stuff. Registry in memory, that is quite a fun one: getting people to extract hives out of memory, you can run hashdump against memory, and I'm trying to remember the plugin in Volatility, it's gone from my head; I know you can pull clear text passwords from memory using a plugin whose name I've just forgotten... mimikatz!
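The $I / $R split described above is the reason the deleted file's name is not findable by walking the file system: when a file is sent to the Recycle Bin, its content is renamed to $R<id>.<ext> and a separate $I<id>.<ext> record carries the original path, size and deletion time. The parser below is an added example written for this page, not code from the talk or from Cyber Discovery; it decodes both record layouts (version 1 for Vista/7/8, version 2 for Windows 10 and later) and runs on constructed sample records, so the path and timestamp are invented test data.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME into an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer maths avoids float rounding."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_recycle_index(data):
    """Parse one $I record taken from a $Recycle.Bin folder.

    Both versions open with three little-endian uint64 fields:
      0x00 version (1 = Vista/7/8, 2 = Windows 10 and later)
      0x08 original file size in bytes
      0x10 deletion time as FILETIME
    Version 1 then holds a fixed 520-byte UTF-16LE path (260 code units, null padded);
    version 2 holds a uint32 code-unit count (terminator included) followed by the path.
    """
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def matching_data_file(index_name):
    """$I<id>.<ext> holds the metadata; the deleted content is in $R<id>.<ext>."""
    if not index_name.startswith("$I"):
        raise ValueError("expected a $I file name")
    return "$R" + index_name[2:]


# --- constructed sample records (invented, not taken from any real system) -------

def build_v2_record(path, size, deleted):
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(encoded) // 2)
    return header + encoded


def build_v1_record(path, size, deleted):
    encoded = (path + "\x00").encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted)) + encoded


SAMPLE_PATH = r"C:\Users\analyst\Documents\notes.txt"
SAMPLE_DELETED = datetime(2019, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = build_v2_record(SAMPLE_PATH, 1234, SAMPLE_DELETED)

if __name__ == "__main__":
    info = parse_recycle_index(SAMPLE_RECORD)
    print("metadata file $IABC123.txt pairs with", matching_data_file("$IABC123.txt"))
    for key, value in info.items():
        print("%-14s %s" % (key, value))
```

On a real image you would read each $I file under the user's SID folder in $Recycle.Bin and pass its bytes to parse_recycle_index; the original name is only ever in that record, which is exactly why a file-system search for the deleted name comes up empty.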

There we go. So the mimikatz plugin will let you pull clear text passwords for the Windows account from memory. You can also write some really simple Python scripts which will interrogate the registry hive from memory. Again, more files from memory: PST files. There's one we did where we said, you know, the user sent an email, and all we did was provide a memory image and say 'what were the contact details of this user, what was written in the contact details of this user?'.

Pcap challenges, because I love me some networking: we had a whole host of difficulties from this, everything from simply learning to follow a stream in Wireshark all the way through to having a protocol, this file transfer, which teaches netcat. It says FTP on there, but we just did it using netcat, because stripping out the data channel seemed like hard work, and what this does is stop people just using the export file objects from Wireshark. So we're getting people to use different tools or different techniques in order to do the same type of thing that they would do normally, and it teaches good tools, because you're not always going to have Wireshark available to you; you might end up and find that someone's just given you a headless Linux box where you've got command line, you've got tcpdump, off you go. 'Yeah, I don't know how to do this', because everyone's got Wireshark. Protocol misuse is good fun, and we have many different challenges based on that. So another one we've done was to... how do we do this? So the DNS resolve was done using binary, so it was a name, but each letter represented a zero or one, and then you had to go through, extract them all, convert it, figure out what the actual flag was from doing that. We've also done the IP address which ended up being an ELF binary; we had to convert that back into binary.

Really acting like an attacker is another good way of doing these types of things, so you get your box and you hack in and then you look at it afterwards and go 'what have we got?'. This is a little bit less planned than the previous version, but can be more fun in some ways, because you can train your pentesters to have a bit of fun but also to restrain themselves in what they do, to maybe use slightly older techniques or slightly older tools in order to be detected a little bit easier, or maybe you want to go full stealth and see if you can find it; maybe that can be the challenge, not only for you but for the people playing your CTF afterwards. Stealing data is another one.
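The two DNS "protocol misuse" challenges above (a flag spelt out one bit per query name, and an ELF binary carried in IP addresses) reduce to the same blue team skill: take the query or answer records in the order they appear in a DNS log or pcap and reassemble the bytes. The decoder below is an added example for this page, not the talk's own challenge code; the zone name ctf.example, the letter-to-bit mapping (a = 0, b = 1, first label only) and the sample query list and address list are all assumptions constructed for the example, since the talk does not give the exact encoding.

```python
from ipaddress import IPv4Address

ZONE = "ctf.example"          # assumed zone the challenge names live under
ZERO, ONE = "a", "b"          # assumed letter-to-bit mapping for the first label
ELF_MAGIC = b"\x7fELF"


def decode_bit_queries(names, zone=ZONE, zero=ZERO, one=ONE):
    """Rebuild a message from query names whose first label carries one bit each.

    Names outside the zone, or whose first label is neither letter, are skipped,
    so unrelated lookups mixed into the log do not corrupt the bit stream.
    Bits are taken in query order, most significant bit first, eight per byte;
    a trailing partial byte is dropped.
    """
    bits = []
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if ".".join(labels[1:]) != zone:
            continue
        if labels[0] == zero:
            bits.append(0)
        elif labels[0] == one:
            bits.append(1)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return out.decode("ascii", errors="replace")


def bytes_from_addresses(addresses):
    """Concatenate the four octets of each IPv4 address, in the order given."""
    return b"".join(IPv4Address(a).packed for a in addresses)


def looks_like_elf(blob):
    """True when the reassembled bytes start with the ELF magic number."""
    return blob.startswith(ELF_MAGIC)


# --- constructed sample data ------------------------------------------------------

def encode_text_as_queries(text, zone=ZONE, zero=ZERO, one=ONE):
    """Build the query list a player would see for `text` (test data only)."""
    names = []
    for byte in text.encode("ascii"):
        for shift in range(7, -1, -1):
            names.append("%s.%s" % (one if (byte >> shift) & 1 else zero, zone))
    return names


SAMPLE_QUERIES = (encode_text_as_queries("flag")
                  + ["www.ctf.example", "time.example.net"])   # noise to be ignored
# Two invented "answers" whose octets spell the first eight bytes of a 64-bit
# little-endian ELF header: 7f 45 4c 46 02 01 01 00.
SAMPLE_ANSWERS = ["127.69.76.70", "2.1.1.0"]

if __name__ == "__main__":
    print("decoded from query names:", decode_bit_queries(SAMPLE_QUERIES))
    blob = bytes_from_addresses(SAMPLE_ANSWERS)
    print("reassembled %d bytes, ELF magic present: %s" % (len(blob), looks_like_elf(blob)))
```

Feeding the decoder from a real capture means pulling the QNAME (or the A-record RDATA) out of each DNS message in arrival order; the filtering on zone and label is what keeps the ordinary lookups a Windows VM makes in the background from shifting the bit stream.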

You can use USBs, emails; cloud ones can be interesting, if you think about it: if you're looking at encrypted traffic, how do you know if somebody's dumped something onto Google Drive or onto Dropbox? Now you can start looking at different ways of seeing if somebody even accessed these sites, and then look at host forensics anyway to get through those. And as I said, compromising the machine, going through all the different stages as a pen tester and then looking back at it and saying what did the bad guy do on the box.

So, some of the pitfalls. Make sure you use a VM; do not do this on a live machine, you will regret it. Snapshot, and I'll just say that one more time: snapshot often. This is something like, if you don't snapshot, especially if taking memory images, if you don't take a snapshot before you install your tools to grab the memory, you're going to contaminate your own memory image, and you're going to have to either reboot it or revert it or do something else. But if you've got that snapshot where you're like 'I've browsed to the website' or 'I've opened the file up, do I need to... take a snapshot, then install my tools to take the memory image, does it look good? Yeah, continue'. Just make sure you've got that. Yeah, as I say, Windows has some interesting quirks. The Windows Update, as I said at the beginning, changed one of our memory images from 16 to 20 gig, and our resolution to that was to wait; there's not much else we could do, we just went 'it's really big, okay, leave the machine running, walk away, come back, oh, now it's really small'. Magic. Sweet. And Windows just does weird things sometimes. Defender updates ending up in memory images, that one's cropped up a couple of times; I've got a research piece similar to that near the end, but just recently, with the US program that was running, we gave them a memory image. The memory image was really quite simple, it wasn't a difficult task we asked them to do, and somebody ran it through Autopsy, which seemed a little bit odd because that was nothing to do with the challenge at all; it's a memory image, so a bit weird. Autopsy, one of the things built into it, is a basic regex search which will look for URLs, email addresses, things like that. So they did a regex, looked at the URLs, scrolled down through the 3,500 URLs which were in this clean VM, I hasten to add; this VM had been booted up, we'd done the activities to create the artifact, took the image, shut it down; it had been up for practically no time at all, and they found references to porn sites on the memory image, and said 'oh my god, this is disgusting, you're showing this to children'. No, that was Windows Defender. So what happened is we picked up the signature pack from Windows Defender and it got incorporated into the memory image, and we had the conversation internally: should we sanitize our memory images? But we can't; well, we can, we can stick it in a hex editor and overwrite naughty words with good words, but we're not doing that because that's a lot of work. What we ended up saying was this is more of a PR issue; we need people to understand that their machines also have this same data and this isn't something we've injected; we haven't gone to inappropriate sites and then gone 'haha, maybe they'll see that'; this is something that existed in Windows.

We found with Office 365, the PST didn't want to appear in memory. Not entirely sure what happened with this; this is Office 365 installed, by the way, not Office 365 in the browser. So one of our friends at SANS, she installed Office 365, messaged me on Slack: 'I can't find the PST file'. 'What do you mean you can't find it? It's not in memory? It has to be, you just opened an email.' So there's a bit of research we could have done beyond that; unfortunately on that one we were short on time, so we actually uninstalled Office 365 and installed an older version, which worked fine.

So why are these useful? So we've run a blue team CTF in the past; we gave it to the Cyber Discovery kids to look at, and they said 'you've been looking at porn'. There's one of them in the room; it was a good point about singing Maris, it wasn't, there was edit. So they said 'you know, this erotica that hit you, oh my god, you're looking at porn'. So we googled it, 'is that a bit weird, then?', and all that. So we began a research project which we called Holly Pond, because Holly was the girl who created the image; she was the one who'd been accused of looking at porn, so we said 'yeah, project Holly Pond'. So we looked at what ie TLD is, which is what the artifact actually said. Google came up with the best answer on Yahoo: 'IE8 creates an index.dat'. That statement is factually accurate; it does not help, no idea what that means. This was found from a forensic site, and I'm not trying to diss a friend, so I won't say which one it was, but the article was more just covering it in summary, like a Wikipedia-style summary of that, and it said it doesn't know what it's used for. This is like 'well, we'll have to find out, let's do a research project'. So we spun up the Windows 7 VM (I said it was clean, we don't need...), done what we needed to do to get the artifacts running, and we know she didn't browse porn, because, well, we don't know, we just think so. 'erotica that hate you' is never an IP address; content; DNS tools that we use. So we looked at some of the historical DNS tools, couldn't find anything. What we did find is a TLD, so you can have something dot erotica dot ... if you ... The other entries in the same file, in the index.dat file, did appear to also be TLDs, but not country code TLDs, just some other ones. So what is it? Well, you've probably guessed by that: Internet Explorer top-level domains. And as already said, it created a list of custom TLDs in there, and we found that these were also on the Mozilla website on the public suffix list. So you see in here, what they're trying to avoid is the idea that you can set a cookie at a high-level TLD and it covers any website within that TLD. So obviously if it's a country code TLD it's quite easy, because the operating system already knows what they are, it's written in the registry, and that can be done; but for these TLDs it's a little bit more difficult, so they put it in the older versions of Internet Explorer; it's not in the new version of Edge, only the older Internet Explorer versions up to Internet Explorer 8, I believe, you had this file which defines what TLDs existed in the world. So we knew this was there to stop the cookies, but it did allow us to find out something which, as far as we could tell, had not been researched before. So this was showing the blue team CTF helped us. I'll leave that slide there for a second; it's a popular... yes, there you go, proof as to what I'm saying.

So Cyber Discovery, again, as I said, this is the project we ran; this one over here I really quite liked: 'which would you prefer to do, blue team or red team?'. The first time we ran this, I don't unfortunately have the stats, it was nowhere near... it was almost a 50/50 split. So by running these CTFs we're allowing people to really appreciate what blue team, or in this case forensics, can do.

So quickly, in conclusion. Writing fun CTFs does encourage more research, simple as that, and the harder CTFs will allow more tools with alerts, and this is important: some of the forensic tools that we have now are great; well, they could be better, especially on more modern operating systems. People writing these tools rely on other people to do research, as well as their own research, to confirm what they're seeing is true. You can build good games from home, absolutely; camp an amazing game. For business there is a huge appetite out there for this. When we ran this with the Cyber Discovery kids there was a Discord server, a community Discord server, it's not one we run, and the reactions on there were one, 'argh', and two, 'amazing'. So some people were just like 'forensics, I don't want to do that, it's hard, why am I downloading one gig just to find out what operating system's been run?'. The guys in there just kept writing 'welcome to forensics' every time somebody moaned about a file size. But on the flip side there's a load of people going 'this is amazing, I'm really enjoying this', and we got a lot of people going through; in fact, let me go back one. On here we can see this Detective Constable badge at the bottom is awarded to anyone who completes all of level one. Now, our levels, you only have to complete two questions to progress to the next level, and there's five questions per level, so we know a minimum of four and a half thousand people completed all five questions at level one. Unfortunately I don't have the stats for every level, but I'm happy at least that four and a half thousand people played the first level. Any questions?

Oh, no. So, one of the guys is doing mobile phone research at the minute, and we've got the nice iPhones and Androids; we are looking at incorporating them, but right now we don't have all of our buddies.

Yeah, yeah, I think you mean... here we go. See, here, I was a bit worried about doing this one: have we ever gotten in trouble? So when can I sit... it's okay, it's an interesting bug, after me to the Euler page of page, but we have a legal team and they did not issue the creativeness. Well, I'm not lying. Yeah, one card in saver. Adam Trese, shut up. Any more serious questions?

It's a serious question: on that train is a manual job, who loves blue CTFs, are there any publicly available ones? At the minute, no, and this is kind of the point of the presentation: there's not enough really good blue team CTFs out there. There are more popping up, and I would encourage you to look on the traditional red team CTF websites; they'll quite often have them listed as a weirdo CTF, so somehow they have a category of blue team, but in terms of dedicated blue CTFs, not really. At the bottom, Zero Team, I think; the things are a little bit old now, but Hack The Box do quite often refresh their content, so it's worth checking in there. I think the CTFtime site, is it ctftime.org? They've got a list of CTFs so that you can kind of run from that, but they are primarily focused on red team, so you have to really dig through to find out what's on the blue side.

Did I see another hand? That's... I want more, more questions. 'Own initiative host of images'? Yeah, yes, I mean forensics is definitely on your blue side, but obviously blue team can also encompass things like SOC, log analysis, things like that, so the blue team fan is much bigger than just the forensics side. Yeah, it doesn't prove it; I mean there's also the network one, shuffle, in the name of malware-traffic-analysis.net, so you can download a lot of pcaps from there, run them through things like Zeek and other tools to try and get to what their flags are. One of those, feel free to have a look-see; if you find something, do a bit of research, tweet about it, let me know. All right, thank you very much. [Applause]
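Earlier in the talk the single-image design came with a caveat: a literal marker such as 'flag:' in the evidence lets players pull every answer out with strings and grep, while answers that are timestamps, filenames or hashes cannot be searched for because nothing signposts them. The script below is an added example for this page, not the talk's or Cyber Discovery's own tooling: an authoring-time audit that scans an image for greppable markers in both ASCII and UTF-16LE (the encoding Windows uses for most of its strings, which a plain strings run misses) and reports where each expected answer occurs verbatim. The sample image bytes and the two answers are constructed test data.

```python
import re

# Marker styles a player could grep for straight off the image: flag{...}, flag: x, FLAG=x.
ASCII_MARKER = re.compile(rb"flag\s*[:{=]", re.IGNORECASE)
# The same marker as Windows stores most strings: UTF-16LE, a null byte after each char.
UTF16_MARKER = re.compile(rb"f\x00l\x00a\x00g\x00(?:\s\x00)*[:{=]\x00", re.IGNORECASE)


def find_markers(image):
    """Offsets of greppable flag markers, as (encoding, offset), in image order."""
    hits = [("ascii", m.start()) for m in ASCII_MARKER.finditer(image)]
    hits += [("utf-16le", m.start()) for m in UTF16_MARKER.finditer(image)]
    return sorted(hits, key=lambda h: h[1])


def find_literal(image, answer):
    """Offsets at which an expected answer appears verbatim, in either encoding."""
    found = []
    for enc, needle in (("ascii", answer.encode("ascii", "ignore")),
                        ("utf-16le", answer.encode("utf-16-le"))):
        start = image.find(needle)
        while start >= 0:
            found.append((enc, start))
            start = image.find(needle, start + 1)
    return found


def audit_image(image, answers):
    """Marker hits are the defect; answer locations are informational."""
    return {"markers": find_markers(image),
            "answers": {a: find_literal(image, a) for a in answers}}


# --- constructed sample "image" (invented bytes, not a real disk or memory dump) ---
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"flag:level1-q2"                          # ASCII marker at offset 16
    + b"\x00" * 8
    + b"2019-07-01 12:00:00"                     # a timestamp answer with nothing signposting it
    + b"\x00" * 8
    + "FLAG{level1-q3}".encode("utf-16-le")      # UTF-16LE marker at offset 65
    + b"\x00" * 8
)
SAMPLE_ANSWERS = ["2019-07-01 12:00:00", "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    report = audit_image(SAMPLE_IMAGE, SAMPLE_ANSWERS)
    for enc, off in report["markers"]:
        print("greppable marker (%s) at offset %d" % (enc, off))
    for answer, where in report["answers"].items():
        print("answer %r found at %s" % (answer, where or "no verbatim copy"))
```

Run it over the finished image (read the file in binary, or in chunks with an overlap of a few dozen bytes for multi-gigabyte images) before publishing; any marker hit means a player can skip the forensics, whereas a timestamp or hash answer being present in the evidence is expected, since that is what the player is meant to find by analysis.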