Just over a year ago (Feb 2020) I started running weekly internal training CTFs @work.
These were aimed at the various levels of analysts in the SOC as well as the folks in Incident Response. It ultimately allowed us to test and train analysts in a question-answer style CTF, validating understanding of the tools and systems used in everyday work. One of the great things about it for me was that we were using actual data and tools from our own environment. I could see how analysts were answering questions, which for me is a great way to identify gaps in either technical knowledge or (mis)understanding of tool output.
Since then, I’ve long wanted to launch something similar in the public domain. A CTF aimed at SOC and DFIR (Digital Forensics and Incident Response) analysts. But, just to get a decent amount of data generated on which you can build a public CTF is a fair amount of work. Since the start of this year I kept coming back to the idea of running a public training CTF and have now made work of an MVP (Minimum Viable Product).
So say hallo to SocVel:
The name SocVel is derived from the well known South African term Stokvel. But more on that at a later time… MVP right.
What is the aim of all this?
For those new to the field
Most infosec vendors will have some training available to help you understand how to interpret what is on the screen when using their tools. Whether that is an AV solution, EDR, SIEM, SOAR or SNAFU. (The last one is not a real infosec term, although in this day and age, that could be deemed an acceptable way to refer to the industry.)
But, one of the main gaps I often see is the ability to link all the bits of information together. Some analysts may get overwhelmed by the noise in their environment, and struggle to identify the golden needles in a stack of more needles.
For me, it often comes down to asking the right questions about the situation in front of you, and being able to devise plans to answer those.
In addition, you need to be able to formulate these answers you’ve found during an incident to tell the story of what happened. Whether that story needs to be communicated to a colleague, a level up in the SOC, or an overworked CISO who really just wants to know if this is the big incident that finally pushes them over the edge.
For veterans
If you are a veteran SOC or DFIR analyst, this is a great way for you to test your abilities as well as tooling. Challenge yourself by not having the data necessarily in the way you are used to get it from your EDR, SIEM or Triage Scripts.
What makes this different from most DFIR ‘conference’ CTFs?
Time Pressure
There is no time pressure. Each SocVel CTF should remain open for a month or so, depending on the number of participants or general interest.
Oftentimes the time zones when CTFs are presented aren’t ideal. Yeah I know they can’t cater for the entire globe, but, doing a CTF between 01:00 and 07:00 local time on a Saturday morning is not my idea of fun.
Even if the CTF is in a respectable timeslot, the line of work most DFIR or SOC analysts find themselves in doesn’t always guarantee they’ll have the consecutive hours available to complete it.
Barrier To Entry
Sometimes CTFs are just plain whack in their asking (especially general hacking ones). Allow me to quote a post from hatsoffsecurity.com, referring to people who create CTFs:
“The challenge should be hard because the subject is hard, not because you’re being a d***”
My target market with SocVel are both experienced DFIR veterans and entry-level analysts. To that end, most questions in a SocVel CTF will have an unlockable hint available. This should be helpful enough for you to derive how to get to the answer.
You’re not going to learn anything if you get stuck at a point, and there is nothing or no one there to guide you in understanding what needs to be done.
Guessing
Again, my aim for SocVel is to be a training CTF.
In an online conference CTF which took place last year, there were no limits on the amount of incorrect answers you could submit. This was the stats for the winner:
- Correct Submissions: 22 (5.49%)
- Wrong Submissions: 379 (94.51%)
As a strategy for winning CTF’s, that will probably get you there. If the question is: “Which browser was used by the attacker”, you just start submitting browser names until you get it right. However, I don’t want someone working on incidents that have a mere 5.49% success rate.
To combat this, SocVel will deduct points for each incorrect submission. You can still try and try again until you get it right, but it will cost you.
Ready?
And with that, the first investigation (Pooptoria) is live:
The notorious threat actor Fancy Poodle has done it again! This time striking at Strikdaspoort Wastewater Treatment Plant in Pretoria, South Africa…
Do you have what it takes to solve the investigation while only using limited triage data? All before the license-dongle-wielding forensic analysts have checked their write blockers out of storage?
Head over to www.socvel.com for instructions to give it a go.
