It's the age-old debate in the cybersecurity realm: experience versus fresh perspective. This year's BSides Las Vegas conference showcased this in an exciting Capture the Flag (CTF) event called "Pros V Joes." A classic contest of wits and skills, it pitted seasoned security professionals against amateurs.
For the uninitiated, a CTF is any competition where the goal is to score points by breaching an enemy’s defended perimeter and capturing their flags. A cybersecurity CTF is no different, although the “flags” can take many forms: files, strings in code, the “right” error message, etc.
For this event, however, things worked a bit differently. This type of competition could be classified as an “availability” CTF: we had a slew of services (web servers, SSH, mail, etc.) that were connected to a central scoring server (aka Scorebot). When the services were available (i.e. not taken down by an attacker), we scored points. Conversely, if Scorebot could not reach these services, we were not scoring points.
The premise was electrifying. On the offensive security front, the Red Cell had their deck stacked with security experts equipped with years of experience and deep knowledge of the most evil exploits. Their mission? Breach the fortresses of the four defensive blue teams (the Joes), mostly fresh faces in the world of cybersecurity. But they weren't entirely on their own; each blue team had a captain or two (their own Pros) leading them, helping them navigate and try to deal with the onslaught. The event was tailored to give newcomers an easy entry into the often-intimidating world of CTFs. We were lucky to have a healthy smattering of disciplines and experience levels, ranging from Pros heavily steeped in current IR gigs to Joes who had never worked a day in cybersecurity. While I truly enjoyed meeting and working with everyone, one of my favorite teammates was a fellow Windows admin, “ip3c4c,” who, when not crushing CTFs, spends his time saving lives as an oncologist.
I applied to participate as a blue team Pro and was lucky enough to be accepted. My background is mostly on the offensive side, but I have had my fair share of blue team gigs, most recently (in 2021) building and running a security operations center for a midsize multinational software vendor.
Day one of the competition was primarily defense-focused. Before our team, named “The ImpoSTARS,” could defend ourselves, however, we needed to try to kick the Red Cell out.
That’s right; one of the mechanics of the game was that the Red Cell had unfettered access to our environments weeks, if not months, prior to the competition. They had plenty of time to plant persistence mechanisms: ways to regain access if they were to lose it. A common example of persistence would be for the attackers to create a user or two of their own, or maybe create a fake “guest” account with elevated permissions. Or, in our case, more than 200 accounts all named “BillyMays.” 😅
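A defender's counterpart to that kind of account-stuffing persistence, as an added example that is not from the event or from the ImpoSTARS' own toolkit: a Python script that diffs a Linux host's accounts against a pre-game baseline, flags newcomers sitting in admin-capable groups, and clusters lookalike names (the BillyMays pattern) regardless of case, digits or separators. The baseline set, the passwd/group contents and the list of privileged group names are constructed sample data, not anything captured from the competition; the same diff-against-baseline idea applies to Windows local and domain accounts once you have their names and group memberships in hand.

```python
"""Hunt for rogue accounts planted as persistence (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed baseline: the accounts we expect to exist, recorded before the game.
BASELINE = {"root", "alice", "bob", "svc-web", "svc-mail"}

# Group names that confer admin-capable rights; extend for your own environment.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "Administrators"}

# Constructed /etc/passwd and /etc/group contents pulled from a box at game start.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-web:x:1002:33:web service:/var/www:/usr/sbin/nologin
svc-mail:x:1003:8:mail service:/var/mail:/usr/sbin/nologin
guest:x:1004:100:guest:/home/guest:/bin/bash
BillyMays:x:1005:100::/home/BillyMays:/bin/bash
BillyMays1:x:1006:100::/home/BillyMays1:/bin/bash
billymays_2:x:1007:100::/home/billymays_2:/bin/bash
billy.mays:x:1008:100::/home/billy.mays:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:billy.mays
mail:x:8:
www-data:x:33:
users:x:100:
alice:x:1000:
bob:x:1001:
sudo:x:27:alice,guest,BillyMays1
"""


def parse_passwd_group(passwd_text, group_text):
    """Return a list of (name, uid, sorted_groups) covering primary and supplementary groups."""
    gid_to_group = {}
    memberships = defaultdict(set)
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gname, _, gid, members = line.split(":", 3)
        gid_to_group[int(gid)] = gname
        for member in filter(None, members.split(",")):
            memberships[member].add(gname)
    accounts = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid = line.split(":")[:4]
        groups = memberships[name] | {gid_to_group.get(int(gid), str(gid))}
        accounts.append((name, int(uid), sorted(groups)))
    return accounts


def normalize(name):
    """Collapse case, digits and separators so lookalike names cluster together."""
    return re.sub(r"[^a-z]", "", name.lower())


def find_rogue_accounts(accounts, baseline, privileged=PRIVILEGED_GROUPS):
    """Return (unexpected, privileged_unexpected, lookalike_clusters).

    unexpected:            names absent from the baseline, in passwd order
    privileged_unexpected: the subset of those in an admin-capable group
    lookalike_clusters:    normalized name -> names, for any name seen 2+ times
    """
    unexpected = [n for n, _, _ in accounts if n not in baseline]
    privileged_unexpected = [
        n for n, _, groups in accounts
        if n not in baseline and privileged.intersection(groups)
    ]
    clusters = defaultdict(list)
    for n, _, _ in accounts:
        clusters[normalize(n)].append(n)
    lookalikes = {k: v for k, v in clusters.items() if len(v) > 1}
    return unexpected, privileged_unexpected, lookalikes


if __name__ == "__main__":
    unexpected, privileged, lookalikes = find_rogue_accounts(
        parse_passwd_group(PASSWD, GROUP), BASELINE
    )
    print("Not in baseline:       ", unexpected)
    print("...and admin-capable:  ", privileged)
    for key, names in lookalikes.items():
        print(f"Lookalike cluster {key!r}:", names)
```

Run it against the real files (`open("/etc/passwd").read()` and `open("/etc/group").read()`) instead of the constructed strings, and treat the privileged list as the first thing to disable; the lookalike clusters catch variants an exact-name blocklist would miss.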
Teams were tasked with safeguarding their systems against the relentless onslaught of the Red Cell. Against all odds, the ImpoSTARS shone brightly, leveraging a robust defense strategy that catapulted us to the lead after the first day of battle. We stood tall, having thwarted numerous attempts by the red team to compromise our environment.
However, day two introduced the “purple phase,” a whirlwind of a challenge where teams not only defended against the Red Cell but also went on the offensive against fellow blue teams, with us trying to score points by getting shells (remote access) on their machines. Adrenaline pumping, we were elated to be the first team to score points by getting shells on one of the other team’s machines. With our machine count growing from the initial 8 to 37 over the course of the game, defense became harder as new machines (and thus, new problems to solve) were introduced and our team kept getting spread thinner.
However, by the end of the purple phase, fortune took a swift turn, and we found ourselves at the bottom of the leaderboard. 😢
Then came the climactic "scorched earth" phase. An apt name, as it felt as though the earth beneath our feet had been set ablaze. As we soon realized, we had underestimated the Red Cell. The barriers that had previously restricted their techniques were lifted. The battlefield became a free-for-all, with the Red Cell employing tactics that were previously off the table. They breached the game's scoring server, transforming the status indicators into a disco of rainbow colors, and launched a series of fierce, seemingly unstoppable denial-of-service attacks.
The aftermath? A team of Joes, humbled but hungry for more. We might have been bested in this battle, but the war, the journey of continuous learning, is far from over. For every system compromised, for every shell gained, a lesson was learned, a strategy was revised, and a new defense was conceived.
Beyond the points and the leaderboard, the real win was the experience. The new entrants to the field soaked up invaluable knowledge. And while the Red Cell pros had their share of giggles (rightfully earned!), the camaraderie and spirit of the competition were undeniable.
In the end, the Pros V Joes CTF was not just about winning but about growing, learning, and fostering the next generation of cybersecurity professionals. As for the ImpoSTARS, watch this space. We'll be back, brighter and stronger.