I've recently had the challenge of building a fully immersive scenario to test red teamers’ offensive security skills for this year’s DEF CON Red Team Village. After hosting over a dozen Capture the Flag (CTF) tournaments for tens of thousands of players in the past, I decided it was time for me to “level up” and branch out. Leveling up in this case meant hosting a corporate Windows Active Directory environment that allows red teamers to showcase their strengths, use advanced tactics and tooling, and ultimately, walk away with improved offensive security testing skills.
So I teamed up with my fellow CTF builders and the DEF CON Red Team Village to deliver the CTF at this year’s DEF CON Safe Mode. We used the cult classic “Office Space” as our inspiration and built a corporate network that mimics the infamous Initech company. And yes, our CTF is complete with stapler jokes and other references (Michael Bolton, anyone?). We added an open source intelligence component, so you can put those skills to the test, too. Go out and find Peter, Michael, Samir, and Milton and send them a friend request (they’ll be very appreciative).
CTFS AS A ONE-OF-A-KIND TRAINING AID
Personally, I like to think of CTFs as a type of “training aid.” Even the most advanced pen tester can benefit from taking some time to shore up their offensive security skills. I highly encourage security professionals to participate in CTFs as often as possible. I’ve been in security for more than a decade, and I still am a frequent participant in these competitions.
Often, CTFs will help you become familiar with a new technology or platform in a short amount of time. The process of voraciously consuming everything you can to learn how to build and then break the latest framework is something that builds up your pen testing repertoire. This sort of urgency mimics the real world of consulting – where sometimes you need to pick up a new technical skill in a limited time frame. For me, it’s an exercise that I practice consistently. Especially when it comes to a discipline such as red teaming, it’s important to ensure your skills stay sharp. At Bishop Fox, we recently launched a new service line strictly dedicated to red teaming – and for the consultants involved, keeping their skills sharpened is essential to ensure the highest quality engagements for our clients.
If you’re seeking an additional challenge, try building a CTF from scratch. In my experience, there is no better way to learn the internals of different systems than building them and coming up with creative solutions to “hackproof” them (except for the intentional vulnerability or two). Additionally, it’s a great experience to take a modern system with security safeguards and disable them, which gives you an unparalleled understanding of the internal schematics. For example, depending on the Linux kernel, there are a number of safeguards you can disable to allow for some classic exploit techniques. Sometimes you fall back to an older kernel; sometimes they are compile-time controls, but finding out which is which is an enjoyable challenge.
Although this year will be a departure from DEF CONs past, the spirit of the conference is very much alive in this new all-virtual format. I fully expect our DEF CON Red Team Village CTF to be just as enjoyable – and certainly as competitive – as prior ones.
Interested in attending the CTF? Read what you can expect below:
Who's the best red team in all the land? Do you think your group of offensive security ninjas are up for a challenge? During DEF CON Safe Mode, the Red Team Village will host a unique capture the flag (CTF) tournament. The event will take place in three parts starting at 0900 PDT on 6 Aug. The first 24 hours will be a qualifier event with a traditional Jeopardy board style. The top teams will then advance to the finals that will take place the following 48 hours. First, the finalists will conduct recon on the client https://initech.business and then conduct a red team engagement against a fully immersive enterprise network.
I hope to see you there!
Don’t forget: Bishop Fox’s Ankur Chowdhary will be presenting “Autonomous Security Analysis and Penetration Testing (ASAP)” on August 9, 2020 as part of the DEF CON Red Team Village. At Black Hat USA earlier in the week, Rob Ragan and Oscar Salazar will be speaking, sharing their talk “SmogCloud: Expose Yourself Without Insecurity - Cloud Breach Patterns.” Their talk will focus on leveraging AWS security services and metadata to translate the raw configuration into patterns of targetable services that a security team can utilize for further analysis. The open source tool SmogCloud will be available shortly after their presentation as well as a corresponding technical write-up.