First DEF CON, first full virtual conference I attended. This post is going to be in different parts, with the overall experience, the things I really liked and kind of a simple overview of the OpenSOC CTF (which I thoroughly enjoyed). I am still trying to get caught up on some of the various talks from the other villages, as a lot of my time was spent working on the OpenSOC CTF and the various workshops/panels with Blue Team Village (BTV). I was hoping to do a better write-up, but life found a way and I wanted to try and spend some extra time with my wife, since me being “Out” due to DEF CON put some extra strain on her.
What I really liked:
- OpenSOC CTF: This was my first time doing the OpenSOC CTF and I was not sure what I was fully getting myself into, as I was used to the other jeopardy-style and more red-team-focused CTFs with web apps to break, steganography, and some forensics challenges. What really captured my interest was that this was more like a full-fledged SOC environment, and you had to investigate several different incidents. These were tools I have never really used before or interpreted (pfSense, Thinkst Canary tokens, osquery, Suricata, Graylog, Snort, Velociraptor, and Moloch). Thankfully the Blue Team Village had some early “workshops” showcasing the tools and how to use them. I had to learn the syntax of each of the different tools (thankfully Graylog is built on top of an ELK which I do know some of the syntax for), but once I learned the syntax and got a better idea of what I was looking for, I was able to do well at following the trail of several challenges. They did lead you on: each new “flag” just added another piece of the puzzle and told the story of what you were looking at.
The networking portion of looking at the events/logs from firewalls/IDS/email I did really well with (along with packets), but once we got into the nitty-gritty of filtering through Sysmon (thanks to Winlogbeat) and other endpoints I started to falter a little. I know it’s an area I am currently working to improve on with DetectionLab. I was able to figure some events out (like a PowerShell script running and what script was run, and was able to pull some “IOCs”), but what made this not fun was trying to bounce between this, the workshops I signed up for and the various talks/panels…and you know, eating XD (I know it was DEF CON but I’m not about that life).
I was not expecting to win or even go top 10 doing it solo, but for my first time using the tools and finishing at the lower end of the 50th percentile or so I’m pretty pleased with myself, and I got some weak spots I need to work on and that is perfectly OK!
- Workshops: While there was some bad, as it was a firehose at some points (and one being around 10PM EST), these really were the bread and butter other than the OpenSOC CTF. Ever since I did a Splunk workshop at GrrCON last year (it was really a guided Boss of the SOC v2 AKA BOTS v2) I try to get into workshops. The ones I really liked were creating Jupyter notebook playbooks for threat hunting, NSM in the cloud (deploying Security Onion on AWS..noice), and also writing YARA rules. I know I need to look back on the YARA rules and Jupyter notebooks as A) I was really tired and B) in the middle of a good flow with the OpenSOC CTF XD.
Both are tools I want to get better at using/understanding to help automate some things and to build up better rule sets (in the case of YARA). There was also one with IR which was good, but it was like a CTF and I’ll guide you (which I need to find the link for, as it is always up). Thankfully the slides were shared to attendees, so now that things are calming down a little again it’s time to go through them again (doubly so once I finish my DetectionLab setup, as I also want to add RITA from Active Countermeasures and maybe a Metasploitable or OWASP Juice Shop vulnerable web app) and I can start really applying these and playing around with them. That is the con: if you don’t use it right away, you lose it, and this was really the case, as back in the normal grind of $employer I really didn’t get a chance to work with these; with catching up and other stuff I didn’t get the chance to review/play around like I wanted. If this wouldn’t have been so delayed it would have helped too XD
- Talks/Panels: Part of the reason why it’s taken me so long to write this is I am still trying to catch up on talks from all the villages. I know, being from the Metro Detroit area, I spent some time getting some entry knowledge with automotive hacking and some of the basics of automotive networks, which I was clueless about; it was good that it was pretty cut-and-dried simple and wasn’t overly complicated. I really did enjoy the panel talk on IR. As someone that has a rapidly growing interest in DFIR/Threat Hunting/NSM and more active defense (Decoys/Honeypots), this was really informative to listen to from people that do that for a living and get some insight. Another good talk was about BlueSpawn. It was funny, we just worked with this in my intro to security course with John Strand/Black Hills Information Security. It was neat to get more background on the tool and part of the reason for its development. If you don’t know, BlueSpawn is an open source active defense/EDR product based in PowerShell (at least for what we used it for with the course).
not bad in itself, but made it hard
- Discord…It was nice for all the Villages and DEF CON to have separate channels. However, the alerting was so distracting with people posting in all the channels. I tried to mute where I could, but then I’d miss things or just ignore channels altogether (Sorry Red Team Village). Also I’m “that guy” that has the taskbar on top set to autohide (it’s clutter), so every time there was a new ping the start menu would drop down and just be distracting. Granted, I know this is small, and really it was nice to have it “break out” like that, and now they are live communities still even after DEF CON. But for someone that gets distracted pretty easily or annoyed with things, this was a big no from me XD.
I know this was long overdue, but there was work and trying to take care of some projects around the house, due to DEF CON and weather, that needed to be taken care of. This was probably the only way I’d be able to attend a DEF CON, as I’m not sure the wife would be thrilled with me taking PTO to go fly to Vegas to attend this. Maybe if I can talk to my $employer/contract house and see if they can cover some of it. Maybe life might find a way and I get to head out that way and maybe score a badge (or a BTV one as well).
Onward to Wild West Hackin’ Fest in a few weeks!