Just over a year ago, having participated in a few Digital Forensics and Incident Response (DFIR) Capture The Flag (CTF) challenges, I started an internal one at work.
This was aimed at Security Operation Center (SOC) and DFIR analysts, while using actual alert data from our environment. The great thing about this was the ability to present analysts with the same data they work on during normal operations. This meant we could test their understanding of what they were seeing, all while having the added excitement of playing in a CTF.
Since then, the idea of starting a public Blue Team CTF stuck with me… so say hallo to SocVel.
Before we continue, if you are one of my family members or non-infosec friends reading this, I thank you and I apologise for all the acronyms used thus far. You would then also appreciate knowing who or what the “Blue Team” is. This infosec term is commonly used to group and describe the cyber defenders in an organisation. That is, the ones responsible for helping upper management sleep at night by knowing the company’s cyber defenses are in good hands. The Blue Team also has to deal with the Red Team. These are often narcissistic types who get paid good money to simulate attacks against companies in order to test defenses, improve the overall security posture and generally torment Blue Teamers. (Naturally, this is said in jest, but really.)
Let’s get back to SocVel… The name was derived from ‘Stokvel’, a term which originated in the 19th century when English settlers in South Africa held “stock fairs”. These were auctions for cattle and other livestock where farmers and labourers would gather and pool money together to make purchases. Today, Stokvels are still common in South Africa, but have evolved into clubs where members contribute money to a common pool. This money then gets used depending on the club’s purpose, such as investments or buying groceries. So our term, a SocVel, can thus be a place where cyber defenders come together to pool their knowledge.
How does SocVel work?
Each SocVel challenge presents the analyst with a specific scenario. As of writing, we have two challenges available, each consisting of 30 questions to be solved. These scenarios are based on what is currently happening in real-world cyber attacks. The first challenge, #Pooptoria, deals with an internet-connected host at a Wastewater Treatment Plant that was compromised, resulting in a disastrous aftermath. The second challenge, #DikBek, plays out at an intelligence research agency where confidential research into the Dikbekkanarie bird got stolen and leaked to the public.
For each challenge, analysts are provided with a triage pack from the compromised host(s). This triage pack contains already processed log data, removing barriers to entry such as the need for tooling. Analysts are then presented with a set of questions to guide them through the investigation. The questions are in line with what we would often expect an analyst to answer during such investigations:
- How did the attackers get in?
- What did they do on the host?
- Did they pivot to other systems?
- What IOCs are available to identify whether any other systems are compromised?
Who should be SocVelling?
The actions taken by the attackers simulated in the SocVel challenges are based on the known Tactics, Techniques, and Procedures (TTPs) currently being seen in industry. That is, if the cyber threat intelligence providers are telling us attackers are getting in via exposed RDP, SocVel has got you covered in gaining experience investigating such attacks.
At SocVel, we enjoy seeing seasoned professionals as well as newcomers to the field take on the challenges. All questions have hints that can be unlocked, so if you are trying to break into the field, this is a great way for you to get some experience.
Having started in April 2021, we have signed up close to 150 players from 30 countries in less than two months. We also just breached 3000 answer submissions!
How Do I SocVel?
So, if you made it to here, the question probably lingers: How Do I SocVel?
Easy: Head over to www.socvel.com, click on one of the live challenges and follow the instructions to get going.
You can follow SocVel on Twitter at @socveldotcom.
Also consider supporting us by buying us some coffee over at https://buymeacoffee.com/socvel.
Remember: Don’t Delay, SocVel Today!