Preparing for disaster is critical for responders in many industries. It is the reason why we practise first aid, why we learn ‘survival swimming’ fully clothed, and why we run Business Continuity Plan (BCP) exercises.
In the realm of information security, there is a series of exercises thinly disguised as games called Capture The Flag (CTF). While these are commonly offensive in nature where participants attack their targets, in the Computer Security Incident Response Team (CSIRT) / Computer Emergency Response Team (CERT) community you will find incident response (IR) CTFs.
In April, Warren Finch, Jake Flint, and I represented APNIC at an IR CTF run by the Joint Cyber Security Centre (JCSC) in Brisbane, Australia, as part of the larger Australia Cyber Security Centre (ACSC), which now includes CERT Australia. The scenario presented was:
“The Wind In-case of No Daylight Corporation (WIND Corp) need your help! A critical application supporting their wind turbines has ceased to function, causing the turbines to lock and stop producing electricity. WIND Corp are already suffering reputational damage as customers lose power. Can you investigate the cause of the issue and get the turbines running again?”
Participants (either individuals or teams of two to three) had six hours to investigate what had occurred and restore functionality to the wind turbines using open-source tools.
After being assigned the team name ‘Bottom Ocelot’, our first job was to download and copy the forensic artefacts including a memory dump from a Windows workstation and a network packet capture (PCAP) that contained all of the malicious traffic mixed among plenty of legitimate traffic.
[Embedded tweet from the Australian Cyber Security Centre (@CyberGovAU), April 24, 2019]
While waiting on the downloads, we looked through the large list of ‘flag’ questions we had to answer, and discussed splitting up the tasks among the team. Through the intense (and very quick) six hours we were able to capture several flags before any other team but ran into problems with timezones. By the end of the exercise we had earned enough points to place fourth overall.
Participating in a hands-on exercise such as this is a good reminder that preparation is key when needing to respond to incidents, especially under pressure. It also reminded me of the need to:
- Be familiar with your tools.
- Use scripting for common tasks.
- Bring snacks to save time going out for food.
- Not get stuck down a rabbit hole on one question when there are several other questions to work on.
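The two lessons most worth scripting in advance are the ones the post names: handling the PCAP quickly, and not tripping over time zones when lining up packet timestamps against a workstation clock. The following is an added example written for this post, not a tool the team used or anything the JCSC provided. It parses a classic libpcap file without third-party libraries, reports each packet’s timestamp in both UTC and an assumed analyst time zone (Australia/Brisbane, chosen only because the event was held there), and filters packets by a window given in local time. The capture it reads is constructed inline, not the competition’s PCAP.

```python
"""Normalise libpcap timestamps to UTC and a local zone for artefact correlation.

libpcap records store Unix epoch seconds plus a fractional part, so they are
timezone-independent; the mistake that costs time is comparing them with
clocks or log entries that are written in local time without saying so.
"""
import struct
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

PCAP_MAGIC_USEC = 0xA1B2C3D4  # microsecond-resolution captures
PCAP_MAGIC_NSEC = 0xA1B23C4D  # nanosecond-resolution captures
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def parse_pcap(data: bytes):
    """Yield (epoch_seconds, packet_bytes) for every record in a libpcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<"
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        (magic,) = struct.unpack(">I", data[:4])  # capture written big-endian
        endian = ">"
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a libpcap (classic pcap) file")
    divisor = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        packet = data[offset:offset + incl_len]
        if len(packet) < incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_frac / divisor, packet


def timeline(data: bytes, local_zone: str = "Australia/Brisbane"):
    """Return one dict per packet with aware UTC and local datetimes."""
    zone = ZoneInfo(local_zone)
    rows = []
    for epoch, packet in parse_pcap(data):
        utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
        rows.append({"utc": utc, "local": utc.astimezone(zone), "length": len(packet)})
    return rows


def packets_between(rows, start_local: str, end_local: str, local_zone: str = "Australia/Brisbane"):
    """Filter timeline rows by a window typed in local wall-clock time.

    The window is converted to UTC once, and the comparison is done on the
    aware UTC datetimes, so the local zone never leaks into the comparison.
    """
    zone = ZoneInfo(local_zone)
    fmt = "%Y-%m-%d %H:%M:%S"
    start = datetime.strptime(start_local, fmt).replace(tzinfo=zone).astimezone(timezone.utc)
    end = datetime.strptime(end_local, fmt).replace(tzinfo=zone).astimezone(timezone.utc)
    return [r for r in rows if start <= r["utc"] < end]


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture (not real traffic): epoch timestamps only matter."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    base = 1556064000  # 2019-04-24 00:00:00 UTC == 10:00 AEST (hypothetical times)
    records = [(base, 0, b"\x00" * 60), (base + 3723, 500000, b"\x00" * 74)]
    body = b"".join(struct.pack("<IIII", s, us, len(p), len(p)) + p for s, us, p in records)
    return header + body


if __name__ == "__main__":
    for row in timeline(build_sample_pcap()):
        print(row["utc"].isoformat(), row["local"].isoformat(), row["length"])
```

The script prints each packet twice, once as UTC and once as Brisbane time, so an analyst reading a Windows artefact that reports local time can match it without mental arithmetic; the `packets_between` helper is the piece to reach for when a question gives a window in one zone and the capture is in another.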
Overall, we thoroughly enjoyed our time at the competition, with Jake and Warren gaining new insight into the practical side of incident response, and furthering our involvement with the JCSC and ACSC.