Capture The Flag Battleground aims to provide a real infrastructure environment on which two teams fight: one attacks the infrastructure (Red Team) and one detects the attacks (Blue Team).
The first session of CTF Battleground takes place on Wednesday 22nd November 2018. The battleground will be built on Amazon AWS; the SIEM will be Splunk Enterprise.
The infrastructure team is in charge of building the battleground, i.e. the infrastructure the battle is fought on. This infrastructure must push all of its data to a SIEM for the defence side (Blue Team). It must contain vulnerabilities for the attack side (Red Team). It must be functional, with endpoints/entry points exposed on the internet. The infrastructure team provides architecture details and the security setup to the Blue Team. It provides objectives to the Red Team (find and leak data, destroy a target, take control of an account, ...) that are not known to the Blue Team.
The Blue Team is in charge of analysing the data in the SIEM to detect and investigate (and, in future sessions, potentially respond to) ongoing attacks. The Blue Team must write a findings summary and store evidence of its detections and investigations.
The Red Team is in charge of attacking the infrastructure in order to take control of it. The Red Team must write a findings summary and store evidence of its attacks, with results.
- You do talk about CTF Battleground
- You do talk about CTF Battleground
- DNS zone walking is prohibited (AWS penetration testing policy)
- You do not touch the log collector (Splunk Universal Forwarder) on the challenge instances
- You do not touch ~/.ssh/authorized_keys
- You never, ever leave the subnet you are given
- When you capture a flag, raise your hand and store evidence (screenshots, logs, dumps, the flag key string)
- Red's universal flag is to obtain root or administrator privileges
- Blue's universal flag is discovering attacks
- Red has secret flags to capture
- Blue knows the infrastructure it watches, but not the challenges
- Red's activity is not always an attack (and therefore not always a flag for Blue)
- The stealth of Red's attacks is a score factor for Red
- The complexity of the attacks Blue discovers is a score factor for Blue
- Blue may perform forensics on machines only to gather data (no traps allowed)
- Each flag is worth 1 point
  - For Red, a flag is a captured flag
  - For Blue, a flag is a sequence of logs showing a Red attack on a machine (successful or not)
- The battleground's bonus flag is worth x10 (for Red if captured, for Blue if the related attack is discovered)
- Multipliers
  - For Red
    - if the machine is not exposed on a public IP address: x2
    - if the attack is not discovered by the Blue Team: x3
    - if the attack is partially discovered by the Blue Team: x2
    - if the attack is chained across several machines: x (number of machines on which it was not discovered)
  - For Blue
    - if the attack is chained across several machines: x (number of machines on which it was discovered)
    - if reverse engineering (crypto, binary, obfuscated code) was required to uncover the attack: x2
    - if forensics was performed and produced findings: x3
    - if markers have been set up in the SIEM that could trigger on the identified attack: x2 (IP addresses are excluded)