Live Visualization of the S4x19 CTF

First Some Quick News: WeHack4Booz, the two-time defending S4 CTF champion team from Booz Allen Hamilton, will be back to compete in the S4x19 ICS CTF. Who will take them down?

One thing we have tried, and failed at, over the last three years at the S4 ICS Capture The Flag (CTF) competition is live visualization of what is happening. Of course the scoreboard is available to show flags being captured, but there has been no way to see the network traffic, the types of attacks, the status of devices, or even to drill down and look at the specific effort to capture a specific flag. And we did a poor job of showing the limited information that was available.

We have looked at past failures in this area and are approaching it differently this year in two important ways.

  1. We are assigning a person full time to the CTF to pump out screenshots, videos and updates via a variety of social media channels. We will also be able to show some of these on the break slides and in some after-event analysis. This is the easy improvement.
  2. CTF sponsor SecurityMatters will have their SilentDefense product connected to the CTF network to monitor attempts to capture the online flags.

We have had other CTF sponsors attach monitoring and detection products to the CTF network in past years, but they did not have the right preparation or the right people involved to make use of the product. For S4x19, Reid and the team developing the flags are sharing the flag details with SecurityMatters in advance, so that they will know what will be attacked and at least some of the likely attack methodologies. In addition, SecurityMatters will have analysts skilled in the use of SilentDefense on hand in the CTF room.

In addition to the general monitoring, they will focus on efforts to capture certain flags at certain times and report out the results. This will also allow non-competing S4x19 attendees to see attack paths and the type of data that can be used in a detection program.

Like OSIsoft, SecurityMatters will also be contributing flags to the CTF. These flags will embody the traditional CTF spirit, but with an educational twist. They plan to make their flag environment as realistic as possible to provide an authentic view of an ICS. There might be some pivoting on dual-homed devices, but there might not be. There will be memes and music files, steganography, and just plain crypto.

And of course Reid will be producing his creative online and offline challenges, all new for S4x19. There are usually about 50 flags in the CTF. We will also be adding some Cabana session flags, but we will write more about that later.