Meet the winners of the Corelight CTF tournament

By John Gamble, Director of Product Marketing, Corelight

This summer Corelight hosted a virtual CTF tournament where hundreds of players raced to solve security challenges using Zeek data in Splunk and Elastic. After the preliminary rounds, we invited the top performers back for a champions round and crowned the tournament winners.

Missed the tournament? You can still sign up to compete in one of Corelight’s bi-monthly CTF games here:

Here are the winners of Corelight’s summer CTF tournament:

Zander Work – 1st place

How did you hear about Corelight CTF?

Vlad Sokol from Corelight reached out to me about it to share it with the OSU Security Club.

Can you tell us about your security background?

I’m about to enter my senior year of undergrad at Oregon State University studying CS with a focus on cybersecurity. I’ve worked in the cybersecurity field since 2014/2015 with a couple of internships in high school, and I’m currently working in the SOC at OSU as a student team lead on the network security and monitoring team.

Did you have prior experience with Zeek?

Yes! We have a large open source Zeek cluster monitoring a 100 Gigabit pipe on campus that’s been running for 4-5 years. And I went to BroCon when they announced the project name change to Zeek. I have lots of opportunities to do cool things with Zeek at work, which is a lot of fun. It’s an awesome tool, and I love using it. I’ve also been running it on my home network, and I’ve written some Zeek scripts and plugins as well.

How would you describe the security value of Zeek?

Zeek allows you to get tons of really good data about your network without having to do full PCAP, so you don’t have to have petabytes of disk space set aside. It’s also a good way to protect user privacy, especially in the university environment. Zeek allows us to reach a middle ground where we can do our job effectively to identify security threats in the environment, but students are able to maintain privacy. It’s one thing I really, really like about Zeek.

How would you compare Zeek vs. PCAP or Netflow as a security data source?

We use Zeek in conjunction with other types of log data, but when I look at Zeek data I already have the netflow data, DNS data, etc. Zeek also has the SSL log, which is awesome, especially if you’re using JA3. The only time I have to drill into application logs (beyond Zeek) is for HTTPS traffic, since I don’t get that URI or host information. It’s rare that I find myself looking at Zeek logs and thinking “oh I wish I had more information”. All of the Zeek protocol analyzers are really well fleshed out. There are only rare instances where I find myself wishing I had the full PCAP. For 99 percent of the time, Zeek logs are awesome (and PCAP is not needed).

The Zeek SSL log provides a lot of good information about certificates and encrypted traffic seen over the wire and gives information so you can pivot to find good versus bad traffic. JA3, the Zeek package written by John Althouse and his team at Salesforce, performs additional fingerprinting on SSL traffic, and they also provide a list of known fingerprints. For example, Firefox 78 on Windows has a specific JA3 hash, and so if you see that hash in your traffic you can assume it’s a benign client and not something that requires further investigation. If you see a weird JA3 hash or something the community has identified as bad, like a Cobalt Strike C2 certificate, then that hash is something you can easily drill down on even though the traffic is encrypted. There is a lot of metadata still being exposed in encrypted traffic that Zeek collects and analyzes.

Raven Demeyer – 2nd place

How did you hear about Corelight CTF?

I was invited by a friend. I’ve been participating in CTFs almost weekly now, especially in the last couple of months because there are so many online events. I really enjoy CTFs. Most of them I try to do in team format. Corelight’s was pretty fun.

Can you tell us about your security background?

I don’t have a formal cybersecurity background. I’m a physicist and nanotechnology engineer, but I’ve been taking some security classes recently, as cybersecurity and security have been a hobby of mine. This year I started my first job in cybersecurity.

Did you have prior experience with Zeek?

I didn’t have any prior Zeek experience before the Corelight CTF Tournament. Before the tournament I had to study for the final round, and I took some time to learn Zeek and the syntax. I also started looking up things like JA3, which is new to me and I find really fascinating. I know enough about cryptography, but I didn’t know about JA3, and it’s very useful.

JA3, along with HASSH, converts a lot of different data points into a single string that should be unique and makes connection fingerprints “human readable”. The concept of fingerprinting has existed for a long time, but I think it’s a really useful feature here. It’s not 100 percent reliable, as there are some edge cases, but for general analysis it’s going to be really fast to make some impressions based on JA3/HASSH fingerprint analysis.

How would you describe the value of Zeek data?

I really liked how intuitive it was, and I was impressed how it was possible to make assumptions based on analyses of the data. The inferences that were added by Corelight (Encrypted Traffic Collection), where you could analyze the traffic behaviors and add that on to the dataset, make it more intuitive for an analyst to see what’s happening. That’s pretty impressive and something I really like about it. Zeek has a pretty natural syntax, and it’s pretty fast to learn. I think it’s really useful in practice.
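As an added illustration of the JA3 and HASSH fingerprinting both winners describe (this is example code, not code from the original post or from the JA3/HASSH projects): it builds the canonical JA3 string from ClientHello fields and the HASSH string from SSH KEXINIT lists, drops GREASE values as one of the edge cases mentioned, MD5-hashes the result, and looks the hash up while walking constructed Zeek ssl.log records that carry the `ja3` field. The lookup table, its labels, and the uids and hostnames in the sample log are all made up for the demo.

```python
import hashlib
import json

def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) look like 0x?a?a with equal bytes; clients
    randomise them per connection, so JA3 drops them before hashing."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: TLSVersion,Ciphers,Extensions,Curves,PointFormats (decimal,
    dash-separated within each list, GREASE removed)."""
    lists = (ciphers, extensions, curves, point_formats)
    return ",".join([str(version)] + ["-".join(str(v) for v in lst if not is_grease(v))
                                      for lst in lists])

def hassh_string(kex, enc, mac, comp):
    """HASSH string: the client's KEXINIT lists, comma-joined, separated by ';'."""
    return ";".join(",".join(lst) for lst in (kex, enc, mac, comp))

def fingerprint(s: str) -> str:
    """JA3 and HASSH both reduce the canonical string to an MD5 hex digest."""
    return hashlib.md5(s.encode()).hexdigest()

# Constructed lookup table: made-up parameter lists with illustrative labels.
BROWSER_JA3 = "771,4865-4866-4867-49195-49199,0-23-65281-10-11-35-16-5-13,29-23-24,0"
KNOWN = {
    fingerprint(BROWSER_JA3): "benign: constructed browser profile",
    fingerprint("771,49195-49199,0-10-11,23,0"): "suspicious: constructed example",
}

def classify(ja3_hash: str) -> str:
    return KNOWN.get(ja3_hash, "unknown: review manually")

def triage_ssl_log(lines):
    """Walk JSON ssl.log records carrying the 'ja3' field the JA3 package adds
    and return (uid, server_name, verdict) for each."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if "ja3" in rec:
            out.append((rec["uid"], rec.get("server_name", "-"), classify(rec["ja3"])))
    return out

# Constructed ssl.log lines (uids and names are made up) for a stand-alone run.
SAMPLE_SSL_LOG = [
    json.dumps({"uid": "CUid1", "server_name": "example.com", "ja3": fingerprint(BROWSER_JA3)}),
    json.dumps({"uid": "CUid2", "server_name": "example.net", "ja3": fingerprint(
        ja3_string(771, [2570, 49195, 49199], [2570, 0, 10, 11], [2570, 23], [0]))}),
    json.dumps({"uid": "CUid3", "server_name": "example.org", "ja3": "0" * 32}),
]
```

Calling `triage_ssl_log(SAMPLE_SSL_LOG)` yields one verdict per record; the second record hashes to the same value as the "suspicious" entry only because its GREASE values were stripped first.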

Auner Moncada – 3rd place

How did you hear about the Corelight CTF?

A coworker of mine sent it by Slack. Another former coworker had heard of you guys and was trying to push management to purchase gear from you guys.

Can you tell us about your security background?

Most recently, I was a SIEM engineer at Norfolk Southern Company. This included everything from the design of the infrastructure to the actual implementation and onboarding of multiple data sources. My security passion lies in penetration testing, as I spend a lot of time playing CTFs and breaking vulnerable machines and VMs and such. I just like the competitive nature (of CTFs) and the learning aspect. I try to learn something new all the time.

Editor note: You can find him on LinkedIn here:

Did you have prior experience with Zeek?

Yes, I’ve worked with Zeek log data as a security analyst, using Sguil to comb through Zeek datasets.

How would you describe the security value of Zeek?

The output of Zeek is a lot of valuable information. It’s easily digestible for analysts to look through, correlate via connection IDs and get to the point of being able to identify a threat or malicious activity.

How would you compare Zeek vs. PCAP or Netflow as a security data source?

Zeek has a way of summarizing information, but also presenting enough information so you can quickly comb through and correlate. Unlike PCAPs, with Zeek you don’t have to spend time filtering out too much information, and you can paint the picture of what happened. Netflow? It tends to summarize information a bit too much.

*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by John Gamble. Read the original post at: https://corelight.weblog/2020/09/15/meet-the-corelight-ctf-tournament-winners/
