We've spent most of this week putting everything back together after a week in Singapore for the Syscan conference there. I didn't get to sit in on any of the talks as we were either setting up or managing the Capture the Flag competition there for the entire conference but I heard good things about a lot of the talks (Dave Aitel from Immunity stopped by to check on the competition periodically and share a few details about the recent talks).
This competition added some new challenges for our infrastructure and allowed us to try out some new things as well. Everything went off without a hitch, thanks in large part to our sponsors and the excellent work of Thomas Lim at COSEINC. Special thanks are due to the sponsor of the CTF at Syscan, iSight Partners, who provided the prizes for the event as well as some support. Thanks also to Ben Nagy and Cédric Blancher, who killed a lot of time at the event with us.
The Event
The CTF event for Syscan was fairly similar to our previous exercises, with a few differences that made this event unique. This event had 8 teams participating (max 3 members per team); 7 of the teams were from Singapore (most from various technical schools on the island) and one team flew in from South Korea to participate in the event. The teams were scored as usual for our events: a combination of service availability and integrity, responses to provided tasks, and their ability to defend their networks against attackers. The big difference in this competition was that each team had one computer to use as their attacking computer, so each team had to defend their own network and attack the networks of the other 7 teams at the same time. Our competitions usually have the participating teams focus solely on defense (with a dedicated "Red Cell" team that attacks all the networks), but we decided to try something different for this one. Ostensibly each team had one attacker and two defenders at any given time (that was how many keyboards they had, though their resources could obviously be shifted as necessary).
The prize for this event, generously provided by iSight Partners, was S$10,000 for first place.
Challenges
This was the first event of this size and complexity that we've done internationally, so it presented a few new challenges for us. When we do our exercises in the US we usually set up the entire environment in our lab and test everything, then pack up the infrastructure and bring it with us to the location. This means that we've tested all the hardware and software and know that it's working (or, at least, that it was before we left). International shipping of that much gear (including routers, firewalls, servers, etc.) just wasn't practical for this event, so instead Thomas from COSEINC provided us with a set of very nice ESX servers on site to use for our servers, as well as 24 desktops rented in Singapore for the teams to use for the exercise. This also meant that we had to be doubly sure that we had all the servers and resources that we might need. Having someone at the office try to transfer a 6GB VM over the hotel's connection would not have worked out very well.
Language and culture were also an interesting issue for this event. Our setup (and specifically our documentation) is really written with an American mindset about the rules and how they'll be interpreted (mostly because that's what we are, and I don't know how to write in other people's mindsets). For this exercise not everyone spoke English (the Korean team had a translator to relay questions between the team members and us), and the culture in Asia is such that nobody wants to break any rules, or even potentially break any rules. We had a lot of teams asking very specific questions about what they were and weren't allowed to do (specific attacks they could use, closing ports, disabling services, etc.). Even when these things were spelled out in the documents we provided, because this was a competition many players would double-check just to make sure that it was correct.