Over the course of the national competition on November 22-24, we collected more than 9TB of raw data, plus about 4TB of data for the regional events! One of the tools we used to help us deal with all that data was Splunk software.
I’ve had vast experience working with Splunk, from Managed Splunk Services customers at Hurricane Labs to building my own Splunk administration training, all of which has helped me use Splunk to enhance this event.
All the Data
In addition to the Google Drive audit data discussed in Part 3 of this series, we collected an enormous amount of data from the competition systems throughout the competitions. We’re currently working to make this data available for public release and research; we believe it may be one of the most comprehensive and complete data sets ever made available.
Once this is published, this dataset will be available for download on http://mirrors.rit.edu/cptc. I will be making this available as Splunk frozen buckets, which can be imported into your own Splunk instance and searched.
I’ll also be writing up instructions on how to use this data, as well as some write-ups from other Hurricane Labs employees on interesting findings they’ve located in the data over the coming months. This will be a great source of training data for identifying attacker activity by searching in Splunk.
Some of the data that will be made available includes:
- Linux Bash History
- Windows PowerShell command execution history
- Windows Security, System, and Application logs
- Suricata IDS logs
- DNS, HTTP, TCP, and UDP metadata via the Splunk App for Stream
- Regular snapshots of system state via system reporting tools (e.g., ps, lsof, and netstat on Linux hosts)
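As an added example of the import step mentioned above (this is not code from the post or from the CPTC project), the script below thaws a frozen bucket into a local Splunk index so it can be searched. It assumes SPLUNK_HOME is /opt/splunk, that an index named cptc already exists in indexes.conf, and that the downloaded buckets have been unpacked into ./cptc-frozen, one directory per bucket. Bucket directories follow Splunk's db_<latest_epoch>_<earliest_epoch>_<id> naming, which the script uses to confirm a bucket covers the competition window before copying it in; a frozen bucket keeps only its raw journal, so splunk rebuild is required to regenerate the index files.

```shell
#!/bin/sh
# Added example: thaw Splunk frozen buckets into a local index (not the post's own code).
# Assumed values (override via the environment): SPLUNK_HOME, INDEX, ARCHIVE_DIR.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INDEX="${INDEX:-cptc}"
ARCHIVE_DIR="${ARCHIVE_DIR:-./cptc-frozen}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 only prints the commands that would run

# Splunk names buckets db_<latest_epoch>_<earliest_epoch>_<id>.
# Print "earliest latest" so callers can check the bucket's time coverage.
bucket_bounds() {
    name=$(basename "$1")
    case "$name" in
        db_*_*_*) ;;
        *) echo "not a bucket directory name: $name" >&2; return 1 ;;
    esac
    latest=$(echo "$name" | cut -d_ -f2)
    earliest=$(echo "$name" | cut -d_ -f3)
    echo "$earliest $latest"
}

# Succeed when the bucket's [earliest, latest] range overlaps [from, to] (epoch seconds).
bucket_overlaps() {
    bounds=$(bucket_bounds "$1") || return 2
    earliest=${bounds%% *}
    latest=${bounds##* }
    [ "$earliest" -le "$3" ] && [ "$latest" -ge "$2" ]
}

# Copy one bucket into the index's thaweddb directory and rebuild its index files.
thaw_bucket() {
    src="$1"
    dest="$SPLUNK_HOME/var/lib/splunk/$INDEX/thaweddb/$(basename "$src")"
    if [ "$DRY_RUN" = "1" ]; then
        echo "cp -r $src $dest"
        echo "$SPLUNK_HOME/bin/splunk rebuild $dest"
        return 0
    fi
    mkdir -p "$(dirname "$dest")"
    cp -r "$src" "$dest"
    # Frozen buckets keep only rawdata/journal.gz; rebuild regenerates the tsidx files.
    "$SPLUNK_HOME/bin/splunk" rebuild "$dest"
}

# Thaw every bucket under ARCHIVE_DIR that overlaps the given window.
# The default window is the national competition, 22-24 November 2019 (UTC),
# expressed as epoch seconds; this is the example author's assumption.
thaw_window() {
    from="${1:-1574380800}"   # 2019-11-22T00:00:00Z
    to="${2:-1574640000}"     # 2019-11-25T00:00:00Z
    for bucket in "$ARCHIVE_DIR"/db_*; do
        [ -d "$bucket" ] || continue
        if bucket_overlaps "$bucket" "$from" "$to"; then
            thaw_bucket "$bucket"
        else
            echo "skipping $(basename "$bucket"): outside window" >&2
        fi
    done
}

# Usage: sh thaw.sh run [from_epoch] [to_epoch]; restart Splunk afterwards so the
# thawed buckets are picked up.
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    shift
    thaw_window "$@"
fi
```

Run it with DRY_RUN=1 first to see which buckets would be copied and rebuilt; after a real run, restart Splunk and search index=cptc over the competition dates to confirm the events are visible.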
We’ve seen some exciting research come from the 2018 dataset, such as this one on characterizing attacker behavior. I’m looking forward to seeing what else can be discovered with the new data we’ve collected from 2019.
Resources for Future Competitors
The fundamental mission of CPTC is education, and we want to do everything that we can to better prepare future competitors for success in the event.
To this end, we have done, or are planning, the following:
- Teams have been sent all of the written feedback we’ve collected on their performance. This includes report feedback, presentation feedback, and interaction feedback.
- Recorded presentations have been sent to the teams that participated in the national event.
- The competition organizers have had a half-hour feedback call with each team following the event.
- We’re looking to release examples of team reports, as well as some commentary, in the upcoming months. This will help everyone understand what makes an excellent pentest report, and we hope it will increase the overall quality of the submissions.
What else can you do? Glad you asked!
We try to be pretty open about the event and our goals (within reason, given that it’s a competition, after all). You can find out a lot of information about the CPTC event and our vision behind the events in our DEF CON 27 Packet Hacking Village talk.
The archived live stream of the 2019 National CPTC keynote, build team presentation, and awards ceremony is available, so make sure to check that out. There’s a ton of information about the banking environment and custom apps we built for this year’s event in this presentation.
Looking Forward to 2020
It’s been incredible watching the growth of this event over the past 5 years; it’s nothing short of amazing seeing this competition transform from a small regional gathering of a handful of upstate New York schools into the international competition that it is today.
We’ve been hard at work planning the 2020 event and building the fictitious company: Next Generation Power & Water. We’re partnering with some additional industry sponsors to help build this event and make it the most immersive CPTC competition to date.
If you have any questions about the event or want to help us out as a volunteer in the future, feel free to reach out to me @tomkopchak. You can also follow the CPTC competition on Twitter @NationalCPTC.
Finally, we’ll be giving a lightning talk about CPTC at the annual WiCyS conference in March. If you’re a woman in information security who is interested in helping form a team, talk to us then.