Team Mint Security participated in the BOTS, or BOSS of the SOC, event which took place in Helsinki on the 13th of March. BOSS of the SOC is a Capture-the-Flag (CTF) event using Splunk technology in an environment with a huge amount of data. The participants then use Splunk to complete a variety of SOC-related questions and tasks.

BOTS is about the Blue Team

Unlike many other CTF events, BOSS of the SOC is about the Blue Team rather than the Red Team. This means you play on the defenders' side of the table to find out about various cyber attacks instead of being the attacker. As the event progresses, the questions and challenges become more and more complicated. Many external sources of information and tools must be utilized. The correct answer may be hidden in a binary attachment inside an SMTP stream. Of course you must first find the right SMTP stream…

The team

The Mint team consisted of Teemu, Saku, Putsi and Thomas. In the team, only Putsi had any kind of previous CTF experience, and only Teemu and Thomas had experience with Splunk longer than “a couple of weeks”. With typical Finnish modesty we arrived with a winning mindset, but when it turned out that there were a total of 14 registered teams – and some were even organized as primary and secondary teams – we had to back off just the slightest.

Team Mint at BOTS 2019 Helsinki

The event

Quite soon we were on top of our game and the team posted tips to each other back and forth in Slack. Each team member contributed to the winning points, but in many cases cooperation and coordination was the key to finding the right answer. Nobody took the time to have snacks during the event. We ended up third overall. Two Swedish teams took first and second place – according to strong rumors, they came to Helsinki to improve on and “rematch” a previous BOTS event. We can conclude that we lost in the international series, but as far as Finnish competitors go, we took first place. We take serious pride and joy in that :)
BOTS results top 10 teams
BOTS timeline for results

Lessons learned

In the aftermath of the BOTS competition (and with a bottle of high-quality French red wine), we all concluded that we learned more during this event than we normally would over several months in our regular line of business. Ultimately, a CTF competition as a Blue Team differs significantly from our everyday work. We work with architectures, situational pictures, dashboards and alarms, and those are the things that produce indicators for Blue Teams. The work of the Blue Team itself begins when one of the indicators is triggered. Reacting to indicators and acting on triggered events was what this event was about, and that is why it is called BOSS of the SOC.
