Return to NetWars: Tournament of Champions

There’s an inherent thrill to hacking. When I find loopholes in the logic and end up somewhere I wasn’t meant to be, I feel the rush of a personal victory. But how can operators like me really know how we stack up against each other?

SANS NetWars competitions are one of the great arenas to see where your name stands on the leaderboard and to witness feats of problem solving from your peers. They are two-day Capture the Flag (CTF) tournaments that test quick thinking, problem solving, and a wide knowledge base of systems and vulnerabilities. As Ed Skoudis, the director of SANS Cyber Ranges put it, “For the cybersecurity community, the NetWars Tournament of Champions is like our Super Bowl.”

Last month, I took part in a SANS NetWars Tournament of Champions (ToC): an invite-only version of the CTF competition where winners of past SANS NetWars events power up their skills in a fun, multi-disciplinary, and collaborative environment. Let me walk you through how it felt to return as a champion. Spoiler alert: my team won.

Team Altus_BishopFox_and_Friends (I’m the one on the right). Photo credit: SANS NetWars

How it works

The most recent Tournament of Champions kicked off December 15 in Washington DC as part of the SANS Cyber Defense Initiative training conference. Over the course of six hours spread across two evenings, 288 players (including 118 returning champions) engaged in a hands-on, interactive learning scenario that stressed both offensive and defensive skills.

The event started with four levels of creative problem solving wrapped up in an entertaining scenario (e.g., blowing up the Death Star or capturing Willy Wonka’s Golden Ticket). NetWars offers players a chance to play solo or in teams, but since the scenarios can take an individual 30 hours to complete, grouping up is the way to go for serious competitors. Even when teamed up, only a small percentage of players make it through all four levels the first time they play a scenario.

If players do complete the scenario, they are dumped into a wild network known as Level 5 or Castle versus Castle. Here you must protect your team’s Linux and Windows server while attacking your opponents’ servers. Each team must maintain a total of eight services during this phase, and each of your services has at least one vulnerability that must be diagnosed and patched. Once a vulnerability is discovered, it’s a race to weaponize the exploit and launch it against opposing teams. Your team gets points for maintaining uptime on your critical services while simultaneously hacking into other teams’ servers and planting your scoring flag to steal points. When the scoreboard suddenly turns red to indicate that another team’s flag is on your service, it’s a mad scramble to kick out the attackers and restore your flag to preserve points.

Team_Altus_BishopFox_and_Friends at work. Photo credit: SANS NetWars

Humblebrag

This was the third NetWars ToC that my team (Altus_BishopFox_and_Friends) has won. The first time was in December 2018 with version 5 of NetWars, which was Star Wars themed. For the July 2019 ToC in Europe, SANS released version 6 with a Willy Wonka theme. (I love digging into the new SANS NetWars scenarios that come out every year.) After nearly completing that scenario at the European tournament, we prepped for three months to master its new puzzles for this most recent event. We wrote and tested a custom exploit framework that had integrated command and control. This system allowed for rapid exploitation, hardening, and management of opponent servers. The system also integrated with Slack to provide real-time notifications to address issues or claim opponent flags.

So when the chaos of Castle versus Castle hit in Level 5, we were ready for everything that came our way. Our team organized tasks by platforms and skill sets to maximize our time and avoid internal conflicts. We divided up the tasks of defending our castles, initial exploitation, and maintaining access to opponent servers. Having played together before, we knew each other's strengths and weaknesses and could communicate effectively throughout the event. Your heart rate really spikes when you start blocking out the rightful owners while they fight to kick you out of their system. Thanks to our system though, we could enjoy the cyber knife fights and friendly banter that come along with trading fire with competitors. We were thrilled with the results after the second evening and celebrated with the other teams. The networking and camaraderie that come after the dust settles is a truly valuable aspect of NetWars that doesn’t get enough of a mention.

The final leaderboard. Photo credit: SANS NetWars

Our golden ticket

It felt great to motor through the first four levels of problem solving and then burst out into the wild network and fight our way to the top at NetWars. But even more than that, it felt great to return to this community that introduced me to my teammates in the first place. There will always be new challengers elevating their skills to test us, and that’s good. It makes it worth returning to CTF competitions again and again.

My tips for the tournament

If you find yourself at a CTF, I recommend you keep these broader tips in mind during the flurry of the two-day event:

• Take notes! Always take and keep meticulous notes. Whether you are working on an engagement or playing a CTF for fun, notes will always come in handy. For NetWars, no matter how many challenges you play through and solve in each scenario, your system will start from zero the next time you play. The same scenario will be used for about a year, so warp back to where you left off by keeping good notes.
  
  
• Grow from the challenges. Solving a challenge isn't the end. If a challenge made you research a particular technology or tool, go back and research it some more after the event. The more you look under the hood of a particular technology, the better prepared you'll be when you see it again.
  
  
• Make friends at each event. I have a personal goal of making at least one new contact at each conference, training event, or tournament. Strike up a conversation, find a shared interest, and exchange contact information. You never know when that person’s experience or expertise might help you in the future. That is exactly how I met everyone on this winning team. These contacts are great resources when you're pushed up against a hard problem, and a great source of community as you learn and grow together.

The Altus_BishopFox_and_Friends team is a group of five hackers who met online at Capture the Flags and conferences: Nick Ippolito (@ippsec), Kyle Fiducia (@kfiducia), Eirik Nordbø (@enordbo), David Forsythe (@0xdf_), and me, Barrett Darnell (@pwneip).