The Blue Team Village (BTV) CTF is a cyber defense Capture the Flag inspired by a mix of trending nation-state actor kill chains and at least one custom insider threat story. You are an incident responder tasked with investigating the recent attacks against our fictitious company, Magnus Tempus Financial. Since Magnus Tempus Financial made a vital acquisition expanding its precious metals portfolio into oil and gas operational technology (OT), you will also investigate their OT environment.
Magnus Tempus does not have a security team. One sysadmin is security conscious and tried to set up a few tools. You have Linux and Windows logs in a SIEM. Some indexes have parsing issues, so only some of the expected fields are populated; regex against the raw message may be helpful. In addition, Arkime, the network monitoring tool, is not working correctly. You can issue queries, but you won't be able to view the packets themselves. Session metadata fields will still populate, and you can always export the matching sessions as PCAP!
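As an added example of the regex hint above (not part of the CTF materials or its SIEM), the block below recovers fields from raw Linux sshd auth log lines whose parsed fields are missing, then runs a simple failed-then-accepted check over them. The log lines, hostname, usernames and IP addresses are constructed samples, and the field names (`src_ip`, `user`, `result`, and so on) are assumed, chosen to mirror what a SIEM index would normally have extracted.

```python
"""Regex field extraction for a SIEM index whose parser dropped fields.

Added example; the log lines are constructed in the standard OpenSSH auth.log
format and are not taken from the CTF dataset.
"""
import re
from collections import Counter

# Constructed sample lines (hostname, users and IPs are made up).
SAMPLE_AUTH_LOG = """\
Aug 11 10:31:02 mtf-jump01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 11 10:31:04 mtf-jump01 sshd[2231]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Aug 11 10:31:09 mtf-jump01 sshd[2240]: Failed password for svc_backup from 203.0.113.5 port 51251 ssh2
Aug 11 10:32:15 mtf-jump01 sshd[2251]: Accepted password for svc_backup from 203.0.113.5 port 51260 ssh2
Aug 11 10:40:00 mtf-jump01 sshd[2301]: Accepted publickey for ubuntu from 10.10.2.15 port 40022 ssh2: ED25519 SHA256:abc
Aug 11 10:41:00 mtf-jump01 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One pattern covers both outcomes. Named groups stand in for the SIEM field
# names the index was expected to provide (assumed names, not the CTF's).
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)"
)


def parse_sshd_auth(raw: str) -> list[dict]:
    """Return one dict per sshd authentication event; other lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue  # not an sshd auth line (e.g. CRON), nothing to extract
        ev = m.groupdict()
        ev["invalid_user"] = ev.pop("invalid") is not None
        ev["src_port"] = int(ev["src_port"])
        events.append(ev)
    return events


def failed_then_accepted(events: list[dict], threshold: int = 3) -> dict[str, list[str]]:
    """Flag source IPs that log at least `threshold` failures and then an
    Accepted login from the same IP. Returns {src_ip: [accepted usernames]}."""
    failures: Counter[str] = Counter()
    flagged: dict[str, list[str]] = {}
    for ev in events:  # events are already in log order
        ip = ev["src_ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            flagged.setdefault(ip, []).append(ev["user"])
    return flagged


if __name__ == "__main__":
    evts = parse_sshd_auth(SAMPLE_AUTH_LOG)
    for e in evts:
        print(e["ts"], e["result"], e["user"], e["src_ip"], "invalid" if e["invalid_user"] else "")
    print("suspicious:", failed_then_accepted(evts))
```

The same named groups translate directly to a SIEM's regex extraction over the raw message field, so once the pattern is tuned on a few lines here it can be pasted into the search rather than re-derived at query time.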
The CTF challenges contestants to leverage diverse cyber defense skills, including Incident Response, Forensics, and Threat Hunting. Host and network telemetry are required to solve all the flags.
BTV’s Project Obsidian crew developed the CTF to allow anyone, regardless of skill or knowledge, to participate and sharpen their cyber defense skills. The intended audience is those new to cybersecurity and those in the field for a year or two. We recommend creating or joining a team if you are new to cyber defense. Experienced cyber defenders should be able to complete the CTF reasonably fast; either way, we hope you have a great time!
We believe in the idea of choosing your own adventure. As a result, participants can download a copy of the required evidence (logs, packets, etc.) or log into either of the two SIEMs we provide to hunt on.
We highly recommend participating in BTV’s Project Obsidian workshop sessions if you are new to cyber defense. The sessions cover many of the topics in the CTF and will help you along the way!
CTF DATES and TIMES:
Friday 11th: (Opens) 10:30 PDT – 18:00 PDT
Saturday 12th: 10:00 PDT – 18:00 PDT
Sunday 13th: 10:00 PDT – 12:00 PDT (Closes)
IMPORTANT URLS
CTF URL
https://ctf.blueteamvillage.org/
SIEM, ARKIME, CREDS & MORE INFORMATION
https://github.com/blueteamvillage/Project-Obsidian-DC31
DATASETS
https://media.blueteamvillage.org/DC31/
We HIGHLY recommend you download this data before DEF CON.
The CTF datasets are organized as follows:
PUBLIC_DATASETS_A.7z (Velociraptor and Raw Logs)
PUBLIC_DATASETS_B.7z (PCAPs-A)
PUBLIC_DATASETS_C.7z (PCAPs-B)
PUBLIC_DATASETS_D.7z (PCAPs-C)
PUBLIC_DATASETS_E.7z (PCAPs-D)
When extracted, you will have over 64 GB of PCAPs!
Remember, you also have Arkime!
NOTE:
The CTF crew will release the password for the dataset archives on Friday, August 11th at 10:00 PDT.