I recently had the pleasure of attending the November 15 Splunk Boss of the SOC (BOTS) CTF event hosted by Cybersecurity Ontario and Splunk. The event organizers asked that we not share any details of the CTF scenarios; however, I will share my general experience at the event.
The BOTS event is a blue team capture the flag (CTF) event, although I would call it a defend the flag (DTF) event. The event was a full mock exercise with four attacker scenarios and our task was to investigate each scenario. The investigation was simulated through a series of questions. Answers to the questions were scored according to correctness and how quickly we answered. For an idea of the scenarios see the public dataset and instructions on how to acquire the question set for a past BOTS event.
The event was an in-person event and we were arranged into teams of four. We could form our own teams, and since I didn't know anyone else going to the event I formed a team with three other people whom I'd never met before. Since I initiated creating the team via the BOTS website, I dubbed ourselves team HeavyMetal 🤘, hoping this would attract some metalheads. Although this did not work, I did end up with a great team and we managed to place 5th out of 18 teams. Not bad, since this was the first time any of us had attended a blue team DTF event, although I did practice Splunk leading up to the event and my cybersecurity program teaches a similar tool called Sumologic.