SOC team from IT HUB Prague scored in the world championship of digital forensics and incident response
As the Security Operations Center of IT HUB Prague, we are celebrating a tremendous success this month. All thanks to Rafael, Šimon, Tomáš, Matouš and Nikolaos, who finished in 16th place out of 50 top-notch companies worldwide in the SOC X 2021 competition, the professional world championship in the field of digital forensics and incident response. Read the interview and find out more about their success.
Guys, congratulations once again. Can you share with us more about your day at the competition?
Šimon: The competition lasted 8 hours. At the beginning, the organizers ran three scenarios. Each of these scenarios kept unfolding more and more branches with tasks. The ideal scenario was to investigate all of them. In total, it was more than 400 challenges.
Nikolaos: These 3 scenarios were about 3 different machines, laptops, let's say. Each of them stated an initial question. After responding and completing the section, more sections about other devices and different technologies unlocked.
First, a laptop got infected by an e-mail attachment. Then the attacker pivoted the infection to another machine, started another attack, dumped the hashes, pivoted again, and compromised more devices. Response after response, more sections about further locked machines opened up. Usually, this kind of investigation takes more than a week to figure out. We only had 8 hours.
Rafael: Based on each task's difficulty, we were rewarded with a certain number of points. We also had a limited number of attempts to answer the questions correctly. Some tasks were designed as single-attempt questions for 100 points. Once we ran out of attempts in some scenario, the whole branch locked. It means you lose all the points that were behind the branch.
What was your strategy? Did you divide the tasks or solve everything together?
Tomáš: All the tasks were a post-mortem analysis. We all started the first scenario together. It offered us a question: "Person X has reported a phishing e-mail from person Y, can you find the e-mail?" We found the e-mail, and another question popped up: "Who else received the e-mail? Can you paste in the addresses of people from this company who also received it?" Once we did that, it opened multiple branches of tasks: "Look at the computer of this guy, did he open the e-mail, what did the attachment do, did he run it, etc.?" That's where we started dividing. Nikos, Šimon, and Rafael formed a team that was tackling one of the branches, Matouš was doing the second one, and I was doing the third one.
Have you come across some tasks you've never seen before?
Tomáš: One of the biggest challenges for us was that we used tools we don't use in NN. Instead, we used Kibana to search events, Moloch for monitoring and deep packet inspection, and Osquery, which is like a weird mix between a CMDB and an inventory. For example, in my scenario branch, I saw many things that I initially did not know how to solve. I had to improvise. But when you have a concept of how you think you should do it, you're able to work it out.
Šimon: We were thrown into the water of unknown tools, and we had to first learn how to use them. We thought they might be easy to use, but we could not find certain features, and we were struggling for quite a long time to get the correct information. For me, it took basically the first two hours.
Nikolaos: Generally, the most challenging was to use the syntax of these tools. The analyst mindset is still the same. Nevertheless, even the most difficult tasks and scenarios in this competition were challenging but still doable.
Was this contest also a possibility to team up and prepare for possible attacks like this in the future?
Nikolaos: Yes, of course. This challenge basically taught us to use new platforms and let us play with new challenges. Last but not least, it offered us lessons learned. One of the lessons was keeping better notes. We were moving pretty fast, but we missed some things due to the lack of notes. For me, it was very enjoyable to cooperate with the guys. I hope it helps us to be more successful in the future.
Tomá?: I am also very grateful that we can attend these competitions. We are not only allowed to do that, but we are also encouraged.
Are you planning to take part in more contests in the future?
Tomáš: We want to participate in the Capture the Flag competition. Right now, we are building a "dream team" for that. It will be me, Lukáš, Matouš, and most of the guys who attended the SOC X. We are also bringing in the Red team guys because the competition will be more complex.
I am looking forward to learning new things because guys from the Red team use a different approach. They are the attackers. We are the investigators. It will be nice to progress in the skills we already have.
Want to know more? Read the official recap from the competition on the blog of SOC X.