Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Introducing New XSOAR Capture the Flags!

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Community Team Member

Title_Introducing-New-XSOAR-Capture-the-Flags_palo-alto-networks.jpg

 

This blog written by by Sasha Sokolovich.

 

 

Introduction

 

Does the game of capture the flag bring back childhood memories?

 

Well, we have infused the fun element of the game into our capture the flag (CTF) content packs which take you on an interactive “treasure hunt” in Cortex XSOAR.

 

How Are Capture the Flags Used in Cybersecurity?

 

CTF challenges are cybersecurity competitions where participants tackle hands-on tasks, solving security-related puzzles and navigating through simulated scenarios to capture "flags." These flags represent sensitive information, and these exercises allow participants to showcase their prowess in areas like penetration testing, cryptography, and incident response.

 

CTFs can bridge the gap between theory and practice. Participants not only learn about cybersecurity concepts but also apply that knowledge to solve intricate problems. This approach cultivates problem-solving skills, critical thinking, and adaptability – crucial attributes in the ever-evolving field of cybersecurity.

 

Introducing the XSOAR CTF Playbooks

 

In this case, participants explore Cortex XSOAR as security analysts investigate and respond to an incident.

 

Since XSOAR delivers SecOps automation through its playbooks, which are automated sequences orchestrating security processes, we built these CTFs using playbooks. As participants navigate through the CTFs and tasks that mirror the complexity of real-world incident investigations, they will understand the underlying structure and components associated with building automated workflows. The modular and extensible nature of XSOAR playbooks empowers users to tailor challenges to specific learning objectives.

 

Preparing for the XSOAR CTF Challenge

 

Each CTF content pack comes with a playbook guiding you through setting up the CTF for your participants. This playbook ensures that your environment has all the requirements enabled to run your CTF.

 

Our CTF contains two different challenges:

 

  • The first CTF challenge walks participants through XSOAR 8, SaaS version
    For many customers, XSOAR 8, released in Jan 2023, is built on a new unified Cortex architecture and is a fully cloud-native SOAR solution. The CTF tasks guide the user through the system, introducing them to the key features of XSOAR.
  • The second CTF challenge allows participants to wear an analyst’s hat and investigate an incident using XSOAR
    Our mission with this CTF is to acquaint analysts with using XSOAR to respond to incidents, including identifying the type of malicious indicator detected in the incident, related indicators associated with the same campaign, severity of the attack, etc.

 

Fig 1: One of the gifs in the CTFsFig 1: One of the gifs in the CTFs

 

Using the CTF Content Packs

 

First, you need to download the Capture The Flag 01 pack. In this pack, you will find the following playbook that will assist you in preparing your environment and setting up. The playbook name is - “Prepare your CTF”

 

Fig 2: Prepare your CTF playbookFig 2: Prepare your CTF playbook

 

You may run it as an incident or directly from the Playbook debugger section

 

Fig 3: Running the Prepare your CTF playbookFig 3: Running the Prepare your CTF playbook

 

The playbook will guide you through the setup tasks, including integrations and other settings required. In the example shown below, two missing integrations need to be enabled. You need to navigate to your integration tab in XSOAR to configure the integrations.

 

Fig 4: Missing integrationsFig 4: Missing integrations

 

The end goal is to run this playbook without any stops or errors until you reach the final task which informs you that you are set.

 

Fig 5: Successful playbook runFig 5: Successful playbook run

 

Starting the CTF

 

To start interacting with the CTF, run the first CTF playbook by creating a new incident with the following playbooks - “CTF 1 - Get to know XSOAR 8”.

 

As a part of the game, participants will be required to search for clues (or flags) throughout XSOAR (such as in integration settings, reports, or playbooks). They will answer a series of questions related to their quest and the playbooks will prompt them with the correct answers.

 

Fig 6: Sample task in CTF with promptsFig 6: Sample task in CTF with prompts

 

If a participant gets stuck on a specific task, they can use the hint option to get a quick hint about the flag. If their answer is incorrect, they can re-run the task and check their answer as many times as they like - although this being a competition, there is a timer to determine who is the fastest at retrieving all the clues or flags.

 

Scoring Progress

 

The pack allows you to run this game for multiple users on the same tenant while providing a dashboard where you can see their progress.

 

Fig 7: Scoreboard using XSOAR’s incident dashboardFig 7: Scoreboard using XSOAR’s incident dashboard

 

Using this dashboard, you can track who finished the CTF and sort it by completion time (to determine the winner of the game). Note: An SLA timer starts when an incident is triggered.

 

Interested in trying it for yourself? Join us for a free CTF event and pit your skills against your peers while learning how a SOAR solution automates the incident response process.

  • 3565 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels