We just did a quick interview with Andre about creating blue team challenges. He has already created “PDF Analysis” and “Suspicious Browser Extension” on LetsDefend. People really like these challenges.
Can you introduce yourself?
Andre: Hello, my name is Andre. I am a 2020 Cyber security graduate from the UK. I’ve previously worked as a threat hunter and currently I have been working as a SOC analyst for almost a year now. I have also produced red team and blue team challenges for various platforms.
Why the blue team?
Andre: I originally started out red teaming and did enjoy it. However, I was always intrigued by the tools and techniques defenders and analysts used to detect attacks. I also wanted a more balanced view of security and believed that by learning blue teaming it would enhance my red teaming knowledge to weaponize into stronger attacks. For example, whenever I would launch a payload or some attack, I would always wonder: “How do the other guys detect and mitigate against this?” “Is there any way I can make my attacks stronger? Why did this payload not work? And how did they detect and prevent my attack?” When I started learning blue teaming I fell in love with the forensic and analytical processes and tools. That’s when I decided to permanently transition. Blue teaming really teaches me the science of why and how in the security world; it is like a crime mystery puzzle that one needs to put together and the feeling of piecing it all together feels satisfying.
How to create a challenge for blue team members?
Andre: When it comes to making a challenge you need to allow your curiosity to drive your ideas. For example, I asked myself: “What makes a browser extension malicious?” At the time I had no idea how browser extensions even worked but I wanted to. So I began watching YouTube videos of people explaining the basic functionality of browser extensions. This then led me to research past malicious browser extensions and their various techniques. Browsing through the different extensions, my creative ideas began to flow and eventually I came up with the idea that I did. The point is, you need to read all about the techniques of this malware to get the creative juices going. Once the idea has been formed, experiment as much as possible in a virtual machine; download and analyse real samples if you need to. And if you don’t know how to analyse these samples then read lots of blog posts of how others have analysed them. Real samples can be found on websites like bazaar.abuse.ch/, malshare.com, theZoo (GitHub) and so forth. Definitely make sure you have experience with analysing malware and performing forensics before you start making anything though. You need to be somewhat experienced first.
Steps:
1. Form an idea using your research of pre-existing threats/malware/attacks
2. Learn the basics of how that technology works (e.g., how do normal browser extensions work)
3. Experiment in a virtual machine such as REMnux or FlareVM
4. Add some bad lines of code and obfuscate it using online obfuscators (your analysis of real samples should guide you on this step)
5. Write down some questions and answers
6. Get your friends to test the challenge and use any feedback for improving it.
Do you want to create a blue team challenge?
Do you want to introduce challenges that you think people will have fun with and learn new things from, and contribute to the community? You can use LetsDefend to bring your challenges together with the blue team community. You can reach us on the Discord channel to publish your challenges on LetsDefend without paying any fee: Join the Community