OpenSOC @ DEF CON 28 Safe Mode
Some of you may remember our last event, Camp COVID. That was the biggest event we had ever run.
UNTIL LAST WEEK: DEF CON 28
The stats speak for themselves... and so does the participant map above :)
8M Graylog queries
91K+ scoreboard submissions
150GB+ endpoint telemetry
10K+ osquery queries
20+ hours of content
GLOBAL participation: AGAIN. This was epic.
A remote DEF CON meant people from everywhere were jumping in, and we're stoked that we were able to have that kind of reach and participation.
Since DEF CON is a 3 day event for us, we've had luck in the last 2 years running 2 days of a general round, with finals on Sundays. In this case, we let the top 20 teams compete in the Sunday finals.
We opted to not run overnight, similar to last year. Most of the team was toast, and after some discussion, I think going forward we will adhere to the con hours in order to remain at all functional.
We know this was a bit disheartening to players participating in other time zones, but we are a tiny team, and we need sleep too. Especially since we had just come straight out of 4 days of Black Hat, and an IR prior to that.
This was heightened even more by the fact that we had Discord tickets coming in non-stop (to get approved on our network, for help with challenges, for kicking off Velociraptor hunts, you name it). I fear that with less sleep, those tickets would've gotten a lot more colorful.
We decided to use Discord this year. The con was already using it, BTV was using it, and we already use it internally for training events. SO. Naturally, it made sense to move OpenSOC events to it as well.
As I mentioned--there were tickets. Like 1500 of them. The YAGPDB bot handled all the things, and we had a process down for all of them coming in. It was just a matter of divide and conquer after that.
Easier said than done during some parts of the day(s), but we managed! :)
If you didn't get to make it to this OpenSOC event, you should probably just join our Discord anyway and get in on our future events :) Just sayin.
Scenarios & Validation
- to be validated after playbooks were run
- to have validation queries solidified and tested
- answers found/double checked/triple checked in the scoreboard
- regexes tested
And finally, huge kudos to our top teams!
And our top 3 solo players!
- Milagros Coldiron
We hope you all had a great time. We love running OpenSOC--it is really a labor of love for this team, and it takes a lot of it.
We thrive on giving back to a community that has provided us with so much of what we use and rely on, so thank you for helping us continue to grow that. Especially during a year as crazy as this one.