
Elastic Security: Capture the Flag

This week we attended the Elastic Security Capture the Flag for Partners webinar. Elastic has set up an introduction to Elastic SIEM and Elastic Security in a fun but interesting way.

After the introduction to Elastic and a more in-depth look at Elastic Security, including a short demo, it was time for the game.

The challenge

First we needed to register and form a team to compete against the other teams. The battlefield consisted of 11 teams of 4 people each, so some serious competition. The challenge comes with a pre-installed Elastic environment, loaded with data that you analyze to detect the security risks and solve the questions.

The challenge took one hour, in which we had to solve 27 questions. Each question earns 10 points; asking for a hint costs 5 points. During the game you have to solve questions from different categories (all security-related; several are named after MITRE ATT&CK tactics), for example:

  • Elastic Security
  • Credential Access
  • Execution
  • Command & Control
  • Security Analytics
  • Initial Access

The biggest game changer

It is a game changer that information this critical to any business is at the fingertips of Dev, Ops, Sec and Business teams. Dashboards, alerts and the various views built by these separate teams all look at the same data from different angles. This speeds up investigation, analysis and incident mitigation tremendously.

Security data is neatly sectioned into:

Overview

  • Detection alert trends, stacked by a field of your choice
  • External alert trends
  • Events, split into network events and host events

Detections
Detected alerts stacked by a field of your choice; selecting a value immediately filters the detailed information below:

  • Hosts: the number of hosts, user authentications (successes vs. failures) and unique source and destination IPs.
  • Network: the number of network events, DNS queries, unique flow IDs, TLS handshakes and unique private IPs by source and destination.
  • Timelines: build timelines for later use and investigations; drag and drop fields from any of the panels mentioned above for quick filtering.
  • Cases: cases can be opened by authorized staff to report incidents, anomalies or suspicious activity. Security analysts can then investigate, update and report in one place without leaving the analysis space.
  • And last but certainly not least, every panel has the familiar search and filter bars for quickly narrowing down to the issue you are investigating.
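To make concrete what the Hosts and Network panels are counting, here is an added example (not code from Elastic or from the CTF environment) that recomputes those KPIs locally from a handful of constructed ECS-style documents. A dotted-field lookup stands in for the search bar, a count per field value stands in for the stacked Detections histogram, and a small failed-login check shows the kind of Credential Access question the game asks. Field names follow the Elastic Common Schema; the hosts, users, IP addresses, community IDs and the threshold of three failures are all made up for illustration.

```python
"""Hosts/Network KPIs and a stacked-by-field view, recomputed from ECS-style events.

Added example, not code from Elastic or the CTF environment. Field names follow
ECS; the documents, addresses and the failed-login threshold are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Builders for constructed ECS-style documents (authentication and network events).
def auth_doc(host, outcome, user, src, dst):
    return {"host": {"name": host}, "event": {"category": "authentication", "outcome": outcome},
            "user": {"name": user}, "source": {"ip": src}, "destination": {"ip": dst}}

def flow_doc(host, proto, community_id, src, dst):
    return {"host": {"name": host}, "event": {"category": "network"},
            "network": {"protocol": proto, "community_id": community_id},
            "source": {"ip": src}, "destination": {"ip": dst}}

EVENTS = [  # constructed sample data: two hosts, one burst of failed logins, a few flows
    auth_doc("web-01", "success", "alice", "10.0.0.5", "10.0.0.20"),
    auth_doc("web-01", "failure", "root", "203.0.113.7", "10.0.0.20"),
    auth_doc("web-01", "failure", "root", "203.0.113.7", "10.0.0.20"),
    auth_doc("web-01", "failure", "root", "203.0.113.7", "10.0.0.20"),
    auth_doc("db-01", "success", "bob", "10.0.0.6", "10.0.0.30"),
    flow_doc("web-01", "dns", "1:aaa=", "10.0.0.20", "10.0.0.53"),
    flow_doc("web-01", "tls", "1:bbb=", "10.0.0.20", "198.51.100.9"),
    flow_doc("web-01", "tls", "1:bbb=", "10.0.0.20", "198.51.100.9"),  # same flow, 2nd record
    flow_doc("db-01", "tls", "1:ccc=", "10.0.0.30", "198.51.100.9"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def get(doc, field, default=None):
    """Resolve a dotted ECS field name such as "event.outcome" in a nested document."""
    cur = doc
    for key in field.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def filter_by(events, field, value):
    """What the search/filter bar does: keep documents where field == value."""
    return [e for e in events if get(e, field) == value]

def stacked_by(events, field):
    """What the stacked histogram does: count documents per value of a field."""
    return Counter(get(e, field, "(missing)") for e in events)

def distinct(events, field, keep=lambda v: v is not None):
    """Cardinality of a field, optionally restricted by a predicate on the value."""
    return len({get(e, field) for e in events if keep(get(e, field))})

def is_rfc1918(ip):
    """Private in the RFC 1918 sense; explicit because ipaddress.is_private also
    treats documentation ranges such as 198.51.100.0/24 as private."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def host_kpis(events):
    """The Hosts panel: host count, authentication successes/failures, unique IPs."""
    auth_events = filter_by(events, "event.category", "authentication")
    return {
        "hosts": distinct(events, "host.name"),
        "auth_success": len(filter_by(auth_events, "event.outcome", "success")),
        "auth_failure": len(filter_by(auth_events, "event.outcome", "failure")),
        "unique_source_ips": distinct(events, "source.ip"),
        "unique_destination_ips": distinct(events, "destination.ip"),
    }

def network_kpis(events):
    """The Network panel: event count, DNS queries, flow IDs, TLS handshakes, private IPs."""
    net = filter_by(events, "event.category", "network")
    return {
        "network_events": len(net),
        "dns_queries": len(filter_by(net, "network.protocol", "dns")),
        "unique_flow_ids": distinct(net, "network.community_id"),
        "tls_handshakes": len(filter_by(net, "network.protocol", "tls")),
        "unique_private_source_ips": distinct(net, "source.ip", is_rfc1918),
        "unique_private_destination_ips": distinct(net, "destination.ip", is_rfc1918),
    }

def failed_logins_by_user(events, threshold=3):
    """Credential Access style check: users with at least `threshold` failed
    authentications, with the source IPs and hosts involved (threshold is assumed)."""
    failures = filter_by(filter_by(events, "event.category", "authentication"),
                         "event.outcome", "failure")
    ips, hosts, counts = defaultdict(set), defaultdict(set), Counter()
    for e in failures:
        user = get(e, "user.name", "(unknown)")
        counts[user] += 1
        ips[user].add(get(e, "source.ip"))
        hosts[user].add(get(e, "host.name"))
    return {u: {"failures": n, "source_ips": sorted(ips[u]), "hosts": sorted(hosts[u])}
            for u, n in counts.items() if n >= threshold}
```

Calling `host_kpis(EVENTS)`, `network_kpis(EVENTS)` and `failed_logins_by_user(EVENTS)` on the constructed data gives the Hosts and Network numbers and flags `root` with three failures from a single external address; `stacked_by(filter_by(EVENTS, "event.outcome", "failure"), "user.name")` is the same drill-down you would do by clicking a bar in the stacked alert chart. The flow ID is deduplicated deliberately: two records of one `network.community_id` count as one flow, which is why "unique flow IDs" and "TLS handshakes" differ.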

Conclusion

Our team did not complete all the questions; we solved 60% of them. This game is a good way to introduce you to the world of Elastic Security / SIEM and to what the product can do for your organization. If you work in a SOC team or your organization already has an Elastic subscription, this game comes highly recommended. You get a good understanding of the product and you have fun, the best way to learn new stuff.

More information 

If you are interested in more information or want to see what this game can do for your organization, don't hesitate to contact us.