Lessons from the Arena: A Personal Review of Splunk’s Boss of the SOC Challenge from V1 and Beyond

Nate
5 min read · Aug 23, 2023

It all started at .conf 16, whispers of a Capture the Flag (CTF) competition that was going to take place during the conference. Those whispers turned into a known location and time to be there to participate, and that choice to be there changed what I became most excited about .conf for years to come.

Image owned by Splunk

.conf is Splunk’s annual user conference. It provides networking opportunities, product announcements and updates, and hundreds of customer-led breakout sessions ranging from platform-focused to cybersecurity-focused topics.

Boss of the SOC (BOTS) is Splunk’s blue-team-focused Capture the Flag competition, in which analysts answer questions across different scenarios as fast as they can to score points. The top three scoring teams at the .conf version of the competition are awarded trophies!

Who Are You? Why Should I Care?

That is a great and fair question and with that, I should introduce myself:

  • I’ve been involved in cybersecurity for 14 years
  • Splunk User/Admin/Architect for 12 years
  • Currently a Senior Threat Detection Engineer, previously a SOC Analyst and a member of the Incident Response Team
  • Love getting my hands dirty as I learn about new technologies, and Splunk’s Boss of the SOC (BOTS) is one of the best ways I have ever had the opportunity to learn by doing through the years.
  • I’ve participated in every BOTS competition at .Conf since the first version of BOTS.
  • Placed second at .conf 19 (BOTSv4)
  • Third at .conf 23 (BOTSv8)
.conf 23 BOTSv8 Third Place Team Photo
  • First in a BOTSv1 solo run
  • A SANS Lethal Forensicator
  • Awarded the BOTS Builder coin for my team’s integrity in disclosing what we thought were found answers for the upcoming BOTS competition on VirusTotal, but which were instead the publicly posted questions for a previous BOTS iteration
Left BOTS Builder Coin, Right SANS Lethal Forensicator Coin

But enough about me, let’s get into the meat and potatoes of it all. There are several reasons why I think BOTS is the best thing since sliced bread!

Capture the Flag Events Provide Opportunities for Skill Development

Let’s face it, training is expensive, and the opportunity to learn from a real breach isn’t happening every day (okay, hopefully it isn’t happening every day). BOTS offers a way to test your skills against real-world breach scenarios that could occur in your organization. From learning how to navigate Splunk Enterprise Security to respond to an incident, to automation and case management in Splunk SOAR, to this year’s Splunk APM (Application Performance Monitoring) section that lets investigators see what is going on with a web app and respond accordingly, the opportunities to get hands-on with Splunk’s product line are limitless.

James Brodsky, GVP Global Security Strategists at Splunk

Combine that with real-world attack scenarios against your supply chain, microservices hosted in the cloud, a multi-factor authentication (MFA) attack simulation, and even an exploit for a screenshot, and you have the perfect playground to detect and investigate numerous attacks. BOTS allows your analysts to get in, respond, and learn real-world techniques that can be brought back into their own environment afterward.

Ok, great, your analysts can learn a lot, but what else? Great question! Let’s move into:

Teamwork and Collaboration are a Must Much Like in Real World Investigation Scenarios

While BOTS can be played solo, the spirit of the competition comes from forming your team. BOTS offers an easy-to-use site to create and join teams; pair that with the Splunk Usergroup Slack and it’s easy to fill up your team of four! Then, during the competition, comes the fun part: breaking off into the scenarios and working through them!

But Nate, you just said collaboration! If we’re splitting off to go through scenarios, how are we collaborating? Well, that’s just it! The teams that score the highest work through the scenarios and take notes on a shared platform, just like in a real investigation. My team generally does this in a Google Doc so updates appear in real time. Pair that with either a Zoom call for a virtual competition or sitting near each other in person, and you can call out things you are seeing that others may have in their scenario.

Photo by Annie Spratt on Unsplash

You see, BOTS scenarios interweave and can share similar logs. At times you may be looking through something and find a hash or domain worth jotting down that could help someone in another scenario, just like in a real-world investigation. Again, the top-scoring teams are communicating and helping each other through the tricky questions to score points, and speaking of points, let’s talk about:

Capture the Flags Bring Out the Competitive Spirit in All

The BOTS competition is all about embracing the competitive spirit. With so many skilled participants vying for the top spot, it can be a great motivator to push yourself to excel. The desire to be recognized as the best is a powerful one, and it can inspire participants to work harder and smarter than ever before.

One of the great things about the BOTS competition is the potential for recognition and rewards for top-performing teams. Going for the podium, trying to achieve a personal high score, or simply the satisfaction of knowing you’ve achieved something great, there are plenty of incentives to give it your all.

.Conf 19 BOTSv4 Second Place Trophy

Participating in competitive events like BOTS can also boost one’s confidence and drive to improve their skills. By testing yourself against other talented individuals, you can gain a better understanding of your strengths and weaknesses. This can help you identify areas where you need to improve, and give you the motivation and focus to do so.

Ok, You Convinced Me I’ll Play, but How?

Well, I am glad you asked! Currently, BOTS day is scheduled to be August 30 or August 31 depending on your timezone. According to Splunk, the competition will be held:

And you can register at the BOTS Portal

If you’re unable to make either session, make sure you still check out the BOTS portal, where you can find many opportunities to learn and explore different scenarios using previous BOTS environments!


Written by Nate

Incident Responder, Splunk Architect, Malware Analyzer, Lethal Forensicator, general infosec enthusiast. Words are my own