Attending a SANS conference for a training is a very rewarding opportunity, it is quite expensive but you receive the best quality training with very qualified instructors with a lot of experience. Having the training is nice and it usually comes with some additional bonus sessions, like SANS @Night talks, social night and the best Netwars Tournament, depending on the event there may be up to three different types, Core, Cyber Defense and DFIR.

I earned the Netwars Tournament coin after winning the Netwars Core Tournament version 4 in mid 2017.

That victory also earned me an invitation to attend Washington DC Cyber Defense Initiative (CDI) 2017 event to play at the tournament of champions.

At the CDI event, SANS made an intro event for champions only where we had the opportunity to know other champions and had pizza before the tournament. We received a t-shirt and a hoodie exclusive of champions.

Playing Netwars Core version 4 earlier this year was a good experience, the CTF engine is easy to use and the questions are very clear. The flags in most cases are easy to spot and the difficulty level starts from basic questions in the first two levels. Those first levels are played using a local VM and starting in level 3 the challenges are hosted by the SANS team.
The Netwars Core version 5 was completely redesigned for what other champions told me and now is based on a Star Wars scenario.

I went to the CDI event to attend an STI master class and once there changed my mind from playing Netwars Core version 5 and instead played Netwars Cyber Defense and earned the coin for winning.

This was the first time I attended an event where this type of Netwars was available. Cyber Defense is a fairly new modality of Netwars offered mainly in the U.S. apparently.

Netwars Cyber Defense is played totally local using a custom Security Onion VM and some Windows event log files. Similar to Core, it starts with challenges to test general systems and network knowledge in level one, then level two is about easy tasks and identification of malicious activities, level three is where the fun starts, where there are four different sets of challenges, two network security monitoring (NSM) oriented with a bunch of packet captures (pcap) files and sguil alerts and the other two are end point continuous security monitoring oriented (CSM) with different types of windows event logs (evtx) from several systems, all of the four sets are related to each other and have complementary information. There are hints in the CTF engine to help solve the tasks which I never used as those are also tiebreakers. In case of a tie the user with fewer hints used will win. The lower levels have lots of hints and getting to level three, there is only one hint per challenge. Level four is the last level and there are no hints at this level, but there are some spoilers which make it easier to solve than level three as it is shorter, the levels one and two could be solved within the first two hours at the most but the third level took a lot longer than any of the four, luckily you may take the VM back to your room and continue solving the challenges until the next night for the second day of the competition.

Both types of Netwars are quite enjoyable no matter if you do offensive or defensive security. However, Core is oriented to red teams and Cyber Defense to blue teams. I spend more time on the defensive side so playing Cyber Defense was like a day at work with no worries about the impacts of the intrusion, free drinks (most events I had attended have open bar but CDI had a two free drinks limit) and snack (CDI had nachos only, others had pizza, cookies, and some other cool stuff).

There are a few areas of opportunity in all Netwars types, the answers do not change, except after a version redesign so once you play it you have all the answers if you keep some notes (that’s why some scores jump from 0 to level 3 much faster than you can read the challenges in level 1 and unpack the VM). CDI core had different scoreboards for all those that had played already version 5. It would be cool to have a single set of hashes per event so at least you have to repeat the same attack or search to find the current event answer.

Cyber Defense can be played locally without any other user interruption but at least in version 4 of Core, starting in level three uses shared systems and there is nothing stopping other players to erase or modify a flag. It happened that several flags were removed multiple times causing delays to many, long after the SANS back-end staff restored them.

All in all, Netwars is an experience that worth attending and is free for those who attend a 5 or 6-day training at the conference. I will be looking forward to playing Netwars Core version 5 and Netwars DFIR.