BOTS vs. NetWars

Both are essentially the same type of competition. You have a time limit to collect as many flags (points) as possible, which pushes you up the leaderboard. With SANS (NetWars) there are different scenarios — forensics (DFIR NetWars) or Pen Test. Personally I prefer the second; the first is quite demanding if you don't have solid Windows knowledge (FOR508). That said, a good cheat sheet helps a lot. It's two hours total and a very intense experience — made even more so by the mix of people who do this every day and people seeing it for the very first time.

BOTS gave me a similar feeling. The difference is that it's partly a pitch for Splunk Enterprise Security and User Behavior Analytics. That said, even for beginners with a security background it's very good practice. The scenario is very complex — there's a huge amount of data and it's hard to make sense of it quickly. But without Splunk's magic it would be nearly impossible to manage. On one hand Splunk does a lot of pre-calculation for you; on the other, you need to know where to find things in the tool. And that, to me, is the biggest weakness. Click in the right place and the answer just falls out. No crafting complex SPL queries and refining them. Both approaches have their merits. But I feel like it oversimplifies the work to the point where it doesn't teach analysts to think. Splunk does all the thinking. And I don't think that's good. We're not yet at a point where we should hand detection solely to a tool.

I'll definitely want to keep taking part in both of these events — they give you real-world experience. And that's priceless!
