Boss of the SOC: Capture-the-Flag as a Recruitment Tool
On the evening of July 17, 2023, hundreds of cybersecurity professionals milled about a ballroom in Las Vegas—grabbing snacks and beverage refills, chatting with colleagues and checking out the swag on tables in the back of the room. The atmosphere in the room was jovial, anticipatory.
At 8:00 p.m., though, the mood changed as the attendees shifted their attention to their computer screens with a singular goal in mind: To become the Boss of the SOC.
Boss of the SOC, informally known as BOTS, is a capture-the-flag competition held at Splunk’s .conf. Participants in any capture-the-flag event will search for text strings, or flags, hidden in applications and websites. The goal of a capture-the-flag competition is multi-tiered: It allows seasoned cybersecurity professionals to hone their skills, offers those new to cybersecurity a chance to show off their skills to potential employers, acts as a recruiting opportunity for organizations hoping to add to their cybersecurity team and, specifically for the BOTS competition, it is a chance for Splunk to show how its products work.
Although capture-the-flag competitions have been around for a while, Splunk introduced its version at its 2015 conference. It got its start because Ryan Kovar, now distinguished security strategist and leader of SURGe at Splunk, wanted to avoid booth duty. That first event was really a fly-by-night operation: A few dozen people showed up for credentials and then spent the rest of the conference in their hotel rooms playing on their computers.
“The next year, they were told they couldn’t do that because people were playing BOTS during .conf rather than attending sessions,” said Tom Smit, principal security strategist at Splunk and current coordinator for BOTS. Starting with that second competition and every year since, except for the pandemic interruption, BOTS has been held on the opening night of the conference and is a timed event. In 2019 there were 1,000 competitors. This year, there were about half that number working in teams of no more than four people or competing as individuals.
Competitions Based on Real-Life Events
When designing each year’s game, Smit tries to keep the theme topical, based on the latest cybersecurity threats. One year the theme was the Log4j threat; another time, it focused on unpatched Microsoft vulnerabilities. This year, BOTS partnered with Okta, which was the victim of a source code hack last year, and the game showcased multi-factor fatigue. (This may have been the one thing in 2023 that didn’t focus on or feature generative AI, but Smit admitted that was because ChatGPT didn’t burst onto the scene until after planning and coding for this year’s competition was already in place. “I had a small moment of panic when one of my team jokingly said that he put all the questions and answers in ChatGPT to see what would happen,” said Smit. “Three months before we’re set to launch the event and all the answers would have been on the internet.”)
Smit and his team also added in Easter eggs and intentional mistakes (Smit said his team added a typo to see if anyone would discover it). The answers to some questions are pretty obvious (e.g., What is the name of the company that runs the game you’re playing tonight?), but there are others that require a great deal of digging and thinking outside the box to get right (e.g., a character Smit created just for the game and his fake record album were answers).
Beyond the Ballroom
For a few hours on that Monday night, that Las Vegas ballroom was the center of the action. But BOTS isn’t a once-a-year event. Splunk has incorporated BOTS into its educational material online and all of the workshops run by the company are based on BOTS competitions. They are also run on college campuses and within organizations, and are sometimes community based. And these competitions are leading to opportunities to close the cybersecurity skills gap.
For example, a financial institution in Toronto held an open invite competition based on BOTS, and 400 people showed up. The institution used the results as a recruiting tool. In another competition, held internally by a company, the most points were scored by a person working at the IT help desk. Leadership took notice and that person was quickly put on track to a career in the SOC.
BOTS competitions have also opened up the cybersecurity field to women and other underrepresented voices. It wasn’t that women were excluded from the competitions, but they didn’t feel included. Kovar, who began the initiative for women-centric BOTS competitions, said it creates a space for women to talk about cool tech stuff and show off their skills, but without the heavy emphasis on competition. It is a place where they feel safe asking questions, said Kovar.
“When you’re inclusive to one person, they often bring a friend,” said Kovar.
And when they bring a friend, the world of cybersecurity begins to open up. BOTS and similar competitions are driving interest in cybersecurity careers, and that’s a good thing for the future of the industry.
“We originally just thought this was going to be a game,” said Smit. “I never thought that people would use it as a recruitment tool.”