November 17, 2020
What does it take to win a Search Party CTF? Not much. Just:
In this post, Team Shandyman and The Three Half Pints gives their perspective on competing in (and winning) a Search Party CTF.
-- Trace Labs Team
This article was originally published at: https://shandyman.online/blog/a-shandy-perspective-on-osint-search-party-ctfs/
The TraceLabs OSINT Search Party CTFs are a one-of-a-kind event, the type of event that the four of us love to take part in. They gamify the niche area of cyber security that is OSINT, and use that to help families in dire need. They offer prizes for folks who can find a lot of “flags” related to the missing person, and that draws the attention of hundreds (heck, even thousands) of competitors from across the globe. While the prizes are nice, it’s the families of the missing people who are the real winners from CTFs like this.
The numbers from these events really are staggering. Over 50,000 relevant pieces of intelligence accepted (3200 from the previous CTF alone), everything from names, to phone numbers, to passwords on the dark web. Everything and everyone contributes just a little piece towards finding missing people. Consider as well that these events are run by volunteers, and my oh my, you get a fantastic recipe for helping those in need. I can't stress enough how incredible these events really are, and as I’m sure you may have seen me write before, I recommend everyone become a part of this truly incredible community of people.
Our approach to these events is actually pretty straightforward. As someone near and dear to most of our hearts would say: “Keep it Simple” (Gordon Ramsay... who else?). The Shandymen take a divide-and-conquer approach to each and every CTF, and this allows us to cover a wide range of missing person cases. Dividing up the work allows us to uncover a treasure trove of information earlier than if we all focused on the same thing. We can allocate more time to “golden” missing people (individuals with a larger social media footprint), as statistically there will be more information readily available about that person.
We can take a psychological approach to each missing case as well. For example, it's a lot more likely that you will find more information regarding a 19-year-old male in America than a 55-year-old male in Australia. This is due to the reliance of the younger generation on the Internet, whereas someone a little older may not have much information online, having grown up without an online presence. It’s the younger people that we tend to focus our attention on first.
You might be surprised to know that the majority of the tools utilized by the Shandymen are just pieces of knowledge that we have picked up over time. Manually pivoting through social media profiles and Google Dorking (e.g. intext:"Missing Person Name" -missing) are, in our opinion, the best approaches to initially locate data on a person.
Other tools come into play in the next phase, where we expand the scope of our search on the missing person. Tools like Sherlock (https://github.com/sherlock-project/sherlock) and PhoneInfoGa (https://github.com/sundowndev/PhoneInfoga) can provide extremely useful information on a person in the event that you can find usernames or phone numbers for them!
Of course, it goes without saying that we have a number of custom tools as well. Stuff like Dark Web data extractors, SOCMINT correlation scripts and a special tool that we affectionately dubbed “ISeeYou”, all of which were developed over time as we took part in more and more OSINT CTFs. Over time, you start to see where automation may make your event a lot more efficient. It's all about building or finding tools to fit the needs/wants of your team.
Of course, this team wouldn't be as effective without some excellent communication. The Shandymen have worked together in every global CTF since 2019, constantly re-evaluating our strong and weak points. Shandyman’s strong point, for example, is scanning breached data wells and creating custom tools for the team to leverage. Each person contributes a ton of skills in their own way and it’s that strong bond we have that enables us to be incredibly efficient in every OSINT CTF that we take part in.
Peer review is absolutely vital in these events. If there is something you are ever unsure of: always, ALWAYS ask your team. Heck, sometimes they will have an opinion that switches on a lightbulb above your head and allows you to look at a flag from a different perspective. I can't stress enough how important the communication and rapport with teammates is. So if you are targeting the #1 spot in these CTFs: build a team around your relationships and strengths with other people. You won't be disappointed!
This is the most important piece of advice we can give. Remember that these events have been gamified to help missing people, and it’s this type of competition that you can have a lot of fun with. Have a laugh with your teammates, drink beer, chat on Discord and just have a great time being a part of something truly special like these CTFs. You will find yourself more relaxed, more focused and ready to find information.
That’s pretty much everything we have to offer on how to approach the TraceLabs OSINT Search Party CTFs for now! We have some tools available over on our GitHub page if you're interested: https://github.com/shandymen
Feel free to reach out to us on our website. We are happy to help you with any request you have!