Confrontation Positive Hack Days: hackers will not be bored


    Only a few hours remained before the Confrontation: the tension was rising, the time left for preparation was shrinking, and the hackers had already warned that they were ready for revenge and were gearing up for the fight. The defenders, however, look set to put up serious resistance. As is our tradition on the eve of the cyber battle, we are trying to find out what each side has in store, and the defense teams shared their strategic plans with us.

    Defense teams with their visors up


    Under the rules of the Confrontation, the hackers are opposed by teams of defenders and by expert security monitoring centers (SOCs). “The goal of the Confrontation is to pit the two opposing sides against each other in a more or less controlled environment and see which wins: targeted attacks or targeted defense. Industry experts (integrators, vendors, and those who perform the information security function on the customer side) have taken on the role of defenders and SOCs,” commented Mikhail Levin, a member of the PHDays organizing committee.

    This year, some participants have declared themselves openly, each representing their own company. So, meet the defense teams:

    • SPAN (national team of Servionika and Palo Alto Networks),
    • On Rails! (a team of information security experts, including IBM representatives),
    • Jet Security Team ("Jet Infosystems"),
    • GreenDef (CROC),
    • You shall not pass.

    SOC teams: Prospective Monitoring and False Positive.

    Practice Above All


    Each team has its own reason for taking part in the Confrontation. Some want to test their own products and services. For example, the On Rails! team, representing IBM and staffed by practicing in-house SOC experts, decided to try its hand at the Confrontation with solutions from the IBM Security portfolio. The SPAN team also plans to test a number of new products under combat conditions. “Within the information security practice at Servionika, a number of services are delivered under the security-as-a-service scheme. We have already accumulated some project experience in applying them, and we want to test a number of new solutions, including solutions from new vendors with whom we are currently discussing cooperation,” team member Askar Dobryakov shared his plans.

    In some respects, though, the goals of the attackers and the defenders coincide: both came to PHDays to test the strength of their teams and to exchange experience with fellow professionals. For example, the Prospective Monitoring team wants to test its capabilities, raise its technical readiness to repel attacks, and also understand which attack vectors it may be overlooking. For the False Positive team, the Confrontation is an opportunity to “assemble a team of people who care about information security and let them test their hypotheses.”

    Some of the participants are already veterans who successfully tried their hand at last year’s Confrontation. “Last year, half of our team consisted of employees of commercial and local monitoring centers. This year, a couple more legionnaires will join us. All the guys come with their own ideas and best practices, and we want to test that content in battle conditions, not only at the customer, but also in such a difficult, albeit artificial, situation where there are a lot of opponents and they all attack very actively at the same time,” said False Positive team member Vladimir Dryukov. Or take the CROC team, GreenDef. “We analyzed all the features of the 2016 Confrontation, worked on our mistakes, and are ready to repel the cyber attack with our close-knit team of defenders,” said Anton Golubkov, information security expert at CROC.

    The Servionika team is also impressed by last year and hopes the new tournament will be remembered for the excitement of the struggle, the complexity of the tasks, and the joy of victory. And of course, no one is ruling out plans to enjoy the game and chat with colleagues. Yuri Sergeyev, captain of the Jet Security Team, incidentally sees participation in the Confrontation as a kind of team building as well. “To find yourself under such concentrated fire as at the Confrontation is a very interesting experience. Besides, it is not often that you get to work in such a motley team assembled from all over the department and brainstorm a completely atypical creative task: how to protect our digital boundaries in the Confrontation,” he explains.

    The city under the dome



    The participants will be protecting a city in which a telecom operator, two offices, a thermal power plant and a substation, an oil company, and a railway company operate. The increasingly popular Internet of Things was not left out either: the organizers filled the city with various smart devices. In accordance with the rules of the Confrontation, the defense teams divided the objects of protection among themselves.

    The GreenDef team protects the office segment. Anton Golubkov comments on the team’s choice: “The office combines a large number of services and technologies, which gives us a lot of room for creativity and, as a result, practical experience in working through complex defense cases. From the intruders’ point of view, the office segment is one of the tastiest pieces of the pie, so the fiercest clashes will be there, which will undoubtedly add spice and gaming excitement.” SPAN also chose to protect the office, since it is closest to the tasks they face in real projects. “This is our standard object of protection, and it’s simply interesting to train in order to find out in the end whether we are missing something in our calculations,” says Denis Batrankov.

    The False Positive team will also join them and, in addition, will monitor the security of the telecom operator. “Last year we had a very interesting joint experience with a team of telecom defenders. We worked well together and found points of synergy, so we decided to continue the cooperation, but this year the circle of protected companies will be wider. The second infrastructure we have chosen is the office. By our feeling, it may be more vulnerable from the point of view of the insider factor,” Vladimir Dryukov shared.

    The office segment will also be supported by the Prospective Monitoring SOC team. The main object of protection for the Jet Security Team is the enterprises that produce and transport petroleum products. Railway security has fallen on the shoulders of On Rails!

    Preparing for all-round defense


    Almost all the teams agreed that every infrastructure facility would come under attack. The captain of the Jet Security Team believes that everything the hackers can reach will be under continuous attack. Vladimir Dryukov agrees with him: “As last year, there is a feeling that everyone will get hacked. The infrastructure is rich, and there are tricks and nuances everywhere. There is an industrial control system (ICS) segment, which is of great interest to researchers, as well as an office infrastructure segment. Plus, all of this is very closely interconnected, so a successful attack on one team of defenders will very quickly become a problem for the rest. The participants of the Confrontation, including the attackers, have enough time to test all their ideas in practice.”

    Anton Golubkov explains this by the fact that the city is a single organism with a large number of interconnections between its components, so attacks will be attempted on every object. According to his forecast, the office and banking segments will face the most massive attacks, since they can potentially serve as a base for attacks on the rest of the city’s infrastructure. As for attack patterns, Anton expects that attacks will first of all target publicly accessible resources such as web resources and wireless networks: “This will be the first frontier for an attacker to gain a foothold inside a trusted segment. After that, the hackers will likely try to gain privileged access to the infrastructure and use it to carry out destructive actions against key objects: the bank and the industrial enterprises with their automated process control systems.”

    According to the SPAN team members, the attack vector will remain the same as last year: “They will exploit vulnerabilities in web applications, using obfuscation and bypassing the FW and IPS. Having gained access to a vulnerable web server, the attackers will try to get from the DMZ into the local network.” “More likely, we are expecting typical behavior: port scans, vulnerability scans, and repeated brute-force attempts,” add Askar Dobryakov from Servionika and Denis Batrankov from Palo Alto Networks.

    The Jet Security Team expects classic network attacks, a search for vulnerabilities in the business logic of information systems, and probing of the security of web technologies. According to one of the members of the On Rails! team, massive scans and attempts to exploit vulnerabilities as quickly as possible will most likely be used. Maxim Korshunov, an expert researcher at the Prospective Monitoring company’s monitoring center, bets on the telecom and office segments, since their protocols and services are better known than those of the production segment. Aleksey Vasiliev, head of the Prospective Monitoring center, is sure they will have to deal with the classic kill chain scheme in various modifications.

    “Last year we withstood a frontal attack, when the opposing team repeatedly tried to break through the perimeter and get in through known vulnerabilities. We were attacked quite ingenuously, although massively and assertively. Now the profile of the attacking teams has changed a lot, and there is a feeling that the attacks will be slower, but at the same time more subtle and stealthy. This year I would like to see the opposite attack vector: sleeper bots on the network, insiders in the infrastructure, and so on. This will make the defenders’ work much harder and add dynamism to the Confrontation,” said Vladimir Dryukov.

    And almost all the defenders are confident that they will have to deal with various forms of social engineering. Whether all these forecasts come true, we will find out literally tomorrow.

    Secret weapon


    This year, the defenders will find themselves in harsh conditions of cost optimization, limited to a budget of 10,000 publi, the game’s currency, with which they can buy the required information protection tools from a local distributor or obtain the services of the monitoring centers. How will the participants allocate their budget? Nobody answered that question for us... But we still managed to find out a few things.

    For example, Anton Golubkov revealed that they plan to “control all points of interaction between components, ensure the integrity of the infrastructure and, of course, not forget about potential attacks on work laptops and social engineering.” Incidentally, to protect the infrastructure around the clock, the team will work in several shifts.

    The Jet Security Team relies on basic security systems, the proven classics, and has also prepared a number of specialized SCADA protection tools. The SPAN team, which chose a firewall, antivirus, built-in OS tools, and domain tools as its required means of protection, has a similar tactic. “As practice has shown, DLP systems, sandboxes, and anti-tamper protection systems are not particularly effective in this case, since the attackers use other attack vectors,” explains Askar Dobryakov.

    Alexey Vasiliev notes that, as the SOC team, they will have to take their cue from the defenders: “Let’s see what they choose; we will use everything the defenders provide from which we can get logs for our analytical systems.”

    Maxim Korshunov promises that their arsenal will include network- and host-level intrusion detection systems, anomaly analyzers, antivirus, network equipment, a vulnerability management system, and a threat detection system, some of them their own in-house developments. The On Rails! team lists security controls, intrusion prevention, and incident monitoring from the IBM Security product line among the main security tools it will use.

    Victory... or friendship?



    Most participants believe that each side has a chance. “Our opponents are our colleagues in ordinary life, so in any case friendship will win. Both sides will make every effort and show their best skills to achieve the goal,” shared Anton Golubkov.

    Roman Andreev from IBM (On Rails!) is counting on his team’s victory: “Judging by the names of the opposing teams that have declared themselves and their track records, their chances are very high. But we will defend ourselves and, I believe, quite successfully.” Maxim Korshunov also bets on the defenders.

    Vladimir Dryukov is more cautious in his forecasts: “We expect this year to be much harder for us than last year. The opposing team is professional pentesters with experience against both active defenders and active SOCs. So the guys will demonstrate everything they are capable of. Plus, the restrictions on the choice of protection tools and on ensuring infrastructure security introduced this year will add intensity to the Confrontation. It certainly won’t be boring.”

    Askar Dobryakov is absolutely sure that the attackers will manage to compromise some publicly accessible resources. In his opinion, what matters is not to let the enemy take control of the servers in the DMZ and develop the attack further into the LAN. Yuri Sergeyev, for his part, suspects that the defenders’ infrastructure is guaranteed to be hacked, since the organizers deliberately create conditions that let the attackers gain a foothold, imitating “real” life, where patches are not applied everywhere and not everything is configured according to best practices. “However, getting the most out of those hacks will be harder, given the active opposition. The opponents will not be bored,” he promises.

    Will the defenders hold the city? The game will tell. One way or another, the Confrontation promises to be hot. Come and cheer for the participants on May 23 and 24 at the World Trade Center in Moscow! Tickets for Positive Hack Days can be bought here.
