
Confrontation: a new format and a new reality

Positive Hack Days VI is over. Now that its events have become a page of the past, it is time to take stock and chart the course for next year. The leitmotif of the sixth PHDays was confrontation: an idea that had been on the organizers' minds since the very first PHDays finally took shape as “PHDays VI CityF: Confrontation”. The forum's key competition has evolved from a highly specialized hacker game into a two-day mega-battle.
The first attempt to change tack and bring the practical competitions closer to real life was made last year, at the fifth PHDays. In that story, each CTF team was a group operating in a fictional state. All events revolved around an underground labor exchange, where participants received orders to hack specific targets. This year, the creators of the forum went further and diluted the hacker brawl with teams of defenders and security operations centers (SOC). The organizers brought real representatives of the information security world into the game: those who build security systems for a living, counter attacks, and investigate incidents.

Cisco Security Advisor Alexey Lukatsky notes that the event is a kind of "new word in organizing events on real cybersecurity." “CityF differs from traditional cyber exercises and CTFs that follow fixed scenarios in that both sides participated in the confrontation. In essence, we are talking about the principle of red team vs blue team, when one team attacks the company and the other defends it. In the case of CityF, the mini-city that was built served as such a company, and representatives of the information security market who could demonstrate their competence in ensuring information security in deeds rather than words were chosen as the red and blue teams,” he explains.
Moscow was not built in a day…
All events unfolded in City F, which functionally was hardly different from an ordinary city of a million people. It had a bank, a telecom operator, an electric power company, the office of a large holding company, and a smart home. The city had its own Internet with news and entertainment sites and social networks.
The Creator made the world in six days, but building City F took far longer: the builders needed a full six months. Thanks to the joint efforts of the organizers and partners, all the mock-ups and stands, which were technically as close to real life as possible, were deployed in record time. The result was a surprisingly complex infrastructure in terms of information security.

In particular, new solutions were used: Cisco APIC (Cisco Application Policy Infrastructure Controller), Cisco Nexus 9000 switches, Cisco ASA 5585 firewall, Check Point Next Generation Firewall.
“We have a long-standing relationship with Positive Technologies, not only professional but also friendly. Therefore, we have been happy to help organize the technical infrastructure of PHDays for many years. This year the task became more ambitious, since it required much more network equipment and servers than in the past. But we did it. I can't say that we pursued any special or commercial goals. It was just a desire to help good people organize a good cause,” says Alexey Lukatsky.
It should be noted that not only large companies took part in preparing the competition; there were real startups among the participants as well. For example, Loomoon provided the CityF bank with its RB (remote banking) system. Most of the “smart home” layout was prepared by Advantech and PROSOFT.
The direct participants in the confrontation prepared no less seriously. Under the rules of the game, the defending teams got access to the infrastructure in advance to configure the protection of their facilities, with no restrictions. The key tools of the defenders were application-level firewalls tested in practice, network perimeter protection tools, attack detection and prevention systems, correlation analysis tools, and even SIEM. Vendors were represented, as they say, across the board: the teams used HP ArcSight, IBM QRadar SIEM, Microsoft Operations Management Suite, Qualys, Bot-Trek TDS, a system based on Security Onion, Balabit Shell Control Box, Windows Server Update Services, and various IDS/IPS.
However, some of the defending teams and SOCs could not deny themselves the pleasure of trying out non-standard solutions in the combat conditions of CityF. For example, the False Positive team used several proprietary developments to investigate incidents, and the You Shall Not Pass team even used an old Motorola C118 phone and an Ubuntu virtual machine to monitor the GSM network.
If the defenders armed themselves in earnest, the attackers, on the contrary, rushed into battle almost bare-handed, armed only with laptops and a standard hacker kit. These were mainly Burp Suite for attacking web applications, Nmap for scanning IP networks, Wireshark for capturing and analyzing network traffic, Cain & Abel for recovering passwords, and Metasploit for creating and debugging exploits.
Hacking live

Of course, any such event is fraught with difficulties. Fortunately, the difficulties that arose were overcome, and despite all the ups and downs, most participants assess the experience gained during the competition positively.
“Despite some confusion in the organization, related both to the scale of the event and to the change of format, we got enough drive to last a year. During CityF there were some hiccups and misunderstandings of the rules and scoring principles, but the awards removed all questions,” commented Ivan Melekhin, technical director of Informzashita, which, by the way, sent two teams to CityF: izo:SOC and weIZart (defenders and SOC).
However, some still felt something was missing: some wanted to compete not only with the hackers but also with their industry colleagues. And of course, there were those who remain closer to the principles of the good old CTF.
“The impressions of the game are mixed: an interesting idea, practical tasks were prepared, but the game interaction and the system of points and penalties are not well established (especially for defenders),” said Omar Ganiev, a member of the Rdot team. He is echoed by Kirill Shilimanov of the filthy thr33 team: “The competition left mixed feelings. The first day was practically wasted for the attackers, because the services were simply not accessible. When they opened up and the hacking began, it became much more fun. It should be noted that the services were complex and interesting, for which many thanks to the organizers.”
A 30-hour battle
The confrontation lasted about thirty hours; it was a real marathon of countering massive attacks. Five facilities were in play, defended by five defender teams and three SOC teams. In two days, the judges recorded from 3 to 20 thousand security events at each defended facility and only about 200 serious attacks, most of which led to significant results.
In 99% of cases, attacks were concentrated on the perimeter of the protected facilities. As in real life, attacks on the web became the most common vector. However, this was no surprise to the defenders; they had foreseen this course of events and were ready.
“We protected the office infrastructure, with particular emphasis on securing web servers. As it turned out, it was not in vain: the hackers used a lot of pentest tools, and while the IPS coped with exploits for operating systems, sophisticated attacks on web servers and attacks on application logic could only be detected manually, by analyzing WAF logs, web server logs and extended operating system logs,” says Dmitry Berezin, information security expert at CROC, a member of the Green team.
Contrary to the defenders' expectations, another vector popular in practice, attacks using social engineering, was not actively used by the participants in the confrontation. Only one team of hackers took advantage of the opponent's inattention and photographed logins and passwords from the defender team's internal forum. However, these data did not lead to any serious incident. “We really looked forward to the use of social engineering, but the attackers practically did not use such techniques,” lamented Vladimir Dryukov, director of Solar JSOC at Solar Security, a member of the False Positive team.
Later, the defenders admitted that they had been preparing for the worst, so they were armed to the teeth and had prepared traps. They expected absolutely everything: exploitation of vulnerabilities in applications, web applications, OS and services, and configuration errors. In fact, everything turned out differently.
“Our team protected all the facilities: operator workstations, servers, corporate mail, the domain, remote banking, video conferencing systems, electronic document management and instant messaging. A significant part of the prepared defense lines was not needed: the hackers did not penetrate the internal network. We did not see attacks on the Kerberos network authentication protocol such as Golden Ticket and Pass-the-Hash, or attacks through trojans and backdoors. The hackers also did not fall for any of the prepared honeypots. None of the hackers even tried to break the vulnerable proFTPD server,” says Inna Sergienko, head of the AST Group, a member of the ACT team.
The False Positive team boasted that the attackers managed to get only one flag on the infrastructure they protected: “The organizers introduced about seven new services on the perimeter at the same time, and we defenders were a bit late in setting up the security profile of the last system while configuring the other six. But the attackers did not celebrate the victory for long: within a couple of minutes we managed to restore the state of the system and its security.”
By the way, within the game the joint work of the defender and SOC teams proved effective. According to the judges, the SOC teams collected the most complete picture of what was happening at the facilities, while the defenders were forced to respond quickly to incidents. For example, in a situation when, according to the conditions of the game, the defenders of the industrial systems turned off the protection, the SOC team monitoring the industrial system studied the attackers' actions in detail: the beginning of the attack and its execution. In real life, this would correspond to being able to act promptly to curb attacks even without the intervention of defense tools.

“The Information Protection team defended a hydroelectric power station and substations of 500 and 10 kV. According to the scenario of the game, on the evening of the first day of the competition we began to weaken the defense, and by the end of the day almost all the security tools were turned off. Only the SOC kept monitoring. While the facility was under protection, not a single successful attack on the infrastructure was carried out. All other hacks and floods occurred when the infrastructure was not protected,” participant Ivan Melekhin comments on the events.
In total, the hackers managed to:
- hijack accounts, including multiple domain ones;
- carry out attacks on the physical equipment of the automated control system (water was discharged, lines were disconnected, power lines were burned);
- penetrate the technological control system network through corporate network vulnerabilities;
- conduct network attacks on smart home systems (disconnect equipment from the network);
- steal money from a bank (about 22,000 rubles) and receive bank card data;
- steal and in some cases delete backup copies of system files, disks, archives belonging to the CorpF office;
- conduct attacks on GSM/SS7 with the subsequent theft of money by forging USSD requests;
- carry out mutual attacks on both defender team employees and attacking teams (hackers, using social engineering methods, stole the password to the defenders' forum, and the Vulners defender team hacked the hackers' computers);
- deface multiple web resources, including the CorpF office site;
- discover one insider - a CorpF office employee.
Summary
The forum clearly showed that information security specialists are able to provide a very high level of protection without disrupting the process. The final goal, to capture the city's domain and win the competition, was not achieved by any team of hackers. This outcome was unexpected for the organizers, who had predicted a hacker victory. As a result, the jury could not name obvious winners; the prize places were taken by the hacker teams that performed best during the game. Defender and SOC teams were awarded in various categories.

We can definitely say that PHDays VI was a success, and the director of the PHDays forum, Victoria Alekseeva, agrees with this:

It is still difficult to predict under what slogan the forum and contests will be held next year, but the organizers intend to develop the concept of confrontation. They say the game plot will be developed further: there will be more action, more social engineering, and events such as the dismissal of an employee, more changes in business processes, and day and night scenarios. And, of course, in the future CityF promises to become even more “populated”.

Already, many partners and teams have expressed their willingness to participate in the next competitions. For example, Alexey Lukatsky suggests not discounting Cisco's plans for PHDays VII: “I think that this format has brilliant prospects and CityF has set a very high bar for the CTFs that will be organized in the future. And if the geopolitical situation in the world does not worsen, then Cisco will once again become the technology partner of PHDays. Of course, it is worth considering us as speakers at a future event and, possibly, even as defenders of some segment of CityF. But we still need to think this idea over within the company.”
What PHDays VII will be like, time will tell. However, we can already say with confidence that the seventh forum will take place!
