Confrontation: a new format and a new reality

Positive Hack Days VI died. Now that his events have become a page of the past, it's time to take stock and chart the course for next year. The leitmotif of the sixth PHDays was the confrontation: the idea that from the first days of the creation of PHDays roamed in the heads of the organizers, finally found its embodiment in the form of “ PHDays VI CityF: Confrontation ”. The forum’s key competition has evolved from a highly specialized hacker game into a two-day megabyte.

The first attempt to change sails and bring practical competitions closer to real life was made last year, at the fifth PHDays. In the story, each CTF team was a group operating in a fictional state. All events were tied to an underground labor exchange, at which participants received orders to hack certain objects. This year, the creators of the forum went further and diluted the hacker brawl with teams of defenders and expert security centers (SOC). The organizers of the game involved real representatives of the world of information security with a light hand - those who build security systems in life, counteract attacks, and investigate incidents.

“As a rule, only hacker teams take part in CTF. While the people responsible for the security of real objects, for example, integrators, SOC, information security experts, do not participate in this competition. Most of the information security industry was offside. The goal of PHDays VI CityF: Confrontation was to make as many people as possible aware of the practical side of security. We found the format very interesting when highly specialized defense and attack teams do what they are masters of: defense teams and SOC build defense systems and fight off attacks, and hackers attack, ”comments Boris Simis, Positive Technologies’s deputy general director for business development .

Cisco Security Advisor Alexey Lukatskynotes that the event is a kind of "new word in organizing events on real cybersecurity." “CityF differs from traditional cyber warrants and CTFs living under certain scenarios in that both sides participated in the confrontation. In essence, we are talking about the principle of red team vs blue team, when one team attacks the company and the other defends it. In the case of CityF, the mini-city that was built was chosen as such a company, and representatives of the information security market who could in fact, and not in words demonstrate their competencies in ensuring information security, were chosen as red and blue teams, ”he explains.

Moscow was not built in a day…

All events unfolded in a city ​​F , which functionally practically did not differ from an ordinary millionaire. A bank, a telecom operator, an electric power company, a large holding office and a smart home worked in it. On the territory of the city was deployed its own Internet with news and entertainment sites and social networks.

The creator created the world in six days, but the construction of the city F took much more time - the builders took as much as six months. Thanks to the joint efforts of the organizers and partners in record time, it was possible to deploy all the mock-ups and stands, which in technical terms were as close as possible to life. It turned out to be a surprisingly complex infrastructure in terms of information security.

TellsProduct Promotion Manager Positive Technologies, member of the organizing committee of PHDays, member of the organizing committee of PHDays Mikhail Levin : “It was a real city in terms of computing power. We needed colossal resources - network, server, software. We built the city on our own, but, of course, our partners, Cisco and Check Point, who provided the necessary equipment, and also actively helped in its installation and configuration, provided great support to us. ”

In particular, new solutions were used: Cisco APIC (Cisco Application Policy Infrastructure Controller), Cisco Nexus 9000 switches, Cisco ASA 5585 firewall, Check Point Next Generation Firewall.

“We have a long-standing relationship with Positive Technologies - not only professional, but also friendly. Therefore, we have been happy to help organize the technical infrastructure of PHDays for many years. This year the task has become more ambitious, since it required a much larger number of network equipment and servers than it was in the past. But we did it. I can’t say that we pursued any special or commercial goals. It was just a desire to help good people in organizing a good business, ”says Alexey Lukatsky.

It should be noted that not only large companies took part in the preparation of the competition - there were real startups among the participants. For example, Loomoon provided its City RB system with a CityF bank. Most of the “smart home” layout was prepared by Advantech and PROSOFT.

The immediate heroes of the confrontation were no less seriously prepared. Under the terms of the game, the defending teams got access to the infrastructure in advance to configure the means of protection for their facilities, and there were no restrictions for them. The key tools of the defenders were the application level firewalls they tested in practice, network perimeter protection tools, attack detection and prevention, correlation analysis tools, and even SIEM. Vendors were also presented, as they say, in the range: they used HP ArcSight, IBM QRadar SIEM, Microsoft Operations Management Suite, Qualys, Bot-Trek TDS, a system based on Security Onion, Balabit Shell Control Box, Windows Server Update Services, various IDS / IPS

However, some of the defending teams and the SOC could not deny themselves the pleasure of trying out non-standard solutions in the combat conditions of CityF. For example, the False Positive team used several proprietary developments to investigate incidents, and the You Shall Not Pass team even came up with an old Motorola C118 phone and Ubuntu virtual machine to monitor a GSM network.

If the defenders armed in earnest, then the attackers, on the contrary, rushed into the battle with bare hands, armed with laptops and a standard hacker kit. These were mainly tools for attacking Burp Suite web applications, scanning Nmap IP networks, capturing and analyzing Wireshark network traffic, recovering Cain & Abel passwords, creating and debugging Metasploit exploits.

Breaking live

The confrontation was a challenge not only for the organizers, but also for the participants, who were new to the rules and the game world. Abstract tasks remained in the past, this time the participants had real goals. According to the head of the banking systems security department of Positive Technologies, member of the organizing committee of PHDays Timur Yunusov, “The classic CTF, in spite of all its advantages, is still divorced from reality: it all comes down to solving puzzles and completing artificial tasks.” The main task that the organizers pursued was to clearly demonstrate how they actually break and protect living systems (and even so that what is happening is understandable to those who are not familiar with the hacker world). As tasks, hackers were offered to steal money from the bank, provide themselves with unlimited mobile communications, arrange an accident at a hydroelectric power station, leave a smart home without light, and defender and SOC teams to resist the attackers. Actually, everything is as in life.

Of course, any such event is fraught with difficulties. Fortunately, we managed to overcome the difficulties that have arisen, and, despite all the ups and downs, most participants positively assess the experience gained during the competition.

“Despite some confusion in the organization, related both to the scale of the event and to the change of format, we were charged with drive a year in advance. In the CityF process, there were some overlaps and misunderstanding of the rules and principles for determining the account, but the award removed all questions, ”commented Ivan Melekhin, technical director of Informzashita , which, by the way, sent two teams to CityF - izo: SOC and weIZart (defenders and SOC).

However, some still did not have enough light: some wanted to compete not only with hackers, but also with colleagues in the shop. Of course, there were those who are closer to the principles of the good old CTF.

“The impressions of the game are ambiguous: an interesting idea, practical tasks have been prepared, but the game interaction and the system of points and penalties are not well established (especially for defenders),” said Omar Ganiev, a member of the Rdot team . He is supported by filthy thr33 participant Kirill Shilimanov : “The competition left mixed feelings. The first day for the attackers was practically wasted, because the services simply did not have access. When they opened and hacks began, it became much more fun. Note that the services were prepared complex, interesting, for which many thanks to the organizers. "

30 hour battle

The confrontation lasted about thirty hours, it was a real marathon to counter massive attacks. The participants had five facilities at their disposal that defended five defender teams and three SOC teams. In two days, the judges recorded from 3 to 20 thousand security events at each defense object and only about 200 serious attacks, most of which led to significant results.
In 99% of cases, attacks were concentrated on the perimeter of the protected objects. As in real life, attacks on the web have become the most common vector. However, this was not a surprise for the defenders, they had foreseen such a course of events and were ready for defense.

“We protected the office infrastructure, with particular emphasis on securing web servers. As it turned out, it was not in vain: hackers used a lot of tools for the pentest, and if they coped with exploits for operating systems IPS, then sophisticated attacks on web servers and attacks on the application logic could be detected only in manual mode, analyzing WAF logs, web servers and advanced logs of operating systems, ”says Dmitry Berezin, information security expert at CROC, a member of the Green team .

Contrary to the expectations of the defenders, another popular vector in practice - attacks using social engineering - was not actively involved by the participants in the confrontation. Only one team of hackers took advantage of the inattention of the enemy and photographed logins and passwords from the internal forum of the defender's team. However, these data did not lead to any serious incident. “We really looked forward to the application of social engineering, but the attackers practically did not use such technologies,” lamented Vladimir Dryukov, Solar JSOC director of Solar Security, a member of the False Positive team.

Later, the defenders admitted that they were preparing for the worst, so they were armed to the teeth and prepared traps. Expected absolutely everything: exploitation of vulnerabilities in applications, web applications, OS and services, configuration errors. In fact, everything turned out differently.

“Our team protected all objects - operator workstations, servers, corporate mail, domain, remote banking, video conferencing systems, electronic document management and instant messaging. A significant part of the prepared defense lines was not useful: hackers did not penetrate the internal network. We did not see attacks on the Kerberos network authentication protocol such as Golden Ticket and Pass-the-Hash, attacks through trojans and backdoors. Also, hackers did not climb on any prepared honeypot. None of the hackers even tried to break the vulnerable proFTPD server, ”says Inna Sergienko, head of the AST Group, a member of the ACT team .

The False Positive team boasted that the attackers managed to get only one flag on the infrastructure they protected: “The organizers introduced about seven new services on the perimeter at the same time, and the defenders and I were a bit late to ensure the security profile of the last system, setting up the other six. But the attackers did not celebrate the victory for long: in a couple of minutes we managed to restore the state of the system and its security. ”

By the way, in the framework of the game, the joint work of the teams of defenders and SOC has shown its effectiveness. According to the judges, all the SOC teams collected the most complete picture of what is happening at the facilities, while the defenders were forced to quickly respond to incidents. For example, in a situationwhen, according to the conditions of the game, the defenders of industrial systems turned off the defense, the SOC team monitoring the industrial system studied in detail the actions of the attackers, the beginning of the attack, and its implementation. In real life, this would correspond to the possibility of prompt action to curb attacks even without the intervention of defense tools.

“The Information Protection team defended a hydroelectric power station and substations of 500 and 10 kV. According to the scenario of the game, on the evening of the first day of the competition, we began to weaken the defense, by the end of the day almost all the SPIs were turned off. Only the SOC monitored. While the facility was under protection, not a single successful attack on the infrastructure was carried out. All other hacks and floods occurred when the infrastructure was not protected, ”participant Ivan Melekhin comments on the events .

Total hackers successfully succeeded:

• hijack accounts, including multiple domain ones;
• carry out attacks on the physical equipment of the automated control system (water was discharged, lines were disconnected, power lines were burned);
• penetrate the technological control system network through corporate network vulnerabilities;
• conduct network attacks on smart home systems (disconnect equipment from the network);
• steal money from a bank (about 22,000 rubles) and receive bank card data;
• steal and in some cases delete backup copies of system files, disks, archives belonging to the CorpF office;
• conduct attacks on GSM / SS7 with the subsequent theft of money by faking USSD-requests;
• to carry out mutual attacks on both defense team employees and attacking teams (hackers, using social engineering methods, stole the password from the defenders forum, and the Vulners defenders team hacked hacker computers );
• deface multiple web resources, including the CorpF office site;
• discover one insider - a CorpF office employee.

Summary

The forum clearly showed that information security specialists are able to provide a very high level of protection without disrupting the process. The final goal - to capture the domain of the city and win the competition - was not achieved by any team of hackers. This outcome was unexpected for the organizers: they predicted the victory of hackers. As a result of the game, the jury could not name the obvious winners , the prize places were taken by hacker teams , which turned out to be the best during the game. Defender and SOC teams have been awarded in various categories .

Alexey Kachalin, Deputy Director for Business Development, Positive Technologies in Russia, member of the organizing committee of PHDayscomments on the results of the confrontation: “Everyone won - both the organizers and the participants. This is a unique event and it is difficult to develop clear rules without playing. We hope that those who took part this year will come to us next time and help in preparing the game. We will engage defense and attack teams to form the rules and format. ”

We can definitely say that PHDays VI was a success, and the director of the PHDays forum, Victoria Alekseeva , agrees with this :

“PHDays are first and foremost the people whose enthusiasm this event takes place. For a whole year, more than 100 people did everything to make the forum not just an “event”, but a real holiday. Each time, we, the organizers, overcome ourselves, take a step forward, set new records. I believe that everything was successful: 4200 participants are proof of this. “I want to thank everyone who helped us organize PHDays!”

It is still difficult to predict under what slogan the forum and contests will be held next year, but the organizers intend to develop the concept of confrontation. They say that the development of the game plot awaits us: there will be more action, social engineering and events related, for example, to the dismissal of an employee, more changes in business processes, day and night scenarios will appear. And, of course, in the future CityF promises to become even more “populated”.

“We see how the world around us is rapidly changing in recent years. Cybersecurity is increasingly penetrating everyday technology. Threats are becoming more complex, attacks are more sophisticated, and the damage from them is becoming more noticeable. It is no longer possible to build protection systems in the old way - it is necessary to quickly improve protection methods, but to develop ourselves even faster. To match this, PHDays is changing. We are glad that this year our conference found another meaning: to give various industry representatives the opportunity to participate in the confrontation and gain real experience in protecting critical infrastructure facilities. And the burning eyes of the guys after 30 hours of battle are the best reward for us. But we don’t want to stop there,- Yuri Maksimov, CEO of Positive Technologies , shares his ideas .

Already, many partners and teams have expressed their willingness to participate in the following competitions. For example, Alexei Lukatsky proposes not to discount Cisco's plans for PHDays VII: “I think that this format has brilliant prospects and CityF has set a very high bar for CTF, which will be organized in the future. And if the geopolitical situation in the world does not worsen, then Cisco will once again become the technology partner of PHDays. Of course, it is worth considering us as speakers of a future event and, possibly, even as defenders of any segment of CityF. But we still need to think about this idea within the company. ”

What will PHDays VII be, time will tell. However, now we can confidently say that the seventh forum to be!