
Ten, nine, eight ... the countdown timer is racing toward the start of the Positive Hack Days VI forum. A little longer and we will all witness PHDays VI CityF: Confrontation, where instead of abstract tasks the participants face a large and highly realistic model of a battle in cyberspace. According to Boris Simis, deputy business development director at Positive Technologies, "one of the important goals of the contest is to draw the attention of state and municipal authorities, and of information security experts in banks and financial institutions, telecommunications companies and industrial enterprises, to the topic of information security in the context of the functioning of the country's vital systems."
So, in a couple of days, teams of hackers, defenders and security operations centers (SOC) will clash in a serious battle on the same ground: 24 teams in all. Who are they? On the eve of PHDays VI CityF, we talked with representatives of the teams, heard their predictions about the outcome of the Confrontation, and even found out some details of their strategic plans. But first things first.
Who is who
Most of the participants in the Confrontation, who in real life are real representatives of the information security world, did not dare to give their names, citing "military secrecy". Well, let's not argue. Still, two of them did remove the mask, and curiously, both are hackers. "We are white hats, we don't need to hide!" commented Konstantin Plotnikov, a member of the Hackerdom team.
So, we meet the heroes of the interview.
Hackers: representatives of the teams Rdot, Bushwhackers, filthy thr33 and SpamAndHex, More Smoked Leet Chicken member Vlad Roskov, and Hackerdom member Konstantin Plotnikov.
Defenders: representatives of the teams Green, You Shall Not Pass, Vulners and AST, and the team of one of the SOCs, IZo: SOC / welZart.
Fun, practice, victory
What do the teams expect from participating in the Confrontation? As it turned out, the goal of most participants is to gain experience: for defenders, practice in detecting and neutralizing attacks and in interacting with the SOC; for hackers, attacking complex targets (industrial control systems, mobile networks). The CTF old-timers, however, are not so serious: they plan to have fun and enjoy the game.
You Shall Not Pass : In the two days of participation in the competition, we will see more attacks and hacker techniques than in years of work. This is a great experience, and we simply have no right to ignore it.
AST : The main goals of our participation are practical verification of the methods used and the mechanisms of protection and increasing the level of team cohesion and organization in extreme conditions.
IZo: SOC / welZart : We are counting on a massive attack in order to practise detecting and countering attacks, as well as the interaction between our teams: all these skills ensure the real security of our customers. Such a concentration of hackers' efforts per unit of time (and per protected object) can be obtained in real life only in the case of total cyber war, which, I hope, we will do without.
filthy thr33 : Our main goal is to enjoy the event :) It is interesting to look at CityF itself and to see how real protection systems for industrial control systems cope with real threats.
Konstantin Plotnikov : To win, of course! And, for sure, to gain new knowledge and have fun.
"Defenders, SOC, hackers - everything is like in life!"
This time the organizers have moved away from the familiar CTF format. Where previously it was a highly specialized event for hackers, now the action promises to be more spectacular: both attackers and defenders will take the most active steps. And it seems that many like this idea.
You Shall Not Pass : Defenders, SOC, hackers - everything is like in life! The new format promises to be exciting. Traditional CTF is very specific: it is not always clear to an outside observer what is happening. Interactive visualization is expected at PHDays VI CityF, so all visitors to the PHDays forum will be involved in the game. And everyone is curious what will come of it.
Rdot : This is an interesting format for us, because it involves a variety of tasks, most of which almost completely correspond to tasks from everyday work practice.
Only the participant from More Smoked Leet Chicken sighs for the good old CTF: "I was not pleased. There is nothing better than the good old PHDays CTF (2012–2013), when teams attack both the jury (like Jeopardy) and each other (like Attack-Defense)."
"Boss! Everything is lost!"
What is the worst nightmare of CityF? The teams described the worst scenarios that could occur on the playing ground. Of course, you can, and indeed must, expect anything. The insidious organizers have prepared plenty of surprises and have already warned that new services available for attack may suddenly appear during the game. But that does not seem to scare our participants; on the contrary, they are waiting for even more action from the organizers: "It is important that they add fuel to the fire in time!"
Green : In the course of the game, problems will surely arise that can usually be avoided in real projects. Within the CTF there are certain restrictions on the protected infrastructure: legitimate users and attackers share the same IP addresses, and there are architectural restrictions. In addition, participants have very little time to prepare. We expect there will be difficulties with the compromise of external services and with attempts to develop an attack against objects on the internal network. There may also be difficulties with infrastructure or security systems that may not withstand such an influx of hackers. But we have a ready plan for responding to such abnormal situations.
You Shall Not Pass : The only thing we fear is that the servers will be slow due to lack of performance, or someone from the attackers decides to “drop” the entire infrastructure.
IZo: SOC / welZart : Everything can go wrong, from the game infrastructure not working to conflicts within the team. But we are ready for anything.
Rdot : If the rules turn out to be too complicated and confusing, then a lot can go wrong. There is not much time for the competition, and the participants need to understand the rules immediately; the rules themselves may also be vulnerable. For example, is there some kind of protection against insiders in the defending teams? ;)
Events on the site: everything will be under threat
The defender and SOC teams put themselves in the hackers' shoes and told us which objects of the city of CityF will come under attack. They expect vulnerabilities in applications, web applications, operating systems and services, configuration errors, and weak passwords that attackers will actively exploit. And of course, social engineering will not be left out.
Green : The main attack vector will be web servers, as well as other public resources, since they are always accessible to hackers. We expect the use of social engineering through mailings to the "user" segment. Attacks on the infrastructure and on the protection tools themselves are unlikely.
AST : There are a number of critical resources in the city's infrastructure which we have taken under protection. These are typical objects for a bank: the core banking system, the remote banking system, the corporate domain, the mail system. In our opinion, these objects should attract our opponents' attention. In addition, we expect that during the Confrontation itself the administrators will "put into operation" new services, including vulnerable file and web resources: in real banks this is always the case, and we will have to react promptly and rebuild the protection systems.
Vulners : We think they will start by attacking the web applications, then switch to the infrastructure servers. There are not many contests in which SCADA systems or SS7 networks can be attacked, so those are likely to be attacked only by individual hackers.
IZo: SOC / welZart : They will attack everything, including what cannot be attacked under the rules of the game. Most likely, most of the attacks will focus on traditional objects (bank, office, etc.), since breaking into a telecom or an industrial control system requires specific knowledge. On the other hand, if those are to be "broken", the most qualified participants will do it, and by sophisticated schemes.
"We will attack the bar!"
Of course, none of the hackers is in a hurry to reveal all their secrets, but we did manage to find out something. It turned out that the power plant is of the greatest interest to the attackers.
Rdot : It will depend on the motivation of the team members. I think we will aim at a lot of things, including the bank and the power station.
SpamAndHex : I personally think there will be vulnerabilities in the critical infrastructure (for example, in the power plants). There will also be configuration flaws (for example, in the network topology, or a lack of well-tuned containment policies) and real vulnerabilities in the services that expose various virtual machines.
filthy thr33 : I think there will definitely be several standard vulnerabilities from the gentleman's set for SCADA systems. Probably the defenders will detect the exploitation of these vulnerabilities first. Well, some tasks will have to be solved with the help of 0-days, how could it be otherwise.
Bushwhackers : You cannot say in advance exactly what vulnerabilities there will be in which services, and how they will intersect with the skills of the team members. But we will definitely attack the bar :)
"Heavy artillery" against laptops
The defender and SOC teams have prepared seriously for the Confrontation and plan to arm themselves with standard defenses (ranging from conventional antivirus and IDS / IPS to FW and WAF) and with non-standard ones that will be a real surprise for the hackers (which, of course, the players refused to disclose before the Confrontation).
IZo: SOC / welZart : As part of the SOC, we have deployed a number of systems for collecting, processing and monitoring information security events, such as IBM QRadar, Microsoft OMS and SecurityMatters SilentDefense. The composition of the security toolset is determined primarily by current threats. We have identified the following set of information security subsystems for ourselves: firewall subsystems, protection against APT attacks, anti-virus protection, registration of information security events, and updates.
AST : We plan to use protection tools both at the basic level and a number of new tools offered by our vendor partners (for example, protection against targeted attacks on domain user accounts, and cloud-based behavioral software analysis tools).
The hackers, in turn, plan to go into battle almost bare-handed, armed mainly with laptops.
Konstantin Plotnikov : We will take with us laptops, radio equipment and everything that might be useful. Last year, for example, toner from a laser printer cartridge and an SLR camera came in handy for reading information from the magnetic strip of a bank card.
PHDays VI CityF is a lottery
Who will win? It is difficult to predict for now, and the teams are still holding back their forecasts, but of course no one is going to give up. Well, or almost no one ... What we can already say is that the battle will be hot.
Vulners : This is a new format for CTF, so the chances of all teams will be equal. Despite the fact that the defenders had been given time to study the infrastructure objects in advance, the organizers promised to prepare several surprises so that even the perfectly built line of defense could be hacked.
AST : Our opponents are highly qualified specialists, including researchers in the field of information security. And everyone has a chance to win. There are vulnerabilities in any infrastructure, but we will make every effort to reduce the chances of our opponents.
Green : My prediction is fifty-fifty. This is a lottery. We cannot defend against all attacks in the current environment, nor in any project. But we can provide a certain guaranteed level of security in all areas, guided by best practices and industry standards. We can build a fence of a certain height around an object, and whether the attackers can jump over this fence depends entirely on them.
filthy thr33 : I think no one will leave offended. The defenders will successfully catch some of the attacks, the hackers will bypass the protection systems, and the SOC will record all this mess.
Vlad Roskov : We will win. We did not come here not to win, so ... fuck it.
***
Who will be stronger, the hackers or the security specialists? Who are you rooting for? Place your bets and take your seats in the auditorium. It will be fun! We remind you that the forum will be held on May 17–18, 2016 at the Moscow International Trade Center. Tickets for Positive Hack Days: runet-id.com/event/phdays16 .