
Positive Hack Days VI has come to an end. Now that its events have become a page of the past, it is time to take stock and chart the course for next year. The keynote of the sixth PHDays was confrontation: the idea, which had been in the organizers' heads since the first days of PHDays, finally took shape as “PHDays VI CityF: Confrontation”. The key forum competition turned from a highly specialized hacker game into a two-day mega-battle.
The first attempt to change tack and bring the practical competitions closer to real life was made last year, at the fifth PHDays. According to the storyline, each CTF team was a group operating in a fictional state. All events were tied to an underground labor exchange, where participants received orders to hack certain objects. This year, the forum's creators went further and diluted the hacker get-together with teams of defenders and security operations centers (SOC). Thanks to the organizers, real representatives of the information security world were involved in the game: those who in real life build defense systems, repel attacks, and investigate incidents.
“As a rule, only hacker teams take part in a CTF, while the people responsible for the security of real objects, for example integrators, SOCs and information security experts, do not participate in this competition. Most of the security industry was out of the game. The task of “PHDays VI CityF: Confrontation” was to make sure that as many people as possible saw the practical side of security. We found a very interesting format in which highly specialized defense and attack teams do what they are masters of: defense teams and SOCs build defense systems and fight off attacks, and hackers attack,” comments Boris Simis, deputy business development director at Positive Technologies.
Cisco security consultant Alexey Lukatsky notes that the event is a kind of “new word in organizing real cyber security events.” “CityF differs from traditional cyber attacks and CTFs that run according to set scenarios in that both sides were involved in the confrontation. In fact, we are talking about the red team vs. blue team principle, when one team attacks a company and the other protects it. In the case of CityF, a purpose-built mini-city was chosen as such a company, and representatives of the information security market were able to act as the red and blue teams and actually demonstrate their competence in ensuring information security, not just in words,” he explains.
Moscow was not built in a day…
All events unfolded in a certain city F, which functionally differed little from an ordinary city of a million people. It had a bank, a telecom operator, an electric power company, the office of a large holding company, and a smart home. The city had its own Internet with news and entertainment sites and social networks.
The Creator made the world in six days, but building city F took much longer: the builders needed a full six months. Thanks to the joint efforts of the organizers and partners, all the models and stands, technically as close to real life as possible, were deployed in record time. The result was an infrastructure of surprising complexity from an information security standpoint.
Mikhail Levin, a member of the PHDays organizing committee, says: “In terms of computing power, it was a real city. We needed enormous resources: network, server, software. We built the city by our own efforts, but, of course, our partners Cisco and Check Point, who provided the necessary equipment and also actively helped with its installation and configuration, gave us enormous support.”
In particular, new solutions were used: Cisco APIC (Cisco Application Policy Infrastructure Controller), Cisco Nexus 9000 switches, a Cisco ASA 5585 firewall, and Check Point Next Generation Firewall.
“We have a long-standing relationship with Positive Technologies, not only professional but also friendly. Therefore, we have been happy to help organize the PHDays technical infrastructure for many years. This year the task became more ambitious, as it required a much larger amount of network equipment and servers than in the past. But we managed. I cannot say that we were pursuing any special or commercial goals. It was just a desire to help good people organize a good cause,” says Alexey Lukatsky.
It should be noted that not only large companies took part in preparing the competition; there were real startups among the participants. For example, the company Loomoon provided CityF Bank with its own remote banking system. Most of the “smart home” model was prepared by Advantech and PROSOFT.
The immediate heroes of the confrontation prepared no less seriously. Under the rules of the game, the defense teams got access to the infrastructure in advance to configure the protection of their objects, and there were no restrictions for them here. The defenders' key tools were application-level firewalls they had proven in practice, network perimeter protection, attack detection and prevention, correlation analysis tools and even SIEM. The product lineup included HP ArcSight, IBM QRadar SIEM, Microsoft Operations Management Suite, Qualys, Bot-Trek TDS, Security Onion, Balabit Shell Control Box, Windows Server Update Services, and various IDS/IPS.
However, some of the defender and SOC teams could not deny themselves the pleasure of trying out non-standard solutions in the battle conditions of CityF. For example, the False Positive team used several in-house developments for incident investigation, and the You Shall Not Pass team even used an old Motorola C118 phone and an Ubuntu virtual machine to monitor the GSM network.
If the defenders armed themselves in earnest, the attackers, by contrast, rushed into battle almost bare-handed, armed with laptops and the standard hacker toolkit. These were mainly tools for attacking web applications (Burp Suite), scanning IP networks (Nmap), capturing and analyzing network traffic (Wireshark), recovering passwords (Cain & Abel), and creating and debugging exploits (Metasploit).
Breaking live systems

The confrontation was a challenge not only for the organizers but also for the participants, who found themselves in a new rule set and a new game world. Abstract tasks remained in the past; this time the participants had real goals. According to Timur Yunusov, head of the banking systems security department at Positive Technologies and a member of the PHDays organizing committee, "the classic CTF, despite all its advantages, is still divorced from reality: it all comes down to solving puzzles and performing artificial tasks." The main task the organizers pursued was to show visually how live systems are actually broken and protected (and in such a way that what is happening is understandable to those who know little about the hacker world). The hackers were tasked with stealing money from a bank, securing unlimited mobile communications for themselves, causing an accident at a hydroelectric power station, and leaving the smart home without power, while the defenders and SOC were tasked with opposing the attackers. Everything is just like in life.
Of course, any event like this has its difficulties. Fortunately, the difficulties encountered were overcome, and, despite all the vicissitudes, most participants evaluate the experience gained during the competition positively.
“Despite some confusion in the organization, connected both with the scale of the event and with the change of format, we got a charge of energy for a year ahead. During CityF there were some overlaps and a lack of understanding of the rules and principles of scoring, but the award removed all questions,” commented Ivan Melekhin, Technical Director of Informzaschita, which, by the way, sent two teams to CityF: izo:SOC and weIZart (defenders and SOC).
However, some still wanted more: some wanted to compete not only with hackers but also with colleagues in the trade. Of course, there were also those who are closer to the principles of the good old CTF.
“The impressions of the game are ambiguous: an interesting idea, practical tasks were prepared, but the game interaction and the system of points and fines were not well established (especially for the defenders),” said Omar Ganiev, a member of the Rdot team.
Kirill Shilmanov, a filthy thr33 participant, agrees: “The competition left mixed feelings. The first day was practically wasted for the attackers, since there was simply no access to the services. When they were opened and the hacking began, it became much more fun. We note that the services were prepared in a complex and interesting way, for which many thanks to the organizers.”
A 30-hour battle
The standoff lasted about thirty hours; it was a real marathon of countering massive attacks. Five objects were in play, defended by five defense teams and three SOC teams. In two days, the judges recorded from 3 to 20 thousand security events at each protected object and only about 200 serious attacks, most of which led to significant results.
In 99% of cases, attacks were concentrated on the perimeter of the protected objects. As in real life, attacks on the web became the most common vector. However, this was no surprise to the defenders: they had anticipated such a course of events and were ready to defend.
“We defended the office infrastructure, paying special attention to the protection of web servers. As it turned out, not for nothing: the hackers used many pentest tools, and while the IPS handled exploits for operating systems, sophisticated attacks on web servers and attacks on application logic could be detected only manually, by analyzing the WAF, web server and extended operating system logs,” says Dmitry Berezin, information security expert at KROK and a member of the Green team.
Contrary to the defenders' expectations, another vector popular in practice, social engineering, was not actively used in the confrontation. Only one hacker team took advantage of their opponents' inattention and photographed logins and passwords from the defender team's internal forum. However, this data did not lead to any serious incident. “We were very much looking forward to the use of social engineering, but the attackers practically did not use such techniques,” laments Vladimir Dryukov, head of Solar JSOC at Solar Security and a member of the False Positive team.
Later, the defenders admitted that they had prepared for the worst, so they were armed to the teeth and had set traps. They expected absolutely everything: exploitation of vulnerabilities in applications, web applications, OS and services, and configuration errors. In fact, everything turned out differently.
“Our team protected all objects: operator workstations, servers, corporate mail, the domain, remote banking systems, video conferencing systems, electronic document management and instant messaging. Much of the prepared defense did not come in handy: the hackers did not penetrate the internal network. We did not see attacks on the Kerberos network authentication protocol such as Golden Ticket and Pass-the-Hash, or attacks via trojans and backdoors. The hackers also did not take the bait of any prepared honeypot. None of the hackers even tried to break the vulnerable ProFTPD server,” says Inna Sergienko, head of AST Group and a member of the AST team.
The False Positive team boasted that the attackers managed to get only one flag on the infrastructure they were protecting: “The organizers brought about seven new services onto the perimeter at the same time, and we were a little late in ensuring the security profile of the last system while setting up the other six. But the attackers did not celebrate their victory for long: within a couple of minutes we managed to restore the state of the system and its security.”
By the way, within the game, the joint work of defense teams and SOC proved its effectiveness. By the judges' estimate, the SOC teams collected the most complete picture of what was happening at the facilities, while the defenders were forced to respond promptly to incidents. For example, in a situation where, under the game's rules, the defenders of the industrial systems turned off their protection, the SOC team monitoring the industrial system studied the attackers' actions in detail: the start of the attack and how it was carried out. In real life, this would make it possible to act promptly to curb attacks, even without the intervention of defense tools.

“The Informzashchita team protected the hydroelectric power station and the 500 kV and 10 kV substations. According to the game scenario, on the evening of the first day of the competition we began to weaken the defenses, and by the end of the day almost all protection tools were switched off. Only the SOC was monitoring. While the object was protected, no successful attack on the infrastructure was carried out. All other hacks and flooding occurred when the infrastructure was unprotected,” participant Ivan Melekhin comments on the events.
In total, the hackers succeeded in:
- hijacking accounts, including several domain accounts;
- attacking the physical equipment of the automated control system (water was discharged, lines were disconnected, power lines were burned out);
- penetrating the process network of the automated control system through corporate network vulnerabilities;
- carrying out network attacks on smart home systems (disconnecting equipment from the network);
- stealing money from the bank (about 22,000 rubles) and obtaining bank card details;
- stealing, and in some cases deleting, backup copies of system files, disks and archives belonging to the CorpF office;
- attacking GSM/SS7 with subsequent theft of money by forging USSD requests;
- mutual attacks on both defender and attacker teams (hackers, using social engineering techniques, stole the password to the defenders' forum, and the Vulners defender team hacked into the hackers' computers);
- defacing multiple web resources, including the CorpF office site;
- discovering one insider, a CorpF office employee.
Results
The forum clearly showed that information security specialists are able to provide a very high level of protection without disrupting business processes. No hacker team reached the final goal: to capture the city's domain and win the competition. This outcome was unexpected for the organizers, who had predicted a hacker victory. Based on the game's results, the jury could not name clear winners; prizes went to the hacker teams that performed best during the game, and the defender and SOC teams were awarded in various nominations.
Alexey Kachalin, Deputy Director for Business Development at Positive Technologies in Russia and a member of the PHDays organizing committee, comments on the results of the confrontation: “Everyone won, both the organizers and the participants. This is a unique event, and it is difficult to work out clear rules without playing. We hope that those who took part this year will come to us next year and help prepare the game. We will involve defense and attack teams in forming the rules and format.”
It can definitely be said that PHDays VI was a success, and the director of the PHDays forum, Victoria Alekseeva, agrees:
“PHDays is primarily people whose enthusiasm makes this event happen. For a whole year, more than 100 people did everything to make the forum not just an “event” but a real holiday. Every time we, the organizers, overcome ourselves, take a step forward, and set new records. I think everything was a success: 4,200 participants confirm this. I want to thank everyone who helped us organize PHDays!”
It is difficult to predict the slogan of next year's forum and contests, but the organizers intend to develop the confrontation concept. They say the game plot will be developed: there will be more action, more social engineering, and events related, for example, to the dismissal of an employee; more changes in business processes; and day and night scenarios will appear. And, of course, CityF promises to become even more “populated” in the future.
“We see how rapidly the world around us has been changing in recent years. Cybersecurity is increasingly penetrating everyday technologies. Threats are becoming more complex, attacks more sophisticated, and the damage from them more tangible. Building protection systems the old way is no longer possible; it is necessary to quickly improve methods of protection, and we should develop even faster. PHDays is also changing. We are pleased that this year our conference acquired another meaning: to enable various representatives of the industry to participate in the confrontation and get real experience in protecting critical infrastructure facilities. And the burning eyes of the guys after 30 hours of battle are the best reward for us. But we don't want to rest on our laurels, and next year we will expand the list of participants in the confrontation with professional pentesters and other representatives of the IT industry,” says Yury Maksimov, CEO of Positive Technologies, sharing his ideas.
Already, many partners and teams have expressed their willingness to participate in the next competitions. For example, Alexey Lukatsky suggests not discounting Cisco in plans for PHDays VII: “I think that this format has bright prospects and CityF set a very high bar for the CTFs that will be organized in the future. And if the geopolitical situation in the world does not deteriorate, then Cisco will again become a technological partner of PHDays. Of course, we should be considered as speakers at the future event and, perhaps, even as defenders of some segment of CityF. But we still need to think about this idea inside the company.”
What PHDays VII will be, time will tell. However, we can already confidently say that the seventh forum will take place!
