
The Standoff at Positive Hack Days: Hackers won't be bored


Only a few hours are left until the Standoff: the tension is rising, the time for preparation is running out, and the hackers have already warned that they are determined to take revenge and are preparing for the fight with all their might. The defenders, however, appear ready to put up serious resistance. Traditionally, on the eve of the cyber battle, we try to find out what both sides have up their sleeves. This time the members of the defense teams shared their strategic plans with us.

Defense teams with visors raised


According to the rules of the Standoff, the hackers are opposed by teams of defenders and expert monitoring centers (SOCs). "The goal of the Standoff is to bring the two opposing sides together in a more or less controlled environment and see what wins: targeted attacks or targeted defense. Industry experts, integrators, vendors and those who perform the information security function on the customer side have taken on the roles of defenders and SOCs," comments Mikhail Levin, member of the PHDays organizing committee.

This year some participants have openly declared themselves, and each represents their own company. So, meet the defense teams:


SOC teams: Perspective Monitoring and False Positive.

Practice above all


Each team has its own reason for taking part in the Standoff. Some seek to test their own products and services. For example, the On Rails! team, representing IBM and experts who run in-house SOCs, decided to try their hand at the Standoff with solutions from the IBM Security portfolio. The SPAN team also plans to check out a number of new products under combat conditions. "As part of the information security practice at Servionica, a number of services have been developed that are provided under a security-as-a-service model. We have already accumulated some project experience in applying them, and we want to check out a number of new solutions, including solutions from new vendors with whom we are currently discussing cooperation," team member Askar Dobryakov shared his plans.

In some ways, however, the goals of the attackers and the defenders coincide: both have come to PHDays to test the strength of their teams and exchange experience with colleagues. For example, the Perspective Monitoring team wants to test its strength, raise its technical readiness to repel attacks, and understand which attack vectors it may have overlooked. For the False Positive team, the Standoff is an opportunity to "assemble a team of people who care about information security and let them test their hypotheses".

Among the participants there are also "veterans" of a sort who successfully tried their strength in last year's Standoff. "Last year our team was made up half of the staff of commercial monitoring centers and half of in-house ones. This year another couple of legionaries will join us. All the guys come with their own ideas, and we want to test our content under combat conditions, not only at the customer's site but also in such a complex, albeit artificial, situation where there are many opponents attacking simultaneously and very actively," said False Positive team member Vladimir Dryukov. Or take GreenDef, the team of the CROC company. "We analyzed all the features of the 2016 Standoff, worked on our mistakes, and are ready to fight back the cyber squad once again with our close-knit team of defenders," said Anton Golubkov, an information security expert at CROC. The Servionica team is also impressed by last year and hopes that the new tournament will be remembered for the excitement of the struggle, the complexity of the tasks and the joy of victory. And of course, nobody has dropped plans to enjoy the game and chat with colleagues. Yuri Sergeyev, captain of the Jet Security Team, regards participation in the Standoff as a kind of team building. "To be under such concentrated fire as at the Standoff is a very interesting experience. Besides, it is not often that you get to work in such a motley team gathered from all parts of the department, racking your brains over a completely atypical creative task: how to protect our digital frontiers in the Standoff," he explains.

City under the dome


The participants will defend a city in which a telecom operator, two offices, a thermal power plant with a substation, an oil company and a railway company operate. The Internet of Things is also gaining popularity: the organizers have filled the city with various smart devices. In accordance with the rules of the Standoff, the defense teams divided the protected objects among themselves.

The GreenDef team protects the office segment. Anton Golubkov comments on the team's choice: "The office combines a large number of services and technologies, which gives us plenty of room for creativity and, as a result, practical experience in working through complex protection cases. From the intruders' point of view, the office segment is one of the tastiest pieces of the pie, so the fiercest clashes will be here, which will undoubtedly add spice and gaming excitement." SPAN also chose to protect the office, as it is closer to the challenges they face in real projects. "This is our typical object of protection, and here it is simply interesting to train and find out in the end whether we are missing something somewhere in our calculations," comments Denis Batrankov.

They will be joined by the False Positive team, which will additionally monitor the security of the telecom operator. "Last year we had a very interesting joint experience with the team defending the telecom. We worked together very well and found synergistic points of interaction, so we decided to continue the cooperation, but this year the circle of protected companies will be wider. The second infrastructure we have chosen is the office. In our opinion, it may be more vulnerable from the point of view of the insider factor," shared Vladimir Dryukov.

The Perspective Monitoring SOC team will support the office segment. The main object of protection for the Jet Security Team is an enterprise producing and transporting petroleum products. Railway security fell on the shoulders of On Rails!

Need to prepare for all-round defense


Almost all the teams agreed that every infrastructure facility would come under attack. The captain of the Jet Security Team believes that everything the hackers can reach will be under continuous attack. Vladimir Dryukov agrees with him: "As last year, there is a feeling that everything will be hit. The infrastructure is rich, and everywhere there are tricks and nuances. There is an industrial control system segment, which is of great interest to researchers, as is the office infrastructure segment. Plus, all of this is very closely interconnected, so a successful attack on one defense team will very quickly become a problem for the rest. The participants of the Standoff, including the attackers, have enough time to test all their ideas in practice."

Anton Golubkov explains this by the fact that the city is a single organism with a large number of interconnections between its components, so attacks will be launched against all objects. According to his forecast, the office and banking segments will suffer the most massive attacks, since they can potentially serve as a foothold for attacks on the rest of the city's infrastructure. As for attack patterns, Anton expects that publicly accessible resources such as web resources and wireless networks will be attacked first: "This will be the first frontier for an attacker to gain a foothold inside a trusted segment. After that, the hackers will probably try to gain privileged access to the infrastructure and use it to carry out malicious actions against key objects: the bank and the industrial enterprises with their industrial control systems."

According to the SPAN team members, the attack vector will remain the same as last year: "They will exploit web application vulnerabilities, using masking and bypassing the firewall and IPS. Having gained access to a vulnerable web server, the attackers will try to move from the DMZ into the local network." "Rather, we expect typical behavior: port scanning, vulnerability scanning and multiple brute-force attempts," add Askar Dobryakov from Servionica and Denis Batrankov from Palo Alto Networks.

The Jet Security Team believes there will be classic network attacks, searches for flaws in the logic of information systems, and probing of web technology security. According to one of the On Rails! team members, the attackers are likely to use both mass scanning and attempts to exploit the discovered vulnerabilities as quickly as possible. Maxim Korshunov, an expert researcher at the monitoring center of Perspective Monitoring, bets on the telecom and the office as the main targets, since their protocols and services are better known than those of the production segment. Alexey Vasilyev, head of the Perspective Monitoring monitoring center, is confident that he will face the classic kill chain with various modifications.

"Last year we faced a frontal attack, when the opposing teams tried to break through the perimeter by way of known vulnerabilities. We were attacked rather unsophisticatedly, albeit massively and forcefully. Now the profile of the attacking teams has changed a lot, and there is a feeling that the attacks will be slower but at the same time more subtle and covert. I would like this year to bring a reverse attack vector: sleeping bots on the network, insiders in the infrastructure, and so on. This would make the defenders' work much more difficult and add dynamism to the Standoff," said Vladimir Dryukov.

And almost all the defenders are confident that they will have to deal with various forms of social engineering. Whether all these forecasts come true, we will find out literally tomorrow.

Secret weapon


This year the defenders will find themselves under harsh cost-optimization conditions and will be limited to a budget of 10,000 publics (the in-game currency), with which they can buy the information security tools they need from a local distributor or purchase the services of monitoring centers. How will the participants distribute their budget? No one answered this question for us... but we still managed to find out something.

For example, Anton Golubkov shared the secret that they plan to "control all points of interaction between components, ensure the integrity of the infrastructure and, of course, not forget about potential attacks on work laptops and social engineering." Incidentally, to protect the infrastructure around the clock, the team will work in several shifts.

The Jet Security Team relies on basic security systems, the proven classics, and has also prepared a number of specialized tools for SCADA protection. The SPAN team takes a similar approach, having chosen a firewall, antivirus, and the built-in tools of the OS and the domain as its required protections. "As practice has shown, DLP systems, sandboxes and unauthorized-access protection systems are not particularly effective in this case, since the attackers use other attack vectors," explains Askar Dobryakov.

Alexey Vasilyev notes that, as a SOC team, they will have to follow the defenders' lead: "Let's see what they choose, and we will use everything the defenders provide from which we can get logs for our analytical systems."

Maxim Korshunov promises that their arsenal will include network- and host-level intrusion detection systems, anomaly analyzers, antivirus, network equipment, a vulnerability management system and a threat detection system. Some of these are in-house developments. The On Rails! team lists security controls, intrusion prevention and incident monitoring from the IBM Security product line among its main tools.

Will friendship win?


Most participants believe that each side has a chance. "Our opponents are our colleagues in the trade in ordinary life, so friendship will win in any case. Both sides will make every effort and show their best skills to achieve their goal," shared Anton Golubkov.

Roman Andreev from IBM (On Rails!) is counting on his team's victory: "Judging by the names of the opposing teams that have declared themselves and their track records, they have very good chances. But we will defend ourselves and, I believe, quite successfully." Maxim Korshunov also bets on the defenders.

Vladimir Dryukov is more cautious in his forecasts: "We expect that this year will be much harder for us than last year. The opposing teams are professional pentesters with experience against both active defenders and operating SOCs. So the guys will demonstrate everything they can. Plus, the restrictions imposed this year on the choice of protection tools and on securing the infrastructure will add to the severity of the Standoff. It definitely won't be boring."

Askar Dobryakov is sure that the attackers will manage to compromise some of the publicly accessible resources. In his opinion, what matters is not to let the adversary gain control over the servers in the DMZ and develop the attack further into the LAN. Yuri Sergeyev, for his part, suspects that the defenders' infrastructure is guaranteed to be hacked, since the organizers deliberately create conditions that make attacks possible, imitating "real" life, where not everything is patched and not everything is configured according to best practices. "Getting the most out of a hack, however, will be harder given the active opposition. The opponents won't be bored," he promises.

Will the defenders be able to hold the city? The game will tell. One way or another, the Standoff promises to be hot. Come and support the participants on May 23 and 24 at the World Trade Center in Moscow! Tickets for Positive Hack Days can be bought here.

Source: https://habr.com/ru/post/329188/