"Confrontation": how information security specialists try to trick each other

Confrontation is an annual event in which information security experts try their hand at attack and defense using various systems and software platforms. Usually there is a competition in the form of a real confrontation between two teams. The first team attacks the security systems, which are supported by a team of advocates and expert monitoring centers. The event itself is held in the framework of the International Forum on practical safety Positive Hack Days. “The goal of the Standoff is to push the two opposing sides together in a more or less controlled environment, to see what is going to win — targeted attacks or targeted defense. Industry experts - integrators, vendors and those who perform the function of information security on the customer side came to the role of advocates and SOC, ”says a member of the forum organizing committee, Mikhail Levin, about the event.

Each year, the teams participating in the "Confrontation" pursue their goals. In this regard, the current year is no different from previous ones. One of the teams, On Rails !, which represents IBM and practicing experts at in-house SOC, tried their hand at Confronting with solutions from the IBM Security portfolio. The event itself has already passed, and more than once and not two told about it on the net. The time has come for us to make a small review of the participation of the On Rails! Team in the standoff of The Standoff. The team was formed at the end of April from experts who were not afraid to go into battle against hackers: Elman Beybutov, Roman Andreev, Andrei Kuritsyn, Sergey Kulakov, Sergei Romanov, Vladimir Kamyshanov and others who wished to remain unknown heroes. Many were familiar with each other and even worked in the past in some companies, so they quickly managed to coordinate and discuss defense tactics.

The team was offered a choice of two infrastructure to protect - a railway or energy company. After a brief discussion, most of the defenders cast their votes for ensuring the safety of rail traffic. Shortly after that, the name of the team appeared - “On Rails!” - and a simple but obvious logo of a road sign with a locomotive.
')


The first moment. The team had not enough time for preparation, audit of the protected infrastructure and choice of means of protection. Plan "A" is an emphasis on closing vulnerabilities, changing default accounts and installing new versions of software in the provided infrastructure. This is the minimum set of actions that was unanimously approved and did not require any costs from an already limited budget. Intrusion detection using IBM XGS was the key security technology, and IBM QRadar SIEM was used as an IS incident monitoring system. The open source OSSEC solution was also used to detect intrusions at the host level — they were covered first of all by the defenders' laptops themselves, and they installed agents on all key servers and workstations in the infrastructure — they covered 12 hosts on the network.

Of course, when the “The Standoff” countdown began, our protection tools were not yet fully configured, and the safe configuration of the protection objects was not implemented. In fact, this is great: after all, as in real life, hackers will not wait until the security guards finally put everything in order. Therefore, in the very first hours of the fight, we had to work at an accelerated pace. As a plan "B" Sergey Romanov proposed to make a bet on Active Response and prepared a small set of scripts for automated backlash on the results of event correlation. This could be useful if the hackers managed to overcome the perimeter.

Second moment. We did not have all the accounts to the service systems. Sometimes the organizers simply did not provide them under various pretexts, so in special situations they had to be selected on their own. There were no problems with this: all the members of our team came from Kali. Now we could make changes and check them right away.



The third, most important moment manifested itself on the night from Tuesday to Wednesday, when only hackers, defenders and organizers remained of the conference participants. The night could be characterized by the phrase: “Enjoyed as they could!” The guys from “Vulners” tried to establish their “piece of hardware” in the gap with our connections. Obviously, for the organization of attacks such as Man-in-the-Middle. The other team carefully attempted to connect directly to the equipment in the defenders' racks. As it turned out, the rules even allow it. I had to do real security and chase them away.

Acting under cover of night, several participants of “On Rails!” Received additional information by simply putting on hooded sweatshirts and transferring hackers to the zone for one of the freed tables (probably some hackers decided to sleep). The outcome of such a partisan counterintelligence was the disclosure of a network map, which the organizers provided to hackers, as well as obtaining valuable information that the CARK team, the leader of the competition, had not yet reached the railway infrastructure.

The morning was also interesting. We didn’t manage to sleep at all, human resources were still limited and it was not an easy task to keep control 24x7. In the morning we, unfortunately for ourselves, found that the span port for our IDS does not work. Roman Andreev urgently switched to the continuous monitoring of incidents at IBM QRadar SIEM (we prudently brought Netflow there), and Sergey Romanov suggested that the rest be engaged in Threat Hunting. Threat Hunting implies an approach in which it is believed that the system has already been compromised, and the task is to find evidence for this.

As a result of the competition, we showed 100% SLA. Hackers did not hack us.



“Participation in such an event is very tonic. The tight deadlines, the abundance of technical tasks, both for protection and hacking, allow the experts to evaluate themselves from the outside, to understand how well you have done. Indicative is the work in the team of professionals, when each team member feels responsible for others, sees what they are doing, and independently takes on unclosed areas of work. This is an excellent experience that can be used to develop an information security team for everyone in their companies upon returning to work, ”recalls Sergey Romanov about his participation in the confrontation with the On Rails team!

“The standoff of“ The Standoff ”will allow better understanding of hackers, adjusting priorities in the technical component of protection. As a result, the preserved level of security also confirms the high level of teamwork, ”says Elman Beybutov, On Rails team coordinator!