
Confrontation: results



The long-awaited “Confrontation” cyber-battle took place as part of the eighth annual information security forum Positive Hack Days. As direct participants in the competition, the Jet Security Team and the Jet Antifraud Team, we describe the most interesting technical details of the contest between hackers and defenders. Dirty tricks by the attackers, non-standard ways of breaking in, clever traps and surprises from the defenders: all of this awaits you under the cut.



The participants of the competition were divided into three groups according to their role in the “Confrontation”.

Jet Infosystems was represented by two defense teams, the Jet Security Team and the Jet Antifraud Team. The task of the former was to protect the SCADA system of an oil refinery; the latter dealt with detecting fraud in the financial transactions of the residents of the virtual city.



The attackers were represented mainly by several CTF teams.



Confrontation, day one


On the first day, the attackers were busy reconnoitering the network infrastructure and making unsuccessful head-on attempts to attack the protected infrastructure.

The first target was one of the city's offices which, according to the scenario, had no protection. Attackers gained access to office workstations through the now-classic exploits for SambaCry (CVE-2017-7494) and EternalBlue / MS17-010 (CVE-2017-0144).



The attackers also actively brute-forced service, administrative and user credentials. They managed to gain access to TeamViewer.

Web applications were also a tasty morsel: the attackers tried to locate sensitive content using tools like dirbuster, to exploit XXE (XML External Entity) vulnerabilities, and many other things.

The organizers did not leave out the then-fresh Drupalgeddon2 vulnerability either: the attackers successfully exploited this attack vector and uploaded web shells to the web server.

The Jet Antifraud Team managed to block 4 illegitimate transactions; these were the attackers' probing attempts ahead of the next day's attack.



In addition to SOC monitoring systems, several active-defense techniques helped identify and dampen the attackers' activity, ranging from hand-made ones (zip bombs, a bankmodule.exe module containing back-connect functionality) to the automated TrapX system.



The TrapX Deception in Depth architecture is used for disinformation, distraction and detection of sophisticated intruders, and represents a new generation of honeypots. This is achieved through masking techniques, including the automatic creation of false markers (baits), as well as traps with medium and high levels of interaction (false targets). It attracts attackers by introducing hidden traps and markers. The traps look in every sense identical to real working IT assets and connected IoT devices. All of these factors disorient intruders; the system also creates and maintains an imitation of real network traffic between the traps.



The attackers managed to compromise an access point that was connected to the protected network through 2 intermediate network devices (which is why the Wi-Fi point leading into the ICS segment was not detected immediately). Once inside the 172.20.5.0/24 network, the attacker began to scan the network carefully, trying not to attract attention, without going beyond its limits and without touching the gateway.



Thanks to the traps deployed in this network segment, the scanning was easy to detect. However, no other traces were identified on the network.

Also, during the scan of the traps, an attempt to exploit the EternalBlue vulnerability was discovered, since network shares were opened on the traps without authorization.



Then the attacker began to change his IP address and scan the network again. This was repeated 3-4 times, and each time the scan was more massive; the “attacker” no longer tried to hide his presence in this network segment.



Early detection of the attacker made it possible to respond in time and find his connection point. Upon detection, the Wi-Fi point was immediately turned off, and then its password was changed to a more complex one.

During the night, scans within the network were also detected, but they turned out to be the organizers inventorying the network. The addresses of their scanners were added to the whitelist in TrapX.



A more interesting case happened last year. At the end of the confrontation, the organizers let the attackers into the industrial control system segment via Wi-Fi, suggesting that they simply attack vulnerable hosts, among which were completely outdated systems, for example Windows XP, which it was forbidden to patch. The attackers had about 40 minutes left. Having entered the network and scanned it, they came across the traps, which again attracted them with their open network resources. Watching the actions of the “intruders” in the TrapX interface, it was clear that they spent at least 5-7 minutes on each trap before understanding that nothing useful could be obtained from that host. Attempts to exploit vulnerabilities and to copy malicious files to the host were also revealed. The files were automatically placed in the TrapX sandbox and analyzed. All of them could be downloaded later for a detailed analysis and investigation of the attackers' actions. Because the attackers got bogged down in the traps, they did not have time to attack real targets.

In addition, decoys with fake accounts and the addresses of other traps were planted on all the traps. Such lures were also placed on real hosts to lead the attackers astray. As soon as the hackers tried to use these credentials, the attempts were immediately displayed in the SIEM system.
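The two TrapX-side detections described above (a source touching several trap hosts in a short window, and any logon with a planted decoy account) can be expressed as a small correlation routine over normalised events. This is an added example, not TrapX or SIEM code from the competition; the trap addresses, decoy usernames, allowlist and event lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed decoy inventory (hypothetical values, not the competition's):
# honeypot addresses and account names planted as bait on real hosts.
TRAP_HOSTS = {"172.20.5.201", "172.20.5.202", "172.20.5.203"}
DECOY_USERS = {"svc_backup_old", "scada_admin2"}
# Organizers' inventory scanners, whitelisted for scan alerts only.
ALLOWLIST = {"172.20.5.250"}

# Constructed events as a SIEM might normalise them:
# (timestamp, source IP, destination IP, event kind, account or None).
EVENTS = [
    ("2018-05-15 22:01:05", "172.20.5.77", "172.20.5.201", "connect", None),
    ("2018-05-15 22:01:06", "172.20.5.77", "172.20.5.202", "connect", None),
    ("2018-05-15 22:01:07", "172.20.5.77", "172.20.5.203", "connect", None),
    ("2018-05-15 22:04:30", "172.20.5.77", "172.20.5.10", "logon", "svc_backup_old"),
    ("2018-05-15 22:05:00", "172.20.5.12", "172.20.5.10", "logon", "operator"),
    ("2018-05-15 23:10:00", "172.20.5.250", "172.20.5.201", "connect", None),
    ("2018-05-15 23:10:01", "172.20.5.250", "172.20.5.202", "connect", None),
    ("2018-05-15 23:10:02", "172.20.5.250", "172.20.5.203", "connect", None),
]

def detect(events, window=timedelta(minutes=5), min_traps=3, allow=ALLOWLIST):
    """Return alerts for decoy-credential use and for trap-scanning sources."""
    alerts = []
    touched = defaultdict(list)   # source IP -> [(time, trap IP)] inside window
    reported = set()              # sources already reported as scanners
    for ts, src, dst, kind, user in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # A planted account has no legitimate user, so any use is high confidence.
        if kind == "logon" and user in DECOY_USERS:
            alerts.append(("DECOY_CREDENTIAL", src, user))
        if dst in TRAP_HOSTS and src not in allow and src not in reported:
            # Drop touches older than the sliding window, then count distinct traps.
            touched[src] = [(t0, d) for t0, d in touched[src] if t - t0 <= window]
            touched[src].append((t, dst))
            traps = {d for _, d in touched[src]}
            if len(traps) >= min_traps:
                alerts.append(("TRAP_SCAN", src, len(traps)))
                reported.add(src)
    return alerts
```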

Confrontation night


Night is the time for dirty tricks. At night, the attackers launched a raid into the camp of the virtual city's defenders and connected directly to the virtual city's systems. Despite being driven away by the huge fighting humanoid robots, the attackers managed to realize several attack vectors, including obtaining the password of the access point.

As I wrote earlier, the city falls asleep and the hackers wake up: at night the intensity of the attacks increased significantly. The attacking teams hoped that the defenders would lose their vigilance and allow the systems to be compromised.



Confrontation, the second day


On the last day of the “Confrontation”, the hackers made their maximum effort to attack the infrastructure.

“We must pay tribute to the attackers: they were experienced and trained guys. On the second day of the confrontation, the attacking team was able to gain access to the operator’s station through a TeamViewer session of the contractor who, according to the scenario, had set up the process control system. After unsuccessful attempts to install malware, they made a network scanner out of Notepad and the ping command in 5 minutes. The guys are on fire! Participation in such a competition requires concentrated knowledge, effort, experience and ingenuity from all members of the defense team. In this ‘battle’ we used the same arsenal we use when implementing projects to protect our real customers,” commented Ilya Sapunov, captain of the Jet Security Team and deputy head of the Jet Infosystems design department, on the team's participation.

The attackers entrenched themselves on the compromised SCADA workstation and examined the subnet for new targets. What is noteworthy is that the attackers used what was at hand (since the antivirus blocked downloading nmap, Metasploit, etc.): they detected “live” hosts using the ping command.



One of the teams set up a VPN server inside the attacked network to bring in reinforcements from the external Internet. Others downloaded control programs and control-system specifications from torrents.

The attackers on the financial system also became more active: the defenders from the Jet Antifraud Team repulsed several thousand illegitimate transactions.



To prevent fraudulent transactions, the Jet Detective software was used, in which the entire volume of transaction data was analyzed using both expert rules and ML models. Jet Detective has a set of algorithms for detecting illegitimate actions, developed on the basis of the experience of anti-fraud specialists.

Mathematical models helped the experts cope with the huge flow of data. Three kinds of models were used in the solution: classic supervised (“with a teacher”) models, which identify events similar to previously identified fraud; models aimed at identifying anomalies in the behavior of business objects and in the flow of various processes, both learned and expert-defined; and business-process control models aimed at identifying anomalies in technological and process chains of actions, which make it possible to assess deviations from the standard conduct of a particular operation or sequence of operations.

The business objects the system works with are data combined from various sources into a holistic business entity (for example, “Customer”, “Payment”, “Service point”, etc.). The system forms a profile of the object's typical behavior and identifies deviations from it. In this way, suspicious events that have not previously been recorded are detected.
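To make the profiling idea concrete, here is an added example (not Jet Detective's code or models) that builds a behavior profile for one “Customer” object from its constructed transfer history and scores a new payment with one expert rule (velocity) plus two anomaly checks (amount deviation, unseen recipient). The amounts, account names and thresholds are assumed values.

```python
import statistics

# Constructed history of one business object ("Customer"): past legitimate
# transfers as (amount in conventional units, recipient account).
HISTORY = [
    (1200, "ACC-MOBILE"), (950, "ACC-UTILITY"), (1300, "ACC-MOBILE"),
    (1100, "ACC-UTILITY"), (1000, "ACC-MOBILE"), (1250, "ACC-UTILITY"),
]

def build_profile(history):
    """Profile of typical behaviour: amount statistics and known recipients."""
    amounts = [a for a, _ in history]
    return {
        "mean": statistics.mean(amounts),
        "stdev": statistics.pstdev(amounts),
        "max": max(amounts),
        "recipients": {r for _, r in history},
    }

def score(profile, amount, recipient, recent_count, z_limit=3.0, velocity_limit=5):
    """Return (block, reasons) for a new transaction of this object.

    recent_count is the number of transfers already made in the current
    short window (assumed to be maintained by the caller)."""
    reasons = []
    # Expert rule: too many transfers in a short window.
    if recent_count > velocity_limit:
        reasons.append("velocity")
    # Anomaly: amount far above the object's typical behaviour (z-score),
    # with a fallback for a history that has no spread at all.
    if profile["stdev"] > 0:
        if (amount - profile["mean"]) / profile["stdev"] > z_limit:
            reasons.append("amount_zscore")
    elif amount > profile["max"]:
        reasons.append("amount_above_max")
    # Anomaly: a recipient never seen for this object.
    if recipient not in profile["recipients"]:
        reasons.append("new_recipient")
    # Block when the expert rule fires or two anomalies coincide; a single
    # anomaly (e.g. one new recipient) is left to pass to limit false positives.
    return ("velocity" in reasons) or len(reasons) >= 2, reasons
```

Tuning the threshold at which anomalies block is where the trade-off the team describes lives: blocking a legitimate payment shows up immediately as a false positive, while a missed one is a withdrawal.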

Despite the hackers' active attacks on the financial system, especially those that intensified at night, the defenders of the Jet Antifraud Team repulsed several tens of thousands of illegitimate transactions, not allowing a single one of them to go through. This is despite the fact that not a single component of a classical information security system was installed in the protected “bank”. At the end of the 30-hour non-stop competition, the organizers decided to turn off the anti-fraud system in order to give the attackers the opportunity to carry out some of their attacks on withdrawing money from the accounts of city residents. It was by taking advantage of this that the attackers ultimately became the winners of the “Confrontation”.

“These were a very tense 2 days. If on the first day there were very few attacks, which gave us a good amount of time to train the components and gather statistics, then the night, like last year, was full of attacks. Someone was playing a fairly straightforward game, trying to withdraw money to the target accounts of the attacking teams; someone was clearly testing our mechanisms for weaknesses, trying various kinds of operations and tangling their traces through internal accounts,” said Alexei Sizov, captain of the Jet Antifraud Team and head of Jet Infosystems' anti-fraud solution implementation department. “It is generally quite difficult to make quality decisions when an incorrect blocking of operations is immediately reflected on your account. The organizers did a lot to bring the anti-fraud as close as possible to combat mode, and the sizable flows of legitimate operations (top-ups of mobile operator accounts, utility payments and operations of simply ‘law-abiding citizens’) did not allow the analysts to relax for a minute. But the result speaks for itself: in 29 hours not a single missed operation, only a few false positives for every 1000 fraudulent attempts, and after our disconnection more than 60,000 operations and the withdrawal of all the bank's ‘reserves’ in just 20 minutes.”

With the Jet Detective system running, the attackers failed to carry out a single illegitimate transaction. Only after the system was completely shut down were the attackers able to transfer funds to their own account. The Hack.ERS team managed this at the very end of the competition, quickly taking first place. Just like in life: if you do not protect your finances, they will be taken away immediately.

Impressions:


Alexey Sizov, captain of the Jet Antifraud Team, head of the anti-fraud solution implementation department of Jet Infosystems: “The impressions are unforgettable; our result speaks for itself. However, in our segment some attacking teams clearly lacked time and experience in attacking banking mechanisms. At night I wanted to give the attackers a couple of hints for their attempts. Brute force allowed them to achieve a result after our disconnection, but there were still many more interesting options. We will wait for their implementation next year )”

Ilya Sapunov, captain of the Jet Security Team: “The event went in different directions. Preparation had to be done in a very short time. The serious line-up of the opponents kept our team in suspense and constant readiness. Unfortunately, the time available for the attackers to develop their attacks was significantly limited. I hope that the next event will bring a more active and dense confrontation.”

Conclusion


The Confrontation contest is one of the most exciting events in the Russian information security community: it lets you test your skills in real time, both in penetrating and in protecting critical infrastructure, and confirm the correctness of the chosen solutions and tactics.

See you next year!

Source: https://habr.com/ru/post/358554/
