When the city falls asleep ...

The opening of PHDays died down, several thousand people passed through our virtual city and slightly fewer people listened to the reports. The hall is empty, the hackers tried to crack the defenders. Defenders, in turn, tried to see the attacks in order to fight off hackers. And everything was somehow sad, if not even sad.

Who was on PHDays in the WTC (International Trade Center), he certainly remembers how everything is arranged there. Tables of hackers on the left, tables of defenders on the right. Between them, the layout of the city and several racks with equipment. In the racks is usually equipment that does not make sense or not interesting to place in the server. These are, for example, cabinets with controllers for a city layout, cabinets with equipment for an automated process control system, some access points, switches and a whole bunch of everything that is needed right here at the site. Because preparing for the event is really serious for the organizers, the main criterion for placing and connecting equipment in the rack comes down to one thing - to work.


')
So here. 10 o'clock in the evening, everyone was tired of the daily rush, loud speeches and music. Finally, it was possible to walk around the hall, stretch your legs. The attackers have long been eyeing unclosed racks with switches and then wondered: "What if you connect directly?" And let's try to connect our laptops and access points directly to one of these switches. Fortunately, the organizers did not exist or they did not explicitly interfere.

At first, our team looked from afar at these attempts to connect. But we always remembered that in order to ensure the integrity, confidentiality and availability of information, it is necessary to keep an eye on physical security. This is also because the presence of an attacking team in the segment in the immediate vicinity of our network did not at all please us. So pretty soon a group of strong defenders from several teams was formed, who politely asked not to connect their unsafe devices to the ACS network, since this could lead to an emergency, and something could happen to our virtual city, such as a fire at a refinery. The struggle went on with varying success, but the advantage was in favor of the defenders.



However, the hacker teams were decent and resourceful. While the struggle was at the racks, the attackers connected the access point directly to the organizers switch, making it relatively unnoticeable: the switch was under the table, and all the tables at the event were covered with such large tablecloths. But it did not pass by the teams of defenders. We turned off the access point and waited for the owner to come for it ...

That was the 2017th year. The 2018th in terms of the organization of space, racks and other things was not very different. Therefore, we tried to take into account the experience of past years, the tactics of polite force and include a bit of social engineering. Knowing that the attackers would try to connect to us at night, we prepared.

• Analyzed all network equipment in our area of ​​responsibility.
• We got administrative access to it (in this situation, the most daring was to reset the password on the MOX switch at night — while we were in a hurry preparing for a cyber battle, the password was lost from it).
• Configured notification in case of status changes of switch ports.
• Something else done.

And now Standoff night was already 2018. Organizers were not (at all). Everything was basically repeated. The attackers first made single attempts to connect, then they did it more and more actively. But we also learn. They didn’t guard the security, but the unused ports on our switches were turned off. So that by mistake or not to specifically disable some kind of controller, we mixed with a crowd of people who enthusiastically connected something to free ports, mysteriously listened to wireshark and tcpdump. They helped stick long patch cords, look for working ports, advised something - in general, they tried not to stand out, but to watch out for our protected infrastructure to remain unchanged in terms of network connections. There was one case: someone from the attackers connected a laptop to the port, the link did not rise, but he persistently waited for something in wireshark ...

If with physical connections in 2018 everything was fine, then with a wireless network such things did not work. And at night, the password from the access point in the closet of the automated process control system entered into the network and immediately got access to the protected network segment. After seeing a bunch of alerts, we quickly figured out which segment and port on which the attack took place and turned off the uplink to the access point. Perhaps it was not entirely fair, but the organizers were asleep, and there was simply no one to coordinate actions to prevent the attack ...

In 2019, the event organizers slightly changed the format of the CTF to PHDays, including the site. Full details of how it will look are not yet known. And perhaps the issue of physical protection will not be so acute. Nevertheless, we are promised a more interesting and challenging competition. There is already quite a bit of time left, and we will find out what surprises PHDays-2019 will bring us.

Ilya Sapunov, the head of the design group of the Information Security Center of Jet Infosystems