What is Cyber Polygon?
Cyber Polygon is an annual online event which connects various global organisations to train their competencies, exchange best practices and bring tangible results to the world community.
The event combines:
- an online conference featuring senior officials from international organisations and experts from leading corporations
- the world’s largest cybersecurity exercise for corporate technical teams
- video materials containing presentations from cybersecurity experts, which this year will also be available to viewers and participants
What is the theme of Cyber Polygon 2021?
The event is dedicated to secure ecosystem development.
- The conference will draw together leading global experts to discuss the key risks of digitalisation and best practices in developing secure ecosystems.
- During the technical exercise, the participants will practise mitigating a targeted supply chain attack on a corporate ecosystem.
- The expert track will feature renowned cybersecurity professionals from various countries who will explore practical aspects of protecting large corporations.
Do I need to register to join the event?
You don’t need to register to access the online conference and expert materials. The conference will be streamed to the Cyber Polygon home page, and the presentations will be posted to a dedicated page on the 9th of July. All content from the event will be available for later viewing.
If you are interested in taking part in the practical cybersecurity training for corporate teams, please submit your application or contact us at firstname.lastname@example.org. We invite you to read more about participation and the training on the Training page.
Who might find the conference interesting?
The live stream is aimed at executives, senior officials and anyone who wants to learn more about the prospects and challenges of digital transformation within the corporate ecosystem, approaches to its secure development, the digital future of states and the role of cybersecurity in these processes.
Do I need to register on the website to watch the conference?
How long will the conference go on for?
The live stream will start at 12:00 (UTC+3) and is expected to run until 18:00 (UTC+3). Stay up-to-date on the agenda.
What will the conference include?
The agenda features globally renowned experts from the World Economic Forum, INTERPOL, the International Committee of the Red Cross and international corporations. The speakers will address the security of ecosystems and supply chains, child safety in cyberspace, secure digitalisation of entire countries and the future of financial markets.
Where and when can I watch the conference?
The event will be streamed to the Cyber Polygon home page on 9 July 2021.
Will the video be available afterwards?
The full video of the conference will be available after the event on the Gallery page. You can also watch each session separately.
What will the materials for technical specialists include?
The uploaded materials will include presentations from cybersecurity experts, who will speak about the latest trends in cyberattacks, supply chain protection, cloud service security, etc.
Who may be interested in the video materials?
The content will be useful for IT and cybersecurity specialists who want to improve their practical skills.
Where and when can I watch the presentations?
The content will be posted to the Cyber Polygon website on the 9th of July. All recordings will be available for later viewing.
Who is this training for?
Cyber Polygon aims to develop the skills of IT and cybersecurity specialists. We invite dedicated teams from organisations to participate.
The online exercise is designed for companies where cybersecurity is not a core business, but who seek to develop professional skills of their internal teams. The training will not be relevant for specialised cybersecurity organisations, though they are very welcome to watch the conference and video materials from industry experts.
What will the training include?
The participating teams will train their skills in repelling and investigating an attack by going through two scenarios:
- Defence. The teams will practise real-time response to a series of targeted attacks on a business-critical system. These attacks are part of a premeditated large-scale intrusion.
- Response. The teams will gain hands-on experience investigating a successful supply chain attack. They will hone their skills in applying classical digital forensics and threat hunting techniques.
How to become a participant?
What is the team size limit?
The number of specialists in a team is not limited.
What kind of specialists are good for the team?
The training is tailored for cybersecurity and IT specialists of various backgrounds. It would be beneficial for teams to have forensics, security analysis and SOC specialists as members.
Can independent and unaffiliated teams take part in the training?
No, training participation is open strictly to organisations.
How many teams can represent one organisation?
Only one team per organisation.
Could an organisation join the exercise as a Red Team?
No, the Red Team is represented by the organisers. All participants are on the Blue Team side and work to protect their segments of the training infrastructure. The training aims to develop the skills of specialists in defending corporate systems.
Do I need to go anywhere to participate in the training?
No, the participants can join the training from anywhere in the world. All tasks will be performed remotely: the teams will be given access to a virtual cloud infrastructure to go through the first scenario and an archive with the information required for the second scenario.
How long will the training go on for?
The training will last from 12:00 (UTC+3), the 9th of July, until 12:00 (UTC+3), the 10th of July. Since this year we have added more tasks, the Blue Teams will be given more time and will be allowed to take breaks.
How to prepare for the training? Will any additional resources be required?
Participation in Cyber Polygon requires no additional resources.
In order to better prepare for the training, we suggest reading a series of articles on the Publications page: this will help to get some knowledge on practical cybersecurity. Our online library is constantly expanding. Sign up for news and stay up-to-date on new publications.
When will access to the virtual cloud infrastructure be provided?
The infrastructure will become available on the 9th of July at 12:00 (UTC+3), i.e. 1 hour before the start of the first scenario.
However, the Blue Teams will be given VPN access 1 week in advance to check the connection (but the infrastructure won’t yet be available).
Further, 2 days before the exercise, the Blue Teams will get access to their private accounts, which also will include the rules for the training.
Do I need to install any software to connect to the cloud infrastructure?
Each team member needs to install the OpenVPN client to prepare for the first scenario. An installation and setup guide will be emailed to the registered participants. We recommend checking beforehand that OpenVPN is not blocked by your corporate security rules.
How many participants can connect via VPN at a time?
Each team will have a dedicated OpenVPN account, which does not limit the number of simultaneous connections. However, the recommended limit would be 10 connections at a time.
Will the teams receive any instructions or hints on what needs to be done to solve a particular task?
In their private accounts, the Blue Teams will find:
- scenario rules
- description of the tasks within each scenario
- hints and additional materials on the topic
With the help of these materials, the participants must understand how to cope with the tasks by themselves.
Will the teams receive any technical support during the exercise?
Yes, the Blue Teams that have encountered technical issues with their account, VPN connection, etc. can contact the organisers via a special messenger in their private account.
Will the Blue Teams have root access to interact with the servers?
Yes, we will provide root access to the participants.
How will the participants access the server?
The Blue Teams will first connect to the training infrastructure via OpenVPN and then to the server via SSH.
Will the servers have public IPs or only be accessible from a private network?
The servers will only be accessible via a VPN. Around 1 week before the event, the Blue Teams will receive instructions and credentials to set up the VPN.
Scenario 1. Defence
Will the Blue Team have a list of vulnerabilities similar to that of the Red Team (according to the legend)?
The Blue Team will not have a list of vulnerabilities. The Blue Teams should independently analyse the service code and the Red Team’s network activity to determine which attack vectors the Red Team is using.
How is the service performance monitored? What are the accessibility criteria (port availability, response code, accessibility of a page with specific text)?
The service must function as intended by the developer. If there is a registration page, the user must be able to register successfully with the correct set of input parameters. If there is an intended messaging feature, messages must send correctly. If there is a file upload form, files of the permitted format and size must load to the server successfully.
The application functionality is fully tested: if at least one component does not function properly (for example, the Blue Team removed the API endpoint for uploading files), the service will be rendered unavailable.
Files can be uploaded to the server through the API endpoint /upload. An attacker can upload a file with the .php extension and execute arbitrary code on the server.
Correct solution: add filtering by type of uploaded files (prohibit uploading files with the extensions .php, .php3, .php5, .phtml). In this case, legitimate files (for example, images) will be uploaded to the server, and the service will not be marked as unavailable.
Wrong solution: disable the API endpoint. In this case, legitimate files (for example, images) will not be uploaded to the server, and the service will be marked as unavailable.
In order to determine which functionality is legitimate and what changes will affect service performance, we recommend following sound logic :)
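As an added illustration of the "correct solution" versus the "wrong solution" above, here is a small upload validator written for this FAQ. It is example code, not part of the Cyber Polygon training service (which the page describes as Scala/ReactJS based) and not the organisers' checker. It denies the four PHP extensions the FAQ lists while still accepting legitimate images, which is what keeps the service marked as available. It goes slightly beyond the text: the check is case-insensitive, it inspects every extension segment (so a name like shell.php.jpg is refused, since some web servers map handlers on any segment of the name), it only accepts an allowlisted image type whose first bytes match, and it stores the file under a server-generated name. The image allowlist, the magic-byte table, the size limit and the sample requests are assumptions constructed for the example.

```python
from __future__ import annotations

import secrets
from pathlib import PurePosixPath

# Extensions the FAQ says must be refused (server-side PHP handlers).
BLOCKED_EXTENSIONS = {"php", "php3", "php5", "phtml"}

# What the upload form is meant to accept. Assumed for this example:
# the training service's real allowlist is not given on the page.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes for each allowed type, so a .png that is not a PNG is refused.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed size limit


def extension_chain(filename: str) -> list[str]:
    """All extension segments of the base name, lower-cased.

    'Shell.PHP.jpg' -> ['php', 'jpg']; directory components are dropped so a
    client-supplied path cannot influence the result.
    """
    name = PurePosixPath(filename.replace("\\", "/")).name
    parts = name.lower().split(".")
    return [p for p in parts[1:] if p]


def validate_upload(filename: str, content: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> tuple[bool, str]:
    """Return (accepted, reason). Accepts only allowlisted images."""
    if not filename:
        return False, "missing filename"
    if len(content) > max_bytes:
        return False, "file too large"
    chain = extension_chain(filename)
    if not chain:
        return False, "no file extension"
    # Refuse if any segment is a blocked extension, not just the last one.
    if BLOCKED_EXTENSIONS & set(chain):
        return False, "blocked extension in name: " + ".".join(chain)
    final = chain[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist: " + final
    if not content.startswith(IMAGE_MAGIC[final]):
        return False, "content does not match claimed type " + final
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name for an accepted file: random token plus the
    verified extension, so the client's name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{extension_chain(filename)[-1]}"


def handle_upload(filename: str, content: bytes) -> dict:
    """What a hardened /upload handler would return for one request."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        return {"status": 400, "error": reason}
    return {"status": 201, "stored_as": storage_name(filename)}


# Constructed sample requests: a legitimate image, the FAQ's attack case,
# and a few variants the simple "last extension" check would miss.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_REQUESTS = [
    ("cat.jpg", SAMPLE_JPEG),
    ("shell.php", b"not an image"),
    ("shell.PHP", b"not an image"),
    ("shell.php.jpg", SAMPLE_JPEG),
    ("fake.png", SAMPLE_JPEG),
    ("notes.txt", b"hello"),
]


def run_samples() -> list[tuple[str, bool]]:
    """Accept/reject decision for each constructed sample request."""
    return [(name, validate_upload(name, body)[0]) for name, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS:
        print(f"{name:16} -> {handle_upload(name, body)}")
```

Disabling the endpoint altogether, the FAQ's "wrong solution", is the same as this handler returning 400 for every request: the attacker is stopped, but so is the checker's legitimate image upload, and the service is scored as unavailable. Filtering keeps the legitimate path working while closing the one the attacker needs.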
How much time do the Blue Teams have to install and configure their security tools? Are they given a handicap for fixing vulnerabilities?
We give the Blue Teams 1 hour to prepare before the start of the scenario.
Are the Blue Teams allowed to use packet filtering (firewall) — for example, to block the attacker’s IP address?
Packet filtering is permitted. It is also possible to block the attacker’s IP address, but this will render the service unavailable since the checker traffic (which can be considered as legitimate user traffic) and the attacker traffic are indistinguishable at the network level (both have the same IP address). In this situation, the Blue Team will lose SLA points but keep HPs. Thus, with the right approach, blocking the attacker’s IP address can improve the final result.
Is it allowed to carry out DoS/DDoS attacks on the infrastructure and services?
DoS/DDoS attacks on the infrastructure of either the Red Team or other Blue Teams are strictly prohibited and may result in a score of zero for the task. The Red Team will not be using DoS/DDoS as an attack method.
How is service availability controlled during an attack?
The Red Team won’t carry out attacks that may affect service availability. The availability of the service may only be affected by the actions of the Blue Team (for example, misconfigurations of the defences or incorrect changes to the service code).
What tools will be available for the first scenario?
The Blue Teams will be given full access to their Linux-based virtual machine and will be able to apply any tools and defences they prefer. Virtual machine configurations and a list of technologies recommended for the task will be published later.
What technologies and software will be used in the first scenario?
Indicatively: Docker, Docker Compose, Git, GitLab, Harbor, Jenkins, Scala, ReactJS.
Scenario 2. Response
What is the Threat Hunting platform? How can the participants get access to it?
The Threat Hunting platform contains free Kibana and Elasticsearch products pre-installed in the virtual machine image. Each Blue Team will receive this image in advance.
The participants will need to import the image to their preferred desktop virtualisation software (VMware Workstation, VMware Fusion, Oracle VM VirtualBox) and use it to create a virtual machine. This virtual machine will contain a password-protected archive with EDR and network sensor data. The password to the archive will be unlocked in the private account at the start of the second scenario. After unpacking, import the archive to Elasticsearch according to the instructions.
Do the participants receive a short guide or a demo of the Threat Hunting platform?
The platform will be built using the free Elasticsearch and Kibana products, so no special instructions are needed. It is enough to be able to run search queries in the Kibana interface and analyse the results. The Blue Teams will be given access to a virtual machine with the Threat Hunting platform a few days before the exercise. They can use the test data in the virtual machine to practise working with the Kibana interface.
Will EDR be constantly collecting telemetry from the hosts and sending it to the Threat Hunting platform during the scenario?
No, there won’t be any telemetry collection. All the data from EDR will be uploaded to the Threat Hunting platform in advance, before the training starts.
Will the participants receive documentation for EDR to be analysed using the Threat Hunting platform?
A few days before the training all Blue Teams will be given access to online EDR documentation, which describes all types of events and their fields.
Is there any penalty for wrong answers? Is the number of attempts to solve the task limited?
Blue Teams are not penalised for giving wrong answers. The Blue Teams will have 5 attempts to answer each question. If a team fails to provide the correct answer in all 5 attempts, the task is withdrawn.
All Blue Teams start off with the same points (e.g. 200). Each hint is worth, say, 40 points. If the task is solved without any hints, the full 200 points are awarded. Is the value of used hints deducted from these points otherwise?
All Blue Teams start off with 0 points. A correct answer adds the points for the question to the total score. If hints have been used, the points for the question are added minus the deductions for the hints used.
Are the hints revealed in order or at random?
The hints can only be opened in order. For example, the Blue Team solves all the tasks without turning to the hints and gets stuck on the final problem — by using the hint for the final problem, the Blue Team loses all rewards for that question.