Training
During the online exercise at Cyber Polygon 2021, the teams will practise response actions at the moment of a targeted supply chain attack on a corporate ecosystem.
Theme

Recent years have seen a surge in the number of attacks targeting supply chains. Given the global trend towards the development of ecosystems across the business community, the vulnerability of supply chains has become a growing concern. With that in mind, the central theme of the training this year will be ecosystem security and mitigation of supply chain attacks.

Since the training proved effective last year, we have retained the existing format, with just a few changes to accommodate the wishes of the teams. The exercise will include two scenarios — Defense and Response.

Roles
Red team
Red team
Training organizers from BI.ZONE,
simulate the attack
Blue team
Blue team
Participating teams, protect their segments of the training infrastructure
Timing

12:00 (UTC+3), 9 July: the virtual infrastructure for the first scenario will become available. The blue teams will have 1 hour to prepare.

12:00 (UTC+3), 9 July: the virtual infrastructure for the first scenario will become available. The blue teams will have 1 hour to prepare.

13:00 (UTC+3): the red team will start a simulated attack on the blue teams’ training infrastructure. The first scenario will run for 4 hours.

17:00 (UTC+3): the participants will be given their credentials and access to the second scenario, including the necessary materials. They will have 19 hours to go through the scenario, which should ideally include breaks.

The training will finish on 10 July at 12:00 (UTC+3).

Rules
  1. The training is open only to organizations. Please use your corporate email to apply.

  1. The training is open only to organizations. Please use your corporate email to apply.


  2. One organization — one team. The number of members is not limited.


  3. The training is tailored for practising cybersecurity and IT professionals of various backgrounds. It would be beneficial for teams to have forensics, security analysis and SOC specialists as members.


  4. All tasks will be performed remotely: the teams will get access to a virtual cloud infrastructure.


  5. In addition to the pre-installed software, the participants are allowed to use any applications and utilities that will help to protect their segments of the training infrastructure.

  6. The training is designed as an educational exercise rather than a competition, hence its results will be anonymised.


Scenario 1. Defense

The teams will practise deflecting a large-scale attack in real time.

The teams will practise deflecting a large-scale attack in real time.


Goal

Develop skills for repelling targeted cyberattacks on a business-critical system.


Legend

During an attack, an unknown hacker group could gain network access to a segment of the virtual corporate infrastructure. This segment contains services responsible for the continuous integration and deployment of the company’s web application.

The threat actors could not gain access to the virtual servers but stole large amounts of information about the application being developed, including parts of the source code and development documentation.

The group’s main target is the user data processed by the application. To this end, the attackers are planning to use the stolen information to tamper with the development process and embed backdoors into the application. The group would then be able to proceed to the final stage: attack the application in the production environment and take possession of the desired data.


Blue team Actions

The participants will have to:

  • contain the attack as fast as possible
  • ensure the security of the application’s supply chain
  • minimise the amount of compromised information
  • maintain the availability of the target web application and the entire supply chain

The blue team can apply any methods and tools to protect their infrastructure. They can also fix system vulnerabilities by improving the service code and configuration.

Scenario 2. Response

The teams will investigate the incident by applying classic digital forensics and Threat Hunting techniques.

The teams will investigate the incident by applying classic digital forensics and Threat Hunting techniques.


Goal

Develop skills in incident investigation based on a successful phishing attack.


Legend

The blue team protects the ecosystem of a large group of companies. One of the workstation users at the parent company reports suspicious files in a directory. The investigation identifies the vector of compromise, specifically, the update installed on a business-critical application being developed by a subsidiary.

The blue team will be granted access to the parent company’s Threat Hunting platform, which aggregates EDR and NTA events. The participants will be tasked with finding as many artifacts of the incident as possible by applying the Threat Hunting approach.

Further, the team discovers that the infrastructure has been compromised through a modified update installed on a business-critical application. The update was provided by a subsidiary structure in charge of software development. Therefore, the focus of the investigation will switch to the subsidiary’s infrastructure.

The subordinate organization does not use any EDR solution. For this reason, the participants will have to resort to classic forensics and find as many artifacts of the breach as possible.


Blue team Actions

In both cases, the blue team will have to solve a number of tasks, analysing the data provided, but the analysis methods will differ.


Parent company

The participants will investigate the incident by applying the Threat Hunting approach, gathering telemetry from the hosts and network server.


Subsidiary

The blue team will investigate the incident using the methods and tools of classic digital forensics.

Scoring

The total score of a team is the sum of points earned in the two scenarios. Each scenario uses its own scoring method.

The total score of a team is the sum of points earned in the two scenarios. Each scenario uses its own scoring method.


Scenario 1

Points are awarded for two indicators: SLA and HP.

SLA (Service Level Agreement) indicates the integrity and accessibility of a service. It is measured as a percentage.

The resulting SLA value is calculated as the percentage of successful checks (when the service is available and fully functional) to the total number of checks.

The checker can access any service several times per round, but each team’s services will be checked an equal number of times.

HP (Health Points) indicates the presence of vulnerabilities in the service and the ability to withstand attacks. It is presented as a simple numerical value.

Before the start of the attack, each participant will receive the same number of HP, which is equally distributed between application vulnerabilities. Every time the red team successfully exploits a vulnerability in the service and captures the flag, the blue team will lose HP.

The more vulnerabilities the red team is able to exploit, the more HP will be lost. HP is deducted once per round.

The final score is calculated as SLA x HP.


Scenario 2

The number of points awarded for the answer depends on the complexity of the task.

Each task has several hints available. Using these hints will reduce the number of points for the answer. The hints can only be opened in the listed order.

The hints can include references to some detailed sources to help the participants expand their knowledge on the subject. The last hint provides a detailed description of actions that will bring the team close to the answer.