Cyber Polygon 2024 highlights

On September 10–11, 2024, BI.ZONE hosted the Cyber Polygon training. It was held within MENA International Security Conference in Riyadh, Saudi Arabia. This report provides details of the training and its results.

What is Cyber Polygon

Cyber Polygon is an international online training for raising global cyber resilience. Its main goal is to reinforce cybersecurity on all levels.

This event helps corporate teams to improve their skills in responding to cyberattacks, industry professionals to build up their practical knowledge, and the general public to boost their digital awareness.

The training debuted in 2019, and in 2021 it attracted 200 teams from 48 countries and 7 million viewers across 78 countries.

300+ organizations from 65 countries took part in Cyber Polygon 2024

Cyber Polygon 2024

In 2024, Cyber Polygon was held online on BI.ZONE Cyber Polygon Platform and lasted 24 hours. Many international organizations took part in the training: from CIS countries, Belgium, Colombia, France, India, Indonesia, Malaysia, Mexico, Saudi Arabia, Spain, Switzerland, the UK, the USA, Vietnam, etc. The teams represented various industries, including finance, e-commerce, and education.

Figures: participating countries; represented industries
Below, we talk about the scenario, the mechanics, the process, and the leaders of Cyber Polygon 2024. We also share the conclusions and recommendations following the training results.

Scenario

Cyber Polygon 2024 was based on the scenario Intelligent assault: a game of destruction. The teams investigated a sophisticated targeted cyberattack, using classical digital forensics and threat hunting techniques.

Theme

The tasks for the scenario were chosen deliberately: they reflect the most prevalent risks in the current threat landscape. Information systems are getting more complex, while machine learning and artificial intelligence are increasingly integrated into our daily lives. New technologies are more vulnerable to attacks than conventional, familiar tools.

We are also witnessing trends toward deploying infrastructure in clouds and using containerization tools. In the training exercise, we emphasized the consequences for the IT infrastructure if these tools are not configured correctly.

In our scenario, we decided to combine actual incidents from BI.ZONE practice, encountered by SOC, DFIR, and CSIRT teams. The result was a complex but quite real targeted attack.

One of the key points of the scenario was an attack on the Kubernetes container orchestration system, which spanned both R&D segments: R&D Dev and R&D Prod. To investigate the attack, the teams had to:

  • use Kubernetes audit and Tetragon logs
  • analyze the disk memory dump from the attacked host
  • access the telemetry in ELK to search for attacker activity
  • examine files
  • review the tactics and techniques used by the attackers
  • study numerous logs and records
  • search the Internet for details

Format

Response skills and a sharp eye are crucial for cybersecurity specialists to quickly repel an ongoing attack. Our main vision in designing the training format was to let the participants experience real attacker tactics and techniques in a safe environment that would closely mimic real investigative operations.

In this regard, a cyber range proved to be the ideal format. It helped the teams practice remediation along the entire attack chain. The artifacts were chosen to underline their importance for understanding the attack vector and preparing further response actions.

Cyber range trainings are not just an effective way to immerse your security specialists in life-like attack situations, but also a chance for top management to assess the resilience of their security teams and identify the weak points in their defenses.

Plot

The participants had to investigate a cyber incident at MerkuryLark, a fictional company that is developing an application powered by artificial intelligence.

The story goes that after a successful release of the product, the company enters into several multimillion-dollar contracts. However, their AI model soon begins to deteriorate. At the same time, a competitor company announces the development of a similar product at a lower price. MerkuryLark is near collapse.

The company management suspects that the internal infrastructure has been compromised and all developments stolen. While intellectual property specialists are reviewing the competitor’s solution, the company invites a team of cybersecurity experts to investigate the incident. Each participating team took on the role of those experts and carried out an investigation of a possible compromise.

Infrastructure

According to the scenario, the teams retraced the attackers’ moves from one IT segment to another and gradually unraveled the whole chain of attack. At each stage, the teams had to use new artifacts from the provided archives and come up with non-standard solutions.

It all began with studying the telemetry. As the scenario progressed, participants had to search for answers on the Internet and social networks, as well as download and research specialized utilities. Other stages involved extracting data from a disk image, reviewing raw logs, reverse engineering and examining scripts left by the attackers.

This was made complicated as the infrastructure was partially deployed in containers, and the target company was running a machine learning model that the teams also had to research.

Figure: the segments making up the company infrastructure.

The infrastructure had closely integrated services and applications running inside Kubernetes, namely:

  • GitLab, Vault, and Harbor
  • GitLab and AirFlow
  • Kubernetes, Apache Airflow, and the S3 object storage (Simple Storage Service)

We also deployed a working training pipeline for the ML model. The DMZ, Admin, and Internet segments were not operable for the scenario, but we implemented them to make the virtual infrastructure as close as possible to a real one.

Training mechanics

All activity took place on BI.ZONE Cyber Polygon Platform. The teams were asked to download and locally deploy a virtual machine image with the necessary investigation tools.

Since BI.ZONE Cyber Polygon Platform is intended for individual training, we had to customize it for corporate teams:

1. The scenario was split into stages
The training scenario consisted of five stages. Each stage corresponded to a specific segment of the company infrastructure where the investigation took place. Completing all the tasks in a given segment would unlock the next segment. Thus, the teams were able to examine the actions of attackers in different segments and compose an overall picture of the incident.
2. The tasks were adapted to be solved in teams
Within each segment, the participants could see all the tasks, and answers could be submitted in any order. This allowed the teams to allocate internal resources to solve different questions in parallel and to pass the scenario faster.
3. The platform was adapted for easy training from anywhere in the world
We dropped offensive mechanics that require specialized infrastructure and focused on defensive mechanics instead. This made it possible to run the scenario online and to use virtual machines with artifacts and tools without affecting the corporate infrastructure.
4. The investigation was made to mimic real cases
In addition to telemetry, we added a disk image of the attacked machine, an internal GitLab repository, and scripts left behind by the attackers as artifacts to be analyzed. This expanded the skill set that the teams typically use when investigating cyber incidents and allowed it to be applied in a practical context.
5. Proprietary software was excluded from the scenario
This time, we did not provide the EDR logs for investigation. This was done to create equal conditions for all participants who prefer different vendors. In addition, the plan was to improve the teams’ skills in classical forensics. Many of them had to recall the basics of working with open-source tools. This is important because, in a real incident, it is not always possible to apply proprietary tools as they might simply be unavailable.
6. Anonymity was introduced for the participating organizations
The teams operated under unique nicknames. This way, organizations that for various reasons avoid publicity, especially in cybersecurity issues, could participate in the training. Those who wanted publicity were free to reveal themselves in the nickname.

Process

Start and team strategies

The training began at 12:00 p.m. (UTC+3) on September 10. At that moment, we published the password to the archive with artifacts, which the participants could download in advance.

The teams almost immediately picked their own strategies. Some of these were not very successful; others, on the contrary, laid the foundation for success from the very beginning.

Some teams started by revealing all the hints at once, knowing that they would lose points for this. Others took breaks, expecting to return to the scenario with a clear mind and catch up with the rest. As a result, the former ran short of points and the latter ran short of time to advance.

The teams that had practiced solving scenarios beforehand and understood the mechanics of the platform started to take the lead. These teams would use the hints conservatively while trying to finish all the tasks and get the maximum number of points. Some teams distributed internal resources wisely: as some members unpacked and loaded artifacts into the toolkit, others tried to answer questions that did not require the use of artifacts.

The winning strategies in many ways overlapped with the strategies applied in real-life incident response. One of the response team’s primary tasks is to figure out what happened as quickly as possible: what the attacker has already done, what steps they can take, and how to prevent their further actions. Time and focus play the most important role in this process.

Results and leaderboard

The Cyber Polygon 2024 training scenario had to meet the following criteria:

  • allow participants to assess and develop relevant incident investigation and response skills
  • fit the allotted 24 hours
  • keep the intrigue, with the teams competing for top ranks on the scoreboard
  • be challenging and educational for the teams and audience

How it turned out:

  • The teams were able to test and develop the following skills:
    ‐ cybersecurity
    ‐ digital forensics
    ‐ incident response
    ‐ analysis of various threats, vulnerabilities, and data from different sources
  • The teams investigated the full chain of attack that we put together using real-life cases.
  • The first finalists finished the track 19 hours after the start of the event.
  • The scenario was quite challenging, but the teams still coped with most of the tasks. The teams that took the top three ranks scored 3450, 3240, and 3130 points respectively out of a possible 4020.
  • The leading teams progressed through the scenario with a small gap between them, occasionally overtaking each other. The competition remained tight all the way through until the final moments of the training. As a result, the difference between first and third place was only 320 points.

Top 10 teams at the end of the training:

  Rank  Team            Score  Industry
  1     SuperJet        3450   IT/cybersecurity
  2     ASOCial         3240   IT/cybersecurity
  3     ALTF4           3130   Finance
  4     FFFF            2805   Metallurgy
  5     S.H.I.E.L.D     2770   IT/cybersecurity
  6     BuffaloHunters  2370   Public sector
  7     NLMK_SOC        2060   Metallurgy
  8     YSOC            1950   IT
  9     S.H.I.E.L.D.    1535   Metallurgy
  10    Soliders        1515   IT/cybersecurity

Conclusions and recommendations

Key takeaways

  • The most successful teams used all the time they had for the investigation, limited their use of hints without hunting for errors in the platform’s mechanics, and came prepared after practicing other scenarios on the platform in advance. The same holds when investigating real cyber incidents: breaks and pauses are often unacceptable, relying on the attackers making mistakes is hopeless, and early preparation determines much of the end success.
  • Commercial MSS providers showed the best results, outperforming the teams from the financial, manufacturing (metallurgy), and public sectors that also made the top 10.
  • The teams were used to working with specialized tools like EDR, XDR, and SOAR, relying on automation, and were less likely to apply classical digital forensic techniques.
  • Teams were more successful in container security and digital forensics compared to previous years. The bigger challenge was to analyze the expanded set of artifacts and to deal with modern attacker tactics such as phishing, container escape, CI/CD attacks, etc.

Recommendations for specialists

  • Conduct regular hands-on training, both in teams and individually. Skilled teams can effectively repel targeted attacks and stop random attacks even when the attackers are inside the infrastructure.
  • Practice classical digital forensics; master open-source tools and raw data processing.
  • Get to know the related areas of cybersecurity: offensive, secure software development, etc.
  • Study the attacker tactics and techniques. Our Threat Zone research contains much useful insight:
    ‐ threat actors active in different countries and their descriptions
    ‐ attacker techniques and tools
    ‐ BI.ZONE case studies

  • Practice the purple team format. This approach combines the strengths of the red and blue teams through continuous interaction and information exchange between them.
  • Go through the scenario again without time constraints. It is available via subscription on BI.ZONE Cyber Polygon Platform.