Cyber Polygon 2024 highlights
On September 10–11, 2024, BI.ZONE hosted the Cyber Polygon training. It was held within MENA International Security Conference in Riyadh, Saudi Arabia. This report provides details of the training and its results.
What is Cyber Polygon
Cyber Polygon is an international online training for raising global cyber resilience. Its main goal is to reinforce cybersecurity on all levels.
This event helps corporate teams to improve their skills in responding to cyberattacks, industry professionals to build up their practical knowledge, and the general public to boost their digital awareness.
The training debuted in 2019, and in 2021 it attracted 200 teams from 48 countries and 7 million viewers across 78 countries.
Cyber Polygon 2024
In 2024, Cyber Polygon was held online on BI.ZONE Cyber Polygon Platform and lasted 24 hours. Many international organizations took part in the training: from CIS countries, Belgium, Colombia, France, India, Indonesia, Malaysia, Mexico, Saudi Arabia, Spain, Switzerland, the UK, the USA, Vietnam, etc. The teams represented various industries, including finance, e-commerce, and education.
Scenario
Cyber Polygon 2024 was based on the scenario "Intelligent assault: a game of destruction." The teams investigated a sophisticated targeted cyberattack, using classical digital forensics and threat hunting techniques.
Theme
The tasks for the scenario were chosen deliberately: they reflect the most prevalent risks of the current threat landscape. Information systems are getting more complex, while machine learning and artificial intelligence are increasingly integrated into our daily lives. These new technologies are more vulnerable to attacks than conventional, familiar tools.
We are also witnessing trends toward deploying infrastructure in clouds and using containerization tools. In the training exercise, we emphasized the consequences for the IT infrastructure if these tools are not configured correctly.
In our scenario, we decided to combine actual incidents from BI.ZONE practice, encountered by SOC, DFIR, and CSIRT teams. The result was a complex but quite real targeted attack.
One of the key points of the scenario was an attack on the Kubernetes container orchestration system, which occupied both R&D segments: R&D Dev and R&D Prod. To investigate the attack, the teams had to:
- use Kubernetes audit and Tetragon logs
- analyze the disk memory dump from the attacked host
- access the telemetry in ELK to search for attacker activity
- examine files
- review the tactics and techniques used by the attackers
- study numerous logs and records
- search the Internet for details
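The first item on that list, Kubernetes audit logs, is the kind of raw telemetry the teams had to sift through. Below is an added example, not part of the original report or of the Cyber Polygon scenario, showing how a defender can triage such logs: it parses JSON-lines events in the audit.k8s.io/v1 format that the API server writes and tags the ones that typically matter in an investigation (exec into a pod, secrets read by a workload identity, cluster-wide RBAC changes by a workload identity, and a service account reaching into another namespace). The sample events, their auditIDs, users, IPs and namespaces are constructed for this example; the rule names are this example's own.

```python
import json
from collections import Counter

SA_PREFIX = "system:serviceaccount:"

# Constructed sample audit events (audit.k8s.io/v1 schema), one JSON object per line,
# as written by the API server with --audit-log-path. All identifiers are made up.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/rnd-dev/pods?limit=500","verb":"list","user":{"username":"system:serviceaccount:rnd-dev:airflow-worker","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"pods","namespace":"rnd-dev"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-09-10T09:14:02.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/rnd-dev/pods/airflow-worker-0/exec?command=sh&stdin=true&tty=true","verb":"create","user":{"username":"system:serviceaccount:rnd-dev:airflow-worker","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"pods","namespace":"rnd-dev","name":"airflow-worker-0","subresource":"exec"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2024-09-10T09:15:40.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/rnd-prod/secrets?limit=500","verb":"list","user":{"username":"system:serviceaccount:rnd-dev:airflow-worker","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"secrets","namespace":"rnd-prod"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-09-10T09:17:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:serviceaccount:rnd-dev:airflow-worker","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"clusterrolebindings","name":"debug-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-09-10T09:18:30.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets/token-abc","verb":"get","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"token-abc"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-09-10T09:18:31.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/rnd-prod/secrets/s3-credentials","verb":"get","user":{"username":"system:serviceaccount:rnd-dev:airflow-worker","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.17"],"objectRef":{"resource":"secrets","namespace":"rnd-prod","name":"s3-credentials"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-09-10T09:16:10.000000Z"}
"""


def sa_namespace(username):
    """Namespace of a service account identity, or None for any other principal."""
    if not username.startswith(SA_PREFIX):
        return None
    parts = username.split(":")  # system:serviceaccount:<namespace>:<name>
    return parts[2] if len(parts) >= 4 else None


def classify(event):
    """Return the list of rule tags an audit event matches (empty when nothing stands out)."""
    ref = event.get("objectRef") or {}
    username = (event.get("user") or {}).get("username", "")
    verb = event.get("verb", "")
    resource = ref.get("resource", "")
    is_sa = username.startswith(SA_PREFIX)
    tags = []
    # Interactive shell inside a running container.
    if verb == "create" and resource == "pods" and ref.get("subresource") == "exec":
        tags.append("pod-exec")
    # Secrets read by a workload identity rather than a control-plane component.
    if is_sa and resource == "secrets" and verb in ("get", "list", "watch"):
        tags.append("secret-access-by-serviceaccount")
    # Cluster-wide RBAC change made by a workload identity.
    if is_sa and resource in ("clusterroles", "clusterrolebindings") and verb in ("create", "update", "patch"):
        tags.append("rbac-escalation-by-serviceaccount")
    # A service account touching a namespace other than its own.
    own_ns, target_ns = sa_namespace(username), ref.get("namespace")
    if own_ns and target_ns and own_ns != target_ns:
        tags.append("cross-namespace-access")
    return tags


def triage(lines):
    """Parse audit log lines and return tagged findings ordered by request time."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; skip rather than abort the run
        if event.get("stage") != "ResponseComplete":
            continue  # one record per request; ignore RequestReceived duplicates
        tags = classify(event)
        if not tags:
            continue
        findings.append({
            "time": event.get("requestReceivedTimestamp", ""),
            "auditID": event.get("auditID"),
            "user": (event.get("user") or {}).get("username"),
            "sourceIPs": event.get("sourceIPs", []),
            "verb": event.get("verb"),
            "uri": event.get("requestURI"),
            "status": (event.get("responseStatus") or {}).get("code"),
            "tags": tags,
        })
    findings.sort(key=lambda f: f["time"])  # RFC 3339 timestamps sort lexically
    return findings


def summarize(findings):
    """Count findings per principal to see which identity drives the activity."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT_LOG.splitlines())
    for f in results:
        print(f"{f['time']} {f['status']} {f['user']} {f['verb']} {f['uri']} -> {', '.join(f['tags'])}")
    print(summarize(results))
```

Run on the sample, the output reads as a timeline: an exec into a pod, a denied (403) attempt to read a secret in another namespace, a successful listing of that namespace's secrets, and then a cluster role binding created by the same service account. Denied requests are deliberately kept, since a 403 followed by success from the same principal is often the clearest sign that privileges changed in between.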
Format
Response skills and a sharp eye are crucial for cybersecurity specialists to quickly repel an ongoing attack. Our main vision in designing the training format was to let the participants experience real attacker tactics and techniques in a safe environment that would closely mimic real investigative operations.
In this regard, a cyber range appeared to be the perfect format. It let the teams practice remediation along the entire attack chain, with the artifacts at each stage underlining how important they are for understanding the attack vector and preparing further response actions.
Cyber range trainings are not just an effective way to immerse your security specialists in life-like attack situations, but also a chance for top management to assess the resilience of their security teams and identify the weak points in their defenses.
Plot
The participants had to investigate a cyber incident at MerkuryLark, a fictional company that is developing an application powered by artificial intelligence.
The story goes that after a successful release of the product, the company enters into several multimillion-dollar contracts. However, their AI model soon begins to deteriorate. At the same time, a competitor company announces the development of a similar product at a lower price. MerkuryLark is near collapse.
The company management suspects that the internal infrastructure has been compromised and all developments stolen. While intellectual property specialists are reviewing the competitor’s solution, the company invites a team of cybersecurity experts to investigate the incident. Each participating team took on the role of those experts and carried out an investigation of a possible compromise.
Infrastructure
According to the scenario, the teams retraced the attackers’ moves from one IT segment to another and gradually unraveled the whole chain of attack. At each stage, the teams had to use new artifacts from the provided archives and come up with non-standard solutions.
It all began with studying the telemetry. As the scenario progressed, participants had to search for answers on the Internet and social networks, as well as download and research specialized utilities. Other stages involved extracting data from a disk image, reviewing raw logs, reverse engineering and examining scripts left by the attackers.
This was complicated by the fact that the infrastructure was partially deployed in containers and the target company was running a machine learning model, which the teams also had to research.
The segments making up the company infrastructure looked as follows:
The infrastructure had closely integrated services and applications running inside Kubernetes as follows:
- GitLab, Vault, and Harbor
- GitLab and Airflow
- Kubernetes, Apache Airflow, and the S3 object storage (Simple Storage Service)
We also built a working training pipeline for the ML model. The DMZ, Admin, and Internet segments played no active part in the scenario, but we implemented them to make the virtual infrastructure as close as possible to a real one.
Training mechanics
All activity took place on BI.ZONE Cyber Polygon Platform. The teams were asked to download and locally deploy a virtual machine image with the necessary investigation tools.
Since BI.ZONE Cyber Polygon Platform is intended for individual training, we had to customize it for corporate teams:
Process
Start and team strategies
The training began at 12:00 p.m. (UTC+3) on September 10. At that moment, we published the password to the archive with artifacts, which the participants could download in advance.
The teams almost immediately picked their own strategies. Some of them were not very successful, some, on the contrary, laid the foundation for success from the very beginning.
Some teams started by revealing all the hints at once, knowing that they would lose points for this. Others took breaks, expecting to return to the scenario with a clear mind and catch up with the others. As a result, the former would lack points and the latter would lack the time to advance.
The teams that had practiced solving scenarios beforehand and understood the mechanics of the platform started to take the lead. These teams would use the hints conservatively while trying to finish all the tasks and get the maximum number of points. Some teams distributed internal resources wisely: as some members unpacked and loaded artifacts into the toolkit, others tried to answer questions that did not require the use of artifacts.
The winning strategies in many ways overlapped with the strategies applied in real-life incident response. One of the response team’s primary tasks is to figure out what happened as quickly as possible: what the attacker has already done, what steps they can take, and how to prevent their further actions. Time and focus play the most important role in this process.
Results and leaderboard
The scenario was designed to:
- allow participants to assess and develop relevant incident investigation and response skills
- fit the allotted 24 hours
- keep the intrigue with the teams competing for top ranks on the scoreboard
- be challenging and educational for the teams and audience
- The teams were able to test and develop the following skills:
  - cybersecurity
  - digital forensics
  - incident response
  - analysis of various threats, vulnerabilities, and data from different sources
- The teams investigated the full chain of attack that we put together using real-life cases.
- The first finalists finished the track 19 hours after the start of the event.
- The scenario was quite challenging, but the teams still coped with most of the tasks. The teams that took the top three ranks scored 3450, 3240, and 3130 points respectively out of a possible 4020.
- The leading teams progressed through the scenario with a small gap between them, occasionally overtaking each other. The competition remained hot all the way through till the final moments of the training. As a result, the difference between the first and third place was only 320 points.
Rank | Team | Score | Industry
--- | --- | --- | ---
1 | SuperJet | 3450 | IT/cybersecurity
2 | ASOCial | 3240 | IT/cybersecurity
3 | ALTF4 | 3130 | Finance
4 | FFFF | 2805 | Metallurgy
5 | S.H.I.E.L.D | 2770 | IT/cybersecurity
6 | BuffaloHunters | 2370 | Public sector
7 | NLMK_SOC | 2060 | Metallurgy
8 | YSOC | 1950 | IT
9 | S.H.I.E.L.D. | 1535 | Metallurgy
10 | Soliders | 1515 | IT/cybersecurity
Conclusions and recommendations
Key takeaways
- The most successful teams used up all the time they had for the investigation, they were careful to limit their use of hints without looking for possible errors in the platform’s mechanics, and they came prepared after practicing other scenarios on the platform in advance. When investigating real cyber incidents, breaks and pauses are often unacceptable, relying on the attackers making mistakes is hopeless, and early preparation determines much of the end success.
- Commercial MSS providers showed the best results, outperforming the teams from the financial, manufacturing (metallurgy), and public sectors that also made the top 10.
- The teams were used to working with specialized tools like EDR, XDR, and SOAR, relying on automation, and were less likely to apply classical digital forensic techniques.
- Teams were more successful in container security and digital forensics compared to previous years. The bigger challenge was to analyze the expanded set of artifacts and to deal with modern attacker tactics such as phishing, container escape, CI/CD attacks, etc.
Recommendations for specialists
- Conduct regular hands-on training, both in teams and individually. Skilled teams can effectively repel targeted attacks and stop random attacks even when the attackers are inside the infrastructure.
- Practice classical digital forensics, and master open-source tools and raw data processing.
- Get to know the related areas of cybersecurity: offensive, secure software development, etc.
- Study the attacker tactics and techniques. Our Threat Zone research contains much useful insight:
  - threat actors active in different countries and their descriptions
  - attacker techniques and tools
  - BI.ZONE case studies
- Practice the purple team format. This approach combines the strengths of the red and blue teams through continuous interaction and information exchange between them.
- Go through the scenario again without time constraints. It is available via subscription on BI.ZONE Cyber Polygon Platform.