Scenarios
During the online exercise, the teams will practise responding to a targeted supply chain attack on a corporate ecosystem.
Theme

Recent years have seen a surge in the number of attacks targeting supply chains. As businesses increasingly build ecosystems of partners, subsidiaries and suppliers, the exposure of those supply chains has become a growing concern. With that in mind, the central theme of the training this year will be ecosystem security and mitigation of supply chain attacks.

Since the training proved effective last year, we have retained the existing format, with just a few changes to accommodate the wishes of the teams. The exercise will include two scenarios — Defence and Response.

Roles
Red Team
Training organisers from BI.ZONE, who simulate the attack.
Blue Team
Participating teams, who protect their segments of the training infrastructure.
Rules
  1. The training is open only to organisations. Please use your corporate email to apply.
  2. One organisation — one team. The number of members is not limited.


  3. The training is tailored for practising cybersecurity and IT professionals of various backgrounds. Teams will benefit from including forensics, security analysis and SOC specialists.


  4. All tasks will be performed remotely: the teams will get access to a virtual cloud infrastructure.


  5. In addition to the pre-installed software, the participants are allowed to use any applications and utilities that will help to protect their segments of the training infrastructure.

  6. The training is designed as an educational exercise rather than a competition, hence its results will be anonymised.


Scenario 1. Defence

The teams will practise deflecting a large-scale attack in real time.
Goal

Develop skills for repelling targeted cyberattacks on a business-critical system.


Legend

An unknown hacker group has gained network access to a segment of the virtual corporate infrastructure. This segment contains the services responsible for the continuous integration and deployment of the company's web application.

The threat actors did not gain access to the virtual servers themselves, but they stole large amounts of information about the application under development, including parts of the source code and development documentation.

The group's main target is the user data processed by the application. To reach it, the attackers plan to use the stolen information to tamper with the development process and embed backdoors into the application. That would let them proceed to the final stage: attacking the application in the production environment and exfiltrating the data they are after.


Blue Team Actions

The participants will have to:

  • contain the attack as fast as possible
  • ensure the security of the application’s supply chain
  • minimise the amount of compromised information
  • maintain the availability of the target web application and the entire supply chain

The Blue Team can apply any methods and tools to protect their infrastructure. They can also fix vulnerabilities by patching the service code and hardening its configuration.
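One concrete way to "ensure the security of the application's supply chain" in the situation the legend describes (an attacker who cannot reach the servers but wants to slip a backdoor into what gets deployed) is to gate deployment on an authenticated build manifest. The script below is an added illustration, not part of the exercise materials or BI.ZONE's own tooling: the artifact names, contents and the HMAC key are constructed for the demonstration. It records a SHA-256 digest per artifact at build time, authenticates the whole manifest with a key the artifact store never holds, and at deploy time reports swapped, missing or unexpected artifacts, as well as a manifest that was rewritten to match a swapped artifact.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialisation so build and deploy sides authenticate the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, key: bytes) -> dict:
    """Build-time step: record one digest per artifact and authenticate the
    record with an HMAC under a key that only the build system holds."""
    entries = {name: sha256_hex(data) for name, data in artifacts.items()}
    mac = hmac.new(key, _canonical(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}


def verify_release(artifacts: dict, manifest: dict, key: bytes) -> list:
    """Deploy-time gate: return a list of findings. An empty list means the
    release is byte-for-byte what the trusted build produced."""
    findings = []
    expected_mac = hmac.new(key, _canonical(manifest["entries"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # A rewritten manifest would otherwise let a swapped artifact "match".
        findings.append("manifest: authentication failed, entries cannot be trusted")
        return findings
    for name in sorted(manifest["entries"]):
        if name not in artifacts:
            findings.append(f"{name}: listed in manifest but missing from release")
        elif sha256_hex(artifacts[name]) != manifest["entries"][name]:
            findings.append(f"{name}: digest mismatch, modified after the build")
    for name in sorted(artifacts):
        if name not in manifest["entries"]:
            findings.append(f"{name}: present in release but not produced by the build")
    return findings


# Constructed sample data (hypothetical names, contents and key).
BUILD_KEY = b"held-only-by-the-build-system"
TRUSTED_BUILD = {
    "app.bin": b"\x7fELF original build output",
    "config.yaml": b"listen: 8080\n",
}
MANIFEST = build_manifest(TRUSTED_BUILD, BUILD_KEY)

# An attacker with access to the artifact store swaps the binary and drops a helper...
TAMPERED_RELEASE = {
    "app.bin": b"\x7fELF backdoored build output",
    "config.yaml": b"listen: 8080\n",
    "helper.so": b"loader for the implant",
}
# ...and, knowing the manifest format, also rewrites the entry for app.bin.
FORGED_MANIFEST = {
    "entries": {**MANIFEST["entries"], "app.bin": sha256_hex(TAMPERED_RELEASE["app.bin"])},
    "mac": MANIFEST["mac"],
}


def demo() -> dict:
    """Run the gate against the three releases; keys describe each case."""
    return {
        "clean": verify_release(TRUSTED_BUILD, MANIFEST, BUILD_KEY),
        "tampered": verify_release(TAMPERED_RELEASE, MANIFEST, BUILD_KEY),
        "forged_manifest": verify_release(TAMPERED_RELEASE, FORGED_MANIFEST, BUILD_KEY),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["ok"])
```

The point of the HMAC is that integrity of the artifacts alone is not enough: if the attacker who swaps an artifact can also edit the digest list, per-file hashes prove nothing. In a real pipeline the manifest would be signed with an asymmetric key held by the build system (or attested by a build service), so that the deployment side needs no secret at all; the symmetric HMAC is used here only to keep the example in the standard library.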

Scenario 2. Response

The teams will investigate the incident by applying classic digital forensics and Threat Hunting techniques.
Goal

Develop skills in investigating an incident that began with a successful phishing attack.


Legend

The Blue Team protects the ecosystem of a large group of companies. One of the workstation users at the parent company reports suspicious files in a directory. The investigation will establish the vector of compromise: an update installed on a business-critical application developed by a subsidiary.

The Blue Team will be granted access to the parent company’s Threat Hunting platform, which aggregates EDR and NTA events. The participants will be tasked with finding as many artifacts of the incident as possible by applying the Threat Hunting approach.

In the course of the hunt, the team discovers that the infrastructure was compromised through a modified update installed on a business-critical application. The update was supplied by the subsidiary responsible for software development, so the focus of the investigation then shifts to the subsidiary's infrastructure.

The subsidiary does not use any EDR solution. For this reason, the participants will have to resort to classic forensics and find as many artifacts of the breach as possible.


Blue Team Actions

In both parts of the scenario, the Blue Team will have to solve a number of tasks by analysing the data provided, but the analysis methods will differ.


Parent company

The participants will investigate the incident by applying the Threat Hunting approach to the host and network telemetry (EDR and NTA events) aggregated by the platform.
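What a hunt over that telemetry looks like in practice, for the specific hypothesis the legend suggests (a legitimate updater that spawned something it should not have), is shown below. This is an added example and not part of the exercise platform or any vendor's query language: the event field names, the updater image name `updater.exe`, the list of abused system binaries and the events themselves are all constructed for the demonstration. The hunt walks the process tree beneath every updater instance and flags descendants that are common living-off-the-land binaries or whose command line touches a user-writable path, while leaving the updater's legitimate child and an unrelated shell on the same host alone.

```python
import json
from collections import defaultdict

# Constructed EDR process-start events in JSON Lines form (field names are assumed,
# not those of any particular product). One workstation, one update run.
SAMPLE_EVENTS = r"""
{"ts":"09:00:01","host":"ws-017","pid":4120,"ppid":812,"image":"C:\\Program Files\\CorpApp\\CorpApp.exe","cmdline":"CorpApp.exe","user":"corp\\j.doe"}
{"ts":"09:00:05","host":"ws-017","pid":4188,"ppid":4120,"image":"C:\\Program Files\\CorpApp\\updater.exe","cmdline":"updater.exe --apply update-2.3.1.pkg","user":"corp\\j.doe"}
{"ts":"09:00:06","host":"ws-017","pid":4195,"ppid":4188,"image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i update-2.3.1.msi /qn","user":"corp\\j.doe"}
{"ts":"09:00:07","host":"ws-017","pid":4201,"ppid":4188,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c copy svc.dll %APPDATA%\\svc.dll","user":"corp\\j.doe"}
{"ts":"09:00:09","host":"ws-017","pid":4210,"ppid":4201,"image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Users\\j.doe\\AppData\\Roaming\\svc.dll,Start","user":"corp\\j.doe"}
{"ts":"09:00:20","host":"ws-017","pid":4300,"ppid":812,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir","user":"corp\\j.doe"}
"""

UPDATER_IMAGE = "updater.exe"  # assumption: the application's update component
# System binaries that an installer has no business launching (hypothesis list, not exhaustive).
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe"}
USER_WRITABLE_MARKERS = ("appdata", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def load_events(text: str) -> list:
    """Parse JSON Lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_updater_descendants(events: list) -> list:
    """Walk the process tree below every updater instance and flag descendants
    that look like hands-on-keyboard or loader activity. Returns findings in
    time order; each carries the reasons it was flagged and the updater's pid."""
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)  # pids are only unique per host

    findings = []
    for root in events:
        if basename(root["image"]) != UPDATER_IMAGE:
            continue
        stack = list(children[(root["host"], root["pid"])])
        while stack:  # depth-first over all descendants, not just direct children
            e = stack.pop()
            reasons = []
            if basename(e["image"]) in LOLBINS:
                reasons.append("system binary spawned under the updater")
            if any(m in e["cmdline"].lower() for m in USER_WRITABLE_MARKERS):
                reasons.append("command line references a user-writable path")
            if reasons:
                findings.append({
                    "host": e["host"], "ts": e["ts"], "pid": e["pid"],
                    "image": basename(e["image"]), "cmdline": e["cmdline"],
                    "updater_pid": root["pid"], "reasons": reasons,
                })
            stack.extend(children[(e["host"], e["pid"])])
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in hunt_updater_descendants(load_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['host']} pid={f['pid']} {f['image']} "
              f"(under updater {f['updater_pid']}): {'; '.join(f['reasons'])}")
```

Two design points carry over to a real platform query. First, the hunt is keyed on the parent relationship rather than on the file names the user reported, so it finds the chain even when the dropped file has been renamed. Second, `msiexec.exe` under the updater is not flagged, because a hunt that fires on every child of an installer drowns the analyst in the legitimate update itself; the hypothesis is specifically "updater launched a shell or loader", and the reasons recorded in each finding are what the team would cite as artifacts of the incident.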


Subsidiary

The Blue Team will investigate the incident using the methods and tools of classic digital forensics.