Havoc at a petrochemical facility, false information published on behalf of the head of the state, and a sewage spill: The Standoff has come to an end

Hackers put the security of the digital state to a test but could not destroy it completely.

53,000 people from dozens of countries watched the world’s largest cyberbattle between attackers and defenders. At the Moscow cyber-range, the 10 strongest white-hat hacker teams probed the systems of the city-state for robustness non-stop for 35 hours. While the detailed summary of the contest is being prepared, here are its results and a digest of interviews with the information security professionals who took part in the event.

On November 16, attackers managed to trigger seven more unacceptable events (a total of 19 unacceptable events were triggered during 35 hours). First, Codeby&NitroTeam disrupted treatment facilities throughout State F: several million liters of sewage poured into the surrounding bodies of water. Local rivers, lakes, forests, and fields were flooded with fetid slurry. Virtual residents were filing complaints en masse to the City Housing and Utilities, demanding an urgent solution to the problem.

In the morning, residents of State F received a message from the emergency alert system. Hackers who broke into the system (Codeby&NitroTeam and True0xA3) created a false alarm about the leakage of a dangerous substance at a petrochemical facility. Residents succumbed to panic, and the work of the facility was stopped.

At lunchtime, Codeby&NitroTeam simultaneously triggered two unacceptable events at the Unified State IT Platform. As a result, the personal data of the platform’s employees went on sale on the dark market, and the head of state’s account was compromised. By the time the government’s press office had confirmed that the account had been hacked, messages posted by Codeby&NitroTeam had not only caused pandemonium at the cash desks of Heavy Logistics and affected the company’s share price, but also raised questions about the security of the Unified State IT Platform.

It comes as no surprise that Codeby&NitroTeam took first place among the attacker teams: they were responsible for six unacceptable events. Second place went to True0xA3, and third place to SPbCTF, the team that reported the greatest number of vulnerabilities and triggered the first unacceptable event of the cyberbattle.

A total of 19 unacceptable events were triggered over the course of the cyberbattle, of which six were unique. Four companies were affected: Heavy Logistics, City Housing and Utilities, the Unified State IT Platform, and OilChem. The Heavy Logistics transport company was the main target of the attacks: every attacker team managed to cause a failure of the railway passenger information system. The jury accepted 75 reports on vulnerabilities in the infrastructure of State F.

Nevertheless, the red teams did not manage to realize the most dangerous risks embedded in The Standoff scenario (with the exception of the failure at the treatment facility). A curious fact: all unacceptable events were based on real cases from around the world. For example, attackers could have disrupted the hydrocarbon purification system at the petrochemical facility, which would have led to an explosion and loss of life (in real life, hackers came close to causing an explosion at a Saudi oil processing facility). All the same, the attackers did not manage to turn off the city lighting, interrupt the transport of petroleum to storage facilities, or realize other threats. Credit goes to the blue teams and the protection tools they used.

Defenders identified 173 incidents. GiSCyberTeam submitted more reports on attacks than any other blue team. Most often, defenders reported detecting suspicious events using a SIEM system, NTA, a WAF, and a sandbox. In the industrial segments, defenders used an industrial (OT) traffic analysis system. The Your shell not pass team investigated seven of the ten unacceptable events triggered at the transport company. The average investigation time was 16 hours 16 minutes. The fastest investigation was completed by Your shell not pass and took 3 hours 8 minutes.

Cybersecurity on a national level: where to start?

Dmitry Sklyarov, Head of Apps Analysis at Positive Technologies, sat down with information security specialists to talk about careers in information security and what they think can be done to improve information security at the national level. Sergey Gordeychik believes that it is necessary to start by building infrastructure resilience: everything must keep working without external connections. "This concerns not only network infrastructure, but also digital sovereignty, local services, and more," said Sergey Gordeychik, calling for a focus on the most vulnerable areas; for example, federal authorities should be moved to a cloud in which security is built centrally.

Omar Ganiev, CEO at DeteAct, pointed to a lack of expertise and of assessment of the work of security professionals. He believes that quality assurance standards need to be introduced for everything that happens in information security. He also stressed that modern requirements for service providers are needed, as well as proper assessment of expertise.

Alexander Leonov, Lead Information Security Analyst at Tinkoff Bank, thinks that both in Russia and abroad there is a lack of full-fledged basic vulnerability management solutions that medium-sized companies can afford. If domestic vendors create an unrestricted scanner that detects vulnerabilities on hosts, vulnerability management will become more widespread. He also believes that more transparency is needed in vulnerability management, as well as more involvement in the patching process.

Cybersecurity trends in heavy industry

Vladimir Zapolyansky, Director for Marketing and Corporate Communications at Positive Technologies, and Andrey Nuikin, Head of the Information Systems Security Department at EVRAZ, one of the world’s largest steel-making and mining companies, discussed the most pressing cybersecurity challenges facing the industrial sector. Andrey Nuikin told us that EVRAZ was once hit by the NotPetya malware, which led to downtime and direct losses. He named network penetration affecting production processes as the second biggest risk for the company. Andrey Nuikin believes the main goal of EVRAZ is to ensure production continuity. He stressed that during the pandemic, remote access became a necessity: the company’s perimeter grew wider and, therefore, more difficult to monitor and protect. According to Andrey Nuikin, EVRAZ has an efficient SIEM system, and the information security department detects about 10,000 suspicious events per month.

The SIEM market will grow by 30–40 percent, and MaxPatrol SIEM will become a basic component for metaproducts

Vladimir Zapolyansky discussed technological trends in SIEM systems, Positive Technologies’ achievements, and the capabilities of MaxPatrol SIEM with Maxim Filippov, Director for Business Development at Positive Technologies, and Ilya Shabanov, Chief Editor of Anti-Malware.ru. According to the experts, the SIEM market in Russia is worth approximately 7–8 billion rubles (around $96–110 million) and continues to grow rapidly due to the low-base effect and the high demand of domestic companies for SIEM products. Positive Technologies is one of the market leaders: in 2020, MaxPatrol SIEM brought the company 1.6 billion rubles (around $22 million), with sales up 85 percent. Maxim Filippov is certain that the SIEM market will grow faster (at 30–40 percent) than the information security market in general, and that the share of MaxPatrol SIEM will grow at a comparable rate or even faster.

According to Ilya Shabanov, a few years ago many people did not believe that Positive Technologies would succeed in the SIEM market because of the strong competition. But the company did succeed, thanks not only to the high quality of its products but also to the trend toward import substitution: some vendors left the Russian market, while buying other products became uneconomical.

As for MaxPatrol SIEM, Maxim Filippov said it would become one of the basic components of new metaproducts, in particular MaxPatrol O2, which is being tested live at The Standoff cyber-range. MaxPatrol SIEM is expected to provide increasingly accurate information to these metaproducts so that unacceptable events can be avoided entirely.

How community impacts the development of information security and technologies

Yaroslav Babin, an event organizer on the red teams’ side and Head of the Web Application Security Analysis Department at Positive Technologies, said: "It’s very difficult to create something great just by yourself, even with the help of friends and colleagues. Community is a way to significantly broaden one’s experience. Each expert has a different background, and they have all followed different paths to achieve what they have now. A good example of community cooperation is bug bounty: in such programs, the power of a large community becomes very useful."

Yaroslav organizes closed meetups, bringing together researchers who have already outgrown offensive security and are now involved in the improvement of security processes and technologies at various companies.

Alexey Novikov, Director of the Positive Technologies Expert Security Center, said: "Information technologies develop so fast that it is practically impossible to solve the whole range of problems with a limited number of specialists. There are great experts in narrow fields, and in order not to waste effort on reinventing the wheel, it is necessary to collaborate within the community."

Vladimir Kochetkov, founder of the Positive Development User Group (over 600 participants from various companies) and one of Positive Technologies’ key experts, believes that community makes progress possible in adjacent fields, for example at the intersection of programming and security. The Positive Development User Group is a community of developers and other IT professionals who create secure applications. PDUG members regularly give presentations at conferences and meetups, run master classes for developers, and discuss information security issues on their Telegram channel. Among other things, PDUG is developing an application that adds protection against various web attacks, including injections, for many programming languages. As for the benefits companies gain from supporting such communities, Vladimir noted that community members are often potential users and administrators of the company’s products and can provide very useful feedback.

The experts also discussed Community of Co-investors, a mobile application by Positive Technologies that will be released soon. Yaroslav Babin explained: "With this app, we will try to engage specialists in research and development, enhance the level of expertise, and improve our products. We want to gather the experience of the best specialists from all over the world. If we manage to motivate experts not only with T-shirts, but also with participation in conferences or with money (the application will have its own currency called 'Benefit'), the idea will be a huge success."

Vladimir Zapolyansky added: "The app currency can be converted into various benefits, including, perhaps, Positive Technologies’ shares. But this issue is still under discussion, so I cannot promise anything."

Preparation of the city defenders

Alexey Lobzin, Director for Cybersecurity Services Development at CyberART, Innostage, said: "The goal of defenders is always different, depending on the game. At the previous Standoff, teams had the tools to change the infrastructure and fix vulnerabilities. This time, they do not have the tools to actively counter attacks."

According to Alexey, the main goal of the defenders is to ensure 100% visibility of the attack chains, from the point of penetration to the realization of an unacceptable event and of the business risks embedded in the game scenario. Zero-day vulnerabilities appear all the time, and sooner or later attackers will penetrate the infrastructure. However, to reach a critical system they need to take a number of steps, and defenders must stop them along the way.

Defenders now have a new important player: a mentor. The mentor’s role is to make the teams’ participation in the game as productive as possible. The mentor assists defenders at the preparation stage (teams are given a month to prepare), including familiarizing them with the protective tools. The mentor also shows techniques that help defenders keep their heads when the infrastructure is under a constant barrage of attacks for many hours without a break.

CyberART specialists of the Innostage group participated in the event for the third year in a row. Having started as a defender team, CyberART has now become The Standoff’s global SOC, whose mission is to monitor everything that happens at the cyber-range. To help defenders better understand the concept of cyberexercises and build the needed skills, CyberART experts prepared a workshop called "Dead City." According to its scenario, a city has been destroyed in a hacker attack, but traces of the attacks remain on its networks, and specialists must investigate them. The workshop also served to train the experts who protected The Standoff’s facilities.

Biometrics: risks vs convenience

Alexandra Murzina, Lead Advanced Technologies Specialist at Positive Technologies, and Oleg Kovpak, Product Director at ID R&D, discussed pros and cons of biometrics. According to experts, today’s attacks on biometrics are mostly targeted and unlikely to pose a serious threat to ordinary users. Biometric technologies are improving, sensors have been significantly upgraded, and many recent vulnerabilities, such as bypassing biometrics using a photograph, are a thing of the past. Oleg Kovpak talked about the collection of biometric data around the world and stressed that excessive regulation has a negative impact on the work of vendors and inhibits the creation of services and products.

The expert said: "Be careful when sharing your biometric data. Do not reveal your information if you do not trust the organization that is collecting it. Nevertheless, the convenience of using biometric data will surely drive progress, there is no denying it, especially since in some cases it is safer than, say, the use of passwords."

Among the main biometrics problems, experts mentioned infrastructure security, voice and video spoofing attacks, and bypassing biometric sensors.

Black hats vs white hats

Positive Technologies expert Timur Yunusov and Egor Bogomolov, Head of Information Security Projects at Digital Solutions and Head of Information Security at HackerU, explained who ethical hackers are and how they differ from black hats. The experts discussed the concept of hacking in general and cited the benefits of becoming an ethical hacker or pentester, including a creative research mission, high salaries, and being a law-abiding citizen.

Timur Yunusov stressed: "Black hacking is not a technological but an ethical problem. We need to marginalize this activity, which is no different from any other crime. There is no difference between a black hat and a criminal."

Egor Bogomolov added: "In most cases, black hats are not highly qualified experts. They don’t analyze the systems, they just scale up attacks."

According to Timur Yunusov, security is still a by-product of development, and security by design will only be possible when this changes. "It’s not going to happen for a very long time," said the expert. Egor Bogomolov noted the "service function" of information security and the fact that security researchers are forced to "play catch-up" with developers who supply ever more products and technologies.

Russia lacks 18,500 cybersecurity specialists

A separate technical track at The Standoff Moscow this year was intended for those who are just starting their professional path. In The Young Hats track, young cybersecurity experts talked about SSL pinning and ways to bypass it in Android applications, about unikernels as a virtualization technique, about techniques for bypassing antivirus protection and EDR solutions, about the specifics of exploiting vulnerabilities such as blind command injection, and more.

The speakers were the finalists of The Young Hats competition, organized by Positive Technologies together with Innostage Group in order to support young researchers and give them the opportunity to present their projects and developments to the community on a par with recognized cybersecurity experts.

Malware analyst Stanislav Rakovsky spoke about an interesting family of backdoors whose activity the Positive Technologies Expert Security Center has been monitoring since the summer of 2020. According to him, Forest Keeper belongs to a Chinese APT group that is currently attacking Russian companies and government agencies. What distinguishes the backdoor from other malware of this class is the huge array of detailed information it collects about the victim’s system, as well as the variety of ways it checks the availability of its C2 server. "None of the malware known today collects data in such a barbaric way as Forest Keeper does," the speaker noted.

In her talk "Malware IOCs: hard to find, easy to lose," Kseniya Naumova presented the top 10 most useful Internet resources for finding the latest indicators of compromise for malware. Among them are Malware-Traffic-Analysis.net, VirusTotal, ANY.RUN, urlscan and, of course, GitHub and Twitter. According to Kseniya, these sources are useful not only for novices but also for experienced researchers.

Ransomware attacks on the largest U.S. meat producer JBS and on the IT company Kaseya: every day we learn how ransomware has again disrupted the work of a large enterprise. Every hacker attack should be scrutinized by incident investigation specialists. Mikhail Onishchenko, a student at Voronezh State University, identified four stages in the investigation of cybercrimes that must be followed in order to present an effective body of evidence in court: collection, examination, analysis, and presentation.

"One of the advantages of computer forensic analysis is that there are no established methods today. For example, no one will demand to use the MD5 hashing algorithm in court instead of SHA-256. The main thing is that your report should be as clear as possible to people who have rather superficial knowledge about cybersecurity," said Mikhail.
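The practical consequence of the four stages and of the hashing remark is an evidence manifest: every artifact is hashed at collection, and the digests are re-checked before examination and again before the report is presented, so that the integrity of the evidence can be demonstrated to a non-expert reader. The following Python is an added illustration, not code from the talk or from Positive Technologies; the evidence file names, contents, examiner and timestamp are constructed sample data, and the manifest layout is an assumption rather than any standard format. It records SHA-256 as the primary digest and MD5 alongside it only so that results can be cross-checked against older tooling.

```python
"""Evidence integrity manifest for a forensic case (added example, not the speaker's code)."""
import hashlib
import json
from typing import Dict, Tuple

# Constructed sample evidence. In practice these are disk images, memory
# dumps or exported logs read from disk in binary mode; contents are made up.
EVIDENCE: Dict[str, bytes] = {
    "case42/host01-syslog.txt": (
        b"Nov 16 03:12:01 host01 sshd[4211]: Accepted password for root from 10.0.0.5\n"
    ),
    "case42/host01-memory.raw": bytes(range(256)) * 4,
}

# SHA-256 is the primary digest; MD5 is kept only for cross-checking with
# legacy tools and reports (both are listed so the verdict does not depend on one).
ALGORITHMS = ("sha256", "md5")
CHUNK = 65536


def hash_bytes(data: bytes, algorithm: str) -> str:
    """Digest the data in fixed chunks, the way one would stream a multi-GB image."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def _manifest_digest(manifest: dict) -> str:
    """Digest of the manifest body itself (everything except its own digest field)."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence: Dict[str, bytes], examiner: str, acquired_at: str) -> dict:
    """Collection stage: record size and digests of every artifact, then seal the manifest.

    The manifest digest is the single value to print in the report (or sign);
    anyone can recompute it from the manifest body and the artifacts."""
    items = {}
    for name, data in evidence.items():
        items[name] = {"size": len(data)}
        for alg in ALGORITHMS:
            items[name][alg] = hash_bytes(data, alg)
    manifest = {"examiner": examiner, "acquired_at": acquired_at, "items": items}
    manifest["manifest_sha256"] = _manifest_digest(manifest)
    return manifest


def verify_manifest(manifest: dict, evidence: Dict[str, bytes]) -> Tuple[bool, Dict[str, str]]:
    """Examination/analysis/presentation stages: re-hash and compare.

    Returns (manifest_intact, verdicts) where each verdict is "ok", "modified"
    or "missing", so the report can state exactly which artifact drifted."""
    intact = _manifest_digest(manifest) == manifest.get("manifest_sha256")
    verdicts = {}
    for name, rec in manifest["items"].items():
        data = evidence.get(name)
        if data is None:
            verdicts[name] = "missing"
            continue
        unchanged = len(data) == rec["size"] and all(
            hash_bytes(data, alg) == rec[alg] for alg in ALGORITHMS
        )
        verdicts[name] = "ok" if unchanged else "modified"
    return intact, verdicts


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, examiner="J. Doe", acquired_at="2021-11-16T03:20:00Z")
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest, EVIDENCE))
```

Re-running `verify_manifest` after each stage, and including its output in the report, is what lets a reader with only superficial knowledge confirm that the analyzed artifacts are the ones that were collected.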

Maria Sigaeva, Director of Educational Programs and Projects at Positive Technologies, explained why it is important for cybersecurity companies to support young security experts and how this contributes to the development of the information security community: "According to a recent study by the Ministry of Labor, Russia lacks 18,500 cybersecurity specialists. The shortage of young staff is 5,000 people. In particular, there is an urgent need for administrators of information security tools." This is the total technological debt of large IT companies to various sectors of the economy, growing year by year with a cumulative effect, Maria believes. If we want qualified young specialists with new breakthrough ideas to appear on the market, we should systematically train new staff for the industry.

"Talented youth interested in cybersecurity is the most precious asset today. Supporting these young people is just as much an investment in the future as investing in a company or developing its products. Moreover, organizing various programs that support young professionals is also an investment in one’s future employees and customers. This year, we decided to clear the way for novice researchers, some of whom are still in school, by creating a youth track for them as part of The Standoff. This coincides with the current demand of the cybersecurity industry," Maria added.

The winners of The Young Hats contest were announced live at The Standoff Moscow cyberbattle. According to the audience vote, the three best talks were those by Dmitry Molokovich (145 votes), Sergey Antonov (135 votes), and Zhan Daurenuly (102 votes). The winners were awarded diplomas and valuable prizes. In addition, all participants of the youth track received invitations to Positive Hack Days, an international forum to be held in May 2022.

How a hacker can steal a painting

The second competition involved modern art. The Standoff Digital Art is a simulated gallery of NFT paintings dedicated to the city of tomorrow and to people in the digital world. Each painting was presented as a unique NFT; such tokens have given CG artists a way into the art market and a way to sell their works. Russian cyberartists Desinfo, Meta Rite, Artem Tkach, volv_victory, Anomalit Kate, and Loit were brave enough to let their masterpieces be hacked. To steal a painting, participants had to find vulnerabilities in the smart contracts by analyzing their source code.

This year, the co-organizer of The Standoff is Innostage Group. The event was supported by the engineering company Prosoft-Systems, Gazinformservice, and Automiq Softech.