The Standoff in Abu Dhabi: citywide cyberbattle takes the international stage
Competition held at HITB+ CyberWeek in UAE, winners hail from Russia
The Standoff, a three-day hyperrealistic tournament testing the skill of more than 60 security specialists from multiple countries, has concluded in the United Arab Emirates. As part of Hack In The Box (HITB+ Cyberweek), attackers (red teams) tried to steal money from a mock city's bank, cause an oil spill, bring trains and traffic to a standstill, and make street lighting go haywire. Their efforts were opposed by defender (blue team) counterparts.
The Standoff is no generic Capture The Flag competition. Unlike traditional CTFs, it pits teams of attackers and defenders against each other. The infrastructure of the imaginary city of Kabakas was featured in a huge diorama (17 square meters, or approximately 183 square feet) so that viewers could observe the aftermath of attacks. This faithful recreation of the digital infrastructure of an entire city included modern systems and hardware including ICS/SCADA, e-banking, and building automation. This enables professionals to model real situations and hone their skills at defending systems and monitoring security. First held in 2016, The Standoff had previously taken place only in Moscow at PHDays, a conference organized by Positive Technologies.
Hack a chemical plant—or a Ferris wheel
A total of three defender teams and nine attacker teams took part. Defenders secured three different companies, responsible for the city's oil and gas, transportation, and energy. Targets included an ammonia factory and electrical substation, oil storage tank and loading terminal, railroad, traffic signal and street lighting management, heating and air conditioning, and even a Ferris wheel. The city had its own bank as well.
Mikhail Levin, one of the organizers of The Standoff, said: "Many teams, being used to collecting flags in standard CTFs, were initially at a loss for what to do. Like in real life, in The Standoff you can use practically any hacking technique that exists. What's more, only by smartly combining these techniques is it possible to achieve victory in The Standoff. Those playing for the bad guys could attempt ambitious APT attacks or even sabotage—think oil spills, lights-out on city streets, and rail accidents. These threats are international in nature and training needs to be more than just theoretical. In the real world, security teams have a limited number of tools available. So at the contest, defenders had only NGFW and WAF solutions, which still made life much harder for hackers. These automatically blocked all head-on attacks, forcing red teams to camouflage themselves and modify their standard tools. By exporting a competition originally dreamt up at PHDays, one of the largest security-related gatherings worldwide, we have succeeded in making extremely realistic hacking competitions accessible to a much broader community."
Chronology: day by day
Attackers could earn game currency in a number of ways: stealing it from bank accounts, mining it, and by participating in the bug bounty program. But mostly they made money by completing tasks. On Day 1, attacker teams scoped out targets using public sources (OSINT). For instance, they identified corporate email addresses for all three companies and sold them to spammers. Several teams informed of minor vulnerabilities as part of the bug bounty, but were unable to make use of them to escalate privileges on target infrastructures. Defenders did not report any incidents for the day.
On Day 2, attackers continued finding information of value (email addresses and phone numbers) on corporate websites and selling it to spammers. But two teams pulled ahead. Team True0xA3 (from Russian company Informzashchita), which already had prevailed in The Standoff at PHDays 9, hacked the corporate network of the oil company. There the team found confidential correspondence and information about executive salaries, yielding 500,000 points.
Another high-achieving team was Team 404, which combined silver and bronze winners from the CTF Cyber Battle of the Emirates, which had been held at HITB previously. The team obtained access to bank accounts of a third of the city's population (50 out of 150 accounts, each account holding 13,500 of game currency) and even managed to automate transfers of the money to an offshore bank. By day's end, they had racked up 660,843 points.
Among other notable events on the second day, defenders of the energy company from the team Short Notice (UAE) detected malicious activity (use of vulnerabilities and downloading of malicious shellcode) on the border of their network. They investigated this activity and informed regarding the attackers' actions. The attackers were ultimately blocked and pushed off the company network. The leveraged vulnerabilities were subsequently closed.
On Day 3, True0xA3 got onto the process network of the oil company. They interrupted operations by shutting a valve, which stopped oil from pumping through the pipes. The team also completed a second task by changing the maximum tank level indicators and causing a reservoir to overfill. This resulted in an oil spill.
The winner of The Standoff was True0xA3. Only they and one other team, n0x, found a way to mine cryptocurrency and obtain access to hosts on corporate infrastructures. This enabled True0xA3 to complete two high-value tasks and nab victory from Team 404, which took second place partly on the strength of having stolen money from bank accounts.
The highest-rated blue team was Short Notice. These defenders were the most diligent at ensuring the availability of services and regularly reported on incidents, including discovered miners and compromised accounts. They also announced detection of a stager (small payload module designed to place the rest of the payload on the victim system).
Levin added: "Our plans include working with other major cybersecurity conferences to gradually turn The Standoff into the de facto standard for security competitions. In parallel, we will be striving to make The Standoff available 24/7/365 so that teams from different companies can participate and train remotely. Two or three days is just not a lot of time for setting up multistage attacks on an unknown target or mastering complicated detection techniques. Having a resource that's always available will help everyone to get the absolute maximum out of this format."