The Standoff wraps up; Attackers breach perimeters of all six organizations and gain access to corporate networks

November 19, 2020

The Standoff, an online offensive/defensive competition in which defenders (blue teams) compete against attackers (red teams) to control the infrastructure of a simulated digital city, has concluded.

The event took place Nov. 12-17, 2020, pitting information security veterans against skilled hackers in a battle to hack mock banks, utilities, airports, downtown hubs, IoT systems, cargo and public transportation, telecoms systems and more. The Standoff’s unique virtual city environment contained actual infrastructure components representative of common real-world business and industrial systems, such as:

Port with rail terminal
Natural gas pumping station
Chemical plant and fire station
Oil refinery and storage facility (including wind turbines)
Amusement park
Airport
Electrical plant and substation
City business and financial center

These systems and platforms were simultaneously targets for the attacking teams to hack and valuable assets for defending teams to protect. At the event site, an active round-the-clock Security Operations Center (SOC) was equipped with the latest security tools. The SOC, in conjunction with specialists from the Positive Technologies Expert Security Center (PT ESC), helped to make the virtual action at The Standoff visible to all.

In the cyber-range competition, the winning attacker team was Codeby (27,123 points), followed by back2oaz (24,463 points) and DeteAct (18,508 points). Collectively, the attackers were able to trigger 47 percent of all the risks that had been designed. Of the 24 unique triggered cyber-risks, 2 were novel and unanticipated by the organizers. The jury accepted more than 50 task completion reports from attacker teams.

Defender teams were able to detect more than 200 security incidents on their respective infrastructures. Incident detections were highest for the teams IZ:SOC and CT&MM. The teams performed 21 investigations. The average investigation took 11 hours and 50 minutes from start to finish.

All of the mock city's companies had to grapple with the aftermath of cyberattacks. Here are some of the most serious cases:

At the Nuft petrochemical plant, an accident led to toxic leakage. Attackers were able to gain access to the plant's controls and closed the refrigeration intake, which caused overheating and disrupted the chemical manufacturing process. Soon after, the attackers were able to halt the process entirely.
A cyberattack disabled oil extraction equipment, causing production to stop. The attackers also accessed the oil storage controls and disrupted the process for transport of oil to storage tanks. They later were also able to disable the controller responsible for managing petrochemical transport.
At the 25 Hours amusement park, the Ferris wheel fell over. A team gained access to the controls and increased the rotation speed to the highest value, causing the Ferris wheel to collapse. They finished by disabling the Ferris wheel's controller and turning off lighting to prevent visitors from leaving.
Bank attacks enabled theft of funds from individuals' accounts, as well as theft of data regarding bank clients (name, account balance, card PAN, etc.).
Valuable documents were stolen from two companies. Employee personal data was stolen from five companies.
During the closing minutes of the competition, back2oaz accessed climate controls for the office buildings and could change the temperature settings.
Some risks were made possible by poorly protected corporate websites. These include disruptions to the amusement park's online ticketing offices, as well as plane ticket sales and passenger check-in systems on the airport website.
However, the majority of risks required first accessing the company's local network. Here, too, we see that attackers started by looking for vulnerabilities in web applications in order to breach infrastructure. Defender teams reported on successful attempts to exploit such vulnerabilities.
The first vulnerability was found by n0x in a Nuft system just 19 minutes after the start of the competition. The jury received a total of 433 bug bounty reports. Almost half were SQL injection, while a quarter involved remote code execution. Two thirds of all vulnerabilities were found at the city's Nuft and Big Bro Group.

The largest number of risks (8) was triggered at 25 Hours, the mock company that owned the city's business center, HVAC system, traffic lights, and amusement park. The runner-up, with seven unique risks triggered, was oil company Nuft. Only the railroad and port escaped unscathed.

At the same time, The Standoff was also a cybersecurity conference with talks, workshops, and demos from global cybersecurity experts. As a cybersecurity marathon under The Standoff brand, the event started in the U.S. and went through Europe, the Middle East, and Asia, before ending in Russia. The Standoff unites different audiences and countries with one agenda and one idea — improving cybersecurity through real-world offensive and defensive exercises.

Here’s a selection of some discussions that were thought-provoking:

"The cyber-range overview. Evolution" Denis Baranov, Andrey Bershadsky, Yury Maximov
"How have IS industry and community changed over the years and what are they developing into? What are the ways for people involved to progress within the industry?" Alexey Sintsov, Boris Savkov
"Red teaming simulation: unique attacks of lateral movements," Lawrence Amer
"How to gain profit from information security? Does this imply pursuing industry evolution or being a global leader?" Sergey Matsotsky, Alexander Galitsky, Yuri Maximov
"Kr00k: serious vulnerability affected encryption of billion+ Wi-Fi devices," Robert Lipovsky
"Vulnerabilities of machine learning infrastructure," Sergey Gordeychik
"Penetration testing communication systems: nowadays," Moritz Abrell
"We hacked 5G, now let's protect it," Dmitry Kurbatov
"Windows 10 hardware security mechanisms," Artyom Sinitsyn

Didn’t have time to catch everything you wanted to? All recordings have been made available here.

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and more. Within her role at Security, she works to produce stories for the monthly issue, Newswire articles, Web Exclusive features, as well as manage social media, the 5 minutes with series, and the Today’s Cybersecurity Leader and Security enewsletter. She graduated from the University of Illinois at Urbana-Champaign with a bachelor’s in English and Creative Writing.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.