Today BSG participated in the first-ever SANS NetWars tournament brought to Ukraine by USAID Cybersecurity Activity, the Ukrainian National Security Council, and the Service of Information Protection. To our immense surprise, we won this cyber range competition!
What is SANS?
SANS Institute is the best-known resource center for cybersecurity training, certification, and research. The institute offers over 60 courses in virtually all areas of the cybersecurity knowledge base; their comprehensive skill roadmap can help you build a career from a basic level to a world-class expert.
SANS instructors are experienced practitioners who also excel in mentoring others. After the certification, you get practical skills with modern tools and technologies and a precious certificate in the cybersecurity job market. Apart from the training programs and certification exams, SANS maintains an online Cyber Ranges facility with unique NetWars cybersecurity tournaments.
What is SANS Grid NetWars?
NetWars tournaments vary in formats and focus on diverse network attack and defense competencies. Cyber range exercises help cybersecurity experts gain practical knowledge of modern attack and defense techniques. And cyber range competitions are a great experience that allows participants to dive into a realistic cybersecurity challenge: model a cyber-attack or investigate a cybersecurity incident.
SANS Grid NetWars is a set of digital forensics and incident response challenges arranged into a realistic digital investigation scenario. In short, the legend presumes that a critical infrastructure network has been hacked, and the participants have the task of finding out how it happened, who the attackers were, how they harmed the infrastructure, and how the target can fix that.
Grid NetWars is a suite of hands-on, interactive learning scenarios that enable Operational Technology security professionals to develop, test and master the real-world, in-depth skills they need to defend real-time systems. It is designed as a challenge competition and is split into separate levels to allow players to quickly move through earlier levels based on their expertise. The Grid Netwars experience has been themed for the electricity industry and the scenario has been previously used to support multiple electric sector exercises. Grid NetWars was designed to enable participation by players at all skill levels and from any sector (not just the electric sector).
SANS Grid NetWars
Why did we participate in SANS NetWars?
It was the first time that the SANS NetWars tournament had been held in Ukraine. The format of the event was hybrid, so virtually everyone could join. The complete list of required skills and equipment is on the SANS NetWars website, but briefly, all you needed was a modern PC, VMware Player, and the will to learn. The competitors could play individually or in teams of two to five people. Of course, we decided to play as a team.
For us, it was an extraordinary experience. BSG is not known for blue-team work: we are mainly into pentesting and application security. We provide incident response services from time to time, but it is certainly not what we broadly advertise. So it was a bit of a challenge for us, and as we are constantly trying to learn something new, we could not miss this opportunity.
At the tournament, we had a very unusual experience of meeting the genuine digital forensics and incident response challenge. SANS Grid NetWars is a set of exercises that recreates an investigation of a real-life cyber security incident in an Industrial Control System environment. It requires the participants’ knowledge of network, system, and operational technology. And it looks like a team of experienced pentesters who are well-acquainted with these technologies could perform related DFIR (Digital Forensics and Incident Response) tasks remarkably well.
The Challenge
The SANS Grid NetWars tournament implements a set of practical scenarios. We were excited to try our cyber defense skills and techniques against the tasks. To get a chance to win, the teams had to go through a realistic electric grid infrastructure compromise scenario. We started with detecting the signs of compromise in provided artifacts, continued through the incident response and digital forensics investigation, and landed on the remediation of identified threats and eradicating attacker presence in the infrastructure.
SANS arranges the Grid NetWars tournament challenges in four levels. Level 1 focuses on incident detection and response, so we had to remind ourselves how to parse logs and analyze network traffic dumps. On Level 2, as the next step in the investigation, the teams downloaded a virtual machine prepared by SANS to go through the endpoint compromise analysis. Going further, in the Level 3 tasks, the teams assessed the impact the attackers caused on the power grid network as a whole. And on Level 4, the teams focused on repairing the compromise and removing the attackers’ access from the infrastructure.
Our tactics were simple: everyone first scored some points on Level 1, then checked the Level 2 tasks. After getting enough points to unlock Level 3, we split into two subteams: one remained on Levels 1-2 and continued to solve these relatively easy tasks, while the other rushed forward, advancing through the more complex challenges.
The Experience
For us as red-teamers, it was exciting to look at the cyber security profession from the other side. We usually take the role of an attacker in our work. But in the tournament, we took an utterly reverse position. Instead of modeling and executing the attacks, we had to analyze the evidence of a perpetrator’s activities in the production network and then work through the incident response procedure.
Now to the big surprise part. We were planning to learn. Competing was not on our agenda: we realistically assessed our chances and decided to take as much experience from the event as possible. However, we had to reconsider a couple of hours into the process.
SANS Grid NetWars may be a defensive investigation tournament, but it turns out it has a lot in common with classical Capture the Flag competitions. And by chance, we know a thing or two about that. BSG is famous for bringing up CTF games at cyber security conferences in Ukraine and abroad. So, it was only natural that we found some similarities between the SANS tournament and the CTF competitions.
At the end of the day, it is still a cyber security job. Which side of the incident evidence you stand on is technically unimportant. It is equally necessary to think like an attacker and like an investigator when moving through a security investigation. And profound knowledge of the technology stack and of cyber attack tactics and techniques is of much use in both Red and Blue teams.
We are grateful to the tournament organizers for this opportunity and to all the teams who participated in the tough competition. We have learned a lot, and we have seen how much more there is to learn. And for the first time in BSG history, we are seriously considering extending our work to digital forensics and incident response.
But right now, let us take a break and celebrate. Until next time, and stay safe out there.