Today BSG participated in the first-ever SANS NetWars tournament brought to Ukraine by USAID Cybersecurity Activity, the Ukrainian National Security Council, and the Service of Information Protection. To our immense surprise, we won this cyber range competition!
What is SANS?
SANS Institute is, of course, the best-known resource center for cybersecurity training, certification, and research. The institute offers over 60 courses in virtually all areas of the cybersecurity knowledge base, and its comprehensive skill roadmap can help you build a career from a basic level to world-class expert.
Notably, SANS instructors are experienced practitioners who also excel at mentoring others, so after certification you come away with practical skills in modern tools and technologies as well as a certificate that is highly valued in the cybersecurity job market. Apart from the training programs and certification exams, SANS maintains an online Cyber Ranges facility that hosts the unique NetWars cybersecurity tournaments.
What is SANS Grid NetWars?
NetWars tournaments vary in format and focus, ranging from broad network attack and defense competencies to deeply specialized knowledge of ICS, SCADA, and power grid security. Cyber range exercises help cybersecurity experts gain a practical understanding of modern attack and defense techniques. Cyber range competitions are a great experience that lets participants dive into a realistic cybersecurity challenge: model a cyber-attack or investigate a cybersecurity incident.
SANS Grid NetWars is a set of digital forensics and incident response challenges arranged into a realistic digital investigation scenario. In short, the scenario assumes that a critical infrastructure network has been hacked, and we are tasked with finding out how it happened, who the attackers were, how they harmed the infrastructure, and how we can help the target recover.
Why did we participate in SANS NetWars?
For us, it was an extraordinary experience. BSG is not known for blue-team work: we are mainly into pentesting and application security. We provide incident response services from time to time, but it is certainly not what we broadly advertise. So it was something of a challenge for us, and as we are constantly trying to learn something new, we could not miss this opportunity.
Today we had the very unusual experience of facing a genuine digital forensics and incident response challenge. SANS Grid NetWars is a set of exercises that recreates the investigation of a real-life cyber security incident in an Industrial Control System environment. It requires participants to know network, system, and operational technology. And it turns out that a team of experienced pentesters who are well acquainted with these technologies can perform the related DFIR tasks remarkably well.
It was exciting to look at the cyber security profession from the other side. In our work we usually take the role of the attacker, but in the tournament we took the opposite position. Instead of modeling and executing attacks, we had to analyze the evidence of a perpetrator’s activities in the production network and then work through the incident response procedure.
Now to the big surprise part. We were planning to learn. Competing was not on our agenda: we realistically assessed our chances and decided to take as much experience from the event as possible. However, we had to reconsider a couple of hours into the process.
SANS Grid NetWars may be a defensive investigation tournament, but it turns out it has a lot in common with classical Capture the Flag competitions. And as it happens, we know a thing or two about those. BSG is known for running CTF games at cyber security conferences in Ukraine and abroad. So it was only natural that we found similarities between the SANS tournament and CTF competitions.
At the end of the day, it is still a cyber security job. Which side of the incident evidence you stand on is, technically, unimportant. It is equally important to think like an attacker and like an investigator when working through a security investigation. And deep knowledge of the technology stack and of cyber attack tactics and techniques is of great use in both Red and Blue teams.
We are grateful to the tournament organizers for this opportunity and to all the teams who took part in a tough competition. We have learned a lot, and we have seen how much more there is to learn. And for the first time in BSG history, we are seriously considering extending our practice to digital forensics and incident response.
But right now, let us take a break and celebrate. Until next time, and stay safe out there.