And then there were six. Just six teams remain, competing for the title of the Best Defensive Cyber Team in the Americas. Thus far, each team has completed a set of labs, and the 20 teams who moved on to the semis have experienced two different attacks. In the quarterfinal, each team was tasked with completing a Coin Miner scenario. But in the semis we wanted to make things a bit more challenging, so we brought one of the more difficult scenarios available on the Cyberbit platform: Dragonfly.

Introducing Dragonfly – Difficulty Level, Intermediate

As in the last round, competitors were not aware of the attack type until they logged onto their machines and began exploring their Splunk and network. With over 60 components included within the enterprise grade virtual network, this task would take considerably longer than their given 4 hours without the help of Splunk, their Palo Alto firewall, and all the system logs. Even with this advantage, the Dragonfly scenario is still challenging considering it is based on the 2017 Dragonfly attack on the western energy sector (primarily focused on the UK).

With stark comparisons being drawn to Stuxnet in terms of technical brilliance and strategic execution, the Dragonfly group introduced a new malware aimed directly at energy companies. The malware has at least three different attack mechanisms and looks completely legitimate, since it appears to be unaltered software from trusted suppliers. However, once the malware is introduced to the control systems, it comes to life.

Initially discovered by Finnish security firm F-Secure and rediscovered by Symantec a week later (as a different malware), the Dragonfly malware was researched and initially diagnosed as a RAT (remote access tool) by Symantec.

The first was known as the Havex RAT, though it has also been referenced as Backdoor.Oldrea or the Energetic Bear RAT. The malware extracts data from the Outlook address book and from ICS-related software files used for remote access from infected machines to industrial systems. Some of the more than 88 variants of the malware specifically look for OPC servers, and more are continually being discovered. What the variants have in common is that all of them are used to communicate different types of information.

The other piece of malware, the one experienced by our competitors, is known as Karagany or Trojan. Karagany gives the attackers the option to upload and/or download files from an infected machine and run executable files, along with the ability to collect passwords, take screenshots, and catalog documents.

Dragonfly was executed using multiple pathways to access the control systems. First, executives and senior employees became the target of a phishing campaign which included a malicious PDF attachment. Next, the attackers set up a watering hole for employees of the energy sector. Once the site was visited, employees were redirected to a compromised legitimate website hosting an exploit kit which installed the RAT. Finally, at least three ICS vendors were compromised so that the supply chain included the RAT malware.

Once the attackers were inside the system they could sit with persistent access, measure employee capabilities, steal industrial information, and cause disruption to power systems, electric grids, and nuclear facilities.

What did we learn about our competitors?

In this round we learnt that our competitors are assuming that each scenario has one attacker behavior per TTP. However, as Cyberbit reflects reality, this simply is not true. Attackers rarely use one type of persistence and rarely only use a single script to control their actions on a network. Our top competitors all missed the same goals related to deleting scripts and removing persistence. I wish I could say more, but we can’t give everything away!

If you analyze the APTs included in the MITRE ATT&CK Framework, you will see that almost every attack contains multiple behaviors per Tactic. For example, APT28, attributed to the GRU's 85th Main Special Service Center military unit 26165 and believed to be responsible for the Hillary Clinton campaign compromise, used five different techniques in the Initial Access phase alone. Each phase of their attack flow contains at minimum three different techniques to accomplish their given goal. Only the Impact phase has a single technique highlighted: denial of service to the network.

What’s next?

It’s finals time! For this round, we’ll be pulling out all the stops, providing the remaining six teams with just three hours of competition time. Six? But you said only six were going to the finals! You are correct! Given the six PERFECT scores in the semifinals round and the closeness of the time, we decided to add an additional two teams into the finals!

Like our previous rounds, the remaining teams will not know what type of activity is occurring on their network until they access their virtual machine. However, as my little hint to competitors, this round’s scenario will require you to rely on your technical capabilities more heavily and less on tool capabilities.

Don’t we all wonder what it could be? You’ll have to come back as we announce the winners to find out!

Post Semifinals Standings

First, we’ll give you the overall standings from the quarterfinals. ISA Cybersecurity knocked this scenario out of the park with the first sub-hour score in the competition. They seem to be getting stronger as the competition goes on! Hudson Bay Company continues their perfect scoring record, going into the finals in 3rd place by time alone. Game of Thone’s (USAF) came in 5th place after being a top contender over the first two rounds. We hope to see a quick performance from them following their continued high scoring to date.

| # | Company | Team Name |
|---|---------|-----------|
| 1 | ISA Cybersecurity INC | ISA Cybersecurity |
| 2 | American Express | The Marchwardens |
| 3 | Hudson’s Bay Company | Hudson’s Bay Company |
| 4 | Schlumberger | Schlumberger |
| 5 | United States Air Force | Game of Thone’s |
| 6 | Metlife | Grace Hopper Has A Posse |
| 7 | Panasonic Avionics | DirtySOC |
| 8 | PNC Bank | PNC |
| 9 | Voya Financial | Voya |
| 10 | Deepwatch | Deepwatch |
| 11 | National Bank of Canada | Glorious G00ns |
| 12 | Global Payments | SKYNET |
| 13 | Howard Hughes Medical Institutes | Rock, Scissor, or Exploit |
| 14 | Plante Moran | Perseverance |
| 15 | City of Calgary | City of Calgary |
| 16 | IBM | Gone Phishing |
| 17 | Synovus Financial | Synovus Financial |
| 18 | Sirius | Sirius |
| 19 | East West Bank | Bridge |
| 20 | AT&T | AT&T |

Post Semifinals Power Rankings

Hudson’s Bay Company continues to be the favorite going into the finals, maintaining their perfect scoring status through the semis. They’ll need to hurry it up if they want to win in the final round! Game of Thone’s (USAF), with a near perfect score, must take the same advice as Hudson’s Bay Company if they want to finish in the top three! ISA, our fastest team in the semis, is now in 3rd place, positioning them as favorites as well to take the title of Best Cyber Defense Team in the Americas! The bottom three teams in our power rankings have maintained their spots with good performance and should look to improve their time coming into the finals as well, but our three favorites to win right now are Hudson’s Bay Company, Game of Thone’s, and ISA Cybersecurity!

| # | Company | Team Name |
|---|---------|-----------|
| 1 | Hudson’s Bay Company | Hudson’s Bay Company |
| 2 | Panasonic Avionics | DirtySOC |
| 3 | United States Air Force | Game of Thone’s |
| 4 | ISA Cybersecurity INC | ISA Cybersecurity |
| 5 | PNC Bank | PNC |
| 6 | Metlife | Grace Hopper Has A Posse |
| 7 | City of Calgary | City of Calgary |
| 8 | Howard Hughes Medical Institutes | Rock, Scissor, or Exploit |
| 9 | Plante Moran | Perseverance |
| 10 | National Bank of Canada | Glorious G00ns |
| 11 | American Express | The Marchwardens |
| 12 | Schlumberger | Schlumberger |
| 13 | Voya Financial | Voya |
| 14 | Global Payments | SKYNET |
| 15 | Deepwatch | Deepwatch |
| 16 | Synovus Financial | Synovus Financial |
| 17 | East West Bank | Bridge |
| 18 | Sirius | Sirius |
| 19 | AT&T | AT&T |
| 20 | IBM | Gone Phishing |
