Just one week ago, nearly 300 cybersecurity pros on close to 100 teams received their login credentials to Cyberbit and began the process of qualifying for the ICL: America’s Cyber Cup. Thus, the hunt to find the best cyber defense team in the Americas kicked off!

Each team, made up of 2-3 cybersecurity professionals from an enterprise, military, civilian government, or MSSP, was responsible for completing a set of three “cyber labs.” Each lab required approximately 60 minutes to complete with each team member completing a unique lab in the 3-lab set. A cyber lab is a micro-environment (one machine or a micro network) designed to train or test a specific individual skill. In the case of the ICL: America’s Cyber Cup, we specifically chose labs to test the specific skillsets the pros would require through the rest of the competition. Over the last week, over 300 labs were completed by our competitors, giving us a strong baseline of their future performance.

The three labs included were:

  1. Threat Hunting – Data Leakage
  2. SMB Protocol
  3. Threat Intelligence – Keylogger Investigation

Scoring on the qualifiers round is based on the competitor’s ability to answer the questions included within each lab. The top 40 teams have qualified for the ICL and begin their competition in the quarterfinals against a live simulated cyberattack!

Performance Breakdown by Lab 

Lab #1: Threat Hunting – Data Leakage
Difficulty Level – Easy

Threat hunting is fast becoming a skillset required to excel in the SOC (security operations center) or incident response team. In the Threat Hunting – Data Leakage lab, competitors were asked to identify significant bulk traffic flowing through the network but do not have any alerts in their SIEM. Using a fully licensed version of Splunk Enterprise Security (Splunk’s SIEM product), each team was asked to proactively search and track malicious activity on the network, confirming a brute force attack that ultimately led to data being leaked from the simulated network to an outside server. To accomplish their goal, competitors had to build queries inside Splunk using various commands to discover the amount of data transferred to an outside address including the destination port, discover the type of malicious activity occurring on the network, filter traffic from different log types, and rebuild a complete attack flow to answer the questions included in the quiz. 

Lab Stats: 

Average Time – 48:44

Highest Score – 100

Average Score – 59

Lowest Score – 0

Wrong Answers – 367/912

Lab #2: SMB Protocol  
Difficulty Level – Intermediate

During the SMB Protocol lab, competitors were asked to investigate a PCAP file containing the usage of the EternalBlue exploit (CVE-2017-0143) over the SMB protocol of the provided simulated network. Even though the EternalBlue exploit only affects Windows operating machines, every old version that makes use of the SMBv1 (Server Messaging Block Version 1) file-sharing protocol is technically vulnerable to ransomware and other types of cyberattacks. To date, WannaCry and Petya are the most famous attacks in which EternalBlue was used for lateral movement across the organization with WannaCry infecting over 200,000 machines across 130 countries in a single day! To complete this lab successfully, competitors were asked to analyze the connections in the PCAP file to determine attack origin, how the attack spread, and to determine who the attacker and victim are.

Lab Stats: 

Average Time – 42:25

Highest Score – 100

Average Score – 79.4

Lowest Score – 0

Wrong Answers – 226/1116

Lab #3: Threat Intelligence – Keylogger Investigation
Difficulty Level – Easy

The cream of the crop of cyber experts all understand the concept of sharing information to work as a cohesive unit against cybercrime.  Many organizations use an MISP (Malware Intelligence Sharing Platform) to share IOCs (indicators of compromise) to be used to prevent future attacks. In other words, information is openly shared to make everyone safer. In this lab, competitors were challenged to use their MISP to detect a keylogger on the network, validate IOCs, identify the attack and camouflage mechanisms, and eradicate the malware by deleting malicious files from the systems, blocking the network IOCs in the firewall, and blacklisting the IOC’s hashes on the appropriate systems. 

Lab Stats: 

Average Time – 38:54

Highest Score – 100

Average Score – 69

Lowest Score – 0

Wrong Answers – 240/816

ICL: America’s Cyber Cup Current Standings 

Now that you’ve understood what our teams had to go through to qualify, let’s see where we currently stand. To determine the 40 teams moving on to the Quarterfinals we combined the scores of each teammate’s labs to see where each team stands. The teams with the top 40 combined scores move on! You can see the standings below. On the ICL Website you will also see Power Rankings which will combine scores across rounds to see which teams are the favorite!

PlaceOrganizationTeam Name
1Hudson’s Bay CompanyHudson’s Bay Company
2Panasonic AvionicsDirtySOC
3ISA Cybersecurity INCISA Cybersecurity
4(US Army) RCC-SWASWA Cyberspace Criminal Minds
5(US Army) RCC-SWAWe Are Definitely Da Best
6United States Air ForceGame of Thone’s
7Global PaymentsGlobal Payments
8American ExpressThe Marchwardens
10HCL Americaknightriders
11HighmarkHigher Mark
12HomeEquity BankHomeEquity Bank
13LennarM1nd 0ver MITR3
14City of CalgaryCity of Calgary
15Capital OneThe COF JAM Team
16East West BankBridge
17American ExpressTeamBeaST
18Voya FinancialVoya
19Illinois State TreasurerSpeakerHeads
21Howard Hughes Medical InstitutesRock, Scissor, or Exploit
22BoeingBash Bros
23Counter HackDevious Elves
24CecyberCECyber Brazil
25Synovus FinancialSynovus Financial
26Plante MoranPerseverance
28Fannie MaeMae The Force Be With You
29Customers BankThe 10-Bit Hash
32MetlifeGrace Hopper Has A Posse
33National Bank of CanadaGlorious G00ns
34IBMGone Phishing
36Morgan StanleyIPv7
40HighmarkSticky BandITs

What’s coming in the America’s Cyber Cup quarterfinals? 

Let the competition begin! As the quarterfinals kick off, we say goodbye to labs and hello to complete simulated cyberattacks! For the quarterfinal round, teams will be given two hours to complete an intermediate level scenario on the cyber range included within Cyberbit. Only 20 teams will move on to the semi-finals, so time is of the essence! Scoring on this round will see how far the team, acting as a whole, can get in the resolution of the simulated attack and will be measured by evaluating uploaded forensic evidence, advanced network sensors which measure trainee actions, and using a quiz built in to the attack simulation. 

To maintain the hyper-realistic nature of the ICL: America’s Cyber Cup, competitors will not be aware of the attack type taking place on the enterprise grade network simulated inside the cyber range. Competitors will be provided with commercially licensed tools including Splunk Enterprise Security (SIEM), McAfee EPO, a Palo Alto Networks Firewall, and the rest of a complete security stack required to detect, investigate, respond, and mitigate the ongoing attack. Stay tuned for a complete breakdown of the quarterfinals attack and to see which 20 teams continue to the semis! 

See a Cyber Range Training Session in Action