Cyber Security Challenge Masterclass 2016

This year’s Cyber Security Challenge Masterclass saw over 40 contestants battling to become crowned the winner. I was fortunate enough to be invited as an assessor for the whole event. What follows are my views and interpretation of the event.

The challenge was set and created by PwC this year. This was the first year the company had picked up the mantle, and it was attempting to top the likes of HP, Airbus and BT, to name just three; no small feat! Previous Masterclasses had seen a wide variety of features, from disabling the guns on HMS Belfast to dealing with a critical infrastructure compromise in the Churchill War Rooms.

The location this year was in the Shoreditch area of London in a beautifully set photography studio. The railway arches and traditional brickwork lit by red, blue and green lights created an ambiance that was both pleasant and terrifying.

Day 1

Wednesday late afternoon was the kick off to this event; all of the contestants were brought together in the Tower Hotel, split into their respective teams and shipped over to the venue. Upon arrival, they were immediately told that a large sum of money had gone missing from fictitious power company Bolt Power.

The company were sure this was an insider threat and had compiled a list of suspects; these suspects were available to be interviewed by the contestants. Some excellent acting then ensued from the PwC representatives playing Bolt Power staff. A particularly commendable performance came from the “secretary”, who was considered the central point of gossip at Bolt Power.

By the end of the first night most of the teams had a good idea of who was to blame. The evidence, however, took a little longer to compile.

Day 2

Thursday morning the candidates turned up bright-eyed and bushy-tailed. They still had to gather the evidence of the insider threat, but were also presented with a 9GB PCAP (network traffic capture) file. This was intentionally made so large that it could not be opened with the traditional tools; instead the teams had to use their imagination.

Many teams carved the file up using Editcap, a program from the Wireshark suite of tools. This gave them multiple smaller files to view. Some teams realised that a single ‘stream’ in the PCAP was making up the bulk of the size and used TShark (also part of the Wireshark suite) to filter out this single flow of data.
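As an added illustration of the second approach (this is not code from the event or from PwC’s materials): a small Python script that streams a pcap record by record, tallies captured bytes per bidirectional flow, picks the dominant stream and emits the TShark display filter that would drop it. The pcap, hosts and ports are constructed inline; a real 9GB capture would be read the same way, one record at a time.

```python
import struct
from collections import defaultdict

# Constructed sample input: a tiny pcap with one bulk TCP transfer and two small flows.
def _pkt(src, dst, sport, dport, payload, proto=6):
    """Build an Ethernet+IPv4+TCP/UDP frame (checksums left zero; this parser ignores them)."""
    if proto == 6:  # TCP: 20-byte header, PSH|ACK flags
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:           # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # pcap record header

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
SAMPLE_PCAP = PCAP_GLOBAL + b"".join(
    [_pkt("10.0.0.5", "10.0.0.9", 50000, 445, b"A" * 1400) for _ in range(20)]  # bulk stream
    + [_pkt("10.0.0.9", "10.0.0.5", 445, 50000, b"B" * 60),                     # its reverse direction
       _pkt("10.0.0.7", "192.0.2.53", 40000, 53, b"C" * 40, proto=17),           # small UDP flow
       _pkt("10.0.0.7", "198.51.100.80", 40001, 80, b"D" * 200)])                # small TCP flow

def flow_bytes(pcap):
    """Sum captured bytes per bidirectional 5-tuple, reading one record at a time."""
    totals = defaultdict(int)
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, skip
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
        totals[key] += incl
    return dict(totals)

def dominant_flow(pcap):
    """Return (flow_key, bytes, share_of_capture) for the largest stream."""
    totals = flow_bytes(pcap)
    key = max(totals, key=totals.get)
    return key, totals[key], totals[key] / sum(totals.values())

def exclusion_filter(key):
    """Display filter for `tshark -r in.pcap -Y <filter> -w out.pcap` that drops the given flow."""
    proto, (a, ap), (b, bp) = key
    name = "tcp" if proto == 6 else "udp"
    return f"!(ip.addr=={a} && ip.addr=={b} && {name}.port=={ap} && {name}.port=={bp})"
```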

While the teams were working out how to deal with this issue, an email was received from the Bolt Power SOC explaining that Bolt Power were under cyber attack. They gave the teams access to the AlienVault IDS and to log files via Kibana. The teams then had to demonstrate not only time management but task prioritisation. This attack was live, and points were deducted for every false positive that was reported, in order to test the analytical skills of the teams.

As if this wasn’t enough, the teams were then provided with a memory capture and disk image of a compromised host within the Bolt Power environment. Volatility was the tool of choice for the memory dump, and a combination of tools was used on the disk image.

The teams discovered that there had been a compromise involving a Flash exploit, allowing a reverse shell to be established and data to be exfiltrated. There was also evidence that this was a nation state sponsored attack; however, it was difficult to identify an individual or group.

The second day was by far the longest; the teams worked until 17:30, were lured into a false sense of security and were allowed to relax with alcohol. At around 19:00 an alarm sounded and all teams were asked to return to their workstations. Ransomware! There had been a ransomware infection on the network, and the teams were tasked with reverse engineering the malicious program to see if the data could be released. The ransomware was intentionally written with a symmetric key, meaning the answer was available to the contestants if they knew where to look. Additional questions were also posed to the teams, including ‘what registry keys were created?’. There were some very imaginative ways of getting the required answers; however, by the end of the evening all teams had dealt with the problem and were ready for Day 3.

Day 3

Friday was very much a continuation of the previous day’s work, with a Penetration Test (Pen Test) thrown in for good measure. The idea of the pen test, like the forensic considerations, was to see if the candidates understood how to carry out the task while taking into account the legal considerations. A letter of authorisation was then issued to any team that requested it.

The end of Day 3 saw the teams given 30 minutes to prepare a verbal presentation to the board of directors at Bolt Power. The people manning this board were actual directors from sponsoring companies, making it as real as it can get within the game environment. The teams were given a time to report to PwC Head Office, where Bolt Power had set up their board room. Each team was expected to set their own timings, with Bolt Power paying for the taxi journey. No help was given in terms of timings, adding to the pressure.

Each team sat in front of the board and had to explain what had gone on. As with previous competitions, the board intentionally played down their technical knowledge in order to show the candidates that explaining a ‘reverse shell’ to the CEO is not a simple task, especially when they have just been told a nation state sponsored attack may have just hit their company. The pressure was turned up if the team hit a buzzword. Words like ‘safety’ would instantly get a strong reaction, as Bolt Power controlled the nation’s nuclear power facilities.

Each team faced the board; each team survived the ordeal and was commended on a variety of topics.

Once the board meetings were completed, the candidates were told to go and relax in the hotel until the awards dinner later that evening, where the winning team, and the winning individuals, would be decided.

Conclusion

I have assessed at several Cyber Security Challenge events, and this was one of the first to cover almost all disciplines within the cyber security field. As such, the assessment team noticed there was no obvious winner who excelled across every area; instead we had many strong contenders for the top slot, and picking the winner was not an easy task. As always there was a passionate debate, with strong arguments for and against many of the candidates.

As a result of this, the assessment team were all very impressed with PwC’s competition. This is the first time we have had such a broad sweep of challenges, and I personally hope this will set the standard for all future challenges.

I would strongly encourage any company interested in embracing new talent, of all age groups, to contact the Cyber Security Challenge and register their interest. Next year’s Masterclass could contain your future analysts, consultants, engineers or even your future CISO.
