This webinar is available at this YouTube link
-
As we know, this competition is focused on energy-based infrastructures and networks.
-
Types of teams in this competition
- Blue team (us)
- Red team (attackers that will try to pwn us on Nov 4th and 5th; industry professionals)
- White team (administrators, build out infrastructure for us)
- Green team (users of our systems; these people test out the usability and availability of our network in real time)
- Orange team (C-suite / senior executives)
-
Generally speaking, as the blue team, we communicate with all teams throughout the competition.
- But mostly, we aim to communicate with the green team (our network users) and the orange team (our execs)
-
This year, our competition scenario involves the solar energy industry.
- In 2021, it was hydropower. 2020 was wind, 2018 was natural gas...
Five main scoring categories:
-
Exploitability of vulnerabilities (they ask you about a vulnerability you found, how you found it, and what you would do to fix it -- be prepared to answer questions)
-
Vulnerabilities introduced in buildouts (during live attack)
-
Sportsmanship
- Service uptime (e.g. DNS, SMTP...) -- these services are required to be on certain IPs
- Usability
- they mentioned a website is part of it, and that it will be broken (e.g. misspellings, broken links, incorrect information present)
-
Security documentation (pre-competition, AKA during our network access phase)
- they provide templates for our documentations, not sure if we should use them or just use the UF 2019 report as a template
-
Information sharing/incident reporting
- Throughout the day, they may ask us to provide some sort of information or reports of incidents.
-
C-suite panel brief (pre-competition)
- this panel brief will involve our team recording a video for these managers. Communication and explanation skills are important.
- we will want to emphasize severity of breach, potentially even ask for resources/money...
- Real-world challenges/tasks
- these could be CTF-type challenges such as forensics, crypto, etc. or even a new vuln introduced in our systems.
- in general, these challenges are meant to pull attention away from the traditional role of protecting systems.
- Our goal is to balance the usability of our systems for customers, employees, and ourselves WHILE maintaining security of the system.
- BAD EXAMPLE: Implementing 10 passwords in a row within 30 seconds.
- GOOD EXAMPLE: Implementing dual authentication (2 different password mechanisms)
-
The goal here is for us to be holistic blue teamers
- This means we document what we are doing
-
Part of understanding what we are building and defending is ensuring that others can quickly pick up where we left off
- This way, we keep track of our hard work and others can benefit from it in the future.
-
As mentioned before, this documentation needs to be written and submitted during the pre-competition phase (Oct 17th ~ November 3rd or so)
-
This Q&A video on their YouTube channel (different from the competition 101 video) starts off with about 20 mins of in-person information; not relevant for us.
-
What tools can we use?
- Supposedly ONLY FREE AND/or(?) OPEN SOURCE programs?
- We need to clarify this before the competition.
-
Past Competition stuff
- https://cyberforce.energy.gov/cyberforce-competition/prior-competitions/doe-cyberforce-competition-2019/
- Unfortunately, no past reports are published here. Need to look around Google.