War zone: how I thought like a hacker to battle it out in cyber-attack games

Threat researcher Candid Wueest recounts his experience of participating in Symantec’s Cyber War Games 2017

candid wueest
Threat Intel
8 min read · May 9, 2017


Symantec’s Cyber War Games is a classic capture the flag (CTF) game, where teams have to tackle various IT security challenges and solve tasks and puzzles from the perspective of an attacker.

And we’re not talking about challenges like the ones featured in the 1983 blockbuster movie WarGames, where Matthew Broderick saved the world with a few rounds of Tic Tac Toe.

There are various CTF games online, but Cyber War Games is a bit different. Only Symantec employees can participate, and its aim is to entertain and challenge the company’s technically-minded employees. CTFs are gaining popularity in IT companies as a way to keep internal specialists entertained and trained through cyber exercises, and to assess the skills of potential new hires.

This year’s Cyber War Games played out over two rounds: an online qualification round, in which more than 1,500 Symantec employees worldwide battled it out to become one of the top 10 teams, followed by the live onsite finals for those 10 teams.

Teams of up to four people had to walk in the shoes of an attacker and breach a variety of systems to solve tasks. There were various levels with multiple challenges, but they were all connected by a story and reflected attacks that have been seen in the real world. Just like in real life, small things like easy-to-guess passwords or badly configured web servers can accumulate to allow for a complete breach.

My team, 42, at the Cyber War Games finals in Mountain View

The qualification rounds

This was the fifth time the Cyber War Games competition has been held at Symantec, and I have had the pleasure of participating in all of them so far. Having made the finals every time, I was keen to advance again.

It can be quite difficult to convey accurately to non-technical people what actually happens during games like this, and the sort of strategies teams use.

The qualification games took place on a long weekend in March. The timing was not ideal, as it collided with St Patrick’s Day and part of my team was located in Dublin. However, we were all excited and eager to play, so we saved the drinks for when the Games were done. In my time zone, the game started at 1am on Friday and was scheduled to go on for six days non-stop. The energy drinks and snacks were stacked in the fridge and a short pre-game power nap ensured an effective start. In order to keep disruption to a minimum, all of my friends knew what I was doing and that I wouldn’t be reachable during the game.

Games like this are nothing like the Hollywood movies suggest, where someone frantically types on a keyboard in front of seven screens until some green “Access Granted” writing appears. Imagine it more like a real cyber attack.

The organizers of the games replicated the infrastructure of multiple companies to simulate a real ecosystem. From the email server of the marketing department and the web store of the business unit, to the file exchange server in the cloud, all of it was there, running real, off-the-shelf software just as would be the case in the real world. Each team then had to work through around 85 tasks drawn from various scenarios.

A task could be as simple as finding the port number of a specific server, or as complicated as discovering the malware sample in a forensic image. The tasks covered all phases of a targeted attack: reconnaissance, incursion, lateral movement, and data exfiltration. The tasks are not standalone, but are rather embedded in an overall story. So, the password you discovered in a previous task might be used later for a different server, or a file recovered from a forensic image can be the key to decrypting some network communication. Just like in the real world, everything is connected and every detail counts. For difficult tasks there were hints available, but taking hints would deduct points from your team score. Hints allow people to still advance when they are stuck and also help them learn new methods and tricks for the next time.

When I take part in CTF games, I usually play on a Linux laptop with multiple virtual systems and have a backup laptop in case the hardware fails me. Of course, as in all walks of life, preparation is key, so I installed and updated all the usual attack tools, from Burp proxy to modify web traffic and SQLmap to find SQL injections, to simple hex editors like Bless and a lot of Python scripts that I’d used previously that I could adapt if needed.

Ready to rumble

My team used a private Slack chat to coordinate and exchange ideas, as collaboration was key. The first two levels in the game were sequential, but after that multiple levels opened up, so we could split the work between us. Each individual focused on their strengths: web attacks, forensics or exploits. We made some good progress in the first 24 hours and the boost of adrenaline after solving the various tasks motivated me to go without sleep for a few more hours.

But sooner or later the tiredness takes over and you start making too many typos, so I called it a day and slept for a few hours. Thanks to our group chat, it was easy after my power nap to catch up on my team’s progress over a cup of coffee and take over from there again. On day two I spent many hours trying to exploit a web server. There were many possible attack vectors, and unfortunately I spent a long time working on the wrong idea, trying to bypass upload filters to gain a PHP shell. After getting frustrated with constant failure, I discussed other possible ideas with my team. At first we didn’t come up with any good new ideas, but then I realized that the application might be vulnerable to the ImageTragick vulnerability (CVE-2016-3714). And indeed, a few minutes later I had my test payload executed on the remote server, and shortly after that I had a proper shell connection to the server. Another task solved.
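The two ideas in that paragraph, an upload filter and ImageTragick, are closely related: the CVE-2016-3714 payloads were text-based MVG or SVG files, and ImageMagick picks its decoder from the file content rather than the file name, so a text payload renamed to photo.png walks straight past a filter that only looks at the extension or the client-supplied Content-Type. Below is an added example of the server-side check a practitioner would want in front of such an image pipeline; it is written for this article and is not code from the original post or from any Symantec tool. Function names, the magic-number table and the sample inputs are this example’s own constructions.

```python
"""Content-based upload validation (added example, not from the original post).

Accept an upload only when the bytes actually start with the magic number of
the raster format that the extension claims. A renamed MVG/SVG text file, the
vector used by ImageTragick (CVE-2016-3714), fails this check because it has
no raster magic number at all. Names below are this example's own choices.
"""
import os

# Canonical format name -> accepted magic numbers (constructed table).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Allowed extensions and the format each one claims. SVG is deliberately
# absent: it is a text format that ImageMagick can render, so it is not
# accepted by this filter at all.
EXT_TO_FORMAT = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff_format(data: bytes):
    """Return the raster format whose magic number matches, or None."""
    for fmt, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason). Both the extension and the content must agree."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_FORMAT.get(ext)
    if claimed is None:
        return False, f"extension {ext!r} is not allowed"
    detected = sniff_format(data)
    if detected is None:
        return False, "content does not start with any allowed image magic number"
    if detected != claimed:
        return False, f"extension claims {claimed} but content looks like {detected}"
    return True, "ok"


# Constructed sample inputs: only the first bytes matter for this check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
# A harmless MVG header with no exploit content, renamed to look like a PNG.
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
SVG_SAMPLE = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'


def run_demo():
    """Run the check over the constructed samples; returns {name: accepted}."""
    cases = {
        "photo.png": PNG_SAMPLE,
        "pic.jpeg": JPEG_SAMPLE,
        "avatar.png": MVG_SAMPLE,  # renamed text payload: must be rejected
        "logo.svg": SVG_SAMPLE,    # text format: extension not allowed
    }
    results = {}
    for name, data in cases.items():
        accepted, reason = check_upload(name, data)
        results[name] = accepted
        print(f"{name:12} -> {'ACCEPT' if accepted else 'REJECT'} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

This only closes the renamed-text-file route; it does not parse the image, and it does nothing for a server whose ImageMagick is still unpatched. The fixes published with ImageTragick were to update ImageMagick and to disable the unneeded coders (such as MVG, MSL and EPHEMERAL) in policy.xml; the magic-number check above is a defence-in-depth layer in front of that, not a replacement for it.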

After about three days of intensive work, we eventually reached the final puzzle, gaining remote code execution on an HVAC application. We were the fourth team to complete all the tasks, so we knew we had made it through to the finals, as the first 10 teams advanced. Happy, but exhausted, I fell asleep as soon as the adrenaline levels dropped. It took me half a day of sleep to return to normal.

The onsite finals

In a way, however, our work had only just begun, as we then had to prepare for the finals, where the top 10 teams from Symantec offices all over the world would compete.

The finals were held onsite in the Symantec HQ in Mountain View, California, at the start of May. The theme of the onsite finals this year was agriculture, and the organizing team did a fantastic job of building physical props to support the scenarios visually and to give the team tangible targets. There were SCADA sprinkler systems, NFC door locks, and flying drones that all needed to be attacked.

Some real-world props at the Cyber War Games finals

The finals consisted of four small CTFs, each running for around five hours, spread out over three days. So, unlike the earlier exercise, the competition was not running non-stop for 24 hours per day, which allowed the participants to enjoy the evenings and socialize over a meal. It is quite an interesting experience to be in a room with 40 geeks, crammed at small tables, staring at their laptops while electronic music plays in the background. Of course, the hours flew by every day and I always felt that we had just started when it was already time to wrap up. The time limitations also meant we had to play strategically and decide to take hints to advance faster, even though we sometimes already knew the type of attack to use.

Being physically close to the machinery also allowed us to not only attack virtual targets, but also to carry out attacks where the physical and digital worlds interconnect. For example, on one level we used a ZigBee sniffer to find a connected SCADA system that controlled the sprinkler pump. Once the target was identified we used the sniffed information to connect to the device and turn the pump on in order to drown the crops. It took us some time to get used to the Human Machine Interface (HMI), but since it was a quite simple setup we were able to identify the pump and modify the corresponding settings within a short time.

For another task, we had to attack a small-size replica of an autonomous tractor that we could control remotely, hijacking the coordinates and generating havoc. Combining all these attacks led to the end goal of the overall scenario, which was to seriously disrupt large parts of the crop harvest of our simulated world. This, in turn, influenced the stock price of various agricultural companies.

Unfortunately for my team, in the end we didn’t make the top three in the finals, so no trophy came home to add to my collection. However, it was a great experience and I learned a few new tricks. A big shout out to the rest of my team for doing an awesome job, and congratulations also to my friends in the “No Name” team for winning.

CTF games like this are not just about having fun, they also keep engineers challenged. Experiencing attacks firsthand like this can help you to better understand attackers and to prepare better protection for customers. It’s also interesting to see that it’s not always that easy to exploit a vulnerability. Because of my day job as a threat researcher, the details of these attacks are not that surprising, but it is a good reminder that you need to understand every detail of a breach to know the full story of an attack.

If you or your team want to experience something like the Cyber War Games yourselves, Symantec offers a service to simulate this kind of environment, to keep engineers on their toes or test new hires.

I’m definitely looking forward to the next Cyber War Games!

Teams hard at work at the Cyber War Games finals in Mountain View

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.



I work @ Symantec Security Response. My tweets are my own, and not that of my employer. I break stuff, I have fun, I have fun breaking stuff ;)