Back to Blog
And then there were six. Just six teams remain, competing for the title of the Best Defensive Cyber Team in the Americas. Thus far, each team has completed a set of labs and the 20 teams who moved on to the semis have experience two different attacks. In the quarterfinal, each team was tasked with completing a Coin Miner scenario. But, in the semis we wanted to make things a bit more challenging, so we brought one of the more difficult scenarios available on the Cyberbit platform: Dragonfly.
Introducing Dragonfly – Difficulty Level, Intermediate
As in the last round, competitors were not aware of the attack type until they logged onto their machines and began exploring their Splunk and network. With over 60 components included within the enterprise grade virtual network, this task would take considerably longer than their given 4 hours without the help of Splunk, their Palo Alto firewall, and all the system logs. Even with this advantage, the Dragonfly scenario is still challenging considering it is based on the 2017 Dragonfly attack on the western energy sector (primarily focused on the UK).
With stark comparisons being drawn to Stuxnet in terms of technical brilliance and strategic execution, the Dragonfly group introduced a new malware aimed directly at energy companies. The malware has at least three different attack mechanisms and appears to be completely legitimate since it appears to be an unaltered software from trusted suppliers. However, once the malware is introduced to the control systems, it comes to life.
Initially discovered by Finnish security firm F-Secure and rediscovered by Symantec a week later (as a different malware), the Dragonfly malware was researched and initially diagnosed as a RAT (remote access tool) by Symantec.
The first was known as the Havex RAT though it has also been referenced as Backdoor.Oldrea or the Energetic Bear RAT. The malware extracts data from outlook address book and ICS related software files used for remote access from infected machines to industrial systems. Some of the more than 88 variants of the malware specifically look for OPC servers and more are continually being discovered. The similarity is that all Havex variants are used to communication different types of information.
The other piece of Malware, experience by our competitors, is known as Kragany or Trojan. Kragany gives the attackers the option to upload and/or download files form an infected machine and run executable files along with the ability to collect passwords, take screenshots, and catalog documents.
Dragonfly was executed using multiple pathways to access the control systems. First, executives and senior employees became the target of a phishing campaign which included a malicious PDF attachment. Next, the attackers set up a watering hole for employees of the energy sector. Once the site was visited, employees were redirected to a compromised legitimate website hosting an exploit kit which installed the RAT. Finally, at least three ICS vendors were compromised so that the supply chain included the RAT malware.
Once the attackers were inside the system they could sit with persistent access, measure employee capabilities, steal industrial information, and cause disruption to power systems, electric grids, and nuclear facilities.
What did we learn about our competitors?
In this round we learnt that our competitors are assuming that each scenario has one attacker behavior per TTP. However, as Cyberbit reflects reality, this simply is not true. Attackers rarely use one type of persistence and rarely only use a single script to control their actions on a network. Our top competitors all missed the same goals related to deleting scripts and removing persistence. I wish I could say more, but we can’t give everything away!
If you analyze the ATPs included in the MITRE ATT&CK Framework, you will see that almost every attack contains multiple behaviors per Tactic. For example, APT28, attributed to the GRUs 85th Main Special Service Center military unit 26165 and believed to be responsible for the Hillary Clinton campaign compromise, used five different techniques in the Initial Access phase only. Each phase of their attack flow contains at minimum three different techniques to accomplish their given goal. Only the impact has one technique highlights, the denial of service to the network.
What’s next?
It’s finals time! For this round, we’ll be pulling out all the stops, providing the remaining six teams with just three hours of competition time. Six? But you said only six were going to the finals! You are correct! Given the six PERFECT scores in the semifinals round and the closeness of the time, we decided to add an additional two teams into the finals!
Like our previous rounds, the remaining teams will not know what type of activity is occurring on their network until they access their virtual machine. However, as my little hint to competitors, this round’s scenario will require you to rely on your technical capabilities more heavily and less on tool capabilities.
Don’t we all wonder what it could be? You’ll have to come back as we announce the winners to find out!
Post Semifinals Standings
First, we’ll give you the overall standings from the quarterfinals. ISA Cybersecurity knocked this scenario out of the park with the first sub-hour score in the competition. They seem to be getting stronger as the competition goes on! Hudson Bay Company continues their perfect scoring record, going into the finals in 3rd place by time alone. Game of Thone’s (USAF) came in 5th place after being a top contender over the first two rounds. We hope to see a quick performance from them following their continued high scoring to date.
| # | Company | Team Name |
| 1 | ISA Cybersecurity INC | ISA Cybersecurity |
| 2 | American Express | The Marchwardens |
| 3 | Hudson’s Bay Company | Hudson’s Bay Company |
| 4 | Schlumberger | Schlumberger |
| 5 | United States Air Force | Game of Thone’s |
| 6 | Metlife | Grace Hopper Has A Posse |
| 7 | Panasonic Avionics | DirtySOC |
| 8 | PNC Bank | PNC |
| 9 | Voya Financial | Voya |
| 10 | Deepwatch | Deepwatch |
| 11 | National Bank of Canada | Glorious G00ns |
| 12 | Global Payments | SKYNET |
| 13 | Howard Hughes Medical Institutes | Rock, Scissor, or Exploit |
| 14 | Plante Moran | Perseverance |
| 15 | City of Calgary | City of Calgary |
| 16 | IBM | Gone Phishing |
| 17 | Synovus Financial | Synovus Financial |
| 18 | Sirius | Sirius |
| 19 | East West Bank | Bridge |
| 20 | AT&T | AT&T |
Post Semifinals Power Rankings
Hudson’s Bay Company continues to be the favorite going into the finals, maintaining their perfect scoring status through the semis. They’ll need to hurry it up if they want to win in the final round! Game of Thone’s (UAF), with a near perfect score, must take the same advice as Hudson’s Bay Company if they want to finish in the top three! ISA, our fastest team in the semis, is now in 3rd place, positioning them as favorites as well to take the title of Best Cyber Defense Team in the America’s! The bottom three teams in our power rankings have maintained their spots with good performance and should look to improve their time coming into the finals as well but our three favorites to win right now are Hudson’s Bay Company, Game of Thone’s, and ISA Cybersecurity!
| # | Company | Team Name |
| 1 | Hudson’s Bay Company | Hudson’s Bay Company |
| 2 | Panasonic Avionics | DirtySOC |
| 3 | United States Air Force | Game of Thone’s |
| 4 | ISA Cybersecurity INC | ISA Cybersecurity |
| 5 | PNC Bank | PNC |
| 6 | Metlife | Grace Hopper Has A Posse |
| 7 | City of Calgary | City of Calgary |
| 8 | Howard Hughes Medical Institutes | Rock, Scissor, or Exploit |
| 9 | Plante Moran | Perseverance |
| 10 | National Bank of Canada | Glorious G00ns |
| 11 | American Express | The Marchwardens |
| 12 | Schlumberger | Schlumberger |
| 13 | Voya Financial | Voya |
| 14 | Global Payments | SKYNET |
| 15 | Deepwatch | Deepwatch |
| 16 | Synovus Financial | Synovus Financial |
| 17 | East West Bank | Bridge |
| 18 | Sirius | Sirius |
| 19 | AT&T | AT&T |
| 20 | IBM | Gone Phishing |