Just one week ago, nearly 300 cybersecurity pros on close to 100 teams received their login credentials to Cyberbit and began the process of qualifying for the ICL: America’s Cyber Cup. Thus, the hunt to find the best cyber defense team in the Americas kicked off!
Each team, made up of 2-3 cybersecurity professionals from an enterprise, the military, civilian government, or an MSSP, was responsible for completing a set of three “cyber labs.” Each lab took roughly 60 minutes, and each team member completed a different lab from the set of three. A cyber lab is a micro-environment (a single machine or a small network) designed to train or test one specific skill. For the ICL: America’s Cyber Cup, we chose labs that test the skills the pros would need through the rest of the competition. Over the past week our competitors completed more than 300 labs, which gives us a solid baseline for their likely performance in later rounds.
Scoring in the qualifying round is based on each competitor’s ability to answer the questions included within their lab. The top 40 teams have qualified for the ICL and begin the competition in the quarterfinals against a live simulated cyberattack!
The three labs included were:
Lab #1: Threat Hunting – Data Leakage
Difficulty Level – Easy

Threat hunting is fast becoming a skillset required to excel in a SOC (security operations center) or on an incident response team. In the Threat Hunting – Data Leakage lab, competitors were told that significant bulk traffic was flowing through the network but that no alerts had fired in their SIEM. Using a fully licensed version of Splunk Enterprise Security (Splunk’s SIEM product), each team had to proactively search for and track malicious activity on the network, confirming a brute force attack that ultimately led to data being leaked from the simulated network to an outside server. To get there, competitors had to build Splunk queries that combine several search commands: find the amount of data transferred to an outside address and the destination port it went to, identify the type of malicious activity on the network, filter traffic from different log types, and rebuild the complete attack flow in order to answer the quiz questions.
Lab Stats:
Average Time – 48:44
Highest Score – 100
Average Score – 59
Lowest Score – 0
Wrong Answers – 367/912
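To make the hunt concrete, here is an added example that is not part of the Cyberbit lab and not Splunk code: the same two-step hunt (brute force, then bulk egress to an outside address by destination port) written in Python over constructed log lines. The lab itself was done in Splunk SPL; the field names used here (src_ip, dest_ip, dest_port, bytes_out, action, user) are assumptions modelled on common firewall and authentication log schemas, and every log line below is made up.

```python
import ipaddress
import re
from collections import Counter, defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed authentication log: five failures then a success from one external source.
AUTH_LOG = """\
ts=1 src_ip=203.0.113.7 user=admin action=failure
ts=2 src_ip=203.0.113.7 user=admin action=failure
ts=3 src_ip=203.0.113.7 user=admin action=failure
ts=4 src_ip=203.0.113.7 user=admin action=failure
ts=5 src_ip=203.0.113.7 user=admin action=failure
ts=6 src_ip=203.0.113.7 user=admin action=success
ts=7 src_ip=10.1.1.20 user=alice action=success
"""

# Constructed firewall traffic log; bytes_out is bytes sent from src_ip to dest_ip.
FW_LOG = """\
ts=8 src_ip=10.1.1.50 dest_ip=10.1.1.5 dest_port=445 bytes_out=120000
ts=9 src_ip=10.1.1.50 dest_ip=198.51.100.9 dest_port=443 bytes_out=50000000
ts=10 src_ip=10.1.1.50 dest_ip=198.51.100.9 dest_port=443 bytes_out=70000000
ts=11 src_ip=10.1.1.20 dest_ip=93.184.216.34 dest_port=443 bytes_out=4096
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]


def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def brute_force_sources(events, threshold=5):
    """Sources that fail at least `threshold` times and then succeed.
    Returns {src_ip: (failures_before_success, user)}."""
    failures = Counter()
    hits = {}
    for e in sorted(events, key=lambda ev: int(ev["ts"])):
        if e["action"] == "failure":
            failures[e["src_ip"]] += 1
        elif e["action"] == "success" and failures[e["src_ip"]] >= threshold:
            hits[e["src_ip"]] = (failures[e["src_ip"]], e["user"])
    return hits


def egress_by_dest(events):
    """Bytes sent to external destinations, keyed by (src_ip, dest_ip, dest_port), largest first.
    Rough SPL equivalent (field names assumed, not the lab's own query):
      index=firewall NOT dest_ip=10.0.0.0/8 NOT dest_ip=192.168.0.0/16
      | stats sum(bytes_out) AS total BY src_ip dest_ip dest_port | sort - total"""
    totals = defaultdict(int)
    for e in events:
        if is_external(e["dest_ip"]):
            totals[(e["src_ip"], e["dest_ip"], int(e["dest_port"]))] += int(e["bytes_out"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def attack_flow(auth_log, fw_log, egress_threshold=10_000_000):
    """Rebuild the flow: brute-forced account first, then bulk egress above a byte threshold."""
    brute = brute_force_sources(parse(auth_log))
    egress = [(key, total) for key, total in egress_by_dest(parse(fw_log)) if total >= egress_threshold]
    return {"brute_force": brute, "bulk_egress": egress}


if __name__ == "__main__":
    flow = attack_flow(AUTH_LOG, FW_LOG)
    for src, (fails, user) in flow["brute_force"].items():
        print(f"brute force: {src} failed {fails} times, then logged in as {user}")
    for (src, dst, port), total in flow["bulk_egress"]:
        print(f"bulk egress: {src} -> {dst}:{port} {total} bytes")
```

The two thresholds (five failures, 10 MB of egress) are tuning knobs, not facts from the lab; in a real hunt you would start from the largest sum in the egress table and work backwards to the first authentication event from that source.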
Lab #2: SMB Protocol
Difficulty Level – Intermediate

During the SMB Protocol lab, competitors were asked to investigate a PCAP file capturing use of the EternalBlue exploit (CVE-2017-0144, patched by MS17-010) against the SMB protocol in the provided simulated network. EternalBlue affects only Windows hosts, but any unpatched Windows version with the SMBv1 (Server Message Block version 1) file-sharing protocol enabled is exposed to ransomware and other attacks that use it. To date, WannaCry and Petya (the 2017 NotPetya variant) are the most famous attacks in which EternalBlue was used for lateral movement across an organization, with WannaCry infecting over 200,000 machines across 130 countries in a single day! To complete this lab successfully, competitors had to analyze the connections in the PCAP file to determine the attack’s origin, how it spread, and which hosts were the attacker and the victims.
Lab Stats:
Average Time – 42:25
Highest Score – 100
Average Score – 79.4
Lowest Score – 0
Wrong Answers – 226/1116
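Below is an added example, not the lab’s PCAP or Cyberbit’s material, of the connection-level reasoning this lab asks for: parse a pcap, pull out the TCP SYNs to port 445, treat the first host to open SMB as the origin, and treat any victim that later opens SMB to other hosts as lateral movement (the WannaCry/EternalBlue worm pattern). The capture is built in memory with struct.pack so the script runs offline; every address and timestamp is made up. A real EternalBlue capture also carries SMBv1 payloads (the malformed Trans2 requests) that this view does not inspect, so use it to answer “who, where, in what order,” not “which exploit.”

```python
import socket
import struct
from collections import OrderedDict

SMB_PORT = 445
SYN, ACK = 0x02, 0x10


def tcp_packet(ts, src, dst, dport, flags, sport=49152):
    """Build one pcap record: Ethernet + IPv4 + TCP header, no payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + tcp
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def pcap_bytes(records):
    """Little-endian pcap global header (link type 1 = Ethernet) followed by the records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


# Constructed capture: one benign web connection, the attacker's first SMB connection,
# its SYN/ACK reply, then the compromised host scanning further targets on 445.
CAPTURE = pcap_bytes([
    tcp_packet(100, "10.0.0.20", "10.0.0.5", 80, SYN),
    tcp_packet(101, "10.0.0.66", "10.0.0.10", SMB_PORT, SYN),
    tcp_packet(101, "10.0.0.10", "10.0.0.66", 49152, SYN | ACK, sport=SMB_PORT),
    tcp_packet(105, "10.0.0.10", "10.0.0.11", SMB_PORT, SYN),
    tcp_packet(106, "10.0.0.10", "10.0.0.12", SMB_PORT, SYN),
    tcp_packet(110, "10.0.0.11", "10.0.0.13", SMB_PORT, SYN),
])


def iter_tcp(pcap):
    """Yield (ts, src, dst, dport, flags) for each IPv4/TCP frame in a little-endian Ethernet pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        tcp = ip[ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        yield ts, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), dport, tcp[13]


def smb_spread(pcap):
    """Origin = first host to open an SMB connection; a victim that later opens SMB
    to other hosts is recorded as a lateral-movement edge (src, dst)."""
    syns = sorted((ts, s, d) for ts, s, d, dport, f in iter_tcp(pcap)
                  if dport == SMB_PORT and f & SYN and not f & ACK)
    victims, lateral = OrderedDict(), []
    for ts, src, dst in syns:
        if src in victims:
            lateral.append((src, dst))
        victims.setdefault(dst, ts)
    return {"origin": syns[0][1] if syns else None,
            "victims": list(victims), "lateral": lateral}


if __name__ == "__main__":
    print(smb_spread(CAPTURE))
```

For a capture from disk, replace CAPTURE with the file’s bytes; the parser only handles the classic little-endian pcap format with Ethernet framing, which is what Wireshark and tcpdump write by default on most systems.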
Lab #3: Threat Intelligence – Keylogger Investigation
Difficulty Level – Easy

The cream of the crop of cyber experts understand that sharing information lets defenders work as a cohesive unit against cybercrime. Many organizations run a MISP (Malware Information Sharing Platform) instance to share IOCs (indicators of compromise) that others can use to prevent future attacks. In other words, information is openly shared to make everyone safer. In this lab, competitors were challenged to use their MISP instance to detect a keylogger on the network, validate the IOCs, identify the attack and camouflage mechanisms, and eradicate the malware by deleting the malicious files from the affected systems, blocking the network IOCs in the firewall, and blacklisting the IOC hashes on the appropriate systems.
Lab Stats:
Average Time – 38:54
Highest Score – 100
Average Score – 69
Lowest Score – 0
Wrong Answers – 240/816
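As an added example of that workflow (not Cyberbit’s lab content and not MISP’s own code): take a MISP-style event, keep only the attributes flagged fit for detection, match them against host files by content hash and against network logs by destination and domain, flag the camouflage (a system-binary name living outside System32), and emit the eradication list. EVENT follows the shape of MISP’s JSON export (Event, then an Attribute list with type, value and to_ids), but every value in it, every file, and every log line below is constructed.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed keylogger sample; its SHA-256 is what the MISP event will carry.
KEYLOGGER_BYTES = b"MZ\x90\x00constructed-keylogger-sample-not-real-malware"
KEYLOGGER_SHA256 = hashlib.sha256(KEYLOGGER_BYTES).hexdigest()

# Shaped like a MISP JSON event export; all values are made up.
# to_ids=False marks analyst context that must NOT be pushed to blocklists.
EVENT = json.dumps({"Event": {"info": "Keylogger campaign (constructed)", "Attribute": [
    {"type": "sha256", "value": KEYLOGGER_SHA256, "to_ids": True},
    {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},
    {"type": "domain", "value": "Update-Check.example", "to_ids": True},
    {"type": "ip-dst", "value": "8.8.8.8", "to_ids": False, "comment": "resolver seen in sandbox, benign"},
]}})

# Constructed host file system (path -> content) and network log.
HOST_FILES = {
    r"C:\Users\bob\AppData\Roaming\svchost.exe": KEYLOGGER_BYTES,
    r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00constructed-legitimate-binary",
    r"C:\Users\bob\notes.txt": b"meeting notes",
}
NET_LOG = """\
ts=1 host=WS-07 dest=198.51.100.23 dport=443 action=allow
ts=2 host=WS-07 query=update-check.example
ts=3 host=WS-09 dest=8.8.8.8 dport=53 action=allow
"""

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
KV = re.compile(r"(\w+)=(\S+)")


def load_iocs(event_json):
    """Validate: keep only attributes flagged to_ids, MISP's marker for detection-grade indicators."""
    iocs = defaultdict(set)
    for attr in json.loads(event_json)["Event"]["Attribute"]:
        if attr.get("to_ids"):
            iocs[attr["type"]].add(attr["value"].lower())
    return iocs


def hash_matches(files, iocs):
    """Hash file contents rather than trusting names: the keylogger is renamed to look like a system file."""
    return [path for path, data in files.items() if hashlib.sha256(data).hexdigest() in iocs["sha256"]]


def network_matches(log, iocs):
    """(host, indicator) pairs for connections to ip-dst IOCs and lookups of domain IOCs."""
    hits = []
    for line in log.splitlines():
        f = dict(KV.findall(line))
        if f.get("dest") in iocs["ip-dst"]:
            hits.append((f["host"], f["dest"]))
        if f.get("query", "").lower() in iocs["domain"]:
            hits.append((f["host"], f["query"]))
    return hits


def masquerades(path):
    """Camouflage heuristic: a system-binary name living outside System32."""
    parts = path.split("\\")
    return parts[-1].lower() in SYSTEM_NAMES and "system32" not in (p.lower() for p in parts[:-1])


def remediation_plan(event_json, files, log):
    """Eradication steps the lab asks for: delete files, block network IOCs, blocklist hashes."""
    iocs = load_iocs(event_json)
    bad_files = hash_matches(files, iocs)
    return {
        "delete_files": bad_files,
        "masquerading": [p for p in bad_files if masquerades(p)],
        "firewall_block": sorted(iocs["ip-dst"] | iocs["domain"]),
        "hash_blocklist": sorted(iocs["sha256"]),
        "infected_hosts": sorted({host for host, _ in network_matches(log, iocs)}),
    }


if __name__ == "__main__":
    print(json.dumps(remediation_plan(EVENT, HOST_FILES, NET_LOG), indent=2))
```

The to_ids check is the “validate IOCs” step in miniature: a MISP event often carries context values (here a public resolver) that would cause outages if blocked blindly, so only attributes the sharing analyst marked for IDS use reach the firewall and hash blocklists.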
Now that you’ve seen what our teams had to go through to qualify, let’s see where we currently stand. To determine the 40 teams moving on to the quarterfinals, we combined the scores of each teammate’s lab. The teams with the top 40 combined scores move on! You can see the standings below. On the ICL website you will also find Power Rankings, which combine scores across rounds to show which teams are the favorites.
| Place | Organization | Team Name |
| --- | --- | --- |
| 1 | Hudson’s Bay Company | Hudson’s Bay Company |
| 2 | Panasonic Avionics | DirtySOC |
| 3 | ISA Cybersecurity INC | ISA Cybersecurity |
| 4 | (US Army) RCC-SWA | SWA Cyberspace Criminal Minds |
| 5 | (US Army) RCC-SWA | We Are Definitely Da Best |
| 6 | United States Air Force | Game of Thone’s |
| 7 | Global Payments | Global Payments |
| 8 | American Express | The Marchwardens |
| 9 | Deepwatch | Deepwatch |
| 10 | HCL America | knightriders |
| 11 | Highmark | Higher Mark |
| 12 | HomeEquity Bank | HomeEquity Bank |
| 13 | Lennar | M1nd 0ver MITR3 |
| 14 | City of Calgary | City of Calgary |
| 15 | Capital One | The COF JAM Team |
| 16 | East West Bank | Bridge |
| 17 | American Express | TeamBeaST |
| 18 | Voya Financial | Voya |
| 19 | Illinois State Treasurer | SpeakerHeads |
| 20 | PNC Bank | PNC |
| 21 | Howard Hughes Medical Institutes | Rock, Scissor, or Exploit |
| 22 | Boeing | Bash Bros |
| 23 | Counter Hack | Devious Elves |
| 24 | Cecyber | CECyber Brazil |
| 25 | Synovus Financial | Synovus Financial |
| 26 | Plante Moran | Perseverance |
| 27 | Outsystems | OutSOC |
| 28 | Fannie Mae | Mae The Force Be With You |
| 29 | Customers Bank | The 10-Bit Hash |
| 30 | Ceridian | CyberDefElite |
| 31 | AT&T | AT&T |
| 32 | Metlife | Grace Hopper Has A Posse |
| 33 | National Bank of Canada | Glorious G00ns |
| 34 | IBM | Gone Phishing |
| 35 | Sophos | CaptainSinkhole |
| 36 | Morgan Stanley | IPv7 |
| 37 | Schlumberger | Schlumberger |
| 38 | Sirius | Sirius |
| 39 | Match | Sparks |
| 40 | Highmark | Sticky BandITs |
Let the competition begin! As the quarterfinals kick off, we say goodbye to labs and hello to complete simulated cyberattacks. In the quarterfinal round, teams will have two hours to complete an intermediate-level scenario on the cyber range inside Cyberbit. Only 20 teams will move on to the semifinals, so time is of the essence! Scoring in this round measures how far the team, acting as a whole, gets in resolving the simulated attack, evaluated from three sources: forensic evidence the team uploads, network sensors inside the range that record trainee actions, and a quiz built into the attack simulation.
To maintain the hyper-realistic nature of the ICL: America’s Cyber Cup, competitors will not be told what kind of attack is taking place on the enterprise-grade network simulated inside the cyber range. Competitors will be provided with commercially licensed tools, including Splunk Enterprise Security (SIEM), McAfee ePO, a Palo Alto Networks firewall, and the rest of a complete security stack required to detect, investigate, respond to, and mitigate the ongoing attack. Stay tuned for a complete breakdown of the quarterfinal attack and to see which 20 teams continue to the semis!