STANDOFF CYBERBATTLE RULES
Everything participants need to know
We’ve created a single document with everything participants need to know about the rules and key principles of the cyberbattle.
There are no descriptions of tasks or technical details, but there is information on what tasks different participants face, how to earn points, where to go for help, and what not to do to remain a Standoff participant.
There are no descriptions of tasks or technical details, but there is information on what tasks different participants face, how to earn points, where to go for help, and what not to do to remain a Standoff participant.
What you will find in this document
Standoff 365
About the platform
Standoff 365 is a platform for anyone who wants to practically test and improve their cybersecurity skills. Depending on their goals and skill level, participants can choose the product that suits them best.
A virtual infrastructure with realistic replicas of IT systems from various industries, where cybersecurity specialists can train 24/7 in security testing, vulnerability detection, and incident response.
Cyberrange
An annual international cyber exercise where infosec specialists use a simulated infrastructure to test the defenses of companies from various economic sectors.
Cyberbattle
Programs from platform partners with monetary rewards for discovering vulnerabilities.
Bug Bounty
Participation format: online
Participation format: offline and online
Participation format: online
To conduct a cyber exercise, cyberrange segments are deployed on the platform, simulating highly realistic IT systems. Typically, a segment is a specific economic sector or a company representing it
Each segment can include one or more services that regulate the activities of a virtual organization within the industry or ensure its information security.
Example:
— Infrastructure services: mail server, FTP server, customer database, document management system
— ICS: traffic light control system, wind generator control system
— Cybersecurity tools: firewall
For each cyberbattle, a new set of segments with partially modified tasks is deployed. This helps regular participants gain new knowledge and test their skills in today’s realities.
Example:
— Infrastructure services: mail server, FTP server, customer database, document management system
— ICS: traffic light control system, wind generator control system
— Cybersecurity tools: firewall
For each cyberbattle, a new set of segments with partially modified tasks is deployed. This helps regular participants gain new knowledge and test their skills in today’s realities.
Roles of participants
A cyber exercise involves two key roles.
Attackers
Also known as red teams or white hats. The task of attackers is to trigger as many critical events and identify as many vulnerabilities as possible. Regardless of the type of a cyber exercise, red teams always compete amongst themselves.
All participants
Also known as blue teams.
The task of defenders is to swiftly identify incidents, investigate attacks, and in some cyber exercises, respond to attackers' actions and implement measures to defend against attacks. Blue teams do not compete against each other.
The task of defenders is to swiftly identify incidents, investigate attacks, and in some cyber exercises, respond to attackers' actions and implement measures to defend against attacks. Blue teams do not compete against each other.
Regardless of their role, all participants become part of the Standoff community,
where they can exchange experiences, get up-to-date knowledge in the field of cybersecurity, and, of course, have a great time.
where they can exchange experiences, get up-to-date knowledge in the field of cybersecurity, and, of course, have a great time.
Defenders
Important notice for all participants
The Standoff 365 platform can host hundreds of researchers simultaneously, so it’s important to take care of your own security and follow a few rules when connecting:
- Disable incoming SSH.
- Connect to the platform through a virtual machine.
- Periodically check your connections using the netstat -antlp command.
- Disconnect your VPN connection when you’re taking a break.
Standoff cyberbattle
An annual international cyber exercise held on the Standoff 365 platform is known as the cyberbattle. For the cyberbattle, we prepare an extensive infrastructure with various industry segments and bring together the best teams of defenders and attackers to test their skills.
The cyberbattle usually lasts four days (sorry, but nighttime is off-limits). There are three possible formats.
The cyberbattle usually lasts four days (sorry, but nighttime is off-limits). There are three possible formats.
- Offline
All teams gather at the offline event. In this format, in addition to the cyberbattle itself, participants can expect networking and a fun afterparty
- Online
Teams can participate in a cyber exercise from anywhere in the world
- Mixed format
Some participants attend the event in person, while others participate remotely
The format of each cyberbattle is announced in advance.
Key information for attackers
The participation format for attacking teams depends on the specific cyberbattle. The cyberbattle can take place:
The structure depends on the specific cyberbattle and is outlined on the cyberbattle landing page, and in our Telegram channel.
- In a single stage. In this case, throughout the entire cyberbattle, attacking teams compete against each other for the main prize. For example, this was the case at Standoff 12.
- In multiple stages. In the first stage, all teams are divided into two states, and then the best teams from the winning state compete for final victory in the cyberbattle. This format will be used at Standoff 13.
The structure depends on the specific cyberbattle and is outlined on the cyberbattle landing page, and in our Telegram channel.
To participate in a cyber exercise, you need to:
After that, all team members can connect to the platform infrastructure.
- Create an account on the Standoff 365 platform if you haven’t already. It’s important that all team members are registered on the platform.
- Submit an application for participation. The application must be submitted by the team captain, listing all the participants. In some cyberbattles, the application is submitted twice: for qualifying competitions and separately for the cyberbattle. We send the application link to our regular participants, and also publish it on our landing page and social networks.
- After the application is approved, the team captain needs to contact the organizers to request the OpenVPN configuration to access the cyber exercise on the platform.
After that, all team members can connect to the platform infrastructure.
Attackers' tasks
The main goal of red teams is to trigger as many critical events as possible earlier than other teams and identify the most vulnerabilities. Usually, attackers only see the tasks once the event has started, but in some cases, we publish them in advance.
- Triggering critical eventsFor each cyberbattle, we prepare a list of critical events that attackers can trigger in different segments. For example, disrupting the traffic light system, contaminating water with chlorine, or derailing trains
- Finding vulnerabilities
Each segment has a list of vulnerabilities. Points can also be earned by identifying them
At the online cyberrange, the attackers can only target services at specific addresses provided by the organizers. Attacks on other addresses will not earn points and may result in penalties or disqualification from the cyber exercise.
How to earn points
Each task card will indicate:
- Description of the event or vulnerability
- The task
- Points awarded for triggering
Task description
Critical event description
Points for triggering critical events
To earn points for triggering a critical event, you need to submit a report on the Standoff platform.
What to do
Critical event
For example, disrupting the operation of a steam turbine, leaking confidential data, stealing funds from a bank account, or derailing a train
For example, disrupting the operation of a steam turbine, leaking confidential data, stealing funds from a bank account, or derailing a train
How to earn points
- Trigger the event according to the task and within the infrastructure of the cyberrange.
- Submit the critical event triggering report. The report should describe, step by step, the actions that led to the event’s triggering.
Read our guide on how to submit reports correctly.
All reports are manually reviewed. Once the report has been submitted, what happens next will depend on the report's quality and completeness.
All reports are manually reviewed. Once the report has been submitted, what happens next will depend on the report's quality and completeness.
No comments
Number of corrections: 0
Report: accepted without adjustments.
Points: awarded according to the precedence of triggering the event.
Report: accepted without adjustments.
Points: awarded according to the precedence of triggering the event.
Minor adjustments or clarifications needed
Number of corrections: ≤ 3 fields.
Report: sent for revision with organizers' comments. The team should follow the comments to update the descriptions of the steps listed in the report.
Points: assigned according to the precedence of triggering the event at the time of the first report submission and awarded after corrections are made.
Example: Team X was the first to trigger the event, but the jury left comments on two fields. The team will receive points for the first triggering immediately after submitting the corrected report.
Report: sent for revision with organizers' comments. The team should follow the comments to update the descriptions of the steps listed in the report.
Points: assigned according to the precedence of triggering the event at the time of the first report submission and awarded after corrections are made.
Example: Team X was the first to trigger the event, but the jury left comments on two fields. The team will receive points for the first triggering immediately after submitting the corrected report.
Significant changes needed
Number of corrections: > 3 fields.
Report: rejected by the organizers. The team can resubmit the report after addressing all comments.
Points: not awarded until the corrected report is submitted. After correction, points are awarded based on the precedence of event triggering at the time of submitting the correct report.
Example: Team X triggered the event first, but the jury didn't accept the report. While the team was making edits, two other teams successfully submitted reports on triggering the same event.
After submitting the corrected report, Team X will be considered the third to trigger the event and receive points accordingly.
Report: rejected by the organizers. The team can resubmit the report after addressing all comments.
Points: not awarded until the corrected report is submitted. After correction, points are awarded based on the precedence of event triggering at the time of submitting the correct report.
Example: Team X triggered the event first, but the jury didn't accept the report. While the team was making edits, two other teams successfully submitted reports on triggering the same event.
After submitting the corrected report, Team X will be considered the third to trigger the event and receive points accordingly.
The higher the difficulty level of the task, the more points can be earned. Points are calculated dynamically: the first participant or team to trigger the critical event receives the maximum points; each subsequent triggering by other participants earns 15% less.
Points decrease in this way until they reach 40% of the initial value. From then on, anyone who triggers the event will receive this number of points.
Points decrease in this way until they reach 40% of the initial value. From then on, anyone who triggers the event will receive this number of points.
Example of point calculation based on the order of triggering:
Points for discovering vulnerabilities
To earn points for vulnerabilities, you need to submit a vulnerability report or a flag — a set of characters that must be found in the analyzed information system. What exactly needs to be submitted depends on the location of the host.
The jury only accepts reports on certain types of vulnerabilities.
The jury only accepts reports on certain types of vulnerabilities.
LPE
(local privilege escalation to root or administrator level)
RCE
(remote code execution)
SQLi
(SQL injection)
Path Traversal
SSRF
(server-side request forgery)
XXE
(XML external entity injection)
How to earn points for vulnerabilities:
Gate
Location
Path Traversal, SSRF, SQLi, RCE, and LPE
Vulnerability type
- Identify the vulnerability.
- Submit the flag.
The way to get the flag depends on the vulnerability type:
— Path Traversal: retrieve the contents of the /etc/pt.flag file.
— SSRF: access the internal address on port 9732 (http://127.0.0.1:9732).
— SQLi: retrieve the contents of the flag cell from the secret table.
— RCE: execute the /home/rceflag script.
— LPE: execute the /home/lpeflag script.
How to earn points
- Identify the vulnerability.
- Submit a vulnerability report. The report should include the following:
— System where it was found
— Example of vulnerability exploitation
— Depending on the type of the vulnerability detected, it is also necessary to obtain a DBMS version banner, read a local file, send an arbitrary HTTP request, or display the output of the ipconfig/ifconfig, whoami, or id commands.
Path Traversal, XXE, SSRF, SQLi, RCE, and LPE
DMZ and beyond
Points awarded:
To increase your chances of earning points, consider the following when submitting a flag or a vulnerability report:
- Root privileges must be obtained on the main system, not in a container. The report must provide output from /etc/shadow.
- Each LPE method for Windows can be submitted only once for each segment of the cyberrange. If another method is found, it can be submitted for the same segment.
- Identical vulnerability classes with different parameters on the same host are considered duplicates.
- Points for vulnerabilities on Gate nodes are issued when submitting a flag. Reports on them will be rejected.
- For vulnerabilities reviewed by the jury you can get up to 1,500 points per host.
- For an autochecked vulnerability you can get up to 500 points.
What to do if you need assistance
To get technical support, write to our Telegram bot for attackers. Technical support specialists respond only to such requests.
Please note that regarding attack vectors, specialists only answer questions about operability.
Please note that regarding attack vectors, specialists only answer questions about operability.
What not to do during the cyberbattle
When searching for vulnerabilities and triggering critical events, red teams have a number of restrictions. If a team violates these rules, they may be penalized or disqualified from the battle.
- Attack the platform
- Hack the Standoff 365 platform.
- Attack and disable information security tools in the cyberrange infrastructure.
- Attack services located outside the infrastructure provided by the organizers.
2. Attack employees and organizers
- Attempt to gain access to service accounts.
- Conduct phishing attacks on Positive Technologies employees.
- Implement DoS and DDoS attacks on services and applications of the cyberrange infrastructure.
- Change passwords on services and applications of the cyberrange infrastructure.
3. Apply hardware tools to the virtual state model
- Physically connect to the model.
- Disable the hardware of the model.
4. Provide false information
- Submit another team's report as your own.
- Provide knowingly false information in the report.
5. Make changes to the platform or cyberrange
- Fix vulnerabilities embedded by the organizers.
- Make changes to the platform or cyberrange.
6. Generate flags and pass them to opponents
7. Use the "king of the hill" methods
- Occupy or block another team's resources to prevent access to them.
- Create conditions under which other teams cannot attack or defend their resources due to monopolization of access.
- Interfere with another team's traffic to prevent attacks or protect infrastructure without directly interacting with vulnerabilities.
- Block other participants' attempts to exploit vulnerabilities.
If attackers manage to penetrate the SCADA system host, they should report this in the chat with the organizers. This way, if multiple teams penetrate the same node at the same time, the organizers will help the participants to queue up, allocating 1−1.5 hours per team.
8. Be rude or otherwise show disrespect
- Be rude to the organizers and other participants.
- Spam technical support.
- Persistently argue with decisions made.
9. Be a member of a team if you are a Positive Technologies employee
Positive Technologies employees must not take part in the Standoff cyberbattle, even if invited by a captain.
10. Create multiple accounts (twinks) for the same participant and use them to form teams
- Create new teams using twink accounts.
- Join other teams under twink accounts.
11. Participate as a team with more than 10 members
Penalties for violations
In case of disagreement with a penalty or disqualification, the team captain can submit an appeal once per game day. The procedure and format of submission can be clarified in the chat with the organizers. In the appeal, the captain must prove that the team made no violations.
Key information for defenders
Preparation and connection
About a month before the cyberbattle, defender teams are given access to the infrastructure to get familiar with it. To access the cyberrange, the team captain must write to the organizers and request the OpenVPN configuration.
The team is provided with the following data and tools:
After familiarization, the team shall provide the organizers with a list specifying which security tools it plans to use and how they will be deployed. In general, teams are limited to the following classes of security tools:
The team is provided with the following data and tools:
- Configuration files.
- Login credentials for connection.
- Vulnerability scanner for familiarization with the infrastructure. The organizers provide the defenders with infrastructure credentials for performing inventory and scanning. A team can use any other vulnerability scanner, but in this case the defenders must install it on their own.
- Other information necessary for participation.
After familiarization, the team shall provide the organizers with a list specifying which security tools it plans to use and how they will be deployed. In general, teams are limited to the following classes of security tools:
SIEM
(MaxPatrol SIEM)
NTA
(PT Network Attack Discovery)
Sandbox
(PT MultiScanner or PT Sandbox)
WAF
(PT Application Firewall Pro)
Industrial NTA
(PT Industrial Security Incident Manager)
The use of other defense tools must be agreed upon with the organizers separately.
How defenders' performance is evaluated
The primary objectives of defenders are to detect and investigate incidents caused by attackers' actions. Team performance is evaluated based on the number of detected incidents and the average time to investigate an attack.
During a cyber exercise, defender teams are assigned to a specific industry in which they are to detect and investigate attacks. Information about the team’s results is published on the cyberbattle website and on the Standoff 365 platform.
During a cyber exercise, defender teams are assigned to a specific industry in which they are to detect and investigate attacks. Information about the team’s results is published on the cyberbattle website and on the Standoff 365 platform.
Number of detected incidents
During a cyber exercise, defenders can submit reports on detected incidents. We’ve created a guide to help defense teams understand how to correctly submit reports.
All defenders' reports are reviewed and evaluated by the organizers. If a report doesn’t contain sufficient information, the organizers will not accept it and instead leave a comment. After correction, the report can be resubmitted.
All defenders' reports are reviewed and evaluated by the organizers. If a report doesn’t contain sufficient information, the organizers will not accept it and instead leave a comment. After correction, the report can be resubmitted.
Average attack investigation time
After the organizers accept a report from the attackers on the triggering of a critical event, this information becomes available to the defenders.
The defenders' tasks are to investigate this event and submit a report. When the investigation begins, a timer appears on the portal, timing its duration.
All reports are evaluated by the jury. If there is insufficient information in the report about the attackers' actions, the report is not accepted, and a special mark appears on the portal. Based on the comment left by the organizers, the defenders can investigate further, refine the report, and resubmit it for review.
Once the organizers have finally accepted a report from the defenders, the time taken to investigate the attack is recorded. The time taken by the organizers to verify the report is not counted.
The defenders' tasks are to investigate this event and submit a report. When the investigation begins, a timer appears on the portal, timing its duration.
All reports are evaluated by the jury. If there is insufficient information in the report about the attackers' actions, the report is not accepted, and a special mark appears on the portal. Based on the comment left by the organizers, the defenders can investigate further, refine the report, and resubmit it for review.
Once the organizers have finally accepted a report from the defenders, the time taken to investigate the attack is recorded. The time taken by the organizers to verify the report is not counted.
For clarity, we've compiled a table with the types of reports that defenders need to submit:
Responding to attacks
In some cyberbattles, it’s possible to participate in response mode. In this case, in addition to identifying incidents and investigating attacks, defenders can also thwart attackers' actions. To do this, they can use the following tools:
MaxPatrol EDR
(as the main protection tool)
PT Application Firewall
(to protect web applications using targeted blocking rules)
Defenders have the ability to temporarily block infrastructure nodes as well as accounts. The blocking time is determined by the conditions of the cyberbattle (for example, no more than 15 minutes). Such limitations are necessary so that attacking teams can further develop their attacks and trigger critical events.
When participating in response mode, in addition to information about detected incidents, the number of prevented incidents will also be indicated for each defender team.
In addition to detected incidents, the number of prevented incidents is also indicated
When participating in response mode, in addition to information about detected incidents, the number of prevented incidents will also be indicated for each defender team.
In addition to detected incidents, the number of prevented incidents is also indicated
What to do if you need assistance
To get technical support, write to our Telegram bot for defenders. Please note that specialists only respond to such requests.
Glossary
Products
A platform for information security specialists that includes a cyberrange, bug bounty programs, a social network, themed events, and a platform for organizing CTF competitions.
Part of the Standoff 365 platform dedicated to conducting a cyber exercise. It can consist of one or more cyberrange segments, representing IT systems from various industries. A cyber exercise involves attackers and defenders, who can practice improving their skills in various areas of information security: security testing, incident detection and response, and attack prevention.
An open international cyber exercise held several times a year, which may coincide with a cybersecurity conference. For each cyberbattle, a pool of professional attacking and defending teams is recruited to test their skills in highly realistic conditions.
Cyber exercise
A series of attacker actions resulting in a triggering of a critical event. Following a successful attack, red teams submit a critical event triggering report.
A team or an individual participant whose goal is to find vulnerabilities and trigger critical events in a cyber exercise.
A description of the objectives that participants must achieve.
Communication of a team’s intent to participate in an offline cyber exercise. The application must specify:
— Team's role (attackers or defenders)
— Team captain’s name
— List of the participants
— Team's slogan or motto
— Brief description of the team
The application is submitted by the team captain or group admin. All applications are reviewed by the Standoff team and a special jury.
— Team's role (attackers or defenders)
— Team captain’s name
— List of the participants
— Team's slogan or motto
— Brief description of the team
The application is submitted by the team captain or group admin. All applications are reviewed by the Standoff team and a special jury.
Teams of information security specialists who test their skills in detecting and investigating incidents and attacks in a cyber exercise. In some cyber exercises, these specialists may also participate in response mode (responding to attacks).
A single action by attackers aimed at compromising the availability, integrity, or confidentiality of information. After investigation, blue teams submit reports on individual incidents.
A series of events organized to develop the skills of information security specialists and prepare them for real-life attacks.
An event that prevents an organization from achieving its operational or strategic goals or leads to long-term disruption of its core business. For example, disrupting the operation of a turbine, stealing funds from bank accounts, or derailing a train. In the Standoff 365 platform, the goal of attackers is to trigger critical events, while defenders' goal is to investigate these triggerings.
A report by a defender team containing a description of the presumed actions taken by attackers to trigger a critical event.
A report by attackers containing a description of the actions leading to a triggering of a critical event.
A report by a defender team containing a description of the documented actions of attackers affecting the availability, integrity, and confidentiality of information.
A report by attackers on a discovered vulnerability.
A separate virtual part of the cyberrange infrastructure where information systems and processes characteristic of enterprises in a particular industry are recreated. Usually, a segment represents a specific economic sector with one or more virtual companies. Examples of segments include the financial sector, housing and utilities, government services, oil and gas, metallurgical, energy, or nuclear industries.
A component of the cyberrange infrastructure that controls a particular process in the information system.
A flaw in the system that can be exploited to intentionally compromise the integrity, availability, and confidentiality of information.
Feedback and questions
We’ve tried our best to make these rules as clear as possible for all participants. If you’ve participated in our cyber exercise before, you’ll see that the rules have changed.
It would be very helpful for us if you could send feedback on this document to hello@standoff365.com. Tell us how clear the rules are, what you liked, what could be improved, and if there’s anything missing. This will help us make the document even more useful.
If you need any information, contact us:
— For any questions about the cyber exercise, email hello@standoff365.com or inquire in our Telegram channel.
— For technical questions, email support@standoff365.com.
See you at the cyber exercise!
The Standoff team
It would be very helpful for us if you could send feedback on this document to hello@standoff365.com. Tell us how clear the rules are, what you liked, what could be improved, and if there’s anything missing. This will help us make the document even more useful.
If you need any information, contact us:
— For any questions about the cyber exercise, email hello@standoff365.com or inquire in our Telegram channel.
— For technical questions, email support@standoff365.com.
See you at the cyber exercise!
The Standoff team
