STANDOFF CYBERBATTLE RULES
Everything participants need to know
We’ve created a single document with everything participants need to know about the rules and key principles of the cyberbattle.

There are no descriptions of tasks or technical details, but there is information on what tasks different participants face, how to earn points, where to go for help, and what not to do to remain a Standoff participant.
What you will find in this document
Standoff 365
About the platform
Standoff 365 is a platform for anyone who wants to practically test and improve their cybersecurity skills. Depending on their goals and skill level, participants can choose the product that suits them best.
A virtual infrastructure with realistic replicas of IT systems from various industries, where cybersecurity specialists can train 24/7 in security testing, vulnerability detection, and incident response.

Cyberrange

An annual international cyber exercise where infosec specialists use a simulated infrastructure to test the defenses of companies from various economic sectors.

Cyberbattle

Programs from platform partners with monetary rewards for discovering vulnerabilities.

Bug Bounty

Participation format: online
Participation format: offline and online
Participation format: online
To conduct a cyber exercise, cyberrange segments are deployed on the platform, simulating highly realistic IT systems. Typically, a segment is a specific economic sector or a company representing it
Each segment can include one or more services that regulate the activities of a virtual organization within the industry or ensure its information security.
Example:
— Infrastructure services: mail server, FTP server, customer database, document management system
— ICS: traffic light control system, wind generator control system
— Cybersecurity tools: firewall

For each cyberbattle, a new set of segments with partially modified tasks is deployed. This helps regular participants gain new knowledge and test their skills in today’s realities.
Roles of participants
A cyber exercise involves two key roles.
Attackers
Also known as red teams or white hats. The task of attackers is to trigger as many critical events and identify as many vulnerabilities as possible. Regardless of the type of a cyber exercise, red teams always compete amongst themselves.
All participants
Also known as blue teams.
The task of defenders is to swiftly identify incidents, investigate attacks, and in some cyber exercises, respond to attackers' actions and implement measures to defend against attacks. Blue teams do not compete against each other.
Regardless of their role, all participants become part of the Standoff community,
where they can exchange experiences, get up-to-date knowledge in the field of cybersecurity, and, of course, have a great time.
Defenders
Important notice for all participants
The Standoff 365 platform can host hundreds of researchers simultaneously, so it’s important to take care of your own security and follow a few rules when connecting:

  1. Disable incoming SSH.
  2. Connect to the platform through a virtual machine.
  3. Periodically check your connections using the netstat -antlp command.
  4. Disconnect your VPN connection when you’re taking a break.
Standoff cyberbattle
An annual international cyber exercise held on the Standoff 365 platform is known as the cyberbattle. For the cyberbattle, we prepare an extensive infrastructure with various industry segments and bring together the best teams of defenders and attackers to test their skills.

The cyberbattle usually lasts four days (sorry, but nighttime is off-limits). There are three possible formats.
  • Offline

    All teams gather at the offline event. In this format, in addition to the cyberbattle itself, participants can expect networking and a fun afterparty

  • Online

    Teams can participate in a cyber exercise from anywhere in the world

  • Mixed format

    Some participants attend the event in person, while others participate remotely

The format of each cyberbattle is announced in advance.
Key information for attackers
Attackers' tasks
The main goal of red teams is to trigger as many critical events as possible earlier than other teams and identify the most vulnerabilities. Usually, attackers only see the tasks once the event has started, but in some cases, we publish them in advance.
  • Triggering critical events
    For each cyberbattle, we prepare a list of critical events that attackers can trigger in different segments. For example, disrupting the traffic light system, contaminating water with chlorine, or derailing trains
  • Finding vulnerabilities

    Each segment has a list of vulnerabilities. Points can also be earned by identifying them

At the online cyberrange, the attackers can only target services at specific addresses provided by the organizers. Attacks on other addresses will not earn points and may result in penalties or disqualification from the cyber exercise.
How to earn points
Each task card will indicate:

  1. Description of the event or vulnerability
  2. The task
  3. Points awarded for triggering

Task description

Critical event description
Points for triggering critical events
To earn points for triggering a critical event, you need to submit a report on the Standoff platform.
What to do
Critical event

For example, disrupting the operation of a steam turbine, leaking confidential data, stealing funds from a bank account, or derailing a train
How to earn points
  1. Trigger the event according to the task and within the infrastructure of the cyberrange.
  2. Submit the critical event triggering report. The report should describe, step by step, the actions that led to the event’s triggering.
Read our guide on how to submit reports correctly.

All reports are manually reviewed. Once the report has been submitted, what happens next will depend on the report's quality and completeness.

No comments


Number of corrections: 0

Report: accepted without adjustments.

Points: awarded according to the precedence of triggering the event.
Minor adjustments or clarifications needed
Number of corrections: ≤ 3 fields.

Report: sent for revision with organizers' comments. The team should follow the comments to update the descriptions of the steps listed in the report.

Points: assigned according to the precedence of triggering the event at the time of the first report submission and awarded after corrections are made.

Example: Team X was the first to trigger the event, but the jury left comments on two fields. The team will receive points for the first triggering immediately after submitting the corrected report.
Significant changes needed

Number of corrections: > 3 fields.

Report: rejected by the organizers. The team can resubmit the report after addressing all comments.

Points: not awarded until the corrected report is submitted. After correction, points are awarded based on the precedence of event triggering at the time of submitting the correct report.

Example: Team X triggered the event first, but the jury didn't accept the report. While the team was making edits, two other teams successfully submitted reports on triggering the same event.

After submitting the corrected report, Team X will be considered the third to trigger the event and receive points accordingly.
The higher the difficulty level of the task, the more points can be earned. Points are calculated dynamically: the first participant or team to trigger the critical event receives the maximum points; each subsequent triggering by other participants earns 15% less.

Points decrease in this way until they reach 40% of the initial value. From then on, anyone who triggers the event will receive this number of points.
Example of point calculation based on the order of triggering:
Points for discovering vulnerabilities
To earn points for vulnerabilities, you need to submit a vulnerability report or a flag — a set of characters that must be found in the analyzed information system. What exactly needs to be submitted depends on the location of the host.

The jury only accepts reports on certain types of vulnerabilities.
LPE
(local privilege escalation to root or administrator level)
RCE
(remote code execution)
SQLi
(SQL injection)
Path Traversal
SSRF
(server-side request forgery)
XXE
(XML external entity injection)
How to earn points for vulnerabilities:
Gate

Location

Path Traversal, SSRF, SQLi, RCE, and LPE

Vulnerability type

  1. Identify the vulnerability.
  2. Submit the flag.

The way to get the flag depends on the vulnerability type:
— Path Traversal: retrieve the contents of the /etc/pt.flag file.
— SSRF: access the internal address on port 9732 (http://127.0.0.1:9732).
— SQLi: retrieve the contents of the flag cell from the secret table.
— RCE: execute the /home/rceflag script.
— LPE: execute the /home/lpeflag script.

How to earn points

  1. Identify the vulnerability.
  2. Submit a vulnerability report. The report should include the following:
— Vulnerability type
— System where it was found
— Example of vulnerability exploitation
— Depending on the type of the vulnerability detected, it is also necessary to obtain a DBMS version banner, read a local file, send an arbitrary HTTP request, or display the output of the ipconfig/ifconfig, whoami, or id commands.

Path Traversal, XXE, SSRF, SQLi, RCE, and LPE
DMZ and beyond
Points awarded:
To increase your chances of earning points, consider the following when submitting a flag or a vulnerability report:

  1. Root privileges must be obtained on the main system, not in a container. The report must provide output from /etc/shadow.
  2. Each LPE method for Windows can be submitted only once for each segment of the cyberrange. If another method is found, it can be submitted for the same segment.
  3. Identical vulnerability classes with different parameters on the same host are considered duplicates.
  4. Points for vulnerabilities on Gate nodes are issued when submitting a flag. Reports on them will be rejected.
  5. A maximum of 1500 points can be obtained per host.
What to do if you need assistance
To get technical support, write to our Telegram bot for attackers. Technical support specialists respond only to such requests.

Please note that regarding attack vectors, specialists only answer questions about operability.
What not to do during the cyberbattle
When searching for vulnerabilities and triggering critical events, red teams have a number of restrictions. If a team violates these rules, they may be penalized or disqualified from the battle.
  1. Attack the platform
  • Hack the Standoff 365 platform.
  • Attack and disable information security tools in the cyberrange infrastructure.
  • Attack services located outside the infrastructure provided by the organizers.

2. Attack employees and organizers
  • Attempt to gain access to service accounts.
  • Conduct phishing attacks on Positive Technologies employees.
  • Implement DoS and DDoS attacks on services and applications of the cyberrange infrastructure.
  • Change passwords on services and applications of the cyberrange infrastructure.

3. Apply hardware tools to the virtual state model
  • Physically connect to the model.
  • Disable the hardware of the model.

4. Provide false information
  • Submit another team's report as your own.
  • Provide knowingly false information in the report.

5. Make changes to the platform or cyberrange
  • Fix vulnerabilities embedded by the organizers.
  • Make changes to the platform or cyberrange.

6. Generate flags and pass them to opponents

7. Use the "king of the hill" methods
  • Occupy or block another team's resources to prevent access to them.
  • Create conditions under which other teams cannot attack or defend their resources due to monopolization of access.
  • Interfere with another team's traffic to prevent attacks or protect infrastructure without directly interacting with vulnerabilities.
  • Block other participants' attempts to exploit vulnerabilities.
If attackers manage to penetrate the SCADA system host, they should report this in the chat with the organizers. This way, if multiple teams penetrate the same node at the same time, the organizers will help the participants to queue up, allocating 1−1.5 hours per team.

8. Be rude or otherwise show disrespect
  • Be rude to the organizers and other participants.
  • Spam technical support.
  • Persistently argue with decisions made.

9. Be a member of a team if you are a Positive Technologies employee
Positive Technologies employees must not take part in the Standoff cyberbattle, even if invited by a captain.

10. Create multiple accounts (twinks) for the same participant and use them to form teams
  • Create new teams using twink accounts.
  • Join other teams under twink accounts.

11. Participate as a team with more than 10 members
Penalties for violations
In case of disagreement with a penalty or disqualification, the team captain can submit an appeal once per game day. The procedure and format of submission can be clarified in the chat with the organizers. In the appeal, the captain must prove that the team made no violations.
Key information for defenders
Preparation and connection
About a month before the cyberbattle, defender teams are given access to the infrastructure to get familiar with it. To access the cyberrange, the team captain must write to the organizers and request the OpenVPN configuration.

The team is provided with the following data and tools:
  1. Configuration files.
  2. Login credentials for connection.
  3. Vulnerability scanner for familiarization with the infrastructure. The organizers provide the defenders with infrastructure credentials for performing inventory and scanning. A team can use any other vulnerability scanner, but in this case the defenders must install it on their own.
  4. Other information necessary for participation.

After familiarization, the team shall provide the organizers with a list specifying which security tools it plans to use and how they will be deployed. In general, teams are limited to the following classes of security tools:
SIEM

(MaxPatrol SIEM)

NTA

(PT Network Attack Discovery)

Sandbox

(PT MultiScanner or PT Sandbox)

WAF

(PT Application Firewall Pro)

Industrial NTA

(PT Industrial Security Incident Manager)

The use of other defense tools must be agreed upon with the organizers separately.
How defenders' performance is evaluated
The primary objectives of defenders are to detect and investigate incidents caused by attackers' actions. Team performance is evaluated based on the number of detected incidents and the average time to investigate an attack.

During a cyber exercise, defender teams are assigned to a specific industry in which they are to detect and investigate attacks. Information about the team’s results is published on the cyberbattle website and on the Standoff 365 platform.
Number of detected incidents
During a cyber exercise, defenders can submit reports on detected incidents. We’ve created a guide to help defense teams understand how to correctly submit reports.

All defenders' reports are reviewed and evaluated by the organizers. If a report doesn’t contain sufficient information, the organizers will not accept it and instead leave a comment. After correction, the report can be resubmitted.
Average attack investigation time
After the organizers accept a report from the attackers on the triggering of a critical event, this information becomes available to the defenders.

The defenders' tasks are to investigate this event and submit a report. When the investigation begins, a timer appears on the portal, timing its duration.

All reports are evaluated by the jury. If there is insufficient information in the report about the attackers' actions, the report is not accepted, and a special mark appears on the portal. Based on the comment left by the organizers, the defenders can investigate further, refine the report, and resubmit it for review.

Once the organizers have finally accepted a report from the defenders, the time taken to investigate the attack is recorded. The time taken by the organizers to verify the report is not counted.
For clarity, we've compiled a table with the types of reports that defenders need to submit:
Responding to attacks
In some cyberbattles, it’s possible to participate in response mode. In this case, in addition to identifying incidents and investigating attacks, defenders can also thwart attackers' actions. To do this, they can use the following tools:
  • MaxPatrol EDR

    (as the main protection tool)

  • PT Application Firewall

    (to protect web applications using targeted blocking rules)

Defenders have the ability to temporarily block infrastructure nodes as well as accounts. The blocking time is determined by the conditions of the cyberbattle (for example, no more than 15 minutes). Such limitations are necessary so that attacking teams can further develop their attacks and trigger critical events.

When participating in response mode, in addition to information about detected incidents, the number of prevented incidents will also be indicated for each defender team.
In addition to detected incidents, the number of prevented incidents is also indicated
What to do if you need assistance
To get technical support, write to our Telegram bot for defenders. Please note that specialists only respond to such requests.
Glossary
Products
Cyber exercise
Feedback and questions
We’ve tried our best to make these rules as clear as possible for all participants. If you’ve participated in our cyber exercise before, you’ll see that the rules have changed.

It would be very helpful for us if you could send feedback on this document to hello@standoff365.com. Tell us how clear the rules are, what you liked, what could be improved, and if there’s anything missing. This will help us make the document even more useful.

If you need any information, contact us:
— For any questions about the cyber exercise, email hello@standoff365.com or inquire in our Telegram channel.
— For technical questions, email support@standoff365.com.

See you at the cyber exercise!

The Standoff team