Mechanics of the Standoff cyberbattle
An international cyber exercise taking place online as part of the Innovation Space at the St. Petersburg International Economic Forum (SPIEF)
This document describes how the cyberbattle will go down: what phases different types of teams will face and how the results will be determined.
SPIEF cyberbattle specifics
The goal of the Standoff cyberbattle held at SPIEF is to provide cybersecurity specialists with an opportunity to test their skills and get hands-on experience and knowledge by dealing with a variety of attack tactics and techniques employed by experts from different countries.

This cyberbattle doesn’t feature the usual rankings and prize-winning places, although we will acknowledge the achievements of all participants.
Important information for red teams
For the red teams, the cyberbattle will take place in a single stage over four days. All times below are given in local time (UTC+3).
1. June 4, 11:00 a.m.–7:00 p.m.
2. June 5, 11:00 a.m.–7:00 p.m.
3. June 6, 11:00 a.m.–7:00 p.m.
4. June 7, 11:00 a.m.–5:00 p.m.
  • Attacks can be performed till 4:00 p.m.
  • Reports are accepted till 5:00 p.m.
Over 30 international and Russian teams will take part in the cyberbattle. The list of Russian teams will not be announced on the cyberbattle website, but you'll be able to see all participants on the Standoff 365 Platform when the battle starts.
How to complete tasks and score points
Attackers can perform two different types of tasks to earn points for their team.
Finding vulnerabilities
To earn points for vulnerabilities, you need to submit a vulnerability report or a flag — a set of characters that must be found in the analyzed information system.

What exactly needs to be submitted depends on the location of the host.
To earn points for triggering a critical event, you need to submit a report on the Standoff 365 Platform.

The scoring system is dynamic, with points decreasing by 15% for each subsequent event caused. For more information, see How to earn points.
All tasks will be published on the Standoff 365 Platform.

When completing tasks, participants must follow the cyberbattle rules. We also advise all red teams to read the guidelines on how to fill out reports before the event, to avoid common mistakes and save time during the battle.

It is important that all cyberbattle participants treat each other and the organizers with respect and adhere to sportsmanlike conduct. Please carefully read the list of actions prohibited during cyber exercises so that you can have a good time during the cyberbattle and later be able to participate in other Standoff 365 events.
Where to view the results
International teams can view their results (both during and after the cyberbattle) on the following sites:

Russian teams can view their results on the Standoff 365 Platform.
Important information for blue teams
For the blue teams, the cyberbattle will take place in a single stage over four days. All times below are given in local time (UTC+3).

1. June 4, 11:00 a.m.–7:00 p.m.
2. June 5, 11:00 a.m.–7:00 p.m.
3. June 6, 11:00 a.m.–7:00 p.m.
4. June 7, 11:00 a.m.–6:00 p.m.
On June 8, a special award ceremony for the participants will take place. We'll provide details about the ceremony later.


How will the cyberbattle go down?
Blue teams will be assigned to the industries that they will defend throughout the cyberbattle. The main task of defenders is to identify, investigate, and report attacks carried out by red teams. Defenders should also submit reports on incidents (atomic attacks by red teams) that they detect in the infrastructure.

Defenders should only submit reports on successful attacks. The following kinds of reports will be dismissed: reports on phishing attacks where users didn't click any malicious links, unsuccessful brute-force attack attempts, or investigation reports regarding facilities that don't belong to the cyberrange infrastructure.

To learn how to fill in reports, read the guide for defenders.



Where to view the results
The team results during and after the cyberbattle will be displayed on the cyberbattle website and in a special section on the Standoff 365 Platform.


Important information for CERT
For the CERT teams, the cyberbattle will take place in a single stage over four days. All times below are given in local time (UTC+3).
1. June 4, 11:00 a.m.–7:00 p.m.
2. June 5, 11:00 a.m.–7:00 p.m.
3. June 6, 11:00 a.m.–7:00 p.m.
4. June 7, 11:00 a.m.–6:00 p.m.
CERT communication channels
Each CERT will be assigned to one or two blue teams. CERT teams can gather information and communicate with cyberbattle participants using the following three options:
Telegram channel to communicate with the blue teams
The channel bot will automatically post information about the following reports accepted by the jury:
  • Attacks by red teams
  • Investigations by a particular blue team

The channel will have a chat where the CERT can communicate with the blue team.
Telegram chat to communicate with other CERT teams
In this chat, CERT teams can communicate with each other and exchange information about the reports they receive and analyze.
Telegram channel dedicated to an industry
In channels dedicated to particular industries, the organizers will regularly post information about current threats relevant to the respective industry.
The organizers will add your team to all the necessary chats and channels before the cyberbattle starts.
CERT workflow scenarios
There are two main workflow scenarios for CERT teams.
Scenario 1
1. Information about the following reports submitted by a blue team and accepted by the jury is posted on the dedicated Telegram channel:
  • Incident reports.
  • Investigation reports.
2. The CERT team examines the information and analyzes the reports. The team's actions include the following:
  • Analyze the attack techniques and tactics.
  • Determine the indicators of compromise (IoC).
  • Prepare information security bulletins.
3. The CERT team exchanges data with other CERT teams via the Telegram chat.
4. Following the discussion, the CERT team revises its information security bulletins and sends them to the blue team.
Scenario 2
1. The Standoff organizers post information about current threats posed to an industry on the Telegram channel dedicated to the industry, and the CERT team analyzes that information and prepares information security bulletins.
2. The CERT team sends the information security bulletins to the blue team via the dedicated Telegram channel.