Cyber Polygon 2019


The results of Cyber Polygon suggest the following conclusions:

Training makes it quicker

The second round of each scenario resulted in the participants taking considerably less time to detect and mitigate the attack compared to the fastest participants during the first round. This is partly due to the fact that after getting some practice in the first round, the teams better understood how to withstand the attacks. In the second round of the scenario, the only elements that were changed were the IoC values, and not the attack logic itself, so the participants responded to the threat much faster. This confirms the effectiveness of practical training: teams improved their ability to mitigate attacks and immediately demonstrated progress all within a relatively short amount of time.

Collaboration is the key

Working with the data exchange platform yielded a remarkable decrease in the average time it took to respond to an attack. The best results from using the information sharing platform were obtained in the second scenario: compared to the first round of attacks on the web-based application, in the second round the response was 7 times faster. By exchanging data, the participants mitigated the attack in 2 minutes 31 seconds, as opposed to the longest independent response that took 24 minutes 24 seconds in the first round — the difference between the indicators was almost 22 minutes with a total duration of the scenario set to 30 minutes.

Competencies differ — uniting them is a must

In some cases, the joint efforts made it possible to mitigate even those attacks that would otherwise have been missed. Thus, organisation 3 could not cope with the first scenario on its own. However, in the second launch, the use of the platform and the efforts of other participants were enough to protect the organisation. In a real situation, this would have saved a company from losses associated with its web resources being unavailable.

Some threats are still almost irresistible

The ransomware infection turned out to be the most difficult scenario for the participants: only one company was able to mitigate the attack independently. Companies showed the best results in the web-based application attack.

Relying on the results gathered from the first training, we hope to convince the global community of the efficiency of such exercises and to demonstrate the process of global collaboration as a whole, thus attracting more international participants to exercise their cybersecurity capabilities and contribute to our common goal, which is to combat global cybercrime.

Training flow

The training started at 12:00 and lasted about 3.5 hours. During this time, the three cyberattack scenarios were executed according to the following rules:

  • Each scenario was executed twice.
  • To keep the situation as close as possible to real life, the attacks were obfuscated by a stream of legitimate traffic created by traffic generators.
  • Each scenario was set to last 1 hour to accommodate the two rounds described above.
  • Each round lasted 30 minutes, regardless of the results and success.

During the first round, each participant had to identify and mitigate the attack on their own. To stop the attack, the Blue Teams needed to apply a security policy on the necessary protection tool that would block IP addresses, files with a specific checksum or other indicators of compromise (IoC) that distinguish a particular attack. The task was considered completed when the participant uploaded the correct IoC in the team’s personal account on the training website.

During the second round, the teams submitted their IoCs to the BI.ZONE ThreatVision platform. The attack was considered mitigated when the first participant to identify and block the attack loaded the correct IoC into the platform. Following this, the uploaded IoCs were automatically transferred to the protection assets of the other participants and the attack ceased for everybody.

Scenario 3. Ransomware attack

In 2017, WannaCry, Petya, and NotPetya ransomware epidemics forced the international community, even those not directly involved in cybersecurity, to talk about ransomware trojans. Once inside the system, this class of malware encrypts files and extorts a ransom to be paid before decrypting them. The average amount claimed is more than $1000.

The popularity of phishing is only growing. A study done by Proofpoint in 2018 surveyed cybersecurity specialists and found that 83% of them had encountered this attack — that is 7% more than in 2017.

A couple of seconds of encryption can translate into hundreds of thousands of dollars in damage, while such an attack is relatively easy to implement. For this reason, this scenario was a conclusive choice for inclusion in the training exercises.

ransomware victims are businesses and institutions, not private individuals

Scenario 2. Web application attack

According to the Open Web Application Security Project (OWASP) community, code injection has been the leading method of attack on web applications since 2013. Embedding SQL code, or SQL injection, is one variety of such attacks, aimed at manipulating site databases.

A well-prepared attack allows cybercriminals to send requests to the web application database, bypassing all protective measures, and to gain access to part or all of the information stored there: users’ bank card details, passwords and phone numbers, their addresses and much more.

This scenario was a perfect choice to be included in the line-up of exercises due to the prevalence and potential reach of SQL injections, as well as to the severity of their consequences.

Scenario 1. DDoS attack

Internet connectivity is the backbone of any modern business. If the availability and stability of company information resources are disrupted in any way, it may cost the business its customers and lead to reputational damage and profit loss for its partners. For some cybercriminals, a DDoS attack is an attractive attack vector to pursue for financial extortion or to wage competitive warfare.

As this type of threat is very real, questions arise around how to secure the sustainability of our digital economy. The problem is so critical that it has become self-evident that the only viable way to diminish its impact as far as possible is a joint effort.


Cyber Polygon simulated several of the most common types of attacks on the participants’ training infrastructures. Three cyberattack scenarios were selected as relevant for organisations in any sector of the economy:

  • DDoS attack
  • Web application attack
  • Ransomware infection

2 rounds per scenario

Objectives of Cyber Polygon 2019

For the first Cyber Polygon the focus was put on improving joint response to ongoing cyberthreats through timely exchange of threat data between the participants.

Based on these objectives, participants were asked to undertake the following:

  • Create a realistic training infrastructure and simulate the most common cyberattack scenarios.
  • Test independent response to incidents against cooperative response with other training participants.
  • Compare the results of the two approaches and assess the effectiveness of cooperation in repelling cyberattacks.
  • Use the results from Cyber Polygon 2019 to openly disseminate to the world community the knowledge and experience gained.

24 countries — the geographical span of the audience

Who took part?

Strengthening cyber resilience is a critical factor primarily for the representatives of the industries that form the digital ecosystem. However, developing commonly accepted regulations is necessary for maintaining functionality and avoiding chaos. The Cyber Polygon debut event focused on engaging the following sectors:

  • Financial services industry, being the driver of economic activity in the world.
  • Telecom providers, as the ‘creators’ of cyberspace which allows us to bring economic activity to a new dimension.
  • Cyber-oriented government agencies — global coordinators and advocates of the digital ecosystem.

In 2019, the participants involved in Cyber Polygon included Sberbank, New Development Bank, the Department of Information and Communications Technology of the Republic of the Philippines, Transtelecom (one of the largest telecom operators in Kazakhstan), and MTS — an advanced telecommunications company in Russia.

In building the training infrastructure for Cyber Polygon, it was important to choose those security solutions that would be familiar to the participants. This would allow them to take part in the training without extraneous efforts or special preparation. Cyber Polygon partnered with IBM and Fortinet — the largest international tech giants whose solutions have been protecting companies around the world for many years.