⚡ CyberForce Webinar: Competition 101 ⚡

This webinar is available at this YouTube link

As we know, this competition is focused on energy-based infrastructures and networks.
Types of teams in this competition
- Blue team (us)
- Red team (attackers that will try to pwn us on Nov 4th and 5th; industry professionals)
- White team (administrators, build out infrastructure for us)
- Gren team (users of our systems; these people test out usability, availability of our network in real time)
- Orange team (C-suite / senior executives)
Generally speaking, as the blue team, we communicate with all teams throughout the competition.
- But mostly, we aim to communicate with the green team (our network users) and the orange team (our execs)
This year, our competition scenario involves the solar energy industry.
- In 2021, it was hydropower. 2020 was wind, 2018 was natural gas…

SCORING BREAKDOWN

Five main scoring categories:

Exploitability of vulnerabilities (they ask you about a vulnerability you found, how you found it, and what you would do to fix it – be prepared to answer questions)
Vulnerabilities introduced in buildouts (during live attack)
Sportsmanship

Service uptime (e.g. DNS, SMTP…) – these services are required to be on certain IPs

Usability
- they mentioned a website is part of it, and they mentioned that it will be broken (e.g. misspelling, broken links, incorrect information present)

Security documentation (pre-competition, AKA during our network access phase)
- they provide templates for our documentations, not sure if we should use them or just use the UF 2019 report as a template
Information sharing/incident reporting
- Throughout the day, they may ask us to provide some sort of information or reports of incidents.
C-suite panel brief (pre-competition)
- this panel brief will involve our team recording a video for these managers. communication and explanation skills are important.
- we will want to emphasize severity of breach, potentially even ask for resources/money…

Real-world challenges/tasks
- these could be CTF-type challenges such as forensics, crypto, etc. or even a new vuln introduced in our systems.
- in general, these challenges are meant to pull attention away from the traditional role of protecting systems.

Our goal is to balance the usability of our systems for customers, employees, and ourselves WHILE maintaining security of the system.
- BAD EXAMPLE: Implementing 10 passwords in a row within 30 seconds.
- GOOD EXAMPLE: Implementing dual authentication (2 different password mechanism)

The goal here is for us to be holistic blue teamers
- This means we document what we are doing
Part of understanding what we are building and defending is ensuring that others can quickly pick up where we left off
- This way, we keep track of our hard work and others can benefit from it in the future.
As mentioned before, this documentation needs to be written and submitted during the pre-competition phase (Oct 17th ~ November 3rd or so)

The start of this Q&A video on their youtube channel (different from the competition 101 video) starts off with about 20 mins of in-person information; not relevant for us.
What tools can we use?
- Supposedly ONLY FREE AND/or(?) OPEN SOURCE programs?
- We need to clarify this before the competition.
Past Competition stuff
- https://cyberforce.energy.gov/cyberforce-competition/prior-competitions/doe-cyberforce-competition-2019/
- Unfortunately, no past reports are publicized here. Need to look around Google.