Full Report
The Council for Scientific and Industrial Research (CSIR) recently hosted the national Cyber Games Challenge as part of Cyber Security Awareness month. The challenge pitted teams of 4-5 members from different institutes against each other in a Capture the Flag style contest. In total there were seven teams, with two teams from Rhodes University, two from the University of Pretoria and three teams from the CSIR. The games were designed around an attack/defence scenario, where teams would be given identical infrastructure which they could then patch against vulnerabilities while at the same time identifying possible attack vectors to use against rival teams. After the initial reconnaissance phase teams were expected to conduct a basic forensic investigation to find ‘flags’ hidden throughout their systems. These ‘flags’ were hidden in images, pcap files, Alternate Data Streams and in plain sight.
Analysis Summary
# Main Topic
Summary of the 2012 CSIR Cyber Games Challenge, an educational Capture the Flag (CTF) contest designed around an attack/defense scenario to promote cybersecurity awareness among university and institute teams.
## Key Points
- The event was a CTF contest held during Cyber Security Awareness month, involving seven teams from Rhodes University (2), University of Pretoria (2), and the CSIR (3).
- The challenge was structured around an **attack/defense scenario** where teams had to patch identical infrastructure while simultaneously identifying attack vectors against rivals.
- Technical difficulties significantly hampered the event, forcing the cancellation of the primary attack/defense phase.
- Scoring was shifted to focus on finding hidden "flags."
- **Flag locations** involved forensic investigation techniques such as searching within images, pcap files, and Alternate Data Streams, as well as flags left in plain sight.
- Basic challenges included decoding Morse code patterns or solving quadratic equations for decryption.
## Threat Actors
- **Internal Participants/Teams:** The primary "actors" were the participating student and institute teams engaging in simulated attacks and defenses against each other's infrastructure.
- **Team Blitzkrieg (SensePost Internal Exercise):** This team conducted an unauthorized social engineering exercise targeting team captains prior to the competition.
## TTPs
- **Reconnaissance:** Teams used tools like **DirBuster** to enumerate the competition scoring system (leading to a denial of service on the main website).
- **Defense:** Patching vulnerabilities in provided infrastructure.
- **Offense (Simulated):** Identifying attack vectors against rivals, gaining root access, and defacement (though the defacement phase was curtailed).
- **Forensics:** Investigating hidden data within images, pcap files, and Alternate Data Streams (ADS).
- **Social Engineering (Pre-Game Exercise):**
  - Utilizing open-source intelligence (OSINT) via Google search for an exposed server.
  - Creating a **fake Cyber Games website**.
  - Creating a **spoofed Twitter account** to disseminate disinformation.
  - Sending **spoofed emails** in the name of the games organizer to team captains.
## Affected Systems
- **Competition Scoring Website:** Rendered unusable near the start due to high-volume enumeration traffic (DirBuster).
- **Virtual Infrastructure (ESX Server):** Suffered connectivity issues, preventing most teams (except those from Rhodes) from accessing their assigned environments initially.
- **Team Captains/Participants:** Targeted by the pre-game social engineering campaign.
## Mitigations
- **Immediate Response to DoS:** Offending teams were asked to cease enumeration attacks.
- **Disqualification:** Two teams were disqualified for persistently attacking official infrastructure.
- **Infrastructure Remediation:** Connectivity issues were resolved, although connectivity was restored for most teams at a "cost."
- **Internal Policy Review:** The organizing body issued strong cautions regarding the scope of activities after the unauthorized social engineering exercise, highlighting the need for prior organizer approval.
## Conclusion
The CSIR Cyber Games successfully utilized a CTF structure to promote security awareness through simulated challenges, specifically focusing on vulnerability patching and basic digital forensics. However, the event was significantly disrupted by initial denial of service attacks and infrastructure failures. The pre-competition social engineering exercise conducted by Team Blitzkrieg serves as an important real-world demonstration of OSINT gathering, website spoofing, and targeted email/social manipulation, underscoring the need for participant conduct guidelines in such environments.