16 March 2022
Flagship 2: The Successful Second Cybersecurity Exercise Hosted By CyberSec4Europe
Flagship 2, the second CyberSec4Europe cybersecurity exercise, conducted in January 2022, consolidated the high standards previously set by Flagship 1. In addition to representatives from CyberSec4Europe, Flagship 2 also engaged a highly motivated external community of cybersecurity enthusiasts, serving as clear evidence of a pressing market need for this type of educational facility.
The two-day cybersecurity exercise was designed, orchestrated and post-analysed by the JAMK University of Applied Sciences – one of two CyberSec4Europe Finnish partners.
As with its predecessor, the Flagship 2 exercise was designed as a learning experience, built on the Flagship 1 narrative, that demanded no previous technical cybersecurity expertise from its participants. However, Flagship 2 included for the first time an open track, offered in parallel to the CyberSec4Europe partners’ track:
- Participants in the open track (“the analysts’ activity”) analysed samples exported from the exercise environment and reported their findings to the exercise using a dedicated self-hosted open-source Capture The Flag (CTF) platform. Analysts worked alone, without any instructions on how to analyse the samples.
- Participants in the partners’ track (“the exercise”) played the role of employees of a critical infrastructure provider, a fictional Italian train operator. The employees detected operational anomalies which they had to investigate. This revealed an active threat actor in the environment, who had penetrated the train operator’s network and had modified the on-train firmware which was guarded by a trusted platform module. The exercise participants followed the attack path, cleared the environment, and detected the initial weakness that allowed the threat actor to penetrate the network.
Simulating a real-world environment
For the exercise, the technical environment was a realistic global cyber environment (RGCE), i.e. a cyber arena that contains several cybersecurity training environments or cyber ranges. This included a new environment that simulated a railway operator’s IT and OT infrastructure, with several networks providing, for example, an on-premise data centre, traffic control systems, office networks and other common networks and services.
For the analyst activity, participants were sent an email containing login information for an open-source capture the flag platform instance, which was commissioned on JAMK’s premises for this purpose. The email also contained a URL to the technical support platform, which was hosted by TU Delft. For the analysis work itself, the analyst workstation was a prepared virtual machine containing Kali Linux with additional analyst tools pre-installed. The analyst workstation was created by Masaryk University using the Cyber Sandbox Creator.
Processing the feedback
Post-exercise surveys gathered responses from 19 CyberSec4Europe participants in the exercise. Gender analysis revealed 24% female participants, making Flagship 2 representative of the current (still to be improved) gender balance in technical IT fields. Moreover, all participants gave highly positive feedback, reporting that they:
- found the exercise beneficial;
- acquired new cybersecurity-relevant content through their participation;
- would recommend the Flagship 2 exercise to others.
A total of 43 participants provided answers to the survey questions concerning the two days of the analysts’ activity. Statistics revealed different degrees of skill, from juniors to high-performing specialists, as well as IT professionals with no previous experience of analyst workshops. This is evidenced by the number and time distribution of incorrect answer submissions: in total, 337 submissions were deemed incorrect and 185 correct, with a roughly uniform distribution of the number of correct submissions per challenge (there were six challenges in total). The conclusion is that, even though the difficulty of the activity was balanced, the degree of skill of the participants was not: while some submitted all correct answers at once at the end of the exercise, others had to submit several responses to each challenge before getting it right.
The conductor of the analysts’ activity estimated, based on the feedback received and on what we concluded from the statistics, that the analyst activity was certainly in demand.
All in all, the active participation and high number of submissions in the analyst activity reveal a pressing need for such realistic technical cybersecurity exercises in the IT sector.