RPE-015: Sage and Sentry



And the winner is…

Congratulations to Seth Sites for winning this RPE!


In this event we are studying solutions (software and techniques) for performing analytics against cyber threat information. We have $15,000 (USD) in prizes to give away to the best performers as determined by us!


We have defined a fictitious threat actor named DreadRiver (adversary) who has reportedly been attacking other cities, and our DreamValley would prefer to refine its defenses. For those of you who have not visited DreamValley: in 2019 MISI began construction of an industrial control systems-based scale-model city, which we have named DreamValley. DreamValley is an immersive cyber lab capable of exhibiting the effects malicious cyber actors can deliver against the technological aspects of the encounters and touchpoints we each experience daily. There are now eight (8) separate real-world systems inside this scale-model city that are controlled by different programmable logic controller (PLC) devices. There are more than seventy-five physical hosts and, depending on our scenario, hundreds of virtual hosts in this network. In August 2021, DreamValley was subject to sustained attacks for seven days. It survived and obtained massive amounts of data but is powerless to make sense of the information. Well, today we are announcing that DreamValley has learned it is under constant threat from DreadRiver and needs your help. What it now needs is the combined power of a Sage and Sentry.

Remote Participation

This entire event is expected to take place remotely. Participants shall be able to download all required data from an Amazon S3 storage bucket operated by MISI.

How It Will Work

Participants in this event will receive a copy of an ElasticSearch server (as a virtual machine image) that holds more than seventy million documents of aggregated logs, packet flows and network activity from the period when DreamValley was attacked, potentially by DreadRiver. Participants must use this data to build and refine search queries and to transform technical data or indicators of compromise (IOCs) into cyber threat intelligence to deliver back to DreamValley's Security Operations Center (SOC).

Within DreamValley, there are critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to DreamValley that their incapacitation or destruction would have a debilitating effect on security, economic security, public health and safety.

DreamValley is a complex system of systems and requires the use of data governance standards to share and utilize cyber threat knowledge.

After this brutal cyber assault, DreamValley now agrees to the concepts and structure described in STIX 2.1, MITRE ATT&CK/D3FEND, and the OpenCTI platform.

DreamValley needs to standardize and integrate cybersecurity data to continuously store and update malicious traffic information. DreamValley uses OpenCTI to manage its cyber threat knowledge and observables within its SOC.


Participants in this event are expected to:

  • Spin up a virtual machine/bare metal instance of OpenCTI using a static Docker Compose baseline YAML file. NOTE: Participants are expected to customize API keys and other required information from this baseline.
  • Spin up their own copy of ElasticSearch using the MISI-issued OVA file.
  • Enable the OpenCTI ElasticSearch connector to ingest data from the DreamValley Elastic store.
  • Construct their own connector and separate service to analyze this ElasticSearch store and produce analytic outputs (defined in evaluation criteria).
    • The Connector must be written in Python 3 compatible syntax.
    • Participants are expected to interface with a separate VM or system for external processing (we have our own theories on how this should be done but this is where you come in).
  • Deliver a Docker Container (Dockerfile, Container and required OpenCTI Docker-Compose syntax) to a separate (DreamValley SOC) OpenCTI instance.
  • Participate in a scheduled (6) hour evaluation period during which new attacks will be launched against DreamValley. NOTE: DreamValley will have details of past known attacks (day/time/target) and can share a network map with registered participants.

There are both control system and traditional IT exploits detailed in the ElasticSearch stack all participants shall have access to during this event. Participants can consult online OpenCTI documentation on building connectors found here: https://www.notion.so/Connectors-4586c588462d4a1fb5e661f2d9837db8


This event is going to take place over time. Here is the proposed schedule which is subject to change:

  • September 28: Registration Closes.
  • September 29: Download Required files from AWS.
  • September 30 – October 22: Participants Construct OpenCTI Connector.
  • October 1: Initial Q&A Session.
  • October 15: MISI holds virtual call to evaluate progress and provide additional Q&A, as necessary.
  • October 29: MISI holds individual virtual meetings with registrants for evaluation of progress.

After the final step, participants will be evaluated on their performance which we discuss next.


We describe the formal evaluation requirements in this section. There are two (2) basic areas of evaluation we define as Tasks below. The successful participant connector will organize data within OpenCTI in such a way that communicates past-attack(s) via STIX 2.1, ATT&CK/D3FEND techniques.

Each participant shall be evaluated separately in a series of virtual teleconference meetings that are expected to take no more than (6) hours over (1) scheduled business day. Prior to this event, the participant must ensure their connector has successfully been installed in the production (DreamValley SOC) OpenCTI instance within the DreamPort AWS VPC for this event. When the evaluation begins, MISI personnel will launch attacks against the DreamValley infrastructure as the DreadRiver adversary and we will determine if the participant connector is able to meet the requirements defined here:

  • Task 1 - Participants will take data provided through remote access to the Elastic stack and transform it to populate the RPE DreamValley SOC, visualized via the OpenCTI instance.

    Under Activities, the winning OpenCTI connector should:
    1. Observations. Ensure all observables from attack(s) are added as observations within OpenCTI
    2. Events.
      1. Populate 1 or more incident(s) from attacks that are captured within Elastic
      2. Create 1 new event during evaluation to represent attacks that occur live
    3. Threats.
      1. Threat Actor(s): Populate at least 1 threat actor to capture DreadRiver
      2. Intrusion Set(s): Populate at least 1 intrusion set (DreadRiver - APT 777) representing the attacks observed in DreamValley elastic store
    4. Arsenal. Ensure data is automatically populated in the following areas:
      1. Malware(s)
      2. Attack Patterns
      3. Courses of Action (for mitigation)
      4. Tools (if applicable)
    5. Entities.
      1. Sector(s)
        1. Chemical
        2. Commercial Facilities
        3. Communications
        4. Critical Manufacturing
        5. Dams
        6. Defense Industrial Base
        7. Emergency Services
        8. Energy
        9. Financial Services
        10. Food and Agriculture
        11. Government Facilities
        12. Healthcare and Public Health
        13. Information Technology
        14. Nuclear Reactors, Materials, and Waste
        15. Transportation Systems
        16. Water and Wastewater Systems
      2. Cities
        1. DreamValley
  • Task 2 - Provide a push-button (single event) generation of a past attack that links STIX, ATT&CK/D3FEND techniques together in a vendor-agnostic fashion using an OpenCTI analysis report. Your connector should create an analysis report from past attacks that have been observed.
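
The object graph that Task 1 and Task 2 describe, as an added example that is not part of the original announcement or of any participant's connector: it builds a STIX 2.1 bundle (threat actor, intrusion set, incident, attack pattern, course of action, sector, observable, relationships and a report that references them all) with the Python standard library only. The Elastic hit and its field names, the ATT&CK technique/mitigation pair (T1110/M1032), the choice of the Energy sector, the incident-to-intrusion-set `attributed-to` link and the UUID namespace are assumptions constructed for illustration.

```python
import json
import uuid

# Assumption: a fixed namespace so re-running the export yields identical ids.
# STIX suggests UUIDv4 for SDOs; UUIDv5 is this example's choice for idempotence.
NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/dreamvalley-connector")

def sid(stix_type, key):
    return f"{stix_type}--{uuid.uuid5(NS, stix_type + ':' + key)}"

def sdo(stix_type, name, ts, **extra):
    return {"type": stix_type, "spec_version": "2.1", "id": sid(stix_type, name),
            "created": ts, "modified": ts, "name": name, **extra}

def rel(kind, src, dst, ts):
    key = f"{src['id']}|{kind}|{dst['id']}"
    return {"type": "relationship", "spec_version": "2.1", "id": sid("relationship", key),
            "created": ts, "modified": ts, "relationship_type": kind,
            "source_ref": src["id"], "target_ref": dst["id"]}

def attack_obj(stix_type, pair, ts):  # pair = (ATT&CK id, name)
    return sdo(stix_type, pair[1], ts, external_references=[
        {"source_name": "mitre-attack", "external_id": pair[0]}])

def build_report_bundle(hit):
    ts = hit["@timestamp"]
    actor = sdo("threat-actor", "DreadRiver", ts)
    iset = sdo("intrusion-set", "DreadRiver - APT 777", ts)
    incident = sdo("incident", hit["rule"], ts)
    pattern = attack_obj("attack-pattern", hit["technique"], ts)
    coa = attack_obj("course-of-action", hit["mitigation"], ts)
    sector = sdo("identity", hit["sector"], ts, identity_class="class")
    ip = {"type": "ipv4-addr", "spec_version": "2.1",
          "id": sid("ipv4-addr", hit["source_ip"]), "value": hit["source_ip"]}
    objects = [actor, iset, incident, pattern, coa, sector, ip]
    objects += [rel(k, s, d, ts) for k, s, d in (
        ("attributed-to", iset, actor), ("attributed-to", incident, iset),
        ("uses", iset, pattern), ("mitigates", coa, pattern), ("targets", iset, sector))]
    report = sdo("report", f"DreadRiver activity: {hit['rule']}", ts, published=ts,
                 report_types=["threat-report"], object_refs=[o["id"] for o in objects])
    return {"type": "bundle", "id": sid("bundle", report["id"]), "objects": objects + [report]}

# Constructed sample hit; field names are hypothetical, not the DreamValley schema.
SAMPLE_HIT = {"@timestamp": "2021-08-16T14:03:22.000Z", "source_ip": "203.0.113.7",
              "rule": "Repeated failed logins on HMI gateway", "sector": "Energy",
              "technique": ("T1110", "Brute Force"),
              "mitigation": ("M1032", "Multi-factor Authentication")}
if __name__ == "__main__":
    print(json.dumps(build_report_bundle(SAMPLE_HIT), indent=2))
```

The City entity is left out because a STIX 2.1 location needs a region, country or coordinates, which the page does not give for DreamValley.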

Tie Breaker

In the event multiple participants are able to successfully complete the entirety of both Tasks, the speed and accuracy with which each participant communicates DreadRiver attack(s) to DreamValley's SOC will determine the level of achievement.

The winner(s) will demonstrate the ability to use a pre-existing query to identify an attack that will be launched in real time during an evaluation phase and to transform data into useful cyber threat intelligence records, alerting the DreamValley SOC and communicating the attack exercised during the event.

Registration is now closed.
