RPE-019: Manufactured Crisis

Events

RPE-019: Manufactured Crisis

Date: October 3-7, 2022 | Location: Virtual or DreamPort Facility in Columbia, MD


Description

MISI’s critical infrastructure model city, that we have named DreamValley, includes a critical defense manufacturing sector. Rumors abound that DreamValley’s cyber nemesis, DreadRiver, is planning an imminent attack on the city’s manufacturers. DreamValley needs to verify the cybersecurity posture of this sector quickly and without disruption to manufacturing lines. DreamValley wants to leverage advances in artificial intelligence to understand the vulnerability of multiple manufacturers’ business networks with limited time and network traffic to minimize disruption to normal business activities. This type of rapid vulnerability assessment will also provide DreamValley and other manufacturers with cyber resilience and compliance situational awareness needed to accelerate compliance with a number of cybersecurity standards including Department of Defense cybersecurity standards and others.

Overview

In this rapid prototyping event, we are challenging participants to develop techniques for rapid, automated penetration testing. Developments in artificial intelligence (AI) algorithms, particularly in reinforcement learning, can enable exploitation decision-making at computer, rather than human, speed. We have $25,000 (USD) in prizes to give away to the best performers as determined by us!

We suggest leveraging existing capabilities for AI-driven penetration testing such as DeepExploit, MetasploitGym, or AutoPentest-DRL; however, participants are free to use whatever solution they wish. Individuals or teams are invited to compete.

This RPE directly addresses the following U.S. Cyber Command technical challenge problems:

  • 2020 1.1 CHALLENGE PROBLEM: Rapidly Defend and Exploit Vulnerabilities
  • 2020 2.1 CHALLENGE PROBLEM: Automated Network Mapping

Requirements

Each competitor will be given remote, administrative access to their own Kali Linux virtual machine (VM) from which to launch their solution. Competitors must demonstrate a capability to automatically discover the (virtualized) network assets and to then exploit those vulnerable assets. Vulnerabilities can range from weak passwords to unpatched operating systems to unpatched services. Competitors will be judged based on:

  • Correctness of discovered hosts
  • Number of hosts compromised
  • Level of access (non-privileged vs. privileged) gained to each host
  • Ability to pivot through compromised hosts
  • Time taken to complete (less is better)
  • Amount of network traffic generated (less is better)

For this event, we are not interested in enumerating all of the vulnerabilities for each host. The focus here is on completeness of access, time taken to gain that access, and to lesser extent, the amount of network traffic generated to gain that access. Degrading or modifying hosts beyond proving access is not permitted.

All solutions must AVOID targeting a specified range of IP addresses, e.g., x.x.x.240-254 or 10.0.100.0/24. Systems at these IP addresses will include capabilities such as centralized logging and alerting. Attempts to compromise hosts at these IP addresses will result in disqualification. No targetable hosts will include active defenses, e.g., antivirus software.

Schedule

We have chosen the following schedule of events:

  • 10 August 2022: RPE Announced Publicly
  • 26 September: Registration Closes
  • 29 September: Q&A Session (Hybrid)
  • 3-7 October: Main Event (Hybrid)

Note that participants are welcome to attend the Q&A session virtually or in person at the DreamPort facility in Columbia, MD. The event itself will also allow hybrid participation, and will involve three scheduled, non-overlapping time slots for each participant (see below). The schedule will be determined after registration closes and will be driven by the number of participants.

Before the Event

After the Q&A session:

  1. Each participant will join the Discord server used for event communications.
  2. Each participant will be given remote, administrative access (via ssh) to their Kali VM. We will standardize on Kali 2022.2 amd64, with only credentials and network addresses differing between competitors.
  3. Each participant is free to install their solution and any dependencies as necessary on their VM.

Event Flow

The event will consist of three competition rounds, each of which simulates a penetration test against a different DreamValley manufacturer. Competition rounds will feature increasing complexity in terms of size, networking, and vulnerabilities. Depending on the number of registered participants, the number of participants advancing from one round to the next MAY be limited.

Each participant will have an assigned time slot within each competition round. Between time slots, the target network will be reset to ensure a level playing field. At the beginning of each time slot, that participant’s Kali VM will be connected to the target network via a second Ethernet adapter. All penetration testing MUST be performed on that adapter only. Each competitor must announce completion of their penetration test via their Discord channel. At that time – or when their time slot has ended, whichever comes first – that Kali VM will be disconnected from the target network.

The notional network diagram below illustrates the concept that will be used. More specifics will be available closer to the event, but the intent is for advanced competition rounds to include multiple IP subnets (possibly with a requirement to pivot through an already-compromised host) and up to 50 vulnerable machines. This diagram depicts the off-limits centralized logging infrastructure as “Blue – SOC (OFF LIMITS)”.

Notional Network Diagram

Note that all target machines will be configured for centralized logging and alerting, and all network traffic will be captured. This data will be leveraged for participant evaluations and may also be leveraged for future events. As this is a penetration test designed to avoid disruption of normal operation, actions such as tampering with logging or denial of service (DoS) attacks are cause for disqualification.

Evaluation

Participants will be evaluated based on:

  • How many of the available hosts were correctly discovered?
  • How many of the available hosts were successfully compromised?
  • What level of access was gained to each of the compromised hosts?
  • How long did it take to achieve these results?
  • How much network traffic was generated by the penetration test?
  • Were any off-limits (SOC) hosts attacked? (disqualifying)
  • Was centralized logging tampered with? (disqualifying)
  • Were any DoS attacks conducted? (disqualifying)

The evaluation period will follow the event itself. Participants will be notified of the results as soon as possible.

Suggested Skills

We recommend the following skills for RPE participants:

  • Development language, e.g., Python, C/C++, Java
  • Network / host exploitation, e.g., Metasploit, Exploit-DB, Hydra, etc.
  • Machine learning algorithms for penetration testing, e.g.:
    • DeepExploit / Mofosploit
    • MetasploitGym
    • AutoPentest-DRL

Prizes

DreamPort will award $25,000 in cash prizes to the best participants, as determined by MISI based on post-event evaluation.

Register for RPE-019: Manufactured Crisis