Some time in April, Bouvet CIO Anders Volle made an announcement on our Slack security channel: Watchcom had invited us to take part in the Paranoia Challenge 2018 hacking- and security-competition, on Circadence's gaming-based platform for cybersecurity. The contestants would tackle so-called red-team- and blue-team-based scenarios (attack and defence, respectively). The plan was to have an informal competition in May, where one would have the opportunity to experiment on one's own for a few days and get to know the platform. A couple of weeks later, there would be a qualifying round, and finals after that. The winners would be announced at a ceremony during the Paranoia Conference – one of the Nordic region's largest security conferences, which is held in Oslo Spektrum every summer.
As someone who has read a lot about the field, and who finds it interesting, I thought that this sounded really exciting. I didn't have much practical experience to speak of, other than having experimented with tools like Wireshark, Metasploit, Nmap and hashcrackers in my spare time through the years – but since I've long wanted to learn more, I saw this as a golden opportunity to do just that.
A short while after signing up there was a short webinar, where we were told about the platform, the schedule, how we would be evaluated during the competition – in short, what exactly this was all about. We were then granted access to the training- and competition-solution, and the so-called "free range" play- and learn period begun.
Edit: Since this was written, I've posted a Norwegian version on Bouvet's blog.
The platform we used is called "Project Ares", and is a kind of e-learning platform for security and hacking via gamification. It offered training and teaching via practical exercises and simulation.
We logged in via an HTML5-client built with Unity by opening a website in our browsers.
The first thing we saw was a menu that looked like a typical menu from a strategy- or military-centered videogame; In addition to other stereotypical hacker graphics there was a spinning wireframe globe featuring prominently in the interface, with highlighted points indicating available missions. This was a recurring theme amongst the means used in the solution – to capture the contestants' interests via narratives.
In a given mission one was first introduced to a background story, which explained the context one was dropped into, and what would be the goal. A username and password for a "working machine" (in reality a virtual machine) was also made available.
Then a map of (parts of) the network was made available, which could also contain units like proxies, switches, routers, firewalls, VPNs, subnets – and which could potentially detail IP-addresses and operating systems on all, some or none of the units, depending on the assignment at hand.
We were then given access to to things: a shell (a new window with a virtual terminal) – typically Bash on a Linux-machine – and a VNC/RDP (a new window with a graphical remote interace on a desktop) on a given "working machine"; the latter could be either a Windows installation or a Linux distro. Any eventual extra tools needed to complete the mission would come preinstalled.
Our work was timed, and we gathered points as we made progress solving subtasks. If we became stuck, we could "burn" points to get subtask-specific hints.
Additionally, there was a chatbot – which could present contextual information, such as definitions, on the platform. If one were to ask, for instance, what "OWASP" was, the bot would answer that it was an acronym for "The Open Web Application Security Project", and present a short paragraph of information.
Technically, all units that were a part of the mission were actual virtual machines, running on a server somewhere; it seemed as though the solution was wrapped around or based upon some VMWare technology. If you have ever played hacking-centered video games,such as "Hacknet", "Uplink" or "Hacker: Unleashed" – or seen seres or movies such as "NCIS" and "Swordfish", you probably know that some of the realism often dissapears in abstractions and simplifications. During the competition, we were working on actual virtual machines – meaning that things strictly speaking were as realistic as they could be: Everything that happened were real code and real applications running. The only limitation was that the working environment was somewhat controlled; We could, for instance, not break out of the virtual network (without being disqualified).
On higher difficulties, the system could engage an AI-opponent (allegedly based on IBMs Watson-technology), which would make things more challenging. It could for instance randomize affected port numbers and addresses, and in come cases play the role as the attacker that has penetrated the network, lurking in systems. This means that it could reinfect machines if one hadn't done a proper job cleaning up and hardening defenses.
Project Ares also contaned a library with various theory, media coverage, technical documentation and video tutorials for relavant software. There were also a few minigames, the goals of which was to teach us relevant trivia in a less serious form.
During free ranging, there were just under 100 registered players toying around, learning and practicing missions to varying degrees.
I mainly read and experimented with some lower-level missions, as I felt I needed to buid a solid knowledge base. After a couple of weeks all the contestants lost access to the platform for a little while, before the qualifying rounds began. I kept practicing so-called Capture The Flag (CTF) competitions other places online.
Then, one afternoon, all the contestants got an email: We were to solve a specific mission within a window of 3 days. The contestants were free to attempt to qualify at any time, a total of maximum four times, and the best try would count.
Less than half of the contestants attempted to qualify – some allegedly thought the mission was too hard, and used their time on other missions and minigames in stead.
Only 12 players were able to get through all of the 16 tasks in 4 attempts.
The final score was made up of a combination of time spent and the points achieved.
On the last night of the three day window, I sat down to accomplish the mission. After my first attempt, I spent two tries making notes and memorizing what actions and commands it took to solve the subtasks, and slowly step through everything to really understand what happened. After this, I performed a final attaempt as a sort of well prepared "speedrun", working as quickly as I could.
The mission was, among other things, based around handling a scenario, where an internal network was penetrated; A machine on the network was infected with malware. We would therefore log onto an adminserver that was used to configure the firewall, and use a tool called Burpsuite to analyze the network traffic and get a sort of signature (hash) of the payload (which had been transmitted as a GET-request) and set up network rules, so that the IP-address that the malware originated from was blocked, and to prevent the malware from spreading. Then we had to localize the malware and neutralize it via Windows' builtin Powershell functions.
When I was done with the final subtask on my final attempt, I discovered that I was not registered as finished. The time kept running. I became nervous – what if I had messed up completely, despite all my preparations?
I then notices that subtask 2 was not checked of as done. I then decided to "burn" a few point to get some hints on that subtask, so that I could find out what I had forgotten or not performed correctly, and finish in as short amount of time as possible. I was afraid that my mess-up and burning of points together lead to dramatically more time spent and fewer points, and therefore to such a worsening of my score that I would not qualify.
I spent a total of 16.01 minutes on my final and best attempt, but the last 2 to 4 minutes were spent finding this final error.
When was finally done, I though that it was a shame that the mission had so much focus on Windows. This is, after all, a platform I nearly haven't used in about ten years. I didn't count on making it to the finals, but I thought it had been a fun experience testing the platform: I had learnt a lot, and it had been exciting to have been a part of.
The next day, I noticed a mention the private Slack-channel for those of us from Bouvet that were registered in the challenge. Someone asked whether it was me that were in 4th place, and asked me to check my email.
"Wow", I thought.
I was then given a free gold pass to the 2018 Paranoia Conference the following week (which seemed to have a lot of exciting talks), where the winners would be announced.
Then I waited for the final mission.
We knew that the finals would be held on friday the same week, but not when or how long we would have. I had originally thought I would takesome time off to get home early and be prepared, in case there would be little time, so that I wouldn't have to sit on-site at a customer's offices and stress my way through it.
Friday at half past two, the contestants got an email: From three o'clock we would have one attempt and two hours to solve the following assignment:
- Answer 50 multiple choice questions
- Complete a mission with 6 subtasks based on protection of banking systems and networks.
The players would need the following competency to be successful:
- Intrusion detection/prevention systems
- Basic malware analysis
- Development of rulesets based on snort
- Isolating and removing malware
I blew through the multiple choice test and got on with the mission. Unfortunately, I introduced an error that would follow me throughout the mission when I configured the intrusion detection system Snort, which I then spent a half an hour to find. As a consequence, I only had time to finish two subtasks of the mission.
The clock struck five. No one had achieved a full score.
I wasn't particularily satisfied, and I was so convinced of my low performance that when colleagues asked me how the finals had went, I consistently answered "I certainly won't be on the podium."
At the end of the first day of the conference the following week, where I amongst other things had seen security guru Bruce Schneier talk and gotten myself a signed copy of his book "Data and Goliath", the presentations were over.
From the program, I saw that there would now be an announcement of the winner of the Paranoia Challenge 2018, and thought to myself that I really didn't have to be there, as I wasn't a possible candidate for the podium anyway. I therefore saw an opportunity to make a phone call.
As I reentered the hall 10 minutes later, I was congratulated by Bouvet-people saying "Where were you? They announced your name. You came in third!"