The Dragos Industrial Security Conference (DISC) is an annual event celebrated on November 5th that provides attendees with some of Dragos’s best research through multiple cybersecurity presentations focused on industrial control systems (ICS) and operational technology (OT). Last year, Dragos offered the event’s second Capture the Flag (CTF) contest, and considering its immense success, we decided to offer it again this year, with more in-depth challenges. The main goal was to give back to the global OT and InfoSec community by providing free access to a series of fun and engaging challenges.
But before showing the results of this year’s competition, we would like to take a step back and describe how it all started several months prior to DISC 2023. In the following sections, we will explain how we exchanged ideas and how those ideas became the unique challenges for Dragos’s DISC CTF.
What Is Capture the Flag (CTF)?
A Capture the Flag (CTF) event is a great way for cybersecurity practitioners to learn, practice, and develop new skills and knowledge in tackling specific security challenges they may encounter on the job. These skills and knowledge not only apply to red-teamers acting as adversaries in simulated events to test detection and response capabilities but blue-teamers playing as the defenders protecting critical assets.
The CTF security challenges are often designed to make participants think outside the box to help develop a deeper understanding of accessible/non-accessible ports, network protocols, and network communications and often leverage user or system misconfigurations.
How We Built the DISC CTF
The third edition of DISC CTF also focused on industrial control systems. We attempted to improve the understanding of the five critical controls for ICS/OT cybersecurity identified by the SANS Institute by exploring multiple scenarios connected directly or indirectly. We built this year’s challenge leveraging a full MITRE ATT&CK for ICS kill chain, including phase 1 and phase 2. Additionally, we wanted to expose all participants to challenges not found in traditional (i.e., only IT security) CTF events. We followed a fictitious adversary, The Faceless Men, through their attack starting with Initial Access, through Collection, and ultimately down into the ICS environment, where they impacted the process environment, using the following MITRE attack navigator.
Project Milestone 1 – Develop the Storyline
Our next task was to create a story to connect all the challenges. The story completion provided the first milestone for the CTF project, allowing Dragos professionals from several teams to provide specific ideas for the challenges within certain boundaries. Every idea was evaluated to ensure that it was relevant, fun, and accessible to participants with different experiences and skills. The outcome was a fictitious story that focused on a popular Game of Thrones group, The Faceless Men.
Project Milestone 2 – Assess the Feasibility
Once an idea was proposed and accepted, our team evaluated its feasibility (i.e., can it be solved in a CTF environment?) before building the corresponding artifacts. We needed to think beyond the game content and look at the context from the player’s perspective. Therefore, we started conceiving ways to expedite the artifact delivery and minimize the chances of misconfigurations. This analysis resulted in the files bundled to download during the challenge. Our purpose was to ensure that artifacts were not interfering with the player’s ability to solve the challenge and that, the majority of the time, the focus was on the challenge and not the tools. Once we got all artifacts for the different challenges, we reached the second milestone of the project.
Project Milestone 3 – Test (and Validate, and Test, and Validate, and Test) the Challenges
The final part consisted of validating and verifying each challenge to be deployed for the CTF. More Dragos professionals joined the project and ensured that the challenge description, artifacts, hints, and flags were correct, fair, and solvable. After reviewing all 47 challenges, the team started the CTF deployment and conducted a final test before starting the competition. It was the third and last milestone, meaning we were ready (as much as we’d ever be) for the competitors.
Project Milestone 4 – Supporting DISC CTF Participants
As not to reveal solutions or hints to other participants that did not request them, Dragos used direct messaging to communicate with the individual teams. Depending on the difficulty of the challenge and the level of progress the Dragos’s team aided in finding the right starting point, and the right answer format or provided general guidance on how to approach a question.
DISC 2023 CTF By the Numbers
In 2022, we doubled the number of players and teams compared to DISC 2021. Our goal was to do the same again this year – and we did. We doubled the event again! We had 1507 registered players that found themselves together in 866 teams. Here’s a quick summary of the results of this year’s DISC CTF.
Player Demographics
OT security is a global topic and that is also represented by our players. Players logged in from every continent, but the arctics. In addition to the expected strong competition from North America, Europe, Asia, and Australia showed their skills in securing, hacking, digital forensics, and programming OT components and networks. This year the Dragos’s team added even more and completely new challenges, raising the count to 47 – some teams even had the answer to everything.
At the end of two days, only three teams succeeded in completing the competition. Many teams showed impressive motivation and exceptional skills in solving our challenges and the feedback shows that we hit the mark – not too easy, not too hard, and not unfair. An overall good mix that our players enjoyed.
Although it is not possible to ensure that each IP used by the participants during the competition represents a real player (or their real location), it is interesting to note that sources registered are also well distributed with clusters in North America and Europe.
The Leaderboard – Top 5 Completions
Below is a summary of our Top 5 teams, the completion times, and the corresponding country. Each of the Top 5 teams came from a different country showing skills and interest in OT security around the globe. Our winning team, ukatemi, comes from Hungary and they completed all 47 challenges. They gained all 24,600 possible points within 31 hours and 39 minutes to win the Dragos CTF in back-to-back years, incredible! Shoutout to ZeroFoxGiven, and OTóż to, for narrowly completing the DISC 2023 CTF!
A Breakdown of Challenges
We received a significant number of support requests via the Discord support server during the CTF event. All requests were handled and solved by the Dragos’s team – from simple formatting issues to helping debug flawed Buffer Execution code on the player’s side.
The challenge that had the least number of solves was “Overthrow the Citadel!”, which belonged to the “Execution: Command Line Interface” category. This is no surprise since it required users to download an application and develop a custom buffer overflow script that would pull the flag.
The challenges that had the highest number of solves belonged to the “Welcome Trivia” category. This was expected as it helped participants unfamiliar with a CTF gain an understanding of how the event flows. A few statistics about our flags show that the most difficult challenge was only solved by 0.85% of all registered teams (these were the extremely difficult flags). The easiest flag though was solved by 85% of all teams.
Here’s a quick list of most and least solved flags in this year’s CTF:
| Most Solved Flags | Least Solved Flags |
|
|
Thank you for playing, and come next year to test your skills against custom OT Capture the Flag challenges!
Register your interest for future DISC events!
Ready to put your insights into action?
Take the next steps and contact our team today.