Cyber Polygon is an international online exercise prioritising joint response to cyberthreats and the improvement of business cooperation in the fight against cybercrime. Training sessions such as Cyber Polygon are not yet a common practice, so there is no single approach to its conduct. For the debut session the focus was put on improving joint response to ongoing cyberthreats through timely exchange of threat data between the participants. Based on these objectives, participants were asked to undertake the following:

Strengthening cyber resilience is a critical factor primarily for the representatives of the industries that form the digital ecosystem. However, developing commonly accepted regulations is necessary for maintaining functionality and avoiding chaos. The Cyber Polygon debut event focused on engaging the following sectors:

In 2019 among the participants involved in Cyber Polygon were Sberbank, New Development Bank, Department of Information and Communications Technology of the Republic of the Philippines, one of the largest telecom operators in Kazakhstan Transtelecom, and MTS — an advanced telecommunications company in Russia.

In building the training infrastructure for Cyber Polygon, it was important to choose those security solutions that would be familiar to the participants. This would allow them to take part in the training without extraneous efforts or special preparation. Cyber Polygon partnered with IBM and Fortinet — the largest international tech giants whose solutions have been protecting companies around the world for many years.

Cyber Polygon simulated several of the most common types of attacks on the participants’ training infrastructures. Three cyberattack scenarios were selected as relevant for organizations in any sector of the economy:

Internet connectivity is the backbone of any modern business. If the availability and stability of company information resources is disrupted in any way, it may cost the business its customers and lead to defamation and profit loss for its partners. For some cybercriminals, a DDoS attack is an attractive attack vector to pursue for financial extortion or to wage competitive warfare.

As this type of threat is very real, questions arise around how to secure the sustainability of our digital economy. The problem is so critical that it has become self-evident that the only viable option to diminish its impact as best as possible would require a joint effort.

The Open Web Application Security Project community has published that code injection has been the leading method of attacks on web applications since 2013. Embedding SQL code, or SQL Injection, is one of the varieties of such attacks aimed at manipulating site databases.

A well-prepared attack allows cybercriminals to send requests to the web application database, bypassing all protective measures, and to gain access to part or all the information stored there: users’ bankcard details, passwords and phone numbers, their addresses and much more.

This scenario was a perfect choice to be included in the line-up of exercises due to the prevalence and potential reach of SQL injections, as well as to the severity of their consequences.

In 2017, WannaCry, Petya, and NotPetya ransomware epidemics forced the international community, even those not directly involved in cybersecurity, to talk about ransomware trojans. Once inside the system, this class of malware encrypts files and extorts a ransom to be paid before decrypting them. The average amount claimed is more than $1000.

The popularity of phishing is only growing. A study done by Proofpoint in 2018, surveyed cybersecurity specialists and found that 83% of them encountered this attack — that is 7% more than in 2017.

A couple of seconds of encryption can translate into hundreds of thousands of dollars in damage, while such attack is relatively easy to implement. For this reason, such scenario was a conclusive choice for inclusion in the training exercises.

The training started at 12:00 and lasted about 3.5 hours. During this time, the three cyberattack scenarios were executed according to the following rules:

During the first round, each participant had to identify and mitigate the attack on their own. To stop the attack, the Blue Teams needed to apply a security policy on the necessary protection tool that would block IP addresses, files with a specific checksum or other indicators of compromise (IoC) that distinguish a particular attack. The task was considered completed when the participant uploaded the correct IoC in the team’s personal account on the site cyberpolygon.com.

During the second round, the teams submitted their IoCs to the BI.ZONE Threat Intelligence platform. The attack was considered mitigated when the first participant to identify and block the attack loaded the correct IoC into the platform. Following this, the uploaded IoCs were automatically transferred to the protection assets of the other participants and the attack ceased for everybody.

The results of Cyber Polygon suggest the following conclusions:

The second round of each scenario resulted in the participants taking considerably less time to detect and mitigate the attack compared to the fastest participants during the first round. This is partly due to the fact that after getting some practice in the first round, the teams better understood how to withstand the attacks. In the second round of the scenario, the only elements that were changed were the IoC values, and not the attack logic itself, so the participants responded to the threat much faster. This confirms the effectiveness of practical training: teams improved their ability to mitigate attacks and immediately demonstrated progress all within a relatively short amount of time.

Working with the data exchange platform yielded a remarkable decrease in the average time it took to respond to an attack. The best results from using the information sharing platform were obtained in the second scenario: compared to the first round of attacks on the web-based application, in the second round the response was 7 times faster. By exchanging data, the participants mitigated the attack in 2 minutes 31 seconds, as opposed to the longest independent response that took 24 minutes 24 seconds in the first round — the difference between the indicators was almost 22 minutes with a total duration of the scenario set to 30 minutes.

In some cases, the joint efforts made it possible to mitigate even those attacks that would otherwise have been missed. Thus, organization 3 could not cope with the first scenario on its own. However, in the second launch, the use of the platform and the efforts of other participants were enough to protect the organization. In a real situation, this would have saved a company from losses associated with its web resources being unavailable.

The ransomware infection turned out to be the most difficult scenario for the participants: only one company was able to mitigate the attack independently. Companies showed the best results in the web-based application attack.

Relying on the results gathered from the first training we hope to convince the global community of the efficiency of such exercises and demonstrate the process of global collaboration as a whole, thus attracting more international participants to exercise their cybersecurity capabilities and contribute to our common goal, which is to combat global cybercrime.

Cyber Polygon is a unique event that has been launched in 2019 and brought together government and private sector representatives from different countries to develop skills for joint response to cybersecurity incidents.

The training is organized on an annual basis — the next Cyber Polygon will be held on July 8, 2020. The technical part of the training takes place online, which virtually allows the geography and the number of participants of the exercise to be scaled at infinitum. Each training is accompanied by lectures, interviews and commentary by world experts — all this is live-streamed and can be followed from anywhere in the world.

The adopted format of Cyber Polygon is believed to foster about a new approach to cyber exercises for the sake of benefiting the community at large. In the future, as more complex scenarios are developed, results of the training as well as the feedback of participants and partners will be further analysed to formulate concrete proposals for improving global cooperation in the fight against cybercrime.