Background
Cyberforce is a defense competition put on by the Department of Energy that focuses on defending energy related infrastructure. For 2024, the theme for the competition was a wind turbine company providing electricity to a government facility training a AI. The scenario also had an assumed breach on the system that forced us to not change certain servers and for the servers we could change there was malware and backdoors that we had to find, remove, and document. In addition, there was green team, c-suite points, security documentation, and anomaly points which consisted of creating a company website, recording a report on the current state of the network for company leadership, documenting the issues and changes made to the network, and solving ctf-like challenges.
The Actual Event and Our Approach
The main draw of the event, was the fact that we had to setup our network and machines before the start of the event (we could also add stuff during the event, but that is really just unnecessary stress). The focus for the
team I was on (the 11th place team), was adding hardening steps to the machines as well as removing backdoors and clear security vulnerabilities, with the addition of a SIEM (in our case splunk), so that we could monitor our entire network. This strategy was due to the format of the competition where we didn’t lose points from red team activity, in fact we could only gain points from the red team, and if they couldn’t run their scripts (which could be because we removed their way in on the assumed breach boxes) we would lose out on those points.
My Place on the Team
I focused mainly on Linux boxes during this event, but eventually helped out another teammate with setting up Splunk on our network so that we could find security event easily during the competition. This was my first real hands on installation of a SIEM in a production environment, and it took us a while to setup the program up with the network. For instance one server refused to connect to our SIEM because this one specifically just was unable to connect to other AWS boxes. We ended up having to use another box on the network to act as a proxy to the SIEM, which took us a while to figure out but we ended up getting it to work (with much pain) by basically setting up a dummy SIEM server on the box acting as the proxy.
Conclusion and Takeways
Looking back at the event as a whole I really enjoyed the entire experience (even the stressful moments), and I learned quite a bit about energy infrastructure as well as just dealing with energy servers and networks. Probably the biggest skill I learned was the setup and use of a SIEM, especially splunk. Probably the biggest takeaway though was that for these competitions, many off-the-shelf SIEMS were just too bulky for the machines that we had access to and the scope during these competitions. One of of our teammates even mentioned making our own lightweight SIEM for these competitions, which if it comes to fruition, I’ll go into more detail in another post. All in all, the event was a great experience both for increasing my skills, but also was incredibly fun working together with my teammates, and a special thanks to the Department of Energy and the sponsors for continuing to put on this event, and I’ll look forward to next year!
