What do you need to know and be able to do to become a participant in the All-Russian Student Cyber Battle?

The All-Russian Student Cyberbattle (VSKB, as we call it) is a cool cyber competition that we hold for students majoring in information security. Everything is almost like it is for adults: a cyber range based on corporation N, where attack teams carry out cyber threats, and defenders monitor the infrastructure and respond to incidents.

Innostage has already held two cyber battles: in Kazan at Kazan Digital Week and in Moscow at Positive Hack Days 2. Today we, the team of blue mentors Daniil Romanovsky and Islam Gizzatullin, will tell you what students need in order to pass the selection, prepare for the cyber battle and fight for victory.

General requirements

There are several basic requirements to participate in the cyber battle.

  1. You must be a student. Any university and any field of study will do, but in our experience it is easier for those who study information security specifically. Neither the age of the participants nor their gender matters.

  2. We fight in teams on the cyber range. A team should have from 5 to 10 people. The team does not need to have played together before; you can unite for a specific battle.

  3. The team must have a captain: he will be responsible for organizational matters, including submitting the application for the battle. One team may include participants from different universities. In this case, the team's affiliation is determined by the captain (the team represents the university the captain is from).

In addition, there are points that will make your selection easier.

For the Defenders team, this is a prize-winning or first-place finish in past Student Cyberbattles. When selecting teams, mentors also look at the resumes of team members.

What will be a plus in a resume:

  1. Completed internships in real information security companies.

  2. Participation in projects such as Student SOC.

  3. Participation in CTF games (we'll talk about them later).

How can you prepare to not only participate, but also achieve great results?

Have an understanding of the systems within the infrastructure. Administration skills help you understand how different services work inside each host. This will allow you to quickly distinguish legitimate processes from illegitimate ones. During a cyber battle, you will be able to identify them faster and react accordingly.

During the last cyber battle in Moscow, members of one team drew an infrastructure diagram in Miro. When incidents occurred in different parts of the system, they immediately marked them with a sticker in the right place. This allowed them to react faster to attack chains and systematize the actions of the Reds.

Understand how the Reds operate. Frameworks will help here; the main one is MITRE ATT&CK. This matrix contains the techniques and tactics that attackers use against real infrastructures. All techniques are divided by type: there are 14 types, and each is briefly described.

To investigate incidents, you also need to understand what the Cyber Kill Chain is. It is a model that helps break down any attack into 7 stages: external reconnaissance, weaponization, delivery, external infection, installation, gaining control, actions within the network. Blocking hackers at any stage breaks the entire attack chain. To succeed, the Reds must go through all stages, while the Blues only need to block them at any one stage.

MITRE ATT&CK and the Cyber Kill Chain may seem complicated to students. After all, these are real tools used by experienced defenders inside corporations. During preparation for VSKB, we offered the following task: students take real public reports on the Reds' actions and, based on them, look in detail at each stage, technique and tactic inside the matrix.

The reports can be taken from DFIR Report. They are in English, but generally understandable.

Many terms may be unknown to a novice defender, so arm yourself with Google and Habr to figure out what's what.

Gain practice. There are now more and more resources available where blues can practice investigating incidents.

CyberDefenders — a platform for comprehensive training of blue teams.

Let's Defend — a learning platform with courses and labs. All content is displayed in accordance with the MITRE ATT&CK matrix.

Cybrary — a platform for training blue teams in practice.

TryHackMe — has recently started producing educational materials and labs for the blue team.

DFIR-DIRVA — a collection of free and open source material, including training labs and full-fledged tasks for preparing a blue team.

You can read more about each platform in our article on training the “blues”.

Participate in CTF competitions. Capture the Flag, or CTF, in information security is a competition in the form of a team game, the main goal of which is to capture the “flag” from the opponent in conditions close to reality. CTF is mostly designed for the red team, but CyberDefenders also has rooms for the blue team, where you can investigate incidents and monitor attacks under a time limit.

Unfortunately, CTF gives you no opportunity to get hands-on with real information security tools. That is why cyber ranges based at universities are now being actively developed: they allow you to get acquainted with the interfaces of the main information security systems. So find out if your university has one. It will help you find your way around the tools of the cyber battle much faster.

Where to find CTF competitions?

CTF Time — international platform.

CTF News — Russian site.

Working in a SOC. This option is suitable for senior students. An internship lets you use information security tools fully in your work and quickly improves your practical skills. In addition, a SOC has senior colleagues who can act as mentors.

What skills do defenders need?

Teamwork. Well-established interaction within the team allows for faster incident response and reporting. Doing everything alone is almost impossible and, of course, takes up much more valuable time. Therefore, try to create a good atmosphere within the team so you can combine efforts and achieve the desired result.

Some good practices that have been used by participants in recent cyber battles:

  1. Create your own chat in Discord or Telegram. Use it to coordinate the team's actions during preparatory tasks and the cyber battle itself.

  2. Train together. At least once a week, get together for two or three hours to solve problems on special resources, and participate in CTF as a well-coordinated team.

  3. Meet offline. If you are from the same city, it is a good practice to work together at your university's cyber range or just in the same room. This will help you work together faster.

Engagement. Cyberbattle is a competition for those who are truly passionate about information security. Participants are expected to have knowledge that goes beyond university subjects and well-developed practical skills. Participating just for the sake of a nice line on your resume will not work: you need to really invest your time and perseverance.

What will participation in the battle give to students?

The winners of the All-Russian Student Cyber Battle, on both the red and blue sides, receive a prize. But everyone wins: the participants leave with a wealth of practical knowledge and experience in applying it. VSKB lets you feel like a SOC analyst, fully get used to the role and, in two or three days, get an idea of what a commercial SOC does.

For second- and third-year students, this is also a great boost from a theoretical perspective. In order to do well in a cyber battle, participants need to master the materials that are usually covered in the fourth year at universities. So VSKB also helps with their studies.

What to do after the battle?

Get ready for a new one!

In fact, the brightest participants can be headhunted by large information security companies quite quickly. The author of the article is a great example: in the fall of 2023, I was a member of one of the teams, and in May, I was already mentoring a new set of participants as an employee of the Innostage SOC CyberART team.

The All-Russian Student Cyber Battle is also constantly evolving: the organizers make it more interesting and more difficult so that the teams get the maximum experience from participation. Even those who come to play for the second or third time will find it no less interesting than beginners do.

The next All-Russian Student Cyberbattle will take place in the fall at Kazan Digital Week. Future participants have just enough time to apply our advice, practice on the platforms and come to the competition fully armed. Register on the website: team selection will be held until July 28.
