Cyber Resilience Helsinki 2023, May 4-5th

Cyber Resilience Helsinki is an extremely effective and engaging pre-set exercise aimed to bring together Finnish private and public organizations working with large scale IT systems for exercising together in a large-scale cyber incident.  

The main goal of the exercise is to give the participants defensive training experience with IT-systems under intense cyber-attacks. The main mission for the blue teams is to defend & protect their IT infrastructure against real-time attacks from red teams while maintaining required IT services availability. All of this happens in a competitive environment as participating teams are rivalling each other to come out on top.  

Threat Hunting is a task-driven live-fire exercise with a focus on response and investigation activities. The exercise is designed for practicing response to a cyber crisis according to a pre-defined scenario. The scenario background is designed to be wider than it is usual in the case of technical exercises. 

Threat hunting exercise are carried out in a Blue vs Red setup where the Blue Teams must monitor the environment for detecting Red Team attacks and perform post attack investigations on Red Team activities. There is no focus on system hardening and other general defensive tasks. 

There will be friendly competition between Blue Teams – score is awarded for solving incidents by providing relevant details about attacks. Additional bonus points can be gained from cooperation initiatives among blues mostly related on sharing helpful information via MISP. 

The goal of the exercise is to improve skills of the participants in following areas: 

• Detection and Prevention of attacks 
• Network & system monitoring 
• Situational awareness and control 
• Handling cyber incidents 
• Teamwork: delegation, dividing and assigning roles, leadership

The exercise has the following learning objectives:

• Fostering cooperation between various actors in the cyber defence at the organizational level
• Rehearse specific defensive measures in case of an attack against a particular field or combination of fields
• Live reaction, planning of defence and enhancement of the environment
• Monitoring and analysis of attacks
• Generalization and synthesis of information on the attacks, in particular from the point of view of validating appropriate defence plans and scenarios
• Discovery and understanding of sophisticated attack patterns and vectors against the targets
• Stress-handling and decision-making under multiple bad choices

The Gamenet represents a typical IT organisation (infrastructure company) and consist of about 40 different virtual machines that are under full control and management of defending Blue Teams. Besides regular business IT systems the Gamenet includes a very simple Power Generation and Distribution system with a Control Centre, which is fully virtualized. The Gamenet comprises the following network segments: 

• Demilitarized Zone (DMZ) – DMZ hosts internet facing publicly available services of the Blue Team. 
• Internal Office Segment (INT) – INT or internal office network hosts Blue Team internal services and end user workstations. 
• Security and Monitoring Segment (SEC) – SEC host various security tools that the Blue Teams can use for monitoring purposes. 
• WiFi Segment (WiFi) – This network segment should be considered as guest WiFi network. Hosts inside WiFi network are not under the Blue Team management. 
• Critical Infrastructure Control Center (CI) – This network segment hosts Energy Company control room related systems that are used to manage energy distribution network. 
• Cloud zone hosts one customer website that is managed by Blue Team and also one test virtual machine.