DISC: SANS ICS Virtual Conference and ICS CTF Event Details

We are counting the days for our DISC Conference! but before we let the fun begin, here's important information you must read.

On April 30th, 2020, a day before the Conference, there will be an entirely free, really exciting, industrial control system (ICS) capture the flag (CTF) hosted by Dragos, Inc. and the SANS Institute. Following that there will be an entirely free day long virtual conference with speakers from SANS and Dragos, Inc. covering topics from building your own ICS range, analyzing ICS vulnerabilities, thinking through the easiest and low cost actions you can take to better enable ICS security quickly, and more.

There are a lot of people that have signed up so I want to provide some quick details ahead of the email going out about this Monday April 27th. You can register for the event here

The conference agenda is published at the link I posted and it’s pretty self explanatory. The only thing to call out is that the times are different than normal; we did that so that folks across the US could easily access it and it’s long enough that folks across the world can participate in different parts of it from a time zone perspective; it’s difficult to balance this but the sessions are all being recorded. If you sign up you will get the slides and recordings after the fact. The only confusing thing is that initially the webinar was going to be run on GoToWebinar as all SANS presentations are but after we blew past the limit (well over 3,500 have signed up already) we switched to Zoom (yes we evaluated the security concerns and found Zoom’s response and actions to be appropriate). So if you have a calendar invite for GoToWebinar that’s a legacy thing. However, there’s nothing you need to do. On the day of the conference simply go to the same registration link that you used to sign up, when you sign in to your SANS portal account that link will turn into the conference link and automatically forward you to the Zoom invite (we have enabled the browser option so you do not need to install the Zoom application if you do not want).

On the ICS CTF I want to draw folks’ attention to a few points to help them prepare. For those of you that have participated in a NetWars before, this is an entirely new and unique DISC ICS NetWars so you won’t see any overlap with previous questions and approaches of the other ICS NetWars run at the various SANS Summits. Additionally, the style will be different anyway since Dragos made Level 3 and Level 4. Here’s the most important details for everyone (these will all be in the email that goes out on Monday but in case you don’t get the email I wanted to write them down in the blog):

• DISC ICS NetWars is an entirely unique ICS CTF and will only be run at this event
• The data, questions, and answers will be made available to everyone who registers for the virtual conference, you do not need to register for the CTF to get the data
• You should only register for the CTF if you plan to play live, it’s limited to 1k people so we want to ensure everyone who wants to play gets to play
• To register for the CTF you must first register for the conference, then, starting Monday the 27th, in your SANS portal you will see a NetWars registration link; it is first come first serve
• The style of the CTF is entirely defensive; there will be questions ranging from entry level questions that are multiple choice (e.g. what is the accurate way to describe Fieldbus protocols?), intermediate questions that have data sets (e.g. here’s some PLC ladder logic, analyze it to find the flag), and advanced questions primarily in the form of packet captures (e.g. analyze an ICS range’s data to find flags in ICS protocols, analyze attacks happening, and perform functions across asset identification, threat detection, and response with network security skills)
• You will be playing at home on your own (teams may be enabled, we’re checking now to see if it’s doable but plan on playing alone as a back up plan if you have a team)
• You can use your own system and your own tools, no tools or VMs will be provided; I would recommend network security tools and VMs like SecurityOnion or if you’re a SANS alumni your ICS515 VM
• There will be prizes. It’ll at least include coins and swag but we’re seeing if we can get approval for free SANS events, training, and maybe some Amazon gift cards; we’ll know more at the event
• Normally at ICS NetWars you can ask questions and get help; we’ll have a Slack channel for everyone and a Zoom link for everyone to join in on if they want to hear our commentary or us answering questions and announcing important information to the participants, but it will be entirely impossible for us to answer 1,000 people’s questions consistently. So plan on only asking questions that relate to technical issues and getting up and running with the data, you will not have much support in the event outside of that
• The day of the event we’ll have all the appropriate details for everyone and a welcome brief (that will be shared over a Zoom link we’ll distribute in email) to include the Slack channel, some FAQs, and some details to get started. We’ll distribute as much of these as possible ahead of the event especially for those of you who are joining at different times instead of doing the CTF the entire time
• There will be a leaderboard broadcast through the Zoom conference on the day of the CTF
• Austin Scott (the lead architect of the CTF) will present the last session at the conference on May 1st to go through Level 3 and 4’s questions and answers. It will not be a full walk through but give you all the answers and details that would have been helpful. Post event, all the questions/answers will be published. People are free to post their own walkthroughs
• Be Social! The hashtag #DISCSANS is the event (CTF and Conference) hashtag; share helpful tips with people, collaborate with peers, and try to make this as social as possible given the socially distant life to which we are all dealing with
• If you are intimidated by the concept of a CTF don’t worry. The event is broken into 4 levels.
  • Level 1: QA with multiple choice and hints to help you answer the questions
  • Level 2: Some multiple choice, some exact answer, across some technical data sets such as packet captures, but still with hints enabled and very approachable
  • Level 3 and Level 4: A single packet capture that’ll contain data from an ICS range and a wide variety of technically challenging questions with little to no hints
• The approach means that the winners will really have to earn it but everyone can play and learn from any background including brand new folks
• This is an exceptionally important event for people to learn from, it is very difficult to get ICS range data normally especially with attacks and a variety of ICS protocols take this opportunity. 
  
  Dragos and SANS are doing this for the community as a thank you for everyone always being so awesome but also as an opportunity to help share the world of ICS security and get you all excited about it. As always thank you for your continued learning and excitement. Take care, look for the email on Monday April 27th, check your portal that day regardless, and have fun! If you have any questions use the hashtag #DISCSANS and I’ll try to answer as many as I can ahead of the event.