In accordance with Article 435 of the Civil Code of the Russian Federation, these Terms of Use (hereinafter the Agreement) constitute a public offer of Positive Technologies (hereinafter the Company) for participation in contests, events, and competitions on the Standoff 365 platform (hereinafter Standoff). The Agreement is addressed to an unlimited number of persons on the terms and conditions set forth below. By using the standoff365.com website (hereinafter the Platform), the user unconditionally accepts the terms of this Agreement.
The following actions are not allowed to the User:
The company has the right to do the following:
Positive Technologies
Address: Preobrazhenskaya Square 8, Moscow, 107061, Russian Federation
Tel.: +7 495 744 01 44
Fax: +7 495 744 01 87
Standoff (hereinafter the Cyberexercise, Standoff) is held at the Positive Hack Days conference and is intended for IT security professionals who fit the participation requirements set forth by Positive Technologies (hereinafter the Organizer). The Cyberexercise is held for the purpose of raising society's awareness of information security.
Participation in the Standoff Cyberexercise means accepting its terms (hereinafter the Terms).
Participants must be 18 years old or have reached the age of emancipation in the jurisdiction in which they are registering for the Cyberexercise (hereinafter the Participants).
Participation in the Cyberexercise is free of charge; nevertheless, since the Cyberexercise website is accessible via the Internet only, each user will have to bear all accession-related costs (including those concerning instruments required for Internet connection, such as the ownership of a computer, a modulator/demodulator, and any other spending required for Internet access).
The Cyberexercise will be held on the Standoff 365 platform. The Platform enables conducting the Cyberexercise to analyze attacks against the information infrastructure and applications and to play out incident response scenarios.
Several cyberrange segments are deployed on the Platform. Each of the segments is designed to re-create information systems and processes that are typical of enterprises from a particular industry (commercial firms, banks, telecom operators, and industrial facilities). Each industry can include one or more services responsible for regulating activity or providing security at a given organization. Such services might include a mail server, FTP server, client database, document management system, firewall, traffic light management system, and wind generators.
Participants are grouped into teams with a common goal. In Standoff, there are two types of teams: attackers and defenders. Teams will have to play through a full range of cybersecurity scenarios, simulate all test cycles, and in just a few days re-create events that may take years in real life. The Event offers both attackers and defenders a unique chance to test their skills on digital copies of genuine IT infrastructure. These copies are supplied by real businesses wishing to put their security systems to the test.
The Event is organized by Positive Technologies, a leading global provider of solutions in the field of information security, enterprise applications for vulnerability management, compliance with regulatory organizations, incident and threat analysis, and application protection. Legal address: Preobrazhenskaya Square 8, Moscow, Russian Federation.
Only individuals who have applied to participate in the Cyberexercise or were invited by the Organizer are able to participate.
The Cyberexercise is held online. The Cyberexercise can be followed at standoff365.com. Details will be fed to the Standoff 365 platform and updated regularly.
Teams
In Standoff, there are two types of teams: attackers and defenders. Attackers seek to trigger non-tolerable events, such as by bringing SCADA systems to a halt or accessing confidential information. The objective of defenders is to quickly detect and investigate incidents.
Attackers connect via a VPN server using the credentials received from the Organizer during the preparation process.
The exercise is time-limited. The remaining time is shown on the Standoff 365 platform. Technical breaks will be provided.
Attackers
During the Cyberexercise, attackers attempt to actuate non-tolerable events by accomplishing tasks proposed by the Organizer and receive points for doing so. Attackers may target only services located at addresses provided by the Organizer. Points will not be awarded for attacks on other addresses. Services located outside the infrastructure provided by the organizers are not included in the scope of the cyberrange and are prohibited for attacks.
Warning. The Organizer can suspend the team from the Cyberexercise for using service accounts or attempting to gain access to them. The list of service accounts will be published during the event.
Warning. Attacks on addresses not on the provided list may result in removal of the team from the exercise. Moreover, teams are prohibited from conducting DoS and DDoS attacks on the services and applications of the cyberrange infrastructure, including attacks at the network level. Teams performing such attacks may be removed from the exercise.
Defenders
The primary objective of defenders is to detect and investigate incidents caused by attackers' actions. During the exercise, defenders gain experience in sustaining infrastructure under hyper-realistic conditions.
The exercise is time-limited. The remaining time is shown on the Standoff 365 platform.
Defenders receive access to the cyberrange in advance (usually a month prior) and can become familiar with it. Each team is given configuration files, credentials for connecting, and other information needed to participate.
To become familiar with the infrastructure, the teams have access to a vulnerability scanner. The Organizer provides infrastructure credentials for performing inventory and scanning. Teams may use any other vulnerability scanners they prefer, but must install them themselves. After familiarization, teams shall provide the Organizer with a list of security tools they plan to use and indicate where they will be located. Generally speaking, teams are limited to three classes of security tools: next-generation firewall (NGFW), application firewalls (AF), and security information and event management (SIEM). Use of other tools is subject to prior approval from the Organizer.
Scoring and selection of winners
The Organizer evaluates the performance of the tasks at its own discretion. Attackers receive points for their activities. The actions of defender teams are scored using metrics.
Attackers can earn the points in the following ways:
Complete tasks offered by the Organizer. Tasks can include obtaining confidential information, disabling one or more services, or changing information on a test website. A task is deemed completed if an answer to it has been accepted as correct. For an answer to be checked, the participant must submit a report in a specific format (a report template is available on the page of the non-tolerable event).
Attackers earn points for each task they complete. The Organizer may also decide to award extra points or deduct penalty points. The first team to complete a task receives the maximum points. If two teams complete a task at the same time, the organizers can award both teams the maximum points.
If an answer does not contain sufficient information about how the task was completed, the report is not accepted and no points are awarded. If this occurs, the Organizer shall post a comment in the personal account for the report in question. The report may be revised and re-submitted.
Find vulnerabilities. For a vulnerability to be scored, it must be described in a report (any format is OK). The report must include an example of how a vulnerability can be exploited. Depending on the type of a vulnerability detected, it is also necessary to obtain a DBMS version, read a local file, send an arbitrary HTTP request, or display the output of the ipconfig/ifconfig, whoami, or id commands. Only certain classes of vulnerabilities are accepted (RCE, SQLi, Path Traversal, XXE, SSRF).
Attackers receive points for each vulnerability they find that is accepted by the Organizer.
The following metrics are used for each defender team:
Number of detected incidents. Defenders work to detect incident at the companies to which they have been assigned. During the exercise, defenders may send reports on the incidents that they have detected (a template and sample report are available on the Standoff 365 platform).
The Organizer evaluates the reports at its sole discretion. If a report does not contain sufficient information, the Organizer will not accept it and instead leave a comment on the portal. The report can be corrected and re-submitted.
The target history on the Standoff 365 platform will be periodically updated to reflect the number of incidents detected by defenders. If a defender team fails to detect incidents that have been detected by the Organizer, the Organizer's information will be displayed.
Average attack investigation time. After the Organizer accepts a report about an event being triggered from an attacker team, the defenders are informed about the non-tolerable event that was triggered. The defender team must then investigate the non-tolerable event. A timer appears on the Cyberexercise portal: it tracks the time spent on the investigation. The defender team should provide the Organizer with an event investigation report (a template and sample report are available on the Standoff 365 platform).
The Organizer evaluates the reports at its sole discretion. If a report does not contain sufficient information about the attackers' actions, the report will not be accepted by the Organizer and will be marked as such with a comment on the Cyberexercise portal. In response to the comment, the defenders may perform an additional investigation, revise the report, and re-submit it.
Once the Organizer has accepted an event investigation report from the defenders, the time it took to complete the investigation is recorded. Time taken by the Organizer to verify the report is not included.
Detailed information about the rules of the Cyberexercise is available at standoff365.com/downloads/standoff_rules_en.pdf.
During the Cyberexercise, defenders gain experience in sustaining infrastructure under hyper-realistic conditions. Their results will be displayed on a scoreboard for information purposes only.
The winners will be selected from the attackers only. The winners will be announced on the Standoff 365 platform within five working days after the completion of the Cyberexercise. The Organizer may, at its discretion, verify a winner's compliance with the Terms. The participants understand and acknowledge that even though their team may be announced as a winner, if any of them as an individual, or their team's compliance with this Agreement cannot be verified to the satisfaction of the Organizer, the Organizer will select an alternate winner.
In case of controversies on the identity of the winner, the owner of the email address provided upon registration in the Cyberexercise will be taken into account; in other words, the person to whom an email address has been attributed by a provider of online services or by any person responsible for the attribution of email addresses for the domain relating to the address provided, will be recognized as a winner. The Organizer reserves the right to ask the winner identified in this way to provide the relevant evidence of his/her being the owner of the email address associated with the winner.
By participating in the Cyberexercise, the Participants agree to provide their personal information to the Organizer in accordance with the Privacy Notice. If the Organizer is unable to collect necessary data, the Participant may be disqualified from the Cyberexercise. All personal information gathered by the Organizer in the course of the Cyberexercise will only be used for the Cyberexercise (and related purposes outlined in this Agreement and in the Privacy Notice).
The Organizer will not be liable to any of the Participants for any direct, indirect, actual, or possible damages in connection with the Cyberexercise or the Terms. Participants hereby release and agree to indemnify and hold harmless the Organizer and its employees, officers, affiliates, agents, partners, experts, as well as advertising and promotional agencies from any and all damages, injuries, claims, causes of actions, liability or losses of any kind (including actual legal fees and expenses), direct or indirect, absolute or contingent, arising from or related to: (a) a participant's failure to comply with any of the Cyberexercise rules (b) provision of false information by a participant; or (c) participation in the Cyberexercise.
The Organizer shall not be liable for any of the following:
In the event that a computer virus, bug, tampering with data, unlawful intervention, foul play, technical malfunction, or other cause results in the Participant's inability to complete a task of the Cyberexercise as planned, or if the security or fairness of the Cyberexercise is threatened, the Organizer reserves the right to cancel, end, or change the Platform's functions, or suspend the Cyberexercise.
By participating in the Cyberexercise, the Participants agree to be photographed and videotaped by the Organizer or its contractors without receiving compensation of any kind. The participants understand that the images and footage may be broadcast, displayed, reproduced, edited, exhibited, used, and distributed by either the Organizer over the Internet or any other communication medium now existing or hereafter created, for promotional, revenue producing, or any other purpose as the Organizer determines in its sole and absolute discretion. This authorization explicitly includes the use of a participant's name, likeness, or voice. The participant may opt out of being photographed or videotaped by informing the Organizer upon check-in at the Cyberexercise that he/she does not consent to be photographed or videotaped.
When participating in the Cyberexercise, harassment is prohibited. Harassment includes offensive verbal comments related to gender, gender identity and expression, age, sexual orientation, disability, physical appearance, body size, race, ethnicity, nationality, religion, sexual images in public spaces, deliberate intimidation, stalking, following, photography or audio/video recording against reasonable consent, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention. Participants asked to stop any harassing behavior are expected to comply immediately.
Information about vulnerabilities embedded by the Organizer in the cyberrange is not confidential and Participants are free to disclose it. However, Participants may not disclose information about zero-day vulnerabilities and/or critical vulnerabilities that were not embedded by the Organizer.
For any queries related to the Cyberexercise, please contact us at org@standoff365.com.
The Terms are prepared and construed in accordance with the laws of the Russian Federation.
If any part of the Terms is judged to be invalid or unenforceable by law, the remainder of the Terms shall continue to remain valid in its entirety.
The Standoff 365 cyberexercise (hereinafter the Cyberexercise) is a set of online events for information security professionals. Participants must meet the requirements specified by Positive Technologies (hereinafter the Organizer). The Cyberexercise is held for the purpose of raising society's awareness of information security. Participation in the Cyberexercise means accepting the terms of the cyberexercise on the Standoff 365 platform (hereinafter the Terms).
Participation in the Cyberexercise is free of charge; nevertheless, since the Cyberexercise website is accessible via the Internet only, each user will have to bear all accession-related costs (including those concerning Internet connection, such as the ownership of a computer, a modem, and any other required tool).
The Cyberexercise will be held on the Standoff 365 platform. The Cyberexercise Participants can analyze attacks against information infrastructure and applications.
Virtual cyberranges deployed on the Platform re-create information systems and processes that are typical of enterprises from a particular industry (for example, banks and electricity and IT companies). Each industry can include one or more services responsible for regulating activity or providing security at a given organization. Such services might include a mail server, FTP server, client database, document management system, firewall, traffic light management system, wind generators, electricity meters, and electrical substations.
The goal of the Participants is to disrupt the functioning of the provided information systems by triggering non-tolerable events and exploiting vulnerabilities.
The Event is organized by Positive Technologies, a leading global provider of solutions in the field of information security, enterprise applications for vulnerability management, compliance with regulatory organizations, incident and threat analysis, and application protection. Legal address: Preobrazhenskaya Square 8, Moscow, Russian Federation.
Participants must be 18 years old or have reached the age of emancipation in the jurisdiction in which they are registering for the Cyberexercise (hereinafter the Participants). To take part in the Cyberexercise, the Participants must register at standoff365.com.
The Cyberexercise is held online 365 days a year, with the exception of technical breaks. Information about the Cyberexercise is regularly updated on the Standoff 365 platform.
General information
At the cyberrange, Participants simulate the actions of attackers targeting a company's information system. Attackers seek to trigger non-tolerable events by accomplishing tasks proposed by the organizers, such as by spoofing ICS data or accessing confidential information. For doing so, they receive points. Attackers may target only services located at addresses provided by the Organizer. Points will not be awarded for attacks on other addresses. Services located outside the infrastructure provided by the organizers are not included in the scope of the cyberrange and participants are prohibited from attacking them.
Warning. The Organizer can suspend the Participant from the Cyberexercise for using service accounts or attempting to gain access to them. The list of service accounts will be published during the event.
Warning. Attacks on addresses not on the provided list may result in removal of the Participant from the Cyberexercise. Moreover, the Participants are prohibited from conducting DoS and DDoS attacks on the services and applications of the cyberrange infrastructure, including attacks at the network level. Participants performing such attacks may be removed from the Cyberexercise.
Participants connect via a VPN server using their personal accounts at standoff365.com. Technical breaks can be called during the Cyberexercise.
Task scoring
Participants can earn points in the following ways:
By triggering non-tolerable events. Non-tolerable events can include stealing confidential information, disabling one or more services, or changing information on a test website. The conditions required for a non-tolerable event to be triggered are described in the task. An event is considered triggered if a participant has submitted a report with the correct solution. The answer must contain a set of characters (flag) that the participant is supposed to find in an information system. The flags are predefined by the Organizer.
Participants earn points for each task they complete. In addition, the Organizer may evaluate the Participant's work and award additional points.
If the report is not accepted by the system, the Participant must submit a new report (flag).
By finding vulnerabilities. For a vulnerability to be scored, it must be described in a report containing a set of characters (flag). The submitted flag must match the flag predefined by the Organizer. Participants can only report vulnerabilities of the following types: Remote Code Execution (RCE), SQL Injection (SQLi), Path Traversal, and Server-Side Request Forgery (SSRF).
For the number of points awarded for the actuation of non-tolerable events and the detection of vulnerabilities, see the game portal standoff365.com.
Participants are ranked in descending order by number of points at standoff365.com.
By participating in the Cyberexercise, the Participants agree to provide their personal information to the Organizer in accordance with the Privacy Notice. If the Organizer is unable to collect necessary data, the Participant may be disqualified from the Cyberexercise. All personal information gathered by the Organizer in the course of the Cyberexercise will only be used for the Cyberexercise (and related purposes outlined in this Agreement and in the Privacy Notice).
The Organizer will not be liable to any of the Participants for any direct, indirect, actual, or possible damages in connection with the Cyberexercise or the Terms. Participants hereby release and agree to indemnify and hold harmless the Organizer and its employees, officers, affiliates, agents, partners, experts, as well as advertising and promotional agencies from any and all damages, injuries, claims, causes of actions, liability or losses of any kind (including actual legal fees and expenses), direct or indirect, absolute or contingent, arising from or related to: (a) a participant's failure to comply with any of the Cyberexercise rules (b) provision of false information by a participant; or (c) participation in the Cyberexercise.
The Organizer shall not be liable for any of the following:
In the event that a computer virus, bug, tampering with data, unlawful intervention, foul play, technical malfunction, or other cause results in the Participant's inability to complete a task of the Cyberexercise as planned, or if the security or fairness of the Cyberexercise is threatened, the Organizer reserves the right to cancel, end, or change the Platform's functions, or suspend the Cyberexercise.
When participating in the Cyberexercise, harassment is prohibited. Harassment includes offensive verbal comments related to gender, gender identity and expression, age, sexual orientation, disability, physical appearance, body size, race, ethnicity, nationality, religion, sexual images in public spaces, deliberate intimidation, stalking, following, photography or audio/video recording against reasonable consent, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention. Participants asked to stop any harassing behavior are expected to comply immediately.
Information about vulnerabilities embedded by the Organizer in the cyberrange is not confidential and Participants are free to disclose it. However, Participants may not disclose information about zero-day vulnerabilities and/or critical vulnerabilities that were not embedded by the Organizer.
For any queries related to the Cyberexercise, please contact us at org@standoff365.com.
The Terms are prepared and construed in accordance with the laws of the Russian Federation.
If any part of the Terms is judged to be invalid or unenforceable by law, the remainder of the Terms shall continue to remain valid in its entirety.