IGF 2021 – Day 0 – Pre-Event #41 Cyber Stability Games: Learning The Complexities Of Technical Attribution

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> ANASTASIYA KAAKOVA:  So, thank you so much.  Well, we really are happy to have you all at the Cyber Stability Games: Learning the Complexities of Technical Attribution, which is actually the virtual cyber capacity building exercise that's been a result in an outcome of international project of Kaspersky, in Kaspersky Interactive Protection Simulation and DiploFoundation.  The game has been specifically designed for all non‑tickets, the cyber professionals that work to ensure the stability of cyberspace but do not have technical background.  We wanted also to make this game to assist specifically diplomats, academia, technical community, policy, researchers, those actively also involved in cyber diplomacy project to help them to learn the complexities of the technical attribution, the process that we at Kaspersky, specifically my colleagues, really are experts at. 

Before we start with the game, I wanted to also make a short disclaimer that the attribution is in three different lenses:  We have technical, legal, could be political attribution.  So we see that legal and political attributions are only done by states, while the technical attribution, meaning conducting technical analysis and clustering different threats to the threat actors and non‑extending ‑‑ and understanding different connections, all of the ‑‑ actually all of the pieces collected of evidence was happening through the cyber incident, through cyberattack, this is the area where we could definitely help and this is the global community so today the focus of our games is only technical attribution.

This has been a short disclaimer at the very beginning.

Before we also start, we also would like to make a short debrief, but those that do not know me, I am happy to introduce myself, I'm Anastasiya Kazakova, I'm a Senior Public Affairs Manager, Kaspersky, and also with us, I mentioned that DiploFoundation is a main development and design of the game to make it actually more realistic to the cyber realities, and for that, I really am happy to introduce Vladimir Radunovic, Director, E‑diplomacy and Cybersecurity Programmes, DiploFoundation, and pass the floor to him first to debrief and set the scene before we proceed with the game.

Thank you.

>> VLADIMIR RADUNOVIC: Thank you.  This 0 day of the IGF is interesting with the capacity building sessions, but I can't remember, we have had many of the games and exercises in the past, so this is a nice opportunity.  The DiploFoundation is an NGO, international, our focus is on cyber issues, diplomacy, digital relations, and in this context of the game we are trying to help with the game, it is setting the stage a little bit, the context of the game, and then debrief after the game.  Now, this edition is shorter than what we usually do, and Anastasiya Kazakova will elaborate when we do the exercise, it is usually an hour and a half, two hours, our discussion, but we'll try to give a snapshot.

The background is easier to share the green actually, you can put me on this side.  You can sew the background behind me.  The demonstration of how warfare may be ‑‑ in the future, even today, so you, as an attacker, you have a person whose not dressed as a civilian, he or she does not necessarily have to be ‑‑ you can probably put the speaker view if you want to see closer.  So it doesn't necessarily have to be a military official who is launching an attack.  We see more and more proxies which are acting on behalf of states and conducting attacks.  The attacks are conducted through the computer in a way in a digital space, attacking targets which can range from everything from hospitals to education, to energy sector, to shipment and then harbor, so on.  We have seen many, many cases in the past of who are the targets, critical infrastructure can basically get attacked and in a way make this functional or even cause a lot of damage, luckily we have not seen lives yet but I'm afraid it is a matter of time.

Then what you can't see on this illustration, I can share the link later on, there is a book on international law which underpins the table so there are a lot of questions on international law and how international law applies to these cases and most cases, what we see, the attacks ongoing in cyberspace will go under the threshold of the armed attack, we don't know what the attack is, we have a lot of discussions on that, a lot of suggestions of how to articulated that in cyberspace we recollects don't have the international agreement on that.

With all of these circumstances and contexts, a huge question, it is attribution.  So if you get an attack from somewhere, you have a huge loss and high effect of attack, sophisticated ones, you can do a lot of forensics, technical analysis and try to find where is that keyboard that actually is providing the attack?  You can do as much to that extent, but then you have to as a virtual ‑‑ some colleagues in the field, you have to bridge the couple of sent meters from the keyboard to the person who is behind, then try to connect that person with proxies and entities around and then these proxies are maybe government states.  It is a very hard job to do.  The attribution, if you look into closer details, it has technical details, technical attribution, legal attribution, you have to collect all of the evidence that they can put in court that are valid, I don't want to mention how complex that is in different jurisdictions and lastly, political attribution, it is in a way sort of a decision of states, it does not follow the previous ones but we're trying to explain how complex this is.  Now, what we're going to do in the next hour and something, it is focus particularly on this aspects of technical attribution, understanding how can we, can we actually track what happened and understand how the attack unveiled, who is behind it, what reasons, and suggest some options based on this, what would you do in such case if you would be in the shoes of decision maker, would you point a finger, would you do it differently to do a sort of attribution, a signal of who is behind, touch on political level, but just as a matter of exercise, if we have time, I hope we will afterwards, we can debrief and look at the traps of these complexities of attributions and where we should be more cautious.

Back to you.  I hope we have more time at the end.

>> ANASTASIYA KAZAKOVA:  Thank you so much. 

A wonderful introduction, I hope it is a helpful introduction to the broader context we're dealing with throughout the games.  We know that we'll be diverse set of experts and people joining the IGF this year, and also I know that some people may be joining physically in Poland while conducting the game fully virtual. 

So for playing the game, you will need to have computers or a laptop.  The game cannot be launched through mobile phone or tablet.

Before moving on with the games, before I actually explain the rules of the game, I also send a link in the chat with a glossary, which contains technical notes specifically designed to attest you with any sort of clarification of the technical notion that you may face throughout the game.  You could then load that in the meantime.

We proceed with the cyberstability games.  I hope you can see my slides again.  So the goal of the simulation would be to ensure cyberstability through avoiding conflict and by enhancing cooperation and exchange.

We have sort of Kaspersky Interactive Protection Simulation, it is for different scenarios.  We usually design the environment of the airport, of a power station to help actually ‑‑ the participants to learn how to protect those environments and many critical assets in there.

For today's scenario, which focuses on technical attribution and complexities of this, we offer you a new fictional world, you see the map on the screen right now.

It, of course, contains several country, you don't need to choose any country, but please pay special attention to the three countries.  Each of you will represent as a diplomat of a national delegation at the UN first Committee, existing actually in real life, it deals with the pillars of issue of International Security and peace.  Your responsibility would be to prevent security incidents, playing as a diplomat to ensure International Security through conducting technical attribution to identify who has been attacking the UN and namely your delegation.

Not to leave you completely in a desperate security situation, assisting you through the game, we have designed five profiles of possible threat actors available in the consult which we will access altogether a little bit later.

So you see that the five actor, three of them, Black Octopus, Red Snake, WHITE HORSE, you see what they're interested in, the language they use, what targets they prefer, and also we included two actors, Bob Hactivist and hacking‑for‑hire company, only one is the culprit who will be attacking the UN.  A couple of ways to play, before we start actually playing.

You see right now the print screen of the actual consult joining soon.  The consult will contain all necessary information that you would need throughout all of the courses of the game.  It will have the reports in the messages, the game resources, I'll explain this a little bit later, and actual timer because we have limited number of time, limited time ‑‑ sorry ‑‑ for each phase.

If you would like to open different panels throughout the consult, for instance, if you like to open the message panel, you need to click at the banner and you can switch between the game board and action cards with the slider and you can also Zoom in and Zoom out of the consult.

About the rules:  Remember, each of you will be playing as a single player, we will be playing as a cyber diplomat representing your national delegation to the UN.  Structurally with you, two levels, the UN level, first Committee level, and the national level.  So each of you as a cyber diplomat is sent by the ministries of Foreign Affairs to the UN and you use computers which are managed by the ministries.  They also connected to the UN infrastructure and right now you see on the slide the structural visualization of that.

To zoom in a little bit to the national level, we also indicated here, national cybersecurity agencies, certs, law enforcement, as a ‑‑ an important connect point for you to assist and to actually ask for assistance in dealing with the cyber incident.

Beyond the national and the UN level, we also indicated here WORLDPOL, local to Interpol in real life, and that's international organization that helps with the world populous cooperation and crime control and they could be specifically helpful to you to investigate cyber incidents through ‑‑ across different borders and jurisdictions.

We also put here private cybersecurity experts of different way, if you need help with let's say digital forensic, malware analysis, penetration testing, incident response.

Finally, at the UN level, we also indicated here two instruments, two tools, one is the UN PR service team, which may be really helpful to you as a cyber diplomat dealing with questions that would come from journalists, and also the Committee meeting, more explanation is given in glossary, the link I put in the chat, so I also explain here a little bit.

We discussed this quite extensively with Vlad and the DiploFoundation, the idea was, in 2025 where hopefully the current open‑ended working group, which will start the work in the next week, they'll add in a dialogue at the UN level so this sort ‑‑ this is the UN institutional cyber dialogue working group, which you already could leverage to set up the coordination platform and to cooperate with other states, exchange information, threat intelligence, to respond to their request for assistance or to ask for assistance to their delegations.

So First Committee, this is ad hoc operational meetings which you as a cyber diplomat may ask to convene if you need to have a coordination channel with other states.

To sum up, throughout the game, you have four types of assistance, so you could ask national UN IT support for a cyber incident, you could ask national cybersecurity agency CRT to help you with the investigation of a cyber incident, WORLDPOL and other private sector partners could be helpful and you could cooperate with other states as I mentioned, by sharing the intelligence with them or by sharing for instance your work and infrastructure and if this doesn't work or ask the local law enforcement assistance with investigation of cyber incident.

Keeping in mind that the goal of today's game, it is international stability and peace, you would need to go through some steps, namely you need to investigate, to understand what's happening to you with what you're dealing with, to try to remedy this, to conduct technical attribution and finally to also conduct a proper communication with your important external and internal stakeholders, to avoid the escalation and panic.

Please, remember that you will be short of resources as in the real life, and you will need to prioritize.  Please keep in mind that the focus should say on technical attribution, which is the goal of today's game.

The more information you have for evidence‑based technical attribution, the safer cyberspace is.

A couple of words about the structure, how actually the game would work.

Throughout the game, we will have five turns.  Each of the turns is similar with the threat, the structure is the same for all five turns.  So each turn will start with the message, you will get some news, world news, internal messages e‑mails, lots of information that you need to deal with.  Then there will be action phase, limited time, when you would need to respond to the message, basically to choose action cards.  The system will then generate the score and will provide you with a report sharing what's happened in your fictional reality, in your world, since you took the actions.  This is happening throughout all five turns.

If you may have already questions at this moment, please do not worry, we'll have a specific allocated time slot to discuss the questions.  In the meantime, please write them down and ‑‑ or you could also ask them in chat and I would be happy to assist you with the information about the game.

About the game resources:  As I mentioned, you will be short of resources.  In our game, we have two resources, abstract time and budget.  Abstract time is if you ask me what is the abstract time, basically we wanted to give theoretically a suggestion of how much theoretically time it could cost each of the actions throughout the game.  Each of you will receive 100 abstract time units, for all five turns total you have 500 abstract time units.  However, the time that you didn't use for one turn cannot be transferred to the next turn. 

About the budget:  For all five turns, you will get $75,000 ‑‑ we know that's not that much ‑‑ just in the real world I guess!  But also please keep in mind, your goal is not to have budget savings.  If you manage even to save some money, it will not make your score higher.  The budget is not the end goal for you.  This is something to assist you with the more options to deal with the cyber incidents.

You could take the action and respond to the messages that you will receive as many action cards as you want, but with three conditions:  First, you cannot actually accede the sum of the action cards more than 100 abstract time units.  The sum of the action cards cannot exceed your budget, and also we will have limited realtime for each phase and you need to make the actions before the time runs out.

The success of each of you as a single player will be measured by the score which evaluates how successful your delegation in our fictional world in dealing with a complex cyberattack scenario is through investigation, remediation, technical attribution.

The final part of the onboarding I will explain with the action cards.  Right now you see the slide the illustration of two random action cards.  Each has a number, name and effect.  Number doesn't matter anything.  Please, you could just ignore it, it is just for easier navigation throughout the game.

However, name and effect, it really is important for you to consider.  You need to read the name each time and the description each time.  The effect of the card could be different depending on the turn and depending on the combination of different cards you play.  Cost and time, it is also two game resources indicated in each card.  For instance, you see the game, the card number two, which means convening the UN cyber emergency group meeting, this is the same working group meeting that I explained a little bit earlier.  It definitely will not cost you anything as a cyber diplomat, but speaking theoretically in terms of the abstract time units in our game, it will cost you 50 abstract time units.

Some time, investigating the attack, meaning that you request your national cyber agency assistance with the investigation and it means that your national cybersecurity agency will probably purchase special equipment and spend time to install it properly and it will also cost you somewhere 50 abstract time units and in terms of money, it will cost you somewhere around $15,000.

This is the end of the simulation.  Remember that the goal for you as cyber diplomat is to ensure International Security and peace, and you would need to investigate a cyber incident or incidents, depending on how long you will face throughout all five turns.  You will need to collect all necessary pieces of evidence to understand who is the culprit, communicate it timely to avoid panic and escalation and remediate the attacks you face if you have the time.

Accurate technical analysis and the actual culprit being found is the ultimate target of today's game.

This is the time for the questions.  Please let me know if you have any questions so far.

You could ask them in the chat or raise a hand.

If not, I will show you the demo session on how the consult will work, maybe you could have more questions in the meantime I will be sharing my screen again.  You don't need to do anything.

Let me share this.  We will send you a registration link to access the game.  I recommend that you launch it from here, I did it from a cognitive mode, I opened the Google Chrome browser.  So it would be helpful if you copy and paste the link here.  The game hasn't started yet.

I see a question:  You will be working individually, Sean, as a single player.  I hope this helps. 

So once I will launch the game you will basically see this window, welcome to play team A.  Team A is a standard name.  You choose any nickname you want.  I choose mine.  Let it be Anonymous.  I choose the nickname.  I choose button go.  Once I access the game, I could actually check the game board, zoom in, zoom out, and also to check the cards of the different actors.  So here you could access them at any moment in the game you like.  Just need to click it and click it again to close the cards. 

Here's the slider which you can use and see the action cards for turn number 1.  They have not been activated because we have not started playing yet.  This is fine. 

You see the game resources.  As I have promised, you have 75K dollars for all 5 turns and 100 abstract time units for the first turn.

Then here, if you click here, you will see the news.  We don't have anything yet.  That's okay.

Then, you will also have here the ranking of your individual score.  So let's play a demo session to understand how the action cards actually work.

I will give you for the first turn 5 minutes.  You will get the first message here.  Once you finish reading your message here for the first turn, you will have just one message, but more and more turns happen, more messages that you have.

Now you see that your time is ticking right now, you have 5 minutes for the turn number 1and you need to decide what action cards to choose.  I will choose randomly the first and the second card.  You see that the sum of my cards is now 100 abstract time units and all of the action cards are now deactivated.  If I'm okay with my decision, I push the button submit.  I still have the time.  If I'm not okay with my decision, I would like to change it, I push the button cancel, let's delete the small card and choose another one.

Again, I push the button submit.

Once everybody has chosen the cards, I will send you the results, you will have 2 minutes and let's see the ranking.

I got 165 points, after the turn of 1.  You will see here the individual ranking, how much everybody of you will receive after each turn.

Here, in the news, as promised, you have the message.  It shows you which action cards you selected and now you have the report.  You have to read carefully the reports.  Basically I got the two message, depending, of course, on the particular action cards played, it helps you with some tips to understand how better to proceed with the turns and thus to win in this game and to identify who is being attacking the UN.

I hope this is clear for now.

As I also mentioned, you could switch between the game board and the action cards.  You could do this at any moment of your game. 

Let me know if you have any questions so far.  Everything is clear I guess. 

I will send you the actual link in the chat.  Just sent it.  Kindly ask you to copy and paste this link and also to use the incognito mode if possible.  Don't use mobile phone, iPhone, tablet, it wouldn't work on the laptops and computers, it is really good to use for better user experience.

I will launch the game right now.  Everybody will have the opportunity to choose their nickname.

Let me know if anybody has any issues with the game.  You could share this in the chat or unmute yourself and let me know.

We'll wait for everybody to join before starting to play.

It is better to copy and paste the link in cognitive mode, browse, refresh the page if it doesn't work.

I see the message, I will send you an individual link in a second.

I will send individually the link.  I just sent to Fabio.  Fabio, let me know if this work, I see the messages from Corinne and Monica and will send them as well.

I sent links to Corinne and Monica.  We'll wait for feedback if this now works.

In the meantime, I see people have joined the game and chosen interesting nicknames.

Thank you, I got your message, Fabio. 

We'll wait to hear from Monica, make sure everybody is in the game.  Thank you so much.

This is the last call.  All the rest, please apologies for this inconvenience, you can use this time to grab a coffee, a tea.  I just want to make sure that everybody joined.  Please let me know if anybody still has any issues.

Okay.  I got the message.  We'll send a link in a second.

Last call to everybody.

Yeah.  There's still ‑‑ I'll see if they appear, it is all good.

I got the message from one more participant that did have some issues.  I assume we can start.  I will be sharing my screen again.

Good luck to everyone!  We'll start with turn number 1.

Remember, that you are a cyber diplomat and in turn number 1 you have a message, red alerted from the national IT, with the message about the cyber incident at the UN.  They tell you that there seems to be a network of flood attack, DDoS, targeted at the services you rely on either managed by the national or by the UN IT service team and some services are unresponsive.  Internal and public mail and digital conference communications which you use are affected.  This can create panic and undermine reputations and internally hinders your work.

This is the message for turn number 1.  Please proceed to your consult.  Everybody has 5 minutes for turn number 1 and your time has just started.  Good luck to everyone!  Your task is to identify which action cards you would like to choose to respond to message number 1.

If you have questions in the meantime, please do not hesitate to ask in the chat or unmute yourself and I would be happy to help you.

Thank you so much for the question, Kenddrick.  You can choose as many cards as you want but with the three conditions, the sum of the cards cannot exceed 100 abstract time units and you cannot exceed your budget and you feed to follow the actual time.  We have got 5 minutes for the first round and you need to manage to make the decision before the time runs out.  I hope this helps.

1 minute and 40 seconds left.  I see some of you are already with a decision.  This is great.  Still you have the time to decide before the time runs out.

Let's not forget to use the glossary.  It may help you with some explanation of technical notes you will face. 

30 seconds left.

3, 2, 1!  I'm stopping the action.

Let's see the result.  I'll give you 2 minutes to read the reports.  In the meantime, let's see the ranking.  Congratulations to someone nicknamed Silenced.  Turn number 1, a total score of 230.  All the rest, really good results.  Until ‑‑ we still have the time, 1 minute and 40 seconds.  Please read the reports now carefully.  They may have some tips for you to proceed better.

30 seconds left.

Time runs out.  I'm stopping this phase.  Let's press into turn number 2.

Again, we'll start with checking the public messages if we have any, let's see.  I'm sharing my screen.  Yes, we do.

This time, the public message comes from the UN IT, red alerted, they also spotted DDoS attacking the UN servers and they share with you it is ongoing and intensifying.  All communication exchanges have been severely affected and the UN PR service reports that journalists are asking even more questions but they still don't have any additional information to provide.  However, they are working hard to develop the incident response and ask for more time.

At some time, you also got the message from WORLDPOL, analogue to Interpol, red alerted, they identified a message mentioning the ongoing cyberattacks against the UN in a specialized Dark Web forum which they assess to be credible.  It includes the UN seems to be under DDoS attack, their security is bad, I hacked them.  It is all public messages for turn number 2.  You may have some additional messages in your consult.  Don't forget to check them as well.

I'm sending you 4 minutes for turn number 2, and good luck to you, everyone.  Your time has just started.

One minute left.  I see many of you have chosen your action cards.  You still have time.  Please hurry up.

10 seconds left.

5, 4, 3, 2, 1, I'm stopping the action phase.  I hope you managed to choose the action cards.  Again, let's check the results and see the reports.  I'm sending you 2 minutes.

We see again Silence is leading after turn number 2.  Congratulations.  Congrats to all of the rest.  I see really good results.

By the way, do not get sad too fast if you're not happy with your result, we have three more turns and the situation, it usually as it happened, it may actually change significantly.

For now, let's read the reports, and then we'll proceed with turn number 3.

5 seconds left.  2, 1, and I'm stopping the reporting phase.

Let's proceed with turn number 3.  Let's check if we have any public news.  Yes, we do.

Again, it comes from the UN IT, and they share with you that DDoS attack is ongoing and effecting now all IT services at the UN.  It is no longer only your delegation dealing with the DDoS.  The entire services within the UN are affected as well.  Now the risk is additional critical information, it is not reachable anymore because supporting services and network devices are becoming flooded by the DDoS network communications as well.

At the same time, you got the report from the UN press service colleagues, and they shared with you that the newspapers which feature multiple articles, citing unnamed sources in Republia, a country in our fictional reality, and they declare that WHITE HORSE, an APT group with allegedly origins from Vulcania is conduct offensive cyber operation against the UN.  Journalists report that relations between Republia and the suspected country of origin of WHITE HORSE are becoming strained but Republia may have its own agenda here.  That information may be helpful or something to distract you, but we proceed with turn number 3 and you have 4 minutes.

Good luck to everyone.  Please choose the action cards to respond to these messages.  

Almost 2 minutes left.  Please, hurry up.

30 seconds left.

5, 3, 2, 1.  I'm stopping the action right now.

Let's proceed to the results and I'm sending you 2 minutes.  Okay.  Congratulations to Silence again!  Leading after turn number 3.  It is really impressive.  Congrats with a total score of 520!  We also see a new number two with a total score of 495, and all the rest, congrats!  You still have the time to read the reports.  We'll then proceed to turn number 4.

30 seconds left.

2 and 1.  I'm stopping the reporting phase.

Let's proceed to turn number 4.  Let's check again the public news, which will be coming for all.  Yes, we do have the message from the UN IT.  It is red alerted, but they share that the DDoS attack suddenly stops, but no one really understands why.  The communication exchanges within the UN are working as they should.  Everything is now perfect again.  At the same time, the investigation by one UN Member State has revealed that the servers that were used for the DDoS attack were located in Fook Island.

I don't know if it is helpful information or not, something to distract you.  Again, you have four minutes and your time has just started.  Good luck to everyone.  Please do not forget to check your individual messages in the consult.  You may also have some really useful tips for you to proceed better.  .

Let us know please, you have 2 minutes for reading the report, if it is enough, not really.  It would be helpful to have your feedback.  Your final 1 minute.  Please hurry up.  I see that some of you have not decided yet.  5 seconds, 3, 2, 1.  I'm stopping the action phase.

Sending you 2 minutes.  Again, let's check the score.  Congratulations, as I promised, it is now significantly changed.  Now we have another leading after turn number 4 with a total score of 645., other, congrats.

Before going to the final turn of the game, please read the reports and we'll proceed in 1 minute, 30 seconds.

Your last 5 seconds, 3, 2, 1.  I'm stopping the reporting phase.  Let's proceed to the final turn and check first if we have any public news.

No public news for turn number 5, you may have some individual messages.  Do not forget, please, to check them as well.

Launching final 4 minutes.  Good luck to everyone.

Final 1 minute.  10 seconds left.  2, 1.  I'm stopping the action phase.

So let's see the final score.  I'm sending you 2 minutes.  Congratulations for the total score of 895.  Congrats to all of the rest.  Really, really good job.  This is not the end.  We have bonuses and the bonuses may change the situation.

While you are still reading your final reports I would like to explain to you what the bonuses are and for which cases we designed bonuses.

So I'm sharing my screen again.

So the bonus was specifically for keeping in mind that this is a capacity‑building virtual exercise and also security‑focused game training.  We also tried to give bonus force really good security decisions that you may take throughout the five turns.

Right now you see the examples of such cases.  I'm not going to read all of them, of course.  Just we'll probably share with you some of them.  For instance, if you decided to investigate the DDoS by examining all of the available clue, by checking all of the action cards for that, you will get 20 minutes.

If you for instance, remediated the malware incident at the very begin, you will get 20 minutes.

What's really important for us, as those who try to design this game, if you get both highlighted messages, if you decided to follow all possible steps to conduct the technical attribution and investigation, including sharing the results afterwards with the other states, you will also get 20 minutes, but it is really important for us to know if you get this highlighted message.  Let us know in the chat.  It would be really, really interesting to know.

For some cases we designed anti-bonuses.  We wanted to highlight what decisions are not considered really secure, security wise good decisions.  For instance, if you decided to subscribe to standard Internet access provider to create free and quick mail accounts but not secure, especially for you as a diplomat and for you, for your confidential data, yes, it will help you to get rid of the DDoS quite quickly, and forget about this for the time being.  Again, working in the government, working in the UN, it will not be a real security wise decision.  If I decided to pay ransom, if you actually faced ransomware, don't pay ransom, paying ransom does not guarantee that you will have the data encrypted, if you did, you will be ducted minus 20 minutes.  Finally, if you decided to link publicly APT threat actors without evidence, meaning that you didn't play any action cards before ‑‑ publicly blame ‑‑ that will help you to launch any technical investigation and to get any pieces of evidence, you just randomly decided to blame all APT actors, you will be deducted minus 20 points because we thought it would be a step that would lead to threat escalation and confusion among international communities.

I will now send you the bonuses and let's again check the final, final score.  The situation hasn't changed significantly!  Congratulations for winning the game!  I'm really hoping that you're satisfied with your results!  If you wish to reveal yourself, please feel free to do so in the chat, Cali.  If you do not, no pressure, of course.

Also, forgot to mention that the nicknames that you used will be automatically generated in the certificates which I will send in a moment.  Also if you wish to have certificates with your real name, we can do so.  For now, we would like to proceed with ‑‑ the entire scenario will be unveiled and I will share specifically what's happened with you during the five turns.

Again, if you have any question, do not hesitate to write them down, we will be happy to also during the debrief session, which Vlad will lead to respond to any questions or feedback you may have.  Now is the part when we'll actually share with you what's happened, what was specifically what we're dealing with and before that just a quick reminder that your goal was to ensure international stability and peace.

You had to go through several steps.  Of course, keeping in mind the technical attribution is a key priority within this game for you.

Actually, throughout the whole game you were dealing with four cyber incidents with DDoS, Hacktivist and APT and ransomware.  The DDoS, everybody knew about that from the beginning and the attack ended as surprisingly as it started, it was definitely hindering work.  It was causing some chaos, but not really a big deal.  No intrusion was involved and you could find ways to keep working despite the DDoS.

In any case, criminals are really focused.  So they work with a purpose, and this attack could have been actually smoke screened for the real attack.

The Hacktivist, it was launched a long time ago by a lone hacker exploiting a very old vulnerability and it was a backdoor that could be unattended that could be leveraged.  You can learn about this by investigating the affected mail service by the DDoS from the very beginning.

The APT, Advanced Persistent Threat, the serious attack, the most, the most important attack to consider, it is sophisticated and shows the vulnerability to spy on confidential data that your delegation and broadly other delegations within the UN have.  You could find out about this conducting the security audit from the very begin, actually it would help you to understand where the intrusion took place and what you have been dealing with.

Finally, ransomware:  This is the attack that your delegation had been dealing with on all five turns.  This is an absolutely independent attack.  This could unfortunately happen with everyone, and it has been made possible in our game out of the negligence, when some users open phishing emails. 

Some secret reveals:  All action cards were split into groups, effective actions and you better don't actions.  We also called them simplistically a bad and good card.  Those cards, they were effective actions, they were designed to help you with the investigation, mitigation, finally to collect pieces of the evidence for technical attribution.  The bad cards, they were specifically designed to bother you, to make your situation worse, to distract you and thus lead the situation to less stability in cyberspace.

To give you an idea of how this concept of the good and bad cards work, this is just an illustration of turn number 1.  You see that this, the 2, 4 and 5 were considered effective actions.  If you for instance request for investigations affected by the malware service, it helps you to understand what actually DDoS were possible, where the vulnerability existed and from where, from which AP address did the DDoS may come.  The question and assistance from the private sector with the security audit, it was an ad hoc one, it could be also quite a good decision because at the very beginning you will probably get a bigger picture, technical picture, where the intrusion took place, if there was data that's been linked, if there is any data breach happening and broadly to help you to understand what you have been dealing with.

The card number 3, preparing the PR statement in turn number 1, we thought it would not be really a good decision because at the very first moments you don't have what you have been dealing with.  You just got a message from the UN IT, you have a DDoS, no further information, you still don't have any fact checking, you have other delegations in the UN dealing with this DDoS as well, going public with answering questions from journalists would probably provide more escalation of the situation.

Another illustration, a combination of the cards, also they could be considered as not really effective solution.  So for instance, cards 24 and 25, if played together at one turn will not be really a good decision.  Why?  Well, because you cannot ask to investigate ransomware, if you ask also to cleanup at the same time.  Playing those cards at a different turn would be actually good decision that will help you with the ransomware investigation further.

How could you learn about the APT attack?  This is the path.  The step by step, how you could learn about the attack that you have been dealing actually with, with a sophisticated attack.  Turn number 1, as I mentioned, it is good if you decided to conduct a security audit and understand why the DDoS happened, if any deep intrusion took place, what part of the computers and servers were affected, those managed by you nationally or managed by the UN IT service team.

At turn number 2, you have the knowledge, you also go with the analysis of malware, you know there is a vulnerability exploited by the malware.  You purchased threat intelligence report on this malware to learn who has been affected in using this malware in the past, which particular threat actor, you shared this result with the other delegations as sort of a due diligence and probably to get some threat intelligence in response to advance your investigations, investigation in this regard.

At turn number 3, you learn it may be coincidence that some threat actors in the past have been exploited.  You want to double‑check if this is coincidence or not.  If you go to the expert and ask them, he will tell you that it is not a coincidence for sure. 

Then, by turn number 4 you learn that this was WHITE HORSE APT threat actor.  You could decide to go with the public attribution, it is your sovereign right as delegation.  Turn number 4 is an optional card, I mentioned the goal of the game was technical attribution, playing card number 19, it doesn't increase your score, doesn't lower the score.  It was among the possible options as well.

Hacktivist attack, how do you learn about this?  Turn number 1, you decide to convene the UN cyber emergency meeting to understand if anyone in the UN has been also affected by DDoS and you ask the forensic investigation, you go with a deeper forensic investigation in turn number 2 to get a list of IP addresses.  You know that they're low cased in Vulcania, you ask if they will help you identify, if they help you with turn number 4 and you ask the local law enforcement to help with the cybercrime investigation and you learn that a lone hacker indeed intruded into the UN system, left the backdoor, not creating damage.  We don't know why, maybe he lost interest.

Again ‑‑ (no audio).