About the CyberBastion League!
You are the team responsible for ensuring cybersecurity for critical infrastructure and essential services in your country. The goal of the game is to build an effective cybersecurity system that can protect the entities represented by the team from various threats in cyberspace.
At the beginning of the game, the organization has a budget set before the competition. During the game, simulated cyberattacks and incidents based on real events will take place. Some scenarios may allow for an increase in the budget during gameplay.
The security measures are divided into 8 categories (Organization, Physical Infrastructure, Entire Network, Network Edge, Internal Network, End Devices, Applications, and Data).
• There is a ninth category of Security – Data Sources – which must be unlocked by selecting the appropriate card from the remaining categories.
The gameplay scenarios include the occurrence of so-called injects – events of various natures, including attacks, parts of advanced attacks, incidents, and information. Before the game, players will receive hints about the planned scenario, but the teams that prepare better by gathering the most missing information will gain an advantage.
Based on the choices made, points will be counted and summed to indicate how effectively the teams managed to prevent or respond to the injects occurring in the scenario.
NOTES:
Your cybersecurity system will be developed throughout the game, and the selected security measures will be effective for all injects present in the scenario. Security measures are scored differently based on their effectiveness in terms of prevention (identification and protection) and response (reaction, detection, and recovery).
Online Version
Before the league starts, a short training session on game navigation will take place. The game begins when the game administrator initiates it at a predetermined time communicated before the tournament. A list of cards representing the security measures will be displayed on the screen by the team captain or a designated person, who will mark the choices made by the team on behalf of its members. The screen will display the remaining time until the end of the phase, the current budget status, and the results after completed phases. Each team participating in the CyberBastion League is responsible for providing its own equipment and internet connection necessary for the gameplay for each tournament. The organizer is not responsible for technical problems that may occur during the game (e.g., connection loss, computer failure) and may consequently prevent participation in the tournament or its round, as well as the failure to record points during gameplay.
CPE points are awarded for participation in the CyberBastion League.
Game Progress
Objective of the Game
The players’ task is to build a cybersecurity system that will be effective against emerging Attack-type Injects.
PIN Code – a code that enables participation in the game.
Lobby – a space where players wait for the game to start.
Briefing – a tab that describes the context of a given game session. Information may include the organization being defended by the players (e.g., sector, infrastructure) and a description of the game scenario.
HP (Hit Points, Health Points) – a metric used to present the impact of Injects on the defended organization’s infrastructure and the effectiveness of the decisions made by the players. The impact of each Event can be minimized by selecting appropriate security measures. The HP value decreases more slowly after the occurrence of Injects if more effective security measures are implemented.
Budget – Players receive a virtual budget within which they implement security measures according to their adopted strategy.
Scenario – the course and schedule of gameplay consisting of predefined Injects.
Inject (Event) – any event in the game that can have various characteristics.
The game will include Events according to the prepared game scenario. The moment the first Attack-type Inject (generic or the first technique in the attack chain) occurs is considered a compromise of the system and marks the end of the Prevention phase.
Attack – A negative event impacting the players’ infrastructure. It can be a generic event (e.g., malware delivered via email) or a specific technique used by the attacker as part of the attack chain (a sequence of techniques), such as using scripts and PowerShell commands or modifying domain policies. One scenario can include several Attack-type Injects or several attack chains composed of multiple Injects.
Control – An event that can have a negative or positive impact on the players’ HP or budget.
Information – A neutral or positive event providing information that influences the course of the game, e.g., information about the activities of cybercriminal groups, information about additional budget allocation.
Bonus – A positive event resulting from successfully completing a task by the players.
Prevention – A phase of the game that occurs before the first Attack-type Inject (generic or the first technique in the attack chain) takes place. In this phase, security measures that allow for the Identification of threats and Protection against them are the most effective. Note: In scenarios involving multiple Attack-type Injects (generic or attack chains), after the Event concludes, a notification will be displayed indicating the end of the attack, and another Prevention phase will begin until the next Attack-type Inject occurs.
Response – A phase of the game that takes place after the occurrence of an Attack-type Inject (generic or the first technique in the attack chain). In this phase, security measures that allow for Detection of threats, Response to threats, and Recovery of business capabilities post-incident are the most effective. The response phase continues until the information about the end of the attack is received.
Security Measures – Represented in the game using cards that contain a number, name, price, and icon. Descriptions of the security measures are available on the website https://lct.cybsecurity.org/safeguards.
The categorization of security measures is based on the defense in depth model:
- Organization
- Physical Infrastructure
- Entire Network
- Network Edge
- Internal Network
- End Devices
- Applications
- Data
- Data Sources
The effectiveness of the security measures is estimated based on criteria from the NIST Cybersecurity Framework functions:
Identification – Understanding the business context, resources supporting critical functions, and associated cybersecurity risks enables the organization to focus and prioritize its actions according to its risk management strategy and business needs.
Examples of security measures within this function include: Asset Management; Security Organization; Governance; Risk Assessment.
Protection – Developing and implementing appropriate safeguards to ensure the delivery of essential infrastructural services and supporting capabilities to limit the impact of potential cybersecurity incidents.
Examples include: Access Control, Security Awareness Training, Data Security; Security Processes and Procedures; Maintenance and Security Technologies.
Detection – Developing and implementing appropriate activities and tools to detect cybersecurity-related incidents.
Examples within this function include: Anomalies and Events; Continuous Security Monitoring and Detection Processes.
Response – Developing and implementing appropriate actions to respond to detected cybersecurity incidents.
Examples include: Response Planning; Communication; Preventing Event Propagation, Analysis.
Recovery – Developing and implementing appropriate actions to maintain resilience plans and restore capabilities or services affected by a cybersecurity incident. The Recovery function supports the restoration of normal operations to minimize the impact of the cybersecurity incident.
Examples within this function include: Business Continuity Planning, Recovery Planning, Backups, System Redundancy, Improvements, and Communication.
Effectiveness of Security Measures – Effectiveness is assessed against individual Injects. Some security measures are effective only in the Prevention phase, while others are effective in the Response phase. In scenarios where the attack chain consists of multiple Injects, the same security measures can be considered multiple times with varying levels of effectiveness depending on the Inject.
Implementation of Security Measures – The implementation of security measures is confirmed by using the Purchase button. Only then are they included in the cybersecurity system. NOTE: Some security measures that are effective in the Response phase must be implemented in the Prevention phase. The game’s premise assumes that once the first Attack-type Inject begins, there are no longer options for implementing security measures that require a long time for implementation, such as technological (e.g., SIEM, IDS/IPS) and procedural security measures (e.g., Incident Response Process). However, some security measures related to external services or quick-action tasks can still be implemented in the Response phase, e.g., configuration changes, network segmentation, event logging, and connecting data sources.
General Information
- Organizer
The organizer of the CyberBastion League (hereinafter referred to as LCB) is the Foundation for a Safe Cyberspace, based in Warsaw, at ul. Adama Branickiego 13.
- Tournament Format
Tournaments will take place online or as regular stationary events. Participants in online tournaments are responsible for providing their own equipment necessary for participation in the league, which means a computer with internet access.
- Season Information
Information about the season (number of tournaments, duration, and prizes) in which the league is held is published by the organizer on the website cybertwierdza.cybsecurity.org.
Team Registration
- Registration
Teams wishing to participate in LCB must register through the website cybsecurity.org/cyber-twierdza. During registration, the team must provide the email of its captain, who will maintain contact with the team and be the official representative in the competitions.
- Membership
A player cannot be a member of more than one team simultaneously.
- Regulation Acceptance
By registering and participating in the tournaments, the captain confirms that all team members agree to these regulations.
- Team Composition
Teams can consist of 2 to 5 members.
7.1. Special tournaments may occur in which teams can consist of a different number of players. Such tournaments will be clearly indicated by the organizer.
- Joining the League
Teams can join the League at any point during the season. At the moment of joining, each new team starts with zero points.
- Team Composition for Tournaments
In each tournament, the team does not need to be fully represented for points to count in the overall classification; at least one team representative must be present.
- Exclusion from Participation
Employees and members of the Foundation for a Safe Cyberspace, as well as their families, cannot participate in LCT.
- Team Name
Teams participating in LCB may not have offensive names or names that clearly refer to legal entities or organizations.
Tournament Organization Rules
- Tournament Rounds
During the tournament, teams will play a specified number of rounds of CyberBastion, according to the game rules available on the website: cybertwierdza.cybsecurity.org.
- Tournament Dates
Tournaments within LCB will be organized on dates set by the organizer. They may take place in two formats: tabletop version—played “in real life” at tables, or online—using a prepared application. Information about the dates and possible tournament formats, as well as any other information related to LCB, will be published on the LCT website: cybertwierdza.cybsecurity.org.
- Additional Tournaments
During the LCB season, there may be additional tournaments organized (e.g., in connection with other events). These tournaments will also be counted in the overall LCB classification.
- Special Rules for Additional Tournaments
Each additional tournament may have special rules, of which participants will be informed prior to such a tournament.
- Information for Captains
Captains of teams will be informed about all tournaments via email.
- Equipment and Internet Connection
In the case of online tournaments, each participating team must provide their own equipment and internet connection necessary for the gameplay. The organizer is not responsible for technical problems that may occur during the game (e.g., internet disconnection, computer failure) that may prevent participation in the tournament or its rounds.
LCB Scoring Rules
- Points for a Tournament
Teams participating in a single tournament earn a specified amount of points according to the rules of the CyberBastion game. The team with the highest points wins the tournament.
- Ranking Points
After each single tournament, teams earn ranking points for their placement, which count toward the overall score in the following way:
Place | Points |
---|---|
1 | 100 |
2 | 80 |
3 | 60 |
4 | 50 |
5 | 45 |
6 | 40 |
7 | 36 |
8 | 32 |
9 | 29 |
10 | 26 |
11 | 24 |
12 | 22 |
13 | 20 |
14 | 18 |
15 | 16 |
16 | 15 |
17 | 14 |
18 | 13 |
19 | 12 |
20 | 11 |
21 | 10 |
22 | 9 |
23 | 8 |
24 | 7 |
25 | 6 |
26 | 5 |
27 | 4 |
28 | 3 |
29 | 2 |
30 | 1 |
- Victory in the League
The victory in the League is determined by the highest number of points obtained by a team in the overall classification of the League at the end of its competitions. In case of a tie in points, the order is determined by the result of a tiebreak tournament between the interested teams. The tiebreak tournament ends after the first round, which determines the winner.
Prizes
- Prizes for Teams
The organizer provides prizes for teams that occupy the top positions in the entire LCT season.
- Additional Prizes
Individual LCT tournaments may also be associated with additional prizes from both the organizer and potential tournament sponsors. The organizer will inform participants about such situations during the organization of tournaments.
Final Provisions
- Finality of Results
There is no appeal against the announced results of both the tournaments and the entire League. They are final.
- Right to Resolve Disputes
The organizer reserves the right to resolve all disputes that may arise during gameplay as well as those related to these regulations.
- Consent to Data Processing
By participating in the League, participants consent to the processing of their personal data (including the use of photos and videos from the game).
Information Clause
According to the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, participants in the League, by participating, consent to the processing of their personal data (including the use of photos and videos from the game). The administrator of the data is the Foundation for a Safe Cyberspace, located in Warsaw, at ul. Adama Branickiego 13. The data (first name, last name, email address) is used to send information about the game and to provide access to the gameplay. Participants can withdraw their consent by sending an electronic message to the address: [email protected]. Personal data may be shared with other entities in connection with providing IT services (servers, email). Such data is not automatically profiled and is not transferred outside the European Economic Area. In case of objections regarding the processing of personal data, a complaint can be lodged with the President of the Personal Data Protection Office.