NCIIPC-AICTE Pentathon 2024

NCIIPC is mandated as the national nodal body for protection of Critical Information Infrastructure. A key aspect of CII protection is Vulnerability Assessment and Penetration Testing(VAPT). Envisioning the mainstreaming and democratising of VAPT space in India and bringing in young talent on an annual basis- the NCIIPC partnered with All India Council of Technical Education (AICTE) to conceptualise the NCIIPC AICTE PENTATHON 2024 - India’s first national level VAPT challenge for students.

The Grand Finale of the NCIIPC AICTE Pentathon 2024 will be held from April 2nd to 4th, 2024. This will witness nearly 200 students-competing in team and individual formats converging to compete on a platform especially designed to mimic the Information Technology and Operational Technology networks in the CII systems in the country.

Notably these students have been hand picked from India’s first National Level VAPT Challenge which saw over 8000 participants from all over India. While the top three teams and individuals stand to win cash prizes, top performers- upto 10 teams and 40 individuals, subject to vetting will be recognised to conduct VAPT at actual CII entities in the country.

We believe this could be VAPT’s IPL moment for India, where a hitherto non- descript cyber function comes to the Indian mainstream . Stay tuned to this space for further updates !

Among its many strengths, India has one that makes it one of the most promising countries in the world today. As the world searches for young talent and looks towards an increasingly integrated digital ecosystem- India is fast becoming the technology hub of the world.

What is Critical Information Infrastructure- the key fundamentals of any country’s digital ecosystem. CII includes any computer systems whose destruction would have debilitating effects on its national security, economy, public safety and public health.

Whether it is vast servers and databases storing the countries key national data, its banks with systems responsible for thousands of transactions everyday, power plants key to the country’s energy security, or its telecom networks which integrate systems and networks across the country- the National Critical Information Infrastructure Protection Centre(NCIIPC), a unit of NTRO, plays a key role as the national nodal body protecting all CII in the country. A part of its mandate is to undertake activities for developing and enabling the growth of skills working closely with academia et al for protection of CII.

While the Internet has made information available to all, it has also created dangers- in the form of cyber attackers—across the world in the form of espionage and cyber attacks.Whereas in Espionage- innocuous users- both individuals and organisations are unaware of the prying eyes of adversaries- who ultimately seek to steal valuable national data,On the other hand cyber attacks, can cause disruption, confusion and panic among the victims of attack, not to mention serious supply chain disruptions affecting the country.

Vulnerability Assessment and Penetration Testing aka VAPT plays a key role in monitoring the health of the Critical Information Infrastructure systems. This is the exercise that allows the tester to probe within the systems to understand the gaps that attackers could potentially exploit to breach the cybersecurity defence perimeter.

VAPT professionals need to search systems for vulnerabilities - looking deeply into the networks and devices across the entire architecture; find through detailed analysis potential vulnerabilities and once found, find ways to inform the infrastructure owners who then work towards finding ways to patch these vulnerabilities.

VAPT is a highly sought after skill that requires a combination of technical understanding, creativity and determination to persist. One should be able to wear the thinking hat of an attacker but with the intent to do good.

With the above challenge in mind, NCIIPC in partnership with AICTE has decided to undertake a program for the crowdsourcing of ethical hackers from around the country.

These ethical hackers would need to have the technical skills, be willing to learn the global best practices, undertake deep research and last of all innovative with new ideas - it is with such a diverse and talented pool that such a program would succeed. Once vetted for credibility and skill, in coordination with CII management these ethical hackers would be given the opportunity to conduct VAPT exercises at CII entities.

How does one set up such a pool- democratically and giving every one the opportunity to be part of it?
NCIIPC has found an answer through its Pentathon 2024.

This is India’s first national level VAPT exercise opening up the opportunity for all technical colleges and universities in India to participate in a challenge specially designed to resemble and mimic the real world CII entities.

The competition has been conducted in two phases:

Stage I was a Jeopardy style online competition held from 15-17 March 2024 where top teams and individuals have been shortlisted and invited to Stage II.

Stage II will be an in person final round to be held from 2-4 April 2024

No Attacking the CTF Platform: Participants are strictly prohibited from attempting any attacks on the CTF platform itself. This includes but is not limited to exploiting vulnerabilities, attempting to gain unauthorized access, or disrupting the normal functioning of the platform.

Respect Towards Participants and Organizers: All participants are expected to treat each other and the organizers with respect and professionalism. Any form of harassment, discrimination, or disrespectful behavior will not be tolerated.

Flag Sharing Prohibited: Sharing flags or any solution details with other participants or outsiders is strictly prohibited. Participants should not collaborate on solving challenges or share answers in any form.

Confidentiality of Challenge Information: Participants must maintain the confidentiality of all information related to the challenges, including but not limited to challenge names, descriptions, attachments, and deployment URLs. This information should not be shared with anyone outside of the event until the results are officially released.

Communication Through Designated Channels: All communications regarding the event, including questions, clarifications, and announcements, should be conducted through the designated Discord channel provided by the organizers. This approach streamlines communication and ensures that participants receive relevant information promptly. Please ensure to regularly check both the announcements channel within Discord and the Notices provided within the platform for any updates regarding the competition.

Fair Play: Participants are expected to engage in fair play throughout the competition. This includes refraining from any form of cheating, such as using automated tools or unauthorized assistance, and respecting the spirit of the competition. Participants should not attempt to brute force or fuzz challenge deployments unless explicitly specified by the organizers

Code of Conduct: Participants must adhere to a code of conduct that promotes a positive and inclusive environment for all involved. Any behavior that violates this code, including but not limited to harassment, intimidation, or discrimination, will result in immediate disqualification and potential further consequences.

Legal Compliance: Participants must comply with all relevant laws and regulations, including those related to cybersecurity and data protection, throughout the duration of the event

Right to Modify Rules: The organizing body reserves the right to modify or add any rules at any point during the event with ex post facto. Participants should adhere to any updates or changes communicated by the organizers.

Final Decision by Organizers: The decisions made by the organizing body will be final. Any disputes or issues arising during the event will be resolved according to the judgment of the organizers.

By participating in the event, all participants agree to adhere to the rules outlined above. Failure to follow these rules may result in immediate disqualification from the competition, as determined by the organizing body.

In Stage I, student attempted a gamified version of the VAPT challenges. They were tested on a broad range of challenges of varying levels of design and difficulty. This allowed students of all range of abilities and experiences to participate and engage.

First timers, and those not well equipped with the appropriate skill sets found it challenging and yet a very new experience –opening their minds and horizons to the possibilities in cyber space.Veterans and those experienced in capture the flag domains found similarity and ease of navigation, yet the challenges were designed to test the most well versed of the lot. So for everyone, challenges were one to look out for.

The Stage II will take the competition to the next level introducing OT challenges with participants requiring to navigate simulated CII scenarios with the challenge complexity increasing as the competition advances.

During the course of the competition, the participants had an opportunity not only to challenge and test themselves but continually learn. Through on portal training resources and specially designed live mentorships programs, all the students will stood to gain no matter which level they started out at.

Special ethical hacking workshops were conducted in 6 Indian cities- Kolkata, Mysore, Ahmedabad, Pune, Chennai and Hyderabad where students from colleges around the country had the opportunity to understand the idea of CII, the importance of VAPT and the design of the Pentathon 2024.

Top teams and individuals after Stage II of the competition will be rewarded with cash prizes. In addition, the top 10 teams and top 40 individuals (subject to due vetting) will be recognised to be part of the pool of ethical hackers to be enlisted for VAPT exercises in 2024.
Team Prizes (for winners after Stage II):
 1^st Prize: Rs. 2.5 Lakh
 2^nd Prize: Rs. 1.5 Lakh
 3^rd Prize: Rs. 1 Lakh
Individual Prizes (for winners after Stage II):
 1^st Prize: Rs. 1 Lakh
 2^nd Prize: Rs. 75000/-
 3^rd Prize: Rs. 50000/-