Cyber security brings along a series of challenges that have become more acute over time. We could mention in this regard:
- A growing number of cyber attacks: a recent report shows that Business E-mail Compromise and DDoS attacks became much more common in 2021, and the emergence of new ransomware schemes intensified throughout the year;
- Increasingly sophisticated attack methods developed by cybercriminals, and this trend will continue to grow;
- Increased demand for highly trained cyber security specialists: the global cyber security workforce still needs to grow by 65% to effectively defend organizations’ infrastructures.
Under these circumstances, more is expected from organizations’ security teams: complementary knowledge and skills, rich expertise doubled by a willingness to learn on a daily basis, as well as an extraordinary capacity for coordination and communication among team members.
Capture the Flag (CTF) competitions, an additional learning opportunity for infosec specialists
Security incidents happen too rarely to be the ideal way to practice incident response or digital forensics skills. Similarly, learning offensive skills, which are necessary for penetration testing, always requires approval from the owner of the infrastructure or service that is being tested. Therefore, organizing cyber security competitions remains probably one of the most effective ways to train people in this field.
In the most common form of such a simulation, also known as Jeopardy, participating teams must solve as many exercises as possible in categories such as Web Applications, Digital Forensics, Cryptography, Binary Exploitation, Reverse Engineering, Mobile Security, Internet of Things or Secure Programming. Each exercise involves extracting the correct solution (“flag”). Teams send their “flags” to the organizers to win as many points as possible.
In Romania, Jeopardy CTFs are very popular and attract many participants, from high school and university students – UNbreakable Romania, Romanian Cyber Security Challenge (#ROCSC) – to experienced industry specialists – DefCamp Capture the Flag.
Jeopardy vs Attack & Defense: which one makes for better training?
Another type of cyber security competition, perhaps just as well known but with a much higher level of complexity, is Attack and Defense. This exercise provides a scenario extremely similar to the challenges that occur in the day-to-day work of cyber security teams. In a classic competition, teams win points only by solving a series of challenges as quickly as possible, so the focus is more on the offensive side and teams do not compete directly against each other. Things are quite different in Attack and Defense.
In this context, each team receives from the organizers a set of virtual machines and an infrastructure that simulates real-life applications and systems with vulnerabilities. The teams must fix the vulnerabilities and keep their systems operational. Meanwhile, competing teams try to exploit those vulnerabilities and gain access, which allows them to exfiltrate information and therefore score points.
Thus, Attack and Defense aims to develop a team’s defensive skills, aside from the offensive ones:
- Understanding the attackers’ mindset;
- Early identification of risks and weaknesses in the infrastructure is vital;
- Timely patching and remediation of threats;
- Creating a defense strategy against future attacks;
- Ability to effectively monitor the perimeter for attempted attacks from other teams.
The difficulty and, at the same time, the adrenaline of this competition derive from the fact that, while a team strives to keep its own services permanently operational, it must in turn attack the services of the opposing teams to obtain “flags”. And all this is, of course, a race against the clock.
An Attack and Defense competition, for the first time at the #ROCSC2022 bootcamp
The Bit Sentinel specialists have been involved for the fourth time in the selection of the Romanian national cyber security team that will participate in the European Cyber Security Challenge of 2022 (#ECSC22). In addition to the Jeopardy challenges developed for the first rounds of this selection, the team organized, for the first time, an Attack and Defense competition during the bootcamp (#ROCSC2022) for the European championship that will take place in Vienna, from 13 to 16 September.
The competition was hosted on the CyberEDU.ro technical educational platform, a virtual training ground designed to bridge the gap between theory and practice in cyber security learning. CyberEDU aims to train the next generation of security professionals, regardless of age or experience level.
Five teams of four members competed for 8 hours in 120-second rounds (“ticks”). At the end of each round, the organizers placed new “flags” and the participants had to prove that they still had access to the other teams’ infrastructures by capturing the “flag” and sending it to the CyberEDU platform. Also, at the end of each round, the organizers checked whether the defended services were still operational and deducted points from the teams that failed to keep their service operational.
The scoring system was dynamic, based on these three components:
- attack: points earned for “flags” captured from other teams (with positive value);
- defense: points for “flags” stolen by competing teams (with negative value);
- points earned for keeping services operational (percentage value).
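The three components can be combined into a scoreboard as in the following added example, which is not the organizers' or the CyberEDU platform's code. The point values, the additive total, the rule that a flag is only valid during the tick it was planted in, and the single-service setup are all assumptions made for illustration; only the tick length and game duration come from the article.

```python
from collections import defaultdict

TICK_SECONDS = 120                       # round length stated in the article
TOTAL_TICKS = 8 * 3600 // TICK_SECONDS   # 8-hour game -> 240 ticks
ATTACK_POINTS = 10    # assumed value per captured flag
DEFENSE_PENALTY = 5   # assumed value lost per stolen flag
SLA_POOL = 100        # assumed points available for 100% uptime


def scoreboard(teams, submissions, uptime):
    """Score one service.

    submissions: (tick_planted, tick_submitted, attacker, victim) tuples.
    uptime: {team: [True/False result of the organizers' check per tick]}.
    """
    attack, defense, accepted = defaultdict(int), defaultdict(int), set()
    for planted, submitted, attacker, victim in submissions:
        if attacker == victim:
            continue                      # assumed: no points for a team's own flag
        if submitted != planted:
            continue                      # assumed: flag expires with its tick
        key = (planted, attacker, victim)
        if key in accepted:
            continue                      # resubmitting a flag earns nothing
        accepted.add(key)
        attack[attacker] += ATTACK_POINTS
        defense[victim] -= DEFENSE_PENALTY

    board = {}
    for team in teams:
        checks = uptime[team]
        sla = sum(checks) / len(checks)   # fraction of ticks the service was up
        board[team] = {
            "attack": attack[team],
            "defense": defense[team],
            "sla_percent": round(100 * sla, 1),
            "total": attack[team] + defense[team] + SLA_POOL * sla,
        }
    return board


# Constructed sample: three teams, four ticks.
SAMPLE_UPTIME = {"A": [True] * 4, "B": [True, False, True, True], "C": [False, False, True, True]}
SAMPLE_SUBMISSIONS = [
    (1, 1, "A", "B"), (1, 1, "A", "B"),   # second one is a duplicate
    (1, 2, "C", "B"),                     # stale flag from an earlier tick
    (2, 2, "B", "B"),                     # own flag
    (2, 2, "C", "A"), (3, 3, "A", "C"),
]
```

Calling `scoreboard(["A", "B", "C"], SAMPLE_SUBMISSIONS, SAMPLE_UPTIME)` shows how a team that never attacks (B) can still outrank one that does (C) by keeping its service up.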
The intensity of the training was at its highest: the participants developed, tested and adapted various strategies starting from attack and defense principles, prevention and protection, data recovery and more. At the end of the competition, almost 30% of vulnerabilities were still unpatched.
However, the continuous battle against time was a main attraction. The much more realistic and intense scenario provided infinitely more valuable lessons and the necessary training our students need to score high on the leaderboard in the upcoming European Cyber Security Challenge.
Use Attack and Defense to train your cyber security team!
Attack and Defense is an ideal exercise for the complementary development of skills that are essential in cyber security specialists’ activity – understanding the offensive as well as defensive roles in a team, communication, coordination and working against the clock. As a result, the bootcamp players made another step forward towards becoming very good infosec professionals.
For organizations with specialists focused on the attack area only or on defense only, Attack and Defense competitions can be organized to test both sets of skills. The organizer will supplement the other capabilities by simulating attacks – in the case of teams working on defense (Blue Teams) – or by creating a vulnerable infrastructure, for teams focused on offense (Red Teams).
The complexity, benefits and engaging dynamics make such a competition a more effective learning and self-evaluation solution even for security teams in mature companies. An Attack and Defense exercise brings new challenges and approaches to stimulate professional development from a technical point of view – but it is not limited to that. There is also a bit of fun involved, which helps teams relax and relieve the pressure of daily responsibilities.
The Bit Sentinel team has the technical capabilities and human resources to scale an Attack and Defense for hundreds of teams. The specialists operating CyberEDU already have experience managing over 350 labs aligned with industry standards (MITRE, OWASP and CWE), as well as over 60 public and private events on the platform. These include:
- the annual cybersecurity competition for high school and university students – UNbreakable Romania;
- the competitions in the Hacking Village, the place that brings together all hacking activities from the largest cyber security conference in the CEE – DefCamp;
- the Romanian Cyber Security Challenge (#ROCSC).
In cyber security, there will be a constant need for self-development in order to keep up with increasingly diverse forms of cybercrime. It is of paramount importance that security teams have access to all the means and resources that can help them prepare thoroughly in their combat against cyber attacks and risks. Working in cyber security is demanding, to say the least. A fun way for specialists to learn how to react to threats effectively, such as Attack and Defense, may be their best training method.
Do you want to organize your own Attack and Defense competition? Contact us!