In this article, we tell you what kind of cyber training sessions there are, who cyber games are organized for, and what benefits they bring to companies and participants.
The number of targeted cyberattacks on companies and enterprises in Russia has been increasing recently. The attacks are becoming more complex and sophisticated. Hackers are finding new ways to break through security and steal sensitive data or disrupt an organization. To prevent information threats and repel such attacks, information security specialists must constantly improve their skills and update their knowledge. They can practice identifying and fixing vulnerabilities and repelling attacks through sports hacking or cyber training. Such events help researchers hone their skills, face new challenges, share experience with colleagues, and win cash prizes, and they also help companies discover vulnerabilities in their defenses.
Capture the Flag (CTF)
Capture the Flag competitions in information security come in two variants: Attack/Defense, in which teams steal flags from each other, and Jeopardy, in which players must capture the flag from the organizers.
In both cases, the players' task is to find vulnerabilities in services and obtain either sensitive data belonging to users of the service or a unique combination of symbols (a flag), and then submit it to a special platform. In Attack/Defense, hackers must find bugs not only in the other team's defense but also in their own, so that they can fix them and prevent the opponent from stealing the flag.
Maxim Golovlev
Technical Director of iTPROTECT
The purpose of CTF competitions is to provide specialists with an opportunity to demonstrate their skills and attract the attention of potential partners, as well as to popularize the field of information security. Therefore, such events should be conducted with the proper level of organization. To do this, the tasks that participants will have to perform must be quite complex and interesting, and therefore, an appropriate IT infrastructure must be prepared that emulates various scenarios. At the same time, the equipment on which all this is implemented must be modern, reliable and sufficiently powerful. Otherwise, the competition will not allow participants to properly show themselves, and the event itself may harm the reputation of the organizer.
Computer security competitions in CTF format are held all over the world both in person and remotely. They started with the hacker conference DEF CON in Las Vegas, where they were held for the first time and still remain one of the most prestigious. Later, such competitions were held by other organizers in different countries of the world. For example, the University of California at Santa Barbara hosts the UCSB iCTF, which is considered the largest international CTF competition to date. In Russia, the first international CTF competitions (RuCTFE) were organized by Hackerdom, a team assembled at the Faculty of Mathematics and Mechanics of Ural State University. In addition to RuCTF, which has been held annually in Yekaterinburg since 2008, Hackerdom also hosts other regular competitions, such as RuCTFE and QCTF.
CTF can become a springboard for professionals who want to build a career in information security. Participants can not only gain practical skills and experience, but also use networking to find a job.
In Russia, there are quite a lot of CTF organizers, both experienced and new. When organizing and running their first Capture the Flag games, many make unfortunate organizational and technical mistakes.
Kirill Filimonov (CuriV)
RADCOP Pentester, founder of the PermCTF community
- It is necessary to start planning the competition at least a couple of months in advance: plan that there is an intention to hold a tournament, start looking for speakers (if a conference is also planned in parallel), prepare tasks, solve issues with the merch, platform, etc. All this needs to be planned.
- You must have a sufficient development team. Tasks can't be done by one person, even if it's difficult for two people to do it. By analogy with any product development, it should have its own managers, performers, deadlines and responsible persons. Without all this, tasks will not be made.
- Developers should also have the appropriate expertise. Without it, tasks can be completely inadequate and turn out to be, in fact, "utsutsugami" (in the CTF environment, this is what they call "guessing games" when it is not clear what the author meant). Often, such "utsutsugi" come across among the tasks of steganography, brute force, or password matching.
- It is important to understand the load that may be on your servers. You must test tasks in advance and write instructions on how to deploy them if necessary. Make sure that your entire infrastructure works like clockwork in advance. There should be instructions on how to raise all this in case of failures.
- You should also pay attention to the event's PR campaign: advertise the event in advance, connect connections in CTF communities, and actively attract people.
- The security of your platform is also important, because it can also be attacked.
- During the event, it is advisable to stay in touch, do not give hints, and spread all announcements in advance through all available resources.
Because tasks at CTF competitions are created by the organizers, they do not always reflect the real work of an information security specialist. In competitions, specialists often have to solve non-standard tasks that were created for them artificially.
Maxim Golovlev
Technical Director of iTPROTECT
For those who plan to build a career in security analysis, software development, etc., this is an additional demonstration of skills that will serve as a confirmation of competencies in the eyes of the employer. For those who plan to work as an information security specialist, or in similar positions, this is rather additional useful knowledge to counter real attacks.
Pwn2Own
Pwn2Own is an annual hacker competition held as part of the CanSecWest information security conference. It is a kind of Olympiad in the world of cybersecurity, so these competitions usually have a small number of participants: only the best vulnerability researchers and hackers from around the world. Their task is to hack real products that companies have provided to the contest organizers. For example, at Pwn2Own Toronto 2023, information security specialists were asked to hack various smartphones, smart speakers, routers, video surveillance systems, and more.
Alisa Shevchenko
Winner of Pwn2Own 2021
The Pwn2Own rules do not include artificial selection of participants, artificially constructed targets, artificially embedded vulnerabilities, artificial "show" for the public, which is typical for CTF competitions - everything is real. It is forbidden to attack even those real vulnerabilities that have already been closed or published in some way - only new and unknown ones. There are no judges who decide who won and who lost: this is decided by reality, the fundamental physics of space.
Researchers receive a large monetary reward for finding vulnerabilities. Pwn2Own is not the only competition of this format in the world. For example, a similar competition for hackers, the Tianfu Cup, has been held in China since 2018.
Alisa Shevchenko
Winner of Pwn2Own 2021
Cash prizes in Pwn2Own are also quite real: on average, the reward for a successfully attacked target is several times more than the system manufacturer offers in the corresponding menu item of the official vulnerability reward program, and several times less than the state customer would pay for the same attack.
Cyber battles
Cyber battles are closer in purpose to exercises than to competitions. Information security specialists from various companies can use them to test and hone their skills in conditions that are as close to real life as possible. They are held at special training grounds that host models of infrastructure from various industries: oil and gas, energy, housing and public services, space, nuclear, banking, and others. All security systems and digital infrastructure are implemented using virtual machines and software that are used in reality.
For example, since 2016, the international forum on practical security Positive Hack Days (PHDays) has hosted Standoff, the largest cyber battle in Russia. Large-scale cyber training sessions are also held at the SOC-Forum site. In addition, cyber battles are held online, for example, at the site of the National Cyber Polygon.
Two types of teams take part in cyber battles: attackers and defenders. The Blue Team is a security team that aims to maintain control over the infrastructure and, in the event of an attack, to regain control and restore it. The team may include employees of cyber incident response units and information security specialists.
Alexander Goncharov
Senior Penetration Testing Specialist at Innostage IT Companies
You need to be in good shape and constantly participate in various hacker events. So the organizers will see that the participants are purposeful and ready to give their best, and the teams will build up their "muscles" and improve their results.
Organizational and technical requirements may differ. For example, a team for cyber battles usually consists of four to six participants. This format is different from the typical CTF, so it requires a minimum of four players to cover the highlights. Organizers can set requirements for the level of "pumping" of players. But there are quite a few tournaments open to teams without a lot of experience, which allows newcomers to the field to immerse themselves in the atmosphere of hacking and further build a career in information security.
Red Team, the attacking team, must gain control of the infrastructure and hold it. As a rule, the team includes employees of penetration testing departments, hackers, and other information security specialists.
Participants are awarded points for completing tasks, and the rating is formed from these points. The red team earns points for implementing critical events or finding vulnerabilities; the blue team, for the number of detected incidents and the average time spent investigating an attack. The higher the difficulty level of the task, the more points the team can get.
Corporate cyber exercises
Companies run this version of cyber training among their own employees in order to anticipate possible attacks and to rehearse defensive measures and the actions of specialists. Such corporate games usually make it possible to work through many possible scenarios and answer the question "What if...". Exercises are held for top managers, but sometimes cover employees at all levels. For example, in 2022, due to more frequent cyberattacks on banks, financial market participants began to train all departments and divisions more often, from call center employees to top management.
Such games can be conducted both by the company's own information security personnel and by specialists invited from outside. One possible scenario is an encryption virus (ransomware) getting into the system. The task of the specialists is to detect the threat, neutralize it, and restore the operation of all systems. Scenarios of attacks on the security system from outside or from within, when one of the company's employees becomes the attacker, are also worked through.
Cyber training in this format helps to work out the actions of all employees and reminds them of possible threats, which helps companies protect themselves from a large number of attacks and reduce the risk of hacking.
Conclusion
Cybersecurity competitions and cyber training have become an important tool for improving the security of companies' information systems and entire infrastructures. They make it possible to identify security vulnerabilities, raise the level of information security specialists, and find new solutions and methods. In addition, sports hacking increases public awareness and information literacy, drawing attention to the problem of cybersecurity and increasing its importance.
For researchers and other information security specialists, events such as CTF competitions, cyber battles, and various cyber exercises provide an opportunity not only to hone their skills and increase their level of professionalism, but also to express themselves.
