Sponsored by
Made possible by
Thanks to
James Griffin
9/8/2015
Preview of key points
Related exercises
Simulations
Not about finding security vulnerabilities
More about finding vulnerabilities or gaps
Procedures
Communication
Contacts and stakeholders
Decision making capability
3 types
Capture the flag
Defense oriented
Offense oriented
Hybrid
Team options
Individual
Single player
Multiple competing players
Teams
Single team
Multiple competing teams on same side
A basic offensive CTF game
Moderator
Facilitates
Adjudicates
Keeps score
Gives hints where necessary to make sure all teams complete the game
Winning based on time to complete
Can also be based on highest score within time
Getting started
Hardware
Venue
Prizes
Food
Game dynamics and logistics
How long?
All day or weekend for advanced players
3 hours for the entire event is more appropriate for a first game
Need time for getting started, and to have a post game discussion, prizes, etc.
Technical design of the actual game
Decoy servers?
Setup network
Isolated?
Flags
Example flags
https://www.kb.cert.org/vuls/id/111677
Nice vulnerability because it's very easy to understand
Requires no special tools or programming; use it right from your browser
SQL Injection
Get application password stored in database
Design your attacker client PCs
Beginner
Short amount of time
If you want to follow a one-design approach
Start on time
Opening words
Review rules
Explain scoring
List prizes
Begin competition
Game day
Stop on time
Award prizes
Have post game discussion
Lessons learned
What to change for next game
Survey
Bottom line
Technical skills are a factor
But mindset is the big thing
Capture the Flag
Planning
Resources
Hardware and software
Coordination
Team travel and availability
Setup
Very technical!
Creating the flags and explaining them to participants is the biggest challenge
Knowing how to give hints is also a challenge
Capture the Flag
Get all the benefits of Capture the Flag without any of the pain
Planning
Hardware
Setup
Design
Teardown
Not even necessary to make an event
Staff availability
Seemingly limitless resources
Sophisticated, multistage attacks
Attacker tactics constantly morphing
* ESG's annual global IT Spending Intentions survey has shown a problematic shortage of cybersecurity experts as the top IT skills shortage for four years in a row.
http://www.esg-global.com/research-reports/2015-it-spending-intentions-survey/
Hacktivist: wants notoriety, attention
Cyber Criminal: motivated by money
Cyber Espionage: seeking Intellectual Property for profit
Reconnaissance, Incursion, Discovery, Capture, Exfiltration
What They're Trying to Steal
How They Stole It
The Attacker
Scenario 1: The EDC and RKI
Scenario 2: The Coffee Shop Hack
Scenario 3: EDC and the Lost Laptop
Scenario 4:
Skills:
Methods:
Ethical hacking
Identify targets
Penetration Testing
Forensics
Data exfiltration
Blend attacks
Forensics Examiner Mishandles Evidence
Exfiltrate data
Participate
Assess Progress
Participate / Learn
Assess skills
Create development plan
Demo