Abstract
Security competitions have become increasingly popular events for recruitment, training, evaluation, and recreation in the field of computer security. Among these exercises, Capture the Flag (CTF) competitions have the widest audience. Participants in Jeopardy-style CTFs focus on solving several specific challenges independently, while participants in attack-defense CTFs concentrate on maintaining vulnerable services and exploiting vulnerabilities on an end-target box. However, according to a report published by Trend Micro Corporation, a typical Targeted Attack has six stages: (1) Intelligence Gathering, (2) Point of Entry, (3) Command and Control Communication, (4) Lateral Movement, (5) Asset Discovery, and (6) Data Exfiltration. Of these, Lateral Movement is the key stage, in which threat actors move deeper into the network. Because they lack a large-scale, complex network environment, CTFs cannot simulate a complete network penetration across the six stages, especially Lateral Movement. Performing Lateral Movement requires the skill of Network Exploring, which security competitions do not currently include. We therefore created Explore-Exploit, an attack-defense competition that models the network penetration scenario and develops the participant's skill of Network Exploring. This paper aims to convey a better methodology for teaching practical attack-defense techniques to participants through an alternative to CTF.
This paper was supported by the Key Laboratory of Network Evaluation Technology of China Academy of Sciences and the Beijing Key Laboratory of Network Security Protection Technology. It was funded by the Beijing Municipal Science and Technology Commission under projects D161100001216001 and Z161100002616032.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Zhang, X., Liu, B., Gong, X., Song, Z. (2018). State-of-the-Art: Security Competition in Talent Education. In: Chen, X., Lin, D., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2017. Lecture Notes in Computer Science(), vol 10726. Springer, Cham. https://doi.org/10.1007/978-3-319-75160-3_27
DOI: https://doi.org/10.1007/978-3-319-75160-3_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75159-7
Online ISBN: 978-3-319-75160-3
eBook Packages: Computer Science (R0)