Want to have some fun while working on your network security skills? SANS Institute has opened its 10th annual Holiday Hacking Challenge. It’s a fun way to test your knowledge and learn a few new tricks while competing for awesome prizes.
It’s holiday time and the end of the year, so hopefully you’ll have a few days off from your stressful job. But if you are a Type A personality who needs to keep your mind busy, the SANS Institute has a challenge for you. It’s the SANS Institute 10th Annual Holiday Hacking Challenge and it’s now live.
The Holiday Hacking Challenge helps teach cyber security skills for defending computers and networks using a fun and entertaining approach. Ed Skoudis, Josh Wright and Tom Hessman at SANS Institute got pretty creative in developing this year’s hacking scenario. They spent more than 150 hours putting it together. According to Skoudis, this year’s challenge is the most involved yet. He says there is a low bar of required skills so novice network professionals can jump in, but there is also a deep end for skilled practitioners who really want a challenge.
The scenario is a play on the classic movie “It’s a Wonderful Life,” in which the character George Bailey was giving up on life until he learned how important he was to so many people. Now Mr. Bailey’s namesake grandson George is in charge of cyber security for the town of Bedford Falls. It’s his job to protect the city’s critical infrastructure. When the power grid goes out, modern-day George enlists the help of contest participants to match wits with the imaginary cyber attackers.
Skoudis says they designed the scenario so that participants feel like they are in CyberCity, a virtual city that SANS built for the U.S. military. “We can’t allow our contest participants to use the actual CyberCity because it is for our military clients, but we have tried to give to give them the feel of defending a real city,” says Skoudis. This year’s contest includes some industrial control protocols that participants might not be familiar with, but this is an opportunity to learn.
Participants must download a packet capture file and analyze it using a free tool like WireShark or a commercial tool in order to provide details on four specific items:
1. Describe each of the unsuccessful attacks Mr. Potter’s goons attempted against Bedford Falls’ infrastructure.
2. What defenses did George deploy that thwarted those attacks?
3. How had Mr. Potter caused the power grid outage that made George consider jumping off the bridge?
4. What defenses could George have employed to prevent Mr. Potter’s power grid attack?
“Participants will see artifacts in the packet capture that allows them to answer all four questions,” Skoudis says. “If someone doesn’t know a protocol or something else in the file, they go look it up in order to get an understanding of it. This is where the self-directed learning comes in.”
Each year thousands of people try their hand at solving the hacking challenge, and about 500 to 600 people end up submitting answers. All of the submissions are hand-scored. Skoudis says the responses range from hugely creative answers that incorporate the scenario down to plain old technical answers to the questions. Creativity in the response is fun for the people who have to read all of the submissions, but what really counts is the technical accuracy and the level of detail provided.
To make it worth your while (besides the opportunity to learn), SANS is offering multiple prizes, including a grand prize for the “very best answer” to the challenge. The grand prize winner receives a free SANS course offered at CyberCon this coming February, valued at more than $4,000. Other prizes are awarded for:
• The best technical answer
• The most creative answer that is technically correct
• A random draw answer selected from all entries
The random draw encourages people to submit their answers, even if they can’t answer one of the questions.
Since this is the 10th year for the competition, some of the previous years’ challenges and answers are posted online. This gives you an opportunity to see how to respond to the questions, and simply to learn about the previous attacks and appropriate defenses. For a look at the 2012 Holiday Hacking Challenge and the winning and honorable mention responses, click here.
You have until January 6, 2014 to send your results to HolidayChallenge@counterhackchallenges.com so put away the figgy pudding and settle in to help George Bailey rescue his town from cyber attackers. Good luck!
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.