nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

State-of-the-Art: Security Competition in Talent Education

verfasst von : Xiu Zhang, Baoxu Liu, Xiaorui Gong, Zhenyu Song

Erschienen in: Information Security and Cryptology

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Security competitions have become increasingly popular events for recruitment, training, evaluation, and recreation in the field of computer security. And among these various exercises, Capture the flag (CTF) competitions have the widest audience. Participants in CTF of Jeopardy style focus on solving several specific challenges independently while participants in CTF of attack-defense mode concentrate on vulnerable service maintenance and vulnerability exploitation on an end-target box. However, according to a report published by TREND MICRO Corporation, there are six stages of a typical Targeted Attack: (1) Intelligence Gathering (2) Point of Entry (3) Command and Control Communication (4) Lateral Movement (5) Asset Discovery and (6) Data Exfiltration. Further, Lateral Movement is the key stage where threat actors move deeper into the network. Because of the lack of large-scale complex network environment, CTF cannot simulate a complete network penetration of the six stages, especially the Lateral Movement. It is indispensable to perform the Lateral Movement the skill of Network Exploring which is not included by security competitions at present. So we create Explore-Exploit which is an attack-defense mode competition that models the network penetration scenario, and promotes the participant’s skill of Network Exploring. This paper is trying to convey a better methodology for teaching practical attack-defense techniques to participants through an alternative to CTF.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Influence of Error on Hamming Weights for ASCA

Nächstes Kapitel A Modified Fuzzy Fingerprint Vault Based on Pair-Polar Minutiae Structures

Paulsen, C., McDuffie, E., Newhouse, W., Toth, P.: Nice: creating a cybersecurity workforce and aware public. IEEE Secur. Privacy 10, 76–79 (2012)CrossRef

NIST: Nice Cybersecurity Workforce Framework, draft NIST Special Publication 800–181. http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf

O’Neil, L.R., Assante, M., Tobey, D.: Smart grid cybersecurity: Job performance model report. Technical report. Pacific Northwest National Laboratory (PNNL), Richland, WA (US) (2012)

CTF-Time. https://ctftime.org/

Cyberpatriot. https://www.uscyberpatriot.org/Pages/About/What-is-CyberPatriot.aspx

Nccdc. http://www.nationalccdc.org/

Petullo, W.M., Moses, K., Klimkowski, B., Hand, R., Olson, K.: The use of cyber-defense exercises in undergraduate computing education. In: ASE@ USENIX Security Symposium (2016)

How do threat actors move deeper into your network? http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf

Lufeng, Z., Hong, T., YiMing, C., JianBo, Z.: Network security evaluation through attack graph generation (2009)

10.

Fraze, M.D.: Cyber Grand Challenge (CGC). https://www.darpa.mil/program/cyber-grand-challenge

11.

Shoshitaishvili, Y., Invernizzi, L., Doupe, A., Vigna, G.: Do you feel lucky?: a large-scale analysis of risk-rewards trade-offs in cyber security. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1649–1656. ACM (2014)

12.

Hadnagy, M.F.C.: The def con 22 social-engineer capture the flagreport. https://www.social-engineer.org/wp-content/uploads/2014/10/SocialEngineerCaptureTheFlag_DEFCON22-2014.pdf

13.

Doupé, A., Vigna, G.: Poster: Shell we play a game? CTF-as-a-service for security education

14.

Wikipedia: Pwn2own. https://en.wikipedia.org/wiki/Pwn2Own

15.

GeekPwn: Geekpwn. http://2017.geekpwn.org/1024/en/index.html

16.

CPS-CDC: Cps-cdc. http://www.iserink.org/wp-content/uploads/2015/12/2016-CPS_CDC_invite.pdf

17.

Deterding, S., Dixon, D., Khaled, R., Nacke, L.: From game design elements to gamefulness: defining gamification. In: Proceedings of the 15th International Academic MindTrek Conference: Envisioning Future Media Environments, pp. 9–15. ACM (2011)

18.

Ruef, A., Hicks, M., Parker, J., Levin, D., Memon, A., Plane, J., Mardziel, P.: Build it break it: measuring and comparing development security. In: 8th Workshop on Cyber Security Experimentation and Test (CSET 2015) (2015)

19.

Childers, N., Boe, B., Cavallaro, L., Cavedon, L., Cova, M., Egele, M., Vigna, G.: Organizing large scale hacking competitions. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 132–152. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14215-4_8 CrossRef

20.

Netkoth. http://archive.phreaknic.info/pn18z/content/netkoth.html

21.

Vulnhub. https://www.vulnhub.com/

22.

Shellweplayagame. https://shellweplayagame.org/

23.

Vigna, G., Borgolte, K., Corbetta, J., Doupe, A., Fratantonio, Y., Invernizzi, L., Kirat, D., Shoshitaishvili, Y.: Ten years of ICTF: The good, the bad, and the ugly. In: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 2014) (2014)

24.

CGC-rules. https://dtsn.darpa.mil/cybergrandchallenge/CyberGrandChallenge_Rules_v1.pdf

25.

Connolly, C.: The cyber defense review. Technical report, vol. 1(1). Army Cyber Inst, West Point, NY, Spring 2016

26.

Social engineering definition. https://en.oxforddictionaries.com/definition/social_engineering

27.

Netkoth. https://netkoth.github.io/

28.

Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345. ACM (2006)

29.

The world’s most used penetration testing software. https://www.metasploit.com/

30.

The exploit database of offensive security. https://www.offensive-security.com/community-projects/the-exploit-database/

Titel: State-of-the-Art: Security Competition in Talent Education
verfasst von: Xiu Zhang
Baoxu Liu
Xiaorui Gong
Zhenyu Song
Verlag: Springer International Publishing
Buch: Information Security and Cryptology
Print ISBN: 978-3-319-75159-7

Electronic ISBN: 978-3-319-75160-3

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-319-75160-3_27

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner