Seven teams from around the world go head to head this week in Virginia in the first Olympic-style hacker games -- but don't expect to see the winners on a Wheaties box.
Seven teams from around the world are pitting their cyberattack and defense skills against each other this week in the first international CyberLympics hacker games.
The games, being hosted by iSight Inc. in Chantilly, Va., are organized by the International Council of E-Commerce Consultants (EC-Council) and are the culmination of a series of regional competitions that began last year.
Two teams each from North America, Europe and the Middle East, and one team from the Asia Pacific region, will attack each other’s networks while defending their own on March 21. The winner will be announced March 22.
Each team is composed of four to six seasoned professionals, with two alternates allowed, and many of them have had experience securing high-value targets such as the Defense Department’s Global Information Grid. Because of the nature of their work, the teams demonstrate a certain reticence to publicity, if not outright secrecy.
“Some companies mask their names,” said David McGill, vice president of enterprise and security solutions at the U.S. security consulting firm ICF International, which is fielding the first-place North American team. ICF is not hiding its name, but it is withholding the identities of its team members. Publishing the names could expose them, or their clients, to attacks, he said. “We don’t need to put a target on them.”
The runner-up North American team, also competing in the finals, is known only as The Little Penguins that Could.
Other participants are, from Europe:
- hack.ers from the Netherlands
- Six Pistols from Hungary
The Middle East and India:
- Ctrl+Alt+Del from India
- Team aeCert from the United Arab Emirates
Asia Pacific:
- Requiem from Malaysia
The CyberLympic games are part of a growing trend toward local, national and now global competitions to help develop a professional cybersecurity workforce. In the United States, a coalition of government and private industry organizations two years ago set a goal of identifying and recruiting 10,000 people with the native skills required for cybersecurity work and providing a career path for them.
U.S. Cyber Challenge, a government and industry effort launched in 2009 to address cybersecurity workforce needs through a collection of near- and long-term programs, has organized a series of professional boot camps. There also are a number of competitions being conducted at the high school and college level, as well as for professionals.
The ICF team earned a spot in the North American regional CyberLympics competition first by winning the professional category in the Maryland Cyber Challenge and Conference competition last year in Baltimore. They then competed at the Hacker Halted USA conference in Miami in October, where they took first place, followed by the Little Penguins.
The CyberLympics will consist of simultaneous offense and defense challenges, with each team keeping its own network and services up and running while attacking the competition. Teams will be scored on four offensive challenges, both cyber and physical, and two defensive challenges.
On the attack:
Web applications: A series of Web applications will be deployed on each network, with one or more “flags” embedded in them. Flags could be an entry in a database table, a hash, or some other hidden piece of data. Attackers must hunt down and find as many flags as possible in the allotted time.
OS compromise: All players have access to a phone-home script that will be used to prove that they have execute privileges on a defender’s system. This script will report back to the scoring engine and verify the compromise.
Exploit hunting: Players must successfully identify known vulnerabilities on specific targets. Players will be awarded points based on the number of correctly identified vulnerabilities.
Lock picking: Metal flags will be attached to padlocks of varying difficulty. The locks must be picked to capture the flag.
On the defense:
Service uptime: Each defender’s network will have a group of servers running critical services that must be kept up and running. Periodic checks will be run to test service availability, functionality and integrity.
Keeping attackers out: This is the corollary to the OS compromise. For each successful OS compromise (as verified by a successful execution of the phone-home script), the compromised team will lose points.