Skip to main content
SpringerLink
Log in

State-of-the-Art: Security Competition in Talent Education

  • Conference paper
  • First Online:
Information Security and Cryptology (Inscrypt 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10726))

Included in the following conference series:

Abstract

Security competitions have become increasingly popular events for recruitment, training, evaluation, and recreation in the field of computer security. And among these various exercises, Capture the flag (CTF) competitions have the widest audience. Participants in CTF of Jeopardy style focus on solving several specific challenges independently while participants in CTF of attack-defense mode concentrate on vulnerable service maintenance and vulnerability exploitation on an end-target box. However, according to a report published by TREND MICRO Corporation, there are six stages of a typical Targeted Attack: (1) Intelligence Gathering (2) Point of Entry (3) Command and Control Communication (4) Lateral Movement (5) Asset Discovery and (6) Data Exfiltration. Further, Lateral Movement is the key stage where threat actors move deeper into the network. Because of the lack of large-scale complex network environment, CTF cannot simulate a complete network penetration of the six stages, especially the Lateral Movement. It is indispensable to perform the Lateral Movement the skill of Network Exploring which is not included by security competitions at present. So we create Explore-Exploit which is an attack-defense mode competition that models the network penetration scenario, and promotes the participant’s skill of Network Exploring. This paper is trying to convey a better methodology for teaching practical attack-defense techniques to participants through an alternative to CTF.

This paper was supported by the Key Laboratory of Network Evaluation Technology of China Academy of Sciences, and Beijing Key Laboratory of Network Security Protection Technology. This paper was funded by the Beijing Municipal Science and Technology Commission D161100001216001, Z161100002616032 project.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Paulsen, C., McDuffie, E., Newhouse, W., Toth, P.: Nice: creating a cybersecurity workforce and aware public. IEEE Secur. Privacy 10, 76–79 (2012)

    Article  Google Scholar 

  2. NIST: Nice Cybersecurity Workforce Framework, draft NIST Special Publication 800–181. http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf

  3. O’Neil, L.R., Assante, M., Tobey, D.: Smart grid cybersecurity: Job performance model report. Technical report. Pacific Northwest National Laboratory (PNNL), Richland, WA (US) (2012)

    Google Scholar 

  4. CTF-Time. https://ctftime.org/

  5. Cyberpatriot. https://www.uscyberpatriot.org/Pages/About/What-is-CyberPatriot.aspx

  6. Nccdc. http://www.nationalccdc.org/

  7. Petullo, W.M., Moses, K., Klimkowski, B., Hand, R., Olson, K.: The use of cyber-defense exercises in undergraduate computing education. In: ASE@ USENIX Security Symposium (2016)

    Google Scholar 

  8. How do threat actors move deeper into your network? http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf

  9. Lufeng, Z., Hong, T., YiMing, C., JianBo, Z.: Network security evaluation through attack graph generation (2009)

    Google Scholar 

  10. Fraze, M.D.: Cyber Grand Challenge (CGC). https://www.darpa.mil/program/cyber-grand-challenge

  11. Shoshitaishvili, Y., Invernizzi, L., Doupe, A., Vigna, G.: Do you feel lucky?: a large-scale analysis of risk-rewards trade-offs in cyber security. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1649–1656. ACM (2014)

    Google Scholar 

  12. Hadnagy, M.F.C.: The def con 22 social-engineer capture the flagreport. https://www.social-engineer.org/wp-content/uploads/2014/10/SocialEngineerCaptureTheFlag_DEFCON22-2014.pdf

  13. Doupé, A., Vigna, G.: Poster: Shell we play a game? CTF-as-a-service for security education

    Google Scholar 

  14. Wikipedia: Pwn2own. https://en.wikipedia.org/wiki/Pwn2Own

  15. GeekPwn: Geekpwn. http://2017.geekpwn.org/1024/en/index.html

  16. CPS-CDC: Cps-cdc. http://www.iserink.org/wp-content/uploads/2015/12/2016-CPS_CDC_invite.pdf

  17. Deterding, S., Dixon, D., Khaled, R., Nacke, L.: From game design elements to gamefulness: defining gamification. In: Proceedings of the 15th International Academic MindTrek Conference: Envisioning Future Media Environments, pp. 9–15. ACM (2011)

    Google Scholar 

  18. Ruef, A., Hicks, M., Parker, J., Levin, D., Memon, A., Plane, J., Mardziel, P.: Build it break it: measuring and comparing development security. In: 8th Workshop on Cyber Security Experimentation and Test (CSET 2015) (2015)

    Google Scholar 

  19. Childers, N., Boe, B., Cavallaro, L., Cavedon, L., Cova, M., Egele, M., Vigna, G.: Organizing large scale hacking competitions. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 132–152. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14215-4_8

    Chapter  Google Scholar 

  20. Netkoth. http://archive.phreaknic.info/pn18z/content/netkoth.html

  21. Vulnhub. https://www.vulnhub.com/

  22. Shellweplayagame. https://shellweplayagame.org/

  23. Vigna, G., Borgolte, K., Corbetta, J., Doupe, A., Fratantonio, Y., Invernizzi, L., Kirat, D., Shoshitaishvili, Y.: Ten years of ICTF: The good, the bad, and the ugly. In: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 2014) (2014)

    Google Scholar 

  24. CGC-rules. https://dtsn.darpa.mil/cybergrandchallenge/CyberGrandChallenge_Rules_v1.pdf

  25. Connolly, C.: The cyber defense review. Technical report, vol. 1(1). Army Cyber Inst, West Point, NY, Spring 2016

    Google Scholar 

  26. Social engineering definition. https://en.oxforddictionaries.com/definition/social_engineering

  27. Netkoth. https://netkoth.github.io/

  28. Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345. ACM (2006)

    Google Scholar 

  29. The world’s most used penetration testing software. https://www.metasploit.com/

  30. The exploit database of offensive security. https://www.offensive-security.com/community-projects/the-exploit-database/

Download references

Author information

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Xiu Zhang, Baoxu Liu, Xiaorui Gong & Zhenyu Song

  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Xiu Zhang

Authors
  1. Xiu Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Baoxu Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xiaorui Gong
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhenyu Song
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhenyu Song .

Editor information

Editors and Affiliations

  1. Xidian University, Xi’an, China

    Xiaofeng Chen

  2. SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

  3. Columbia University, New York, New York, USA

    Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zhang, X., Liu, B., Gong, X., Song, Z. (2018). State-of-the-Art: Security Competition in Talent Education. In: Chen, X., Lin, D., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2017. Lecture Notes in Computer Science(), vol 10726. Springer, Cham. https://doi.org/10.1007/978-3-319-75160-3_27

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-75160-3_27

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-75159-7

  • Online ISBN: 978-3-319-75160-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation