Penetration Testing, Red Teaming and CTFs

The need to assess the security of IT infrastructure arose almost as soon as computer systems did. By the middle of the last century researchers already assumed that attacks on computer systems were possible, and in 1988 Robert Morris Jr. released the first major network worm, whose damage was estimated at $96 million. Only then did people begin to take the threat of computer attacks seriously.

In 1992 the first document setting out rules for managing information security within a company appeared; it later evolved into the well-known ISO/IEC 17799 standard. Audits based on this document began to be carried out to identify non-compliance. However, such audits only confirmed that a company's information security arrangements matched the requirements written on paper (policies, regulations); they did not test protection against real cyber threats. Moreover, the audit itself was conducted mainly as a survey of employees.

A decade later, a risk assessment methodology emerged, setting the community on a path toward identifying potential events and determining the best ways to prevent them. Initially, risk assessments were conducted solely on paper, but professionals soon began to apply practical analysis of information system security, and the notion of penetration testing, to identify threats effectively.

A pentest is a simulation of an attacker gaining unauthorized access to a company's IT resources. Penetration testers look for flaws in the system and imitate the operations of real attackers to demonstrate the threat of an attack. Modern pentests, however, have one big drawback: they are always confined to an agreed list of in-scope resources that may be "broken" and, more crucially, they are constrained in the attacker scenarios they can play out, because they must not affect real production infrastructure. Pentesters have a list of prohibited actions, as a rule specified in the contract (the rules of engagement). For example, even if the opportunity arises, you cannot transfer a billion from a bank account or stop a turbine in a thermal power plant.

These restrictions exist because companies fear the irreversible effects of a simulated cyber-attack. Because of these constraints, a penetration test usually ends at breaching the company's local network or obtaining the domain administrator's account. All that emerges is proof of what an attacker could have done, and the results are then documented in a report. Another issue is that the human factor is not taken into account.

Penetration testing in Red Team mode is a way to approximate the conditions of a real attack. Within a Red Team engagement, information security experts simulate targeted attacks against the company. Unlike in a penetration test, the company's own information security service resists the attack, thereby increasing its readiness to respond to real cyber threats.

This is also why Capture the Flag (CTF) contests are so popular among cybersecurity professionals. At CTF events, participants can look for vulnerabilities in services and use them to build attack vectors against other teams without any negative impact on a company's business functions. These competitions are also a great way to train information security professionals (researchers, pentesters, Red Team members and bug hunters).

Until about 2010, CTF competitions were far removed from real-life scenarios and infrastructure: the vulnerabilities were fictitious, and the outcome of the game was irrelevant to businesses. CTF formats fall into two categories:

  • Task-based (jeopardy), where participants solve individual challenges and receive points for correct answers.
  • Attack-defense, where every team receives an identical server hosting a set of unrelated vulnerable services (applications). Each team's task is to find the vulnerabilities, fix them on its own server, and exploit them on competitors' servers to obtain confidential information ("flags").
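To make the attack-defense loop concrete, here is an added example (it is not part of the original article and does not reproduce any real event's service): a toy note-storing service with an SQL-injection flaw, the exploit a rival team would run against it, the patched query, and the checker that verifies the service still works after patching. The flag format, table layout, user names and sample data are all constructed for illustration.

```python
import re
import sqlite3

# Constructed flag format, modelled on the usual attack-defense convention
# (fixed prefix plus fixed-length token); not taken from any specific event.
FLAG_RE = re.compile(r"FLAG\{[A-Z0-9]{16}\}")


class NoteService:
    """Toy attack-defense service: each user stores notes, and the game
    checker plants a flag as a note of a user whose name and credentials the
    other teams do not know. `patched` selects the hardened query."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
        # Constructed sample data: a regular user's note and the checker's flag.
        self.db.executemany(
            "INSERT INTO notes VALUES (?, ?)",
            [("alice", "shopping list"),
             ("checker_7f3a", "FLAG{A1B2C3D4E5F6G7H8}")],
        )

    def get_notes(self, owner: str) -> list[str]:
        if self.patched:
            # Hardened: parameter binding keeps the owner value out of the SQL syntax.
            rows = self.db.execute(
                "SELECT body FROM notes WHERE owner = ?", (owner,)).fetchall()
        else:
            # Vulnerable: the owner string is spliced straight into the query text.
            rows = self.db.execute(
                f"SELECT body FROM notes WHERE owner = '{owner}'").fetchall()
        return [r[0] for r in rows]


def exploit(service: NoteService) -> list[str]:
    """Attacking team's side: a payload that turns the WHERE clause into a
    tautology, then picks out anything shaped like a flag from the response."""
    payload = "x' OR '1'='1"
    try:
        leaked = service.get_notes(payload)
    except sqlite3.Error:
        # A patched service may reject the payload outright; no flag either way.
        return []
    return [m.group(0) for body in leaked for m in FLAG_RE.finditer(body)]


def checker_ok(service: NoteService) -> bool:
    """Game checker's side: the service must still answer legitimate requests,
    otherwise the team loses availability points even if it leaks nothing."""
    return service.get_notes("alice") == ["shopping list"]


if __name__ == "__main__":
    for patched in (False, True):
        svc = NoteService(patched=patched)
        print(f"patched={patched}: stolen={exploit(svc)} checker_ok={checker_ok(svc)}")
```

Running it shows the two halves of the game in one place: against the unpatched service the injection returns the checker's flag, while the parameterized version returns nothing to the attacker and still passes the checker, which is exactly the condition a team must reach before it can score on the other side.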

Through competition, participants sharpen their ability to uncover and fix security vulnerabilities quickly, learn to work as a team, and grow as experts. Employers increasingly value pentesters, cybersecurity and SOC professionals who have participated in CTFs. Trend Micro has been sponsoring contests since 2015, and Google has been holding its own since 2016. Public bug bounty programs have also evolved, in which anybody can test the services and products of well-known organizations and receive monetary rewards for the vulnerabilities they discover. For example, Apple is willing to pay up to $1 million for a zero-day vulnerability giving code execution in the kernel.

Thanks to the development of cyber ranges, companies are now able to model their infrastructure as accurately as possible, which takes risk and consequence assessment to a new level. As attackers improve their strategies, companies raise their security maturity and practice cyber incident response. From CEOs to pentesters, all security specialists can hone their skills in a realistic environment that mimics the company's infrastructure and business processes. As pentesters develop their skills and gain experience in competitions, attackers will find it harder to break into systems in the future.