The North Pole is on the verge of a civil war. Santa is missing. It’s elf vs. elf. Factions have formed, and it is up to you to save the day, block a ransomware attack, and untangle a number of cybersecurity snafus to make sure this year’s holiday presents do not get buried under a mountain of snowballs.
No, it is not a children’s story with a cyber twist. The Holiday Hack Challenge from SANS Institute is back for another season of wintry fun. Open to players of all skill levels, the online competition with real-world cybersecurity challenges is set in the world of Santa, elves, and Christmas mayhem. This year’s competition is open and will run through Jan. 3, 2025.
“There’s some actually great things in there with ransomware analysis, web application penetration testing, incident response and incident analysis,” says Ed Skoudis, founder of the Holiday Hack Challenge and president of the SANS Institute.
Skoudis calls the Holiday Hack Challenge, now in its 21st year, SANS’s gift to the cybersecurity community. The goal is to provide a learning environment that is freely available to everyone in the world to learn skills while having fun, as well as to build a community where people work together and get to know each other. Players do not have to play through the game in one sitting or in order. Anyone who needs help can ask the elves in the game — the elves are very promiscuous hint-givers, Skoudis says — or join the Discord server to talk with other players.
Many of the challenges are taken from real-world cybersecurity incidents. Each challenge is ranked by difficulty, from one to five snowballs, with five being the most difficult. What’s new this year is that every challenge can be solved in two ways: an easy mode and a hard mode. Players do not know which mode they are in, but if their solution took the easy method, they will “obtain” a silver trophy. Solving the hard way results in a gold trophy. And skipping a challenge gives them a bronze participation trophy. A certain number of points are assigned for bronze, silver, and gold for each challenge, which are then summed into the player’s score. A leaderboard displays player scores — and people who signed up as a cohort have their own private scoreboard.
“All year long, we’re canvassing, looking for ideas of novel attacks that everybody should know about and know how to investigate, know how to do penetration tests for, and we’re pulling those ideas together and putting them in Holiday Hack at the highest quality we can,” Skoudis says.
This year’s challenges fall into the following categories:
- Ransomware Reverse Engineering
- Web App Hacking with MQTT and Video Feed Manipulation
- Mobile App Penetration Testing
- OSINT via Drone Path Analysis
- Web Exploration with cURL
- PowerShell for Cyber Defense
The Best Prize of All
Winners will be announced in a webcast on Jan. 16, 2025. The grand prize winner will get a free SANS on-demand course, though some previous winners have found themselves with something more: a full-time job.
Janusz Jasinski first participated in the Holiday Hack Challenge in 2018 and was hired as a senior technical engineer by Counter Hack in 2023 after networking with people he encountered in the community. He is now involved with the challenge as a game designer. Finding the sweet spot of something that is not too easy yet not too hard is the greatest challenge in designing the game, Jasinski said. He designed this year’s mobile app penetration test challenge.
“My challenge this year was [a difficulty level of] two or three out of five,” Jasinski says. “It’s easy to do [create] an easy challenge, it’s easy to do a really hard challenge. It’s very hard to do those in the middle, and just getting the right amount of complexity in there was a bit difficult. But additionally this year, we had the gold and silver, i.e., easy and hard routes. So to bake that in was now an additional level of difficulty.”
But the fun part, he says, is having people in the real world playing and actually succeeding in the challenge, then sharing their solutions on Discord or social media.
Participating in the Holiday Hack Challenge and joining the community also led Kyle Parrish to a job behind the scenes. Parrish first played the Holiday Hack Challenge in 2018, winning an honorable mention early in his cybersecurity career.
“I played it and completely liked it — the practical application of the challenges and the just goofy video game feel,” he says. “It was a ton of fun. I discovered a lot of tools that I really was able to start using in my work and help me progress as a young security engineer.”
Parrish says he enjoyed the competition and sense of community so much that he played every year and volunteered to be a concierge in Discord, helping others with the challenges, in 2023. In January 2024, he joined the Counter Hack team as a senior technical engineer and is also now involved in designing the challenges.
“My favorite part is how, basically, the entire game is run off an Excel spreadsheet, which just kind of blew my mind,” Parrish says. “And to see the skill that was put into it by some of our other teammates on building this game engine … to create these environments in this virtual world where players can interact with these challenges. It’s so much fun.”
It is also exciting to see how people solve his challenge, he adds.
“Somebody found an exploit in it and was able to get root against the challenge, which was awesome,” Parrish says. “It was really cool to see that I had an intended path, but you were able to have an alternate path and were able to escalate your privileges. And that just makes for an even better write-up and a better learning experience for everybody involved.”
Though it may come cloaked in snowball fights and elf espionage, real-world training and building a peer community is the real point of the challenge.
“I hope players develop cybersecurity skills that they can use in their actual job,” Skoudis says. “That’s the bottom line. And at the same time, I hope we have spoonfuls of holiday sugar that helps make the medicine go down, you know?”