
Speaker liaison Genevieve Netter is silhouetted against a Black Hat logo during the Black Hat USA 2014 hacker conference at the Mandalay Bay Convention Center in Las Vegas, Nevada. STEVE MARCUS/Reuters

When hackers attack your computer systems, and your best defences don't keep them out, what remains is investigation: track down the crooks, find out who they are, recover the stolen data where you can and shut them down. That's what the RCMP did when the Canada Revenue Agency was hacked through the Heartbleed bug, and although the culprit in that case seems to have been a curious student, the technology and techniques they used were the same as those they'd employ to hunt down an international crime ring.

But, as with any skill – and cyber defence is a skill, and a complex one – investigators need to hone their techniques in a safe environment. A misstep in a real case could warn the criminals, or compromise the evidence. That's where simulations come in, and they're not photogenic ones with scary AIs like those we see in the movies.

There was no creepy computer voice providing play-by-play at the Symantec Cyber Readiness Challenge. But there was plenty of mischief afoot at the High Technology Crime Investigation Association (HTCIA) conference in Halifax last week, as a room full of law enforcement and corporate security folks took part in a simulation of a cybercrime. The bonus: participation gave them credits towards the continuing education requirements for security certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Many of us remember the movie WarGames, with its AI asking "Would you like to play a game?" And while "Global thermonuclear war" wasn't on the agenda, the scenario Symantec presented at the HTCIA conference would be equally scary to a company. According to Symantec's Michael Garvin, many of those scenarios are based on actual incidents, and the team he leads is perpetually monitoring the threat landscape to find more real-world situations to simulate.

The Halifax scenario was a heart-stopper for any IT pro or CIO: a rogue employee has mishandled forensic data from a recent break-in. He was fired when the CIO discovered that he had also uploaded that data to a cloud service and a social network, and had then deleted the originals from the corporate servers. Your mandate from the boss: track down and recover that data, any way you can.

Participants supply their own laptops, and their own tools, for the Cyber Readiness Challenge, though Symantec suggests Kali Linux, a distribution built for penetration testing and digital forensics that can be run from a live CD or USB, in a virtual machine, or installed locally. The simulation takes you through the five steps in a cyber attack as Symantec describes them: reconnaissance, incursion, discovery, capture and exfiltration.

What do they mean? First, you get the lay of the land. You research whoever you're attacking to figure out their weak points and learn as much as possible about them. That's reconnaissance. Once you've gathered enough information, you get into their computer or network. That's incursion. Discovery is the process of snooping around the network to find the valuable information, which you then capture. The final step, exfiltration, is moving that captured data out of the victim's network, for fun or profit.

However, for the purposes of the simulation, what you're actually doing is hunting down your evil former co-worker so you can recover the data he stole. Same techniques, different motives. The simulation is scored like a game of "capture the flag" – you're given challenges to solve, and each correct solution adds points. The game has multiple levels, and while you can hop around within one level, you can't progress to the next until you've captured all of the flags.

Because the challenge is designed for both security professionals and those with more basic IT skills, each flag challenge comes with hints (which, of course, reduce your score – in Level 1, for example, a flag won unassisted was worth 300 points; if you took all three hints, it was only worth 30 points). But it's still not simple. You really have to think; even the most skilled of the Halifax participants only got through the first two levels. But it was also educational fun. It taught the security pros how to use offensive skills to defend their companies. As Mr. Garvin pointed out, "You have to walk in your adversary's footsteps to understand his motives."
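The scoring rules described above (hashed flags, hints that cut into a flag's value, and levels you can't leave until every flag is captured) map onto a small scoreboard. The following is an added example written for this article, not Symantec's own challenge software; the flag strings, the level layout and the per-hint penalty of 90 points are assumptions, chosen so that a Level 1 flag is worth 300 points unassisted and 30 after three hints, which are the only two values the article gives.

```python
"""Minimal capture-the-flag scoreboard modelled on the challenge described above.

Constructed example: the sample flags, level layout and per-hint penalty are
assumptions. The article only says an unassisted Level 1 flag was worth 300
points and that taking all three hints left 30.
"""
import hashlib
import hmac


def _digest(flag: str) -> str:
    """Flags are stored only as SHA-256 digests, so the scoreboard never holds
    the answers in the clear."""
    return hashlib.sha256(flag.strip().encode()).hexdigest()


# Constructed sample flags (not from the real challenge), keyed by flag name.
LEVELS = {
    1: {"recon-1": _digest("FLAG{whois-records}"),
        "recon-2": _digest("FLAG{open-port-8080}")},
    2: {"incursion-1": _digest("FLAG{default-creds}")},
}
BASE_POINTS = 300
HINTS_PER_FLAG = 3
HINT_PENALTY = 90  # assumption: 300 -> 30 after three hints, so 90 per hint


class Scoreboard:
    def __init__(self) -> None:
        self.level = 1
        self.captured = {}    # flag name -> points awarded
        self.hints_used = {}  # flag name -> hints taken so far
        self.score = 0

    def take_hint(self, flag_name: str) -> int:
        """Record one more hint for a flag on the current level; returns the
        number of hints now used (capped at HINTS_PER_FLAG)."""
        if flag_name not in LEVELS[self.level]:
            raise KeyError(f"{flag_name} is not on level {self.level}")
        used = self.hints_used.get(flag_name, 0)
        if used >= HINTS_PER_FLAG:
            return used
        self.hints_used[flag_name] = used + 1
        return used + 1

    def value_of(self, flag_name: str) -> int:
        """Points the flag is currently worth, after hint penalties."""
        return BASE_POINTS - HINT_PENALTY * self.hints_used.get(flag_name, 0)

    def submit(self, flag_name: str, attempt: str) -> int:
        """Check a submitted flag; returns the points awarded, or 0 for a wrong
        answer, a repeat capture, or a flag that is not on the current level."""
        flags = LEVELS[self.level]
        if flag_name not in flags or flag_name in self.captured:
            return 0
        # Constant-time comparison so response timing does not leak how close
        # a guess is to the stored digest.
        if not hmac.compare_digest(flags[flag_name], _digest(attempt)):
            return 0
        points = self.value_of(flag_name)
        self.captured[flag_name] = points
        self.score += points
        # Level gating: advance only once every flag on this level is captured.
        if all(name in self.captured for name in flags) and self.level + 1 in LEVELS:
            self.level += 1
        return points


if __name__ == "__main__":
    sb = Scoreboard()
    sb.submit("recon-1", "FLAG{whois-records}")
    for _ in range(HINTS_PER_FLAG):
        sb.take_hint("recon-2")
    sb.submit("recon-2", "FLAG{open-port-8080}")
    print(f"score={sb.score} level={sb.level}")
```

Flags on a later level are simply not accepted until the current one is cleared, which is how the "can't progress until you've captured all of the flags" rule falls out of the `submit` method without any extra bookkeeping.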

Symantec has so far run over 60 of these challenges, in 21 countries and also online. If you'd like to take a kick at the can yourself, the next Cyber Readiness Challenge is Oct. 7 in San Antonio, Texas.
