The North Pole is on the verge of a civil struggle. Santa is lacking. It’s elf vs. elf. Factions have shaped, and it is as much as you to avoid wasting the day, block a ransomware assault, and untangle a number of cybersecurity snafus to make sure this yr’s vacation presents do not get buried beneath a mountain of snowballs.
No, it is not a youngsters’s story with a cyber twist. The Vacation Hack Problem from SANS Institute is again for one more season of wintery enjoyable. Open to gamers of all ability ranges, the net competitors with real-world cybersecurity issues is ready on this planet of Santa, elves, and Christmas mayhem. This yr’s competitors is open and can run by means of Jan. 3, 2025.
“There’s some actually great things in there with ransomware evaluation, Net software penetration testing, incident response and incident evaluation,” says Ed Skoudis, founding father of the Vacation Hack Problem and president of the SANS Institute.
Skoudis calls the Vacation Hack Problem, now in its twenty first yr, SANS’s present to the cybersecurity neighborhood. The objective is to supply a studying atmosphere that’s freely obtainable to everybody on this planet to be taught expertise whereas having enjoyable, in addition to to construct a neighborhood the place individuals work collectively and get to know one another. Gamers do not must play by means of the sport in a single sitting or so as. Anybody who wants assist can ask the elves within the sport — the elves are very promiscuous hint-givers, Skoudis says — or be a part of the Discord server to talk with different gamers.
Most of the challenges are taken from real-world cybersecurity incidents. Every problem is ranked by issue, from one to 5 snowballs, with 5 being essentially the most tough. What’s new this yr is that each problem will be solved in two methods: a straightforward mode and onerous mode. Gamers do not know which mode they’re in, but when their answer took the straightforward technique, they’re going to “obtain” a silver trophy. Fixing the onerous manner ends in a gold trophy. And skipping a problem provides them a bronze participation trophy. A sure variety of factors are assigned for bronze, silver, and gold for every problem, that are then summed into the participant’s rating. A leaderboard shows participant scores — and individuals who signed up as a cohort have their very own personal scoreboard.
“All yr lengthy, we’re canvassing, in search of concepts of novel assaults that everyone ought to learn about and know the best way to examine, know the best way to do penetration checks for, and we’re pulling these concepts collectively and placing them in vacation hack on the highest high quality we are able to,” Skoudis says.
This yr’s challenges fall into the next classes:
-
Ransomware Reverse Engineering
-
Net App Hacking with MQTT and Video Feed Manipulation
-
Cellular App Penetration Testing
-
OSINT through Drone Path Evaluation
-
Net Exploration with cURL
-
PowerShell for Cyber Protection
The Greatest Prize of All
Winners can be introduced in a webcast on Jan. 16, 2025. The grand prize winner will get a free SANS on-demand course, although some earlier winners have discovered themselves with one thing extra: a full-time job.
Janusz Jasinski first participated within the Vacation Hack Problem in 2018 and was employed as a senior technical engineer by Counter Hack in 2023 after networking with individuals he encountered locally. He’s now concerned with the problem as a sport designer. Discovering the candy spot of one thing that is not too straightforward but not too onerous is the best problem in designing the sport, Jasinski stated. He designed this yr’s cellular app penetration check problem.
“My problem this yr was [a difficulty level of] two or three out of 5,” Jasinski says. “It is simple to do [create] a very simple problem, it is simple to do a really onerous problem. It’s extremely onerous to do these within the center, and simply getting the correct quantity of complexity in there was a bit difficult. However additional this yr, we had the gold and silver, i.e., straightforward and onerous routes. So to bake that in was now an additional degree of issue.”
However the enjoyable half, he says, is having individuals in the true world enjoying and truly succeeding within the problem, then sharing their options on Discord or social media.
Taking part within the Vacation Hack Problem and becoming a member of the neighborhood additionally led Kyle Parrish to a task behind the scenes. Parrish first performed the Vacation Hack Problem in 2018, profitable an honorable point out early in his cybersecurity profession.
“I performed it and completely beloved it — the sensible software of the challenges and the simply goofy online game really feel,” he says. “It was a ton of enjoyable. I discovered a whole lot of instruments that I actually was capable of begin utilizing in my work and assist me progress as a younger safety engineer.”
Parrish says he loved the competitors and sense of neighborhood a lot that he performed yearly and volunteered to be a concierge in Discord, serving to others with the challenges, in 2023. In January 2024, he joined the Counter Hack crew as a senior technical engineer and can be now concerned in designing the challenges.
“My favourite half is how, mainly, your complete sport is run off an Excel spreadsheet, which simply form of blew my thoughts,” Parrish says. “And to see the ability that was put into it by a few of our different teammates on constructing this sport engine … to create these environments on this digital world the place gamers can work together with these challenges. It is a lot enjoyable.”
It is also thrilling to see how individuals remedy his problem, he provides.
“Any person discovered an exploit in it and was capable of get root in opposition to the problem, which was superior,” Parrish says. “It was actually cool to see that I had an supposed path, however you had been capable of have an alternate path and had been capable of escalate your privileges. And that simply makes for a good higher write-up and a greater studying expertise for everyone concerned.”
Although it could come cloaked in snowball fights and elf espionage, real-world coaching and constructing a peer neighborhood is the true level of the problem.
“I hope gamers develop cybersecurity expertise that they’ll use of their precise job,” Skoudis says. “That is the underside line. And on the similar time, I hope we have now spoonfuls of vacation sugar that helps make the drugs go down, you recognize?”
