Everybody knows the hacking scene from NCIS. Working in their dimly lit forensic lab, Abby Sciuto (Pauley Perrette) and Timothy McGee (Sean Murray) must fend off a cybercriminal determined to steal information about their investigation.
In the midst of a torrent of indecipherable technobabble ("it burned through the firewall!", "it's DOD level 9 encryption!"), the pair begin to fight back. Eventually they end up typing on the same keyboard simultaneously. This is, for lack of a better term, ridiculous.
Sit down, we're hacking
These scenes epitomize everything that is wrong with the way hacking is portrayed on television and in film. Break-ins to remote computer systems take place in moments, accompanied by streams of meaningless green text and random pop-ups.
The reality is far less dramatic. Attackers and legitimate penetration testers alike take the time to understand the networks and systems they are targeting: the network topology, the software in use and the devices deployed. Only then do they work out how those can be exploited.
Forget the real-time counter-hacking featured on NCIS; it just doesn't work that way. Security teams focus on defense by ensuring that all externally exposed systems are patched and correctly configured. If an attacker somehow manages to get past the perimeter, automated intrusion detection and prevention systems (IDS/IPS) take over: an IDS raises an alert on suspicious traffic and an IPS blocks it, to limit the damage.
This automation exists because, proportionally, very few attacks are targeted. Most are opportunistic. Someone can set up a server to scan the Internet for obvious holes and hit them with scripted attacks. These arrive in such high volumes that handling them manually is simply not possible.
Most human intervention happens in the moments following a security breach. The first steps are to identify the entry point and close it so that it cannot be reused. Incident response teams will also work out what damage has been done, how to repair it, and whether there are any regulatory compliance obligations to address.
It doesn't make for good entertainment. Who wants to watch someone poring over documentation for obscure corporate network equipment, or setting up server firewalls?
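To make the "opportunistic, scripted" point concrete, here is an added example (not code from the original article) of the kind of log triage that both an automated IDS rule and a responder looking for an entry point rely on: it parses web-server access logs in the common Apache/nginx "combined" layout and flags source addresses whose behaviour looks like mass scanning (almost nothing but 404s, or repeated requests for well-known probe paths). The log lines, the probe-path list and the thresholds are constructed for the demo and are not real traffic or a vendor rule set.

```python
"""Flag opportunistic scanners in web-server access logs.

Added example, not from the original article. Assumes the common
Apache/nginx "combined" log layout. SAMPLE_LOG, PROBE_PATHS and the
thresholds below are constructed for the demo.
"""
import re
from collections import defaultdict

# Fields of the combined log format we care about: client IP, request
# line (method + path) and HTTP status. Referrer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths a mass scanner tries on every host it finds (hypothetical list).
PROBE_PATHS = {"/wp-login.php", "/phpmyadmin/", "/.env", "/.git/config", "/admin/"}

# Constructed sample: one scanner (203.0.113.7) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2020:14:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2020:14:02:12 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2020:14:02:12 +0000] "GET /.git/config HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2020:14:02:13 +0000] "GET /admin/ HTTP/1.1" 404 162
198.51.100.20 - - [10/Mar/2020:14:03:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2020:14:03:02 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.20 - - [10/Mar/2020:14:03:05 +0000] "POST /contact HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return {ip, path, status} for a combined-format line, or None if it
    does not parse (malformed lines are skipped rather than crashing)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def score_sources(log_text, min_requests=4, min_404_ratio=0.8):
    """Aggregate per source IP and flag scanner-like behaviour.

    A source is flagged when it has sent at least `min_requests` requests
    and either almost all of them were 404s (it is guessing paths) or it
    hit two or more well-known probe paths.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "probes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] == 404:
            stats["not_found"] += 1
        if rec["path"] in PROBE_PATHS:
            stats["probes"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["not_found"] / stats["requests"]
        if stats["requests"] >= min_requests and (
            ratio >= min_404_ratio or stats["probes"] >= 2
        ):
            flagged[ip] = dict(stats, not_found_ratio=round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, stats in score_sources(SAMPLE_LOG).items():
        print(f"scanner-like source {ip}: {stats}")
```

The two signals are deliberately independent: a scanner that happens to hit real paths will still trip the probe-path rule, and one that uses paths not on the list will still trip the 404-ratio rule. In production the thresholds are tuned against normal traffic, and the flagged addresses feed a blocklist or an alert rather than a print statement.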
Capture the Flag (CTF)
Hackers do sometimes compete in real time, but it is usually for bragging rights rather than a strategic objective.
These are Capture the Flag (CTF) competitions. They often take place at infosec conferences, such as the various BSides events. There, hackers compete against their peers on a set of challenges for a fixed period of time. The more challenges they solve, the more points they earn.
There are two types of CTF competition. In the first, a red-team-only format, hackers (individually or as a team) attempt to penetrate specified systems that have no active defense; the only resistance comes from protections put in place before the competition begins.
The second type pits red teams against defensive blue teams. Red teams score points for successfully penetrating the target systems, while blue teams are judged on how effectively they deflect those attacks.
The challenges differ from event to event, but they are generally designed to test the skills security professionals use daily: programming, exploiting known vulnerabilities in systems, and reverse engineering.
Although CTF events are highly competitive, they are rarely adversarial in spirit. Hackers are curious by nature and tend to want to share what they know. It is therefore not uncommon for opposing teams or spectators to share information that could help a rival.
There is a twist, of course. As of this writing, due to COVID-19, all in-person security conferences for 2020 have been canceled or postponed. However, people can still take part in a CTF event while complying with shelter-in-place or social distancing rules.
Sites like CTFTime list upcoming CTF events. Just as you would expect from an in-person event, many of them are competitive; CTFTime even displays a ranking of the best performing teams.
If you don't want to wait for things to reopen, you can also take on some solo hacking challenges. The website Root Me offers a wide range of challenges that push hackers to their limits.
Another option, if you don't mind setting up a hacking environment on your own computer, is Damn Vulnerable Web Application (DVWA). As the name suggests, this web application is intentionally riddled with security holes, letting aspiring hackers test their skills in a safe and legal way. Run it in an isolated VM or container rather than on a machine reachable from the Internet, since anyone who can connect to it can compromise it.
There is just one rule: one person per keyboard, folks!