Security Awareness Blog

Capture The Flag - Human Style

One of my favorite security events to attend every year is the Blackhat security conference. This is an annual event held every July/August in sunny Las Vegas, United States. Not only are there a tremendous number of talks from leading security researchers, but great opportunities to meet and network with your peers. In addition, with every Blackhat conference comes Defcon, the infamous underground event, which in many ways is a rite of passage for every security professional, you have to experience it at least once. What is great about Defcon is it provides the perfect venue to try out new idea. One really stood out for this year, the Social Engineering Capture the Flag, sponsored by the guys at Social- Engineer.org. Capture The Flag is a traditional event at Defcon where competing teams attempt to hack into networks (or each other). While this has been going on for years, this year's CTF event was the first were attackers used social engineering to 'hack' their way into real corporations. Contestants competed to see who could use the most persuasive social engineering techniques to extract the most information from organizations. I was very excited about this for several reasons.

  • First, the security community is beginning to realize its not all about technical exploits. Cyber attackers are bypassing most technologies and targeting the human. Events like this dramatically demonstrate this. Events like this also demonstrate the need for addressing the human factor.
  • Gaining information on human based attacks is difficult. Events like this help create a baseline of what are the most effective techniques and why.

Chris Hadnagy and the team at Social-Engineer will be releasing a detailed report in the coming weeks. However, Chris was kind enough to share with me some of this thoughts from the event. Tomorrow I'll post some of the key lessons he feels we should take away from this.