February 7, 2017

CPTC: A NEW PENETRATION TESTING COMPETITION

Vitaly Ford

Cybersecurity competitions have become principal education components that prepare students for cybersecurity jobs through hands-on exercises and competition scenarios. However, competitions like Capture the Flag (https://ctftime.org/) and King of the Hill (http://www.cyberpanoply.com/) only allow participants to practice their technical skills in an environment that rarely resembles a real-world scenario.

For a while there was just one realistic competition that focused on the defensive side of information technologies and systems: the Collegiate Cyber Defense Competition, CCDC (http://www.nationalccdc.org/). CCDC is structured in such a way that student teams have to maintain their company’s network and fulfill business injections of the kind that can be encountered in any real company outside of the competition. Additionally, CCDC spices up the event by introducing a red team consisting of professional penetration testers and cybersecurity experts. The red team constantly challenges the student teams by attacking the servers that they need to maintain. In other words, the red team introduces chaos into the network to simulate the real cyber-attacks that businesses have to deal with in the 21st century. The main theme of CCDC comprises the cyber-defense and business tasks that students have to perform successfully to gain points.

In contrast, the Collegiate Penetration Testing Competition (CPTC), held at the Rochester Institute of Technology (http://cptc.csec.rit.edu/), concentrates on modeling a real-life penetration test within a competition environment. CPTC was established in 2015, involving only local universities. In 2016, CPTC became a national competition with universities from such states as California, Connecticut, Florida, Maine, New York, Pennsylvania, Tennessee, and Texas.

CPTC has several unique characteristics that distinguish it from other cybersecurity competitions. For instance, the teams are tasked with finding as many vulnerabilities as possible in a network that closely resembles that of a real-world company. There is no limit on when the teams have to stop, as long as they act within the scope of the penetration test.

Another exceptional feature of CPTC is that the teams need to act, behave, talk, and write professionally. At the beginning of the competition, all teams meet the upper-level management and technical personnel of the competition company to discuss the upcoming penetration test. Afterwards, the teams work for 10 hours straight on intelligence gathering, vulnerability assessment, and exploitation of the company’s network and resources without damaging any running services. The company’s network in CPTC 2016 was built in such a way that it had everything that a typical company has: from employee LinkedIn, social network, and GitHub accounts to cloud services, databases, research portals, and domain controllers.

At the end of the competition, the teams need to write a real professional penetration test report that they then present to the upper-level management. The teams have to think about how to rate and mitigate all the vulnerabilities they discovered, taking into account the risks to reduce the number of potential cyber threats. At the same time, the teams face a real challenge of presenting their findings to the Chief Information Officer and Chief Executive Officer, balancing between discussing highly technical content and explaining it to non-technical personnel.

CPTC was developed by a large team spanning several big organizations: RIT IT support group, IDM, Crowe Horwath, Uber, HurricaneLabs, Amazon, Google, and NCC Group, just to name a few. Also, multiple healthcare providers contributed to designing a realistic representation of the competition network.

Cybersecurity students, want to try your hand as a real pentester? CPTC is waiting for you!