Everyone knows that hacker-attack scene from NCIS. Working in their dimly lit forensics lab, Abby Sciuto (Pauley Perrette) and Timothy McGee (Sean Murray) have to fend off a cybercriminal, hell-bent on stealing information about their investigation.
Amidst a torrent of indecipherable technobabble (He’s burned through the firewall! This is DOD Level 9 encryption!), the pair begin to fight back. Eventually, they end up typing simultaneously on the same keyboard. It is—for lack of a better term—ludicrous.
Take a Seat. We’re Hacking
Those scenes epitomize everything wrong with how hacking is portrayed in the world of TV and film. Incursions into distant computer systems take place in a matter of moments, accompanied by a variety of meaningless green text and random popups.
Reality is a lot less dramatic. Hackers and legitimate penetration testers take the time to understand the networks and systems they’re targeting. They try to figure out network topologies, as well as the software and devices in use. Then, they try to figure out how those can be exploited.
Forget about the real-time counter-hacking portrayed on NCIS; it just doesn’t work that way. Security teams prefer to focus on defense by ensuring all externally-facing systems are patched and correctly configured. If a hacker somehow manages to breach the external defenses, automated IPS (Intrusion Prevention Systems) and IDS (Intrusion Detection Systems) take over to limit the damage.
That automation exists because, proportionally speaking, very few attacks are targeted. Rather, they’re opportunistic in nature. Someone might configure a server to trawl the internet, looking for obvious holes he or she can exploit with scripted attacks. Because these occur at such high volumes, it isn’t really tenable to address each of them manually.
Most human involvement comes in the moments after a security breach. The steps include trying to discern the point of entry and close it off so it can’t be reused. Incident response teams will also attempt to discern what damage has been done, how to fix it, and whether there are any regulatory compliance issues that need to be addressed.
This doesn’t make for good entertainment. Who wants to watch someone meticulously pore over documentation for obscure corporate IT appliances or configure server firewalls?
Capture the Flag (CTF)
Hackers do, occasionally, battle in real time; however, it’s usually for “props” rather than any strategic purpose.
We’re talking about Capture the Flag (CTF) contests. These often take place at infosec conferences, like the various BSides events. There, hackers compete against their peers to complete challenges during an allotted amount of time. The more challenges they win, the more points they gain.
There are two types of CTF contests. During a Red Team event, hackers (or a team of them) try to penetrate specified systems that have no active defense. The only opposition comes from protections that were put in place before the contest began.
The second type of contest pits Red Teams against defensive Blue Teams. Red Teams score points by successfully penetrating target systems, while the Blue Teams are judged based on how effectively they deflect these attacks.
Challenges differ between events, but they’re typically designed to test the skills used daily by security professionals. These include programming, exploiting known vulnerabilities in systems, and reverse engineering.
Although CTF events are quite competitive, they’re seldom adversarial. Hackers are, by nature, inquisitive people and also tend to be willing to share their knowledge with others. So, it’s not uncommon for opposing teams or spectators to share information that could help a rival.
CTF at a Distance
There’s a plot twist, of course. At this writing, due to COVID-19, all 2020 in-person security conferences have been canceled or postponed. However, people can still participate in a CTF event while complying with shelter-in-place or social-distancing rules.
Sites like CTFTime aggregate upcoming CTF events. Just as you’d expect at an in-person event, many of these are competitive. CTFTime even displays a leaderboard of the most successful teams.
If you’d rather wait until things reopen, you can also take part in solo hacking challenges. The website Root-Me offers diverse challenges that test hackers to the limit.
Another option, if you’re not afraid to create a hacking environment on your personal computer, is Damn Vulnerable Web Application (DVWA). As the name implies, this web application is intentionally rife with security flaws, allowing would-be hackers to test their skills in a safe, legal way.
There’s just one rule: two people to a keyboard, folks!