by willcipriano 2198 days ago
Hacker competitions often seem very contrived to me. I suspect that in order for the red team to make any progress you have to tie the blue team's hands behind their backs. Most of what I see from the penetration testing community is pretty gimmicky and situational, generally, and often doesn't take into account the attacker's risk/reward ratio.
3 comments

I disagree completely. Red team tools and techniques are different and gimmicky for a reason: their goal is to demonstrate the lack or effectiveness of security controls and processes, while bad guys have more time and a more precise target. For example, 0days and disruptive actions are mostly prohibited for red teamers.
I agree completely. I see it as entertainment and a way to recruit people out of college.
What would be a less gimmicky setup?
Allowing Blue Team to fight back maybe? Or to be able to actively track the red team instead, using an active defense, instead of only passive defense?

Moreover, the outcomes are different for both teams:

- RedTeam success => they are seen as "real" hackers/heroes and the BlueTeam are the poor incompetents

- RedTeam fail => the BlueTeam did "only" its job, the investments in cybersec for the company paid off... so the budget for the cybersec can be reduced.

So, for RedTeam, it's either a win or a tie. And for BlueTeam it's either a tie or a loss...

If the BlueTeam could fight back, maybe this could change...

That's true, but only because it mimics real life. The defenders are always at a disadvantage here; they have the boring job, but one where one mistake is one too many. And they have to achieve that perfect score while operating within the rules.

On the other side the attackers have the more exciting job and only need one success which they can achieve by using whatever means they see fit.

You'll see this outside of IT just as well, like in sports. Goalkeepers (defenders) vs. strikers come to mind but at least there they all operate within the same set of rules.

I kind of like the dual approach. First team to get into the box has to try and hold onto it while still maintaining the specified services it's supposed to be providing in the simulation. Winner is whoever holds it the longest.
It's inherent to the field. A successful blue team is a distributed win - every line of code did what it was supposed to do. A successful red team is a concentrated win, for the people who found the few lines of code that did something else. The job of a red team is to make things interesting. The job of a blue team is to keep things boring.
That's good. Perhaps something like if they can attribute the attack to a particular machine the red team gets "arrested".
Easier said than done; the red team can't break real laws (routing through compromised hosts) where real hackers will.
Do the feds still attend DC? >:}
No and they don’t come because hackers asked them not to. >:/
Found the Fed.
Let the non-red teams use pre-existing scripts, code, etc, to harden things. This of course would make the competition a level playing field and would make it much less fun for the red team. Attendance would drop off quickly and companies would no longer sponsor these events, as the primary purpose is to recruit people out of college.
Actually, this could be made like a "CS:GO" competition:

- RT is the terro
- BT is the AT

The RT has to "plant" an exploit. The BT can either block/track the RT or "defuse" (find/disable) the exploit.

The "maps" would be the kind of system:

- an AD behind a firewall
- a WebServer with data to extract from a backend DB
- and so on...

The sponsors could sell either the skills of their pen-testers for hire, or their solution to secure a system, so it might be a good marketing campaign for the winner...

I can't tell if you're being facetious, but you just invented 'capture the flag' competitions.