At the inaugural Ixia Cyber Combat held in December 2017, 20 two-person teams of security-focused participants from various verticals – FSI, technology, government and education – pitted their skills against one another in a 12-hour test of skill, strategy and endurance.
In this attack-and-defend Cyber Combat, participants had to attack enemy servers, expose vulnerabilities and win “flags”, while defending their “fortress” from enemy onslaught. The winning team walked away with a prize of $10,000.
The dozens of high-profile breaches over the last few quarters – in both the private and public sector – were perpetrated by attacks using a wide variety of current hacking techniques. In order to be successful in the competition, offensive players had to utilize these current techniques for infiltration, data mining and exfiltration to rise to the top of the challenge. Defensive players had to race against the clock to quickly identify these ongoing attacks and even root out attackers inside the networks they are protecting.
At the sidelines of the event, Enterprise Innovation had the opportunity to speak to Dr Kitti Kosavisutte, senior vice president and head of security management at Bangkok Bank, and Naveen Bhat, managing director for Ixia Asia Pacific, a Keysight business, for some quick insights into the place of gamification in cybersecurity in the region.
At Ixia Cyber Combat, where the security challenges are modeled after the recent spate of cyber-attacks in Singapore and around the world, what are the benefits of this event to Bangkok Bank?
Dr Kitti: The collaboration and skill development roadmap becomes the key challenge. It will benefit Bangkok Bank from design framework to execution. We think that the Cyber Combat event could be used to raise cybersecurity awareness to the banking industry in Thailand.
The participants are from various ages, but are mostly quite young and only needed laptops to launch major attacks. So, it shows that cyber breaches and attacks are getting more advance every day. Banks would need to quickly catch up. One of the ways we can level up is to have such cyber range practices in the organization and continue to practise it.
Naveen: Businesses everywhere today face ever-increasing high-intensity cyber-attacks. Often, these businesses are left stranded or struggle to manage cyber-threats when they occur.
Cybersecurity is an expertise-driven industry. The right skills are needed to mitigate or prevent a threat. We’ve seen a number of initiatives the government has taken to maintain Singapore’s security posture as cyber-attacks become more rampant in Singapore and around the region.
Ixia hopes to raise more awareness around cybersecurity in Asia, through more cyber combat games and competitions in the hope of getting more security and IT experts trained.
What have been the key outcomes you’ve seen at the event, and were they different from expectations when planning for this event? If different, in what ways?
Naveen: Being an inaugural event, we were not sure about the response levels. It was exciting to see that we were over-subscribed and all 20 teams were taken in a short period.
Secondly, we were surprised at the endurance levels of the teams. The Cyber Combat was set as a 12-hour event, which requires intense focus and stamina. It is hard to stay on top of your game for this long period. We were surprised to see the teams fully engaged till the very end.
The third outcome that surprised us was the level of competitiveness. No game format is interesting if there is a runaway winner and everybody else is far behind. In this case, there were several leaders through the day, and in the last hour it was down to a 3 teams. Eventually it was a nail-biting finish, with the winner being determined at the very last second. Thrilling finish!
In your opinion, how is the quality of the competitors? And what more should they be doing, moving forward?
Dr Kitti: The quality of the competition is excellent. Moving forward, the analysis from the result of the competition may be beneficial to understand the skill gap needed for improvement.
Naveen: The quality of the participants was surprisingly high. We have participants ranging from students to professional groups. Ixia was very happy to see cooperation from our technology partners and hope to expand the role and scope of partners in the next event.
In a nutshell, how is Bangkok Bank protecting itself against cyber-threats today and for the near future? What strategy are you adopting?
Dr Kitti: Currently, banks in Thailand are starting to practise table-top and some simple exercises against cyber-attack scenarios. We are looking to raise skills with a more advanced cyber-attack simulation exercise or competition-based type of activities in Thailand. Partnering or seeking practical programs for security professional development is the focus and strategy.
How critical are training and certification in cybersecurity, and what are the ways Ixia is addressing these 2 areas?
Naveen: Training is of paramount important. Cybersecurity is a fast-evolving area of technology, and yesterday’s training is obsolete today. So every professional has to stay “current”. Ixia addresses the training challenge by providing a realistic training environment.
Cyber professionals can train in both offensive and defensive techniques in a safe, secure yet realistic environment. Certification is a parallel yet important issue, however the certification is only as good as the certification process that the candidate goes through. As long as the certification process takes the cyber professional through the latest methodologies, it would be valuable.
Source: Enterprise Innovation
Written by: Victor Ng
3rd January 2018