Testing 657 cybersec teams: Here’s what we learned (from 1,856 flag submissions)

Last year 657 security teams from (organizations such as Deloitte, Cisco, and Toyota) tested their cybersecurity skills in our annual global hacking event, Business CTF. 

Facing a total of 33 real-world inspired challenges related to forensics, reversing, web attacks, and more, players gained Continuing Professional Education (CPE) credits for role-playing as a multinational law enforcement agency in pursuit of fierce financial cybercriminals! 

Following the record-breaking event, we revealed behind-the-scenes performance data in our Cyber Attack Readiness report. In this post, we’ll publicly share the top three insights we gained from our analysis. 

Note: For a complete picture of industry and challenge performance data we suggest that you read the full report.

Measuring key cybersecurity skills with hacking challenges

Business CTF features jeopardy-style hacking challenges based on real-world vulnerabilities and emerging threats. These challenges are split into relevant skills categories pertaining to different aspects of cybersecurity. 

Cloud security skills gaps continue to manifest across all industries 

Most organizations performed above average when faced with cyber attack challenges that involved forensics, reversing, and web technologies. In comparison, cloud, crypto, and hardware technologies, as well as HostEx and pwn challenges, proved to be somewhat testing. 

This gap evidences the current cloud security skills shortage and highlights the urgent need for IT and cybersecurity leaders to prioritize cloud security training. 

In spite of the cloud's strong presence and adoption during the past few years, the cloud security skills shortage is still prevalent. Considering the central role cloud technology and security play in enabling modern organizations to scale, innovate, and manage complex IT infrastructure, the 60% decrease in attack readiness when comparing forensics (30.2% solve rate) against a category such as cloud (12% solve rate) is noteworthy. Some potential causes of this skills gap include:

• Constant updates to existing cloud tech stacks make it difficult to follow cloud-related knowledge and trends. 

• Poor (or poorly organized) documentation of cloud tech stacks that can result in knowledge gaps regarding both general cloud systems and cloud security. 

• The complexity of cloud migrations. An effective cloud security professional is required to be seasoned with both on-premise (or non-cloud) and cloud security matters. 

Overall the challenges were pretty realistic, which is a big plus for me. I definitely recommend joining the CTF, as it lets you test your skills in realistic scenarios and challenge yourself against the best specialists in the field. We will join again next year.

 

Lukasz Lamparski, Security Manager and Senior Incident Responder, ING Bank

Professional skillsets adapt to specific industry segments and threats 

All cybersecurity professionals strive towards a seamless and secure operation of the information systems under their watch within their usual scope of work. In addition, each industry deals with unique kinds of threats and malicious actors. Here are specific industry examples of skillset specialization per industry found in our report: 

Finance:

Finance teams achieved the best results in the HostEx category and were second best in cloud, but came last for solving crypto attack challenges. 

Government:

Government teams demonstrated strong skills in forensics, reversing, web, and hardware, scoring a top three position in all categories. Conversely, cloud and HostEx were the biggest areas of improvement for cybersecurity in government organizations. 

Tech: 

Teams in Tech organizations were among the top three performers in web, forensics, and reversing attacks, but (like teams from other industries) achieved lower scores in cloud, HostEx, pwn, and hardware challenges. 

Security:

Security teams were the most adept at dealing with attacks involving web, forensics, and reversing. Compared to the other seven industries, they scored third in cloud security and hardware challenges. 

Manufacturing:

Manufacturing holds the third lowest average across all industry categories, but performed relatively well in attacks involving web, forensics, and reversing. Cloud security was the biggest area of improvement for manufacturing teams. 

Industries related to critical infrastructure struggled

It comes as no shock to see that security, consulting, and technology organizations perform above average (15.4%) and are prepared to deal with cybersecurity challenges across a wide range of technologies. 

Organizations essential to global infrastructures, such as government, manufacturing, healthcare, and education showed less cyber attack readiness, with healthcare scoring 31% lower than the average solve rate for all challenge categories. This is noteworthy when you consider that data breaches in healthcare organizations are on the rise. Some potential causes of this include: 

• Legacy or unpatched systems that must remain operational

• Busy and stressful schedule that makes keeping up with the ever-evolving threat landscape challenging

• Sometimes focusing too much on achieving compliance whilst neglecting in-depth security across all systems and communication protocols 

Boost your team’s skills, employee engagement, and coordination under pressure

Skill level of individual employees isn’t the only important factor for an organization to be attack-ready and resilient in the face of cyber threats. Your team’s ability to collaborate and coordinate under pressure is vital to identifying, preventing, and improving your overall security posture. 

We’re biased, of course, but we recommend the HTB Business CTF as a great way to:

1. Get an industry benchmark of your organization and team’s ability to deal with various cybersecurity threats, challenges, and scenarios. 

2. Improve employee engagement and retention by encouraging both junior and senior staff to solve challenges based on real-world cybersecurity threats and enjoy a gamified, engaging storyline. 

3. Collaboratively upskill in an event that cultivates practical cyber skills and yields CPE credits. 

Amazing experience working with HTB! Not only it is a very complete and fun hacking learning platform, but also the team is full of talent and creativity and will support your CTF setups in a very professional way. I’m looking forward to continuing this great collaboration.

 

Ignacio Arsuaga, Cybersecurity Enterprise Architect, Siemens

Hack The Box specializes in distinguished practical and guided cybersecurity training courses aligned with the NIST NICE and MITRE | ATT&CK frameworks, as well as unrivaled hands-on labs designed to help organizations close skills gaps, hire top talent, and protect infrastructure.

Explore 360 cyber workforce development 

Author bio: Dimitrios Bougioukas (Dimitris), Senior Director of IT Security Training Services, Hack The Box Dimitrios has extensive experience in upskilling the IT security teams of Fortune 100/500 tech companies and government organizations. He enjoys analyzing the threat landscape as well as interpreting market and data analytics to assist Hack The Box in devising its training strategy and roadmaps, from go-to-market all the way to the syllabus level. Prior to Hack The Box, Dimitrios directed the development of training and certifications through eLearnSecurity/INE and was behind certifications like eCPTX, eWPT, and eCIR. You can connect with him on LinkedIn here.