Cyber Teams

8 min read

Testing 657 cybersec teams: Here’s what we learned (from 1,856 flag submissions)

Insights from testing 2,979 cybersecurity professionals (who submitted a total of 1,856 flags) across 8 key cybersecurity skills categories.

Dimitris avatar

Dimitris,
Oct 16
2022

Last year 657 security teams from (organizations such as Deloitte, Cisco, and Toyota) tested their cybersecurity skills in our annual global hacking event, Business CTF

Facing a total of 33 real-world inspired challenges related to forensics, reversing, web attacks, and more, players gained Continuing Professional Education (CPE) credits for role-playing as a multinational law enforcement agency in pursuit of fierce financial cybercriminals! 

Following the record-breaking event, we revealed behind-the-scenes performance data in our Cyber Attack Readiness report. In this post, we’ll publicly share the top three insights we gained from our analysis. 

Note: For a complete picture of industry and challenge performance data we suggest that you read the full report.

Measuring key cybersecurity skills with hacking challenges

Business CTF features jeopardy-style hacking challenges based on real-world vulnerabilities and emerging threats. These challenges are split into relevant skills categories pertaining to different aspects of cybersecurity. 

Skill category  

Description

Forensics

Analysis of digital forensics artifacts. Teams had to investigate realistic digital forensics artifacts commonly seen in sophisticated cyber security attacks.

Real-world relevance: Investigate an incident and identify who is responsible. 

Reversing

The art of reverse-engineering. Teams had to analyze and identify the behavior of compiled applications by leveraging static and dynamic reverse engineering techniques.

Real-world relevance: Discover hidden or undocumented features in systems that make software or hardware vulnerable to an attack. 

Web

Web-based exploits. Teams had to enumerate, identify vulnerabilities, and exploit a variety of different vulnerable web applications.

Real-world relevance: Find and exploit code flaws, misconfigurations, and insecure software in web-based applications or environments. 

Cloud

AWS, GCP, and Azure misconfigurations. Teams had to apply real-world privilege escalation techniques and attack paths in cloud environments. 

Real-world relevance: Identify and deal with common cloud security flaws. (This is becoming increasingly important with the rise of remote work and reliance on cloud infrastructure). 

Pwn

Binary exploitation through exploiting memory corruption bugs. Teams had to analyze executables, find memory flaws, and chain different techniques to develop an exploit.

Real-world relevance: Develop exploits/attacks based on binary files that interact with computer memory and processors. 

Hardware

Penetrating different hardware systems with software. Teams had to analyze and develop a working exploit for infrastructure-related Supervisory Control And Data Acquisition (SCADA) 

Real-world relevance: Find and secure against vulnerabilities, weaknesses, or flaws that can compromise infrastructure systems. 

Host exploitation

Teams had to enumerate the hosts, identify vulnerable entry points, gain an initial foothold, and escalate their privileges to administrator or root. 

Real-world relevance: Identify or exploit vulnerabilities that would allow attackers to remotely access a network, gain elevated privileges, or move deeper into a network. 

Crypto

Cryptographic flaws. Teams had to leverage weaknesses in known or custom-made algorithms to decrypt objects with up-to-date cryptological processes.

Real-world relevance: Protect sensitive information from unauthorized access by identifying encryption flaws. For example, banking applications and financial transactions. 

HTB business CTF gated report - measuring skills

Read the full report

  • Learn the three critical steps that forward-thinking cybersecurity leaders of today must take to cultivate a capable, attack-ready culture and improve employee engagement (from Dimitrios Bougioukas, our Senior Director of IT Security Training Services).

  • Get a complete breakdown of overall industry performance across eight key cybersecurity challenge/skills categories (including cloud, crypto, web, forensics, hardware, and more).

  • See how each industry performed when tested with various cybersecurity technologies, vulnerabilities, and threat types.

Access the report

Cloud security skills gaps continue to manifest across all industries 

Most organizations performed above average when faced with cyber attack challenges that involved forensics, reversing, and web technologies. In comparison, cloud, crypto, and hardware technologies, as well as HostEx and pwn challenges, proved to be somewhat testing. 

Cloud skills gap business ctf hack the box

This gap evidences the current cloud security skills shortage and highlights the urgent need for IT and cybersecurity leaders to prioritize cloud security training

In spite of the cloud's strong presence and adoption during the past few years, the cloud security skills shortage is still prevalent. Considering the central role cloud technology and security play in enabling modern organizations to scale, innovate, and manage complex IT infrastructure, the 60% decrease in attack readiness when comparing forensics (30.2% solve rate) against a category such as cloud (12% solve rate) is noteworthy. Some potential causes of this skills gap include:

  • Constant updates to existing cloud tech stacks make it difficult to follow cloud-related knowledge and trends. 

  • Poor (or poorly organized) documentation of cloud tech stacks that can result in knowledge gaps regarding both general cloud systems and cloud security. 

  • The complexity of cloud migrations. An effective cloud security professional is required to be seasoned with both on-premise (or non-cloud) and cloud security matters. 

Overall the challenges were pretty realistic, which is a big plus for me. I definitely recommend joining the CTF, as it lets you test your skills in realistic scenarios and challenge yourself against the best specialists in the field. We will join again next year.

 

Lukasz Lamparski, Security Manager and Senior Incident Responder, ING Bank

Professional skillsets adapt to specific industry segments and threats 

All cybersecurity professionals strive towards a seamless and secure operation of the information systems under their watch within their usual scope of work. In addition, each industry deals with unique kinds of threats and malicious actors. Here are specific industry examples of skillset specialization per industry found in our report: 

Finance:

Finance teams achieved the best results in the HostEx category and were second best in cloud, but came last for solving crypto attack challenges. 

finance

Cyber threats in Finance webinar

Lessons learned from Mastercard and Gemini on reducing cybersecurity risks, getting leadership buy-in for Red teams, and how Blue & Red teams can improve their defense with lower budgets.

Government:

Government teams demonstrated strong skills in forensics, reversing, web, and hardware, scoring a top three position in all categories. Conversely, cloud and HostEx were the biggest areas of improvement for cybersecurity in government organizations

gov

Tech: 

Teams in Tech organizations were among the top three performers in web, forensics, and reversing attacks, but (like teams from other industries) achieved lower scores in cloud, HostEx, pwn, and hardware challenges. 

tech

Security:

Security teams were the most adept at dealing with attacks involving web, forensics, and reversing. Compared to the other seven industries, they scored third in cloud security and hardware challenges. 

security

Manufacturing:

Manufacturing holds the third lowest average across all industry categories, but performed relatively well in attacks involving web, forensics, and reversing. Cloud security was the biggest area of improvement for manufacturing teams. 

manufacturing

Industries related to critical infrastructure struggled

It comes as no shock to see that security, consulting, and technology organizations perform above average (15.4%) and are prepared to deal with cybersecurity challenges across a wide range of technologies. 

Organizations essential to global infrastructures, such as government, manufacturing, healthcare, and education showed less cyber attack readiness, with healthcare scoring 31% lower than the average solve rate for all challenge categories. This is noteworthy when you consider that data breaches in healthcare organizations are on the rise. Some potential causes of this include: 

  • Legacy or unpatched systems that must remain operational

  • Busy and stressful schedule that makes keeping up with the ever-evolving threat landscape challenging

  • Sometimes focusing too much on achieving compliance whilst neglecting in-depth security across all systems and communication protocols 

Boost your team’s skills, employee engagement, and coordination under pressure

Skill level of individual employees isn’t the only important factor for an organization to be attack-ready and resilient in the face of cyber threats. Your team’s ability to collaborate and coordinate under pressure is vital to identifying, preventing, and improving your overall security posture. 

We’re biased, of course, but we recommend the HTB Business CTF as a great way to:

  1. Get an industry benchmark of your organization and team’s ability to deal with various cybersecurity threats, challenges, and scenarios. 

  2. Improve employee engagement and retention by encouraging both junior and senior staff to solve challenges based on real-world cybersecurity threats and enjoy a gamified, engaging storyline

  3. Collaboratively upskill in an event that cultivates practical cyber skills and yields CPE credits. 

Amazing experience working with HTB! Not only it is a very complete and fun hacking learning platform, but also the team is full of talent and creativity and will support your CTF setups in a very professional way. I’m looking forward to continuing this great collaboration.

 

Ignacio Arsuaga, Cybersecurity Enterprise Architect, Siemens

Hack The Box specializes in distinguished practical and guided cybersecurity training courses aligned with the NIST NICE and MITRE | ATT&CK frameworks, as well as unrivaled hands-on labs designed to help organizations close skills gaps, hire top talent, and protect infrastructure.

Explore 360 cyber workforce development 

Author bio: Dimitrios Bougioukas (Dimitris), Senior Director of IT Security Training Services, Hack The Box

Dimitrios has extensive experience in upskilling the IT security teams of Fortune 100/500 tech companies and government organizations. He enjoys analyzing the threat landscape as well as interpreting market and data analytics to assist Hack The Box in devising its training strategy and roadmaps, from go-to-market all the way to the syllabus level. Prior to Hack The Box, Dimitrios directed the development of training and certifications through eLearnSecurity/INE and was behind certifications like eCPTX, eWPT, and eCIR. You can connect with him on LinkedIn here.

 

Hack The Blog

The latest news and updates, direct from Hack The Box