Aviation ISAC Capture the Flag
Starting this post with the words “Aviation ISAC” is probably a risky idea in terms of general reader attention and retention…. but risky posting is kinda my thing. More accurately (and if I want fewer suggested edits from the man), I should start this post with “Capture the Flag”. A term that often brings up mental images of a bunch of nerds sitting in a dark room, hunched over their laptops, chugging energy drinks, and muttering to themselves about brute-forcing a password. But the hacking and cybersecurity scene has grown up quite a bit since those images provided an accurate representation of the community. Attack Research recently had an opportunity to mentor and coach a CTF event put on by the Aviation Information Sharing and Analysis Center or, since that’s a mouthful, A-ISAC. 2022 was, if memory serves, the sixth year that the A-ISAC has put on a CTF at their annual summit. While many of the flags-to-be-captured were centered around standard challenges such as website directory traversals and SUID scripts, many of them were far more interesting and aviation-centered including “safely land this flight simulator” and “actuate the ailerons on this model aircraft using the X-Plane protocol”. Eleven teams from colleges around Florida competed for cash prizes, a resumé bullet, a cool learning experience, and most importantly, ever-coveted bragging rights. Competitors ranged from first-year college students getting into cybersecurity to veterans returning to school after service to “non -traditional” students changing careers and everything in between. The diversity of age, background, ethnicity, sex, and experience in the industry was incredible to see. The event was professional, engaging, and educational for everyone in the room. How often when we tell someone new what we do, do they ask something like, “Oh, you’re a hacker. Can you hack my email/bank/Facebook account?” Seldom do we have the *legal* opportunities to do those things. Similarly, how often do we get the *legal* opportunity to make someone else’s airplane go brrrrr? Aside from the folks in an A-10 Warthog, the answer for most of us is basically never. I had a blast watching the experienced students figure out how to work with the protocol that made ailerons wiggle and tails wag. Alternately, a few of the students were new to the game. The opportunity to teach some basic techniques like tab completion, data sorting, and for looping early in the event and watch as, within a few hours, that team turned those techniques into an operational tactic was great. Everyone had the opportunity to learn some new things, including the mentors. Now, I don’t follow sports. Like, any of them. HoopyRun&Toss and StickWhackGloveBall have simply never interested me. But standing in the conference center watching these teams compete in a game of skill, thought, and planning brought me to the brink of a rare and momentous occasion. Yep… *I had a thought*. This is a sport. It’s competitive. It’s engaging. The scoreboard was covered in the most glorious squiggly lines charting team progress and scores. And I was enjoying it. I wanted more. The teams wanted more! Probably after a break to let their brainpans cool down after 10 hours at a high simmer. As it turns out, these events don’t have to just be a once-a-year event at a highly industry-specific event. There are other services and platforms that anyone can use anytime. Services like HackTheBox or Offensive Security’s ProvingGrounds Play/Practice. HackTheBox has an added bonus feature; a job board where you can find and apply for cybersecurity jobs if your “rank” is high enough. There are platforms like CTFTime that track CTF events and teams all year, presumably similarly to how those professional league sports teams are tracked. There’s even a National Collegiate Cyber Defense Competition if you’re into more of the defense game. As I told the students I was mentoring, it's out there if you want to play more, but this time the rest of the world could join in. Mentoring these students was a fantastic experience for me as a cybersecurity industry practitioner (or as a good friend of mine puts it, Emulated Criminal). It reminded me of some of the silly, hacky stuff *I* used to do to get a job done. Things like using cmd to pass an environment variable to PowerShell to run a script that then passes a different environment variable to another PowerShell script in order to write to an Excel sheet to track changes I made on a Domain Controller. I don’t recommend doing that. But I did learn better methods through reading, good mentorship, and a whole bunch of my own absolute failures. I want to thank the A-ISAC for making this event a real success. I also want to thank the other mentors from all over the country who came out to help shape this upcoming generation of cybersecurity professionals. The team of professors and students from Embry Riddle also did a great job building an awesome set of challenges. And most of all, I want to thank the teams of students who came out and made the most of an awesome opportunity. Y’all rocked it.