Hacking challenge reviewed (the resolution)

One of our central values is transparency. Wherever you work as a security consultant, you should be able to answer the question of why you in particular are trustworthy.

So the way we tried to answer this question was to create an ever-open hacker challenge (see below). It is nothing new, but we wanted to demonstrate that we have the processes in place: the monitoring, the hardening, the patch management etc.

Figure 1 hacker challenge open from 2020/10/31 until 2023/07/31

The challenge remained on the public website until we recently changed to a less serious, more entertaining look-and-feel. This followed our perception that more and more institutions are drifting towards what Bruce Schneier calls “security theatre”.

But what about the results of our hacker challenge?

First – we never caught a defacement. This has nothing to do with an unbreakable infrastructure; in our view it is a sign that all of us are so busy fulfilling the customers’ needs that we don’t have spare time to hack the colleagues’ website.

Figure 2 monitored adversaries in the last three months

Second – whenever you introduce a new public service, it is good practice to monitor the real attacks against it to verify your risk assumptions. As you can see in the diagram, we used AWS WAF logs to classify the attacks into categories. AWS provides all the mechanisms you need to take your share of the shared responsibility model seriously without a lot of effort.

Third – we saw the usual suspects, geographically as well as in the quality of the attacks. Our design, however, had a real flaw, see the picture below:

Figure 3 Three availability zones

The website was served from three AWS availability zones. If the load on a node exceeded a certain level, one more node was started, and so on. As with most WordPress installations, the plugins were running in auto-update mode, but new nodes were started from the last saved plugin configuration, not from the state the running nodes had auto-updated to. So when an exploit for a plugin is new, the chance is high that a freshly scaled-out node comes up in a vulnerable state – do you see the entry point?
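One way to close that window is to gate a freshly launched node on a plugin-drift check before it registers behind the load balancer. The following is an added example, not code from the original post; it assumes plugin inventories in the shape of `wp plugin list --format=json` (`name`, `version`, `update`) and uses constructed sample data.

```python
"""Plugin-drift gate for freshly launched WordPress nodes (added example)."""
import json
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.12.3' into (4, 12, 3); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def plugin_drift(reference: List[dict], candidate: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Plugins where the candidate node runs an older version than the reference node.

    Returns {plugin_name: (candidate_version, reference_version)}.
    """
    ref = {p["name"]: p["version"] for p in reference}
    drift = {}
    for p in candidate:
        name = p["name"]
        if name in ref and parse_version(p["version"]) < parse_version(ref[name]):
            drift[name] = (p["version"], ref[name])
    return drift


def may_join_pool(reference: List[dict], candidate: List[dict]) -> bool:
    """Health-check decision: a node with stale plugins or pending updates must not serve traffic."""
    if plugin_drift(reference, candidate):
        return False
    return all(p.get("update") == "none" for p in candidate)


# Constructed sample inventories (not real data): the long-running node has
# auto-updated, the node just launched from the saved image has not.
RUNNING_NODE = json.loads('''[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "example-forms", "status": "active", "update": "none", "version": "5.9.8"}
]''')
FRESH_NODE = json.loads('''[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "example-forms", "status": "active", "update": "available", "version": "5.7.2"}
]''')

if __name__ == "__main__":
    print("drift:", plugin_drift(RUNNING_NODE, FRESH_NODE))
    print("may join pool:", may_join_pool(RUNNING_NODE, FRESH_NODE))
```

In a scale-out the reference inventory would come from a node that has already been serving (or from a versioned manifest), and a failed gate would trigger `wp plugin update --all` before the health check is retried.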

Of course this was incorporated into Splunk Enterprise Security and we would have been alerted, but it never happened, thanks to the high workload of you, dear colleagues! In the end it was a lot of fun, which is needed in daily work.