The first-ever U.S.-based Radware Hacker's Challenge took place in New York City last week, daring pentesters, bug bounty hunters, and other security pros to launch attacks on a simulated network and website in a head-to-head race against the clock.
Designed to evoke the feel of real-world threats, the competition challenged participants to infiltrate an infrastructure composed of Cisco Systems and Radware solutions, completing a series of tasks worth varying amounts of points. For instance, launching a denial of serial attack was worth 500 points, while changing or deleting website content was worth 1,000 points. At stake: a cash prize or a trip to the Black Hat conference in Vegas.
The contest was divided into four rounds. In the first round, the network was configured at its highest level of security – and with each ensuing round, protections were subsequently loosened. While the contestants were relatively few in number, they still managed to launch nearly 39,000 attacks against the network in a two-hour span. (Ultimately, the winner was a man using the handle Dark Vader, who required that his identity not be revealed.)
Among the most common attacks: “SQL injections seemed to be the prominent thing that everybody was going after,” said Joel Esler, open source manager and threat intelligence team lead at Cisco's Talos division.
“It's usually a popular attack because at the end of the day, they can get customer data and client data. These are things that they can go on the dark net and sell for profit,” said Daniel Smith, head of security research at Radware's emergency response team, noting that they can also hold the data for ransom.