Our quarterly Programming Parties are one of the many ways we engage and teach each other, and how we fulfill one of IronNet’s core values: Innovate, Learn, and Lead. We feel strongly about providing learning opportunities for everyone in the company, not just our engineers, and as you might imagine, we take cybersecurity very seriously. That’s why our recent event focused on common cybersecurity failings that we hear about every single day.
The focus for this quarter's programming party was to educate non-technical and technical employees on cyber vulnerabilities and why they matter.
Spotting Cyber Vulnerabilities
Although the name “Programming Party” might imply that a certain level of technical expertise is required to participate, we aim to make it accessible to employees who may not be in technical roles or may never have received cybersecurity-specific training. For all of our activities, the only thing you need to know to participate is how to use a web browser!
During the Cybersecurity Tutorial, one of our senior engineers walked participants through several beginner-level challenges. First, they introduced the concepts involved, then explained how to look for vulnerabilities in each challenge. For the less technical participants, this step-by-step approach that explained how cyberattacks work was both helpful and enlightening!
Exploiting Vulnerabilities: Capture-the-Flag Competition
Capture-the-Flag (CTF) events involve a series of technical challenges in which participants attempt to bypass cybersecurity controls. The challenges at our programming party ranged from beginner-friendly to diabolically advanced, a wide range suitable for every employee at IronNet. In each challenge, participants needed to access a specific file or service and submit their answer to our scoreboard.
Challenge #1: Command Injection Attack
One of the introductory challenges involved a simple web application which asked the user to input an IP address and then returned the results of a simple ping command against that device.
Diving into the code, you might discover two things:
- The application runs the ping command via a child process on the host machine.
- The application does not validate or sanitize the input provided. (Remember: it’s assumed to be an IP address.)
To most users, the application works as intended, but a malicious user could use this web application to pass other commands to the host machine because the input is never validated or sanitized. This kind of attack is known as a command injection.
The lesson for our team was that command injection attacks are possible when an application passes unsafe user-supplied data to a system shell, and why the 2017 OWASP Top 10 considers it one of the most critical web application security risks: these attacks are easy for attackers to find and exploit.
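The pattern described above, next to a hardened form, as an added example that is not the challenge's source code. It assumes a Node.js application and a Linux-style `ping -c`; all function names and the sample address are constructed for illustration.

```javascript
// Added example: constructed code, not the CTF challenge's source.
const { exec, execFile } = require('child_process');
const net = require('net');

// Vulnerable pattern (assumed shape of the challenge app): the input is
// concatenated into one string that a system shell will parse.
function buildShellCommand(input) {
  return 'ping -c 1 ' + input;
}

function pingUnsafe(input, callback) {
  // The shell interprets metacharacters such as ; | & and $() in the input.
  exec(buildShellCommand(input), callback);
}

// Hardened pattern, step 1: accept only a literal IPv4 or IPv6 address.
// This also rejects values beginning with "-", which ping would otherwise
// read as an option even when no shell is involved.
function pingArgs(input) {
  if (typeof input !== 'string' || net.isIP(input) === 0) {
    throw new Error('not an IP address');
  }
  return ['-c', '1', input];
}

// Hardened pattern, step 2: no shell at all. execFile passes the address
// to ping as a single argv element, so nothing in it is parsed as syntax.
function pingSafe(input, callback) {
  let args;
  try {
    args = pingArgs(input);
  } catch (err) {
    return callback(err);
  }
  execFile('ping', args, { timeout: 5000 }, callback);
}
```

Validation and shell-free execution are independent controls; keeping both means a mistake in one does not reopen the injection.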
Challenge #2: (Bad) DNS Tunneling
One of the more advanced challenges involved a PCAP file from an imaginary employee (Judy) containing hundreds of network packets. The challenge stated that Judy tried sending messages to her friend, but the corporate firewall was blocking them. In order to evade the firewall, she decided to send the message by hiding it in some DNS traffic.
This challenge provided a great way to teach our team about DNS tunneling and how cyber attackers can exfiltrate information by hiding it amongst benign-looking DNS traffic. A secondary benefit was that this challenge served as a fun introduction to tools like Wireshark and tcpdump.
Investing in our Most Important Assets
Companies of all shapes and sizes struggle to engage and train their workforce in a meaningful way. IronNet may not be unique in our need to educate our employees in cybersecurity, but we try to be innovative and creative in our approach to becoming the most trusted, respected, and loved cybersecurity company in the world.
New events such as quarterly programming parties have been a popular addition to the other ongoing training that IronNet provides, and we hope that more "IronNetters" can join us for future events.