


By J.M. Porup, Senior Writer

“Penn Test” challenge helps infosec team think like attackers

Dec 16, 2019
IT Skills, Network Security, Security

At Penn Medicine, gamifying security training builds skills, drives employee retention.


From the outside, a career in cybersecurity seems pretty damn sexy — all those hoodies and green Matrix characters streaming past in the background wherever you go, popping boxen, zero-days and exploits, APTs and hackers, oh my. The reality on the inside, of course, can seem more like accounting. The sometimes boring drudgery of security operations can be a drum beat of digital paper shuffling, SIEM alerts to wade through, security audits to perform, GRC (governance, risk and compliance) to manage.

Keeping things a little spicy is key to hiring and retaining staff in a tight job market, and pushing your blue team to think more like an attacker pays dividends in a stronger organizational security posture, says Penn Medicine’s Seth Fogie, director of information security. Fogie launched and runs the biweekly “Penn Test” security challenge for in-house security staff, a project that earned Penn Medicine a CSO50 award.

Real-world capture-the-flag scenarios

For 90 minutes every other week, the 35- to 40-person security department, including security engineering, security operations and information assurance, comes together for a short capture-the-flag (CTF) competition. Fogie says he chooses real-world scenarios that could (and do) happen on their networks, so that employees leave the session equipped to go out and hunt for that same vulnerability on the networks they defend.

Penn Medicine has a lot of networks — and lives — to defend, including the University of Pennsylvania Health System’s six hospitals, the UPenn Perelman School of Medicine (the oldest in the United States, founded in 1765), and around 40,000 employees.

“A lot of people come into the security program out of college, or maybe from the infrastructure teams, but have never really been exposed to security skills, where you’re looking for vulnerabilities, looking for how bad guys break in,” Fogie tells CSO. “The whole concept of the Penn Test security challenge is a focus on teaching our staff how to break stuff and how bad guys do it, so we can build our systems better.”

Even recent college grads with a degree in computer science often lack the hands-on skills required to secure real-world networks, he says, making realistic CTFs a great way to both train and motivate them. “Ninety-nine percent of people out of college have never dealt with network file shares (NFS) — how it works, how you configure it,” he says. “The infrastructure team might know it exists, but half the time doesn’t know how to secure it.”
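Knowing how to secure NFS (the Network File System) starts with recognizing a bad export when you see one. As an added example, and not code from the article, from Penn Medicine or from the Penn Test challenge, the Python script below parses an /etc/exports file and flags three classic mistakes: shares exported read-write to every host, exports with no_root_squash (client root becomes server root), and the insecure option (requests accepted from unprivileged client ports). The sample exports text is constructed, with hypothetical paths and hosts; the function names are this example’s own. It relies on the exports(5) syntax plus one documented exportfs behaviour: an options group with no host in front of it, as in /srv/x (rw), is treated as an export to *.

```python
"""Audit /etc/exports for the NFS misconfigurations a realistic CTF teaches
defenders to hunt: shares writable by any host, root not squashed, and the
'insecure' option. Added illustration; not Penn Medicine's tooling.
"""
import re

# Constructed sample in /etc/exports syntax; paths and hosts are hypothetical.
SAMPLE_EXPORTS = """\
# backups served to the whole campus, nobody remembers why
/srv/backups    *(rw,sync,no_root_squash)
/srv/home       10.0.0.0/8(rw,sync,root_squash) 192.168.1.5(rw,no_subtree_check)
/srv/www        *.example.org(ro,sync,insecure)
/srv/scratch    (rw)
"""

# Options worth flagging and why (the defaults are ro, root_squash, secure).
RISKY_OPTIONS = {
    "no_root_squash": "client uid 0 is server uid 0: root on any client can "
                      "write files, including setuid binaries, as root",
    "insecure": "requests accepted from client ports above 1023, so any "
                "unprivileged user on a client can speak NFS without root",
}


def parse_exports(text):
    """Return (path, host, options) triples from /etc/exports text.

    An options group with no host in front of it, e.g. '/srv/x (rw)', is the
    classic footgun: exportfs treats the host as '*' (every client).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            host = m.group(1) or "*"          # empty host before '(' means world
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return findings as (path, host, code, explanation) tuples."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*" and "rw" in opts:
            findings.append((path, host, "world_rw",
                             "read-write for every client that can reach the server"))
        for opt, why in RISKY_OPTIONS.items():
            if opt in opts:
                findings.append((path, host, opt, why))
    return findings


if __name__ == "__main__":
    for path, host, code, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {code}: {why}")
```

Run against the sample it reports four findings: /srv/backups is world-writable and root is not squashed, /srv/www accepts unprivileged client ports, and /srv/scratch is world-writable because of the stray space before (rw). The /srv/home lines pass, since they are limited to specific clients and keep root_squash. Point it at a real server’s /etc/exports (or at the output of showmount -e from a client) and the same checks apply.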

The emphasis on real-world scenarios that the infosec team is likely to discover on its own networks is key to the program’s success, he says. Many CTFs rely on fun but unrealistic mind-bending puzzles that don’t look anything like a real-world vulnerability that is likely to be exploited by an attacker. Keeping it real helps defenders think like attackers.

The goal isn’t to turn every employee into a threat hunter, he says, but to give them perspective on their existing work, whether that’s in security engineering or performing GRC audits. “Learning the finer details of how some of these attack scenarios are carried out … helps build a more well-rounded security professional.”

Sending employees to a SANS course or another training class costs both money and time, and the exercises stay in the classroom. Penn Test participants, by contrast, finish the CTF and go straight back to their desks, where a massive real network is waiting for them to apply what they learned in that biweekly session.

Much to learn about protecting medical applications

In addition to the many network security issues Penn Medicine shares with any organization, Fogie says the healthcare-specific concerns that worry him right now aren’t medical devices, but rather patient data, and how it’s being used. “While medical device security is definitely a popular subject in the media, when it comes to health care organizations, there is a larger field of exploration that hasn’t been touched yet, and that’s medical applications.”

There’s a lot of innovation in the medical application space, he says, including traditional client-server applications, web apps and mobile apps, all used in varying ways to provide basic health care services, and often built and deployed without security front and center.

Securing those applications requires curious and motivated breakers with the right set of skills — the kinds of skills Fogie says the Penn Test security challenge offers.

“I think this is something that needs to be prioritized by managers,” Fogie says. “Carving out time for this kind of activity…has had nothing but positive impact on those that are involved in these activities.”


J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.
