Characterizing Attacker Behavior in a Cybersecurity Penetration Testing Competition

Nuthan Munaiah, Akond Rahman, Justin Pelletier, Laurie Williams, and Andrew Meneely. In International Symposium on Empirical Software Engineering and Measurement (ESEM), 2019. Pre-print.

Inculcating an attacker mindset, i.e., learning to think like an attacker, is an essential skill for engineers and administrators to improve the overall security of software. Describing the approach that adversaries use to discover and exploit vulnerabilities to infiltrate software systems can help inform such an attacker mindset. Our goal is to assist developers and administrators in inculcating an attacker mindset by proposing an approach to codify attacker behavior in a cybersecurity penetration testing competition. We use an existing multimodal dataset of events captured during the 2018 National Collegiate Penetration Testing Competition (CPTC’18) to characterize the approach a team of attackers used to discover and exploit vulnerabilities. We collected 44 events to characterize the approach that one of the participating teams took to discover and exploit seven vulnerabilities. We used the MITRE ATT&CK framework to codify the approach in terms of tactics and techniques. We show that characterizing an attackers’ campaign as a chronological sequence of MITRE ATT&CK tactics and techniques is feasible. We hope that such a characterization can inform the attacker mindset of engineers and administrators in their pursuit of engineering secure software systems.