Building Better Incident Responders
Author: Adobe Security Incident Response Team

A strong and resilient incident response process is key to helping Adobe manage security issues that may arise. Since this field constantly evolves and changes, Adobe spends significant time and resources to ensure that our incident responders — those individuals on the front lines — maintain fresh and current skill sets. To do this, we’ve built a multi-pronged training program for our incident response teams to help them constantly improve their skills and maintain the level of excellence Adobe is known for in the industry.
Introducing Adobe’s Incident Response Team
Like “first responders” — those individuals who are the first to arrive and assist at the scene of an emergency — Adobe’s incident response team is the front line of response to a computer security event or incident. Working under intense pressure and located in a geographically dispersed team, these individuals must quickly assess, respond to, and mitigate cyber-threats and attacks using a variety of tools, including intrusion detection and computer forensics.
And because, as the saying goes, success is 90 percent preparation and 10 percent execution, Adobe has invested heavily in skilled training that helps ensure our incident responders are adequately prepared in the event of a cyber-emergency. While our training program includes multiple components, we are going to focus on “Capture-the-Flag” (CTF) type trainings in this blog and leave the others for a later post.
What is a Capture-the-Flag (CTF) style Training?
CTF training is a security-themed competition that uses strategic questions to reveal clues that guide you to solve complex tasks in a specific order. Flags are used as markers and indicate a solution to a problem or task presented within the training. They are hidden in purposefully vulnerable programs or websites; the objective is for the player to capture as many flags as possible, each of which increases their overall score. These flags or “markers” are usually random strings embedded in the challenges.
Why Use a CTF-style Training?
Now that you know a little more about CTF-style training, let’s talk about why Adobe thinks it’s a great tool to aid in improving the skills of our incident response team. We see three significant benefits:
Builds critical thinking skills: We have found that individuals who spend time working on CTFs usually are much better candidates for an incident response role at Adobe. Participating in CTF challenges helps to develop the critical thinking and strategic mindset that Adobe looks for in our incident responders. We believe that players with this type of training possess a broader depth of skills and are more in tune with the security landscape.
Allows teams to explore and test skillsets: CTF training is a great way to evaluate strengths and weaknesses. Many CTFs cover a broad range of topics while some CTFs are very specific, but all are a great way to test and evaluate our teams’ skill levels. For example, if we want to know who on our team is the strongest in reverse engineering, we have them play some of the challenges on https://challenges.re/, a site that contains varied reverse engineering challenges.
Reinforces camaraderie and skilled response strategies: Attending CTF events reinforces camaraderie among the members of our incident response team at Adobe. Competing against, and even beating, teammates or opposing organizations creates opportunities to expand their knowledge base and response strategies, enabling them to better handle attacks when they occur.
Adobe values and encourages educational growth for our incident responders. We recognize that a well-developed, educated, and skilled responder is an asset to our organization and participating in CTF challenges helps to produce just that.
Two Primary Types of CTF Training
There are two types of CTF-style training that we use here at Adobe to keep our incident responders’ skills sharp: Jeopardy-type and attack-defense-type trainings. Not only are CTFs fun, which means it’s easy to get people to take the trainings, but they are also relatively easy to build compared to other types of trainings. Plus, everyone can learn something new by taking a CTF training. Here’s a little more about each type.
Jeopardy-style CTF Training
“Jeopardy”-style training is designed and built around a gameboard (much like the television show’s board). The board includes categories, such as Forensics, Web Challenges, and Reverse Engineering, that allow us to test the player’s knowledge. The challenges within each category vary in difficulty: the higher the point value, the more difficult the challenge. Players then work through the categories and challenges, attempting to amass the most flags, which serve as the solutions to the challenges and are submitted for points.
For a “vulnerability” challenge in the “web” category, the challenge author might spin up a website with a specific vulnerability. When the incident responder “player” opens the challenge, they would typically see a description of the challenge, the URL of the vulnerable website, and a field in which to submit the flag once they solve it. Jeopardy-style training provides a variety of ways to engage our incident response teams through team-building exercises: employees can play individually for their own benefit, hold a team challenge and keep score among team members with prizes on offer, or even compare their rank and standing against other incident response professionals around the world.
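The mechanics described above (random flag strings embedded in challenges, a board of categories and point values, and a submission field that awards points for a correct flag) fit in a small scoreboard. The following is an added example written for this post, not Adobe’s CTF platform; the `flag{...}` format, the per-challenge lockout of ten wrong guesses, and the sample challenges and flags are all constructed for illustration. It stores only a hash of each flag, compares digests in constant time, scores a flag only once per player, and locks a challenge after repeated wrong guesses.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed flag format for this example; real events pick their own convention.
FLAG_PREFIX = "flag{"
MAX_WRONG_ATTEMPTS = 10  # assumed per-challenge lockout, slows down flag guessing


def generate_flag(nbytes: int = 16) -> str:
    """Make the random marker string that gets embedded in a challenge.
    Uses secrets (not random) so one flag cannot be predicted from another."""
    return f"{FLAG_PREFIX}{secrets.token_hex(nbytes)}}}"


def flag_digest(flag: str) -> str:
    """The scoreboard keeps only a hash, so a leaked database does not leak flags."""
    return hashlib.sha256(flag.strip().encode("utf-8")).hexdigest()


@dataclass
class Challenge:
    category: str      # board column, e.g. Forensics, Web, Reverse Engineering
    name: str
    points: int        # higher value means a harder challenge
    flag_sha256: str   # hash only, never the plaintext flag


@dataclass
class Scoreboard:
    challenges: dict[str, Challenge] = field(default_factory=dict)
    solves: dict[str, set[str]] = field(default_factory=dict)        # player -> solved ids
    wrong: dict[tuple[str, str], int] = field(default_factory=dict)  # (player, id) -> misses

    def add_challenge(self, cid: str, category: str, name: str, points: int, flag: str) -> None:
        self.challenges[cid] = Challenge(category, name, points, flag_digest(flag))

    def submit(self, player: str, cid: str, submitted: str) -> str:
        """Returns one of: unknown, locked, already_solved, wrong, correct."""
        chal = self.challenges.get(cid)
        if chal is None:
            return "unknown"
        key = (player, cid)
        if self.wrong.get(key, 0) >= MAX_WRONG_ATTEMPTS:
            return "locked"
        solved = self.solves.setdefault(player, set())
        if cid in solved:
            return "already_solved"  # a flag only scores once per player
        # Compare digests in constant time so response timing cannot leak a partial match.
        if not hmac.compare_digest(flag_digest(submitted), chal.flag_sha256):
            self.wrong[key] = self.wrong.get(key, 0) + 1
            return "wrong"
        solved.add(cid)
        return "correct"

    def score(self, player: str) -> int:
        return sum(self.challenges[c].points for c in self.solves.get(player, set()))

    def standings(self) -> list[tuple[str, int]]:
        """Players ordered by score (ties broken by name)."""
        return sorted(((p, self.score(p)) for p in self.solves), key=lambda x: (-x[1], x[0]))

    def board(self, player: str) -> dict[str, list[tuple[str, int, bool]]]:
        """Gameboard view: category -> [(challenge name, points, solved?)] by point value."""
        view: dict[str, list[tuple[str, int, bool]]] = {}
        solved = self.solves.get(player, set())
        for cid, ch in self.challenges.items():
            view.setdefault(ch.category, []).append((ch.name, ch.points, cid in solved))
        for column in view.values():
            column.sort(key=lambda t: t[1])
        return view


def build_demo_board() -> Scoreboard:
    """Constructed sample board with fixed flags so the results are repeatable."""
    sb = Scoreboard()
    sb.add_challenge("web-100", "Web", "Hidden admin page", 100, "flag{web-demo}")
    sb.add_challenge("web-200", "Web", "Leaky cookie", 200, "flag{web-demo-2}")
    sb.add_challenge("for-300", "Forensics", "Deleted but not gone", 300, "flag{for-demo}")
    sb.add_challenge("re-500", "Reverse Engineering", "Unpack me", 500, "flag{re-demo}")
    return sb


if __name__ == "__main__":
    sb = build_demo_board()
    print(sb.submit("alice", "web-100", "flag{web-demo}"))   # correct
    print(sb.submit("alice", "web-100", "flag{web-demo}"))   # already_solved
    print(sb.submit("bob", "for-300", " flag{for-demo}\n"))  # correct, whitespace tolerated
    print(sb.standings())                                    # [('bob', 300), ('alice', 100)]
    print(sb.board("alice"))
```

In a real event the flag hashes would live in a database and `submit` would sit behind an authenticated HTTP endpoint, but the three checks shown (hash-only storage, constant-time comparison, and a guess limit) are the ones worth keeping whatever the platform, since a scoreboard that leaks or allows brute-forcing flags defeats the purpose of the exercise.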
Attack-Defense CTF Training
Attack-defense CTFs simulate real-world situations, including attacks and vulnerabilities that incident responders may be asked to address on any given day. By aligning with real evidence and exploits that have occurred “in the wild,” attack-defense CTFs provide a high level of training to build and reinforce our world-class incident response team.
While attack-defense CTFs are typically more difficult than Jeopardy CTFs, they can also build more advanced skills and help better prepare incident responders for the inevitability of a real cyberthreat event. Players participate on either the attack side or the defense side of the CTF training, and then they can switch sides in a subsequent training or team challenge.
Typically, attack-defense trainings spin up a dedicated server and give players access to that server for the duration of the CTF training. The National Collegiate Cyber Defense Competition (CCDC) at https://www.nationalccdc.org/, the Pros V Joes CTF events at http://prosversusjoes.net/, Hack The Box, and VulnHub are all examples of this style of CTF training.
Conclusion
Adobe strives to ensure that our incident response team is trained and capable of monitoring and securing Adobe’s systems and environments against malicious cyber-attacks. Cybercriminals are always looking for ways to gain a foothold in corporate networks. We continuously share knowledge with security experts around the world, swiftly resolve incidents when they occur, and feed this information back to our development teams to help ensure the highest levels of security for Adobe products and services.
Please visit the Adobe Trust Center for more information about security efforts across our products and services.