Listen to this Post
Introduction:
Attack and Defense (A&D) competitions represent the pinnacle of practical cybersecurity training, simulating high-pressure scenarios where teams must simultaneously exploit vulnerabilities in opponents’ systems while hardening their own. As highlighted by Mandiant’s experience at ICCTokyo2025, this format bridges the critical gap between theoretical knowledge and real-world operational readiness, forging professionals who can think like both attackers and defenders.
Learning Objectives:
- Understand the core structure and strategic value of A&D competitions in professional training.
- Develop practical skills for vulnerability identification, exploit development, and rapid patching.
- Implement infrastructure hardening and blue team monitoring techniques that translate directly to enterprise security.
You Should Know:
- The A&D Competition Framework: More Than Just Hacking
A&D competitions create a microcosm of real-world cybersecurity operations. Teams maintain multiple services that must remain available and secure while attempting to compromise other teams’ identical services. This dual-minded approach—maintaining constant offensive pressure while sustaining defensive vigilance—mirrors exactly what security teams face daily in protecting organizations against determined adversaries.
Step-by-step guide explaining what this does and how to use it:
– Service Identification: Each team receives identical virtual machines running vulnerable services (web applications, custom binaries, network services).
– Flag System: Competitors must steal “flags” (specific strings of data) from other teams’ services while protecting their own.
– Scoring Mechanism: Points are awarded for maintaining service availability, successfully stealing flags, and quickly patching vulnerabilities.
– Time Management: Teams must balance resource allocation between attack development and defensive hardening throughout the competition.
2. Strategic Team Composition: Specialization Meets Collaboration
The Mandiant team’s division into pwn (binary exploitation), web hacking, and crypto specialists reflects industry best practices for tackling diverse attack surfaces. This specialization allows for deep expertise development while requiring cross-team communication to address complex vulnerabilities that span multiple domains.
Step-by-step guide explaining what this does and how to use it:
– Pwn Team Focus: Binary reverse engineering, memory corruption exploits, Return-Oriented Programming (ROP) chains.
– Web Team Focus: SQL injection, cross-site scripting, server-side request forgery, API vulnerabilities.
– Crypto Team Focus: Cryptographic implementation flaws, random number generation weaknesses, protocol attacks.
– Collaboration Protocol: Establish regular sync meetings, shared documentation of found vulnerabilities, and coordinated patch deployment.
- Offensive Operations: From Vulnerability Identification to Exploit Development
The offensive component requires systematic vulnerability assessment and reliable exploit creation. This process begins with comprehensive enumeration of all services and attack surfaces, followed by methodical testing for weaknesses.
Step-by-step guide explaining what this does and how to use it:
Service enumeration example nmap -sV -sC -O -p- 10.0.0.0/24 Web vulnerability scanning with automated tools nikto -h http://target.com dirb http://target.com /usr/share/dirb/wordlists/common.txt Binary analysis workflow strings vulnerable_binary ltrace ./vulnerable_binary gdb-peda ./vulnerable_binary checksec --file=vulnerable_binary
4. Defensive Operations: Infrastructure Hardening and Monitoring
While offense earns points, defense prevents point loss. The blue team aspect involves systematic service hardening, monitoring implementation, and rapid response to compromises.
Step-by-step guide explaining what this does and how to use it:
Linux service hardening checklist
Remove unnecessary services
systemctl list-unit-files | grep enabled
systemctl disable unnecessary-service
Implement firewall rules
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Monitor for changes to critical files
apt install auditd
auditctl -w /etc/passwd -p wa -k user_account_changes
auditctl -w /var/www/html -p wa -k web_content_changes
Windows equivalent commands
Check running services
Get-Service | Where-Object {$_.Status -eq 'Running'}
Windows firewall configuration
New-NetFirewallRule -DisplayName "Block HTTP Except Competition" -Direction Inbound -Protocol TCP -LocalPort 80 -RemoteAddress 10.0.0.0/24 -Action Allow
New-NetFirewallRule -DisplayName "Block HTTP General" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block
- Patch Development and Deployment: The Art of Rapid Mitigation
When vulnerabilities are identified—either through your own assessment or because they’re being exploited against you—rapid patch development becomes critical. Effective patches must resolve the vulnerability without breaking functionality.
Step-by-step guide explaining what this does and how to use it:
– Vulnerability Analysis: Determine root cause (buffer overflow, input validation flaw, logic error).
– Patch Development: Create minimal changes that address the vulnerability.
– Testing Protocol: Verify the patch fixes the vulnerability without disrupting service.
– Deployment Strategy: Roll out patches during minimal-impact windows with rollback plans.
Example patch for a simple buffer overflow:
// Vulnerable code
void vulnerable_function(char input) {
char buffer[bash];
strcpy(buffer, input); // No bounds checking
// ...
}
// Patched code
void patched_function(char input) {
char buffer[bash];
strncpy(buffer, input, sizeof(buffer)-1);
buffer[sizeof(buffer)-1] = '\0';
// ...
}
6. Flag Protection Strategies: Defense in Depth
Protecting your flags requires layered security controls that detect and prevent unauthorized access, while also maintaining service availability for scoring purposes.
Step-by-step guide explaining what this does and how to use it:
– Network Segmentation: Isolate competition services from management networks.
– Application Hardening: Remove unnecessary features, implement input validation.
– Monitoring and Alerting: Deploy intrusion detection systems and log monitoring.
– Incident Response: Establish procedures for detecting flag theft and responding.
7. The Human Factor: Team Dynamics Under Pressure
The psychological aspect of A&D competitions cannot be overstated. Teams must maintain clear communication, manage stress, and make rapid decisions under pressure—skills directly transferable to real-world security incidents.
Step-by-step guide explaining what this does and how to use it:
– Communication Protocols: Establish clear channels for incident reporting and coordination.
– Decision Frameworks: Create escalation matrices for critical security decisions.
– Stress Management: Implement regular breaks and maintain situational awareness.
– After-Action Reviews: Document lessons learned for continuous improvement.
What Undercode Say:
- A&D competitions provide the most realistic training environment outside of actual breach scenarios, developing both technical skills and strategic thinking.
- The forced context switching between offensive and defensive mindsets creates security professionals who understand the full attack lifecycle.
- Organizations should incorporate A&D principles into their internal training programs to build more resilient security teams.
The Mandiant team’s success at ICCTokyo2025 demonstrates that the future of cybersecurity expertise development lies in these immersive, high-fidelity simulations. The medal-winning performance underscores how European talent is competing at the highest global levels, bringing home not just trophies but invaluable operational experience. These competitions serve as crucial proving grounds where theoretical knowledge meets practical application under realistic constraints and pressure.
Prediction:
The normalization of A&D-style training will fundamentally reshape corporate security teams, creating professionals who inherently understand both attack and defense dynamics. Within five years, we’ll see these competition formats integrated into standard security certifications and corporate training programs, ultimately raising the baseline capability of entire security organizations. The organizations that embrace this training methodology will develop significantly faster incident response capabilities and more proactive security postures, fundamentally changing how we prepare for the evolving threat landscape.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Sannemaasakkers Icctokyo2025 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
