The North Pole is on the verge of a civil war. Santa is missing. It’s elf vs. elf. Factions have formed, and it's up to you to save the day, block a ransomware attack, and untangle multiple cybersecurity snafus to ensure this year's holiday gifts don't get buried under a mountain of snowballs.
No, it's not a children's story with a cyber twist. The Holiday Hack Challenge from SANS Institute is back for another season of wintery fun. Open to players of all skill levels, the online competition with real-world cybersecurity problems is set in the world of Santa, elves, and Christmas mayhem. This year's competition is open and will run through Jan. 3, 2025.
"There's some really good stuff in there with ransomware analysis, Web application penetration testing, incident response and incident analysis," says Ed Skoudis, founder of the Holiday Hack Challenge and president of the SANS Institute.
Skoudis calls the Holiday Hack Challenge, now in its 21st year, SANS's gift to the cybersecurity community. The goal is to provide a learning environment that is freely available to everyone in the world to learn skills while having fun, as well as to build a community where people work together and get to know each other. Players don't have to play through the game in one sitting or in order. Anyone who needs help can ask the elves in the game — the elves are very promiscuous hint-givers, Skoudis says — or join the Discord server to chat with other players.
Many of the challenges are taken from real-world cybersecurity incidents. Each challenge is ranked by difficulty, from one to five snowballs, with five being the most difficult. What's new this year is that every challenge can be solved in two ways: an easy mode and hard mode. Players don't know which mode they are in, but if their solution took the easy method, they'll "receive" a silver trophy. Solving the hard way results in a gold trophy. And skipping a challenge gives them a bronze participation trophy. A certain number of points are assigned for bronze, silver, and gold for each challenge, which are then summed into the player's score. A leaderboard displays player scores — and people who signed up as a cohort have their own private scoreboard.
"All year long, we're canvassing, looking for ideas of novel attacks that everybody should know about and know how to investigate, know how to do penetration tests for, and we're pulling those ideas together and putting them in holiday hack at the highest quality we can," Skoudis says.
This year's challenges fall into the following categories:
Ransomware Reverse Engineering
Web App Hacking with MQTT and Video Feed Manipulation
Mobile App Penetration Testing
OSINT via Drone Path Analysis
Web Exploration with cURL
PowerShell for Cyber Defense
The Best Prize of All
Winners will be announced in a webcast on Jan. 16, 2025. The grand prize winner will get a free SANS on-demand course, though some previous winners have found themselves with something more: a full-time job.
Janusz Jasinski first participated in the Holiday Hack Challenge in 2018 and was hired as a senior technical engineer by Counter Hack in 2023 after networking with people he encountered in the community. He is now involved with the challenge as a game designer. Finding the sweet spot of something that's not too easy yet not too hard is the greatest challenge in designing the game, Jasinski said. He designed this year's mobile app penetration test challenge.
"My challenge this year was [a difficulty level of] two or three out of five,” Jasinski says. "It's easy to do [create] a very easy challenge, it's easy to do a very hard challenge. It's very hard to do those in the middle, and just getting the right amount of complexity in there was a bit challenging. But further this year, we had the gold and silver, i.e., easy and hard routes. So to bake that in was now an extra level of difficulty."
But the fun part, he says, is having people in the real world playing and actually succeeding in the challenge, then sharing their solutions on Discord or social media.
Participating in the Holiday Hack Challenge and joining the community also led Kyle Parrish to a role behind the scenes. Parrish first played the Holiday Hack Challenge in 2018, winning an honorable mention early in his cybersecurity career.
"I played it and absolutely loved it — the practical application of the challenges and the just goofy video game feel," he says. "It was a ton of fun. I learned a lot of tools that I literally was able to start using in my work and help me progress as a young security engineer."
Parrish says he enjoyed the competition and sense of community so much that he played annually and volunteered to be a concierge in Discord, helping others with the challenges, in 2023. In January 2024, he joined the Counter Hack team as a senior technical engineer and is also now involved in designing the challenges.
"My favorite part is how, basically, the entire game is run off an Excel spreadsheet, which just kind of blew my mind," Parrish says. "And to see the skill that was put into it by some of our other teammates on building this game engine … to create these environments in this virtual world where players can interact with these challenges. It's so much fun."
It's also exciting to see how people solve his challenge, he adds.
"Somebody found an exploit in it and was able to get root against the challenge, which was awesome," Parrish says. "It was really cool to see that I had an intended path, but you were able to have an alternate path and were able to escalate your privileges. And that just makes for an even better write-up and a better learning experience for everybody involved."
Though it may come cloaked in snowball fights and elf espionage, real-world training and building a peer community is the real point of the challenge.
"I hope players develop cybersecurity skills that they can use in their actual job," Skoudis says. "That's the bottom line. And at the same time, I hope we have spoonfuls of holiday sugar that helps make the medicine go down, you know?"