SANS Holiday Hack Challenge 2023
Between December 7, 2023 and January 6, 2024, the SANS Institute hosted the SANS Holiday Hack Challenge & KringleCon 2023, open to anyone to participate for free. This was the second year I participated.
Similar to previous years, the challenges were structured around a holiday themed story. This year, Santa and the Elves, on ChatNPT’s suggestion, had taken their holiday to the tropical Geese Islands. It’s hard to say anything further about the story without ruining it because it played out as a bit of a mystery but if you missed participating, the challenges will still be available over the next three years.
The challenges covered a range of skill levels from beginner to advanced. Whilst they weren’t grouped into sections the same way they were in the 2022 challenges, the marketing material listed the topics as follows:
- AI-assisted cybersecurity, offense and defense
- AI voice synthesis
- Cloud security
- Web application security
- Threat hunting in Windows Cloud
- Identifying vulnerabilities in space mission software packages
- Lock picking
- Phishing analysis
- Cyber Defense Azure AD Configurations
One topic not listed is binary exploitation - there were a few such challenges centered around Game Boy ROMs.
The role of AI in the challenges was different to what I was expecting. For example, there were no adversarial machine learning challenges. Instead, there was an emphasis on encouraging participants to augment their workflow with AI. I was skeptical at first but I think this was a useful approach to take - it certainly encouraged me to use AI more than I otherwise would have and it was quite educational in terms of better understanding the strengths and weaknesses of AI for different tasks. In the end, I mainly used generative AI for code generation.
The inclusion of lock picking was unusual because, whilst they were “mechanical” locks, the interface was a digital simulation. Although such an approach doesn’t sound like it should work, at least to me, it was actually implemented quite well.
Similar to previous years, the requirement for entering the contest for a chance to win a prize was a report describing how each challenge was solved. This year, there was a 100 page and 100MB limit, twice the page limit set for the 2022 event. Furthermore, there was an additional requirement that AI be used in solving at least some of the challenges, with sample prompts to be included in the report.
Prizes were awarded based on the best technical, creative, and overall reports, as well as some random draw prizes and some honorable and super honorable mentions. The winners were announced in a webcast on Jan 18, 2024. I was very pleased to be awarded the Extra Special Noteworthy Exemplary Trophy (ESNET) Award.
My submitted report can be viewed in the original PDF format or in a single (heavy) page HTML version, which are both generated from the same markdown source, courtesy of the wonderful Pandoc universal document converter. Different to last year, I took a more creative approach to the writing style but at the same time, covered each challenge in more depth.
- Submitted PDF report
- HTML version of the report (single heavy page)