CHARACTERIZATION OF MULTISTAGE ATTACKS IN CAPTURE THE FLAG EXERCISES

Abstract

The cyberattacks suffered by organizations are inherently multistage attacks, also known as MSNAs (Multistage Network Attacks). They consist of a series of correlated steps carried out over time to achieve a specific objective. Understanding and analyzing these attacks poses significant challenges for detection and effective defense. However, the scarcity of real MSNA examples available for research and analysis complicates the study of these attacks. In this article, a novel methodology is proposed to characterize MSNAs using a simplified model of the Cyber Kill Chain and historical Capture the Flag (CTF) event files released by DEF CON. We applied the method to the historical files of DEF CON 22 and successfully characterized, visually, 148 MSNAs targeting the winning team. The results revealed a clear sequence of stages in the attacks, providing a deeper understanding of these attacks.


Article Details

Manuel Alejandro Cano Olivares
Romina Torres Torres

Cano Olivares, M. A., & Torres Torres, R. (2023). CHARACTERIZATION OF MULTISTAGE ATTACKS IN CAPTURE THE FLAG EXERCISES. Politica Y Estrategia Journal, (141), 133-151. https://doi.org/10.26797/rpye.vi141.1028
