SaikoCTF Online Games (O-Games) – ASCEND Project

DataCite Commons. Updated 2026-03-02; indexed 2026-05-04.
Download link:
https://osf.io/f6enz/
Description:
IARPA’s Reimagining Security with Cyberpsychology-Informed Network Defenses (ReSCIND) program aims to enhance cybersecurity by leveraging attackers’ human limitations. It focuses on developing novel defenses that exploit decision-making biases and cognitive vulnerabilities. These defenses help rebalance the asymmetry of cyber defense, imposing penalties on attackers and thwarting their efforts. IARPA’s ReSCIND program funds the ASCEND (Adaptive Security through Cognitive Exploitation for Defense) project. Led by SRI, the multidisciplinary team behind ASCEND includes researchers and experts from the Florida Institute for Human and Machine Cognition, George Mason University, RAD Science Solution, SimSpace, Two Six Technologies, the University of Florida, and Virtual Reality Medical Center, as well as independent consultants. The team will create a game-changing, cyberpsychology-informed cyber defense system (see http://ascend.sri.com for more information).

Experiment Objectives

The overall objective of this study is to determine how cyber attackers change strategy and behavior when presented with different cyber-attack countermeasures. ASCEND defines Cognitive Vulnerabilities (CogVulns) as decision-making and cognitive biases plus the attacker’s culture, cognitive-emotional state, personality traits, and cyber-psychological characteristics.

This study targets Anchoring Bias (AB), Confirmation Bias (CB), Loss Aversion (LA) Bias, Representativeness Bias (RB), and two aspects of Socio-Cultural Bias (SCB), namely Hierarchicalism Bias (SCB-H) and Individualism/Collectivism Bias (SCB-IC).

We conducted four online experiments that used targeted challenges in a capture-the-flag (CTF) event to simulate real-world adversarial behavior, with international hackers recruited through various hacker, cyber security, conference and similar channels (e.g., Discord, social media, university clubs, conference mailing lists) as a proxy for hackers.

The four online games share the same experimental setup for AB, CB, LA, and RB. The SCB-H and SCB-IC setups were slightly revised from their original versions during “clubs” and stayed the same in the remaining three online games. Thus, the participants of OGames can be pooled for all but the SCB tasks, and participants for pwn, wicked6, and mayday can be pooled for all tasks (including the SCB tasks). The participants cannot be pooled with In-Person or Conference SaikoCTF participants because the length of challenges and specific design details were different between in-person/conference and online SaikoCTF events.

Experiment Description

The study begins with consenting, online individual differences measures (IDMs) (e.g., demographics, pre-test measure regarding mental state, risk propensity measure, and a CogVuln measure). This is followed by an online skill-screener provisioned through pwn.college. At the end of the study, participants answer a post-test questionnaire about their mental state.

Each participant has ten CTF challenges. The CTF challenges are interleaved with nine blocks of IDM and CogVuln Measures.

Participants are pseudo-randomly assigned to be in one of two groups (1 and 2). SaikoCTF uses a within-subjects design. Each challenge has a control (no CogVuln trigger present) and a treatment (CogVuln trigger present) version. There are two CTF challenges (A/B versions) for each CogVuln, for a total of four challenges per CogVuln (version A control, version A treatment, version B control, version B treatment). The A/B pairs have similar objectives and target the same CogVuln but have enough differences to control for human learning. The order in which control and treatment versions of each CTF challenge are presented is counter-balanced between groups 1 and 2 to control for order of conditions.

After each CTF challenge, participants answer additional IDM and CogVuln measures (questionnaires and surveys) to assess their biases, personality traits, cultural values, and cognitive-emotional and cyber-psychological attributes. CTF challenges are time limited.

CTF challenges are implemented in the SimSpace Cyber Range Platform (simspace.com/platform). For the three CogVulns tested in this study there are six targeted CTF challenges, each particularly designed to elicit the effectiveness of one CogVuln trigger deployed in the treatment version of the challenge. Furthermore, cyber behavior data is collected to evaluate hypothesized CogVuln sensors in relation to the established methods (IDMs and Bias measures) during analysis.

The CTF challenges for AB target the numeric priming facet of AB. Participants are told to find the target server and port on the network. In the A version of the challenge, participants are given access to an administrator workstation with an admin password that ends in “44,” and there is only one port that contains the number 4. In the B version of the challenge, the participants in the treatment groups are given access to an administrator’s workstation that has the number “9” in its password, and there is only one IP address that contains the number 9.

The CTF challenges for CB test whether susceptible participants who are initially shown evidence of a network vulnerability and script will continuously attempt to exploit that vector even if a simpler and easier path exists out of sight. In the A version of the CB challenge, participants are given network access and login credentials to the target machine, which has a directory with potential attack scripts to try. The target machine has the root login credentials stored in a hidden location that linpeas can find. Participants must escalate privileges to get the flag that is only readable by root.
In the treatment version, the participants are given a linpeas output that indicates a dirtycow vulnerability, but linpeas is disrupted halfway through and is incomplete. The goal is to test whether susceptible participants will assume the output of linpeas to be correct and attempt multiple dirtycow exploits, rather than re-running linpeas to confirm the results. In the B version of the CB challenge, participants are given a file that contains the output of an nmap scan showing port 80/http open and port 445/smb open, with port 80 being vulnerable to a number of Apache 2.4.49 exploits. The goal is to test whether susceptible participants will continue to scan and attack the web server using the provided vulnerability scripts rather than re-scanning the box to see that SMB is enabled and allows anonymous login.

The CTF challenges for LA target the Loss/Gain Framing Effect facet of LA by informing participants that after three failed login attempts, they will be locked out for 30 seconds and their activities will be logged. The goal is to test whether participants susceptible to the Loss/Gain Framing Effect take less risky actions when faced with temporary suspended access.

The CTF challenges for RB target the Sample Size Insensitivity facet of RB by providing logs with proportionally more alerts for a web-server endpoint or service that is not compromised than for an endpoint or service that is compromised. The goal is to test whether participants who see a lot of mentions of a compromised service are more likely to target that service.

The CTF challenges for SCB-H present participants in the treatment version with a hierarchical military organization chart providing ranks from General, to Senior Officer, Officer, and Soldier. Participants need to find sensitive information in one of the backup directories of people belonging to the military organization.
The goal is to test whether hierarchicalism affects some cultures more than others in that a person with a hierarchical culture is more likely to investigate higher-ranked personnel before they investigate lower-ranked personnel.

The CTF challenge for SCB-IC presents participants in the treatment version with an organization structure that has six locations. Each location has directories for either an individual researcher or for teams of researchers of 9, 12, or 18 members. The goal is to test whether predisposition toward collectivism or individualism can influence an attacker’s approach to exploring files (i.e., choosing team files over individual files or vice versa).

Experimental Results

For CogVuln Sensor analysis, we used two approaches: Clustering and Least Absolute Shrinkage and Selection Operator (LASSO).

For all CogVulns, LASSO identified linear combinations of cyber behavior topics that predict average CogVulns nearly as well as the established methods (small SD difference, <0.20). Cyber behavior topics explain more variation for Base Rate Neglect, Sunk Cost, and Confirmation bias than for other CogVulns. However, for these CogVulns, the model identified complex interactions of cyber behavior topics, and therefore results are more difficult to interpret. For the Reflection Effect and Sunk Cost facets of LA, and for the Nonrandom Sequence facet of RB, one or two cyber behavior topics were identified as predictive and had statistically significant associations with those CogVulns.

Clustering identified low-level cyber measures that predict CogVulns well and are also ecologically valid, so they can be turned into CogVuln sensors. Clustering behaviors works well for predicting LA Framing Effect, CB, and AB, but results were not strong for the cultural biases we tested, and we found no predictive clusters for RB.

LA CogVuln Trigger analysis: Within the paired modeling of participant behavior in continuous and binary measures, we saw only one metric with significance related to the trigger, namely Mean Time Between Login Tool Invocation (MTBLTI).

RB CogVuln Trigger analysis: Within the paired modeling of participant behavior in continuous and binary measures, we consistently saw significance (p < 0.05) of the time on vulnerable path for event, challenge, and near significance for condition (p < 0.08). For the near significance in the trigger effect, we saw an effect size of approximately –0.19 for a pseudo-Cohen’s d across 170 participants.

CB CogVuln Trigger analysis: Within the paired modeling of participant behavior in continuous and binary measures, we saw significance (p < 0.05) in the trigger effect (condition going from control to treatment) in the Levenshtein distance (p < 0.00, pseudo-Cohen’s d of 0.72) for syntax and the binary measure of biased behavior (p < 0.0, odds-ratio of 13) in addition to significance from challenge and established measures (but at a lower effect size compared to Trigger). For the continuous Levenshtein distance metric, we saw significance for the syntax used between the control and treatment groups. The distance to the correct command syntax (the command was mentioned in the instructions for both control and treatment group) was greater in the treatment group. We interpret this to mean that the participant is so caught up in the planted data/information that how they run the command does not matter to them, even though it is given.

AB CogVuln Trigger analysis: We found no significant effect between control and treatment for all paired t-test groupings. Performing logistic regression model analyses to predict the effect on future target choices by looking at participants’ first/second/third selected target also showed no significant results. The CogVuln Trigger for AB as designed did not have the intended effect.
We posit that the graphical order of ports/IP addresses triggered a Position Bias more strongly than our trigger triggered an Anchoring Bias.

SCB-H CogVuln Trigger analysis: We found significance in the distribution of making choices considered hierarchical (coded as following the hierarchy top-down or choosing a majority of higher-ranked profiles) between control and treatment; however, the results were surprising and unrelated to our hypothesis. Analysis of the normalized hierarchicalism scores revealed a clear (though unanticipated) treatment effect: control participants selected significantly more high-rank targets (M=2.63, SD=0.59) than those exposed to the hierarchical chart (M=1.94, SD=0.90). Thus, the hierarchical prompt significantly reduced hierarchical search behavior.

SCB-IC CogVuln Trigger analysis: We found no significant effect between the control and treatment groups. A majority of participants displayed a left-to-right bias (72%), while a much smaller percentage displayed a right-to-left bias (4%). As a result, we posit that the graphical order of folders from which participants had to choose was triggering a Position Bias rather than our Bias Trigger stimulating an Individualism or Collectivism Bias.
Provider:
OSF Registries
Created:
2025-09-11