Thunder CTF: Learning Cloud Security on a Dime
This addresses the need for accessible training in cloud security for students and organizations, though it is incremental as it builds on existing CTF frameworks.
The paper tackles the problem of cloud security misconfigurations by introducing Thunder CTF, a low-cost, extensible Capture-the-Flag platform that helps students learn and practice cloud security skills through scaffolded scenarios.
Organizations have rapidly shifted infrastructure and applications over to public cloud computing services such as AWS (Amazon Web Services), Google Cloud Platform, and Azure. Unfortunately, such services have security models that are substantially different and more complex than traditional enterprise security models. As a result, misconfiguration errors in cloud deployments have led to dozens of well-publicized breaches. This paper describes Thunder CTF, a scaffolded, scenario-based CTF (Capture-the-Flag) for helping students learn about and practice cloud security skills. Thunder CTF is easily deployed at minimal cost and is highly extensible to allow for crowd-sourced development of new levels as security issues evolve in the cloud.