PenQuest Reloaded: A Digital Cyber Defense Game for Technical Education

Today's IT and OT infrastructure is threatened by a plethora of cyber-attacks conducted by actors with different motivations and means. Furthermore, the complexity of these exposed systems as well as the adversaries' sophisticated technical arsenal makes it increasingly difficult to plan and implement an organization's defense. Understanding the link between specific attacks and effective mitigating measures is particularly challenging - as is understanding the underlying information security concepts. To support the training of current, and more importantly, nascent security engineers, we propose PenQuest, a digital attack and defense game where an attacker attempts to compromise an abstracted IT infrastructure and the defender works to prevent or mitigate the threat. The game is based on MITRE ATT&CK, D3FEND, and the NIST SP 800-53 security standard and incorporates a multitude of concepts such as cyber kill chains, attack vectors, network segmentation, and more. PenQuest is built to support security education and risk assessment and was evaluated with a class of engineering students as well as independent security experts. Initial results show a significant increase in knowledge retention and attest to the game's feasibility for educational use.