Capture That Flag!

Posted by Giovanni Vigna JAN 10, 2019 ON

How participating in hacking competitions can improve the security culture of a company and the talent of the security team

Security Talent is Hard to Find and Even Harder to Keep

One of the most-heard complaints from security experts is that often they find their work repetitive (“The CFO’s laptop has a been compromised… again!”), which results in the desire of trying something “new”, meaning “leave for another company.” Another common complaint is that the work is very compartmentalized, and there are few occasions in which the various security specialists can enjoy working as a team.

One activity that can help build a team, and at the same time improve the security skills of the people involved, is participating in Capture the Flag (CTF) competitions. How do I know?

I started organizing CTF competitions in 2001 at the University of California at Santa Barbara, and every year since 2003 I have organized one of the world’s largest attack-defense Capture the Flag competitions (http://ictf.cs.ucsb.edu), which often includes novel designs to push the limits of the players and provide opportunities for better learning (you can see some of my papers in the references below).

I also founded Shellphish, one of the most known hacking teams. Shellphish has participated in more DEF CON CTF competitions than any other team (DEF CON CTF is considered the world championship of hacking), and has also participated in DARPA’s Cyber Grand Challenge, bringing home $1.5M in cash prizes.

It All Started Outdoors, in the Boy Scouts

An associate of mine, Christos Sarris, who is an active CTF participant and who contributed to this article, recalled his first experience with a CTF-style competition almost 30 years ago when he was a young Boy Scout. The rules of the competition were very simple. The scouts were separated into two teams, each with its own defined territory and its own distinct flag. Team members needed to cooperate in order to succeed in two strategic objectives simultaneously. The first objective was to defend the flag from being stolen by the opposing team, and the second was to capture the opponent team’s flag and return it to home base. In the end, the team that managed to make the most flag captures and score the most points was declared the winner.

Participating as a child in countless CTF competitions taught Christos from a very young age the important concepts of teamwork, trust, communication, problem-solving, decision making, planning, attacking and defending strategies, information sharing, patience, self-sacrifice, and adaptability all while having fun at the same time. Unknown at the time was that these were some of the same skills that every information security professional must master.

How Does This Work for Security?

This concept has been applied to hacking competitions. And while it’s now clearly an indoor sport, the central idea is identical: defend your flag while attempting to capture those of the other teams.

Historically, the first ever digital CTF event took place at the DEF CON hacking conference in 1996. Digital CTFs was then a revolutionary idea. As such, they helped transform DEF CON into a place where security enthusiasts could actually compete, compare their skills, and exchange knowledge. Internet CTF competitions ultimately spread beyond DEF CON; soon, international teams were competing for prizes and bragging rights.

Today, there are three common types of CTFs. Regardless of the style of competition, participants must obtain proof that they succeeded at exploiting an opponent’s service or a challenge by gaining access to a unique piece of data, referred to as a “flag.” With this flag in their virtual hand, they must then turn it in to obtain points. The three types of CTFs are:

Attack-Defense – These are interactive competitions where each team receives an identical machine that is running vulnerable services. The competitors then use their security skills to protect their own services while simultaneously trying to break into the same services on their opponents’ machines.

Jeopardy – These competitions involve challenges that need to be solved for points. There are multiple categories of security challenges, each of which contains a variety of questions of different difficulties and point values, and it uses a scoreboard similar to the Jeopardy game board. Teams compete against the game clock (usually anywhere from 12 to 24 hours), and the winner is the team that earns the most points. Security challenges in this type of competition include cryptography, steganography, binary analysis, reverse engineering, mobile & system security, and trivia.

Mixed – This type of competition, as the name suggests, incorporates elements of both the Attack-Defense and Jeopardy styles, thereby raising the challenge for competing teams. To give a simple example, a team might need to simultaneously defend its systems, attack and compromise the opponent team’s systems to locate “digital” flags, and solve security challenges to earn points.

The Benefits and Possible Drawbacks of CTF Competitions

Whatever their structure is, CTFs are a fun and exciting way for security practitioners to showcase their security skills while competing with one another for fame and glory.

But fame is not the only motivator.

By solving challenges and breaking services, participants discover new techniques and tools that they never had to use in their day-to-day routine work, expanding their toolset and skills. For example, a reverser might learn how to use a tool to profile SSL connections, or a network expert might learn the joys of JavaScript de-obfuscation. These new tools might inspire the identification of weak points in the enterprise network (“Are we vulnerable to this attack?”) as well as novel applications of security mechanisms (“We could use this to make our intrusion detection better”).

Competitions offer contestants an opportunity to meet and network with other security experts, as well as to share knowledge and develop non-technical skills like teamwork, communication, problem-solving, and adaptability.

These competitions develop team spirit. Working together under pressure but in a game setting (where losing does not mean real harm to a team’s corporate network) is exhilarating, instead of being stressful. In these situations, members of a company’s security team bond together and learn about each other’s skills and limitations. It is not surprising that many corporate teams that participate in these events become some of the strongest players (for example, Raytheon, CISCO, and Tencent have teams that participate in several high-profile competitions that require very selective qualification rounds).

At the industry level, CTFs are great places for prospective employers to find and recruit new talent.

Security researchers can test new theories, tools, and techniques.

Companies can use a CTF to generate security metrics (like network traffic, attack vectors, new tools, new vulnerabilities, etc.) and apply that data to improve their prediction models in order to better prevent real-world attacks.

CTFs are not without problems though. The first is that many competitions require a certain skill level to participate. Although most of the current competitions officially are open to “all skill levels,” realistically the subject matter they use for their challenges largely precludes security beginners from participating.

The other primary concern is that CTF competitions don’t exactly simulate a real-world work environment. Someone who trains to build a skill set built around solving pre-designed flaws and security puzzles in CTF competitions may not be as effective with security assessments in a real-world environment involving numerous heterogeneous systems, networks, and specialized applications from different vendors.

But then again, nobody said that CTF competitions would provide all the skills needed for a successful career in information security, and the benefits far outweigh these limited drawbacks.

Getting Started with CTFs

Anyone interested in a CTF competition has two main choices when it comes to locating and participating in an event: 1) events that take place online through specialized websites; and 2) events that occur on-location, which are usually local, national, or international competitions planned by security organizations and hacking conferences.

Online CTFs

Online events, as the name suggests, are organized and happening entirely online. Anyone can register on a website and instantly start solving security challenges. Here are a few examples of great websites that offer online CTF challenges:

Hackthebox – An online platform that allows users to test their security skills through CTF types of challenges and also exchange ideas and methodologies with other members.

picoctf – A free computer security game targeted at middle and high school students.

vulnhub – A platform with materials that allow anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration.

OverTheWire – A site that offers wargames similar to CTFs, where the level of difficulty grows as you progress.

We Chall – A web site that provides training challenges, outside direct competitions.

On-Location CTFs

On-location events require the physical presence of the team. Anyone interested in participating should carefully read the rules of the competition on what equipment and tools are allowed and what the expected expertise level is. A few examples of great on-location CTF competitions are:

DEF CON – Probably the largest cybersecurity conference in the world, DEF CON hosts the most prestigious CTF contest in the world.

BSides – A non-profit organization that organizes security conferences hosting great CTF contests around the world.

WCTF – A hacking conference that invites the world’s top CTF teams and hosts China’s world-class competition.

Regardless of your preferred format, a great resource for finding available and upcoming CTF competitions is the ctftime.org website. Under “Upcoming Events,” there’s a list of literally hundreds of competitions that are scheduled around the world. In addition, the website’s calendar contains both formats of CTFs (online and on-location) and separates them by type (Attack & Defense, Jeopardy, or Mixed).

Conclusion

As the CTO of a security company, I can definitely say that participating in CTFs is a great way to educate, entertain, and retain your security workforce. They test cyber skills and train security teams to defend against unknown security scenarios involving a range of techniques, tools, threats, and attack vectors.

With information security rapidly becoming more and more important as a field, Capture the Flag competitions are a great way for security enthusiasts to learn, network, play, have lots of fun, and advance the profession.

Hack the planet!