A capture the flag (CTF) contest is a special kind of cybersecurity competition designed to challenge its participants to solve computer security problems and/or capture and defend computer systems. Typically, these competitions are team-based and attract a diverse range of participants, including students, enthusiasts and professionals. A CTF competition may take a few short hours, an entire day or even multiple days.
CTF competitions have elevated from their humble roots to reach sport-level status, with thousands of individual games and leagues now taking place every year across the globe — including the annual DEF CON competition, one of the most prestigious CTF events in the world.
How a CTF Competition Works
There are several variations on the capture the flag format. The most popular styles are jeopardy, attack-defense and a mix of the two.
In a jeopardy CTF format, teams must complete as many cybersecurity challenges as they can from a given selection, testing their skills and knowledge on a diverse range of computer security categories in novel and creative ways. Typical tasks are related to networking, programming, applications, mobile, forensics, reverse engineering and cryptography. For each challenge a team completes, a specific number of points is rewarded.
In an attack-defense CTF competition, teams must capture and defend vulnerable computer systems, typically hosted on virtual machines in an isolated network. To gain points, a team can maintain ownership of as many systems as possible while denying access to the other competing teams.
Finally, a mixed CTF is arguably the most challenging for participants. Combining jeopardy and attack-defense styles, successful teams must strategically divide their efforts and play to each of their member’s strengths by completing security challenges while simultaneously hacking into target vulnerable systems, maintaining access to these machines and defending them against their competitors.
The winner is usually the team or individual with the most points at the end of the game. Like many sporting events, prizes are commonly awarded for first, second and third place. In the interest of contest integrity and respect for the game platform, CTF ground rules are shared with participants prior to the event. Violation of these rules may result in restrictions or even elimination from the competition.
Behind the Scenes at a CTF Event
It is approaching 9 a.m. on Nov. 24 in the Grand Ballroom of the Ballsbridge Hotel in Dublin. While the much-anticipated competition does not officially start for another hour, several teams of eager competitors embraced the cold Irish winter morning and arrived well ahead of time at the venue, trusted laptops and well-worn network switches in hand, ready to play.
The decadent ballroom, with its chandeliers and rich furnishings often reserved for weddings and other formal occasions, is playing host to the IRISSCON 2016 capture the flag competition. The competition is a staple of the annual cybersecurity conference, which is one of the largest events of its kind in Ireland. The CTF attracts competitors from across the nation. Some participants are regular faces on the circuit, while others are playing for the very first time.
A Live Environment
William Bailey, operational security architect at IBM in Ireland, is one of the organizers of this CTF event.
“We aim to demonstrate and teach participants practical attack and defense techniques in a live environment, where discovery and exploitation of vulnerabilities, as well as securing systems and completing individual challenges, are rewarded,” he explained.
Bailey and his colleague Jason Flood are veteran CTF organizers, having run the major IRISSCON competition for the past several years. Today, Flood and Bailey are supported by a large team of dedicated volunteers from the IBM Ireland Lab’s cybersecurity division. Everyone has been hard at work in the Dublin hotel since 5 a.m. setting up the venue for the competition, lugging large server equipment, running computer network cables through the room and deploying their custom CTF platform from the master console.
Despite the early start, the excitement and energy in the room is palpable. The buzz picks up in harmony with the steady stream of diverse players arriving at the venue, aligning with the final preparation efforts from the organizing team. A total of 17 teams, each consisting of four players, preregistered for the event. Both new and seasoned players will be exposed to new tools, technologies, and attack and defense methods.
“We designed the platform so all players can effectively use real-life attack tools, and even seasoned players can find new techniques to exploit these systems, all inside of a sandboxed environment,” Bailey said. “We are encompassing both attack and defense techniques in a gamified, safe environment, scoring players on their ability to complete challenges, discover and exploit security flaws, as well as closing security gaps that they find on vulnerable systems.”
An Eerie Silence
At 10 a.m., with competitors ready and waiting at their assigned team roundtables, the lights are drastically dimmed to set the dramatic scene. After a quick briefing and rundown of the house rules from Flood, the IRISSCON CTF competition officially begins.
An eerie silence descends on the large hotel ballroom as the CTF gets underway, interrupted only by the occasional team chatter and the steady, rhythmic hum of the event’s electronic music soundtrack. Looking around, a trance has taken hold of the players, who are deeply immersed in the game. The atmosphere, while initially jovial in nature, quickly acquires a much more serious character.
A giant scoreboard is projected onto the wall, a central fixation point detailing the success of every conquest and victory throughout the day and showcasing the top 10 teams according to their accumulated points. Players’ eyes occasionally glance nervously upwards, evaluating how their efforts are faring against others on the leaderboard.
Aside from the standalone challenges, teams receive points by exploiting and maintaining control of vulnerable computer systems from a pot of 25 virtual machines, running a mixture of Windows and Linux operating systems, on the isolated CTF network. For each system a team successfully captures and owns while preventing access from other teams, it will receive one point per minute of ownership. Each vulnerable computer system is visually mapped to a specific country on the CTF scoreboard’s 3-D spinning globe. A country is lit up on the display when a team claims the corresponding machine.
One team, in a stroke of technical genius and ruthless defending strategy, cut off access to their machines by turning off Secure Shell (SSH). This made it difficult for their competition to capture and dispute ownership of these computer systems, even if they managed to discover the exploits that would have otherwise provided a backdoor to access.
During lunchtime, the CTF platform is temporarily switched off to accommodate a well-deserved food break for all. Still, many teams stay planted at their stations, cautiously discussing their strategies in mere whispers. Like football players in a locker room during halftime, these CTF competitors are deeply engrossed in their sport, examining their teams’s position and planning to adapt accordingly.
A company sponsor kindly provides a table of snacks and soft drinks in the corner of the ballroom, a much needed energy booster to keep players’ concentration and focus at optimum levels throughout the day. Later, during a coffee break, a number of curious conference attendees not involved in the CTF enter the competition room. One unassuming gentleman in the crowd quietly requests to be notified of the winning teams so he “knows who to hire.”
Pulling the Plug
Finally, after almost six hours of intense, highs-stakes competition, the plug is pulled on the platform. There is a massive, collective exhale, as if everyone inside the ballroom been holding their breath the entire day. The CTF is over and the scoreboard tells the spectacular story of a standout winner.
The first place team, which overtook the top spot after a fierce final stretch of the game, is beyond ecstatic, not to mention just a little mentally exhausted. These four players earn a gracious round of applause from their peers and sizable gift vouchers as a reward for their winning performance.
For many competitors, big-ticket prizes are a welcome, but material boon. Arguably, the real award in is the invaluable expertise, professional development, know how and industry contacts that CTF competitors stand to gain, regardless of whether their team comes in first or last place. For the winners, the glory and peer recognition received is an added bonus.
Looking to start a career in cybersecurity or raise your industry profile? A CTF competition is a great place to start. These events are often closely watched and attended by recruiters and management hoping to spot budding talent and headhunt existing professionals.
Job seeking or not, a CTF is one of the best ways to challenge your expertise inside a safe, forgiving and collaborative environment, whether you are a student, enthusiast or security guru. Aside from the clear technical development benefits, CTFs also offer participants a great opportunity to work on their soft skills, such as communication, teamwork, time management, problem-solving and adaptability.
Despite the competitive environment, the occasion also has a strong social element. It gives players a chance to meet up in real life to network, share knowledge and bond over common goals, experiences and interests. But if you are the kind of person that likes to go for gold, many CTFs, through sponsorship and funding, offer generous prizes.
Finally, CTFs are beneficial to security researchers and academics who can use the attack data and network traffic generated during competitions as case studies to help model, predict and prevent real-world security incidents.
How to Participate
CTF competitions are held in a variety of shapes, sizes and formats around the world each year. The popularity of these events is increasing as interest in cybersecurity and ethical hacking rapidly enters the mainstream.
Typically, CTF events operate on a bring-your-own-device (BYOD) basis, meaning players who wish to play will need to bring their own laptop to take part. However, it’s possible to run a CTF with the appropriate setup and permission to utilize existing infrastructure, such as a high school, college, office or even public computer lab.
If you are interested in taking part in a CTF competition, conduct a quick online search or chat with a local IT security professional or computer science professor to find an event near you. There is plenty of information and platforms online to help prospective participants prepare, train and even find a team for an upcoming CTF event. The CTF Field Guide is a brilliant resource to get started.
First-timers should not overprepare or worry too much. CTF games are inclusive events with open and welcoming atmospheres. If you do not have a team to play with, you will be assigned one prior to the competition or on the day of.
How to Organize a CTF Event
For those organizing a CTF, be sure to clearly communicate suitable rules and boundaries to the competition in advance of the event. For example, participants are usually prohibited from attacking the host venue’s network, performing denial-of-service attacks or breaching fellow competitors’ devices.
Chief information security officers (CISOs) should consider proactively encouraging staff to attend CTF competitions as part of their professional development. This would enable them to hone their red team skills, bond as a team and maintain their industry edge.
Better still, consider investing in your own CTF-style competition within your organization. Invite your employee base, local students and security enthusiasts to take part. Such initiatives form an effective basis for a wider cybersecurity education and awareness strategy. CTF competitions can help your security team stay on its A-game, promote your company and provide reliable, measurable channels to attract new talent.
Read the X-Force Report: The Role of CTF Exercises in Security Incident Response Planning