I first learned about gamification in college when I attended a talk about internship opportunities at IBM. Jason Flood and William Bailey, members of the security teams at IBM Collaboration Solutions (ICS) and Industry Solutions, made a great impression on me when they spoke about capture the flag (CTF) events they were building for students and the IT industry.
What really piqued my interest was how gamification and capture the flag events could teach people about security in a learning environment without a lot of pressure. I was what you would describe as a new collar candidate. I hadn’t gone straight into college after my primary education, instead going into the workforce as a laborer and truck driver. But I decided to go back to school to retrain and rewire my brain for new skills in the IT world.
I’ve always had an affinity for electrical things and learning how they worked. I was grounded once as a kid for taking apart the clothes iron and reassembling it in a nonconventional way. IT seemed to be the next logical progression in my career, where I could break stuff intentionally. After an internship at IBM, I was luckily accepted into the ethical hacking team in the Dublin, Ireland lab at the ripe old age of 33. The ethical hacking team at that time was very involved in providing cybersecurity education and CTF frameworks for universities and conferences throughout the U.K. and Ireland. Some members of that team have gone on to join IBM X-Force Red. It was during this time that I really caught the gamification bug.
Gamification and Capture the Flag: What Are They?
Most people interact with some form of gamification in their daily lives. What is it? Gamification — the application of game-design elements and game principles in nongame contexts — taps into that natural human need to play, improve and maybe win sometimes. For example, we use gamification when we collect coupons at the store, participate in loyalty programs and use fitness apps. Gamification is also used in the education system — think student rankings based on GPA, dean’s lists, honor rolls, scholarships, etc.
A capture the flag exercise is a gamified set of challenges designed to teach cybersecurity skills in a variety of categories. CTF events generally have a mixture of professionals and students participating. The types of CTF are Jeopardy-style, attack-defense and mixed.
In a Jeopardy-style CTF, participants take on challenges in a range of categories, including application security, forensics, reverse engineering, cryptography and more. Teams discover “flags” and submit them for points. Challenges get progressively harder and teams earn more points based on the level of difficulty.
In an attack-defense CTF, competitors attempt to compromise systems and services with known vulnerabilities. Once a team has compromised a system, it must then defend that system against opposing teams. Participants perform the actions of a red team (attackers) and switch to the blue team (defenders) seamlessly. This game can be continuous and run for many days.
A mixed CTF is a combination of both Jeopardy and attack-defense.
Many of the challenges in CTFs are built around the OWASP Top 10 Application Security Risks or the SANS Top 25 Most Dangerous Software Errors, which give participants a feel for real-world vulnerabilities that many industries have to contend with.
How CTF Events Can Help Recruit and Train Cybersecurity Experts
The value of CTFs in terms of cybersecurity awareness, training and education is evidenced by the number of CTF events out in the wild today and the caliber of participants. CTFs are valuable for sharpening the skills of technical operators. Just like athletes who constantly train to stay in top shape, cybersecurity experts need to keep on top of their game.
From attending and building CTFs myself, I have seen how they can be used to train new hires and employees and as a tool for recruitment. Given the impending global cybersecurity skills gap that’s expected to reach approximately 3.5 million unfilled jobs by 2021 and attacks rising year after year, as a community we need to engage people sooner in the career pipeline. This is why the new collar approach — considering job candidates who lack a college degree or cybersecurity background — is so vital.
I’ve also seen how CTFs can provide an opportunity for a company to interview large numbers of people in a safe and controlled environment. I’ve observed recruiters from many companies walk the CTF floor asking people questions during an event. The benefit for recruiters is that they can witness participants showcasing their technical, social and teamwork skills in person. Recruits can discuss vulnerabilities and demonstrate how they compromised systems, how the team broke down tasks and how they solved them.
The environment of a CTF is relaxed and fun, which enables people to show their social side. This environment removes the pressure of an interview, where you’re sitting in a chair in a small room, slumping awkwardly in an ill-fitting suit and hoping you don’t answer any of the questions wrong. The CTF is the place where you can make mistakes, hone your skills and become a better professional.
Engaging and Training the Next Wave of Cyber Professionals
I am lucky enough to have been part of many CTF events over the years, and I’ve seen the concept evolve into an amazing platform for engaging employees, raising awareness and training the future cyber workforce. I am also lucky to be part of IBM’s world-class X-Force Command special forces team as a gamification engineer.
IBM Security is at the forefront in the gamification space, as is evident from the unique facilities we have in the X-Force Command Cyber Range in Cambridge, Massachusetts and the X-Force Command Cyber Tactical Operations Center (C-TOC), a security operations center (SOC) and cyber range aboard an 18-wheeler tractor trailer, now touring Europe.
Our gamified breach simulations immerse participants in a scenario that brings them as close to the endgame as possible. In this high-pressure scenario, clients can test their processes, identify gaps in their security plan and train the muscle memory that is required for when worst happens.
My small part in this well-oiled machine is to provide the technical aspects of the cyber range offerings, building out attack scenarios in the attack-defense challenge we call Cyber Wargame. I also work on developing CTF events within IBM’s own CTF framework, doing my part to help engage and train the next wave of cyber professionals here at IBM.
It’s exciting to do this work for IBM, but I also enjoy taking my experience creating CTFs outside of my job. Last month, I was honored to have the opportunity, along with the Irish branch of the nonprofit security organization Honeynet Project, to support the inaugural cybersecurity competition at the Ireland Skills Live event. WorldSkills competitions have been running since 1950, but this was the first event in Ireland, with teams from universities across the country competing for a chance to represent the nation at a future event in a global WorldSkills competition.
The upcoming graduates’ passion for cybersecurity and vast array of knowledge was clear. Participants told me they had played in many CTFs and that they feel it gives them a better chance at employment. The interest from spectators was very high too, which was one of my main goals for this event. I really wanted to raise awareness among the public and remove some of the mystique around cybersecurity, while correcting the Hollywood notion some people have of cybersecurity.
The event was a success from a recruitment perspective, with many colleges and schools requesting an on-site event for their students. Parents and their kids asked for resources and locations where they could get more information and participate.
The security community offers many opportunities for information sharing, learning and networking, and none more so than a CTF event. Events like this can only help in tackling the cybersecurity skills gap going forward.