On Thursday, Nov. 23, 2017, the IBM X-Force Command Advanced Persistent Threat (APT) capture the flag (CTF) competition kicked off at the IRISSCON 2017 conference in Dublin.

Forty-eight contestants across 12 teams battled it out in a free-for-all competition that required hacking, defending and forensics skills.

What Is a CTF Competition?

A cybersecurity CTF competition is designed to highlight the strengths and weaknesses in a security team’s technical aptitude, response strategies and time management. Teams must amass as many points as possible, which can be achieved through multiple routes. Having multiple ways to score points encourages teams to organize and think carefully about where the focus of each team member should be.

The IBM X-Force CTF contest is broken down into four sections:

  1. Vulnerable servers built with publicly known vulnerabilities;
  2. Offline security puzzles (packet capture, forensics, steganography, cryptography, etc.);
  3. Fastest finger first security questions; and
  4. Controlling our hackable city, Hadley’s Hope.

Simulating an Advanced Persistent Threat

The CTF framework is designed around the idea of an APT. An APT is a network attack where the attacker’s main objective is to gain unauthorized access to a system and remain there undetected for an extended period of time. Once in the system, the threat actor can start siphoning out data or just lay in wait preparing for the next stage.

To simulate an APT in our CTF, participants must run the CTF’s custom-made malware to claim control of a server and begin scoring points. Once a team has control of a server, it must do everything it can to hold onto it and protect it from other competing teams.


Points are awarded for every minute a team can hold onto a server. As each team expands its botnet of vulnerable servers, it will harvest more points, pushing the team up the leaderboard.

Each server is mapped to a country, which lights up on the scoreboard when captured by a team. This allows everyone to follow the malware epidemic spread around the game globe.

Teams can also score points by completing offline security puzzles around the areas of packet capture analysis, forensics, reverse engineering and steganography. While teams work on those elements, they also need to keep an eye out for one-off security questions throughout the game, where only the first correct answer is accepted.

Read the report: Using gamification to enhance security skills

On the Day of the Competition

Participants arrive with their laptops, attack tools and any automation that they have developed to help them complete the challenges. Once everyone has connected to the CTF’s sandboxed network and the rules have been explained, a six-hour timer is started and the players are let loose.

Each vulnerable server is configured to report back to IBM QRadar, an event management and log aggregation tool. As players start to attack the vulnerable servers, QRadar’s dashboard begins lighting up. Brute-force attacks, privilege escalation attempts and a range of other messages highlight the player actions for anyone passing by to review.

The IBM X-Force Command team also leverages QRadar to monitor the competition for prohibited malicious activity. This is a hacking competition, after all.

Hacking Hadley’s Hope

Bringing attention to cyberattacks can be a tricky affair, especially when your audience is nontechnical. Most cyberattacks lack impact and meaning to some organizations, and more so to the public. This is a substantial hurdle to overcome when trying to draw attention to the growing volume of cyberthreats. How do you demonstrate the potential damage of a cyberattack in a visual, tangible and memorable way? An interesting solution is to use hackable Internet of Things (IoT) devices and pair them with models created using 3-D printing technology.

Hadley’s Hope is a science fiction-themed model city with physical, hackable services that are controlled by IoT devices. When a hacker gains access to one of these services, his or her actions are made visually apparent to anyone observing the model city. When the city’s train starts moving too fast, for example, or when its perimeter fence lights are flashing seemingly at random, it is very apparent that the system has been compromised. With these visual cues, it is much easier to demonstrate the potential dangers of a cyberattack to both technical and nontechnical audiences.

On the day of the competition, many teams attempted the Hadley’s Hope challenge, with one team managing to hack in and take control of the perimeter fence and train. The successful team revealed that this was one of the most enjoyable challenges — so enjoyable, in fact, that the team wanted to continue triggering events in the city even after the game had ended.

The Value of CTF Exercises

A CTF competition challenges participants to find and exploit security vulnerabilities, solve problems and fend off network attacks while keeping an eye on the game clock. Many contestants create automation scripts on the day of the competition to help them slow opposition teams taking control of their servers or to help them capture another server.

Team building is a big part of a CTF competition since individuals must work together as a team to succeed. Teams must communicate, divide work and assist one another to score high on the leaderboard.

The way we train the current and next generation of cybersecurity specialists will have a defining impact on the level of security we all feel when using technology. Fostering creativity and motivating your workforce can be challenging, but when we gamify these efforts, it takes advantage of our competitive side, improving our learning, innovation and preparation.

The Next Step: Red on Blue Training

A CTF is one approach to tackling the security skills gap. Another is red on blue incident response training. During the CTF, we managed to preregister 15 groups from organizations in the industry and colleges for our new red on blue experience, which is starting in January 2018.

Groups of eight to 10 people will join us out at our Dublin campus, where they will be divided into two teams. The red team will be handed attack tools and small snippets of information about the targets that it must attack to disrupt normal service and exfiltrate mock customer data. The blue team will be given a sandboxed network with servers and web applications that it must defend from the red team.

These scenarios offer participants a chance to hone their technical skills, gain a hacker’s perspective and test team dynamics. They also give IBM an opportunity to showcase the IBM Security stack in live, configurable scenarios and generate new connections with businesses and academia. Throughout the year, we will grow and evolve the experience to incorporate more scenarios around malware, insider threats and social engineering.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today