Light Dark
December 7, 2017 By Richard Moore
John Clarke
5 min read
Incident Response
Intelligence & Analytics
X-Force

On Thursday, Nov. 23, 2017, the IBM X-Force Command Advanced Persistent Threat (APT) capture the flag (CTF) competition kicked off at the IRISSCON 2017 conference in Dublin.

Forty-eight contestants across 12 teams battled it out in a free-for-all competition that required hacking, defending and forensics skills.

What Is a CTF Competition?

A cybersecurity CTF competition is designed to highlight the strengths and weaknesses in a security team’s technical aptitude, response strategies and time management. Teams must amass as many points as possible, which can be achieved through multiple routes. Having multiple ways to score points encourages teams to organize and think carefully about where the focus of each team member should be.

The IBM X-Force CTF contest is broken down into four sections:

  1. Vulnerable servers built with publicly known vulnerabilities;
  2. Offline security puzzles (packet capture, forensics, steganography, cryptography, etc.);
  3. Fastest finger first security questions; and
  4. Controlling our hackable city, Hadley’s Hope.

Simulating an Advanced Persistent Threat

The CTF framework is designed around the idea of an APT. An APT is a network attack where the attacker’s main objective is to gain unauthorized access to a system and remain there undetected for an extended period of time. Once in the system, the threat actor can start siphoning out data or just lay in wait preparing for the next stage.

To simulate an APT in our CTF, participants must run the CTF’s custom-made malware to claim control of a server and begin scoring points. Once a team has control of a server, it must do everything it can to hold onto it and protect it from other competing teams.


Points are awarded for every minute a team can hold onto a server. As each team expands its botnet of vulnerable servers, it will harvest more points, pushing the team up the leaderboard.

Each server is mapped to a country, which lights up on the scoreboard when captured by a team. This allows everyone to follow the malware epidemic spread around the game globe.

Teams can also score points by completing offline security puzzles around the areas of packet capture analysis, forensics, reverse engineering and steganography. While teams work on those elements, they also need to keep an eye out for one-off security questions throughout the game, where only the first correct answer is accepted.

Read the report: Using gamification to enhance security skills

On the Day of the Competition

Participants arrive with their laptops, attack tools and any automation that they have developed to help them complete the challenges. Once everyone has connected to the CTF’s sandboxed network and the rules have been explained, a six-hour timer is started and the players are let loose.

Each vulnerable server is configured to report back to IBM QRadar, an event management and log aggregation tool. As players start to attack the vulnerable servers, QRadar’s dashboard begins lighting up. Brute-force attacks, privilege escalation attempts and a range of other messages highlight the player actions for anyone passing by to review.

The IBM X-Force Command team also leverages QRadar to monitor the competition for prohibited malicious activity. This is a hacking competition, after all.

Hacking Hadley’s Hope

Bringing attention to cyberattacks can be a tricky affair, especially when your audience is nontechnical. Most cyberattacks lack impact and meaning to some organizations, and more so to the public. This is a substantial hurdle to overcome when trying to draw attention to the growing volume of cyberthreats. How do you demonstrate the potential damage of a cyberattack in a visual, tangible and memorable way? An interesting solution is to use hackable Internet of Things (IoT) devices and pair them with models created using 3-D printing technology.

Hadley’s Hope is a science fiction-themed model city with physical, hackable services that are controlled by IoT devices. When a hacker gains access to one of these services, his or her actions are made visually apparent to anyone observing the model city. When the city’s train starts moving too fast, for example, or when its perimeter fence lights are flashing seemingly at random, it is very apparent that the system has been compromised. With these visual cues, it is much easier to demonstrate the potential dangers of a cyberattack to both technical and nontechnical audiences.

On the day of the competition, many teams attempted the Hadley’s Hope challenge, with one team managing to hack in and take control of the perimeter fence and train. The successful team revealed that this was one of the most enjoyable challenges — so enjoyable, in fact, that the team wanted to continue triggering events in the city even after the game had ended.

The Value of CTF Exercises

A CTF competition challenges participants to find and exploit security vulnerabilities, solve problems and fend off network attacks while keeping an eye on the game clock. Many contestants create automation scripts on the day of the competition to help them slow opposition teams taking control of their servers or to help them capture another server.

Team building is a big part of a CTF competition since individuals must work together as a team to succeed. Teams must communicate, divide work and assist one another to score high on the leaderboard.

The way we train the current and next generation of cybersecurity specialists will have a defining impact on the level of security we all feel when using technology. Fostering creativity and motivating your workforce can be challenging, but when we gamify these efforts, it takes advantage of our competitive side, improving our learning, innovation and preparation.

The Next Step: Red on Blue Training

A CTF is one approach to tackling the security skills gap. Another is red on blue incident response training. During the CTF, we managed to preregister 15 groups from organizations in the industry and colleges for our new red on blue experience, which is starting in January 2018.

Related: The Hunter Becomes the Hunted: The Value of Red on Blue Cyber Training

Groups of eight to 10 people will join us out at our Dublin campus, where they will be divided into two teams. The red team will be handed attack tools and small snippets of information about the targets that it must attack to disrupt normal service and exfiltrate mock customer data. The blue team will be given a sandboxed network with servers and web applications that it must defend from the red team.

These scenarios offer participants a chance to hone their technical skills, gain a hacker’s perspective and test team dynamics. They also give IBM an opportunity to showcase the IBM Security stack in live, configurable scenarios and generate new connections with businesses and academia. Throughout the year, we will grow and evolve the experience to incorporate more scenarios around malware, insider threats and social engineering.

 |  |  |  |  |  |  |  | 
Richard Moore
Security Gamification Specialist, IBM
John Clarke
Ethical Hacking Test Engineer, IBM

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature