What is a CTF?
A Capture the Flag event, or CTF for short, is a gamified exercise designed to test cybersecurity skills. The goal of the game, much like in the live-action, outdoor game many of us remember from childhood, is to get the highest score by capturing the most flags.
The most common formats of cybersecurity CTF events, according to the European Union Agency for Cybersecurity, are Jeopardy and Attack-Defense. Jeopardy challenges are stand-alone, problem-solving challenges which yield one flag for each successfully completed challenge. In Attack-Defense challenges, participants are given a range of targets in the form of vulnerable services, and the goal is to take down as many targets as possible to retrieve as many “flags” as possible. Depending on the CTF, participants may form teams or compete independently.
The Benefits of CTFs
CTF events can be effective tools for assessing cybersecurity skill level and for teaching new skills in a gamified scenario. CTF creators can design the competitions to test a variety of skills at any level. For example, some CTFs may focus on penetration testing and set challenges testing the offensive cybersecurity skills of participants. Other CTFs may be designed to test both offensive and defensive capabilities with teams attempting to breach each other’s networks and protect their own against attacks. CTFs can also have more specific focuses, testing skills in reverse engineering, network traffic analysis, or other subfields within cybersecurity.
Building Employee Engagement for Cybersecurity
The field of Learning Science Principles has taught us that “understanding motivation is critical” for effective learning to occur in any field. For many development organizations, employee engagement is one of the biggest challenges to creating a culture where cyber security training is embraced. For example, if developers see security as a burden or a distraction from “real work” (like releasing software on time), then they are less likely to take the necessary steps to secure their code against attack.
In addition to security champion programs, CTFs can be a great way to increase employee engagement in cyber security education. CTFs allow participants to practice in a virtual environment where it’s safe to demonstrate what can go wrong. This can help developers understand why security is a necessary part of the development process — not just something to be done if time allows.
While some CTF participants choose to play for the opportunity to demonstrate their mastery of cybersecurity skills or simply for fun, others play for the chance to win prizes. These prizes — much like the prizes offered as incentives to complete secure code training — may come in the form of cash, organizational recognition, scholarships, or admission to more restricted CTFs. In addition to the individual benefits, the organization can also derive significant benefits from encouraging its employees to play these games, or from assembling and sponsoring a team of employees to play against other teams in a larger competition.
Contrary to popular belief, CTFs are not only valuable to cybersecurity personnel; a developer could also benefit from participating in a CTF that demonstrates how web applications can be exploited by an attacker. By learning about these attack patterns and how to defend against them, the developer can improve the security of their own code.
Introduction to Realistic Attack Scenarios
CTFs take place in gamified environments, so they are not a perfect simulation of a real-world cyber attack, and organizations should not depend upon them alone to prepare security staff for real-world events. Although CTFs aren’t a one-stop shop for cybersecurity education, and should be used in conjunction with secure code training, they can still provide a valuable introduction to, and experience in, using offensive and defensive skills. This is especially the case with CTFs designed to closely mimic realistic scenarios, such as an attack-defense exercise where teams compete against one another.
Some of the more realistic CTFs may enable the player to gain more familiarity with security tools and the different ways in which an organization can be attacked. This, in turn, enables the player to identify potential defensive countermeasures and to use these security tools in their everyday work.
Low-Risk Incident Response and Process Testing
In the event of a real-world cyber attack, having a strong incident response (IR) plan which defines how personnel should respond can make a major difference in the magnitude of damages inflicted on an organization from the attack. However, no plan is perfect, and even small flaws or oversights in the process can degrade the effectiveness of incident response. Participating in a CTF provides an opportunity for an organization to test its incident response strategies in a low-risk environment. For example, during a CTF where the security team must defend its network against attack, team members can gain practice with following the organization’s security processes and using the tools that they would need to use when responding to a real incident.
Unlike in a real security incident, there is no cost of failure in a CTF. Even a loss is a win if it teaches the organization where the weaknesses in its defensive strategy are and helps identify additional staffing needs. Additionally, the individual or team will have the ability to perform retrospectives after the CTF and, in many cases, read writeups which describe the “right” way to handle a particular threat. This can be used to re-evaluate and improve existing IR plans and to better prepare the organization to face real-world threats.
Hands-on Practice with Software Vulnerabilities
While guides exist to help developers identify the most common types of cyber security vulnerabilities, such as the OWASP Top 10, reading about best practices may not be enough for a developer to identify and patch the vulnerabilities in their own code. That’s why it’s important that developers learn to “think like a hacker” by learning offensive strategies in addition to defensive responses.
Participating in a CTF helps developers learn to think creatively about how software can be exploited. Some CTFs provide the opportunity to play offensive, exploiting the same types of vulnerabilities that they are trying to identify and eliminate in their code. A CTF designed to be challenging will offer participants experience with different variants of attacks which are not explicitly described in guides. This experience enables them to build better security test cases and identify and remediate potential vulnerabilities within their code.