Why Our Team Loves Cybersecurity CTF Competitions


Are cybersecurity Capture the Flag (CTF) competitions just a game? Or do they make someone better at offensive security?

We asked the members of our technical team who are the most active in CTFs. We even run our own internal CTF every year and sponsor CTFs like justCTF.

So, why would anyone want to spend their time solving increasingly complex and sometimes frustrating cybersecurity-related puzzles?

Here’s what they said.


What Are Cybersecurity CTF Competitions?

Before we explain why our team enjoys participating in cybersecurity CTFs and why we think that is a good thing, here’s a quick recap of what we mean when we talk about “CTFs.”

Capture the Flag (CTF) events are cyber competitions where participants test their skills in various subdomains representing different offensive security practices.

Some popular CTF subdomains right now are binary exploitation, reverse engineering, cryptography, web, and forensics, with new categories, like blockchain, appearing too.

There are two main kinds of CTFs that our team plays, “jeopardy” and “attack-defence”.

Jeopardy

Named after the classic TV game show (Jeopardy!), jeopardy CTFs are where participants compete to find as many flags as possible from challenges in various categories.

Sometimes, players compete alone; other times, they play in teams.

Each jeopardy category, like cryptography, has challenges where you must score more points than the other team.

Jeopardy-style CTFs are the most popular type of CTF competition. They are often open to the public and held online (though they can also be in-person).

You can see a list of upcoming jeopardy CTFs here that are mostly open to the public.

Attack-Defence

Attack-defence CTFs see participating teams go head-to-head to try and find flags in each other’s environment while at the same time stopping the other teams from doing the same to them.

Participants have to defend a virtual machine/network (known as a “Vulnbox”) that hosts vulnerable applications and, simultaneously, find vulnerabilities in them to attack the other team’s Vulnbox.

Competing teams are connected to the same network but will run exploits from their own machines against each other.

As a kind of cyber wargame, attack-defence CTFs tend to be more involved than jeopardy-style CTF competitions, require more teamwork and are designed to mimic real-life cyber warfare exercises.

Some of our team competes in Locked Shields every year, the world's largest and most complex international live-fire cyber defence exercise. This attack-defence style exercise focuses on real-time attack and defence scenarios with participants representing their home countries.

Locked Shields is designed to help prepare cyber responders (and NATO forces as a whole) for real-life threats and ongoing cyber warfare.


CTF Competitions Show You Things You Can’t Google

Our team members feel that taking part in cybersecurity CTFs is a way to learn skills you (probably) will not learn about in a course, cert, or through search engines. Take persistence, for example: approaching a challenge from many different angles and having patience are critical to success as an offensive security pro.

In the real world (i.e., during an offensive security engagement), you may never see the same exact vulnerability or attack chain as you do in a CTF challenge, but CTF challenges give participants knowledge and problem-solving abilities that are identical to the skills they need in reality. Our team members all agree that doing CTFs for fun has made them better at hacking for a living.

“That’s the best thing about CTFs. Being able to solve a problem and learning a lot about how to research something that is not Googleable,” said one of our team members.

The consensus is that CTFs give players a chance to step outside their comfort zones without real-world consequences. Afterwards, they can also read write-ups about how people approached similar challenges.

“[With CTFs], you get a chance to try your skills in areas/categories you are not skilled in. Someone that usually only solves web challenges can try their hand at cryptography-related challenges,” said another of our team members.

One SECFORCE team member remembers trying his hand at a binary exploitation challenge from a wargame website for an extended period of time while getting advice from more experienced players on the topic before being able to solve the challenge in question.

This kind of experience is common among CTF players. While certifications help professionals obtain certain skills, their slow update pace only gets a person so far. CTFs give players constantly changing challenges to hone their skills.

There’s no real barrier to taking part in a CTF, either. Some of our team members have been participating in cybersecurity competitions since high school.


Come for the Prestige and Points; Leave with…New Friends

Or at least a broader professional network.

CTFs teach skills, but another benefit of participating in a CTF is the network you get as a result. Our team members find that CTFs help them meet skilled offensive security practitioners in real life, often people they might have talked to online for years but never met.

Teamwork is also important for creating and testing a CTF challenge.

“In attack-defence CTF challenges, a lot of teamwork is needed. Not just completing the challenge but also making sure others don’t exploit you,” said a SECFORCE team member.

You might think your challenge can only be solved in one way, but once you start collaborating with others, you could find that there is actually a much simpler solution you did not intend for your challenge.


Designing a CTF Challenge Is a Challenge In Itself

You can buy CTFs, but it's better to build your own.

Our team does a lot of work to design and prepare a challenge in a way that doesn’t expose anything it shouldn’t. The infrastructure must be secure enough to create a fair playing field.

“It shouldn’t be possible for someone to hack the system and allow themselves to collect more flags than they’re supposed to or harass other players,” said one of our team members.

Especially important, according to our team members, is that the underlying infrastructure of a challenge isn’t open to abuse to make the challenge unsolvable for other teams.


SECFORCE’s Internal CTF Challenge Has Been Running for Several Years

We mostly run jeopardy-style events, though we have also done attack-defence.

Our aim is to create a fun challenge that our team can use to learn new things and compete with each other. Competitiveness varies, but we focus mainly on creating an opportunity to learn and encourage collaboration.

Last year, we also invited our clients to take part in our CTF and play against our internal teams.


CTF Fan? Consider Joining the Force

If the above sounds fun to you, why not join us?


Cybersecurity CTF FAQs

How long do CTFs take?

CTFs usually last 24-48 hours but can also go on for a week or even longer. For example, Mandiant's FLARE runs a yearly six-week competition (FLARE-ON).

It’s up to the players themselves how long they want to spend on challenges within a CTF’s timeframe.

We will say that one of our team members once played for 20 hours straight!

Where do CTFs take place?

CTFs can be both physical and virtual.

Some can be split. For example, a teaser might be open to the whole world, and then the top teams will get to come to the onsite CTF.

Onsite cybersecurity CTFs are often attached to some kind of conference, like the DEFCON CTF.

Whether a CTF is physical or virtual depends on the particular CTF, its budget, etc.

Can anyone take part in a CTF?

CTFs can be open to everyone or by invitation only. For a list of upcoming CTFs, visit CTFtime.org.
