CTF: training in cybersecurity

Capture the Flag (CTF) is an entertaining way of entering the world of cybersecurity and staying in shape: a series of events and trials that develop your most “hack3r” side. What do they consist of?

We can all picture a film in which a person known as a “hacker” accesses the most secure systems in the world after wrongly typing in three lines of code, activating several pop-up windows and seeing the words “access granted” in huge green letters. Whether it’s an aerospace defence system or a neighbour’s router, it’s not that simple. Reaching that level (putting science fiction to one side) is much more difficult than we imagine.

How can we make progress in the hacking world? Make no mistake. There’s no magic formula, nor is there an easy path to follow. To be the best you have to practise. No one would question that. And, to be one of the best at cybersecurity, a good training activity is to “play” at CTF (Capture the Flag), whether you’re a novice or an expert.

CTF could be defined as a cybersport that isn’t played outdoors. Entertaining, addictive and, sometimes, with material rewards. What more could you ask for? Attributes that mean that CTF is gaining more and more popularity among people entering the world of cybersecurity. “These are highly technical practices carried out by companies specializing in ethical hacking in which they compete in an open manner, providing them with the satisfaction of overcoming great challenges, assessing themselves and enjoying the prestige of winning a competition of this kind”, underlines Rasha Aljelani, head of the SecOps team at BBVA IT España.

In CTF we can distinguish the following categories, each with its own rules and characteristics:
● Forensic Analysis [Forensics]. The most common: memory images, hard drive images and network captures that store different types of information.
● Cryptography [Crypto]. Texts encrypted by a given cryptosystem.
● Steganography [Stego]. Images, sounds and videos that conceal information inside them.
● Exploitation [Pwn]. Identification of vulnerabilities in a server.
● Reverse Engineering [Reversing]. Inferring the functioning of the software. The most common: Windows and Linux binaries.
● Programming [PPC]. Also known as PPC (Professional Programming & Coding). Challenges in which it’s necessary to develop a program or script that performs a certain task.
● Web. Identification of vulnerabilities within a web application.
● Reconnaissance [Recon]. Searching for the flag on different Internet sites. Clues are offered to find it, such as the name of a person or a place.
● Trivial [Trivia]. Different questions related to computer security.
● Miscellaneous [Misc]. Random challenges that may belong to different unspecified categories.

Generally there are two forms of CTFs: Jeopardy, which involves resolving a set of challenges to capture a flag, and Attack-Defence, in which each team has a network/server with vulnerable services that it has to patch or exploit when it’s its turn. In some places mixing these two modes can result in a third called Mixed.

CTF events

Events are organized within these training exercises in which participation is usually in teams. Each member of the team is given the tasks he/she is best at within each category so that each of them can pass all the tests with a greater degree of effectiveness and speed than everyone else.

Sometimes, although it’s rare due to the difficulty of the tests and the short time available, there may be single-player teams. However, these are exceptional cases, as most teams have members with lots of experience and good skills among their ranks.

For the youngest players, aged between 8 and 16, there’s a special form of CTF that enables them to join the world of cybersecurity. It’s an ideal complement allowing them to learn and to put into practice new concepts within the hacker world at each event.

All the CTF events are held in environments deliberately prepared to be attacked. Both the server and the web application have security high enough for the players to exploit their skills to the full. No one should imagine that CTF is a springboard for hacking the neighbour’s Wi-Fi network or an acquaintance’s Instagram; it’s all about learning and improving skills.

Becoming an IT security expert is a highly interesting option. It’s undoubtedly one of the skills most in demand among companies and one of the professions with the brightest futures.