Cybersecurity is a serious business. The end result of a poor security program can lead to lost data, reputational damage or financial ruin.
However, just because the work itself is serious doesn’t mean lessons can’t be learned in a fun manner. In fact, a great deal of research indicates people tend to learn faster, retain knowledge, and are simply happier when their lessons are conducted in a fun and exciting manner.
This methodology, dubbed gamification, is something our Trustwave SpiderLabs team and consultants have embraced to become sharper at their jobs, build camaraderie and attract newcomers to the cybersecurity field.
I chatted to Nigel Hardy and Max Caminer in the Pacific region, both heavily involved in creating and running CTF competitions, for their insight on why this type of gamification benefits cyber specialists.
Capture The Flag (CTF) competitions are a great way for people to exercise and test their skills. The “game” can be held in person, online or self-directed, but mostly they’re run across a dedicated day or weekend. Individuals, or teams of cyber ‘hackers’ consisting of a group of local friends or specialists from around the world, some in person and some virtual, work through a specific set of cybersecurity puzzles to find the ‘flag’ and prove that they solved the challenge.
CTFs are not just for the cyber pro but cover different levels of technical experience, from people just starting out in the cybersecurity field to incredibly complicated problems designed to test even the most experienced cybersecurity specialists. For example, an entry-level game might focus on a team’s ability to access open-source materials, essentially using common search engines to find clues leading to the target. More difficult CTFs will likely use exploitation of vulnerabilities, reverse engineering, programming, and cryptographic skills to test the participant’s skill levels. For the most part, skills used in a cyber specialist’s day-to-day job are involved because the goal, besides winning, is to learn amongst our peers and improve our abilities.
Trustwave doesn’t just sponsor a bunch of industry activities to make this happen, but staff are actively involved in engaging the next generation of threat hunters by building challenges at these CTF events. Max and Nigel both have hands-on experience setting up challenges and running these competitions in the Pacific region. In Max’s case, the very first CTF he played at his university cyber security society, lead him to realise this is what he wanted to do for his career. He now leads in the southern hemisphere's largest CTF competition DownUnder CTF running on September 23, with over 4,000 participants and 1200 teams (2021). Nigel and Max are also involved in WACTF - Western Australia’s CTF, a 2 day event running in December with challenges built from real life examples with significant industry input. We also have team members involved in Pecan+ CTF, UTS CSECCON, Crikeycon, and BSides events across Australia.
CTF As a Path to a Cybersecurity Career
Many participants first join CTF events at university. The great thing about a CTF is that at some events, skill level is not as important as a desire to learn more about cybersecurity. What is needed is the urge to figure out a problem. For high school and college students, and older postgrads looking for a career change, the benefits of participating in a CTF include the ability to learn new skills, develop hands on experience in the cybersecurity industry, and build a network of peers to continue your cyber journey.
A CTF is a great place for a person to showcase their cybersecurity skills. While these events are not recruitment driven, players know that cybersecurity companies, like Trustwave, and organizations like the ACSC and ASD are sponsors and have an eye on who is attending with a view to identifying and nurturing top talent.
Essentially, if your team does well at a CTF you will be noticed. And indeed, that is working for some of our interns in the Pacific region. We spotted a top performer at DUCTF who has joined Trustwave as an intern and was recently offered a role in our elite pentesting team as a casual penetration tester as he completes his high school studies.
The good thing for Trustwave is there are so many people that participate and our presence throughout the event just means that people are coming and talking to us, looking for tips and insight.
Prove your skill
At Trustwave, we also use our own CTF challenges, as well as software as a service hacking platform like HackTheBoxbox and PentesterLab, to upskill our own staff, showing them how to identify new malware techniques and how to identify and exploit vulnerabilities. We can use the results of challenges to identify development plans for individuals and cross-skill people into new teams to broaden their capabilities.
We also sometimes use short CTF challenges as part of the job interview process to test potential candidates for technical roles before they join our business – giving them an opportunity to show us how deftly they can complete the task, as well as better understanding their troubleshooting process and problem solving skills.
As with any team effort, a CTF helps generate a great deal of camaraderie as people with different skill sets come together to solve the problem. Nigel shares, “What we often see is a team with a fantastic cross section of skills coming together to utilize all of their strengths to figure out how to approach and complete a challenge. Watching how the team learns from each other, and recognize who is best placed to work a problem, can be really satisfying.”’
CTFs are very helpful to both sides of the hacker 'game' – with blue teams on the hunt for the attackers inside their system and working to block malicious activity, while the red team conducts a 'sanctioned' attack. Pulling people in from both sides of an attack, offense and defense, requires multiple skill sets within that technical space and is remarkably hard to set up. When done correctly, is one of the most challenging types of CTF events as each ‘side’ tries to outwit and circumvent the other.
Max advised that the best teams that come to these events bring people with diverse and varying skill sets. Somebody is on hand to deal with web apps, another person will deal with reverse engineering, while a third is on crypto. Everybody tries to pull together to stay one step in front of the other team.
To continue the fun and training, the event organizers post the challenges online on GitHub after the CTF event is completed so people can spin up the challenges themselves, and view the solutions to each challenge. This creates a training ground for people looking to develop specific skill sets. Max advised that you can easily find published challenges that can help you improve, or watch the available YouTube videos that show how the challenges are solved.
The skills acquired in CTF competitions are the foundation of great cyber specialists. Our SpiderLabs team members spend an average of 25% of their time doing research, producing analysis such as this recent in-depth study on the tactics used in the Ukraine/Russia war. Our threat hunters and DFIR teams use this research data together with a human-driven approach to detect unknown threats for our clients. CTF competition participants exercise essential skills, making them outstanding pen testers, as they hone their craft looking for clues and understand evolving attack methods.
For people like Nigel and Max, participating in setting up and running CTFs is a passion – they want other people to experience the camaraderie you get when you join a team and the sense of accomplishment when solving the challenges and scoring on the leaderboard. Their goal is to provide supportive and inclusive entry points into the cyber industry in Australia, to help develop everyone’s ability, and to grow the cybersecurity community across the Pacific region.