Fancy developing your cyber capabilities in a fun and social setting? You should try a game of Capture the Flag (CTF) in which participants attempt to hack a computer system. A CTF benefits everyone involved: hackers get to show off their skills, and companies can test their systems in a controlled environment. How is it played? What are the challenges? We explain all there is to know about this phenomenon.
What does a Capture The Flag (CTF) game consist of?
A CTF involves a team of hackers (or anyone else) trying to penetrate a computer system, usually in search of a file. This file acts as a flag and provides proof that they achieved their goal. The flag has no monetary value, but points are earned for each completed task. The winner is the team with the most points at the end of the competition.
There are two types of CTF:
- Attack-Defence: two teams are pitted against each other. They take it in turns to attack or defend in an (almost) no-holds-barred contest. It is the organiser who decides the rules and the tools to be used.
- Jeopardy-style: participants tackle one or several challenges in successive stages, without having to complete all of them. They pick a category according to their specialisation and the number of points up for grabs. The game ends when the time runs out, so speed is a crucial factor.
A CTF organiser can also offer different difficulty levels, allowing participants to play according to their level of expertise. In addition, CTFs give participants the opportunity to hack simulated systems that are very close to the real thing. These controlled attacks highlight legitimate system vulnerabilities that can subsequently be fixed, helping prevent a malevolent hacker from penetrating a genuine system.
The benefits of immersion and serious games in IT security are widely recognised. Nowadays, CTFs are featured at all the biggest cybersecurity meetings and conferences, like Google, DefCON, NuitDuHack and BreizhCTF.
How to tackle a CTF?
This type of game can be used across several fields, with multiple categories within each field. Each category comprises challenges classified according to their difficulty, so that entertainment is matched to ability.
In the world of CTFs, there are a few main cybersecurity disciplines:
- Binary Analysis/Reverse Engineering: this generally involves reversing a programme’s execution to find the password.
- Web: participants analyse scripts with a view to exploiting a website or application’s weaknesses and finding a password.
- Forensics: the problem consists of a compromised machine. The aim is to find a specific piece of information it contains by examining the evidence it holds (RAM, disks, logs).
- Network: the system has suffered, for example, a DDoS attack (Distributed Denial of Service). The teams must find the culprit and their method.
- Cryptography: the goal is to exploit a weakness in an algorithm, or a human error in how it was used, and thus read messages that were meant to stay encrypted.
- Mobile Security: specialists are given the task of finding a weak mobile application on the test telephone. The flag is in this application.
- Steganography: the flag is hidden inside a document or media file.
- Physical: like an escape game, the aim is to decrypt a USB key in a closed room to find the flag. This is the rarest type of CTF.
In most cases, organisers install a system with one of the most common weaknesses (like a weak password or a folder that shouldn’t be accessible). The flag’s position can range widely, from something very visible to a piece of information hidden deep down.
What are the advantages?
For the company:
- Demonstrate its interest and proactive efforts in cybersecurity
- Headhunt new talents
- Promote, support and develop the IT security ecosystem
For the participant:
- Learn and hone skills
- Meet potential employers
- Engage and meet with other experts in the ecosystem
Which tools are required to take part in a CTF?
The gear needed for such events depends on the type of CTF. In most cases, all you need is a computer. In certain competitions, participants must bring specific equipment like lockpicking, radio or NFC kits. For some on-site competitions where participants must be physically present, they must also bring an Ethernet cable to connect to the CTF infrastructure. More generally, the tools needed are similar to those for a pentest: a Linux machine (ideally Kali Linux) and any specific/specialised tools or scripts.
CTF: an increasingly popular ‘practice’
Google has organised its own annual CTF since 2016 with three main objectives: to improve security, promote the movement and grow the white-hat hacker community.
Over the last four years, the number of such events has skyrocketed to keep up with increasing demand from participants. A passionate community, a fun concept and fierce competition: its success isn’t hard to explain.