Florence Liang [email protected]
You may remember Capture the Flag as “that tedious game” you played when you were younger. Some kids would enjoy playing as “attackers” by traveling to the enemy’s base to retrieve flags, while other children would play as “defenders” by protecting the team’s base. Yet, applied to cybersecurity, capture the flag (CTF) is an intense game constantly outgrowing the name it was given.
The win condition of CTFs in cybersecurity is largely the same as the goal of the childhood favorite: retrieve as many flags as possible and win. These flags are hidden throughout various cybersecurity challenges, challenging competitors in an array of unique subjects. However, many cybersecurity competitions are built with the intention to encourage a new age to explore the vast field of cybersecurity by teaching these concepts in a “gamified” fashion.
All CTF events will have prizes for competitors with the highest scores. Often, first, second, and third place are given awards, but honorable mentions are possible. PicoCTF, a competition popular among middle- and high-school aged students, awards 1st place $3,000, 2nd place $2,000, and 3rd place $1,000 in addition to an invitation to Carnegie Mellon University (the CTF’s parent organization).
Beginner CTFs often introduce players to the shell (a program which allows users to interact with the computer) and other basic operating procedures used in cybersecurity. In more advanced CTFs, you will participate in events that challenge your skills in web exploitation, forensics, cryptography, reverse engineering, and binary exploitation.
There are generally two common types of CTFs played throughout the world: Jeopardy and Attack-Defense. In Jeopardy-style CTFs, competitors aim to solve as many challenges as possible to stockpile as many points as possible. These challenges have hidden “flags” which competitors must find and exchange for points. On the other hand, Attack-Defense CTFs have a greater resemblance to “wargames,” where teams will defend their own machines and attempt to infiltrate opponents’ machines.
Depending on the type of Attack-Defense CTF planned, there is typically a red team —the attackers— and a blue team —the defenders. The blue team focuses on implementing measures to project a vulnerable piece of software. This could mean updating the software on the virtual machine or enabling a virus detection software, for example. There is an abundance of CTFs where competitors play on the blue team while the judges will attempt to siege their machines on the red team. The red team attempts to take control over the computer by exploiting its vulnerabilities. Usually, this involves pinpointing the blue team’s oversights, exploiting bugs in old applications, and attempting to gain power as the system’s administrator. The field of cybersecurity may seem daunting at first, but rest assured because these competitions are meant to help you learn!
With society advancing toward a greater online presence, it is crucial that more people are aware of ways they could be attacked and measures to defend themselves online. If you are ever interested in exploring cybersecurity, give a capture the flag competition a try!