by Kat Sweet

Shall we play a game?

Four friends walked into an information security conference: a computer science educator, a web developer-turned-hacker, a game developer, and me, a self-taught “infosec padawan” with, at the time, no formal tech education. (There was also a baby, who proved to be quite the social engineer.) Together, we formed Team Encrypted Firewalls—hey, I never said we took ourselves too seriously—and spent several hours that weekend playing Capture the Flag (CTF). Many Red Bulls were harmed.

When I first started going to security cons a couple years earlier, I saw the CTF as a mystical event where only the security industry’s most elite, established hackers went head-to-head. I never imagined myself as someone who would have the technical know-how to compete. But strip away the lore around CTFs, and you find that rather than being a test of what you already know, they’re a way to expose you to what you don’t know.

WTF is a CTF?

Not to be confused with the sport, the term “capture the flag” describes a type of computer security competition. CTFs are an exercise in problem-solving, team-building, and learning on the fly; in short, they are a hands-on way of getting you into a hacker state of mind.

Most CTFs are set up in one of two ways: attack/defense-style (red team vs. blue team), or jeopardy-style. Attack/defense CTFs revolve around teams trying to break into each others’ intentionally vulnerable networks (“red team”) while attempting to defend their own networks (“blue team”). Some of these challenges have teams simultaneously attacking and defending, while others have teams focusing on one or the other. Jeopardy-style CTFs are just what they sound like: they have different categories of challenges ranging in difficulty from easy to scary, and teams are awarded points for challenges completed. These are a more flexible time commitment than attack/defense CTFs, since teams aren’t engaging in real-time attacks—a team can devote as much or as little time to a jeopardy-style CTF as they want.

These two styles lend themselves to infinite variations. Some CTFs focus on a specific skillset—several security conferences have a Wireless CTF involving capturing radio traffic. Some CTFs aren’t even done in front of a computer—participants in a Social Engineering CTF flex an entirely different set of security muscles, hacking humans instead of machines.

The flags take many forms. Security is a vast field, and CTFs can include challenges in digital forensics, cryptography, web security, and so on. A flag could be a phrase hidden in a single network packet, a timestamp in the metadata of a photo, a cipher sewn into a quilt—and that was just at one conference. Challenges will contain clues to point you toward a flag, as well as superfluous information to throw you off. Expect to occasionally overthink a challenge and get frustrated. Failing is part of the fun, and it’ll all be worth it when you find a flag.

How to find CTFs

Security conferences usually have at least one CTF competition on their schedule. A few of them, such as DEFCON’s LegitBS CTF, require teams to go through a qualifying round, but most CTFs at cons are open to all attendees. Outside of cons, some cities’ local hacker meetups will organize CTF events, and online CTFs are becoming increasingly prevalent.

There are also CTFs geared toward college students, such as National Cyber League and Collegiate Cyber Defense Challenge (CCDC), which aim to get students hands-on experience with information security before they hit the job market. Others are targeted specifically at businesses providing security training for their employees, such as the CTF 365 platform.

Why capture flags?

While CTFs have traditionally been the domain of the security community, they have tremendous value for anyone with an interest in tech. Because security touches all areas of technology, awareness of it is good for non-security tech workers or hobbyists. In fact, there are CTF practice sites geared specifically toward introducing people to hacking, such as Hack This Site for web security, or Over the Wire for system administration.

Games are more fun than lectures. Games are better learning tools than lectures. Those who don’t work in security might only get exposed to security education in the context of being yelled at for clicking links from Nigerian princes or writing their passwords on a sticky note. CTFs offer people a chance to play around with security in a low-consequence environment, and have fun doing so. At the end of the day, it’s just a game in the land of make-believe—the network you’re defending is isolated, your actual personally identifiable information is outside the scope of the competition, and the only thing that matters is having a good time.

CTFs are also a rare opportunity for security education in a collaborative setting. We all have knowledge to share, and CTFs help to broaden our knowledge base by using problem sets that require a team with diverse skills. Some CTFs are meant to emulate real-world vulnerabilities, others are ridiculous things that you will never encounter out in the wild. No one is actually hiding a top secret piece of information inside a ROT-13 cipher and sticking the ciphertext on their website. But even the challenges that have little basis in reality still help participants build valuable problem-solving skills, and teams end up playing off of members’ wide ranges of expertise in order to carry the day.

Areas for improvement

CTFs aren’t without their limiting factors. For example, group CTFs at security conferences assume that you can 1) get to a con, and 2) find a group to join there. If you don’t know anyone at the con, this can seem daunting. Additionally, there is a perceived high barrier to entry. CTFs vary in difficulty, and many times highly experienced people will say that a CTF is open to “all skill levels” when in fact the subject matter ends up excluding beginners. However, clarifying the fact that some challenges require little prior experience would help make them more accessible, and it wouldn’t be too difficult to set up a group CTF specifically for lower experience levels. Finally, participating in a CTF at a conference can have a huge time commitment, which makes it difficult to participate in other conference events. It would be worthwhile to have conference CTFs where the amount of additional programming is kept to a minimum in order to allow participants to fully engage with the game.

How about a nice game of hacking?

Hackers have used CTFs for decades as a way to relax, have fun with friends, and hone their skills in a low-pressure environment. In many ways, society is just now beginning to realize something that the security community has known for years: the best way to learn is to play. With information security becoming more and more important, now is the time to get some friends together—black hoodies and balaclavas optional—and let a CTF teach you some new things.

Kat Sweet is a network security student with a gender studies degree, frequent security conference volunteer and presenter, wielder of pointy objects (mainly lock picks and knitting needles), and executive assistant to two fluffy cats.

Listen to an interview with Kat on our podcast.