Capture the flag (cybersecurity)

A team competing in the CTF competition at DEF CON 17

Capture the Flag (CTF) in computer security is an exercise in which participants attempt to find text strings, called "flags", that are secretly hidden in purposefully vulnerable programs or websites. CTFs can be used for competitive or educational purposes. In the two main variations, participants either steal flags from other participants (attack/defense-style CTFs) or retrieve them from challenges set by the organizers (jeopardy-style CTFs); a mixed competition combines the two styles. [1] Flags can also be hidden in hardware devices, competitions can be held online or in person, and they range from entry-level to advanced. The game is inspired by the traditional outdoor sport of the same name. CTFs are used as a tool for developing and refining cybersecurity skills, making them popular in both professional and academic settings.

Overview

Capture the Flag (CTF) is a cybersecurity competition that is used to test and develop computer security skills. It was first held in 1996 at DEF CON, the largest cybersecurity conference in the United States, which takes place annually in Las Vegas, Nevada. [2] The conference hosts a weekend of cybersecurity competitions, including its flagship CTF.

Two popular CTF formats are jeopardy and attack-defense. [3] Both formats test participants' cybersecurity knowledge but differ in objective. In the jeopardy format, teams solve as many challenges as they can, each worth a set number of points, drawn from categories such as cryptography, web exploitation, and reverse engineering. [4] In the attack-defense format, competing teams must defend their own vulnerable systems while attacking their opponents' systems to steal the flags planted there. [3]
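To make the difference between the two formats concrete at the scoring layer, here is an added illustration of a minimal flag-submission checker. It is not code from CTFtime, DEF CON or any real CTF platform; the FLAG{...} format, the HMAC-derived attack/defense flags, the point values, the five-tick flag lifetime and the team and challenge names are all assumptions made for the example. Jeopardy flags are organizer-held secrets that each team can score once; attack/defense flags are planted into a team's service each game tick, can only be scored by a different team, expire, and cannot be resubmitted.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Assumptions for this illustration: flags look like FLAG{32 hex chars}, a stolen
# attack/defense flag scores 10 points and stays valid for 5 game ticks.
FLAG_RE = re.compile(r"^FLAG\{[0-9a-f]{32}\}$")
FLAG_LIFETIME_TICKS = 5
STEAL_POINTS = 10


class FlagChecker:
    """Scoring core for both formats: jeopardy flags are organizer-held secrets
    looked up by challenge name; attack/defense flags are planted into a team's
    service at each game tick and scored when another team submits them."""

    def __init__(self, secret: bytes, jeopardy: dict[str, tuple[str, int]]):
        self.secret = secret        # HMAC key known only to the organizers
        self.jeopardy = jeopardy    # challenge name -> (flag, points)
        self.planted: dict[str, tuple[str, str, int]] = {}  # flag -> (owner, service, tick)
        self.solved: set[tuple[str, str]] = set()   # (team, challenge)
        self.stolen: set[tuple[str, str]] = set()   # (attacker, flag)
        self.scores: dict[str, int] = {}

    def derive_flag(self, owner: str, service: str, tick: int) -> str:
        """Flag for (owner, service, tick). Keyed HMAC derivation makes flags
        unguessable to players yet reproducible by the game server, which can
        later check that the service still serves the flag it was given."""
        msg = f"{owner}|{service}|{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]
        return f"FLAG{{{digest}}}"

    def issue_flag(self, owner: str, service: str, tick: int) -> str:
        """Plant a new flag into a team's service and remember who owns it."""
        flag = self.derive_flag(owner, service, tick)
        self.planted[flag] = (owner, service, tick)
        return flag

    def verify_planted(self, owner: str, service: str, tick: int, observed: str) -> bool:
        """SLA check: does the team's service still return the planted flag?"""
        expected = self.derive_flag(owner, service, tick)
        return hmac.compare_digest(expected.encode(), observed.encode())

    def submit_jeopardy(self, team: str, challenge: str, flag: str) -> tuple[bool, str]:
        """Jeopardy: the flag must match the organizer's secret for the
        challenge; a team scores each challenge at most once."""
        entry = self.jeopardy.get(challenge)
        if entry is None:
            return False, "unknown challenge"
        expected, points = entry
        # Constant-time compare so the checker cannot leak the flag byte by byte.
        if not hmac.compare_digest(expected.encode(), flag.encode()):
            return False, "wrong flag"
        if (team, challenge) in self.solved:
            return False, "already solved"
        self.solved.add((team, challenge))
        self.scores[team] = self.scores.get(team, 0) + points
        return True, f"+{points}"

    def submit_stolen(self, attacker: str, flag: str, current_tick: int) -> tuple[bool, str]:
        """Attack/defense: the flag must be one we planted, belong to another
        team, still be within its lifetime, and not have been submitted before."""
        if not FLAG_RE.fullmatch(flag):
            return False, "malformed flag"
        info = self.planted.get(flag)
        if info is None:
            return False, "unknown flag"
        owner, _service, tick = info
        if owner == attacker:
            return False, "own flag"
        if current_tick - tick >= FLAG_LIFETIME_TICKS:
            return False, "expired flag"
        if (attacker, flag) in self.stolen:
            return False, "already submitted"
        self.stolen.add((attacker, flag))
        self.scores[attacker] = self.scores.get(attacker, 0) + STEAL_POINTS
        return True, f"+{STEAL_POINTS}"


def demo() -> dict[str, int]:
    """Constructed two-team game: one jeopardy challenge and one A/D service."""
    chk = FlagChecker(b"organizer-secret", {"web100": ("FLAG{" + "a" * 32 + "}", 100)})
    chk.submit_jeopardy("alpha", "web100", "FLAG{" + "a" * 32 + "}")   # +100
    chk.submit_jeopardy("alpha", "web100", "FLAG{" + "a" * 32 + "}")   # already solved
    flag = chk.issue_flag("bravo", "notes", tick=1)
    chk.submit_stolen("bravo", flag, current_tick=1)   # own flag, rejected
    chk.submit_stolen("alpha", flag, current_tick=2)   # +10
    chk.submit_stolen("alpha", flag, current_tick=3)   # already submitted
    return chk.scores


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the jeopardy checker only ever needs the organizer's table of secrets, whereas the attack/defense checker needs to know who owned each flag and when it was planted, because ownership, freshness and replay are what decide whether a submission scores. Deriving flags with a keyed HMAC rather than storing random strings also lets the game server re-derive a flag to verify that a team's service is still serving it, which is how defenders are penalised for taking a service offline instead of patching it.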

The exercise involves a diverse array of tasks, including exploitation and password cracking, but there is little evidence showing how these tasks translate into the knowledge held by security experts. Recent research has shown that CTF tasks mainly cover technical knowledge and largely omit social topics such as social engineering and security awareness. [5]

Educational applications

CTFs have been shown to be an effective way to improve cybersecurity education through gamification. [6] There are many examples of CTFs designed to teach cybersecurity skills to a wide variety of audiences, including picoCTF, organized by Carnegie Mellon's CyLab and oriented towards high school students, and pwn.college, supported by Arizona State University. [7] [8] [9] Beyond dedicated educational CTF events and resources, CTFs have been shown to be a highly effective way to instill cybersecurity concepts in the classroom. [10] [11] CTFs have been included in undergraduate computer science classes such as Introduction to Information Security at the National University of Singapore. [12] CTFs are also popular in military academies, where they are often part of the curriculum for cybersecurity courses; the NSA-organized Cyber Exercise culminates in a CTF competition between the US service academies and military colleges. [13]

Competitions

Many CTF organizers register their competition with the CTFtime platform, which tracks the position of teams over time and across competitions. [14] Teams that have topped its annual rankings include "Plaid Parliament of Pwning", "More Smoked Leet Chicken", "Dragon Sector", "dcua", "Eat, Sleep, Pwn, Repeat", "perfect blue", "organizers" and "Blue Water". "Plaid Parliament of Pwning" and "Dragon Sector" have each finished first worldwide three times, more than any other team. [15]

Community competitions

Every year there are dozens of CTFs organized in a variety of formats. Many CTFs are associated with cybersecurity conferences such as DEF CON, HITCON, and BSides. The DEF CON CTF, an attack-defense CTF, is notable for being one of the oldest CTF competitions still running, and has variously been referred to as the "World Series", [16] "Super Bowl", [9] [17] and "Olympics" [18] of hacking by media outlets. The Cybersecurity Awareness Worldwide (CSAW) CTF, hosted by NYU Tandon, is one of the largest open-entry competitions for students learning cybersecurity from around the world. [4] In 2021, it hosted over 1200 teams during the qualification round. [19]

In addition to conference-organized CTFs, many CTF clubs and teams organize their own competitions. [20] Many such clubs and teams are associated with universities, for example the CMU-associated Plaid Parliament of Pwning, which hosts PlaidCTF, [4] and the ASU-associated Shellphish. [21]

Government-supported competitions

Government-supported CTF competitions include the DARPA Cyber Grand Challenge and the ENISA European Cybersecurity Challenge. [22] In 2023, the US Space Force-sponsored Hack-a-Sat CTF included, for the first time, a live satellite in orbit for participants to exploit. [23]

Corporate-supported competitions

Corporations and other organizations sometimes use CTFs as a training or evaluation exercise. [citation needed] The benefits are similar to those of using CTFs in an educational environment. [citation needed] In addition to internal CTF exercises, some corporations such as Google [24] and Tencent host publicly accessible CTF competitions.

References

  1. "CTFtime.org / What is Capture The Flag?". ctftime.org. Retrieved 2023-08-15.
  2. Cowan, C.; Arnold, S.; Beattie, S.; Wright, C.; Viega, J. (April 2003). "Defcon Capture the Flag: Defending vulnerable code from intense attack". Proceedings DARPA Information Survivability Conference and Exposition. Vol. 1. pp. 120–129 vol.1. doi:10.1109/DISCEX.2003.1194878. ISBN   0-7695-1897-4. S2CID   18161204.
  3. "Introduction To 'Capture The Flags' in CyberSecurity". MeuSec. 2020-06-10. Retrieved 2022-11-02.
  4. Chung, Kevin; Cohen, Julian (2014). "Learning Obstacles in the Capture The Flag Model".
  5. Švábenský, Valdemar; Čeleda, Pavel; Vykopal, Jan; Brišáková, Silvia (March 2021). "Cybersecurity knowledge and skills taught in capture the flag challenges". Computers & Security. 102: 102154. arXiv: 2101.01421 . doi:10.1016/j.cose.2020.102154.
  6. Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN   1573-7608. PMC   9950699 . PMID   36855694.
  7. "ASU's cybersecurity dojo". ASU News. 2021-02-15. Retrieved 2023-07-18.
  8. "picoCTF aims to close the cybersecurity talent gap". www.cylab.cmu.edu. Retrieved 2023-07-18.
  9. "Wanted: hackers. Reward: the best may get a spot at CMU". Pittsburgh Post-Gazette. Retrieved 2023-07-18.
  10. McDaniel, Lucas; Talvi, Erik; Hay, Brian (January 2016). "Capture the Flag as Cyber Security Introduction". 2016 49th Hawaii International Conference on System Sciences (HICSS). pp. 5479–5486. doi:10.1109/HICSS.2016.677. ISBN   978-0-7695-5670-3. S2CID   35062822.
  11. Leune, Kees; Petrilli, Salvatore J. (2017-09-27). "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education". Proceedings of the 18th Annual Conference on Information Technology Education. SIGITE '17. New York, NY, USA: Association for Computing Machinery. pp. 47–52. doi:10.1145/3125659.3125686. ISBN   978-1-4503-5100-3. S2CID   46465063.
  12. Vykopal, Jan; Švábenský, Valdemar; Chang, Ee-Chien (2020-02-26). "Benefits and Pitfalls of Using Capture the Flag Games in University Courses". Proceedings of the 51st ACM Technical Symposium on Computer Science Education. pp. 752–758. arXiv: 2004.11556 . doi:10.1145/3328778.3366893. ISBN   9781450367936. S2CID   211519195.
  13. "National Security Agency/Central Security Service > Cybersecurity > NSA Cyber Exercise". www.nsa.gov. Retrieved 2023-07-18.
  14. "CTFtime". CTFtime. Retrieved 2023-08-18.
  15. "CTFtime rankings". CTFtime Rankings. Retrieved 2023-08-18.
  16. Korber, Sabrina (2013-11-08). "Cyberteams duke it out in the World Series of hacking". CNBC. Retrieved 2023-07-18.
  17. Noone, Ryan (2022-08-15). "CMU Hacking Team Wins Super Bowl of Hacking for 6th Time - News - Carnegie Mellon University". www.cmu.edu. Retrieved 2023-07-18.
  18. Siddiqui, Zeba (2022-08-18). "Hacker tournament brings together world's best in Las Vegas". Reuters. Retrieved 2023-07-18.
  19. "CSAW Capture the Flag". CSAW. Retrieved 2022-11-02.
  20. Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN   1360-2357. PMC   9950699 . PMID   36855694.
  21. "These grad students want to make history by crushing the world's hackers". Yahoo Finance. 2016-08-04. Retrieved 2023-09-02.
  22. "European Cybersecurity Challenge". ECSC. Retrieved 13 June 2024.
  23. Hardcastle, Jessica Lyons. "Moonlighter space-hacking satellite is in orbit". www.theregister.com. Retrieved 2023-07-18.
  24. Google CTF. https://capturetheflag.withgoogle.com/
  25. Woodward, Alan (2022-07-07). "'Some staff work behind armoured glass': a cybersecurity expert on The Undeclared War". The Guardian. ISSN   0261-3077 . Retrieved 2023-07-18.
  26. Qin ai de, re ai de (Drama, Romance, Sport), Zi Yang, Xian Li, Mingde Li, Shanghai GCOO Entertainment, 2019-07-09, retrieved 2023-08-15.