Capture the flag (cybersecurity)

Last updated
A team competing in the CTF competition at DEF CON 17 DEF CON 17 CTF competition.jpg
A team competing in the CTF competition at DEF CON 17

Capture the Flag (CTF) in computer security is an exercise in which participants attempt to find text strings, called "flags", which are secretly hidden in purposefully-vulnerable programs or websites. They can be used for both competitive or educational purposes. In two main variations of CTFs, participants either steal flags from other participants (attack/defense-style CTFs) or from organizers (jeopardy-style challenges). A mixed competition combines these two styles. [1] Competitions can include hiding flags in hardware devices, they can be both online or in-person, and can be advanced or entry-level. The game is inspired by the traditional outdoor sport of the same name. CTFs are used as a tool for developing and refining cybersecurity skills, making them popular in both professional and academic settings.

Contents

Overview

Capture the Flag (CTF) is a cybersecurity competition that is used to test and develop computer security skills. It was first developed in 1996 at DEF CON, the largest cybersecurity conference in the United States which is hosted annually in Las Vegas, Nevada. [2] The conference hosts a weekend of cybersecurity competitions, including their flagship CTF.

Two popular CTF formats are jeopardy and attack-defense. [3] Both formats test participant’s knowledge in cybersecurity, but differ in objective. In the Jeopardy format, participating teams must complete as many challenges of varying point values from a various categories such as cryptography, web exploitation, and reverse engineering. [4] In the attack-defense format, competing teams must defend their vulnerable computer systems while attacking their opponent's systems. [3]

The exercise involves a diverse array of tasks, including exploitation and cracking passwords, but there is little evidence showing how these tasks translate into cybersecurity knowledge held by security experts. Recent research has shown that the Capture the Flag tasks mainly covered technical knowledge but lacked social topics like social engineering and awareness on cybersecurity. [5]

Educational applications

CTFs have been shown to be an effective way to improve cybersecurity education through gamification. [6] There are many examples of CTFs designed to teach cybersecurity skills to a wide variety of audiences, including PicoCTF, organized by the Carnegie Mellon CyLab, which is oriented towards high school students, and Arizona State University supported pwn.college. [7] [8] [9] Beyond educational CTF events and resources, CTFs has been shown to be a highly effective way to instill cybersecurity concepts in the classroom. [10] [11] CTFs have been included in undergraduate computer science classes such as Introduction to Information Security at the National University of Singapore. [12] CTFs are also popular in military academies. They are often included as part of the curriculum for cybersecurity courses, with the NSA organized Cyber Exercise culminating in a CTF competition between the US service academies and military colleges. [13]

Competitions

Many CTF organizers register their competition with the CTFtime platform. This allows the tracking of the position of teams over time and across competitions. [14] . These include "Plaid Parliament of Pwning", "More Smoked Leet Chicken", "Dragon Sector", "dcua", "Eat, Sleep, Pwn, Repeat", "perfect blue", "organizers" and "Blue Water". Overall the "Plaid Parliament of Pwning" and "Dragon Sector" have both placed first worldwide the most with three times each. [15]

Community competitions

Every year there are dozens of CTFs organized in a variety of formats. Many CTFs are associated with cybersecurity conferences such as DEF CON, HITCON, and BSides. The DEF CON CTF, an attack-defence CTF, is notable for being one of the oldest CTF competitions to exist, and has been variously referred to as the "World Series", [16] "Superbowl", [9] [17] and "Olympics", [18] of hacking by media outlets. The NYU Tandon hosted Cybersecurity Awareness Worldwide (CSAW) CTF is one of the largest open-entry competitions for students learning cybersecurity from around the world. [4] In 2021, it hosted over 1200 teams during the qualification round. [19]

In addition to conference organized CTFs, many CTF clubs and teams organize CTF competitions. [20] Many CTF clubs and teams are associated with universities, such as the CMU associated Plaid Parliament of Pwning, which hosts PlaidCTF, [4] and the ASU associated Shellphish. [21]

Government-supported competitions

Governmentally supported CTF competitions include the DARPA Cyber Grand Challenge and ENISA European Cybersecurity Challenge. [22] In 2023, the US Space Force-sponsored Hack-a-Sat CTF competition included, for the first time, a live orbital satellite for participants to exploit. [23]

Corporate-supported competitions

Corporations and other organizations sometimes use CTFs as a training or evaluation exercise.[ citation needed ] The benefits of CTFs are similar to those of using CTFs in an educational environment.[ citation needed ] In addition to internal CTF exercises, some corporations such as Google [24] and Tencent host publicly accessible CTF competitions.

See also

Related Research Articles

DEF CON is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, hardware modification, conference badges, and anything else that can be "hacked". The event consists of several tracks of speakers about computer and hacking-related subjects, as well as cyber-security challenges and competitions. Contests held during the event are extremely varied and can range from creating the longest Wi-Fi connection to finding the most effective way to cool a beer in the Nevada heat.

<span class="mw-page-title-main">Jeff Moss (hacker)</span> American computer security expert (born 1975)

Jeff Moss, also known as Dark Tangent, is an American hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences.

<span class="mw-page-title-main">George Hotz</span> American software engineer

George Francis Hotz, alias geohot, is an American security hacker, entrepreneur, and software engineer. He is known for developing iOS jailbreaks, reverse engineering the PlayStation 3, and for the subsequent lawsuit brought against him by Sony. From September 2015 onwards, he has been working on his vehicle automation machine learning company comma.ai. Since November 2022, Hotz has been working on tinygrad, a deep learning framework.

<span class="mw-page-title-main">David Brumley</span> American cryptographer

David Brumley is a professor at Carnegie Mellon University. He is a well-known researcher in software security, network security, and applied cryptography. Brumley also previously worked as a Computer Security Officer at Stanford University.

<span class="mw-page-title-main">Computer security conference</span> Convention for individuals involved in computer security

A computer security conference is a convention for individuals involved in computer security. They generally serve as meeting places for system and network administrators, hackers, and computer security experts. Common activities at hacker conventions may include:

<span class="mw-page-title-main">Wargame (hacking)</span> Cyber-security challenge and mind sport in hacking

In hacking, a wargame is a cyber-security challenge and mind sport in which the competitors must exploit or defend a vulnerability in a system or application, and/or gain or prevent access to a computer system.

Positive Hack Days (PHDays) is an annual international cybersecurity forum. It has been held by Positive Technologies since 2011. PHDays brings together IT and infosec experts, government officials, business representatives, students, and schoolchildren. The forum hosts talks and workshops on the most interesting information security topics, The Standoff cyberexercises, practical competitions in which participants analyze the security of industrial control systems, banking and mobile services, and web apps.

<span class="mw-page-title-main">Iftach Ian Amit</span> Israeli Hacker

Iftach Ian Amit is an Israeli Hacker/computer security researcher and practitioner. He is one of the co-founders of the Tel Aviv DEF CON Group DC9723, the Penetration Testing Execution Standard, and presented at hacker conventions such as DEF CON, Black Hat, BlueHat, RSA Conference. He has been named SC Magazine's top experts and featured at Narratively's cover piece on Attack of the Superhackers and is frequently quoted and interviewed

The 2016 Cyber Grand Challenge (CGC) was a challenge created by The Defense Advanced Research Projects Agency (DARPA) in order to develop automatic defense systems that can discover, prove, and correct software flaws in real-time.

<span class="mw-page-title-main">PACTF</span> Computer security competition

PACTF was an annual web-based computer security Capture the Flag (CTF) competition for middle and high school students. It was founded by a group of students at Phillips Academy in Andover, Massachusetts. The competition's sponsors include the Abbot Academy Association at Phillips Academy; the Information Networking Institute and CyLab at Carnegie Mellon University; the Hariri Institute for Computing, Massachusetts Open Cloud (MOC) project, and Modular Approach to Cloud Security (MACS) project at Boston University; and other entities.

The Carnegie Mellon CyLab Security and Privacy Institute is a computer security research center at Carnegie Mellon University. Founded in 2003 as a university-wide research center, it involves more than 50 faculty and 100 graduate students from different departments and schools within the university. It is "one of the largest university-based cyber security research and education centers in the U.S."

Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.

<span class="mw-page-title-main">Jake Braun</span> American political, cyber and national security expert

Jacob H. Braun is an American politician, cyber and national security expert. He was appointed by President Joseph Biden as the U.S. Department of Homeland Security (DHS) Secretary's Senior Advisor to the Management Directorate. Braun is also a lecturer at the University of Chicago’s Harris School of Public Policy Studies where he teaches courses on cyber policy and election security. He previously served as the Executive Director for the University of Chicago Harris Cyber Policy Initiative (CPI).

Cyber Discovery was a United Kingdom initiative to get teenagers interested in cyber security. The initiative was funded £20 million by the UK Department for Digital, Culture, Media and Sport in partnership with SANS Institute Started in 2017, each year the program had followed a similar pattern of 4 stages.

Jack Cable is an American computer security researcher and software developer who currently serves as a Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency. He is best known for his participation in bug bounty programs, including placing first in the U.S. Department of Defense's Hack the Air Force challenge. Cable began working for the Pentagon's Defense Digital Service in the summer of 2018.

<span class="mw-page-title-main">Christopher Hadnagy</span> American author, hacker, and computer scientist

Christopher James Hadnagy is an American author and information technology security consultant. He is recognized for his contributions to the field of social engineering in information security.

<span class="mw-page-title-main">Ibrahim Baggili</span> American cybersecurity scientist (born 1981)

Ibrahim "Abe" Moussa Baggili was named the Chair of the Division of Computer Science and Engineering at Louisiana State University and the Roy Richardson Professor in 2024. He is also a digital forensics and cybersecurity scientist with a joint appointment between the college of engineering and the Center for Computation and Technology. Before that, he was the founder and director of the Connecticut Institute of Technology (CIT) at the University of New Haven. Baggili was also a full professor and Elder Family Endowed Chair at UNewHaven. He has a B.S., M.S., and Ph.D. in Computer and Information Technology from Purdue University's Purdue Polytechnic Institute. Baggili is a Jordanian/Arab American first generation college graduate and a well-known scientist in the domain of Cyber Forensics and Cybersecurity with seminal peer-reviewed work in the areas of Virtual Reality Forensics (VR) and security, mobile device forensics and security, application forensics, drone forensics and memory forensics.

Magda Lilia Chelly is a Polish-Tunisian cybersecurity expert and is amongst the first Tunisian women to be on the advisory board of BlackHat Asia Executive Committee. Born in Krakow, Poland, and educated in Tunisia and France, Chelly worked as an IT consultant, university lecturer, business leader, and cybersecurity professional.

Cybersecurity in popular culture examines the various ways in which the themes and concepts related to cybersecurity have been portrayed and explored in different forms of popular culture, such as music, movies, television shows, and literature. As the digital age continues to expand and the importance of protecting computer systems, networks, and digital information grows, the awareness and understanding of cybersecurity have increasingly become a part of mainstream culture. Popular culture often portraits the gloomy underworld of cybersecurity, where unconventional tactics are used to combat a diverse range of threats to individuals, businesses, and governments. The integration of dark and mysterious elements into cybersecurity stories helps create a sense of uncertainty, rule-breaking, and intriguing ambiguity. This captures the public's attention and highlights the high stakes involved in the ongoing struggle to protect our digital world. This article highlights the creative works and cultural phenomena that have brought cybersecurity issues to the forefront, reflecting society's evolving relationship with technology, privacy, and digital security.

Kyle Hanslovan is an American engineer and information technology security analyst who served as a US Air Force Cyber Technical Sergeant.

References

  1. "CTFtime.org / What is Capture The Flag?". ctftime.org. Retrieved 2023-08-15.
  2. Cowan, C.; Arnold, S.; Beattie, S.; Wright, C.; Viega, J. (April 2003). "Defcon Capture the Flag: Defending vulnerable code from intense attack". Proceedings DARPA Information Survivability Conference and Exposition. Vol. 1. pp. 120–129 vol.1. doi:10.1109/DISCEX.2003.1194878. ISBN   0-7695-1897-4. S2CID   18161204.
  3. 1 2 Says, Etuuxzgknx (2020-06-10). "Introduction To 'Capture The Flags' in CyberSecurity - MeuSec" . Retrieved 2022-11-02.
  4. 1 2 3 Chung, Kevin; Cohen, Julian (2014). "Learning Obstacles in the Capture The Flag Model".{{cite journal}}: Cite journal requires |journal= (help)
  5. Švábenský, Valdemar; Čeleda, Pavel; Vykopal, Jan; Brišáková, Silvia (March 2021). "Cybersecurity knowledge and skills taught in capture the flag challenges". Computers & Security. 102: 102154. arXiv: 2101.01421 . doi:10.1016/j.cose.2020.102154.
  6. Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN   1573-7608. PMC   9950699 . PMID   36855694.
  7. "ASU's cybersecurity dojo". ASU News. 2021-02-15. Retrieved 2023-07-18.
  8. "picoCTF aims to close the cybersecurity talent gap". www.cylab.cmu.edu. Retrieved 2023-07-18.
  9. 1 2 "Wanted: hackers. Reward: the best may get a spot at CMU". Pittsburgh Post-Gazette. Retrieved 2023-07-18.
  10. McDaniel, Lucas; Talvi, Erik; Hay, Brian (January 2016). "Capture the Flag as Cyber Security Introduction". 2016 49th Hawaii International Conference on System Sciences (HICSS). pp. 5479–5486. doi:10.1109/HICSS.2016.677. ISBN   978-0-7695-5670-3. S2CID   35062822.
  11. Leune, Kees; Petrilli, Salvatore J. (2017-09-27). "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education". Proceedings of the 18th Annual Conference on Information Technology Education. SIGITE '17. New York, NY, USA: Association for Computing Machinery. pp. 47–52. doi:10.1145/3125659.3125686. ISBN   978-1-4503-5100-3. S2CID   46465063.
  12. Vykopal, Jan; Švábenský, Valdemar; Chang, Ee-Chien (2020-02-26). "Benefits and Pitfalls of Using Capture the Flag Games in University Courses". Proceedings of the 51st ACM Technical Symposium on Computer Science Education. pp. 752–758. arXiv: 2004.11556 . doi:10.1145/3328778.3366893. ISBN   9781450367936. S2CID   211519195.
  13. "National Security Agency/Central Security Service > Cybersecurity > NSA Cyber Exercise". www.nsa.gov. Retrieved 2023-07-18.
  14. "CTFtime". CTFtime. Retrieved 2023-08-18.
  15. "CTFtime rankings". CTFtime Rankings. Retrieved 2023-08-18.
  16. Producer, Sabrina Korber, CNBC (2013-11-08). "Cyberteams duke it out in the World Series of hacking". CNBC. Retrieved 2023-07-18.{{cite web}}: CS1 maint: multiple names: authors list (link)
  17. Noone, Ryan (2022-08-15). "CMU Hacking Team Wins Super Bowl of Hacking for 6th Time - News - Carnegie Mellon University". www.cmu.edu. Retrieved 2023-07-18.
  18. Siddiqui, Zeba (2022-08-18). "Hacker tournament brings together world's best in Las Vegas". Reuters. Retrieved 2023-07-18.
  19. "CSAW Capture the Flag". CSAW. Retrieved 2022-11-02.
  20. Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN   1360-2357. PMC   9950699 . PMID   36855694.
  21. "These grad students want to make history by crushing the world's hackers". Yahoo Finance. 2016-08-04. Retrieved 2023-09-02.
  22. "European Cybersecurity Challenge". ECSC. Retrieved 13 June 2024.
  23. Hardcastle, Jessica Lyons. "Moonlighter space-hacking satellite is in orbit". www.theregister.com. Retrieved 2023-07-18.
  24. https://capturetheflag.withgoogle.com/ [ bare URL ]
  25. Woodward, Alan (2022-07-07). "'Some staff work behind armoured glass': a cybersecurity expert on The Undeclared War". The Guardian. ISSN   0261-3077 . Retrieved 2023-07-18.
  26. Qin ai de, re ai de (Drama, Romance, Sport), Zi Yang, Xian Li, Mingde Li, Shanghai GCOO Entertainment, 2019-07-09, retrieved 2023-08-15{{citation}}: CS1 maint: others (link)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.