Capture the flag (cybersecurity)

A team competing in the CTF competition at DEF CON 17

Capture the Flag (CTF) in computer security is an exercise in which participants attempt to find text strings, called "flags", which are secretly hidden in purposefully vulnerable programs or websites. CTFs can be used for either competitive or educational purposes. In the two main variations of CTFs, participants steal flags either from other participants (attack/defense-style CTFs) or from organizers (jeopardy-style challenges). A mixed competition combines these two styles. [1] Competitions can include hiding flags in hardware devices; they can be held online or in person, and can be advanced or entry-level. The game is inspired by the traditional outdoor sport of the same name.

Overview

Capture the Flag (CTF) is a cybersecurity competition that is used to test and develop computer security skills. It was first developed in 1996 at DEF CON, the largest cybersecurity conference in the United States, which is hosted annually in Las Vegas, Nevada. [2] The conference hosts a weekend of cybersecurity competitions, including its flagship CTF.

Two popular CTF formats are jeopardy and attack-defense. [3] Both formats test participants' knowledge of cybersecurity, but differ in objective. In the jeopardy format, participating teams must complete as many challenges as possible; the challenges carry varying point values and come from various categories such as cryptography, web exploitation, and reverse engineering. [4] In the attack-defense format, competing teams must defend their own vulnerable computer systems while attacking their opponents' systems. [3]

The exercise involves a diverse array of tasks, including exploitation and password cracking, but there is little evidence showing how these tasks translate into the cybersecurity knowledge held by security experts. Recent research has shown that Capture the Flag tasks mainly cover technical knowledge but lack social topics such as social engineering and cybersecurity awareness. Researchers therefore recommend a focus on non-technical topics as well, in order to address advanced cyber threats. [5]

Educational applications

CTFs have been shown to be an effective way to improve cybersecurity education through gamification. [6] There are many examples of CTFs designed to teach cybersecurity skills to a wide variety of audiences, including PicoCTF, organized by the Carnegie Mellon CyLab and oriented towards high school students, and the Arizona State University-supported pwn.college. [7] [8] [9] Beyond educational CTF events and resources, CTFs have been shown to be a highly effective way to instill cybersecurity concepts in the classroom. [10] [11] CTFs have been included in undergraduate computer science classes such as Introduction to Information Security at the National University of Singapore. [12] CTFs are also popular in military academies. They are often included as part of the curriculum for cybersecurity courses, with the NSA-organized Cyber Exercise culminating in a CTF competition between the US service academies and military colleges. [13]

Competitions

Many CTF organizers register their competition with the CTFtime platform. This allows the position of teams to be tracked over time and across competitions. [14] These competitions can be community, government or corporate. Since CTFtime began in 2011, seven teams have ranked #1 worldwide: "Plaid Parliament of Pwning", "More Smoked Leet Chicken", "Dragon Sector", "dcua", "Eat, Sleep, Pwn, Repeat", "perfect blue" and "organizers". Overall, "Plaid Parliament of Pwning" and "Dragon Sector" have placed first worldwide the most often, three times each. [15]

Community competitions

Every year there are dozens of CTFs organized in a variety of formats. Many CTFs are associated with cybersecurity conferences such as DEF CON, HITCON, and BSides. The DEF CON CTF, an attack-defense CTF, is notable for being one of the oldest CTF competitions in existence, and has been variously referred to as the "World Series", [16] "Superbowl", [9] [17] and "Olympics" [18] of hacking by media outlets. The NYU Tandon-hosted Cybersecurity Awareness Worldwide (CSAW) CTF is one of the largest open-entry competitions for students learning cybersecurity from around the world. [4] In 2021, it hosted over 1200 teams during the qualification round. [19]

In addition to conference-organized CTFs, many CTF clubs and teams organize CTF competitions. [20] Many CTF clubs and teams are associated with universities, such as the CMU-associated Plaid Parliament of Pwning, which hosts PlaidCTF, [4] and the ASU-associated Shellphish. [21]

Government-supported competitions

Governmentally supported CTF competitions include the DARPA Cyber Grand Challenge and ENISA European Cybersecurity Challenge. In 2023, the US Space Force-sponsored Hack-a-Sat CTF competition included, for the first time, a live orbital satellite for participants to exploit. [22]

Corporate-supported competitions

Corporations and other organizations sometimes use CTFs as a training or evaluation exercise. The benefits of CTFs are similar to those of using CTFs in an educational environment. In addition to internal CTF exercises, some corporations such as Google [23] and Tencent host publicly accessible CTF competitions.

References

  1. "CTFtime.org / What is Capture The Flag?". ctftime.org. Retrieved 2023-08-15.
  2. Cowan, C.; Arnold, S.; Beattie, S.; Wright, C.; Viega, J. (April 2003). "Defcon Capture the Flag: Defending vulnerable code from intense attack". Proceedings DARPA Information Survivability Conference and Exposition. Vol. 1. pp. 120–129. doi:10.1109/DISCEX.2003.1194878. ISBN 0-7695-1897-4. S2CID 18161204.
  3. Says, Etuuxzgknx (2020-06-10). "Introduction To 'Capture The Flags' in CyberSecurity - MeuSec". Retrieved 2022-11-02.
  4. Chung, Kevin; Cohen, Julian (2014). "Learning Obstacles in the Capture The Flag Model".
  5. Švábenský, Valdemar; Čeleda, Pavel; Vykopal, Jan; Brišáková, Silvia (March 2021). "Cybersecurity knowledge and skills taught in capture the flag challenges". Computers & Security. 102: 102154. arXiv:2101.01421. doi:10.1016/j.cose.2020.102154.
  6. Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN 1573-7608. PMC 9950699. PMID 36855694.
  7. "ASU's cybersecurity dojo". ASU News. 2021-02-15. Retrieved 2023-07-18.
  8. "picoCTF aims to close the cybersecurity talent gap". www.cylab.cmu.edu. Retrieved 2023-07-18.
  9. "Wanted: hackers. Reward: the best may get a spot at CMU". Pittsburgh Post-Gazette. Retrieved 2023-07-18.
  10. McDaniel, Lucas; Talvi, Erik; Hay, Brian (January 2016). "Capture the Flag as Cyber Security Introduction". 2016 49th Hawaii International Conference on System Sciences (HICSS). pp. 5479–5486. doi:10.1109/HICSS.2016.677. ISBN 978-0-7695-5670-3. S2CID 35062822.
  11. Leune, Kees; Petrilli, Salvatore J. (2017-09-27). "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education". Proceedings of the 18th Annual Conference on Information Technology Education. SIGITE '17. New York, NY, USA: Association for Computing Machinery. pp. 47–52. doi:10.1145/3125659.3125686. ISBN 978-1-4503-5100-3. S2CID 46465063.
  12. Vykopal, Jan; Švábenský, Valdemar; Chang, Ee-Chien (2020-02-26). "Benefits and Pitfalls of Using Capture the Flag Games in University Courses". Proceedings of the 51st ACM Technical Symposium on Computer Science Education. pp. 752–758. arXiv:2004.11556. doi:10.1145/3328778.3366893. ISBN 9781450367936. S2CID 211519195.
  13. "National Security Agency/Central Security Service > Cybersecurity > NSA Cyber Exercise". www.nsa.gov. Retrieved 2023-07-18.
  14. "CTFtime". CTFtime. Retrieved 2023-08-18.
  15. "CTFtime rankings". CTFtime Rankings. Retrieved 2023-08-18.
  16. Korber, Sabrina (2013-11-08). "Cyberteams duke it out in the World Series of hacking". CNBC. Retrieved 2023-07-18.
  17. Noone, Ryan (2022-08-15). "CMU Hacking Team Wins Super Bowl of Hacking for 6th Time - News - Carnegie Mellon University". www.cmu.edu. Retrieved 2023-07-18.
  18. Siddiqui, Zeba (2022-08-18). "Hacker tournament brings together world's best in Las Vegas". Reuters. Retrieved 2023-07-18.
  19. "CSAW Capture the Flag". CSAW. Retrieved 2022-11-02.
  20. Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN 1360-2357. PMC 9950699. PMID 36855694.
  21. "These grad students want to make history by crushing the world's hackers". Yahoo Finance. 2016-08-04. Retrieved 2023-09-02.
  22. Hardcastle, Jessica Lyons. "Moonlighter space-hacking satellite is in orbit". www.theregister.com. Retrieved 2023-07-18.
  23. https://capturetheflag.withgoogle.com/
  24. Woodward, Alan (2022-07-07). "'Some staff work behind armoured glass': a cybersecurity expert on The Undeclared War". The Guardian. ISSN 0261-3077. Retrieved 2023-07-18.
  25. Qin ai de, re ai de (Drama, Romance, Sport), Zi Yang, Xian Li, Mingde Li, Shanghai GCOO Entertainment, 2019-07-09, retrieved 2023-08-15.