What is Capture the Flag in Cybersecurity?
The traditional game of Capture the Flag (CTF) is a game where two teams have different flags hosted in their respective zones. The first team to capture their rival’s flag and return to their zone is considered the event’s winner. The game of CTF has inspired educators to adopt it for educational purposes. Since the adoption of CTF as an educational tool, cybersecurity training will routinely have a CTF component. It has become common that the events are more commonly referred to as Cyber Security Capture the Flag (Brown, 2019).
The Cyber Security Capture the Flag competitions have grown in popularity and are commonly occurring across the globe. On a global level, different international teams often compete to test their skills. The benefit of competing is notoriety and the possibility to win cash or other similar prizes (Harmon, 2016).
There are three types of Cyber Security Capture the Flag events:
Attack-Defense CTF: This is a type of CTF where two teams attack one another. The game takes place in two rounds. In the first round, one team attacks the other one, and the other has to defend. Then the round changes, and now the first team has to defend the second team’s attack. The goal may be to obtain flags hosted on the defender’s systems or disrupt services (Isseihorie, 2019).
The Jeopardy-style CTF: This CTF is similar to the actual game of Jeopardy. In this event style, there is a scoreboard with different categories with corresponding point tables and values. Jeopardy-style events are capable of supporting numerous teams. The goal of the Jeopardy-style events is to obtain the most points (Isseihorie, 2019).
Mixed CTF: As attack/defense is a trendy event style, it is understandable that a blend of the two would occur. This event style may have different formats that contain a combination of the first two competition styles.
Numerous websites host popular competitions and educational CTF in the cybersecurity field, which include PicoCTF, National Cyber League, Try Hack Me, OvertheWire, CTFTime, Cyber Quests, US Cyber Challenge, Panoply, CyberPatriot, iCTF Competition, CyberForce Competition, and Sans NetWars, etc.
The picoCTF is a free game-based cybersecurity competition for middle & high school students, created by security experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge. The challenges are all set up with the intent of being hacked, making it an excellent, legal way to get hands-on experience.
It emphasized 5 main categories with 57 challenges as follow;
1- Forensics includes 16 challenges for students to find flags in files and file systems, network traffic, and hidden data.
2- Cryptography has 8 challenges that require learners to practice decode hashing, decipher text, and audio messages, and encryption
3- Reverse engineerings have 9 challenges to retrieve confidential data using a programming language to reversing compiled, obfuscated, or hidden program code.
4- Web exploitation offers 13 challenges students to practice and attack to prevalent web vulnerabilities like SQL injection to understand controlling database exploitation.
5- Binary exploitation has 11 challenges requiring students to perform buffer overflow, format string, debugging and ROP (return-oriented programming) attacks to control a target system. https://picoctf.com/resources
For more information and participation to the PicoCTF you may visit their website
National Cyber League (NCL)
The National Cyber League (NCL) is a biannual cybersecurity competition. In May 2011, the National Cyber League (NCL), powered by Cyber Skyline, was founded to provide a continuous virtual training spot for learners to acquire and prove cybersecurity knowledge and skills using content arranged with individual and team games. It’s open to U.S. high school and college students. Participants must be enrolled in a high school or collegiate institution. They have a large growing population, as they specified on their web site, more than 10,000 learners of all ages and levels, serving over 450 colleges and universities, and high schools across the U.S. to participate each year in the biannual competition. Also, learners may have continuous access to the Cyber Skyline’s challenges with an annual professional account subscription.
Participants would exercise their skills through cyber scenarios using real-world tools to reach from incident response to offensive cyber. This platform helps learners enhance skills for current or future job roles like Security Operation Center (SOC) Analyst, Incident Response, Security & Network Engineers, Software Engineers, Pentesters, and all other information security-related professionals.
Challenge categories are labeled with difficulty levels of easy, medium, and hard, first-time players can navigate the competition environment and try their hand at a variety of skills.
Complete list of how NCL works https://cyberskyline.com/events/ncl/info
They provide the following 9 important security modules for their participants;
Open Source Intelligence
Network Traffic Analysis
Wireless Access Exploitation
Scanning & Recon
Web Application Exploitation
Enumeration & Exploitation
The cost to register per season is $35. The competition is fully virtual and meaning players can participate from anywhere.
At the end of this competition, participants may see the result of their skills based on the module completion in the dashboard, which is very helpful to understand the gap of knowledge and skills.
Registration is available at the following link for the 2020 Fall Season https://cyberskyline.com/events/ncl.
National Cyber League YouTube channel and some useful videos; https://www.youtube.com/user/NationalCyberLeague
- What you need to know about the National Cyber League
- Coaching Individuals vs Teams
- Coaches Calls: What is an NCL Coach? How to sign up and participate as an NCL Coach
- Coaches Calls: Where can I find coaching resources
- Coaches Calls: How to make group payments for your NCL team
- Spring Season Coaching (2020): Lets talk about the elephant in the room: How to NOT CHEAT in the NCL
- Coaches Calls: What is the NCL and why your students should get involved
- Coaches Calls: Rules and Code of Ethics You need to follow
- Top 10 Do’s and don’ts for the NCL Games
- How to register as a coach and purchase game codes for your game code
- Where to find the NCL resources you need for you students to succeed
- The secret life of NCL: Best Practices every coach should know!