Flag competitions can help to improve safety skills and identify talent. Use these tools and frameworks to design and conduct your own CTF event.
It is not so long ago that such activities were of dubious reputation and dubious legality. Nowadays, everything is disclosed and very respectable, even if the participants take an alias and play Bond villain. To stop the cyber-attacker, you need to think like the cyber-attacker. Hackers created Capture the Flag (CTF) contests to hone their skills where they compete for p0wn servers and gain credibility.
CTFs for corporate security personnel are a win-win situation for the white hats. Security personnel learn new techniques, practice dealing with challenging scenarios and network with other members of the security community. But that’s not all.
Bobby Kuzma, Director, Cyber Threat Strategy and Empowerment for IT automation and security software vendor HelpSystems, says: “I see that a respectable number of companies are actually using CTFs as part of their community outreach and recruitment strategies. They help to get people, especially students, excited about cyber security and identify promising, non-traditional candidates”.
A personal favorite resource of mine is Didier Stevens and his tools. Didier’s original specialty is tools for analyzing PDFs, Microsoft Office documents, and other complex data files, many of which are used to launch attacks. His collection is now much more diverse. They are invaluable for examining and creating malicious files.
The largest group is resource hacking. These are the resources: network scanners, static source, decompilers, heap visualizers, packet capture, debuggers, binary analysis, hash crackers, and image editors,. All security professionals have their own preferred tool sets, but a CTF can challenge them to find new ones.
I will discuss other instruments that are more specifically geared to the CTF, but let me first discuss the two main styles of the CTF: Attack-defense and danger style.
In an attack-defense competition, there are two teams, each with a computer environment that can be as simple as a single server. Each team tries to attack the other team’s systems and defend its own system from attack. Each system contains a set of information flags that the attacker tries to find and capture. Hence the name “Capture the Flag” (that and the traditional outdoor game).
The attacker, on the other hand, uses intrusion techniques to gain privileged access to the server. If the attacker can gain root access, the game is certainly over soon, but depending on the applications and services involved, more limited attacks may be sufficient.In such a scenario, the defenders have to do all the things they want to do on their own servers in the real world: Patch all software vulnerabilities, even the obscure ones; leave only the very necessary services open through the firewall; ensure that all passwords are secure and that accounts have the least necessary privileges; and so on.
Jeopardy style tournaments have any number of teams and a Jeopardy style board with challenges worth different amounts of points. When a team accepts a particular challenge and finds the flag, it submits it to the point system, receives the points, and moves on to the next challenge. When time runs out, the team with the most points wins.
Because they are much easier to set up and manage, Jeopardy style contests are far more common than attack-defense.
King of the Hill
In a King-of-the-Hill event, each team tries to take and keep control of a server. When the clock runs out, the team that has held it the longest wins. This is a variant of the attack-defense CTF.Why would you prefer one type of competition over another? Kuzma says that “Jeopardy events are good for building problem-solving skills.” King of the Hill events are great for strengthening incident response, collaboration and planning.
The closest thing to CTF-in-a-box is the OWASP Juice Shop. OWASP (the Open Web Application Security Project) is an organization of security experts who design tools and policies to help developers and other IT professionals create secure applications.
The Juice Shop is a fictional web-based store that sells juice, T-shirts, and other items whose details are not important. What matters is that the site is peppered with vulnerabilities of almost every known type. The website is customizable, so you can brand it as you like and change the products as you like. OWASP includes different forms like a docker image and runs with a single server instance.
The OWASP Juice Shop does not prevent users from running scriptsJuice Shop also includes the scoreboard and account management required to run a contest.
Capturing the Flag Frames
These are some of the most popular CTF frameworks, as well as some that are a bit more opaque. CTFd is a CTF platform widely used by security vendors, universities and hacker groups. It includes the scoreboard and other infrastructure of a contest. They simply add the actual challenges, i.e. the puzzles solved by users, and their scores.
Other important frameworks are:
- The CTF frame of Facebook
- iCTF from the UC Santa Barbara computer security lab
Capturing the Flag Tools
Google holds some significant CTFs. It hasn’t published its entire framework, but it has published its scoreboard code and most of the challenges.
The list of helpful tools is long. Here are a few of them:
- Damn Vulnerable Web Application is an open source PHP/MySQL web application designed to highlight known and unknown vulnerabilities. The user selects a vulnerability (e.g. SQL injection) and calls it via the UI. The DVWA does not have an amusing front-end like the Juice Shop, but sometimes the easy way is the best.
- The Security Scenario Generator (SecGen) creates semi-randomized vulnerable virtual machines.
Where to Find CTF Descriptions
The records are so detailed that with little work you can change things so that you can make the challenge your own. The main problem with the archives of records is that many of them are lists of challenges for which the record is “to do”. Another disadvantage of many transcripts is that many of the authors do not write well.
Performing a Capture the Flag event in the public cloud
Because of the volatile nature of CTFs, it is tempting to run them in a public cloud where you can allocate resources to them and then release them again, paying only for what you use. You can do this if you are careful and follow the rules.
Microsoft also has strict rules for pen testing at Azure, but they do not require pre-approval for this.
Many of the best resources, especially for Jeopardy CTFs, are the records of CTFs in the past and postmortem records of participants describing them. If you look around, you will find records of CTFs describing the challenges and how they were solved. If you find enough of them, you may already be finished. On this github CTFs page you will find a large archive of recordings as well as tools to create recordings.
Google also does not require pre-authorization, only that you comply with the Google Cloud Platform Acceptable Use Policy and the Google Cloud Platform Terms of Service.
A CTF is likely to be a popular event among employees, more so than traditional training and perhaps more useful. At a time when many security positions remain unfilled, a CTF can be a valuable recruitment tool that objectively helps you find the most qualified candidates. Think of it as a tool to maximize the skills of your team, and the fun is free.