Capture the Flag: A Primer

Note: this article was written in June 2017

A lack of skills

For a number of years technology firms have been complaining about facing problems hiring enough security staff. The Financial Times reports a similar story - on average cyber security jobs are harder to fill than other roles, something which is only going to get worse as demand for experts grows faster than supply. According to industry association ISC squared two thirds of UK companies do not have enough information security personnel to meet their needs, with the global shortfall in cyber security experts predicted to rise to over 1.8 million by 2022 . As events like the recent WannaCry attack continue to raise the profile of cyber security in the public consciousness, an increasing number of businesses are going to find themselves facing a problem without a solution.

It's true that cyber security related courses and certifications are becoming more popular. But it will take a long time to build and develop a workforce of the size that is needed, both globally and in the UK. For less experienced employers the broadness of the field and lack of universal certifications can make it difficult to get what they want. That these certifications are practical in nature undoubtedly increases their appeal to organisations, but very few of them reflect the adversarial nature of the security game in reality. Static questions, like those you'll find on the CIISP exam, won't adapt and fight back. A real attacker will.

So with a number of years before the industry slows its growth and begins to mature, and a disconnect between the nature of certifications and reality, what's the best way for employers to fill the security related positions they have now?

Introducing Capture the Flag

Penetration testing, offensive security, ethical hacking - all terms you've doubtless heard before. Capture the Flag (CTF) may not be, but it takes the above and moves away from a production setting while adding a competitive spin. The CTF scene has taken off in the UK over the past few years: across the country hundreds of students regularly get together to take part in cyber security themed competitions, with Cyber Security Challenge UK (CSCUK) coordinating the majority of the nation's events. The online community is even larger; international events take place every week, open to both teams and individuals (see ctftime.org).

Perhaps better thought of as competitive security, challenges require a combination of problem solving and technical prowess to solve. Competitions vary from groups attacking and defending infrastructure to individuals solving small puzzles. Any topic is fair game: cryptography, forensics and reverse engineering are favourites, but it's not unknown to see participants tackling phishing emails or physical locks. Knowing how to use the industry standard tools required to solve these problems is a valuable skill in itself. Hands-on experience cements good practice - you can be told WEP secured networks are bad, but breaking one in 5 minutes with Aircrack really drives it home.

CTFs thrive because they focus on the thrill of solving problems, which means that there's plenty of discussion about solutions. This environment fosters learning and collaboration, with newcomers being encouraged to grow rather than being put off due to inexperience. And it's easy to forget that while these skills are obviously applicable to a career in cyber security, knowing how the bad guys get in is beneficial for developers, managers, and other IT roles as well.

The New Infosec Interview

CTFs represent a unique opportunity for employers to directly connect with the best and the brightest when it comes to cyber security skills. As the introduction to this article suggests, the benefits of competitive security are not limited to those competing. Many companies are already waking up to the opportunity; CSCUK alone has 35 sponsors and 41 affiliates. Because participants attend events out of a passion for computer security, many are actively looking for jobs or internships and are only too happy to be approached by employers looking for talent.

In this way, the downtime between competition rounds acts like an informal interview process - sponsors are able to see how candidates work and highlight their own offerings, while students are given the opportunity to ask questions about life in the industry. It represents a low-cost, high-impact way to engage with students who may miss schemes buried in the usual deluge of marketing material given to soon-to-be graduates.

Beyond Technical Skills

One would be forgiven for thinking that CTFs are focused solely on technical knowledge. While there are rewards for the most technically adept, competition organisers are looking for more than just hard skills. Students advancing to the CSCUK Face to Face (F2F) events must show maturity and leadership. These events have a dress code and the atmosphere is more of professionals at work than hooded teenagers staring at screens in their bedrooms.

On the international stage, the Atlantic Council runs a yearly cyber security policy competition - Cyber 9/12. Taking place in Geneva, Washington, and Sydney, it simulates the day after a cyber crisis. Participants are given a briefing from which they must develop policy options that are judged by a panel of diplomats, industry practitioners, and military personnel. The real-world application is clear - this year's scenario depicted ransomware attacks on hospitals and public transport a month before the NHS and Deutsche Bahn fell victim to the Wannacry attack.

In Summary

All indications point to the continued growth of the competitive security scene. Students are seeing cyber security as an increasingly accessible and fulfilling career path. Changes to the national curriculum also promise to engage upcoming generations with computing.

For companies, being part of CTF events (either alone or in collaboration) presents a golden opportunity for recruitment, PR, and outreach. Active involvement in hands-on cyber security events can also sharpen your own technicians' skills, drawing on their experiences to craft devious challenges. And for students? It's certainly more exciting than the traditional interview process.

CTF Events: Where to Get Started

1. CSCUK Face to Face: Taking place four times a year, F2F events pit the best players from CSCUK's online games against fiendish scenarios devised by cyber security organisations. Those impressing the judges are invited onto a prestigious yearly `Masterclass' event, and are open to anyone 16 or over not currently employed in a cyber security role. See cybersecuritychallenge.org.uk/competitions for more information on all CSCUK events.
2. CyberCenturion: For younger competitors CSCUK run the CyberCenturion program for teams aged 12-18. The battle lasts for three rounds, culminating in a national final.
3. CyberGames: Aimed at schools, CyberGames is a one day event run by CSCUK similar to the face to face competitions mentioned above.  In addition to engaging pupils it also offers resources and training to teachers.
4. Inter-ACE: Students at any of the 13 universities identified as Academic Centres of Excellence in Cyber Security Research can enter this yearly event at the University of Cambridge. The university also runs the Cambridge to Cambridge contest in collaboration with MIT. See https://inter-ace.org and http://cambridge2cambridge.csail.mit.edu.
5. Cyber 9/12: For those wanting a less technical focus the Atlantic Council runs Cyber 9/12, a two day event hosted at the Geneva Centre for Security Policy. Participants must develop policy solutions and pitch them to practitioners, diplomats, and NATO personnel. See http://www.atlanticcouncil.org/programs/brent-scowcroft-center/cyber-statecraft/cyber-9-12.