Today, in 2019, I see an increasing popularity of playing a Capture The Flag (CTF) by Cybersecurity students.
What are the advantages and disadvantages of playing CTF's in relation to developing the right skills for Cybersecurity students (Bachelors and Master degree)? Does it ad value to the cybersecurity skills gap? On what way it does or does not?
CTF definition from Wiki: en.wikipedia.org/w/index.php?title=Capture_the_flag#Computer_security
There are a lot of competitions online and offline. Just a few examples:
Online: ctftime.org, www.hackthebox.eu, picoctf.com
Offline: ecsc.eu (Europe), defcon.org (Americanas)
Example Curricula from ECSC: ecsc.eu/about/ecsccurricula.pdf/download
Good reads about the intersection of Cybersecurity and education (related to playing CTF's) are also welcome.
Other questions i have in mind: 1) How does playing CTF games ad an value to the quantitave and qualitative cybersecurity skills shortage worldwide? 2) Can playing CTF's be a (partial) replacement for Cybersecurity-education (under- and graduate level)? 3) The quality of a CTF strongly depends on the developer(s). Is there (some kind of) framework to measure the quality and levels of CTF's? 4) What is the future of CTF's? (Serious gaming/cybersecurity simulation environment/other) 5) How can we make CTF's more reality based / realistic? 6) The sooner students start with playing CTF's, the better?
Sources for CTF frameworks: https://github.com/cliffe/SecGen https://github.com/CTFd/CTFd https://github.com/easyctf/librectf https://github.com/facebook/fbctf https://github.com/Gallopsled/pwntools https://github.com/koromodako/mkctf https://github.com/legitbs/scorebot https://github.com/mcpa-stlouis/hack-the-arch https://github.com/moloch--/RootTheBox https://github.com/Nakiami/mellivora https://opencyberchallenge.net/ https://github.com/UnrealAkama/NightShade
Good reads: https://trailofbits.github.io/ctf/ https://github.com/s1gh/ctf-literature https://www.endgame.com/blog/technical-blog/how-get-started-ctf
https://doc.lagout.org/security /Packt.Kali.Linux.CTF.Blueprints.Jul.2014.ISBN.1783985984.pdf
Hello,
the CtF I have experience with have been single day events. That means the event itself is not where any learning is taking place. The important time, for participants as well as organizers, is the preparation. That is also where students learn, but the CtF at the end gives a huge boost for motivation and provides a target to define what to learn.
The topics that can be learned depend on the type of CtF you are playing. The CtF I participated in where focused on application security, very practical implementation and configuration vulnerabilities with the occasional reverse engineering of buggy protocols. It is your, assuming you are the teacher, responsibility to select a fitting curriculum beforehand. But there are plenty of challenges and writeups of historical CtF events out there.
And then CtF provide an opportunity to setup a whole setup for security monitoring and operational processes. But the focus with us normally has been on bug hunting and reverse engineering and that, in my eyes, is not sufficient to motivate a full course in IT-security.
CtF tend to require a lot of preparation and part of it is development of "sport utilities" like efficient flag-submission services or exploit automation, but given that you can engage your students deeper with the prospect of a CtF competition in the end, and the potentials to run a competitive group continuously running over many years, where knowledge and skills can be honed and taught by the experienced students makes up for all the work. And, it is, in my experiences, one of the most fun and most effective ways of standing by while students learn.
I agree with Lars' take. CTFs all depend on how you set them up etc. We're doing one in December at IITSEC 2019 and it'll be a 15 hour event that will pit various schools and academies against each other using the new Persistent Cyber Training Environment (PCTE). Pretty exciting stuff and CTFs are definitely good learning tools for cyber defenders.
Most of the great security researchers I've know are CTF players. Besides this anecdotal evidence, there are some scientific reports on the subject: https://dl.acm.org/results.cfm?query=capture+the+flag
- Badges
- Science topic
- Similar topics
- Education