Published on 08:00 AM, March 21, 2024

Everything you need to know about capture the flag exercises

Illustration: Faisal Bin Iqbal

As data becomes the most valuable product in a growing tech-dependent world, data security concerns are on the rise. As a result, cybersecurity is destined to be a highly demanding career field soon. But how do you get into cybersecurity?

"Capture the flag (CTF)" exercises might be the answer. 

CTF, simply defined, is a competition for identifying "flags" in a computer system or environment. The flag has to be found or "captured" by the participants, hence the name "capture the flag". In general, the flag refers to vulnerabilities in the target system, which have to be identified. Although widely different in practice, CTF can be thought of as similar to competitive programming, but for cybersecurity. 

Like competitive programming, CTF exercises also involve solving problems related to finding weaknesses or issues within a given system. But the similarity ends there. Whereas competitive programming is largely dependent upon logical thinking and problem-solving, doing better in CTF requires one to be an expert in different concepts related to computer science and computer systems.

Another difference between competitive programming and CTF is directly tied to the cybersecurity industry. The activities one performs in a CTF exercise are directly needed in the workplace, whereas the knowledge gained from competitive programming is not directly industry-focused. Rather, competitive programming can be used to hone skills that you can then use at your respective workplace.

Of course, competitive programming can be advantageous for CTF because it creates a base of logical and analytical reasoning, but it is also possible to do better at CTF without competitive programming expertise. 

While it is not mandatory, having a Linux operating system and being adept at using it does boost one's performance in CTF. Being open source makes Linux user-friendly and flexible, which in turn makes it easier to analyse the system where the flag resides. Linux distributions such as Kali Linux even have security-focused tools pre-installed. That is why CTF forces participants to be well-versed in that environment.

As with any other competition, CTF consists of different types of problems. For example, in binary exploitation, the participant has to analyse a programme thoroughly to find a flag, usually in the source code, and then exploit it further to do another task, such as taking control of the programme and making it produce a specific output. Similarly, reverse engineering also focuses on finding vulnerabilities in a programme, but without the latter part of binary exploitation, meaning that there is no further exploitation of the flag.

Cryptography, as the name suggests, is the practice of encrypting and decrypting data based on hints or clues. Furthermore, there is web exploitation, where the participant has to analyse a website thoroughly to find the security issues in the website, such as SQL injection or cross-site scripting. Finally, another category can be forensics, where the focus is specifically on the malware in the system.

As can be seen, all of these require a thorough understanding of the problem and the knowledge of tools that have been used to create that problem. For example, if one wants to solve a problem related to web exploitation, it is required that one learn or at least understand the language in which it is written. Only then can the task be solved.

Another example is if one wants to do better at cryptography, one must know about different algorithms by which the data can be encrypted. This might mean reading a lot of research papers or browsing the web to find necessary information. Due to this diversity of problems, CTF participants acquire a detailed understanding of many sectors of computer science that might not be accessible to everyone. And as it is industry-focused from the start, it is easier to build a career in cybersecurity through such exercises.

CTF enthusiasts can pursue careers as penetration testers, security analysts, consultants, incident responders, and cybersecurity researchers. "Your CTF skills highlight your capacity to think like a hacker and defend against cyber threats, making you an invaluable asset to any cybersecurity team," says Navid Fazle Rabbi, Senior Engineer, Offensive Security Research, Product and Technology, bKash.

One major drawback of CTF competitions, however, is the lack of a level playing field. Usually, competitions are held without any institutional or age boundaries, so participants can range from first-year students to professional engineers. However, that shouldn't be your reason not to take part in CTF, as explained by Imtiaj Ahmed Chowdhury, a lecturer at the Islamic University of Technology (IUT) who leads the award-winning team IUT Genesis. According to him, "The extensive knowledge gained from solving CTF problems is an asset you can carry in any field of computer science."

Probably the most well-known site to begin practising CTF problems is picoCTF. Then there are websites like Hack The Box or TryHackMe. TryHackMe is better for beginners, as it is a guided website that can help one understand how to practise. But, according to experts, the best way to learn CTF is by diving right into live CTF competitions. This practice allows beginners to familiarise themselves with the contest environment.

CTFtime.org is a website which collects data from international CTF contests, their difficulty levels, and time constraints. Beginners can jump right into the contests with the lowest difficulty levels, and solve the problems there to gain experience. Alongside individual practice, participants should also engage with CTF communities to learn more about the exercise.