{"id":8540,"date":"2020-01-26T12:41:28","date_gmt":"2020-01-26T20:41:28","guid":{"rendered":"https:\/\/origin-www.parsons.com\/?p=8540"},"modified":"2023-08-22T09:54:21","modified_gmt":"2023-08-22T13:54:21","slug":"leveling-up-your-cyber-skills-a-guide-to-capture-the-flag-part-1","status":"publish","type":"post","link":"https:\/\/www.parsons.com\/2020\/01\/leveling-up-your-cyber-skills-a-guide-to-capture-the-flag-part-1\/","title":{"rendered":"Leveling Up Your Cyber Skills – A Guide To Capture The Flag (Part 1)"},"content":{"rendered":"\n

Hosting A CTF, Part 1: What Type Of CTF Do You Want To Run?<\/strong><\/h3>\n\n\n\n

There are a lot of factors to consider when you think about what type of Cyber Capture the Flag (CTF) you want to run. In addition to its type<\/strong>, you\u2019ll have to decide on its location, length, content focus, and skill-level target. <\/strong>I\u2019m going to discuss these in a way that hopefully makes them easy to think about\u2014and to make a decision on. <\/p>\n\n\n\n

Type: <\/strong>Jeopardy<\/strong><\/em>-style, attack versus defend, or hybrid\/both<\/strong>. <\/p><\/div>\n\n\n\n

The two most common types of CTFs are Jeopardy-style and attack\nversus defend.<\/p>\n\n\n\n

Jeopardy<\/em>-style CTFs are where you have a scoreboard\nthat looks like a Jeopardy board, with topics and questions relating to those\ntopics.<\/p>\n\n\n\n

Attack versus defend (sometimes called red versus blue) CTFs\nare where teams have to attack and\/or defend other teams’ services and\/or\nservers. You can run these with one team solely running defense and the other\nteam solely running offense, or you can have lots of teams that have to cover\nboth. <\/p>\n\n\n\n

You can also run what I\u2019d call a hybrid CTF, which has both\na Jeopardy<\/em>-style scoreboard and an attack-versus-defend portion.\nIdeally, the two interact and enhance each other. We\u2019ve done this in the past\nfor a government agency to pit military academies against each other, and it\nwas a rousing success (but it is a lot more work than running a single type of\nCTF).<\/p>\n\n\n\n

Location: Physical, virtual, or both <\/strong><\/p><\/div>\n\n\n\n

Do you want\nparticipants to have to come to a physical location to participate, or will you\nmake the CTF available online? <\/p>\n\n\n\n

Some types of challenges are much easier to do in person.\nFor example, if you\u2019re on a physical LAN, participants can more easily download\na several-gigabyte-large virtual machine. And in person, participants can do\nthings that require them to physically interact with devices (such as breaking\ninto a wireless access point or playing with a hardware device). <\/p>\n\n\n\n

If you want them to come to a venue, you will, however, have\nto do some groundwork and be aware of some limitations. For starters, you\u2019ll have\nto find and book a venue (which will likely limit participation to people near that\nvenue). You\u2019ll need to ensure the venue has ample seating, ample power outlets,\nand network connectivity. You may also want to provide food and\/or drinks for\nthe participants. <\/p>\n\n\n\n

Bars, for example, can be great venues because access to\ndrinks and, usually, food is readily available. We\u2019ve hosted CTFs in pubs a few\ntimes. Participants appreciate seeing their opponents face to face, stoking\nboth the competitive fire and camaraderie of the teams. However, note that a\nvenue like a bar may present problems, for example, not having enough power\nsources for participants\u2019 computers. <\/p>\n\n\n\n

Making a CTF available online can open it up to the entire\nworld (although you can choose to limit participation, too). You don\u2019t need to\nworry about booking a venue or setting it up in the real world, so there is a\nlot less work involved with hosting it. Of course, you do lose some of the\nface-to-face interaction, and some types of challenges are easier to host by\nbeing in the same room.<\/p>\n\n\n\n

Your CTF could also be available at both a physical location\nand online. Although doing both also has limitations, we\u2019ve started doing it because\nwe felt that enabling remote employees to join in the fun while area-based\nemployees meet at a venue for some camaraderie and competition was worth it. (We\ncurrently limit online participation to a subset of personnel to keep the\nnumber of participants manageable.)  <\/p>\n\n\n\n

Length: Duration of CTF <\/strong><\/p><\/div>\n\n\n\n

The CTF\u2019s length is an important decision, often heavily\ndependent on other variables. Do you want the CTF to be just a couple of hours?\nAn all-day event? An all-weekend event? I\u2019ve run a CTF in as little as an hour\nand a half, and I\u2019ve seen CTFs running for longer than 3 days. <\/p>\n\n\n\n

The length will need to be aligned with the location; if\nyou\u2019re hosting a physical event you\u2019ll need to ensure you have the location for\nthe duration of the event (the location will sometimes dictate and\/or limit the\nevent length). <\/p>\n\n\n\n

If you\u2019re doing an attack-versus-defend CTF, which usually\ntakes longer to get up and running and for folks to find and exploit the\nvulnerabilities, I recommend the CTF lasts more than a few hours. The skill-level\ntarget\/amount of content will also need to be adjusted based on the length (or\nvice versa). Because more-difficult challenges often take longer to solve, you\u2019ll\nlikely want a longer CTF if the CTF is focused on challenging the best and\nbrightest. I\u2019ve done some online CTFs where it seemed like every challenge was\nmeant to take a seasoned person at least 2 hours to 3 hours, so obviously a CTF\nlike that (unless it has only a few questions) will need to be longer (the CTF\nI\u2019m referring to lasted 48 hours). We typically run 3-hour CTFs, which seem to\nkeep people\u2019s attention without exhausting them and enable us to include both easier\nquestions (which can be solved quickly by experienced participants but may take\nnewbies 15 minutes to 30 minutes to learn about and solve) and harder questions\n(that may take experienced participants 60 minutes to 90 minutes to solve).<\/p>\n\n\n\n


Content Focus: Defensive, offensive, both, or other. <\/strong><\/p><\/div>\n\n\n\n

For Jeopardy<\/em>-style CTFs, the two most-common content focuses\nare defensive (cybersecurity) and offensive. Most CTFs have elements of both. Some\nhave programming or off-the-wall questions.<\/p>\n\n\n\n

Your content focus will help determine who will attend your\nCTF. If you have a target audience, you may want to engage them beforehand to\ndetermine what they\u2019re looking for. Or think about who you\u2019re trying to attract\nto your event. If you\u2019re unsure, I recommend going for a nice mix of both\noffensive and defensive to try to give everyone at least something they\u2019ll like\nor be interested in. There are tons of sites that list potential topics for a Jeopardy<\/em>-style\nCTF. The following is a list of our previous topics, grouped by field\/type:<\/p>\n\n\n\n