Rigorous training in how hackers get into systems and access sensitive data, and in how to defend against an onslaught of cyberattacks, has given rise to a specific type of training and competition for cybersecurity professionals: Capture the Flag (CTF).

To find out more about these competitions, we talk to Dr. David Brumley, CEO of ForAllSecure, Inc. and Professor of Electrical and Computer Engineering and Computer Science at Carnegie Mellon University. 


Security magazine: What is your title and background?

Dr. Brumley: I received my PhD in Computer Science from Carnegie Mellon University, MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. I then became a tenured professor of Electrical & Computer Engineering at Carnegie Mellon University in 2016 and went on to become the Director of CyLab Security & Privacy Institute. With over 20 years of cybersecurity experience in academia and practice, I’ve authored over 50 publications in computer security and have received numerous awards, including the US PECASE award from President Obama, the highest award in the US for early career scientists and engineers. Alongside my graduate students, Athanasios Avgerinos and Alexandre Rebert, I co-founded ForAllSecure in 2012 with the mission to secure the world's critical software.


Security magazine: What are “capture the flag” exercises? How do they work?

Dr. Brumley: Capture the Flag (CTF) exercises are online or in-person hacking competitions. They are fashioned after the childhood game “capture the flag”, only the “flags” are not physical flags, but digital ones. Each CTF event is made up of a number of computer security problems or puzzles. When you solve the puzzle, you “capture the flag” - a unique token that shows you have solved that challenge. 

CTFs are a type of deliberate practice. They break down skills into specific problems. They have a systematic path: problems get harder and harder as you progress up the levels and ranks.


Security magazine: Are there different formats of CTFs?

Dr. Brumley: There are several approaches to creating effective CTFs, and you should know them if you are looking to play.

They are:

  • Jeopardy style, where you’re given challenges with different point values. The more points, the harder the challenge.
  • Attack/Defense “Live Fire” contests, where the players are on a closed network and the goal is to hack other teams while defending yourself.

When you first start with CTFs, you should start with Jeopardy style. They are there to build skills. 

Attack/Defense CTFs are more advanced: it’s like hacking in the real world, while jeopardy is practice. But like the real world, they can be unforgiving. If you’ve not spent time in jeopardy style building up skills, you’re likely to get demolished in an attack/defense contest.

One word of caution: I generally recommend against any hacking contest or challenge that claims to be defense-only. In sports, you’d never just teach a team defense. Just imagine if your favorite football team said “we’re not going to try and score goals, we’re only going to prevent the other team from scoring goals.”  It doesn’t work well in sports, and doesn’t work well in computer security.

Fundamentally what a hacker does - and the best security experts - is to first think about what can go wrong (thinking like an attacker), and then figure out how to fix it (thinking like a defender).


Security magazine: What are the different challenges in CTF exercises?

Dr. Brumley: CTF challenges are based on computer security topics and tend to focus specifically on finding and exploiting vulnerabilities. The five main areas are:

  1. Reverse engineering: This is the process of taking a “compiled program” - for example, machine code - and converting it back into a format that a human might create.
  2. Binary exploitation: This relates to finding a vulnerability in the program and then exploiting it to gain control of a shell or modifying the program's functions.
  3. Web exploitation: There are issues fundamental to the internet regardless of the chosen language or framework that can be exploited to gain higher level privileges. For example: SQL injection, directory traversal, and cross-site scripting.
  4. Cryptography: Cryptography is one of the older disciplines in computer security and probably the one that requires the most mathematical background. Alan Turing, the great code breaker of World War II, was a cryptographer. The interesting thing about crypto is that theoretically the algorithm itself is often secure; the problem lies in how it is implemented.
  5. Forensics (both disk and network): Forensics is about figuring out what an attacker did once they broke in. You look at network traffic, what was left on disk, and try to reconstruct something left by the attacker. A flag could be something like a hidden message in a deleted image.

To learn the theory for these categories, you can either pursue formal education, such as a computer science degree, or read the work of others. But the best way to learn is through practice by playing CTFs.


Security magazine: Overall, how does it help security professionals or students to learn about cybersecurity?

Dr. Brumley: CTFs help security professionals and students learn by utilizing real-life challenges and using hands-on experience in order to solve them. It’s what we call “auto-didactic” learning. An auto-didactic is a self-taught person. Computer security moves so fast that there is no “end” or “fixed set” of concepts. If you want to be really good, you need to get in the mode of always learning and trying new things.

Another unique way CTFs help those to learn is by pairing the concept with a challenge problem. Research shows that there are at least two things you need to do to really learn something:

  • Understand the theory: It means learning the fundamental concepts, such as how a particular cryptographic algorithm works.
  • Application: That’s taking the theory, and showing you can apply it. 

You may remember from school that courses that were based in theory were not exactly useful. The key step to really understanding a new concept is applying and practicing those concepts in real life. That’s what CTFs allow security professionals and students to do.


Security magazine: Could these exercises help close the cybersecurity skills gap? How so?

Dr. Brumley: The gamification of security can help draw in new talent. The jeopardy CTFs are good for beginners because they build basic knowledge. The attack/defense CTFs are good because they are competitive, like sports, requiring both offensive and defensive skills. CTFs expose more people to information security and begin to address the cybersecurity skills gap.


Security magazine: How can individuals or organizations get involved in these exercises?

Dr. Brumley: There are a number of ways you can get started with CTFs. The first is to understand the fundamental concepts of CTFs; you can do this by visiting Capture the Flag 101 (https://ctf101.org/), an online guide to getting started with CTF contests. Capture the Flag 101 breaks down each CTF category with an overview and dives into each of its components.

After you have a good understanding of CTF fundamentals, you can start practicing in real time. At Carnegie Mellon University, we use picoCTF as an introduction into CTF challenges. PicoCTF started as a competition for middle and high school students and has now expanded to help learners of all experience levels. The picoCTF challenges are designed to provide a graduated set of examples, each harder than the next - Jeopardy style. Once you’ve mastered picoCTF, you can check CTFtime for a maintained list of upcoming contests ranging in size and difficulty.