CTF – “You keep using that word. I do not think it means what you think it means.”

As a gamer, every time I hear “capture the flag”, or “CTF”, my memories bring me back to playing games like Team Fortress, Counter-Strike, and other team FPS (First Person Shooter) games where you would literally try to steal (a.k.a. “capture”) the other team’s flag (usually placed deep within their base or stronghold) while you tried to defend your own. Board game enthusiasts may have memories of the game Stratego. However, over the years, and as I have joined the IT/OT cybersecurity community, the term “CTF” has come to mean something different from what I remember and, in my opinion, is misused. Nowadays, “CTFs” seem to involve more puzzle and challenge solving, much more like a scavenger hunt, rather than an actual capture the flag competition in the traditional sense. Points are awarded for each challenge that is solved (called a “flag”) and usually displayed on a Jeopardy-style scoreboard. Whereas, in a traditional capture the flag, no points are awarded and there is simply one goal… to win the game (by capturing your opponent’s single flag). Don’t get me wrong; there is significant merit to these, often extremely technical and advanced, scavenger hunt style “CTFs” for skill building, but they are not true capture the flag competitions. Technically, they should probably be called find the flag competitions rather than capture the flag.

Why does it matter what we call it?

Admittedly, it does not really matter what you call it. The concept behind it is what is important. However, today’s version of “CTF” is missing a very important component that traditional capture the flag exercises were literally built upon (well, apart from having an actual flag). Historically, CTFs were military exercises (or “war games”) used to practice how to attack and defend against a live and active adversary. The two sides were also typically designated as “red team” and “blue team.” This concept is further illustrated in gaming dating all the way back to 1946 with the board game Stratego, where each player’s “military” is represented by either red or blue, and the goal is to capture the other team’s flag. The traditional CTF format has been around for a very long time, and the active team versus team (or player versus player) aspect of it is a crucial part of the experience and training. History would suggest that it is the entire point.

Whether we are discussing war or cybersecurity, it is important to practice offensive and defensive skills against active opponents because in real life, our adversaries will be actively working against our own efforts, not giving us static puzzles to solve. Today’s “CTFs” are still a great way to hone technical skills, but they do not provide the same level of experience that practicing against a live “threat” can achieve. Think of it like self-defense. You can hit a punching bag a million times and have perfect form, but it does not teach you how to dodge a punch.

If you really want to build your skills in preparation for real-life live threats, then you need to train and test your skills against a live opponent.

Where Can You Find Traditional Capture the Flag Training for Cybersecurity?

The good news is, it is often much closer than you think. If you have performed a penetration test (or your organization has had one performed), you are halfway there. You might have also heard of “red teaming” and now the emerging industry buzzword, “purple teaming.” A red team exercise (or red teaming) is a form of penetration testing where one team (the red team) replicates adversarial techniques to identify security weaknesses and measure defensive capabilities. When done properly, the blue team also actively monitors for signs of intrusion and responds accordingly. This type of red team versus blue team exchange of attack, defend, and respond (now, so cleverly deemed “purple teaming” by marketing aficionados… because red and blue make purple) is a direct translation of the very same military-style exercises.

Full-scale exercises do require immense logistical and technical planning, and they do not come around that often. So, how can you do something similar but in a way that is a bit more scalable? One way is to use a lab or “cyber range”, which represents a scaled-down version of the systems and environment being tested. Cyber ranges are becoming more common in today’s “CTFs” because they can provide a more realistic technical environment and, thus, the opportunity for more realistic technical training. However, it is all too often overlooked that cyber ranges are also a great environment for more active red team versus blue team training and exercises. Due to their scaled-down size, they do not require the same logistical coordination as a full-scale, organization-wide exercise, and they can be held more often. In terms of competitions, however, it is more complicated than creating static challenges, and as the number of participants increases, managing an active red team versus blue team format in this type of environment can get very complex and difficult. Another challenge is that there is often a rather steep technical learning curve, especially on the red team side. Therefore, without proper instruction or skilled red team participants, it can be a frustrating experience for beginners or those who are less technical, and it can also result in unrealistic training.

So, what if you are a beginner, or just less technical in general, and want to participate in a traditional CTF or red team versus blue team training competition? What if you wanted to hold a traditional, red versus blue, CTF for a large number of participants?

This is where modern cybersecurity gamification platforms, like ThreatGEN® Red vs. Blue, really shine! (Sorry for the shameless plug, but this really is literally what Red vs. Blue does.) Through the use of computer gaming technology, beginners, students, and professionals alike (of any skill level) can all experience the benefits of a traditional CTF, active opponent versus opponent, just like it has been done for centuries, now on the digital battlefield of cybersecurity. Modern computer gaming engines are designed to support competitive styles such as traditional capture the flag. In fact, Multiplayer Online Battle Arena (MOBA) games are designed around a capture-the-flag-like format. Cybersecurity is a natural fit for this style of game play, especially red team versus blue team and traditional capture the flag training and competitions. As a result, configuration and logistics are much less technical, and such platforms can support hundreds, even thousands, of simultaneous users, as compared to today’s typical cyber ranges.

Today’s version of a “CTF” absolutely has its merits as a technical skill building platform. Not to mention, it is fun! However, cybersecurity is not always just a scavenger hunt (sometimes it is… shout out to the forensics and threat hunter folks out there). Many of the skills and strategies that cybersecurity professionals use every day need to be exercised and tested in conditions that resemble the real world, against live opponents actively working against you. And this is what the traditional CTF, the red team versus blue team, provides.


For further reading:


About Matt Anderson

Matt Anderson is one of ThreatGEN’s founders and Chief Operations Officer (COO). Matt is our point man for ICS risk assessments, vulnerability assessments, penetration testing, and threat analysis. Throughout his career, Matt held various roles at Kaspersky Lab, Critical Infrastructure Defense Group, U.S. Support, Convergys, and Systems Evolution Inc.

Matt has also served as an Adjunct/Volunteer Cybersecurity Lab Leader for North American University (NAU).


About ThreatGEN

Founded in Sugar Land, Texas in 2017, ThreatGEN delivers a solution to bridge “the Operations Technology (OT) Cybersecurity skills gap” utilizing its ThreatGEN® Red vs. Blue and ThreatGEN Services.

ThreatGEN® Red vs. Blue training uses cutting-edge computer gamification to provide an exciting & modernized approach to OT cybersecurity training, both practical and cost effective!

ThreatGEN Services are delivered worldwide by world-renowned OT cybersecurity experts (we literally wrote the books industry uses) using strategically chosen partnerships to create a holistic service offering.

Books written by Clint Bodungen, Aaron Shbeeb, and Pascal Ackerman.
