Three years prior, I entered the CTF, or Capture The Flag, competitions with an unworthy level of confidence with an IT background and superficial knowledge of basic computer security skills and high self-assessment hacking skills. Getting humbled, as the kids say, was an understatement.
Many hours were spent looking at challenges and then witnessed them being solved in seconds by those with much more experience. The largest frustration and fascination phenomenon I had ever seen. The first time I got an ego bruise. CTF competitions sharpened my technical skills to give me the confidence and the most refined problem-solving practices, greatest security thinking, and tactical understanding of the attacker/defender mindset I needed to effectively do my job.
The CTF Phenomenon
‘Capture The Flag’ (CTF) competitions in cybersecurity are nowhere near similar when compared to the childhood versions of the game we played in a school playground. But the spirit of the childhood game remains intact considering CTF competitions involve similar strategic challenges and competitive thrills. A typical CTF event entails a structured competition where participants complete various challenges related to cybersecurity in order to find hidden flags.
Flags are usually in the form of strings of text and are proof of your successful achievement of an objective. These competitions are typically structured in two predominant formats, namely, a Jeopardy-style competition event where the competitive teams are able to choose and tackle challenges as a team in a particular category, and an attack-defense competition where teams play the roles of defenders and attackers, meaning that teams defend their own systems and attack the systems of the rest of the teams.
Different CTF competitions are distinct from other competitions in the learning experiences that they provide. One of the most unique experiences offered by CTF competitions include feedback; feedback is offered in the form of gamification, feedback is immediate, and the feedback is derived from a real-world competition scenario as opposed to traditional classroom-style learning training. Training that is traditional in nature and that is directed at learning CTF competitions, is again traditionally passive.
This is a stark contrast to CTF challenges, where the participants are given little to no instruction, and they are required to tackle the challenges while thinking, researching, experimenting, and problem-solving. Competitors are required to operate within a limited time frame; the time is a pressure-inducing constraint. CTF competitions are, in my opinion, some of the most effective learning experiences available to individuals.
The most important learning experiences are the ones that offer challenges to learners. The received challenges facilitate your learning experience and should replace passive learning experiences as a standard. The knowledge received stems from active learning and should increase the active participation of learners in the learning process.
Breakdown of Skills Required in CTF Events
CTF competitions help strengthen a variety of skills beyond just technical ones. Originally, I only thought about the exploitation of application vulnerabilities and the deployment of attack toolkits. I soon realized there was so much more, and I had the chance to broaden my horizon in many more of the events’ skills. Besides the exploitation of website apps, CTF events also involve challenges in binary exploitation, reverse engineering, cryptography, forensics, stage analysis, and networking. Each of these areas has its own unique tools and ways of thinking.
These challenges helped me develop many skills. My biggest growth came from thinking like a web application attacker by looking for SQL injection, cross-site scripting, and authentication bypasses. Additionally, I learned a lot about assembly language and memory management from reverse engineering and binary exploitation challenges. I also grew to understand the theory of some cryptographic implementation and its weaknesses from my work in the cryptography challenges. Finally, my forensics challenges helped teach me to review and analyze system artifacts, network traffic, and evidence to reconstruct events. This wide span of skills was instrumental in me becoming a more well-rounded security professional, rather than a jack of all trades.
Community Engagement and Learning
I will not sugarcoat starting your CTF journey; it is, at times, incredibly taxing, and can be a challenge to continue participating. I remember my first competitions and the extreme frustration I felt from only being able to complete maybe a single beginner challenge, while at the same time dozens upon dozens of challenges would be cleared by many seemingly experienced teams. I remember the feeling of wanting to quit and many newcomers unfortunately take part in a single CTF, feel the same sense of overwhelming defeat, and never come back. Fortunately, I was able to find the wonderfully supportive CTF community, and it made all the difference.
Many CTF competitions are about mass knowledge and skill competition; however, knowledge is power, and many CTF participants believe that their knowledge gives them a competitive edge, and this leads to an unsupportive competitive community. Fortunately, this is not the case.
In CTF competitions, the community prides itself on knowledge sharing, and many of the teams that win competitions will go on to publish explanations of their solutions and provide feedback on the tools that are used. These posts become my study guides and let me analyze not only the correct, or winning submissions, but also the analytical and strategic approaches that the experienced participants used to arrive at those solutions. I would spend countless hours learning their techniques and solving the challenges in my own virtual environment to make sure that I could actually internalize those techniques and strategies to an experienced level.
Numerous CTF platforms provide a means to hone your skills in a non-competitive practice environment. I made it a point to practice for several hours a week. It helped me build my toolbox and hone my skills in pattern recognition. This is what separates the mediocre players from the advanced ones and enables the advanced players to quickly spot vulnerabilities.
Developing Practical Skills in Penetration Testing
As I advanced in CTF competitions and penetration testing, the more obvious the relation became. Many critics argue that the CTF style of problem solving is not a skill used in real world penetration testing and I have found the opposite to be true. CTF competitions help develop skills like systematic enumeration, creative problem solving, and persistence. These same skills help make effective penetration testers.
CTF challenges helped me understand the importance of ample information gathering, data analysis, and scrutinizing every detail, recording, and artifact. I learned how to combine several smaller discoveries into larger compromises, understanding that a single low-severity detail could combine with others to create a major one.
The environment, which was focused on time, forced me to work effectively, set priorities on where to go based on how likely I would reach an accomplishment, and also to effectively know when to move away from dead ends instead of sticking to an idea and approach that was obviously not working.
For people that want to supplement their ethical hacking education and CTF, there are proprietary ethical hacking resources designed to provide a base and cover the necessary concepts and certifications. Industry recognized methodologies and other requisite concepts are integrated into CTF practice to ensure that students understand the materials. I discovered that practice-plus-theory approach helped CTF. I used to approach CTF practice without the rest of the materials which was not optimal. Theory helped CTF and vice versa.”
The Mental Game and Problem-Solving Mindset
Apart from the individual techniques needed to participate in CTF competitions, I also built a strong problem-solving framework, as well as the mental agility which I have used in all my professional engagements. The mental challenges involved in the security challenges require, above all, a great deal of creativity. You have to think and reason in ways that challenge the assumptions in the problem and to view the entire system from various unconventional perspectives. I have come to accept the feeling of being ‘stuck’ in a problem as a process in the challenges as opposed to feeling as though I am inadequate.
The overwhelming and dominating feeling of frustration has turned to complete euphoria in some of the best moments that I have experienced in CTF competitions when I have a breakthrough and obtain the problem with a fresh perspective. The mental challenges also taught me the importance of a proper system and method in an activity compared to a random series of trial and error. I can still recall the days in the early stages of my CTF competitions when I had no mental framework and would just pick a device at random and, in a frenzied state, designate various attacks to each individual device, maintaining the hope that at least one would achieve a ‘positive’ outcome.
I have been taught by the veterans to describe a problem and adopt a systematic method that begins with comprehensive enumeration prior to the decision to exploit any element of that system. I have been taught the importance of maintaining a structured series of documents and detailed notes that describe what steps you have adopted and what you have attempted. The CTF competitions have had an indisputable and profound impact on both my professional field of security and my impact in that field.
Career Advancement and Learning Outcomes
CTF contributed skills that were refined from a professional standpoint; however, it extended my learning and provided me with professional confidence to elaborate and provide insight into my skills that were directly aligned with the security positions that I was applying for, which ultimately set me apart from other candidates.
I interviewed for positions that other people applying to the position had CTF experience, and employers valued this experience most because they appreciated CTF participants as being professionally passionate about their crafts, valued self-education and the ability to solve technically challenging problems in a time constrained competitive environment.
Competitions also provided me with a network of peers that would go on to be very useful to me across the span of my professional life. I was able to participate and engage with a community of security participants that became professional colleagues, mentors, and friends. I had community security friendships that started as a professional part of my life in CTF events that created professional community job opportunities and community learning that I valued most in my life today that started with friendships in challenge forums and competition Discord channels.
Any prospective CTF competitor would benefit from beginning their journey on CTFs that offer graduated levels of difficulty CTFs that offer graduated levels of difficulty. First, use the competitions as a learning tool, rather than focusing on winning. After a competition, it is beneficial to read technique write-ups, as you will better understand the current competition.
Finally, appreciate the uncertainty and frustration of not knowing. These feelings indicate that your brain is expanding your professional capacity. All experienced CTF competitors have gone through the same phases, and those that persevere develop skills others cannot.
