The past decade has seen a proliferation of network security games euphemistically known as "Capture the Flag" exercises. The fun of participating in these exercises is well known to those who choose to play. These exercises expose participants to new challenges, offer them the chance to meet new people with similar interests, build "street cred" and increasingly, offer significant prizes. Perhaps most significantly, when done properly, these exercises offer a considerable opportunity to spark interest in the computer security field in the next generation of computing professionals. This talk will take a look at the challenges of using such exercises as training or evaluation opportunities and will consider how to improve our ability to do so. Chris Eagle Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 28+ years, his research interests include computer network operations, forensics and reverse engineering. He has been a speaker at conferences such as Black Hat, Defcon, Infiltrate, and Shmoocon and is the author of "The IDA Pro Book", the definitive guide to IDA Pro. He is a multiple winner of the Defcon Capture the Flag Competition and was the organizer of that competition from 2009-2012. He is currently working with DARPA to build their Cyber Grand Challenge competition.

1. Chris Eagle
Code Blue
18 February 2014

2. ! Everything I say today is my own opinion and
not necessarily the opinion of the US Naval
Postgraduate School (NPS), US Department of
Defense (DoD) or the United States
Government

3. ! Senior Lecturer
◦ Naval Postgraduate School, Monterey CA (1997-
present)
! Leader
◦ Sk3wl0fRoot Capture the Flag team, winners of
Defcon CTF (2004, 2008)
! Co-founder
◦ DDTEK, Organizers of Defcon CTF (2009-2012)

4. ! First and foremost a game
! A chance to excel!
! Meet new people
! Lose some sleep

5. ! Opportunity to (legally!) apply skills
associated with all aspects of computer
security
◦ System administration
◦ Network traffic analysis
◦ Digital forensics
◦ Vulnerability analysis and exploitation
◦ Cryptography
◦ Web and database security
Courtesy of Kenshoto

6. ! Organizer's develop challenges to be solved
by participants
! Two main formats
◦ Jeopardy style game board
◦ Full spectrum team vs. team in head to head
competition

7. ! Typified by Defcon qualification round

8. ! No head to head interaction between teams
! Solve puzzles to earn points
! Solution to puzzle usually reveals a secret
value known as a key or flag
◦ Hence “capture the flag”
! Wider variety of puzzles because each one
does not need to be “live”

9. ! Teams directly attack each other while
organizers act as judges to award points
! Defcon CTF is longest running
! Others
◦ UC Santa Barbara iCTF
◦ Positive Hack Days CTF
◦ Codegate CTF

10. ! Apply skills in hostile environment
! Exploit development
! Vulnerability mitigation
! All challenges are live “services”
◦ Must be kept running and defended while
simultaneously attacking other team’s services
◦ Successful exploitation results in access to a flag

11. ! Generate interest in computer security
◦ Attract new people to the field
! Fresh challenges test and
develop skills
◦ Interesting challenges motivate
tools development
! Builds a community of talent
and shared knowledge about
solutions

12. ! Desire to learn
◦ Creative challenges spark interest
! Legal, low risk way to
exercise offensive skills
! Bragging rights
◦ Winning Defcon carries some
prestige
! Prizes ☺
◦ Codegate – 4.3M ¥
◦ PHDays – 900K ¥
◦ Defcon – Black badge

13. ! Defcon
◦ Defcon 10, 2002 8 American teams
◦ Defcon 21, 2013 20 teams, ~66% international
! Hundreds of teams attempted to qualify
! UCSB iCTF
◦ 2003 – 14 teams
◦ 2012 – 90 teams
! Almost weekly
events today

14. ! Large body of past challenges
! Large body of publicly available solutions
◦ Generally self-study
! Each new CTF provides an assessment
opportunity
◦ Only metric is final score
◦ No feedback to assist with improvement

15. ! DON’T DO IT!!
◦ Trust me on this one
! If you must, then
consider why
◦ It is totally thankless
◦ Give back to the community
◦ Talent identification
◦ Educational opportunity
! Coach people/teams up prior to event
! Provide feedback after event
! Teach people about challenges after CTF ends

16. ! Japan, like many other countries, faces a
shortage of skilled cyber professionals
◦ By one study as many as 80,000 people needed
! Identifying and attracting new talent as well
as retaining existing talent is essential
! Competitions such as CTF both spark interest
and offer an opportunity to evaluate
◦ Huge growth in participation in past 10 years
! Just get out and play!