What is a Cybersecurity Capture the Flag?

Cybersecurity competitions are interesting events that are becoming more popular in the cybersecurity community. One common event type is the “Capture the Flag” (also referred to as CTF) competition, which is available both online and in person in many areas.  In this article, I’ll explain what a capture the flag competition is, and why you need to attend one.

What is a cybersecurity capture the flag? A cybersecurity capture the flag is a team-based competition in which participants use cybersecurity tools and techniques to find hidden clues or “flags”.  The team that locates the most flags during the event wins. These events are often entry-level and open to the public.

By reading this, you may get the impression that an event like this is not for you, especially if you’re just starting on your cybersecurity career journey.  That’s certainly not the case, as events like capture the flags are intended to help teach cybersecurity concepts and help those already in the field to keep their skills sharp.  They’re meant for everyone, including those of us who are just starting. Let’s take a closer look.

Capture the Flag Basics

CTFs are a really unique and interesting part of the cybersecurity community.  I’m not aware of any other career field that does something quite like this (I suppose fields like engineering have competitions, but I would assume they are intended for students only, and engineering professionals themselves don’t get involved.)  With cybersecurity capture the flags, professionals of all levels get involved to learn, keep their skills sharp, and enjoy the camaraderie the field offers.  

Cybersecurity capture the flag competitions are sponsored by cybersecurity companies or organizations.  They are also often held at cybersecurity professional events and conferences. Teams of people or individuals sign up to participate, with sign up usually occurring beforehand.  For competitions that allow for individuals to sign up and not just teams, those individuals are paired with other individuals to form a team. Teams can be as small as three or four individuals, and in some larger competitions teams may be as large as eight players.  Some capture the flag competitions may be intended for schools only, and therefore each team is comprised of students from a particular school.

During the event, teams race to gather as many flags as they can within the competition time limit.  Each flag is assigned a point value based on difficulty, so teams are actually attempting to gather as many points as possible, as that determines the winner (and not necessarily the number of flags captured).  Some competitions allow for each team to find the flag, while others may be set up so that only the first team to find the flag gets the points for that puzzle.

Capture the flag events are sometimes held in a large, single room; however, thanks to cloud technology, it is now common for events to be held at multiple locations simultaneously.  These events are even held internationally between teams in separate countries and multiple time zones.

What is a Capture The Flag Puzzle? 

The term “puzzle” is often used to refer to one challenge within a CTF competition that leads to a single flag.  There are usually three different levels of puzzle difficulty in each competition: easy, medium, and hard. The difference between the lower level puzzles and the higher level ones is usually in the complexity of the techniques required to find and retrieve the flag.

An example would be something easy like converting from binary (which is a basic skill and fairly obvious in a puzzle) compared to something more difficult, like finding a packet stream from a Wireshark packet capture, getting the referenced video file from it, decrypting the video, and then finding the flag in the video. A puzzle like this obviously requires some background knowledge and the ability to combine multiple skills.  More challenging flags are worth more points than lower level flags, naturally.

With all the puzzles, but especially with the more difficult ones, teamwork comes into play as one member of the team doesn’t need to have the expertise to solve each part of the puzzle.  The team works as a team to solve the puzzle together, which makes the puzzles easier overall and introduces opportunities for learning.

The Start of a Capture the Flag Event

In many competitions, when the actual competition starts, you will be given access to different puzzle folders, organized based on difficulty. The folders will be named based on which puzzle’s contents they hold and always contain a readme text file, or some other form of directions. Within the text file, there are instructions and subtle hints about what the puzzle consists of and what might be required to decode it. 

Sometimes the directions are in the form of riddles with subliminal messages and references to different tools that may be needed to solve it, and sometimes it’s just written out in ambiguous plaintext (which can sometimes be a riddle in itself.) The variations in readme contents and syntax are usually based on the puzzle developer’s own preference. After completing the puzzle, you should be able to locate the flag, since the flag is not intended to be hidden once the cybersecurity task is completed successfully.  Flags are usually marked in an obvious way, often in something representing this format: Flag {contents of flag}.

Once a flag is found, the flag is entered into the answer field next to the corresponding puzzle name, and points are then awarded and placed on the leaderboard (if the flag that you entered is correct.) The number of points that the flag is worth is posted next to the flag entry field.

If the flag is incorrectly entered, then the entry is denied and no points are awarded. The flag fields usually allow an unlimited number of entries, which means that you can keep on typing in entries and it won’t lock you out of that field or block you from solving the puzzle later.  This is useful for puzzles where one or two letters or numbers in the flag are uncertain, and you need a few guesses to figure out the correct entry.
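
The scoring rules described in this article (points per flag set by difficulty, credit going to every team or only to the first team, and unlimited wrong entries) can be modeled in a few lines. This is an added example, not code from any real CTF platform; the class name, team names, puzzle names, flags and point values are all constructed for illustration.

```python
import hmac
from collections import defaultdict

class Scoreboard:
    """Toy CTF scoreboard: per-puzzle points, unlimited wrong guesses."""

    def __init__(self, puzzles, first_solver_only=False):
        # puzzles: {name: (flag, points)}; all values are constructed samples
        self.puzzles = puzzles
        self.first_solver_only = first_solver_only
        self.solved_by = defaultdict(list)   # puzzle -> teams in solve order
        self.scores = defaultdict(int)       # team -> total points

    def submit(self, team, puzzle, entry):
        """Return points awarded for this entry (0 if wrong or not eligible)."""
        flag, points = self.puzzles[puzzle]
        # Constant-time compare so response timing does not leak flag contents.
        if not hmac.compare_digest(entry.strip().encode(), flag.encode()):
            return 0                          # wrong entry: no points, no lockout
        if team in self.solved_by[puzzle]:
            return 0                          # already credited for this puzzle
        if self.first_solver_only and self.solved_by[puzzle]:
            return 0                          # another team captured it first
        self.solved_by[puzzle].append(team)
        self.scores[team] += points
        return points

    def leaderboard(self):
        """Teams ranked by total points, not by number of flags."""
        return sorted(self.scores.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample puzzles: harder puzzles carry more points.
SAMPLE_PUZZLES = {
    "easy-binary": ("Flag{b1nary_b4sics}", 100),
    "medium-pcap": ("Flag{f0llow_the_stre4m}", 300),
    "hard-video": ("Flag{decrypt3d_fr4me}", 500),
}

def demo(first_solver_only):
    board = Scoreboard(SAMPLE_PUZZLES, first_solver_only)
    board.submit("red", "easy-binary", "Flag{b1nary_basics}")   # typo: 0 points
    board.submit("red", "easy-binary", "Flag{b1nary_b4sics}")   # retry succeeds
    board.submit("red", "medium-pcap", "Flag{f0llow_the_stre4m}")
    board.submit("blue", "easy-binary", "Flag{b1nary_b4sics}")
    board.submit("blue", "hard-video", "Flag{decrypt3d_fr4me}")
    return board.leaderboard()
```

In first-solver-only mode the blue team is credited with a single flag yet still ranks above the red team's two, which is the points-over-flag-count effect described earlier.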

Who Can Participate in a Capture the Flag?

Capture the flag competitions have different rules and regulations based on the sponsoring organization’s preferences, but many competitions are intended for college students or junior-level professionals (although some will allow or even target high school students as well.)  There are also some competitions that take place online, organized around international locations where the separate teams meet up. There are many different variations of capture the flag formats, but they mostly have similar rules when it comes to who can participate.

College students are the primary attendees at many capture the flag competitions. The reason for this is that these students are the closest to entering the cybersecurity workforce.  This means that employers are willing to sponsor an event in order to find potential employee candidates from this group of college students, and the students are also in a place where they are looking to build their resume and their skills, and meet employers as well.

Why You Should Participate in Capture the Flag Competitions

Capture the flag competitions are also a good way to build up the experience and professional association sections of your resume, which is especially important when you’re just starting out and don’t have experience.  Consider that it is impressive to an employer to see “won first place in regional CTF against 30 other teams from 12 different colleges” or even “participated in online Capture the Flag competition” on a resume, because it shows you’re interested in the field, you’re involved and you’re learning.

Speaking of resumes, participating in CTFs can sometimes be a great way to find a job itself. Taking time before, after, and during the competition to connect with other competitors, coaches and sponsors is an excellent way to learn about cybersecurity opportunities in the surrounding areas and with local companies.  A sponsoring company might even hire you! 

Since many CTFs are hosted by cyber companies, it’s possible that they might take the opportunity to look for suitable talent at events like these. Paying attention and meeting people at capture the flag events like these is a great way to meet new contacts in the cybersecurity industry, find possible employment opportunities, and learn from industry experts about what is up and coming.

What Are the Different Types of Capture The Flags?

There is a large variety of CTF competitions, depending on who is sponsoring the event and who is invited to participate.

Local CTF Events.  Local competitions might have a mix of high schoolers and college students, and will probably be easier than larger competitions that are sponsored by technology or cybersecurity companies looking for new talent.

Local events are usually smaller, sometimes with no more than 12 to 15 teams.  Local CTFs also frequently have technology volunteers (sometimes the event puzzle developers themselves) who observe and help teams that are stuck on a certain problem by giving them preapproved hints about a tool that can be used to solve the problem, or about what the puzzle consists of structurally.  Local CTFs often have much less intricate puzzles. This means there are fewer steps involved and less complicated tools required to capture the flag and solve the puzzle.

Corporate-sponsored CTF Events.  Larger corporate sponsored events will often have thirty or more teams participating (or fewer teams that are each larger in size.) Larger CTFs often do not have coaches that help you with puzzles, which means that you and your team are pretty much on your own when it comes to solving them.  This is often because of higher expectations that corporate sponsors have of the attendees as far as knowledge and ability. The larger competition puzzles are almost always multi-step or require more complicated cyber tools or utilities to solve. 

Online CTF Events.  There are some capture the flag events that are hosted online.  These require an online registration and a computer and an internet connection from your home.  These competitions can vary in the number of competitors. Both local and corporate-sponsored events can include an online component to attract more competitors.

What Strategy Should I Use During a Capture the Flag?

There are different strategies that winning teams have utilized in order to successfully gather the most points and beat other teams during CTF events.  Let’s take a look at a few strategies you can use during your next CTF event.

High or Low First? That is the question, isn’t it? Many teams are often stuck between whether it’s worth the risk to go for the higher level puzzles first where there are the most points to be won or rake in a bunch of lower level flags to accumulate a lot of points in smaller chunks. 

What I recommend is to take a look at each puzzle’s readme file first, and pull out the ones that you have a good idea how to solve, regardless of whether they are higher level or lower level. Getting a good bearing on the required skills for the majority of the puzzles at a competition is a great way to determine how your team should approach the overall puzzle board.  You may be surprised how easy (or hard) the overall group of puzzles is compared to your expectations. If the high-point puzzles seem to be far beyond your team’s abilities, it would be wise to start with all the smaller ones to rake in the points you can definitely get, rather than go for the larger flags that would take your whole team and way too much time to solve.  Remember, during a CTF, time is precious, especially if a puzzle requires the time of more than one of your team members.

Divide and Conquer.  Another strategy to use before the day of the event is to determine everyone’s specialties. If your team is already set, then it is wise to determine everyone’s specific skills and backgrounds. It is helpful when the skills that team members have balance each other and complement each other.  With this approach, once competition day comes around, if you come across a puzzle you don’t know how to solve, you’ll know which one of your teammates has the required knowledge to cover for your team and find the flag.

Summary

There are many different variations of capture the flag competitions based on location, sponsoring entity, format and so forth, but they usually have all the same components, mainly consisting of teams that are solving puzzles to find flags and earn points. These events are excellent for learning about new technologies, gauging your practical skill level, and making connections with other cyber professionals.  Many cybersecurity organizations sponsor capture the flag competitions, and winners often earn money, gift cards, swag, or all of the above. Many college and sometimes high school students participate in these competitions to test their developing hacking skills and to know where they stand in comparison to other cyber professionals.

Evan Barnes

Evan Barnes is a computer technician who holds a Cisco CCNA Routing and Switching certification. His primary focus areas in cyber security are computer networking and digital forensics. Evan contributes articles on network security and certifications, as well as operating systems. Evan enjoys rock climbing, playing the bass guitar, and brainstorming app ideas.