Where cyber champs test their mettle
Raytheon researchers sharpen their skills at cybersecurity contests
To catch a hacker, you've got to think like a hacker.
Many cyber professionals compete in Capture the Flag, or CTF, events, to get in the mindset, sharpen their skills and gain a little street cred inside the profession. One CTF team, founded by current and former Raytheon employees, is among the top competitors in the nation. Dubbed the "NASA Rejects," it's ranked fourth in the U.S. out of more than 2,000 teams, and 24th worldwide among more than 13,400 teams, according to CTFTime, a website that tracks and ranks CTF competitions.
A CTF competition is typically a gamified set of challenges designed to hone cybersecurity skills in a variety of categories. There are three main types of CTF: Jeopardy-style, attack-defense and mixed.
“We mainly focus on the Jeopardy-style CTFs,” said Justin Wright, a Raytheon security researcher and member of the NASA Rejects, which are styled after the well-known game show. Divided into different categories, such as cryptography, steganography (hiding a file inside another file), web exploitation and reverse engineering, the contest requires teams to perform certain tasks or answer questions. The team with the most points at the end of the allotted time wins.
The Jeopardy-style CTFs are the most common and better suited for teams with a wide range of expertise, Wright said.
“Typically, six to seven of us participate in the CTF,” said NASA Rejects member DeMarcus Williams, a Raytheon security researcher.
For the larger competitions, like DEF CON, 0CTF, Google CTF, Plaid CTF, and SECCON, among others, the team rents a house to use as a home base.
“It gives us a spot where we can all meet up and work together,” said Cyrus Malekpour, a NASA Rejects member. “It is more motivating to wake up and see people working on a challenge. It gets you in the mood to start working.”
The team members perform in the competitions on their own time.
“It’s a way to keep my skills sharp,” said Williams. “The skills you use are real-world. They are the skills you need to reverse-engineer a program or take advantage of a vulnerability or break into a website.”
The value of CTFs is reflected in the large number of associated events, the prominence of the organizations that host them and the caliber of participants.
“It’s good practice,” said Wright. “A lot of the CTFs will take things that are just coming out and they will make (them into) a challenge. This helps us stay on top of the latest research and techniques.”
So with all of that said, why the name NASA Rejects?
“It’s supposed to be a joke about how cybersecurity isn’t rocket science, and we’re not rocket scientists, but we do something that people think is (just as hard),” Malekpour said.
To learn more about how to how to play a CTF or how to host a CTF click this link.