Let the Cyber Games Begin
Cyber competition student teams prep with Capture-the-Flag contests
The teams training for this year's Raytheon-sponsored National Collegiate Cyber Defense Competition have no pre-season, no exhibition games and no adversaries in a scrimmage, other than themselves. And as the regional qualifiers for the NCCDC championship kick off, each team knows that if they lose in any of the run-up events, it’s one and done.
So you can bet teams want to find ways to sharpen their cyber skills before they compete. Many take part in Capture the Flag contests; each team is assigned to a virtual server on an isolated network, which they must defend. Teams are scored on both their successful defense and their ability to attack, or capture, machines defended by other teams.
The “flag” that must be captured is often a hash value: a string of letters and numbers that is used to validate and compare data. As the contest progresses, the challenges and flags get more and more difficult.
“For example, a flag challenge might be that computer user John Smith has stored a photo of a restaurant somewhere in the cloud, and the location of that restaurant is the flag,” said Paul Krier, a Raytheon cybersecurity assessment services analyst in Richardson, Texas, and a mentor for the Southern Methodist University team. “The rest of the challenge is how to get that location—the flag.”
First, the team needs to figure out the systems, devices and accounts John Smith is using, Krier explained. Next, they have to figure out how to get in and access his user data.
"He could have multiple devices and multiple accounts, and the team needs to either crack his password or find a hole," Krier said. "And once they do get in, they’ve got to find out where he stores his photos, and this guy could have thousands of images out there without any naming convention. When they do find the right photo, they need to have the right tool to extract the latitude and longitude of the restaurant location, and then represent that as a hash value to submit as answer."
In some competitions, teams must uncover which computer system contains the game board, which is typically a server with all the challenge questions on it, and, furthermore, find out where it’s hidden on that particular system.
“For some teams in a contest that I participated in, it was game over before they even got started, because they couldn’t find the game board,” said Mark Hoffman, a Raytheon cyber intelligence specialist and coach of the Southern Methodist University team.
Hoffman compared Capture the Flag to the game Clue, because one bit of information leads to finding the next bit, building upon itself and scoring points along the way. Plus, “the best CTFs usually have a good story line,” he said.
The competition can be tricky. During one early challenge in a CTF that required teams to gain access to a mail server and retrieve an encryption key that served as the flag, a team deleted the key so their competition couldn't advance to the next challenge.
“That team, for obvious reasons, went on to win,” Hoffman said. “The game writers weren’t expecting that, and from then on, changed the rules.”
In many Capture the Flag competitions, event organizers reset the system every time a team captures a flag.
“If you compare it to the traditional outdoor game, where you have real, physical flags, they want to prevent players from burning the flag or burying it 10 feet underground so there’s no way for opponents to retrieve it,” said Tim Bryant, a Raytheon cybersecurity engineer.
Bryant is a member of Raytheon's Deep Red team, one of seven elite groups competing in the U.S. Department of Defense's DARPA Cyber Grand Challenge in August. The challenge will be the world’s first all-machine, Capture the Flag competition, with a goal of developing a fully autonomous, self-healing, computer-driven system that would seek out exploits and vulnerabilities and then patch them on its own.
“We’re going to basically press ‘Play,’ step away and then stand there and watch for 24 hours,” said Mike Stevenson, Raytheon Deep Red team mission manager. “It's the closest simulation of what live-fire cyber warfare would be like, and if this is what a cyber conflict is going to look like, then we better automate as many attack/defend activities as possible.”
Capture the Flag competitions help NCCDC student teams to hone a wide variety of cyber skills, according to Mirek Bartik, a Raytheon cybersecurity engineer and coach of the University of Texas at San Antonio NCCDC team, which won its regional finals last year.
"They need to understand how stuff works under the hood and how exploits work before they can mitigate them and prevent the 'red team' from getting into their systems," Bartik said.
Capture the Flag competitions teach students to think on their feet and adapt to unknowns, Bartik added. While the students are familiar with today's most prevalent operating systems like Windows and Linux, they aren't up to speed on every OS out there.
"We know the judges are going to throw a monkey wrench into the mix," he said, "to get the students out of their comfort zone."