Among computer security professionals, there’s a popular competition known as Capture the Flag (CTF). You’ll often find them held at less conventional conferences such as Defcon, and at universities and infosec gatherings. Played in darkened rooms and stocked with enough hardware to put the Batcave to shame, these contests are teeming with elite practitioners seeking to dominate each other on a virtual playing field.
To an outsider, they might appear to be a primitive battle of egos, uber-nerds parading their specialized talents in a highly exclusive forum. However, these events are actually a critical element of the security professional’s development, helping to build and maintain skills essential to the protection of our institutions. In fact, CTFs are increasingly seen as a mainstream professional endeavor.
In most forms, CTF is based on the traditional physical competition, which has two territories with opposing teams, each seeking to “capture” the other team’s flag and return with it to their own territory. The cyber version becomes an exercise in protecting and attacking computer systems and networks, with participants divided into attackers (red) and defenders (blue).
Ultimately, it’s a simulation of real-world security operations, with the blue team defending a resource, which the red team attempts to compromise using the nefarious methods of a black-hat hacker. Similar to military drills, it allows practitioners to hone their skills in a sandbox, safe from causing damage to production environments.
In addition to instilling teamwork -- a requirement for incident response teams -- this type of competitive play provides an environment for curious minds. According to play research pioneer Stuart Brown, social, competitive play is essential for building confidence in humans by providing a setting for safe exploration, making it as important as sleeping and dreaming.
Besides learning to work under time constraints, CTF participants can also increase their tolerance for working under stressful conditions in a practice environment. There’s no question that incident response can be a tense experience, but there’s a place of heightened awareness that arises with the stress response that can actually improve functioning.
Operating under difficult or threatening situations can benefit from eustress, a form of psychological stress considered useful for high performance. Simulating attacks in a controlled environment can help an individual view such an event as a challenge, similar to an athletic competition, and not a threat.
While the number of certifications and academic programs in information security has exploded over the last decade, the industry still complains about the shortage of qualified professionals. Experts say organizations struggle to fill positions. This leads to fears that paper-only professionals, those with credentials but no practical knowledge, will flood the market. Maybe instead of focusing on traditional academic study, we should emulate law enforcement, with academies equally focused on practicing techniques used in the field, as well as learning theory.
Additionally, new threats are constantly emerging and working professionals must keep their skills current. Even after graduation, law enforcement officers are required to spend a minimum number of hours on a shooting range to maintain their ability to carry a gun.
While many certifications have Continuing Professional Education (CPE) credit requirements, there’s no focus on continuous practical training. What if we stipulated the same type of ongoing technical practice from security professionals by using CTF-like environments? Some universities already sponsor collegiate cyber defense competitions (CCDC) in an effort to facilitate the development of operational experience in students. Why couldn’t we expand these programs for working professionals?
Recently, there have been efforts to expand the availability of CTFs to users outside of information security teams. As a method of gamification, it’s being used to give end users a way to walk around in a practitioner’s shoes by experiencing actual attacks. Too often, vulnerabilities and threats seem like theoretical, unreal dark unknowns, which makes it hard for users to take our warnings seriously.
By participating in CTF, they could watch a compromise in action, understanding the risks at a more cellular level. This could facilitate better communication, further solidifying a partnership with our users, leading to more successful operations.
In other educational settings, interactive, engaged learning methods have been demonstrated as superior to lecture and rote memorization. Maybe the type of play and dynamic exploration utilized in CTF could prove just as valuable for security training.
[Get tips for managing IT teams in Michele Chubirka's workshop "Humans Aren't Computers: Effective Management Strategies For IT Leaders" at Interop Las Vegas, March 31-April 4. Register today!]