keynote:ctf: all the cool kids are doing it by chris eagle
DESCRIPTION
The past decade has seen a proliferation of network security games euphemistically known as "Capture the Flag" exercises. The fun of participating in these exercises is well known to those who choose to play. These exercises expose participants to new challenges, offer them the chance to meet new people with similar interests, build "street cred" and increasingly, offer significant prizes. Perhaps most significantly, when done properly, these exercises offer a considerable opportunity to spark interest in the computer security field in the next generation of computing professionals. This talk will take a look at the challenges of using such exercises as training or evaluation opportunities and will consider how to improve our ability to do so. Chris Eagle Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 28+ years, his research interests include computer network operations, forensics and reverse engineering. He has been a speaker at conferences such as Black Hat, Defcon, Infiltrate, and Shmoocon and is the author of "The IDA Pro Book", the definitive guide to IDA Pro. He is a multiple winner of the Defcon Capture the Flag Competition and was the organizer of that competition from 2009-2012. He is currently working with DARPA to build their Cyber Grand Challenge competition.TRANSCRIPT
Chris EagleCode Blue
18 February 2014
! Everything I say today is my own opinion and not necessarily the opinion of the US Naval Postgraduate School (NPS), US Department of Defense (DoD) or the United States Government
! Senior Lecturer ◦ Naval Postgraduate School, Monterey CA (1997-
present) ! Leader ◦ Sk3wl0fRoot Capture the Flag team, winners of
Defcon CTF (2004, 2008) ! Co-founder ◦ DDTEK, Organizers of Defcon CTF (2009-2012)
! First and foremost a game ! A chance to excel! ! Meet new people ! Lose some sleep
! Opportunity to (legally!) apply skills associated with all aspects of computer security ◦ System administration ◦ Network traffic analysis ◦ Digital forensics ◦ Vulnerability analysis and exploitation ◦ Cryptography ◦ Web and database security
Courtesy of Kenshoto
! Organizer's develop challenges to be solved by participants
! Two main formats ◦ Jeopardy style game board ◦ Full spectrum team vs. team in head to head
competition
! Typified by Defcon qualification round
! No head to head interaction between teams ! Solve puzzles to earn points ! Solution to puzzle usually reveals a secret
value known as a key or flag ◦ Hence “capture the flag”
! Wider variety of puzzles because each one does not need to be “live”
! Teams directly attack each other while organizers act as judges to award points
! Defcon CTF is longest running ! Others ◦ UC Santa Barbara iCTF ◦ Positive Hack Days CTF ◦ Codegate CTF
! Apply skills in hostile environment ! Exploit development ! Vulnerability mitigation ! All challenges are live “services” ◦ Must be kept running and defended while
simultaneously attacking other team’s services ◦ Successful exploitation results in access to a flag
! Generate interest in computer security ◦ Attract new people to the field
! Fresh challenges test anddevelop skills ◦ Interesting challenges motivate
tools development ! Builds a community of talent
and shared knowledge aboutsolutions
! Desire to learn ◦ Creative challenges spark interest
! Legal, low risk way toexercise offensive skills
! Bragging rights ◦ Winning Defcon carries some
prestige ! Prizes ☺ ◦ Codegate – 4.3M ¥ ◦ PHDays – 900K ¥ ◦ Defcon – Black badge
! Defcon ◦ Defcon 10, 2002 8 American teams ◦ Defcon 21, 2013 20 teams, ~66% international ! Hundreds of teams attempted to qualify
! UCSB iCTF ◦ 2003 – 14 teams ◦ 2012 – 90 teams
! Almost weeklyevents today
! Large body of past challenges ! Large body of publicly available solutions ◦ Generally self-study
! Each new CTF provides an assessment opportunity ◦ Only metric is final score ◦ No feedback to assist with improvement
! DON’T DO IT!! ◦ Trust me on this one
! If you must, then consider why ◦ It is totally thankless ◦ Give back to the community ◦ Talent identification ◦ Educational opportunity ! Coach people/teams up prior to event ! Provide feedback after event ! Teach people about challenges after CTF ends
! Japan, like many other countries, faces a shortage of skilled cyber professionals ◦ By one study as many as 80,000 people needed
! Identifying and attracting new talent as well as retaining existing talent is essential
! Competitions such as CTF both spark interest and offer an opportunity to evaluate ◦ Huge growth in participation in past 10 years
! Just get out and play!
