Chris EagleCode Blue

18 February 2014

!  Everything I say today is my own opinion and not necessarily the opinion of the US Naval Postgraduate School (NPS), US Department of Defense (DoD) or the United States Government

!  Senior Lecturer ◦  Naval Postgraduate School, Monterey CA (1997-

present) !  Leader ◦  Sk3wl0fRoot Capture the Flag team, winners of

Defcon CTF (2004, 2008) !  Co-founder ◦  DDTEK, Organizers of Defcon CTF (2009-2012)

!  First and foremost a game !  A chance to excel! !  Meet new people !  Lose some sleep

!  Opportunity to (legally!) apply skills associated with all aspects of computer security ◦  System administration ◦  Network traffic analysis ◦  Digital forensics ◦  Vulnerability analysis and exploitation ◦  Cryptography ◦  Web and database security

Courtesy of Kenshoto

!  Organizer's develop challenges to be solved by participants

!  Two main formats ◦  Jeopardy style game board ◦  Full spectrum team vs. team in head to head

competition

!  Typified by Defcon qualification round

!  No head to head interaction between teams !  Solve puzzles to earn points !  Solution to puzzle usually reveals a secret

value known as a key or flag ◦  Hence “capture the flag”

!  Wider variety of puzzles because each one does not need to be “live”

!  Teams directly attack each other while organizers act as judges to award points

!  Defcon CTF is longest running !  Others ◦  UC Santa Barbara iCTF ◦  Positive Hack Days CTF ◦  Codegate CTF

!  Apply skills in hostile environment !  Exploit development !  Vulnerability mitigation !  All challenges are live “services” ◦  Must be kept running and defended while

simultaneously attacking other team’s services ◦  Successful exploitation results in access to a flag

!  Generate interest in computer security ◦  Attract new people to the field

!  Fresh challenges test anddevelop skills ◦  Interesting challenges motivate

tools development !  Builds a community of talent

and shared knowledge aboutsolutions

!  Desire to learn ◦  Creative challenges spark interest

!  Legal, low risk way toexercise offensive skills

!  Bragging rights ◦  Winning Defcon carries some

prestige !  Prizes ☺ ◦  Codegate – 4.3M ¥ ◦  PHDays – 900K ¥ ◦  Defcon – Black badge

!  Defcon ◦  Defcon 10, 2002 8 American teams ◦  Defcon 21, 2013 20 teams, ~66% international !  Hundreds of teams attempted to qualify

!  UCSB iCTF ◦  2003 – 14 teams ◦  2012 – 90 teams

!  Almost weeklyevents today

!  Large body of past challenges !  Large body of publicly available solutions ◦  Generally self-study

!  Each new CTF provides an assessment opportunity ◦  Only metric is final score ◦  No feedback to assist with improvement

!  DON’T DO IT!! ◦  Trust me on this one

!  If you must, then consider why ◦  It is totally thankless ◦  Give back to the community ◦  Talent identification ◦  Educational opportunity !  Coach people/teams up prior to event !  Provide feedback after event !  Teach people about challenges after CTF ends

!  Japan, like many other countries, faces a shortage of skilled cyber professionals ◦  By one study as many as 80,000 people needed

!  Identifying and attracting new talent as well as retaining existing talent is essential

!  Competitions such as CTF both spark interest and offer an opportunity to evaluate ◦  Huge growth in participation in past 10 years

!  Just get out and play!