Capture The Flag (CTF) competitions have long been a tradition in the cybersecurity community. I remember all the way back when I was a school kid, my class would go to a soccer field to play the game the old-fashioned way. My teacher would divide the class into two teams, and each team had to hide a little fabric flag and physically defend it from the opposing team. But that exercise involved running around and getting your shoes and jeans all muddy. Yuck.
I far prefer the kind of Capture The Flag games information security professionals play. A flag could be a line of code, or a text file, or something else of a digital nature. And it’s up to the competing hackers to hack their way into finding the flag in an application or otherwise in a network somehow. There’s far less mud involved, but it could involve a lot of mental frustration.
But whether you win or lose, playing the game is well worth it because you get to put useful hacking skills into practice and learn from your mistakes.
Chloé Messdaghi is the VP of Strategy at Point3, and the founder of @WomenHackerz. When she let me know about a CTF competition she was organizing, I was excited. Women Unite Over CTF takes place several times a year, with some competitors in Baltimore, and others logging in over the Internet. Yes, this was an all-woman CTF competition, inclusive to cis women and trans women alike. There are a lot of very talented women in our industry, and I really enjoyed watching them compete at their last event.
After I watched the competition, I scored exclusive interviews with Messdaghi and the winner of the competition, programmer and self-described infosec nerd Jaime Lightfoot. If you’re curious about competing in a CTF event yourself one day, read on. Jump to the end of this blog for information on their next event in February 2020.
First, I spoke with Messdaghi:
KIM CRAWLEY: I watched the CTF a little bit. What was your inspiration behind it?
CHLOÉ MESSDAGHI: I wanted to create something that allowed all levels of webapp hacking in a fun and collaborative environment, to get more women to participate without being intimidated by it. But most importantly, bringing women from around the world together is powerful. More than ever, it is needed so women don’t feel isolated. By knowing there are communities such as WoSEC, WomenHackerz, WSC, and Gatebreachers, it allows them to receive support and empowering resources for them to enter and stay in infosec. Lastly, I was tired of hearing from men that women don’t want to do CTFs and that’s why there aren’t many participating.
KIM: How many women participated? How well did they do and which challenges did they face?
CHLOÉ: We had a thousand women registered as participants from all levels of hacking. They did amazingly well. We even had a six-person tie for third place. There was a good number of first timers on the leaderboard. For many first timers, they never used a VM (virtual machine) before so this was a bit difficult to get them set up and running properly. However, once ready to go, they were able to attend a walkthrough coordinated by my Point3 Security colleague, Nada.
KIM: What challenges did they face? Were there any surprises?
CHLOÉ: The majority of the challenges were around reverse engineering. I think the main surprises were finding out about the prizes since we didn’t advertise it, including a full paid trip to DEFCON 2020, along with a special guest appearance by Lauren Knausenberger, the Chief Transformation Officer for the U.S. Air Force.
KIM: What do you think was the most difficult aspect of the competition?
CHLOÉ: After the event, many first timer participants reached out to me saying the most difficult aspect of the competition was believing in themselves and pushing back on the feeling of being intimidated. But once they got into the groove, they got really engrossed in it and became confident and supported. The encouraging aspect was afterward when they asked me when the next CTF is.
KIM: How were the flags hidden?
CHLOÉ: The flags were hidden within Point3 Security’s ESCALATE, our gamified learning ecosystem. The first place winner, Jaime, has done a fantastic write-up on solving a number of the challenges.
I spoke with Jaime Lightfoot next.
KIM CRAWLEY: How did you first get involved with the CTF event?
JAIME LIGHTFOOT: I learned about the Women Unite Over CTF event through the Women Hackerz Slack group, an online community that Chloé (Messdaghi) started.
KIM: Have you participated in CTF events before?
JAIME: Yes, I played my first CTF last summer at a USCC (U.S. Cyber Challenge) camp and caught the bug there. I kept playing with a group of friends that I met there. I would play several times a month, all online, although that's slowed down a bit recently.
KIM: How did it differ from this weekend's event?
JAIME: That one was more focused on web and networking challenges, and I was new to infosec at the time. The Women Unite CTF was much more focused on reverse engineering.
KIM: Did you have a lot of experience with software reverse engineering?
JAIME: I've done many of the microcorruption levels before (an online embedded CTF), which teaches reverse engineering and a few Pwnables challenges. I recently switched over to working in infosec (a little over a month ago) as an embedded systems security researcher, and just had my first taste of doing reverse engineering professionally.
KIM: What were some of the more difficult aspects of this weekend's competition?
JAIME: There were some technical difficulties from all of the women playing, which was kind of annoying but still a good problem to have (very long load times for all the pages and downloads). Some of the later reverse engineering challenges had cryptographic components to them, which was difficult but fun.
KIM: What advice would you give people if they want to succeed in a CTF competition?
JAIME: Two things. I would tell them to do a CTF with other people (obviously not an option in this CTF, but lots of CTFs allow for teams). The reason why is because it's more fun, you can support each other - although we had lots of support in the CTF slack - and you can help each other get unstuck.
The other thing is to not be discouraged if you can't figure something out or you get stumped. Keep trying and keep participating in CTFs. In my view, CTFs are for learning, so if you come away from a challenge having learned about a new idea, method of attack, a new tool, that's super valuable even if you don't get a flag. And you'll be closer to getting the flag the next time.
KIM: Can CTF help someone pursue a cybersecurity career?
JAIME: I believe so. I don't want to say that that's entirely how I changed industries, but I think that's a big part of it. CTFs are contrived environments meant to teach or demonstrate different things, but while CTF challenges might not represent ‘real world’ scenarios, you can learn a ton and pick up new skills that will fit into a cybersecurity role.
In addition to leveling up your skills, there's also the opportunity to meet new people. And you might be able to bring it up in interviews as a way of demonstrating interest in infosec. I've interviewed at a few places that use CTFs to find applicants, as well.
Well, there you have it! CTF competitions might seem intimidating to newbies. But they’re well worth the challenge. You have nothing to lose by making mistakes until you find what works and having fun while applying your hacking skills in a practical way.
I also really like how there are CTF competitions that are just for women, like Women Unite Over CTF. I would love to see more CTF competitions focused on different underrepresented demographics within cybersecurity. What about an all neurodivergent CTF? Or an all LGBTQ CTF? Maybe if I throw those ideas out there, someone will make it happen.
About Chloé Messdaghi
Chloé Messdaghi (@ChloeMessdaghi) is the VP of Strategy at Point3 Security and a security researcher advocate who supports safe harbor and strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online and offline, she is driven to change the statistics of women in InfoSec. She is the President and co-founder of Women of Security (WoSEC) and heads the SF Bay Area chapter. She also created WomenHackerz, a global online community that provides support and resources for hundreds of women hackers at all levels.
About Jaime Lightfoot
Jaime Lightfoot (@LightfootJaime) is an electrical engineer by degree, and now works as a software developer (web, mobile, and Internet of Things). She is also involved with SoftwareGR, a non-profit that hosts monthly talks, a conference, and learn-to-code camps for kids.
About Women Unite Over CTF
Women Unite Over CTF is a FREE laidback capture the flag competition just for those who identify as women. Never done a capture the flag competition before, or do you know what you’re doing and just want to have some fun for a few hours? This competition is for you! They’ll give you a tutorial on how to solve a challenge through Point3’s CTF ESCALATE and then let you compete at your own pace. Beginners will have the opportunity to practice their skills in our reverse engineering challenge while our advanced crowd will be able to venture through all the challenges our ESCALATE ecosystem has to offer!
The next event takes place on February 25th in San Francisco (also virtual/online), kicking off at 8-12am PST. All participants will need to bring a fully charged laptop to participate.
You can register for this free event here. Slots are limited and by RSVP only.