
Tech Insight: Playing 'Capture The Flag' To Hone Your IT, Security Teams' Skills

Alternative security training exercises are cheaper and help foster team-building

Jun 03, 2011 | 03:30 PM

By John Sawyer, Contributing Editor

Quality security training isn't cheap and often requires trainees to be out of the office for a week at a time. Even with the economic recovery, many organizations' training needs continue to go unfunded. But one training method that started as a recreational competition at conferences has been gaining ground as an internal training exercise in enterprises, and is helping in the recruitment of new talent: capture the flag (CTF).

CTF is an alternative training platform that breaks the traditional training model and carries a number of benefits to the employees and enterprise. These exercises come in a variety of different formats, but the simple goal is to get participants applying newly learned skills, dusting off old ones, and thinking critically. By forgoing the mind-numbing, death-by-PowerPoint traditional training, participants get the chance to learn by doing instead of sitting, listening, and hoping they remember when they get back to work. And team-based exercises promote team-building, boost morale, and strengthen communication skills as teams are forced to work together under pressure -- developing critical attributes of any enterprise security team.

Another plus: CTF is conducted in-house, so it's cheaper than sending your security team to classes for a week or so.

The flexibility of the different CTF formats also makes them an attractive training opportunity because they can be extremely simple or very complex. The simplest form is a series of challenges that get progressively more difficult. The Ghost in the Shellcode CTF that takes place at the annual ShmooCon conference is a good example of a progressive format. It has a series of challenges requiring participants to perform reverse engineering, exploit development, forensic analysis, and packet analysis. Each challenge is more difficult than the previous one, requiring teams to work together toward a solution.

The less complex CTF formats are definitely easier to implement in an enterprise environment, but there's a lot to be gained from more advanced exercises, too. The annual Defcon CTF event falls into the advanced CTF format category. It is a weekend-long, team-based competition that takes place during the Defcon security conference in Las Vegas. Eight to 12 teams are each provided a server running a variety of unknown services. Teams must analyze the services for vulnerabilities, develop weaponized exploits that can be used to attack other teams, and protect against attacks on the same vulnerable services on their own servers. Besides being extremely difficult, it ties together elements of both attack and defense in one event.

One of the best CTF events that gives participants a real-world-type experience is the Collegiate Cyber Defense Competition (CCDC). Although designed for college students, it serves as a good model on which enterprises can base CTF-style training exercises. The CCDC students are tasked with securing and defending a real-world IT environment that includes managing mail, Web, and file servers -- all while handling service requests from fictitious users and corporate executives.

During the daily management duties, they must also defend against a "red team" whose purpose is to attack the collegiate teams in every way possible. CCDC brings in CTF elements with a realistic environment, making it one of the best CTF examples.

Deciding which model works best for your environment and your security team's learning style might take some experimentation with the different formats, but the team-building and hands-on experience will be invaluable. Start with some basic challenges and build up to one- or two-day-long events with sysadmins defending as the security team attacks -- and vice versa to mix things up a bit and keep everyone learning.
