CT-what? CTF! Capture the Flag events have long since become established at many universities. Students compete playfully in attack scenarios in areas such as cryptography, web exploitation, forensics, or OSINT (Open Source Intelligence). The individual challenges depict realistic vulnerabilities or issues in IT security and thus provide training. Whoever collects the most “flags” in the end wins.

When I joined CarByte and heard that we also offer CTF events, I was thrilled, but I could not imagine what potential this would have for companies: I thought we only offered this for students, to scout talent and convince them how cool CarByte is. In fact, that was also the origin of our CTF activities, but we quickly realized that we could achieve much more with them.

CTF – Practical training with a playful learning approach

In contrast to other training formats, CTFs offer an active, realistic use case in which current attacks can be simulated and thus trained sustainably. Competing against each other in teams simultaneously boosts team spirit and motivates everyone involved — another essential difference from conventional training. Anyone who regularly takes part in CTFs develops a deep understanding of attack vectors and security vulnerabilities while also learning to deal with IT vulnerabilities in a structured and reproducible way. This is a major advantage, especially in sensitive industries such as the automotive sector. CTFs can be put together individually and can therefore actually be tailored to the needs and difficulty level of the participants.

CTF challenges for all levels

We started with expert challenges. That is our “home turf” and therefore the most obvious choice. But over time, we actually discovered that this only covers a small part of the training companies need. So we began developing beginner and medium challenges as well.

Beginner

No prior knowledge is required for the beginner challenges. They are aimed at all employees whose day-to-day work has nothing to do with the topic and who bring no technical background knowledge — in other words, the majority of employees. Not only are topics such as password security and handling phishing emails trained, but participants also adopt the attacker’s perspective. A tremendous sense of accomplishment for everyone who does not deal with IT security on a daily basis.

Advanced

The medium challenges, by contrast, are traditionally aimed at IT professionals such as IT administrators. They have technical understanding without being specialized in IT security. Engaging with the topic is enormously important for their day-to-day work (and I would even go further and say: for corporate security). However, few training formats are currently aimed at exactly this target group.

Experts

Expert challenges are aimed at IT security experts with extensive prior knowledge. Attack and defense techniques are constantly evolving; therefore, these challenges are particularly well suited to training participants.  

How does a CTF event work?

What does a typical CTF event with us look like? We prefer to travel to our customer with 2–4 colleagues. From our perspective, it works best on site in groups of 10–40 people, undisturbed by the normal workday and stress. After a short introduction to the platform, things can get started right away. Teams form themselves or you compete alone — of course 100% compliant. We set up the players on the platform so that no personal data such as email addresses has to be collected. We are also happy to embed the setting in an overall story: from the Middle Ages to a spy in your own company, the challenges can be used in any context, which increases the fun of playing. And then it begins: 3–X hours of gameplay with our experts at your side, who can support and explain. Especially for beginners, it makes sense to accompany the CTF challenges with an awareness training session. If you still have not had enough afterward, you can keep playing once the event is over. Caution: this decision can, however, spark ambition and lead to significant sleep deprivation.

Finally, there is a small awards ceremony with the naming of the winners, who receive certificates from us. We also offer a walkthrough of a selection of challenges to clarify questions or show and discuss solution approaches.

For everyone who wants to enter the world of CTFs, the rule is: getting started is easier than you think, even if your university days are long behind you. In addition to the sustainable training of employees and active team building, you may also discover untapped talent within your own ranks.