In an increasingly digitalised world, cybersecurity has become a priority for companies of all sizes to defend themselves against malicious attacks. The attackers come in all shapes and sizes, and as they become more sophisticated, the security experts who have to battle them need to up their game as well.
Enter Capture the Flag (CTF), the premier competition that pits these cybersecurity teams against each other. CTF is an information security competition that challenges contestants to solve tasks of varying difficulties, requiring them to exercise different skill sets. In these challenges, contestants are usually asked to find hidden “flags”, which may be in the form of a specific piece of text, image or folder, while solving the tasks.
The competitions, which can get as intense as e-sports games, are used as a tool to help the contestants (who are studying cybersecurity) to apply what they have learnt while sharpening their existing capabilities, among other objectives.
In Malaysia, competitions are held internally within organisations or independently. CyberSecurity Malaysia (CSM), the country’s national cybersecurity specialist and technical agency, for instance, uses CTF and other platforms to enhance partnerships as well as establish technical skills with industry players and public sector agencies. CSM is an agency under the Ministry of Communications and Multimedia.
CTF originated as a form of cybersecurity training in 1993 at DEFCON, the largest cybersecurity conference in the US. CSM CEO Datuk Dr Amirudin Abdul Wahab says the first CTF competition held in Malaysia was Hack in The Box (HiTB) in 2003. Aside from organising an annual security conference in the Netherlands and Malaysia, HiTB also provides users with free knowledge related to hacking and internet security.
“This was later adapted by local universities such as Universiti Teknologi MARA (UiTM), Universiti Tenaga Nasional and Universiti Kuala Lumpur. Schools, universities and industry professionals participated,” he adds.
Last year, three representatives from CSM’s Malaysian Computer Emergency Response Team (MyCERT) emerged as champions at the Asean CTF competition in Perth, Australia. Specialist Mohd Hafiz Mat Tabrani, senior analyst Fathi Kamil Mohad Zainuddin and analyst Muhammad Hafizuddin Sharul Lazi defeated 10 other teams of cybersecurity professionals in the region.
“As Malaysian cybersecurity expert representatives, we need to ensure our team is ahead of other Asean countries’ teams. We did our best studying overnight about the challenges to answer all questions given. It tested our cybersecurity skills such as incident response, Windows forensics, reverse engineering, cryptography and networking,” says Fathi Kamil.
The team’s past participation in the Cyber Drill and CTF exercises organised by local and international organisations such as Asia Pacific Computer Emergency Response Team, Organisation of the Islamic Cooperation Computer Emergency Response Team and Asean Computer Emergency Response Team helped train them to ace the competition, he adds.
MyCERT operates the Cyber999 Help Centre, a public service that provides emergency response to computer security-related emergencies as well as assistance in handling incidents such as computer abuses, hack attempts and other information security breaches.
Meanwhile, independent organiser Wargames.my (WGMY) holds CTF competitions almost annually. The organising committee, consisting of cybersecurity experts and enthusiasts, opens the competitions to all Malaysians, be it their peers, students, academics or hobbyists seeking challenges. Unlike regular CTF competitions, which may go on for a few hours, WGMY organises wargames-style, 24-hour competitions, with levels that get progressively harder as more challenges are solved.
WGMY started organising the CTF competitions in 2011. Team member Muhammad Abdul Aalim Ahmad Rozli says the first generation of the organising committee are the same group of people who helped organise the HiTB conferences.
“They ran the wargames for a few years. But because this is done only as a side project, the competitions were paused until we revived it in 2015. This year will be our fifth year organising the independent CTF competition,” says Aalim.
He says CTF comes in a few formats, most commonly Jeopardy and attack-defence. WGMY organises its competitions in the Jeopardy format. Competitors are presented with categories such as forensics, cryptography and reverse engineering. Contestants can score higher by solving more difficult challenges.
In the attack-defence format, each team attacks the other team’s system while defending their own. Typically, teams must keep their services up and running while solving additional tasks and achievements. Aalim says the team plans to use this format, but there are several barriers to introducing it, such as not having the right infrastructure.
The wargames have seen increased participation in the past few years, as the team has started to promote them to university students. WGMY’s Ahmad Haziq Ashrofie Hanafi says the country has seen increasing demand for more cybersecurity professionals, owing especially to the rise of the fourth industrial revolution and the use of cloud computing as well as the Internet of Things. As such, there are more students doing courses in cybersecurity.
He notes that playing CTF also provides an edge for students who want to land a job in the field. Based on his own experience, Haziq says putting CTF on his résumé helped his employer determine whether he could demonstrate his capabilities. “Of course, participating in CTF does not mean I am a good hacker, but it shows them that I may have a good level of critical thinking, which separates me from the other applicants who have never participated in such competitions.
“The thing about CTF is that the tools we use for the challenges are the actual tools used by industry experts in the cybersecurity field. Knowing how to use these tools provides us with leverage,” says Haziq.
Another representative from Wargames, Ahmad Ramadhan Amizudin — who is involved in hiring for his company — prioritises candidates with experience competing in CTF events. “It doesn’t matter whether they won or lost — participating alone gives me an idea of the candidates’ level of competency,” he says.
Aalim concurs. “Let’s say the candidate has a background in chemical engineering but wishes to jump into IT, specifically into cybersecurity. Normally, we would not consider such a candidate, but if we see that the candidate has participated in CTF competitions before, we will give him a chance. It is definitely a game-changer.”
To get more university students interested in the competitions, Wargames.my has worked with universities such as Universiti Teknologi Malaysia, UiTM and Universiti Malaya. The team would go to the universities and explain to students the essence of the games and how they would help them with their future careers.
“For the record, many tertiary institutions in Malaysia are organising their own CTF competitions, which may be open to professionals as well. UiTM’s iHack, for example, is the most seasoned CTF game in Malaysia and has created quite a number of security professionals,” says Aalim.