Defenders get their first CTF Experience!

Editor’s Note: Thank you Gregory Moore for putting this summary together, and helping organize the event along with other institutions.

This past week, the San Jose City College (SJCC) Cyber Defenders participated in their first Capture The Flag (CTF) event. Competing against teams of Cyber Defenders from various national laboratories, two teams from SJCC held their own and earned the respect of the field by capturing numerous flags in each challenge category.

So What’s CTF, you ask

CTF events, Capture the Flag, are online team-based competitions in which groups race against one another to solve a list of cybersecurity challenges (i.e. “capture flags”) in a fixed amount of time. The team that earns the most points from capturing flags wins. These competitions have become a hallmark of cyber-security and hacking culture and give students a chance to gain practice and exposure to cybersecurity skills as well as broader problem solving and critical thinking strategies.

The Style

The Cyber Defenders CTF competition was played in a Jeopardy-style format, in which students were required to provide answers to challenge prompts. This style contrasts from the other popular CTF competition format, the attack-defense model, in which teams try to defend their network and penetrate the networks of other teams. Being new to the cybersecurity field, SJCC students benefited from the Jeopardy format as it focused more on general problem-solving and math skills rather than prioritizing in-field cybersecurity experience.

Challenge categories for the competition included a “Base” question category, in which teams were given large files of numbers which each file number’s having a different base. Capturing flags for these challenges required changing bases to binary or decimal and identifying a noticeable pattern, and then decoding a message in the pattern by converting to a code format such as ASCII or Base64. It was excellent math practice!

Another topic area for the competition was “Sequence Identification.” In these challenges the students were presented with a sequence and were required to identify the pattern and enter the next few elements of the sequence to capture the flag. Some of these were numerical, again involving different bases, and others were text and geometric shapes. This was the highest scoring category for the SJCC teams!

A third flag category was “Code Breaking.” To capture these flags, teams were required to decode/decrypt an encoded message. Many of the ciphertexts were created with shift, substitution, and affine ciphers. The key to solving these challenges was to identify the type of cipher used. This provided an excellent opportunity to review cryptography fundamentals and learn more about the different types of ciphers.

The final flag category was Steganography. In these challenges, teams were required to identify a secret message obfuscated within a larger body of information. In many cases this larger body of information was a jpeg file. These challenges proved to be some of the hardest, as there were many different obfuscation strategies that could be used and needed to be checked for. On the deceptively easy end of the spectrum, some messages were actually visible within an image as small text in a color that blended with the image background. On the hardest end of the spectrum, finding a message required converting the jpeg to binary and finding a pattern that could be isolated and decoded through conversion to ASCII. These challenges gave students the chance to investigate file formats, conversion possibilities, and to see the relative ease of embedding messages (or malware) in seemingly benign files.

All in all, participation in the event was a resounding success. Students got a crash immersion course in manipulating number bases into the bases common for information storage applications, cryptography and cipher varieties, file conversion and embedding, and pattern recognition. They performed much better than what a group of newcomers were expected to! Several students mentioned it was the most fun they’d had all summer, and that they planned to continue participating in CTF competitions as they improve their cyber skills over the coming academic year.