Challenges of organizing and hosting a CTF
We just wrapped up the 2018 Santa Barbara Capture The Flag and it was another spectacular turnout. With over 60 people in attendance, we kicked off what turned out to be the most challenging event to date. A lot goes into having a CTF such as rallying a team of volunteers, sorting out the funding, writing a bunch of challenges, and then finding attendees. In addition to all of that, we undertook two additional mini events this year for Social Engineering and Lock Picking. It’s always amazing to see the complete and utter chaos of a CTF event turn out to be such a successful and enjoyable weekend of hacking!
So given how complicated, time-consuming, and chaotic organizing a CTF is, why on earth would a person choose to undertake such a task? The answer is a combination of passion and interest, but also an obligation to help encourage a new generation of Information Security professionals. There is still a large gap between the would-be Security Professionals in training and the open positions on the market today, and this gap is increasing every year. I found that a CTF event is a fantastic venue to bring together the aspects of security and introduce them to people in a way that is easy to digest. Whether you’re a college student interested in a security job, a QA Engineer interested in expanding knowledge, or a hobbyist learning to pick a lock, we had something for everyone.
Well, we know why one might want to subject themselves to the stress of not sleeping for months to plan one of these events. The question now is: how do I go about it? This was particularly difficult when I set out with a colleague to try this years ago. As time goes on we see more of these types of events, but there is still shockingly little information available on what people have done to successfully host a CTF. I will not pretend to have all the answers, but I do have some experiences and lessons learned that I will share in the hope that others choose to take up the call to host security events like our CTF.
The basic requirements I found to make this possible are challenges, a location, and some funding.
In order to make a CTF work, you have to have challenges. Those can cover a wide range of topics like web application vulnerabilities, operating system hardening, reverse engineering, encryption, social engineering, and the list goes on. The challenges can be any combination of these topics and are generally based on the combination of experience and passion of the volunteer willing to write them. In addition to writing challenges, we had to write automation so we could orchestrate all the infrastructure and scale it based on attendance. We also needed several people to help cover the event and assist with logistics (e.g., ordering food, setting up the office, answering questions). Overall I would recommend no fewer than five dedicated people.
During our first couple of CTF events, we quickly learned that we needed more people to spend cycles creating challenges. With only a single challenge writer, it was extremely costly and the challenges were narrowly focused. In later events we set out much further ahead of time to figure out the challenges so we had decent coverage of topics. Being proud nerds, we went right to mathematics to solve the problem. We chose to calculate points based on estimated time-to-solve, from which we could then determine the rough number of challenges needed. If we started at 5 PM on Friday and ended at 10 AM on Sunday, we had a total of 41 hours or 2,460 minutes of potential hacking to occupy. To get an even distribution of time and difficulty, we split the time into three difficulties.
The easy category was 30 minutes, the medium category was 180 minutes, and the hard category was 300 minutes. This could easily be whatever time commitments you wanted the challenges to total.
Total Minutes of CTF / Difficulties / Minutes to Solve = total number of challenges for that difficulty
2460 / 3 / 30 = 27 Easy Challenges
Once you have challenges, you’ll need to present them in some way to attendees. We found that leveraging Docker was a huge help in both scalability and cost. Each challenge was in a container and each team got a node (server) running all of the challenges. This provides some isolation between teams so one doesn’t inadvertently knock something over for everyone.
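The layout described above (one node per team, one container per challenge) can be generated from a challenge list, as in this added example, which is not the organizers' own automation. The challenge names, images, ports, resource limits and per-challenge networks are assumptions chosen so that a broken or exhausted challenge stays contained on its team's node.

```python
import json

# Constructed challenge catalogue: names, images and ports are hypothetical.
CHALLENGES = [
    {"name": "web-login", "image": "ctf/web-login:1", "port": 8080},
    {"name": "crypto-oracle", "image": "ctf/crypto-oracle:1", "port": 9000},
    {"name": "pwn-echo", "image": "ctf/pwn-echo:1", "port": 1337},
]

def team_compose(team, challenges, base_port=10000):
    """Return the Compose document for one team's node."""
    services, networks = {}, {}
    for offset, ch in enumerate(challenges):
        net = f"{ch['name']}-net"
        networks[net] = {}  # one network per challenge: no container-to-container traffic
        services[ch["name"]] = {
            "image": ch["image"],
            "ports": [f"{base_port + offset}:{ch['port']}"],
            "networks": [net],
            "read_only": True,            # challenge files cannot be altered by a solver
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "mem_limit": "256m",          # a runaway process cannot starve the node
            "pids_limit": 128,            # contains fork bombs
            "restart": "unless-stopped",  # a crashed challenge comes back by itself
        }
    return {"name": f"ctf-{team}", "services": services, "networks": networks}

def build_event(teams, challenges=CHALLENGES):
    """Map each team to its own node's Compose document (scale = len(teams))."""
    return {team: team_compose(team, challenges) for team in teams}

if __name__ == "__main__":
    docs = build_event(["team01", "team02"])
    # JSON is valid YAML, so this output can be saved as a compose file.
    print(json.dumps(docs["team01"], indent=2))
```

Challenges that need scratch space would add a tmpfs mount alongside the read-only root filesystem.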
We’re fortunate to have an incredibly CTF-friendly office space which includes an open floor plan with numerous meeting rooms and common areas. Teams tend to gravitate towards privacy given the competitive nature of the event. This means you’ll need places where teams can post up and coordinate amongst themselves, while still having common areas to eat, drink, and socialize with the other attendees. Based on our experience, 30% of teams hunker down for the weekend while the others tend to congregate more in the social areas.
We’ve operated on a fairly modest budget over the past several events but wanted to ensure there were incentives for people attending. We started with a decent sized prize pool of $600 for the top three teams and have been experimenting with other prizes. Random prizes for “Last person standing” or “First Blood” were neat and had some appeal. We opted for mini events like Social Engineering and Lock Picking at the last CTF and were extremely happy with the increased engagement. In fact, Day 2 of the CTF was as popular as the kick-off, if not more so.
We certainly learned our lessons on a few things. The first and most expensive was ordering food. We initially made the mistake of planning to feed 100% of attendees for 100% of the event. That resulted in one of our volunteers carrying a truckload of burritos home and eating nothing but that for a week. While we’re still improving this, I would offer the tip to plan on feeding 75% of attendees from a budgeting perspective. Then run polls prior to meals to gauge actual attendance. Large orders of tacos or sandwiches are very cost effective, and bagels for breakfast are a solid choice. Kicking off with pizza is always great because even if you over-order, people will eat it throughout the weekend as snacks. Secondly, make sure to have a variety of sizes for swag and ensure enough swag is ordered ahead of time for everyone who RSVPs.
The CTF event has been extremely fun and challenging to organize, and I look forward to the next one and my ability to continue sharing whatever I can to help encourage others to host their own events. Hearing how much fun someone had or how much someone learned is incredibly gratifying and we have received a lot of great feedback thus far. We’re increasing the knowledge, interest, and fun in Information Security while we’re doing it too!