Five years ago, when we started Seekintoo, I never imagined we would be developing a rather extensive training program for on-boarding Threat Hunters and Penetration Testers. Well, we've been working on that for the past few months and I have some thoughts about the CTF participation that organically became a part of it. It's not all we've been working on, but I'll save that for another blog post.
We've posted some CTF articles in the past (wherever we're not breaking the rules) that show off solutions and strategies our team has come up with. For example, the LabyREnth challenge! This blog post, though, is more about how company-sponsored CTF activity can help your team be more skilled, successful, and ultimately more profitable.
Success is not a zero-sum game. There is always room for more than one person, software product, or company in any particular arena. The not-so-sugar-coated truth is that the "best" is often more subjective than objective, especially for individuals who are just starting their careers, or trying to skill up in a specific area. Here are some of the oft-quoted reasons why competition can be beneficial for individuals:
Motivation. CTF competitions can foster motivation for individuals who normally aren't keen on measuring their own success. We have a person who normally excels at work, but is very hard on themselves, never taking time to appreciate their own work, often despite accolades from coworkers and supervisors! The same person meticulously tracks the CTF team's progress and takes great pride in our rankings!
Stress management. CTFs push you out of your comfort zone. You're working against the clock and other teams. You have to develop solutions and skills on the fly, in some instances completing focused research on complex topics. Sounds a lot like a penetration test (pentest), doesn't it?!
Risk taking. Once people realize that competition is not a terrifying thing, they can take bigger risks, and ultimately reap bigger rewards. CTFs can develop our confidence to do things that are hard or uncomfortable.
Commitment. Data shows that high school students who play competitive sports are less likely to drop out. That could be part of "big sports" propaganda, but I do believe that competitive team activities value individual commitment more than the functional team structures you might be working in.
Confidence. Good consultants can solve any problem. The issue with less experienced consultants is the confidence to take on tough problems without being overwhelmed, or feeling as though they are unable to deliver satisfying results to the customer.
Information security (infosec) professionals are notoriously competitive, but not known for avid participation in physical sports. In a small tech company, you are far more likely to get interest in a LAN party than a softball tournament.
Since we started our CTF team, we've seen a massive increase in Slack activity that spills into other channels and discussions. #ctf has become the most used channel in the past few months. I often see notifications on the weekend, and in the wee morning hours that someone got a flag!
Like the seemingly built-in aversion to sportsball, strong infosec resources like to stay away from traditional classroom education. When we're hiring, demonstrated experience is worth as much as, or more than, a degree. At the very least, serious consideration is given to candidates who can demonstrate breadth of experience but might have less-than-impressive formal education.
CTFs are an excellent way to learn new skills, and polish or maintain existing ones, especially competitions with complex problems and large time frames. We've seen (and support within reason) extensive research and testing being done to solve CTF problems.
The technical and problem-solving skills developed through participation in CTFs have spilled over into the work of our resources, often in more useful ways than the more commonly pursued infosec certifications have.
We had our summer development interns participate in the CTF team this year. I really thought they wouldn't be interested, but it turns out they were, very much in fact. They hosted some team lunch-and-learns about techniques, and helped to contribute to some of the content here! Everyone who was on the team this summer remains welcome, and still comes in on some weekends to participate. I guess I'd rather do that than study.
With the number and diversity of challenges out there, it's advantageous to try to involve anyone who might be interested in competitive problem solving. Generally, the broader the skills of the CTF team, the better the team will be. As a bonus for your team, more specific skills will cross-pollinate, creating more balance overall.
One thing we did know five years ago was that we didn't want to have our "hacker culture" eroded by influences from customers or partners with conflicting cultures. We stress to everyone that we're a results-driven company, and we mean it when we say it. The formation of an in-house CTF team has helped foster this culture as our company has grown. It has also allowed us to take more time to focus on becoming better in our core competencies.
CTF competitions allow us to take more time to focus on a team activity that is fun, carries broad appeal (within IT, at least), and has no "company achievement" burdens attached. How and what we do in CTFs has no bearing on our day-to-day business.
When I first became interested in infosec, circa 2001, CTF competitions were not nearly as popular. I don't even think Defcon was formally hosting anything at that time. I could be wrong on that given that I had not attended the now illustrious Vegas con until many years later.
Today, we can participate as little or as much as we want. There are meta sites like ctftime.org that track teams and competitions. There are entire frameworks written by tech giants to run and score CTFs!
We truly are in the golden age of CTFs, and I say there is no real downside here. Purists will likely turn their noses up and say things like "I was doing it before it was popular," or "It's mainstream now, there is no challenge or prestige." That's all fine and dandy for them. As a company we're not interested in the 1337 super gold star badges; we're just looking to have fun and skill up.
Unfortunately, it would be inaccurate to claim a fantastic increase in sales or revenue since implementing this program, because the fantastic growth we have experienced is not wholly attributable to our CTF team's progress or activity. I can, however, state anecdotally that developers participating in CTFs have since brought far more ideas to the table in design and planning meetings, and consultants (especially pentesting teams) are able to get far more interesting, relevant, and valuable items into their deals by telling CTF stories during scoping. This leads to more billable time in the latter, and more efficient development in the former.
Overall, we've found a company-sponsored CTF team to be a huge benefit. Keep in mind we provide resources and time. The team(s) have zero obligation to hype our company or brand!
If you run a red team, a pentesting firm, a research company, or anything in the sphere of infosec, you're doing yourself and your team a disservice by not getting on the CTF bandwagon. Don't make participation mandatory though; don't be that guy. Try to keep work and CTFing separate; don't let it become a tool to measure people against. Let it become an organic aspect of your culture and I'm positive you'll see beneficial results as we have, even in people who don't participate.