ENISA released a report addressing the contemporary use of Capture-The-Flag (CTF) competitions around the world. It explores how these competitions work and provides a high-level analysis of the dataset of the most recent major public events.
Based on the results of the findings, the report suggests recommendations for consideration in the design phase of these types of competitions.
CTF competitions: What are they?
Capture-the-Flag events are computer security competitions. Participants compete in security-themed challenges for the purpose of obtaining the highest score. Competitors are expected to “capture flags” to increase their score, hence the name of the event. Flags are usually random strings embedded in the challenges.
CTFs have increased in popularity as they attract a higher number of young talents each year. They help develop the essential skills required to follow a career path in cybersecurity.
These competitions can take many forms but the most common are Jeopardy and Attack-Defence. The report specifically focuses on these two types of CTF. An explanation and analysis is developed for each of them on the format, scoring, discussion and variants.
Findings: What kind of analysis and methodology was used?
The themes used to qualitatively analyse CTF events were chosen with the objective to provide readers with sufficient information about all aspects of organizing a CTF event. This analysis, therefore, explores the following elements of the competition in details:
- Entry requirements: consolidates data on age, status, qualifications, location, etc.
- Diversity and inclusion: gender balance, socio-economic background of or ethnic proportionate representation, etc.
- Challenge format: explores challenge categories, scoring, platform used, prizes, length of the competition, etc.
- Competition format: analyses information on team sizes, mentors and coaches, qualifiers or parallel contests
- Event organization: looks at other activities organized such as catering and transport or accommodation facilities provided
- Post-event actions: explores actions performed after the event such as challenge and solution distribution, the release of result data or subsequent publications.
CTF competitions: Main recommendations
Recommendations are provided in relation to the themes and areas explored. Formats for instance should be chosen according to the audience the competition is designed for.
The accessibility and lower deployment costs of the Jeopardy format make it more suitable for non-professional participants. The Attack-Defence however, being more similar to wargame formats, is better suited to professional training exercises.
The report includes recommendations covering the following areas:
- Team requirements
- Team sizes
- Scoring and rules
- Parallel competitions
- Challenge formats
- Communication and media
Who is the report intended for?
The report on CTF competitions will be of particular interest to all individuals and organizations who are involved in their design. It will also help participants and organizations who intend to promote such events to find valuable information on how such events are structured and made functional.