For a few years now, we’ve been a sponsor of Cyber Security Challenge UK - an initiative to encourage more people into working in cyber security. As part of this, we help with various events around the UK - at anywhere from primary schools to universities. Usually, we’ve run a talk or a small workshop - but this year we decided to go all out… and create our own CTF!
What?
CTF stands for ‘Capture The Flag’ - an interactive, fast-paced, problem solving challenge. Typically, it takes the form of questions and answers (‘flags’), with sections to practice both offensive and defensive security techniques.
All in all, it took us about 2 weeks of project time (20% of e2e analyst time is allocated for working on interesting projects such as this) to get our CTF up and running. For this first version, we used an external platform (the excellent CTFd.io) to host our scoreboard and most of the challenges, with some elements (such as a vulnerable web server to exploit) hosted in Microsoft Azure.
After a few days testing the challenges, tweaking the content, and a bit more re-testing, we were ready. Now, to find some players…
Event #1 - Cyber Roadshow @ Berkeley Green UTC
Fortunately, we found a few players at Berkeley Green UTC in Gloucestershire. Berkeley Green is a specialist ‘University Technical College’, including a cyber security department - even boasting a SOC-style classroom!
During the day, we hosted 3 groups of students, all ranging between 12-18 years, with varying skill levels. Fortunately, our CTF has questions for most skill levels - including a question called ‘salads, rulers, and cryptography’
Which cryptographic cipher also shares a name with a Roman ruler and a salad?
Caesar
Overall, we had some really pleasing results during the day - including a very tense few minutes at the end of our last session - two teams competing for first place, repeatedly leapfrogging each others’ scores on the board down to the last 10 seconds! We were very impressed by the enthusiasm and perseverance of the students, especially as many of them had only a small amount of cyber security knowledge.
Event #2 - Cyber Careers Day @ Manchester Metropolitan University
Our next event was at the Cyber Careers Day hosted at Manchester Metropolitan University. Despite the venue we were in being called ‘The Shed’, it was far from it - an up to date facility with co-working and lab spaces, with a room perfect for us to run our CTF.
Since our audience was this time entirely university students with experience of cyber security techniques, we allotted 2.5 hours for the CTF here (we did sessions of 1 hour in Berkeley). Pro tip - if you ever want to hear a pin drop in a room full of university students… run a CTF!
This string is encoded with a mystery algorithm. Can you find the flag? dGhpc19pc190aGVfZmxhZw==
Using a tool like Cyber Chef the string ‘dGhpc19pc190aGVfZmxhZw==’’ decoded from Base64 reads ‘this_is_the_flag’
It was a hard-fought battle, with two teams eventually holding the top spot - congratulations and thanks to all who took part, despite various attempts by the late Feb 2018 ‘snowmageddon’ to scupper the event!
Wrap-up
We’ve had some great feedback from the students about the CTF and would like to extend our thanks to Berkeley Green UTC, Manchester Metropolitan University, and Cyber Security Challenge UK for hosting us. We hope to see some applications for our current roles landing in our careers inbox soon!
Current roles are detailed on our careers page