Leveling Up Your Cyber Skills – A Guide To Capture The Flag (Part 1)
Hosting A CTF, Part 1: What Type Of CTF Do You Want To Run?
There are a lot of factors to consider when you think about what type of Cyber Capture the Flag (CTF) you want to run. In addition to its type, you’ll have to decide on its location, length, content focus, and skill-level target. I’m going to discuss these in a way that hopefully makes them easy to think about—and to make a decision on.
Type: Jeopardy-style, attack versus defend, or hybrid/both.
The two most common types of CTFs are Jeopardy-style and attack versus defend.
Jeopardy-style CTFs are where you have a scoreboard that looks like a Jeopardy board, with topics and questions relating to those topics.
Attack versus defend (sometimes called red versus blue) CTFs are where teams have to attack and/or defend other teams’ services and/or servers. You can run these with one team solely running defense and the other team solely running offense, or you can have lots of teams that each have to cover both.
You can also run what I’d call a hybrid CTF, which has both a Jeopardy-style scoreboard and an attack-versus-defend portion. Ideally, the two interact and enhance each other. We’ve done this in the past for a government agency to pit military academies against each other, and it was a rousing success (but it is a lot more work than running a single type of CTF).
Location: Physical, virtual, or both
Do you want participants to have to come to a physical location to participate, or will you make the CTF available online?
Some types of challenges are much easier to do in person. For example, if you’re on a physical LAN, participants can more easily download a several-gigabyte-large virtual machine. And in person, participants can do things that require them to physically interact with devices (such as breaking into a wireless access point or playing with a hardware device).
If you want them to come to a venue, you will, however, have to do some groundwork and be aware of some limitations. For starters, you’ll have to find and book a venue (which will likely limit participation to people near that venue). You’ll need to ensure the venue has ample seating, ample power outlets, and network connectivity. You may also want to provide food and/or drinks for the participants.
Bars, for example, can be great venues because access to drinks and, usually, food is readily available. We’ve hosted CTFs in pubs a few times. Participants appreciate seeing their opponents face to face, stoking both the competitive fire and camaraderie of the teams. However, note that a venue like a bar may present problems, for example, not having enough power sources for participants’ computers.
Making a CTF available online can open it up to the entire world (although you can choose to limit participation, too). You don’t need to worry about booking a venue or setting it up in the real world, so there is a lot less work involved with hosting it. Of course, you do lose some of the face-to-face interaction, and some types of challenges are easier to host by being in the same room.
Your CTF could also be available at both a physical location and online. Although doing both also has limitations, we’ve started doing it because we felt that enabling remote employees to join in the fun while area-based employees meet at a venue for some camaraderie and competition was worth it. (We currently limit online participation to a subset of personnel to keep the number of participants manageable).
Length: Duration of CTF
The CTF’s length is an important decision, often heavily dependent on other variables. Do you want the CTF to be just a couple of hours? An all-day event? An all-weekend event? I’ve run a CTF in as little as an hour and a half, and I’ve seen CTFs running for longer than 3 days.
The length will need to be aligned with the location; if you’re hosting a physical event you’ll need to ensure you have the location for the duration of the event (the location will sometimes dictate and/or limit the event length).
If you’re doing an attack-versus-defend CTF, which usually takes longer to get up and running and for folks to find and exploit the vulnerabilities, I recommend the CTF lasts more than a few hours.

The skill-level target/amount of content will also need to be adjusted based on the length (or vice versa). Because more-difficult challenges often take longer to solve, you’ll likely want a longer CTF if the CTF is focused on challenging the best and brightest. I’ve done some online CTFs where it seemed like every challenge was meant to take a seasoned person at least 2 hours to 3 hours, so obviously a CTF like that (unless it has only a few questions) will need to be longer (the CTF I’m referring to lasted 48 hours).

We typically run 3-hour CTFs, which seem to keep people’s attention without exhausting them and enable us to include both easier questions (which can be solved quickly by experienced participants but may take newbies 15 minutes to 30 minutes to learn about and solve) and harder questions (that may take experienced participants 60 minutes to 90 minutes to solve).
Content Focus: Defensive, offensive, both, or other.
For Jeopardy-style CTFs, the two most common content focuses are defensive (cybersecurity) and offensive. Most CTFs have elements of both. Some have programming or off-the-wall questions.
Your content focus will help determine who will attend your CTF. If you have a target audience, you may want to engage them beforehand to determine what they’re looking for. Or think about who you’re trying to attract to your event. If you’re unsure, I recommend going for a nice mix of both offensive and defensive to try to give everyone at least something they’ll like or be interested in. There are tons of sites that list potential topics for a Jeopardy-style CTF. The following is a list of our previous topics, grouped by field/type:
- Code analysis
- File systems
- Host forensics
- Incident response
- Linux security
- Malware analysis
- Machine learning
- Network forensics
- Open-source intelligence/social engineering
- Reverse engineering
- Web hacking
(We’ll cover categories in a future post.)
Skill-Level Target: Beginner, intermediate, expert, or a mix.
Do you want it friendly for newbs, or do you want it challenging for the best and brightest? It can be hard to pull off both. Your choice can also impact the length—it can be harder to come up with challenging questions for the best and brightest that can be solved quickly, so a CTF focused on experts may have to be longer (or have fewer questions). A CTF focused more on less-experienced folks can be shorter but may have more questions (because the questions are easier). We try to provide a balance of questions for our CTFs, with about 40% of the content focused on less-experienced participants, 40% of the content focused on mid-level participants, and then a few hard (30 minutes to 60 minutes for a single person) to very hard (60 minutes to 90 minutes for a single person) problems for the more-seasoned participants.
Once you decide on (or at least have a starting idea of) what you want for the type, location, length, content focus, and skill-level target, you can focus on the next two important steps (which mostly depend on each other but can be done concurrently or in any order with only a little rework): creating the content and choosing/setting up a CTF-hosting platform. Our next post will cover creating the content, which, assuming you’re hosting a Jeopardy-style CTF, is the more fun of the two.