
The cybersecurity industry has been attracting increasing attention in recent years. And within the job market in Japan, many people are considering a job change into cybersecurity-related positions because of the potential the industry has. In order to do so, we recommend that you obtain a cybersecurity-related certification to make your job transition easier.
In this article, we will cover Capture The Flag (CTF) and how you could prepare for it. If you’re interested in other certifications, we have also covered OSCP and how to prepare for the OSCP certification, which you can read about here.
What is CTF?
CTF stands for "Capture The Flag" and refers to an information security competition that challenges participants to solve a variety of tasks. Essentially, participants use their knowledge of information security to find and submit a string of characters (Flag) hidden in some way, and receive points.
CTF has become a popular event for professionals seeking to advance their careers in the information security field, which requires specialised knowledge and advanced skills. It allows participants to improve their skills while having fun at the same time.
CTF has both individual and team competitions, and the most famous team competition event is DEFCON, which is held in the United States. SECCON is well known in Japan and is held annually, along with SECCON Beginners CTF for CTF beginners and CTF for Girls, which targets women.
The rules of the competition are quiz-style, where the individual or team that earns the most points by solving the most questions within the time limit wins. In recent years, more companies are organising their own CTFs to discover potential security personnel and to improve their skills.
Basic rules of CTF (SECCON example):
- Limit: 24 hours
- Eligibility: None (regardless of nationality, age, or gender)
- Search: Online or offline
- Prohibited: Sharing FLAGs, solutions, and hints with others
The content of CTF competitions covers a very wide range of topics. This means that you will be able to acquire a broad knowledge of the information security field and the IT industry in general as you prepare for it.
Advantages of participating in a CTF
- Gain a wide range of knowledge about information security
- Acquire comprehensive IT knowledge
- Attain practical skills
- Acquire the intuition necessary for troubleshooting
- Become an appealing factor for your current company or when changing jobs
What do CTF competitions consist of?
In CTF competitions, participants solve a variety of problems using technologies related to information security. The scope of the questions is very broad, and they are categorised into genres such as PWN, Crypto, Reversing, and Web, as listed below:
- PWN – Problems that exploit programme vulnerabilities
- Crypto – Ciphertext problems
- Reversing – Problems that involve analysing binaries
- Web – Issues relating to web security, including SQL injection and XSS
- PPC (Professional Programming and Coding) – Competitive programming
- Forensic, Steganography, Network – Data extraction problems
- Misc – Other issues apart from those listed above
As you can see, CTF requires knowledge and skills in a very wide range of areas. Therefore, by preparing for CTF, you can expect to reap benefits such as a deeper understanding of the technical aspects of information security and a broader scope of work within IT.
Recommended preparation methods for CTF
As mentioned above, CTF requires a wide range of knowledge, so it is essential to know the most efficient way to learn when you’re preparing for it. As a foundation, you should have the following prerequisite knowledge:
- Programming
- Web applications
- Networking and OS
- Linux and command operations
Start with the basics by making use of past questions. Both beginners and experienced CTF players are recommended to start by working on past problems. If you don't understand the solution at all after looking at a question, read the explanations and work your way through them. A recommended free site with past questions is GitHub.
Other free CTF exercise sites and files on the web include:
- ksnctf
- akictf
- CpawCTF
- Flaggers
- Security contest challenge book support site (includes exercise files)
Study groups for more efficient learning of CTF
If you have decided to participate in CTF and want to learn more efficiently in a short period of time, you may consider joining a study group. SECCON holds regular workshops, which can be attended at venues around Tokyo, Fukuoka, Hokkaido, and online.
In addition to SECCON, there is also a lot of information on the web about workshops for beginners, which we recommend that you actively participate in if you are a CTF beginner.
As CTF exists not only for individual competitions but also for team competitions, it is also possible to gather a group of friends to share roles within a team. Especially if you have no experience, we recommend that you participate in the team competitions and focus on your strengths whilst allocating other areas to different team members. If you want to join this competition with a group of colleagues and belong to an information security company, you can opt for SECCON-sponsored events.
The advantage is that even if you participate in team competitions, you can still expect to be recognised as an individual who has gained knowledge in the field of cybersecurity when looking for a new job in Japan, as with individual competitions.
How to study for CTF by genre
The following describes how you could prepare for the genres that make up the bulk of the competition:
- PWN (Pwnable)
PWN in CTF refers to problems that exploit a vulnerability in a programme to access and manipulate memory areas that are normally inaccessible in order to obtain flags. In the actual problem, the user connects to the vulnerable programme or the server running it via "SSH" or "NC" to crack it.
PWN can be very difficult for beginners, so it is recommended that you do not try to solve it on your own from the beginning, but rather read the answers and explanations to understand each step of the process as you go along. Make use of information such as the Security Contest Challenge Book and web-based explanation sites. Since PWN also requires knowledge of other areas, such as Reversing, which will be discussed later, it is recommended that you start PWN after you have completed some level of study in other areas.
- Crypto (Cryptography)
Crypto is a set of cryptography-related problems, the easiest of which consist of Caesar ciphers and the most difficult of which require in-depth knowledge of number theory. There are many practice problems on the web, such as the Crypto challenges list, so use these to advance your understanding. A recommended study resource for those who want to score well in the Crypto field is "All about Cryptography".
- Reversing
This field is related to reverse engineering, and the main focus is on analysis using IDA, Ghidra, and gdb. It will be necessary to learn how to use the tools, and it may take some preparation time to be able to solve problems, but be persistent in your studies and keep learning. A recommended study resource is the “Reverse Engineering Bible”.
- Web
Web security problems involve both client-side and server-side issues. On the client side, you will be tested on XSS and JavaScript obfuscation; on the server side, you will be tested on SQL injection, path traversal, JWT and other session-related issues.
On the web, there is a free learning site called Web Security Academy, which explains not only XSS and SQL injection, but also more complex vulnerabilities such as XXE and SSRF, and provides a free lab where you can actually attack, allowing for learning that combines theory and practice. Other recommended study resources include "How to Create Secure Web Applications (2nd Edition)".
- PPC
PPC refers to competitive programming. The most effective way to learn is to actually participate in competitive programming contests, such as TopCoder, AtCoder, yukicoder, Google Code Jam, which is organised by Google, and Facebook Hacker Cup, which is organised by Facebook.
To participate in competitive programming, it is necessary to learn programming languages such as C++, Python, Java, C#, and JavaScript.
- Forensic
This focuses on extracting information from data and finding Flags. You can learn the main tools and techniques required for the competition at the following sites:
CTF is often thought of as a hurdle due to the wide range of knowledge and skill areas required, but learning how to prepare for this can help you acquire advanced skills which can be very useful in your career later on.
Are you looking for a job change into cybersecurity or would like to know more about CTF?
At Computer Futures, our consultants specialise in the cybersecurity field and are ready to assist you in your job change. If you are considering a job change in this area, please feel free to contact us using the form at the bottom of this page at no obligation. You may also check out our current non-confidential job openings via the button below.