CTF: Field Guide

From OnnoWiki
Revision as of 03:53, 28 January 2023 by Onnowpurbo

Source: https://trailofbits.github.io/ctf/

CTF Field Guide

“Knowing is not enough; we must apply. Willing is not enough; we must do.” - Johann Wolfgang von Goethe

Welcome! We’re glad you’re here. We need more people like you.

If you’re going to make a living in defense, you have to think like the offense.

So, learn to win at Capture The Flag (CTF). These competitions distill major disciplines of professional computer security work into short, objectively measurable exercises. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft.

Whether you want to succeed at CTF, or as a computer security professional, you’ll need to become an expert in at least one of these disciplines. Ideally in all of them.

That’s why we wrote this book.

In these chapters, you’ll find everything you need to win your next CTF competition:

Walkthroughs and details on past CTF challenges
Guidance to help you design and create your own toolkits
Case studies of attacker behavior, both in the real world and in past CTF competitions

To make your lives easier, we’ve supplemented each lesson with the Internet’s best supporting reference materials. These come from some of the best minds in the computer security field. Looking ahead, we hope you’ll collaborate to keep this book evolving with the industry.

We’ve tried to structure this so you can learn as quickly as you want, but if you have questions along the way, contact us. We’ll direct your question to the most relevant expert. If there’s enough demand, we may even schedule an online lecture.

Now, to work.

-The Trail of Bits Team




Capture the Flag

Why CTF?

Computer security represents a challenge to education due to its interdisciplinary nature. Topics in computer security are drawn from areas ranging from theoretical aspects of computer science to applied aspects of information technology management. This makes it difficult to encapsulate the spirit of what constitutes a computer security professional.

One approximation for this measure has emerged: the ‘capture the flag’ competition. Attack-oriented CTF competitions try to distill the essence of many aspects of professional computer security work into a single short exercise that is objectively measurable. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft.

A modern computer security professional should be an expert in at least one of these areas and ideally in all of them. Success in CTF competitions demands that participants be an expert in at least one and ideally all of these areas. Therefore, preparing for and competing in CTF represents a way to efficiently merge discrete disciplines in computer science into a focus on computer security.


Find a CTF

If you ever wanted to start running, you were probably encouraged to sign up to a 5k to keep focused on a goal. The same principle applies here: pick a CTF in the near future that you want to compete in and come up with a practice schedule. Here are some CTFs that we can recommend:

PicoCTF and PlaidCTF by CMU
HSCTF is made for high school students
Ghost in the Shellcode (GitS)
CSAW CTF by NYU-Poly
UCSB iCTF is for academics only
Defcon CTF

Visit CTF Time and the CapCTF calendar for a more complete list of CTFs occurring every week of the year.

How is a Wargame different?

Wargames are similar to a CTF but are always ongoing. Typically, they are organized into levels that get progressively harder as you solve more of them. Wargames are an excellent way to practice for CTF! Here are some of our favorites:

Micro Corruption
SmashTheStack
OverTheWire
Exploit Exercises

What about CCDC?

There are some defense-only competitions that disguise themselves as CTF competitions, mainly the Collegiate Cyber Defense Challenge (CCDC) and its regional variations, and our opinion is that you should avoid them. They are unrealistic exercises in frustration and will teach you little about security or anything else. They are incredibly fun to play as a Red Team though!



Find a Job

Career Cheatsheet

[Editor's note: this is an older article written for pentest.cryptocity.net and that we are in the process of updating.]

These are my views on information security careers based on the experience I've had and your mileage may vary. The information below will be most appropriate if you live in New York City, you're interested in application security, pentesting, or reversing, and you are early on in your career in information security.

Employers

As far as I can tell, there are five major employers in the infosec industry (not counting academia).

The Government
Non-Tech Fortune 500s (mostly finance)
Big Tech Vendors (mostly West coast)
Big Consulting (mostly non-technical)
Small Consulting (mostly awesome)

The industry you work in will determine the major problems you have to solve. For example, the emphasis in finance is to reduce risk at the lowest cost to the business (opportunities for large-scale automation). On the other hand, consulting often means selling people on the idea that X is actually a vulnerability and researching to find new ones.

Roles

I primarily split up infosec jobs into internal network security, product security, and consulting. I further break down these classes of jobs into the following roles:

Application Security (code audits/app assessments)
Attacker (offensive)
Compliance
Forensics
Incident Handler
Manager
Network Security Engineer
Penetration Tester
Policy
Researcher
Reverse Engineer
Security Architect

The roles above each require a different, highly specialized body of knowledge. This website is a great resource for application security and penetration testing, but you should find other resources if you are interested in a different role.

Learn from a Book

Fortunately, there are dozens of good books written about each topic inside information security. Dino Dai Zovi and Tom Ptacek both have excellent reading lists. We recommend looking at:

Gray Hat Hacking
The Myths of Security
Hacking: The Next Generation
and any book from O'Reilly on a scripting language of your choice

If you're not sure what you're looking for, then you should browse the selection offered by O'Reilly. They are probably the most consistent and high-quality book publisher in this industry.

Don't forget that reading the book alone won't give you any additional skills beyond the conversational. You need to practice or create something based on what you read to really gain value and understanding from it.

Learn from a Course

If you're looking for something more hands-on and directed, there are lots of university courses about information security available online. I listed some of the best ones that have course materials available below (ordered by institution name). The RPI course is the most similar to this one and Hovav gets points for the best academic reading list, but every course on this list is fantastic.

Course                                      | Instructor(s)      | Institution
Secure Software Principles                  | RPISEC             | RPI
Modern Binary Exploitation                  | RPISEC             | RPI
Computer Security                           | various            | Berkeley
Computer and Network Security               | Dan Boneh          | Stanford
Web Programming and Security                | Dan Boneh          | Stanford
Intro to Web Application Security           | Edward Z. Yang     | MIT
Intro to Software Exploitation              | Nathan Rittenhouse | MIT
UNIX Security Holes                         | D. J. Bernstein    | UIC
Malware Analysis and Antivirus Technologies | various            | TML
System Security and Binary Code Analysis    | Zhiqiang Lin       | UT Dallas
Cybersecurity Specialization                | various            | UMD
Graduate Computer Security                  | Hovav Shacham      | UCSD

University

The easiest shortcut to finding a university with a dedicated security program is to look through the NSA Centers of Academic Excellence (NSA-COE) institution list. This certification has become watered down as more universities have obtained it and it might help to focus your search on those that have obtained the newer COE-CO certification. Remember, certifications are only a guideline. You should look into the actual programs at each university instead of basing your decision on a certification alone.

Once in university, take classes that force you to write code in large volumes to solve hard problems. IMHO the courses that focus on mainly theoretical or simulated problems provide limited value. Ask upper level students for recommendations if you can't identify the CS courses with programming from the CS courses done entirely on paper. The other way to frame this is to go to school for software development rather than computer science.

Capture the Flag

If you want to acquire and maintain technical skills and you want to do it fast, then you should play in a CTF or jump into a wargame. The one thing to note is that many of these challenges attach themselves to conferences (of all sizes), and by playing in them you will likely miss the entire rest of the conference. Try not to overdo it, since conferences are useful in their own way (see the rest of the career guide).

There are some defense-only competitions that disguise themselves as normal CTF competitions, mainly the Collegiate Cyber Defense Challenge (CCDC) and its regional variations, and my opinion is that you should avoid them. They are exercises in system administration and frustration and will teach you little about security or anything else. They are incredibly fun to play as a Red Team though.

Communication

In any role, the majority of your time will be spent communicating with others, primarily through email and meetings and less by phone and IM. The role/employer you have will determine whether you speak more with internal infosec teams, non-security technologists, or business users. For example, expect to communicate more with external technologists if you do network security for a financial firm.

Tips for communicating well in a large organization:

Learn to write clear, concise, and professional email.
Learn to get things done and stay organized. Do not drop the ball.
Learn the business that your company or client is in. If you can speak in terms of the business, your arguments a) to not do things, b) to fix things, and c) to do things that involve time and money will be much more persuasive.
Learn how your company or client works, i.e. the key individuals, processes, or other motivators that factor into what gets things done.
If you are still attending a university, as with CS courses, take humanities courses that force you to write.

Meet People

Find and go to your local CitySec, an informal meetup without presentations that occurs once monthly in most cities. At Trail of Bits, we attend our local NYSEC.

ISSA and ISC2 focus on policy, compliance and other issues that will be of uncertain use for a new student in this field. Similarly, InfraGard mainly focuses on non-technical law enforcement-related issues. OWASP is one of the industry's worst examples of vendor capture and is less about technology and more about sales.

Conferences

If you've never been to an infosec conference before, use the Google calendar below to find a low-cost local one and go. There have been students of mine who think that attending a conference will be some kind of test and put off going to one for as long as possible. I promise I won't pop out of the bushes with a final exam and publish your scores afterward.

Information Security Conferences Calendar

If you go to a conference, don't obsess over attending a talk during every time slot. The talks are just bait to lure all the smart hackers to one location for a weekend: you should meet the other attendees! If a particular talk was interesting and useful then you can and should talk to the speaker. This post by Shawn Moyer at the Defcon Speaker's Corner has more on this subject.

If you're working somewhere and are having trouble justifying conference attendance to your company, the Infosec Leaders blog has some helpful advice.

Certifications

This industry requires specialized knowledge and skills and studying for a certification exam will not help you gain them. In fact, in many cases, it can be harmful because the time you spend studying for a test will distract you from doing anything else in this guide.

That said, there are inexpensive and vendor-neutral certifications that you can reasonably obtain with your current level of experience to help set apart your resume, like the Network+ and Security+ or even a NOP, but I would worry about certifications the least in your job search or professional development.

In general, the two best reasons to get certifications are:

If you are being paid to get certified, through paid training and exams or sometimes through an automatic pay raise after you get the certification (common in the government).
If your company or your client is forcing you to get certified. This is usually to help with a sales pitch, i.e. "You should hire us because all of our staff are XYZ certified!"

In general, it is far more productive to spend time playing in a CTF, then using your final standing as proof that you're capable.

Links

Reddit and Hacker News threads about this post

Security Advice

How to Break Into Security, Ptacek Edition
VRT: How to Become an Infosec Expert, Part I
Five pieces of advice for those new to the infosec industry
How to Milk a Computer Science Education for Offensive Security Skills
Kill Your Idols, Shawn Moyer's reflections on his first years at Defcon

Thoughts on Certifications

My Canons of (ISC)2 Ethics
Not a CISSP
(ISC)2's Newest Cash Cow
Why You Should Not Get a CISSP

General Tech Advice

Advice for Computer Science College Students
Don't call yourself a programmer, and other career advice
The answer to "Will you mentor me?" is .... no.




References