Last month, Antisyphon InfoSec Training hosted a livestream where they unpacked the answers to three web security challenges from a flash CTF (i.e., a short competition that can be completed in a day) designed and run by MetaCTF. By the way, this is going to be a recurring thing going forward, so keep an eye out for more info!
If you want to watch the whole thing (and we recommend you do!), check it out on Antisyphon’s YouTube page.
If you don’t have time to watch, we summarized some of the biggest takeaways from the livestream.
1. CTFs are an engaging way to learn
Yes, CTF security trainings are a great way for companies to offer employees ongoing career education. But Antisyphon’s livestream is proof of how engaging these competitions can be. The 250 players in this one competition spent their own time and money to play, then spent even more of their free time watching a livestream of the answers. By gamifying the security training, CTFs help cybersecurity students learn more and learn faster by staying engaged.
2. CTFs often mirror real-life scenarios
After reviewing one challenge that required competitors to hack into an online document library, John Strand of Antisyphon noted the similarities between the CTF and a recent real-world scenario. “I have seen almost this exact same thing…in a library system,” Strand said, bringing up a penetration testing consulting project he completed earlier this year. He noted that the library system’s security network “was similar to this [CTF challenge], where the keys matched a specific pattern.”
BB King (also of Antisyphon) replied “Yup, I believe it,” underscoring the direct relevance of CTF trainings to real-world cybersecurity problems.
3. But sometimes CTFs don’t mirror real-life scenarios, and that’s great too
After solving the final and most difficult challenge, King observed that the solution made for “a fantastic CTF challenge that is unlikely to show up this way in a real application.”
Strand joked that the unrealistic complexity of the solution to a SQL injection challenge was just “Roman being mean” (referring to MetaCTF Founder Roman Bohuk). He went on to note that the challenge forced participants to build a more advanced cybersecurity skill and learn SQL in more depth. Because a CTF is a safe, controlled environment, the challenges can push participants to learn skills outside their comfort zone.
4. Cybersecurity is a team sport, and diversity matters
While introducing the final challenge, Strand emphasized how cybersecurity is a team sport requiring multiple perspectives and skillsets. He noted, “I think it’s so important to have a diverse team” while explaining how this cybersecurity threat could most effectively be handled by collaboration between the web app and network teams.
Participants generally take part in CTF competitions as part of a team, which teaches them to trust and rely on their coworkers. But even when the participants play the CTF on their own, the competitions have the potential to help participants appreciate the value that other colleagues can bring to their everyday work.
Want to learn more about cybersecurity training options for your team? Schedule a demo here or contact us!