The only time hackers are welcome to attack a network is when they’re participating in a cybersecurity Capture the Flag (CTF) competition, such as the one hosted Aug. 2 by Tekla Research, which supports the Cybersecurity Test and Evaluation branch of NAVAIR.
“I coordinated the event to use it for multiple purposes,” explained Tim Rodgers, senior cyber test engineer at Tekla. “First, it was a project that I assigned to one of the summer interns working with me as a method to teach him about cybersecurity and networking. Additionally, it provided an outstanding training environment for the Cyber T&E branch to sharpen their skills.”
Summer intern Brantley Vose, a senior studying Math and Computer Science at Iowa State University, was tasked by Rodgers to set up the server and install the software for the event.
“He also designed the virtual machines and networks and purposely planted security vulnerabilities,” Rodgers said. “We had about 30 participants who came from Cyber T&E and MilCorp; many of them interns. The cyber professionals in attendance assumed mentoring roles.”
The event, which lasted about five hours, was a network-attack-style competition. The participants were split into three teams situated in different conference rooms, where they could communicate while working individually on laptops.
“Each team was assigned one of three identical copies of a network to hack into, each of which had multiple virtual machines with deliberate security vulnerabilities,” Rodgers noted. “Hidden in these virtual machines were various ‘flags,’ which are text files placed where the participants cannot access them without hacking in.”
As the teams attacked their network, three referees – including Rodgers and Vose – checked on their progress, provided hints, answered questions, and made suggestions.
“I was happy to see people getting competitive,” commented Vose, who says he knew “absolutely nothing” about cybersecurity or networking prior to his internship with Rodgers. “The participants seemed really engaged and the teams did well. Some people solved the problems I’d created in creative ways that I hadn’t anticipated, so I learned something myself.”
In addition to providing a safe and legal environment for cybersecurity students and professionals to apply learned skills and tools in a realistic setting, there are other benefits to an event like this, Rodgers said.
“It not only provides an environment to conduct training, it can also be used as a recruiting event or a method of screening potential hires,” he added. “People can talk about their skills and knowledge, but a CTF is an opportunity to prove themselves as experts.”
Vose is getting ready to return to school after what he says was a valuable learning experience during the eight weeks he spent interning at Tekla.
“The first half of summer was Tim teaching me all the basic concepts,” he said. “Around the halfway point, he put a server on my desk and told me to apply what I’d learned and make this [CTF] event happen. It taught me a lot. Tim Rodgers has been an excellent teacher.”
Meanwhile, Rodgers plans to hold the event again next year with a new batch of interns, and possibly to run it a few times a year.
“The event was a huge success,” he noted. “All the participants – pros and interns – walked away with new skills to place in their tool belt. And I was quite impressed with Brantley and how quickly he learned. He did most of the work on this event and I’d highly recommend him for any position he’d apply to.”