Every October, when Cybersecurity Awareness month comes around, organizations roll out informational campaigns to help employees understand and avoid cybersecurity threats. October is also the time of year I sharpen my cybersecurity toolset and enter the arena that is the National Cyber League annual fall event.
The National Cyber League (NCL) hosts the largest cybersecurity competitions in the country. These cybersecurity competitions are held twice a year, in the spring and fall, and the most recent event attracted over six thousand competitors.
Competitors must be a student enrolled, at least part-time, in a wide range of institutions from high school through college, apprenticeships, and boot camps. The intent of the competition is to provide learning experiences for budding cybersecurity professionals. Alas, this means my days of eligibility for NCL are ending, but that does not mean I am hanging up the gloves.
While NCL is my favorite cybersecurity competition, it is far from the only one out there. In fact, during my time on my university’s cybersecurity competition team, I competed in a wide variety of competitions.
NCL is what they call a 'Jeopardy' style Capture-the-flag (CTF) competition. It gets this name by having categories of challenges of increasing difficulty and point values, following the model of the iconic game show. Typical categories include things like cryptography, network traffic analysis, and reverse engineering.
Other competition formats include Blue Team competitions with a focus on defending against an attack; Red Team competitions where you are the attacker; Attack and Defend events where you must manage both, and any number of variations on these themes. The size and prestige of the events vary from casual, beginner friendly, events like picoCTF all the way up to the super bowl of hacking, the DEFCON CTF, won this year for the sixth time in ten years by a team from Carnegie Mellon University.
Now that we have discussed what CTFs are, why should you compete? Simply put, they will make you better at your job. They are also fun and provide a real sense of accomplishment when you crack a tough challenge. In short, an engaging and rewarding way to keep learning.
If you are wondering how competition will make you better, consider some of the major breaches or vulnerabilities you have heard about over the years. You remember Log4J? Or Eternal Blue? Pretty famous vulnerabilities and most cybersecurity folks would be familiar with them. They may have even responded to incidents or read a white paper about them. But how many have exploited them other than penetration testers?
It may not be part of your job description, but having the opportunity to get your hands dirty exploiting a given vulnerability will develop a much deeper understanding of the associated risks than simply reading the latest tech news. This is an area I have found to be extremely robust in the CTF community, they rip challenges straight from the headlines.
CTFs also force you to exercise intellectual muscles that can become neglected. Cybersecurity is a huge field, and every cybersecurity professional ends up specializing. While specialization sharpens specific aspects of your game, as we specialize, we tend to let other skills atrophy.
For example, I am a software developer, and my team makes cybersecurity tools. While the bulk of my work is spent writing code, I also spend a lot of time interacting with cybersecurity professionals collaborating to create solutions for their problems. My competitive background has exposed me to a great many concepts that both allow me to understand the problems that are presented to me, as well as provide well informed solutions that incorporate the latest trends of the industry.
Beyond these tangible benefits of a broader knowledge base, we also gain an intangible skillset, which I believe is even more important: an increased comfort attacking unfamiliar problems.
The most foundational concept of a CTF is that you will be presented with some challenge which you must solve to capture a `flag`. These challenges can be anything from reverse engineering an android app to brute forcing an SSH (Secure Shell) password or extracting hidden messages stored in images with steganography tools.
The one thing all the competitions have in common (the tough ones anyway) is that they present you with things you have never seen before. As you get better, more of the challenges are things you *have* seen before, a benefit of your increasing knowledge base, but with every type of challenge you *have not* seen you grow more comfortable attacking the unknown.
This is exactly the intangible skill that lets me dissect a tough new work problem with confidence and I believe every cybersecurity professional can benefit from.
I know I have been speaking poetically about the myriad benefits of these sorts of competitions, but it is not just me. CompTIA has talked about how valuable competitions are and in fact, since 2020 they have been a title sponsor of the NCL and allow students to earn Continuing Education credits towards certificate renewals.
If you think these sorts of competitions could fit into your cybersecurity workout regimen, you can find a calendar of events, a great FAQ, and a massive collection of writeups over at CTFtime.
Struggle to find time to participate in a scheduled event? Head over to TryHackMe or HackTheBox for challenges you can work through at your own pace. Both sites have free and paid options, a leaderboard to track your progress, and learning tracks you can enroll in to work through a series of related challenges.
Do you think your company can benefit from a team of folks that love new challenges? Check out MindPoint Group’s cybersecurity services. Do you like solving problems and want to be part of a team that values keeping those skills sharp? Check out our careers page.