Capture the Flag cybersecurity competitions offer unique learning opportunities – and for some, job opportunities
Author: Madelaine Millar
Date: 01.25.21
Photo (2016): Guevara Noubir by Adam Glanzman/NU
The students on Northeastern University’s NUSec competitive cybersecurity team are very, very good at what they do. Just how good? At this year’s MITRE embedded security Capture the Flag competition, the NUSec team—which played under the name “Husky Records”—didn’t just win; they got more points than all the other teams, 20 of them, combined.
“Our design for the last competition was so overblown and convoluted that I don’t think anyone had a chance to even understand what it actually did,” said Cameron Kennedy (BSCY, ’20). The team, captained by PhD student Dennis Giese, lost only one flag in this year’s competition; last year, they lost none at all.
Photo (2019) of Dennis Giese by Matthew Modoono/NU
Cybersecurity competitions exist at all levels and in a variety of styles, but Northeastern’s NUSec team is focused on a specific style called defend-and-attack Capture the Flag (CTF). This semester-long, two-phase competition first gives teams a period of time to design and implement a secure system based on a set of challenge requirements. In the case of the embedded security competition offered by the MITRE Corporation, which the Northeastern team has won two years running, the allotted time was a little over two months. The secure system to be designed and implemented in this year’s CTF had to be a music player.
After the design phase, all the teams are given access to each other’s designs and have roughly another month to try to hack into them and capture a series of “flags” by compromising the system enough to perform specific actions. MITRE’s 2020 competition had five flags, three of which could be captured by making the system play a song on a music player from a different region, “illegally” acquired music, or a song the user didn’t own. The other two could be captured by tampering with audio files or stealing user credentials. Points are awarded based on how many flags a team captures and how quickly, as well as on how many of their own flags a team is able to defend. (Additional points are awarded for things like maintaining good documentation.)
From Classes to Co-op
Professor Guevara Noubir, executive director of Cybersecurity Programs at Khoury College, first introduced cybersecurity competitions to the school as a classroom tool back in 2004. Once students had a solid foundation in cybersecurity concepts, the competitions were a way for Noubir to give them an opportunity to start applying those concepts and solving real problems.
“In the classroom and at that level, I think that I was one of the pioneers in organically integrating cybersecurity competitions within the context of the class,” said Noubir. “The students get to apply the concepts that are taught in the classroom, such as designing secure networked systems and security protocols, but also deploy and operate their system, and the competition makes it a bit more fun and challenging.”
As more cybersecurity classes became available at Northeastern, CTF competitions became just one of many ways for students to be introduced to newer or more niche cybersecurity concepts. Instead of continuing to stress them in the classroom, Noubir pivoted to cybersecurity competitions as an extracurricular way for students to build their cybersecurity skills. He now advises NUSec, the Northeastern cybersecurity CTF team that dominated the MITRE competition in 2019 and 2020.
Photo of NUSec 2020 CSAW ESC software code provided by team
According to competition alumni and currently participating students, CTF competitions are a great way to practice existing cybersecurity skills, improve your ability to research, discover specializations that you might be interested in, and learn to approach cybersecurity collaboratively. Most competitions require a solid grasp of cybersecurity fundamentals, but if you’re looking to build on an existing skill set, they’re a lot of fun.
Several students and alumni have also found the skills they built in CTF competitions helped them in other areas of their work too. Erik Uhlmann (BSCS ’21) even landed a co-op through their participation in the MITRE Capture the Flag competition.
“My current co-op is actually at MITRE, which is the company that organized the CTF. After the embedded CTF is over, MITRE puts out a call for people to apply to internships and co-ops, like the students who are participating in the CTF,” said Uhlmann. “During my co-op, I got the opportunity to do novel embedded security work. The skills that I developed in the Embedded CTF have been directly applicable to the work that I’m doing here. So that’s also been really cool.”
Beyond Northeastern
Another ex-captain of the NUSec team, Sashank Narain (PhD ’18 in cybersecurity), who focused his studies on mobile system security, is now an assistant professor at UMass Lowell doing research directly related to embedded security concepts that he first encountered in a MITRE Capture the Flag competition.
“I felt that I was very unfit for (that competition) because before that, I had never ever written a program in C before, and that competition basically required you to implement a full-fledged system using the C programming language… I was not comfortable with embedded security, which was the kind of security you have to implement for that specific competition,” said Narain.
He attributes his knowledge of embedded security to his participation in that competition. Narain explained, “Having that system be used by other teams, and other teams having trouble actually exploiting that system, gave me a lot of confidence.”
Across the board, participants said they would advise students curious about cybersecurity competitions to jump right in and give them a try. Most competitions require a significant time investment, but, according to MITRE co-op Erik Uhlmann, it’s worth it.
“That’s the thing with these competitions; I do them because they’re fun to me. Even if I don’t do well in the competition, if I don’t get a prize, if I don’t win – you know, most people aren’t going to win, but it’s still valuable for learning,” Uhlmann said.
They added cheerfully, “It’s still fun to just take a crack at the problems, and for the ones that you can do, it’s really satisfying to be like, ‘Hey! There’s this thing, and I hacked it!’ you know? That’s pretty cool.”
NUSec 2020 CSAW ESC team: (L to R) Cameron Kennedy, Erik Uhlmann, Dennis Giese