On Thursday, Nov. 23, 2017, the IBM X-Force Command Advanced Persistent Threat (APT) capture the flag (CTF) competition kicked off at the IRISSCON 2017 conference in Dublin.

Forty-eight contestants across 12 teams battled it out in a free-for-all competition that required hacking, defending and forensics skills.

What Is a CTF Competition?

A cybersecurity CTF competition is designed to highlight the strengths and weaknesses in a security team’s technical aptitude, response strategies and time management. Teams must amass as many points as possible, which can be achieved through multiple routes. Having multiple ways to score points encourages teams to organize and think carefully about where the focus of each team member should be.

The IBM X-Force CTF contest is broken down into four sections:

  1. Vulnerable servers built with publicly known vulnerabilities;
  2. Offline security puzzles (packet capture, forensics, steganography, cryptography, etc.);
  3. Fastest finger first security questions; and
  4. Controlling our hackable city, Hadley’s Hope.

Simulating an Advanced Persistent Threat

The CTF framework is designed around the idea of an APT. An APT is a network attack where the attacker’s main objective is to gain unauthorized access to a system and remain there undetected for an extended period of time. Once in the system, the threat actor can start siphoning out data or simply lie in wait, preparing for the next stage.

To simulate an APT in our CTF, participants must run the CTF’s custom-made malware to claim control of a server and begin scoring points. Once a team has control of a server, it must do everything it can to hold onto it and protect it from other competing teams.

Points are awarded for every minute a team can hold onto a server. As each team expands its botnet of vulnerable servers, it will harvest more points, pushing the team up the leaderboard.

Each server is mapped to a country, which lights up on the scoreboard when captured by a team. This allows everyone to follow the malware epidemic spread around the game globe.

Teams can also score points by completing offline security puzzles around the areas of packet capture analysis, forensics, reverse engineering and steganography. While teams work on those elements, they also need to keep an eye out for one-off security questions throughout the game, where only the first correct answer is accepted.

On the Day of the Competition

Participants arrive with their laptops, attack tools and any automation that they have developed to help them complete the challenges. Once everyone has connected to the CTF’s sandboxed network and the rules have been explained, a six-hour timer is started and the players are let loose.

Each vulnerable server is configured to report back to IBM QRadar, an event management and log aggregation tool. As players start to attack the vulnerable servers, QRadar’s dashboard begins lighting up. Brute-force attacks, privilege escalation attempts and a range of other messages highlight the player actions for anyone passing by to review.

The IBM X-Force Command team also leverages QRadar to monitor the competition for prohibited malicious activity. This is a hacking competition, after all.

Hacking Hadley’s Hope

Bringing attention to cyberattacks can be a tricky affair, especially when your audience is nontechnical. Most cyberattacks lack impact and meaning for many organizations, and even more so for the public. This is a substantial hurdle to overcome when trying to draw attention to the growing volume of cyberthreats. How do you demonstrate the potential damage of a cyberattack in a visual, tangible and memorable way? An interesting solution is to use hackable Internet of Things (IoT) devices and pair them with models created using 3-D printing technology.

Hadley’s Hope is a science fiction-themed model city with physical, hackable services that are controlled by IoT devices. When a hacker gains access to one of these services, his or her actions are made visually apparent to anyone observing the model city. When the city’s train starts moving too fast, for example, or when its perimeter fence lights are flashing seemingly at random, it is very apparent that the system has been compromised. With these visual cues, it is much easier to demonstrate the potential dangers of a cyberattack to both technical and nontechnical audiences.

On the day of the competition, many teams attempted the Hadley’s Hope challenge, with one team managing to hack in and take control of the perimeter fence and train. The successful team revealed that this was one of the most enjoyable challenges — so enjoyable, in fact, that the team wanted to continue triggering events in the city even after the game had ended.

The Value of CTF Exercises

A CTF competition challenges participants to find and exploit security vulnerabilities, solve problems and fend off network attacks while keeping an eye on the game clock. Many contestants write automation scripts on the day of the competition, either to slow opposing teams’ attempts to take control of their servers or to help them capture another server.

Team building is a big part of a CTF competition since individuals must work together as a team to succeed. Teams must communicate, divide work and assist one another to score high on the leaderboard.

The way we train the current and next generation of cybersecurity specialists will have a defining impact on the level of security we all feel when using technology. Fostering creativity and motivating your workforce can be challenging, but gamifying these efforts takes advantage of our competitive side, improving our learning, innovation and preparation.

The Next Step: Red on Blue Training

A CTF is one approach to tackling the security skills gap. Another is red on blue incident response training. During the CTF, we managed to preregister 15 groups from organizations in the industry and colleges for our new red on blue experience, which is starting in January 2018.

Groups of eight to 10 people will join us out at our Dublin campus, where they will be divided into two teams. The red team will be handed attack tools and small snippets of information about the targets that it must attack to disrupt normal service and exfiltrate mock customer data. The blue team will be given a sandboxed network with servers and web applications that it must defend from the red team.

These scenarios offer participants a chance to hone their technical skills, gain a hacker’s perspective and test team dynamics. They also give IBM an opportunity to showcase the IBM Security stack in live, configurable scenarios and generate new connections with businesses and academia. Throughout the year, we will grow and evolve the experience to incorporate more scenarios around malware, insider threats and social engineering.
