Bloodsport: Using Games and CTFs to Improve your Industry Skills
Participating in virtual and IRL challenges is a tremendous way to improve your Security and OSINT skills. I have gathered a few games that I find useful and I hope that my list will inspire you similarly. This is by no means an exhaustive list and I implore you to search on Google or locally for conferences to find even more.
CTFs/Hacking Games
Capture the Flag events are generally hosted virtually or at conferences and can come in several different formats (Red Team/Blue Team, Red Team) and cater to all skill levels. Working as an individual or with a team, players attempt to solve a timed series of challenges to earn a “flag” that is then translated to points. In the end, the points are totaled and a winner is announced based on the highest score. There are a wide variety of skills used when participating in CTFs such as critical thinking/problem solving, programming, OSINT, exploitation, reverse engineering, and cryptography to name a few.
I would like to stress to all people new to the field who may feel intimidated by CTFs — all skill levels can and should participate! If a newbie signs up for a CTF with zero experience and a will to learn, they will 100% come out the other side with new skills. Here are a few curated suggestions to get you started in the world of CTF:
Trace Labs CTF
The Trace Labs CTFs are a fantastic place for a new player to start because they rely almost entirely on a player’s ability to perform online searches and no prior skills are necessary! Using open-source intelligence, players attempt to find information on real missing people to help find them and bring them home.
National Cyber League
NCL is a CTF specifically for High School and College students and the challenges are based on CompTIA Sec+ and EC-Council's CEH certificates. This CTF runs in both spring and fall seasons and the challenges are made up of Open Source Intelligence, Scanning, Enumeration and Exploitation, Password Cracking, Traffic Analysis, Log Analysis, Wireless Security, Cryptography, and Web Application Security. As a bonus, at the end of this CTF you get a certificate which you can then use as a talking point along with your resume when applying for jobs.
HacktheBox
HacktheBox is less CTF and more PenTesting Lab with CTF type challenges that allow you to collaborate and exchange ideas with other members. Sign-up is free but players will need to hack the page to get the signup code. This site is excellent for entry-level PenTesters to learn basic to advanced skills.
HackThisSite
HackThisSite is a hacker war game site that offers the player several challenges that, when unlocked, lead to another page/challenge on the site. HTS offers a free and legal way to practice hacking skills while also engaging with the community to learn or work through challenges. I really enjoy this site for quick, fun challenges when I am looking to mix things up a bit from a standard CTF.
Root.me
This site offers 300+ different challenges and realistic learning environments to train on. The final objective for players of Root.me is to compromise <root> the host. Root.me also provides a learning path for beginners to help them work through the site in a way that builds on skills learned in the previous challenge.
CTF365 (Offensive)
CTF365 is a security training platform focusing on security, system administrators, and web developers. These challenges are more offensive (blue team) in nature and it simulates what would happen in the real world when servers and networks are under attack.
GEOINT Quizzes
If you are a lover of OSINT like myself, I highly suggest checking out free Geospatial-Intelligence (GEOINT) quizzes available online. Not only are these quizzes a great learning tool but they are incredibly fun and challenging!
QuizTime on Twitter
The daily QuizTime is posted in the form of a photo, sound, video, etc. and challenges players to figure out and verify where or what it is. As with Trace Labs, no special skills are required, just the ability to search online, curiosity, and willingness to follow a lead down a rabbit hole.
GeoGuessr
In this game, the player gets dropped in a random location on Google Maps and has to click through street view to try to figure out where they are. No advanced skills required here! Just click around until you see a clue and then search for an answer. The points per location depend on how close your guess is.
Bug Bounties
I don’t consider Bug Bounties to be a game per se but I felt it necessary to mention their existence so that people new to the field could research further. Bug bounties are (sometimes large) monetary rewards for finding vulnerabilities in important internet software.
HackerOne
HackerOne is a very popular bug bounty platform and they offer several things that would be of interest to someone new to the field. Hacker101 is a collection of videos and resources designed to train beginner to intermediate hacking skills. Hacker101 also provides a Capture the Flag to help players learn in a realistic environment.
Final Thoughts
Using a game as a learning tool is a fun way to enhance industry skills without it feeling so much like work. Tip: When playing any of the above games, if you run into something that you don’t understand or can’t get past, use that as a study tool and motivation for further research.
Be sure to search for events local to you such as BSides that often host CTFs for a very low entry fee! Not all CTFs are expensive and the community will welcome you with open arms. Just start by starting. There is no special amount of skills needed to play any of these games and there is no better time than now to start building up the skills that will translate to real-world success.