Putting together the Athcon 2012 CTF - Part I

Like we promised on the previous post, here is the first part about how Athcon 2012 CTF was designed and implemented, what the contestants had to deal with and how we made the visuals you saw there.

Having been at the 2011 Athcon CTF one thing was clear, the people surrounding the contest were eager to take a look, see how and what is being going on.

On the other side, the contestants of the CTF were so crowded (people standing all around them) that made it really hard for them to concentrate.

So here is our take, on the Athcon CTF 2012.

This made clear certain key elements that we had to keep in mind during the design:

  • We need a story line, in order to get everyone involved, to get intrigued (admins far away from their work office discover their network is attacked by a fleet of skillful hackers and the game is on...)
  • The entire setup has to be realistic. Real network with real software (mail, pbx, web, db servers).
  • The CTF has to be based on up to date software (When was the last time you saw vulnerable mountd running on a linux 2.4.7?)
  • We have to keep as far away from riddles (these require time and the ability concentrate, something very difficult on a room packed with 50+ people)
  • We need a scoring system. Automatically detect when hackers discover key elements of the network.
  • Allow multiple paths for people to achieve high score. There should be no single solution.
  • We need to allow "non-hackers" to participate and have a chance at winning a prize
  • It should promote innovation rather than running already packet automated tools. (nikto, nessus, nmap etc were the first things that admins detected during the game)
  • We need to be able to provide a real time view of the contest (scores, packets)
  • Provide a nice visualization to keep by-standers entertained (real time network representation through gource and logstalgia)
  • ...and the most important aspect of any type of game It should be fun to play and watch

Story line

The first thing we needed was a catchy scenario to get everyone involved, keep them interested and help set certain rules about the game (eg if you are administrator you cannot perform scans).

The story line was different for each type of participant. The administrators part read something like this.
You work for a famous security house, AcmeSec LLC, as a member of an overworked but dedicated team of administrators that maintain and monitor the systems on a daily basis. You regularly have access to a variety of systems ranging from corporate web, mail and telephony servers to intrusion detection systems and test servers at your disposal, however, there is a catch…

At this moment you are far away from your workplace accompanied by your colleagues (attending a security conference - perhaps AthCon ?!?!), when all hell breaks loose. A massive wave of skillful hackers attacks AcmeSec's corporate networks, while you are unable to deal directly with the attacks. Your best friend in this war is the abuse department of your IP provider (CTF Committee) in conjunction with emergency security tools that you have in place.

On the other hand the hackers had something like this...

Your target is a large security house, AcmeSec LLC. You have been approached by AcmeSec to try and hack their network. However, the admins of AcmeSec have not been notified. This means that although you have the paper work that proves you work on the clear, you will get blocked by the admins. Oh and something else, you are not on your own here, AcmeSec has approached other top researchers for this post also, this is not just a challenge, its a competition…

With this in place we are now almost three months away from the official Athcon 2012 opening day... and this sets the start for our three month marathon to deliver what we said... the Athcon 2012 CTF.

Stay tuned for Part II which will include details about the network infrastructure.