Cybersecurity competition challenges next generation of security experts

Every year, the gladiators of hacking meet to sharpen their skills and compete in the world’s most elite digital coliseum — DEF CON.

A pillar of the cybersecurity industry, DEF CON is one of the world’s largest hacking conventions, with its first event taking place in 1993. It offers hands-on hacking opportunities, workshops and presentations from government, industry and education experts in the field. Attendees included those interested in protecting software computer architecture, digital infrastructure and anything vulnerable to hacking.

Since 2018, faculty, students and staff with the ASU Global Security Initiative’s Center for Cybersecurity and Digital Forensics (CFT) have organized DEF CON’s signature event, the Capture the Flag competition, which has multiple security challenges that competitors must identify and resolve. Hundreds of teams from all over the world compete each year to make the final round, with 16 teams emerging as finalists.

“Our goal is to identify the best hackers on the planet. We designed this competition to demonstrate just that,” says Adam Doupé, director of the Center for Cybersecurity and Digital Forensics and associate professor in ASU’s School of Computing and Augmented Intelligence.

Through the Capture the Flag event, Arizona State University has helped thousands of people develop an adversarial mindset — an understanding of how an adversary thinks, what information is valuable to them and what sort of tactics they may deploy. This knowledge is crucial in today’s world where cybersecurity professionals need to identify vulnerabilities before bad actors do.

With so much of our lives taking place online, cybersecurity is everyone’s concern."

– Sally C. Morton, executive vice president of Knowledge Enterprise at ASU

DEFCON poster

DEF CON’s Capture the Flag is an example of putting ASU’s mission of creating social impact and helping learners build the knowledge and skills needed to thrive in today’s workforce into practice.

“The university has a huge appetite for real impact, and one challenge we face in academia is showing that ideas being explored are relevant — DEF CON allows us to do that,” said Yan Shoshitaishvili, CFT researcher and assistant professor at the School of Computing and Augmented Intelligence. “ASU is the top university to attend for cybersecurity. The people in charge of the ‘Olympics of hacking’ are also professors you can learn from.”   

This year’s DEF CON, which was held in Las Vegas on Aug. 5–8,  concludes ASU's hosting of the Capture the Flag competition, as organization of the event rotates every few years. In 2020, the team pivoted to a fully virtual environment due to COVID-19. This year, the event became half remote, half in person.

“The team persevered, and I am proud to call this our last year hosting DEF CON CTF,” Doupé said.

As the United States continues to see threats to the nation's security and infrastructure, ASU professors have found that this competition brings to light just how much impact education and research can provide.

“With so much of our lives taking place online, cybersecurity is everyone’s concern. By organizing one of the world’s premier cybersecurity competitions, the university’s Global Security Initiative demonstrates the importance ASU puts on solving problems that affect everyone, all while training the next generation of security experts," said Sally C. Morton, executive vice president of Knowledge Enterprise at ASU.

Doupé said, “We try to translate academic research into practical application, which is where we’ve seen some of the best ideas and techniques disseminate. It’s very difficult to apply a theoretical concept from an academic paper until you’ve actually done it.”

One distinctive characteristic of the Capture the Flag competition is that despite the high caliber of competitors, anyone can try these hands-on challenges. The game’s architects are dedicated to the philosophy of applying theory to everyday situations and providing these kinds of advanced skill-building opportunities to anyone who is interested. To accomplish this, they have uploaded challenges used in the tournament to archive.ooo for easy access.

“When we look back at the history of DEF CON CTF, the same techniques and challenges we do now will be standardized five to 10 years from now for anyone in cybersecurity,” Doupé said.

Student competing in Capture the Flag, DEF CON 29

A Capture the Flag participant. Photo from hackerphotos.com

Organizers are embedded within ASU’s network of cyber educators, and the Global Security Institute team tailored competitions from their own areas of expertise. Over the four years of the institute's involvement, 3,229 teams from around the world competed in the Capture the Flag qualifying and finals, logging 276 hours of active game time. ASU faculty, staff, graduate students and external collaborators created 176 custom challenges.

Zion Basque, an ASU student pursuing a PhD in computer science with a focus on cybersecurity who competed at DEF CON29, aims to be the best of the best hackers while making the world a better place with his technical skills.

"The competition really puts your field into perspective. Engaging with and against world-class hackers makes you understand just how much this field has to offer,” Basque said. “As a PhD student, publishing papers is not enough. I believe good security should be applied to real-world situations. I am inspired by everything at DEF CON, helping the community and working hard toward my dreams.”

The Global Security Institute will continue to stay connected to the Capture the Flag community by inspiring DEF CON collaborators and competitors.

“We wanted our last year to be exceptional — pulling out all the stops on the novelty and scale of our challenges,” Shoshitaishvili said. “I am passionate about what DEF CON represents: an opportunity for aspiring hackers to find resources and inspiration.”

Shoshitaishvili and Doupé host a podcast exclusively focused on CTF competitions called CTF Radio.

The development of technical skills and applied, accessible knowledge is central to DEF CON and Capture the Flag. GSI is committed to increasing cybersecurity literacy for all learners, and DEF CON Capture the Flag has been a key pillar of these efforts.

“The best thing about DEF CON CTF is that it brings people together,” says Debbie Kyle, CDF project manager. “As the realm of cybersecurity continues to evolve, players will continue to rise to that challenge, and that’s exactly where CDF wants to be – right in the middle of the action.”

Top photo: The Capture the Flag team at DEF CON 29.

Oliver Dean
odean1@asu.edu