Over 1,400 registered for GovTech’s first-ever “capture-the-flag” cybersecurity competition
GovTech’s organised it’s first-ever “capture-the-flag” (CTF) cybersecurity competition (Stack the Flags 2020), with top teams walking away with a grand total of $57,000 in prize money.
STACK the flags 2020 was a huge success with more than 1,400 participants. PHOTO: UNSPLASH
Over 1,400 participants (437 teams) registered, making Stack the Flags 2020 one of the largest CTF competition in Singapore till date.
Held over a 48-hour period in early December, teams of up to four raced to tackle challenges based on real-world scenarios in 11 cybersecurity domains such as cryptography, cloud, and the Internet of Things.
The virtually held event was organised by GovTech’s Cyber Security Group (CSG) to engage the cybersecurity community as well as to spark interest in participants who are just beginning to explore the field.
How do CTF competitions work?
In the traditional outdoor game of CTF, each team has a flag planted in its base. To win, you must capture your opponent’s flag and bring it back to your own base – a concept that has been adapted widely to different contexts such as first-person shooter video games.
In the realm of cybersecurity, the flag is a digital one that can be as simple as a sequence of characters hidden in a database. Competitors will have to identify and exploit vulnerabilities in the system to get to the flag.
STACK the Flags 2020 was a Jeopardy style CTF, so named because of the similar format to the long-running TV game show. Challenges are categorised based its relevance to various cybersecurity domain and there is a varying level of difficulty among the challenges. This is to create a rich CTF experience and offer a different flavour for participants of different skills and experience. (For more on CTF cybersecurity competitions, read this introductory piece by one of our GovTech colleagues.)
All walks of life
Indeed, Stack the Flags 2020 drew both international and local participants ranging from cybersecurity professionals to students still learning about the field.
Teams were divided into three categories: Category 1: Open Category 2: Universities and Polytechnics; and Category 3: Junior Colleges, Integrated Programmes and Institutes of Technical Education
One team – a family of four – even comprised two primary school pupils aged 12 and 10! Although the team found many of the puzzles challenging, they managed to crack one just a few hours into the competition, catapulting them to sixth place at one point. “On the whole, our family had a really enjoyable time,” said Rachel, the mother in the team. She added that, more than a month on, her children were still “laughing and reminiscing about the experience”.
A Close Call It was a close race that got only tighter towards the end. From the get-go, the top 10 teams in each category were constantly swapping ranks and in the final 12 hours, the top three were jockeying for pole position till the very last moment.
The Final Scoreboard
Figure 1. CAT 1. OPEN. PHOTO: GOVTECH
Figure 2. CAT 2. Universities & Polytechnics PHOTO: GOVTECH
Junior Colleges & Integrated Programmes and Institute of Technical Education. PHOTO: GOVTECH
It was also heartening to see that the fierce rivalry was within the confines of the competition. Participants across teams grew closer as time went by, chatting about their hobbies and other casual topics in the event’s Discord channel.
Most Popular Challenge Domain
Open Source Intelligence was voted the “Most Liked” challenge domain, with 37.64% of the corresponding teams (across all three participation categories) voting for it. Challenges in this category required participants to piece together publicly available information, such as unearthing the social media accounts and other digital trails of the target to gather his/her whereabouts.
Let’s take a deep dive at the breakdown of the “Most Liked” challenge domains across the 3 participation categories.
The percentage represents the number of teams within the participation category that voted for that particular domain. PHOTO: GOVTECH
While the open category was won by a group made up of mostly cyber security professionals, they were closely followed by the runner-ups – three students and one full-time national serviceman. Named Chicken RCE, the group was initially placed in Category 2 (Universities and Polytechnics) but requested to be in the open category as they wanted to challenge themselves and pit their skills against non-students.
“We were definitely humbled by the amazing efforts put up by other teams. There were many challenges we struggled with but saw other teams breeze through them early into the competition,” said the team. “In our efforts to strategise for this CTF, we experimented with various team collaboration strategies and workflows, and we believe we’ve left this CTF better equipped to collaborate on larger challenges in future.”
The cybersecurity expertise of Singaporean students was also showcased as participants in category 2 and 3 performed as well as those in category 1. This is testament to Singapore’s investment to develop cybersecurity talent and a spur to continue nurturing future generations for an evolving cyber security landscape.
Category 3 winner Mitsuha, a team comprising students from the Infocomm and Robotics Society in Hwa Chong Institution, said the competition exposed them to various aspects of cyber security they had not encountered before.
“Although we did not know how to approach certain challenges, we utilised alternative methods to try and solve the challenges. In addition, we also learnt the need to learn the concept being tested on the spot so as to understand how to approach the challenge,” the team said.
See you at the next edition
CSG had a great time hosting the competition. Even though members of the Organising Committee had to rotate through 12-hour shifts over the weekend, they had fun answering enquiries from participants and kept its spirits up through a constant supply of snacks and meals provided by the CSG leaders.
With the success of the very first STACK the Flags, GovTech plans to host the next iteration sometime in 2022. It’s never too early to start training for the next STACK the Flags!
Till then, #hackyeahhttps://www.tech.gov.sg/media/technews/capture-the-flag-competition