By Guest Blogger Marius Corîci, ctf365.com
Before I start, I would like to thank the Metasploit team at Rapid7, and the Kali Linux team at Offensive-Security for their kindness in letting us use their logos on our platform. I'd especially like to thank hdmoore and ckirsch at Rapid7 as well as Mati Aharoni at Offensive Security. This means a lot to us.
Note: If this article is TL;DR, then I recommend you just go to CTF365.com, create an account, create a team and start playing with it.
A little bit of history before introducing CTF365
In October 2011, we started the HackaServer Project, a web security testing platform using the power of crowdsourcing. When we were building HaS we had to come up with a way to create a spin-off in case things were not moving in the direction that we anticipated. I have to mention that HaS is not open for business yet for one simple reason: we are a very small team.
A short recap
Information Security through Gamification is not a brand new concept. In fact, it is quite old, as old as the Internet: it is called CTF – Capture The Flag. The DefCon conference had one of the first CTF competitions. You can check CTF Time to see where CTFs have taken place; they are organized by CS faculties, companies or even government agencies.
The best way to learn is to learn on the job. Gamification improves skills, and provides education and training. Learning information security through gamification increases student/employee engagement, improves retention rates and speeds up the learning curve/process. At the same time, it is entertaining, challenging, community-driven and hands-on for the students and employees participating in it.
Today's CTF competitions are very diverse, going all the way to attack-and-defense scenarios where Red Teams and Blue Teams play against each other. Teams often show an unparalleled level of effort and dedication.
However, traditional CTFs have these issues:
- Short duration – CTFs typically only take between 24 hours and a few days.
- On-site – Many CTFs require you to be physically present at the venue.
- Few and far between – CTFs don't happen on a regular schedule, and they happen all over the globe.
- Not beneficial for work – Because CTFs aren't centrally organized, there are no universal scores that are meaningful to a penetration tester's hiring manager.
- Artificial – Many CTFs don't resemble a real-life network and restrict the players with plenty of rules.
So why another CTF when there are already so many?
We, the team behind CTF365, decided that it is time to change the way CTF is designed and held by bringing a brand new approach and pushing security gamification to a bigger scale: World Wide. Our goal is to create an Internet replica of a real-life network where security professionals, security students and security wannabes get continuous training on real, man-made servers and infrastructures, not intentionally vulnerable servers.
How is that possible?
We asked ourselves that, too. It looks like we've made it. Although there is a lot more to do, our IaaS is flexible enough to mimic the real world. CTF365's flexible platform allows users to connect their own infrastructure, whether it is cloud-based, private or dedicated servers. We have already proven that it is possible to have servers tested in the cloud, for example with Metasploitable on HackAServer.com. You can read this article right here on the Rapid7 Community.
Companies and organizations can set up their own CTF infrastructure within minutes, and all their users' achievements can be added to each user's general performance. This feature will engage more users at future conference CTFs.
Who is it for?
- Blue Teams, Red Teams, CERT/CSIRT – Offensive and defensive specialists can improve their training on life-like environments.
- CTOs, System Administrators – Can experiment with server configurations and see if they can be defeated.
- Security Vendors – Can test their WAFs and other software as well as hardware.
- Security Training Companies – Improve their students' retention rate on life-like environments.
- Information Security Recruiters – Security certificates are very important, but a user's performance and achievements as a security professional are a true testament of their abilities.
- Web Security organizations like OWASP – Spread awareness among web developers and DevOps.
- InfoSec Conferences – Participants really want to have fun and have their achievement count.
Where are we now?
At this moment, CTF365 is in Alpha Stage, which means it's up and running with a small number of teams (over 30 teams), and there are 11,000 registered users and 900 teams ready to play all over the world. Being in Alpha means that we're still in the development stage, and those who have access to Alpha and the future Beta can experiment and get a sneak peek at the live system.
Once we have scaled up our hardware, we'll be ready to let everyone in. During the Alpha and Beta phases, most users are security professionals from various pentesting and security training companies. As referrals for the pre-release environment, we also accept infosec professionals as well as infosec instructors/teachers. If you would like early access, just let me know.
The bottom line
“Security will never be perfect, but can be pushed to perfection.”
According to Frost & Sullivan, the global population of information security professionals will increase by 332,000 to 3.2 million by the end of the year and reach ~5 million by 2017. The Internet grows faster than the world's capacity to provide security-aware system administrators and engineers. We need to close this gap.
CTF365 aspires to build a playground to improve the training possibilities for information security professionals.