CTF365 turns Information Security into an Epic Battle through Training Gamification


I receive tons of emails from around the world regarding gamification, asking me for feedback or sharing their stories. I read all of them and many of them are interesting, but because of my 24/7 limited time and full agenda (between my clients, my video show, writing my own content, and writing my book, along with a few startup projects) I’m forced to dig deep into only a few projects. A few days ago, I received an email from Marius Corici, CEO and Co-founder of the CTF365 startup project, asking me to take a look at what he’s working on. That really caught my attention and I started to do a little research.

We live in a digital, connected world, and security is one of the most important issues that today’s world is confronted with. According to Scientific American’s blog, last year there were 20 threats per second worldwide, which translates into over 1.7 million threats per day. Don’t believe me? Google “hacked”.

The Gamification Challenge

Security training is generally dull and boring, but essential.

When it comes to learning information security, there are a few ways people go about it: through CS faculties (basics), security training companies (dull) or self-teaching – Google, forums, blogs (monotonous).

However, somebody has to do it because it is essential.

Frost & Sullivan predicts global employment of information security professionals to increase by 332,000, ending 2013 at 3.2 million and reaching ~5 million by 2017. The 5 million we are talking about are those who get a worldwide-recognized security certificate. Besides them, there are around 25 million users who regularly check into security, hacking and system administrator forums.

The Gamification Solution

What if we could have a method of security training that is not dull and boring – a method that would be fun, entertaining, challenging and community driven?

We all know the best way to learn is to learn through application, and that’s where gamification excels, with great results in education and training. Learning information security through gamification would increase student/employee engagement, improve retention rate and speed up the learning curve/process.

I recently wrote a post about the Top 10 Education Gamification Examples that Will Change Our Future. Feel free to take a look.

CTF = Capture the Flag Gamification

Information Security through Gamification is not a brand new concept. In fact, it’s been around for a while, since the internet started. It is called CTF – Capture The Flag. The DefCon conference has one of the first CTF competitions and you can even check CTF Time to see where a CTF (within the information security industry) will take place. If you dig into CTFs, you’ll find CTFs organized by CS faculties, companies or even government agencies.

However, there are a few problems that many CTF competitions have:

• They Don’t Last – Nowadays CTFs last between 24 hours and 3 days only.
• Most have Geographical Limitations – Oftentimes you have to be physically in that room/building.
• They are Scattered – They happen all over the world, but they are scattered and short, which means almost all of them are small too.
• They Don’t Count – Because of the problems described above, HR departments don’t concern themselves too much with high achievers in these games.

That’s why the team behind CTF365 decided that it is time to change the way Capture the Flag is designed and held by bringing a brand new approach to push security gamification to a bigger scale:

Game Design of CTF365

Team-Based

The game is team-based, which means it will improve and strengthen communication skills as teams are forced to work together under pressure, developing critical attributes of any enterprise security team, especially for those like Red Teams, CERT, CSIRT etc.

Teams are from all around the world

There are over 8500 registered users and more than 590 teams waiting for launch.

Basically they’ve built an internet within The Internet. A place where security professionals, security students and security wannabes, system administrators and programmers can play and get continuous training in information security.

How does CTF365 work?

CTF365 is a real-life game where “Players” build their own Fortress/VPS (virtual private server) and defend it while attacking other servers. It’s what happens in real life when your server or computer networks are under attack by hackers.

Below are some questions I asked Marius:

Define CTF365 in one sentence.

“World of Warcraft for Hackers.” As a “Player”, the awesome magic moves and fighting techniques will be represented by your ability to write crazy powerful scripts to hack.

How did CTF365 get your initial 8500 registered users before launch?

We do the usual strategies when your marketing budget is close to none:

• Word of Mouth – Very powerful tool. This got us to hit the top on Hacker News and we got over 12,500 unique visits in one day and over 1000 registered users.

• Referral campaigns – Bring 5, 10, or 15 Players and get access to the Private Alpha, Private Beta, as well as premium accounts for testing.

• Strategic partnerships – Free access for not-for-profit Information Security Conferences. This helped us to get featured on The Hacker News.

Why do you think CTF365 will catch your target Players’ attention?

I’m not an expert in gamification but looking at your Octalysis Framework I can tell that at the beginning, CTF365 will have 4 Core Drives out of 8:

Epic Meaning & Calling – Learning, Training and Improving Security Skills. As a “Player”, playing CTF365 is like a haven for everyone interested in information security, starting from security professionals and security wannabes, all the way up to system administrators and developers. They can do and test things that are forbidden, like attacking and hacking everyone else’s system without worries about legality.

Ownership & Possession – They can build their bases from scratch, own virtual goods (e.g. servers, routers, etc.), speed up the learning curve and improve retention rate.

Empowerment of Creativity & Feedback – Using different techniques they’ll be able to unlock certain milestones while having real-time control over their servers and receiving instant feedback.

Accomplishment Core – Nothing would make them happier than being in the “Hall of Fame” leaderboard, winning prizes while collecting points and badges for their real skills.

What’s your ambition with the CTF365 project?

There are three goals that we want to achieve:

  1. We want CTF365 to become a prerequisite for the InfoSec industry. A security professional certificate is important, but more important is what you really can do hands-on.
  2. Become the World of Warcraft for the ITC industry. Using specific hacking tools is one thing, writing powerful scripts as a programmer is even cooler. Programmers can team up with ethical hackers to boost their teams.
  3. LinkedIn on steroids for HR departments when hiring security professionals.


7 thoughts on “CTF365 turns Information Security into an Epic Battle through Training Gamification”

  1. 00101101100110101101110001110111000110101011 – ingenious hacking code I just invented. What was it someone said about the chances of a monkey writing the works of Shakespeare randomly? Well, I think the monkey’s odds are better than mine. ;-P

  2. I wonder how a firm can use that for the real issue, their own security as it exists today. Sure, a new security system, “structure” may prove solid like entangled electrons, but what about current threats?
    Guess this fits the specific issue of training security IT types in non-specific systems.
    Hmm, wonder if they would consider addressing the social aspects of security hacking? E.g. Training people to mess with company staff to get illegitimate access & of course to prevent that. Look at the various types of IT garbage tossed with old computers or even hard copy documents.

  3. Brilliant concept, very logical in hindsight, but a real stroke of genius to apply it to the digital security community. It’s the thin end of the wedge.
