28 Jan 2022
Cyber threats may be increasing in number and getting more sophisticated, but we are staying ahead of the game! To keep ourselves equipped with the latest cybersecurity knowledge and skills, we organised the third edition of our Capture-the-Flag (CTF) competition.
Held virtually for the first time on 26 January 2022, this year’s CTF saw over 200 participants from across DSTA race against time to solve cybersecurity challenges in reverse engineering, decode metadata, and conduct penetration testing, among others. Apart from cybersecurity engineers, the competition also included participants less well versed in the domain – from procurement professionals, engineers specialising in non-cyber fields, interns, and fresh additions to the DSTA family.
The competition consisted of three different tracks, with everyone starting off with a challenge dubbed Campaign 101 - Santa’s Red Hat. It comprised a variety of tasks such as finding and decoding hidden metadata within images, and performing port scans on servers to find vulnerable services.
Depending on their scores, teams then progressed to either the Anatomy of Attack track – where they had to conduct penetration testing and exploit vulnerabilities to escalate privileges – or the Apocalypse Now track – which focused on reverse engineering a software. Points were awarded for completing objectives and doing so in the shortest amount of time.
We spoke with some of the participants to find out more…
Team The Potatoes emerged champs in the Apocalypse Now route. Team members included (clockwise from top left): Senior Engineer (Information) Kerk Kok Hui, Senior Engineer (Information) Oh Yoke Chew, and Senior Engineer (Information) Vincent Ngik. |
Tell us about your experience in the competition!
Kok Hui: We had an amazing time at the CTF. It was very fun and fulfilling to crack all the puzzles and complete the challenges. Best of all, the competition allowed us to work, bond and learn from one another – it was great to be able to improve our skills in enumeration and reverse engineering by exchanging knowledge and ideas!
What I enjoyed most was how the CTF provided a holistic learning experience for everyone, regardless of our training and level of cyber knowledge. For those less well versed, a team from Cybersecurity Programme Centre (PC) conducted a walkthrough session of Campaign 101 to make sure everyone understood and could solve the puzzles. That made the CTF a fun way to learn about cyber concepts with our colleagues.
|
Team KFZ took first place in the Anatomy of Attack route. Team members included (clockwise from top left): Principal Engineer (Robotic C3 Integration) Foong Huei Rong, Senior Engineer (C3 Development) Zhang Zhikai, and Senior Principal Engineer (Mobile C3 Solutions) Koh Ming Jin. |
Any key takeaways from the CTF?
Huei Rong: I’m not a cyber engineer by training, so I joined the CTF to learn more. It made me realised how systems with unpatched vulnerabilities can be infiltrated easily, so it really brought home the importance of incorporating cybersecurity features early when designing systems, and not as an afterthought.
Ming Jin: The CTF helped me recap and learn more about cyber tools, and reinforced the importance of performing threats analysis and risk assessments for our projects. It also emphasised the need to update third-party library versions periodically, to ensure entire systems leveraging the libraries are secure at all times.
|
Team SweetPlumPotato from Procurement PC ranked in the top 10 of the Anatomy of Attack route. Team members included (clockwise from top left): Procurement Manager Pang Chong Wei Shawn, Assistant Procurement Manager Ang Chin Sin, and Procurement Manager Khoo Chai Luan. |
Considering that all of you specialise in procurement and not cybersecurity, what prompted your team to take part in the CTF?
Chin Sin: Our curious minds! We are always looking forward to learning new skills, so we saw this as an opportunity to excel outside of our usual job scope. We also wanted the exposure – the CTF was a good opportunity for staff with no cybersecurity training to better appreciate what our colleagues in Cybersecurity PC do.
Chai Luan: It wasn’t easy, but good communication allowed us to keep progressing in the challenge. We made sure to bounce ideas off one another openly, and at the same time, celebrated every time we solved a mission to encourage ourselves. There was also definitely a lot of research and referencing.
|
A team of relatively young engineers made up Team SWaK. Team members included (clockwise from top left): Senior Engineer (Cybersecurity) Chua Wei Han, Senior Engineer (Cybersecurity) Chua Li Qun Shawn, and Senior Engineer (Cybersecurity) Tay Kai Yuan. |
What’s your favourite thing about the CTF?
Shawn: Everyone definitely went all out for the competition! It was great getting to know our colleagues better through the challenges, and also gaining a better understanding of their various areas of work and the different approaches they adopt. For instance, we saw how penetration testing in IT systems is executed, and that was immensely exciting to us as it’s out of our usual scope of work.
|
Our interns from Information PC also gave the CTF a go! They included (from left): Mun Kei Wuai, Marcus Leong, and Gan Kah Ee (not in photo). |
Before the CTF, did you know that DSTA organises such learning activities regularly?
Kei Wuai: The CTF was the first event I joined, and it really showed me how DSTA isn't all about work. DSTA looks at giving everyone fulfilling and enriching learning experiences, and we are encouraged to learn and explore new concepts, while challenging ourselves to step out of our comfort zones. I’m thrilled that I got to participate in the CTF, because it made work more interesting and enjoyable. The competition also allowed us to foster deeper ties with our friends as we worked towards a common goal.
|