The most common contest categories we encounter are:
Jeopardy, Attack – Defense, King of the Hill, Linear, Mixed.
In a Jeopardy contest, the participants are individuals or teams who are called upon to solve a series of challenges, usually spread across different categories so as to cover as much of the Information Security field as possible, within a timeframe that may or may not be limited.
Some examples of categories are Cryptography, Steganography, Binary Exploitation, Web Exploitation, Forensics, Reverse Engineering, Programming, Packet Analysis, Miscellaneous. Each category also has a difficulty rating so that the contest is suitable for participants with different backgrounds. In addition, Jeopardy contests give participants the opportunity to focus on challenges of their choice, in the fields they are more familiar with or find more entertaining.
As soon as a player or team solves a challenge, they submit the flag to a scoreboard provided by the organizers and earn the corresponding points for solving it.
The winner is the one who accrues the most points.
Contests of this type are the most common, as they have a low degree of complexity and require less preparation and configuration than other types.
They also require simpler software and hardware infrastructure, can be monitored and scored more easily, and allow a large number of groups or individuals to participate.
Examples of such CTFs are the qualifying rounds of the well-known DEFCON CTF as well as the NYU Polytechnic Institute's Cyber Security Awareness (CSAW).
In an Attack – Defense scenario, players are divided into groups. The organizers give each team one or more servers with weaknesses and hidden flags.
The team’s primary responsibility is to take on a defensive role, also known as blue teaming.
Its role is to defend its systems effectively and to identify and patch their weaknesses in time, in order to repel the attacks of opposing groups that aim to obtain the flags.
The team is not allowed to shut attacks out wholesale, for example by using a firewall to block all incoming connections. Instead, it is expected to filter the traffic to its systems, detect malicious connections, and prevent attacks. Besides the protection of flags, an important factor in the scoring of these competitions is the availability of the services and systems that need to be protected.
It is customary for automated procedures to check, at regular intervals, the availability and proper operation of each group's services.
The team also has an offensive role, known as red teaming: attacking the systems of rival teams in order to compromise their servers and capture the flags.
This type of contest is more demanding for the organizers. It has greater complexity than Jeopardy, higher infrastructure requirements, more difficult configuration and more complex assessment, which is why such contests are usually organized locally rather than online.
They also limit the number of groups that can participate, which does not exceed a few dozen. Finally, Attack – Defense contests are quite demanding for the participants, as there is considerable time pressure and there are many prerequisites to meet. The most famous contest of this type is DEFCON CTF.
King of The Hill
In the King of the Hill category there are multiple vulnerable servers ready to be exploited that do not belong to any group. Teams also do not have their own servers to defend, as they do in Attack – Defense scenarios.
The teams are called upon to break into the vulnerable servers, and the first team to do so is rewarded with the initial conquest points for taking the server. They are then asked to defend this server from rival teams by patching the vulnerabilities. The team that manages to break into the server and then maintain access to it is rewarded with the most points.
In such competitions, there are mechanisms called scoring bots, which are simple programs that check at a specific time interval which team controls each server. They then reward the team that maintains access to that server at that specific time.
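The scoring rule described above (a one-off reward for the first team to take a server, then points at every periodic check for whoever holds it), as an added example that is not part of the original article. The point values, server and team names, and the `probe` callable are assumptions; the timeline is constructed sample data.

```python
# King of the Hill scoring bot sketch (added example, not from the article).
# Point values, names and the probe() interface are hypothetical.
from collections import defaultdict

CAPTURE_POINTS = 50   # assumed one-off reward for the first team to take a server
HOLD_POINTS = 10      # assumed reward per check for the team holding a server


def run_scoring_bot(servers, teams, probe, ticks):
    """Poll every server once per tick and return {team: points}.

    probe(server, tick) returns the name of the controlling team, or None
    when nobody holds the server or the check failed.
    """
    scores = defaultdict(int)
    first_capture_done = set()
    for tick in range(ticks):
        for server in servers:
            owner = probe(server, tick)
            if owner not in teams:
                continue  # unowned, unreachable, or an unknown marker: no points
            if server not in first_capture_done:
                scores[owner] += CAPTURE_POINTS
                first_capture_done.add(server)
            scores[owner] += HOLD_POINTS
    return dict(scores)


# Constructed timeline: who controls each server at each check.
TIMELINE = {
    "srv-a": [None, "red", "red", "blue", "blue", "blue"],
    "srv-b": [None, None, "blue", "blue", "green?", "red"],
}


def timeline_probe(server, tick):
    """Stand-in for a real ownership check; reads the constructed timeline."""
    return TIMELINE[server][tick]


def demo():
    return run_scoring_bot(TIMELINE, {"red", "blue"}, timeline_probe, ticks=6)


if __name__ == "__main__":
    print(demo())
```

A marker that does not match a registered team (the `"green?"` entry) earns nothing, so a garbled or spoofed ownership value cannot be credited to anyone.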
King of the Hill competitions usually have “blackbox” challenges where participants have no knowledge or information about the system that they are trying to break and then defend.
Linear contests, a not-so-common type of contest, are based on challenges that need to be solved in a linear order. Typically, the challenges are narrative and present a story, with multiple challenges that must be solved in a specific order. Linear contests may remind you of the treasure hunt game we used to play when we were kids, where the participants solved multiple puzzles, each leading to the next and ending at the treasure.
Such competitions are usually organized by companies looking for competent employees who wish to prove their abilities. A set of challenges, as a form of evaluation test, only needs to be designed once but remains effective for evaluating hundreds of participants as to whether their skills are sufficient to be recruited by the company concerned. Additionally, because participants can only deal with one challenge at a time, as opposed to Jeopardy-type contests for example, they are more suited to individual entries than to groups. Cicada 3301 is the perfect example. Google it; it has an awesome story behind it.
The Mixed category may include features from Jeopardy and Attack – Defense competitions, where participants are asked to solve a set of predefined challenges from the organizers while at the same time taking on an offensive and a defensive role against opposing teams.