Cyber security has long since become a strategic priority for organizations across the globe and in all sectors. Therefore, training and hiring young potential in information security has become a crucial goal.
To raise awareness of cyber security threats and help train a generation of security-aware experts, we at NVISO organize Capture the Flag (CTF) Cyber Security Events in two countries, Belgium and Germany, and reach a broad audience.
Each year, we organize the Cyber Security Challenge Belgium and the Cyber Security Rumble Germany. After six successful editions in Belgium and two in Germany, we want to share a little information on how the events came to be, and what the main challenges are that we face.
The organization team of this year’s Challenge
The Capture the Flag events at a glance
Capture the Flag is most known as a game you used to play when you were kids. The field is divided into two camps, and the goal of your team is to steal the opponent’s flag and bring it to your own camp. Although that version of CTF is a lot of fun, the context in Cyber Security is slightly different. In a security CTF, flags can be stored on a vulnerable webserver, compiled into malicious executables, or encrypted using flawed cryptography. Teams then need to solve the various challenges using very broad skills to get the flag and score the points.
CTFs have been very popular in the information security field for a long time – the DefCon CTF has been organized since 1996! – and are a great way to learn new skillsets, hang out with friends and colleagues and generally have a great time. The rush of finally getting that flag after hours (or days) of work really gets the adrenaline flowing. 😉
CTFs are very popular as well. If you want, you can play one almost every week(end), and often multiple CTFs are even running at the same time! For an overview of all CTFs, you can take a look at ctftime.org.
Why do we organize ‘yet another CTF’?
With a CTF being organized every week, why would we want to add yet another one? Well, the goal of our CTFs is quite different than a typical CTF. Most CTFs act as a competition for experienced security professionals, where incredibly skilled hackers show off their skills and take home the prizes. When we started organizing the first CTF in Belgium in 2015, there was just one goal: Get more students into the information security community.
It’s no secret that the industry is desperately searching for more motivated people to join us, and positions often stay vacant for a long time. Universities and colleges often offer security courses, but the number of students that actually end up joining the information security sector is rather low.
With our CTF, we want to show students that:
- Hacking is fun (Who doesn’t like breaking stuff?)
- General computer skills and the right attitude can take you very far
- Even though it looks like a niche market, the cyber security field is very broad with many different aspects
As our target audience, we chose all graduating students from local colleges and universities, as they will most likely be choosing a career after graduating and it would be nice if we can push them in our direction 😎.
But this ain’t no ordinary CTF
To reach our goal, we’ve created the Challenge in Belgium. We chose a jeopardy-style CTF (as opposed to an attack/defense style) to keep the entry level low and give us the possibility to introduce a wide range of challenges to students.
A participant at the Rumble 2019 live event
While the core of both the Challenge and the Rumble is a CTF, there’s a little bit more to it to accommodate these sub goals.
The first one is probably the easiest. Each year, we contact everyone we know in the Belgian/German infosec field and ask if they want to create a challenge. By outsourcing challenge creation, we can both shine a spotlight on talented individuals and make sure that there is a very wide range of challenges to solve.
Testing social skills is quite difficult for a CTF, as contestants typically sit behind their laptop screen for the entirety of the competition, and don’t really have to interact with other contestants or the organizers. To add this aspect to our event, we came up with the concept of challenges created by our sponsors. For these challenges, the qualifying teams have to face a panel of experts where they have to solve problems interactively. We’ve had live forensics investigations, incident response role-playing, debates on the pros/cons of a cashless society, and calling up people to social engineer them into giving you valuable information.
These challenges also automatically allow students and future employers to interact, which is a double win.
Expanding to Germany
After 6 years, the Cyber Security Challenge in Belgium is reaching over 700 students from more than 30 schools and the Challenge is even used as a preselection for the Belgian team for the European Cyber Security Challenge, organized by ENISA. Due to this success and the interest of the industry, NVISO launched a sister event in Germany in 2019, called the Cyber Security Rumble. With the focus on mainly German academic students, the event was set up in cooperation with RedRocket (a famous German CTF team), the University of Bonn-Rhein-Sieg, SANS, and the German Federal Office for Information Security. The collaboration between these parties already shows that the goal remains to have the CTF driven by the community, and not by a single company.
Even though the Challenge in Belgium had been organized successfully for quite a few years, it was still a gamble to see if Germany was as receptive to the students-only concept. Luckily, the first year managed to reach 300 participants in the qualifier rounds, from which 13 teams made it into the finals.
The Challenge and Rumble in 2020
The organization of the latest edition of the Cyber Security Challenge & Rumble was, as with all other events in 2020, defined by the COVID pandemic. While we love the interaction we have with the students during each edition, it was clear that we had to move to an online-only event to make sure everyone can stay safe.
For the Challenge in Belgium, we decided to open the finals CTF to all the students that would have qualified for our computer-less CTF, and once again the top 12 teams would continue on day 2 with interactive challenges, this time in an online format. The online format took a lot more work on the day itself, as we needed to make sure everyone was joining (and leaving 😉) the correct meeting rooms. Discord allowed us to interact directly with students in case there were issues or questions, and also helped to still have a relaxed atmosphere in the general channels. The second day ended with an online prize ceremony, where all top 12 teams received their prizes, such as a trip to DefCon Las Vegas, a SANS course and much more.
The German Rumble, in turn, was a full two-day online event organized on Halloween and welcomed more than 470 active teams, both German academic teams and international teams. Because we also communicated with the participants via a Discord chat, the players could get in contact with the sponsors that created the challenges and interact with other participants about the challenges. Moreover, a scoreboard showed the progress and ranking of the teams, which boosted the pace and team spirit a little more. The Rumble was also rounded off with a prize ceremony, in which a representative of SANS announced the prizes.
Tweet from the Rumble during its online prize ceremony
The challenges we still face each year
There are various challenges and questions that pop up each year. While we don’t have a solid answer on all of them, we still want to share them, and any input in the comments is of course appreciated!
Although both the Challenge and the Rumble have grown in popularity, it’s a very large effort each time to reach all the students. We have to actively communicate with professors, schools and student unions to make sure students participate, often even visiting schools and presenting our challenge in security-focussed courses.
Keeping the competition fair for everyone
With such awesome prizes on the line, there’s always the possibility of teams collaborating, sharing solutions or flags. This is something that’s hard to prevent, although we do have various technical checks in place to detect weird behaviour. Additionally, we try to rely on the schools to do the right thing. Some schools even organize a small on-campus event during the qualifiers so that teams can be in the same room. However, through our good connections with the relevant professors, we can be sure that students are behaving and that we don’t have to fear dishonest collaboration.
A participant in this year’s online Challenge
Keeping it students only
Another issue that regularly pops up is how we define a student. For example: Can PhD students participate? Technically they are students, with a valid student card. In practice, they would have a huge advantage over other students. Similarly, what if someone who has been in the industry for many years decides to join an online course at a registered university/college? Can they join? The hardest part here is being consistent while also being fair to everyone involved…
NVISO as the common organizer
With our efforts to organize these great initiatives and thus to enhance the Cyber Security Communities in both countries, we are constantly supporting cross border activities. Both can learn from each other, are in constant communication and help to drive individual events to their success. We’re happy that both events can reach a substantial number of students and that we create interactivity between Belgium and Germany.
Come join us!
If you’re a cyber security specialist in Belgium or Germany, we’d love your help in creating challenges. It’s a great way to show your skills and connect with other challenge creators, sponsors and of course the awesome organizing team.
And of course, if you’re still a Belgian/German student, don’t hesitate and sign up for either the Challenge or Rumble and take home some of the awesome prizes. 😊
If you are not convinced yet, check out our after movies and catch a glimpse of the atmosphere of the past years:
After movie Cyber Security Challenge Belgium
After movie Cyber Security Rumble Germany
Stay tuned for the events in 2021 and for exciting and fun challenges to crack!
About the authors
This article was jointly written by:
They are all working at NVISO and are actively contributing to the organization of the events. While Annika and Jeroen are taking care of the Challenge in Belgium, Marina is part of the organization team of the Rumble in Germany.