
Cyber Security Capture The Flag (CTF) Series, Part 4: Monitoring

Updated: May 20, 2021

Welcome to Part 4 of the Cyber Security Capture the Flag (CTF) Series. So far in the series, we have discussed how to design/plan the CTF event, how to develop the event and how to implement the event (Cyber Security Capture the Flag (CTF): What Is It?, Cyber Security Capture the Flag (CTF) Series Part 1: Planning/Design, Cyber Security Capture the Flag (CTF) Series Part 2: Developing, Cyber Security Capture the Flag (CTF) Series Part 3: Implementing). This part will discuss the monitoring phase in which the admin team monitors the participants to ensure the rules are being followed.

Participants taking part in my CTF competition (for my capstone project)

In this phase, the admin team will make sure the participants are following the rules and not trying to “cheat” the system. This phase runs at the same time as the “Implementing” phase, because the admin team would not be able to monitor anything after the CTF event has taken place. Monitoring is a crucial piece of the CTF: if the admin team does not ensure the rules are being followed, one of the teams could be doing something they should not be doing and gaining an unfair advantage over the other teams. There are three types of monitoring that will be discussed: monitoring the participants, monitoring the traffic going through the system, and monitoring the scoreboard server.


During the CTF event, the admin team will need to monitor the participants to ensure they follow the rules for the entire duration of the event. One way the admins can do this is by going to each team to check on them and “ask” if they need any help. The admin team will need to make sure everyone is following the rules and not cheating. The rules will state what resources can be used, and if anyone is caught using unauthorized resources during the competition, their team may have points taken off or be completely disqualified. This also means that no one may look over a different team’s shoulder to find out the answers.


The traffic going through the system will need to be monitored to make sure nothing is going on that gives one team an advantage over the other team(s). You can use Wireshark or a different monitoring tool to ensure that teams are not trying to attack the scoreboard server or web server. The admin team will need to set alerts so that the monitoring tool notifies the team when the server(s) is/are being attacked. If any team is attacking the server, they can be disqualified from the event or given a warning (depending on the timing of the attack on the server). If the event is not over and the same team continues to attack the server, they will be removed from their machines and automatically disqualified. If the attacks are serious, the team may also end up being banned from participating in future CTFs (admin team discretion).

Wireshark Example
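The alerting step described above, as an added example that is not part of the original post: a Python pass over the scoreboard server's access log (combined log format assumed) that attributes requests to teams through a constructed IP-to-team map and flags request floods and hidden-path probing. The addresses, thresholds and sample log lines are all constructed assumptions.

```python
# Added example (not the post's code): alerting over scoreboard access logs by team.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed team assignments; the addresses are hypothetical lab values.
TEAM_BY_IP = {"10.0.1.10": "Team A", "10.0.2.10": "Team B", "10.0.3.10": "Team C"}

# Combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one combined-format line; returns None if it does not match."""
    m = LOG_RE.match(line)
    return m and {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_alerts(lines, max_per_minute=30, max_client_errors=5):
    """Return {team: [reasons]} for teams whose scoreboard traffic looks hostile."""
    per_minute = defaultdict(Counter)  # team -> requests per one-minute bucket
    client_errors = Counter()          # team -> 4xx count (guessing hidden paths)
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        team = TEAM_BY_IP.get(rec["ip"], rec["ip"])  # unknown sources keep the IP
        per_minute[team][rec["ts"].replace(second=0)] += 1
        if 400 <= rec["status"] < 500:
            client_errors[team] += 1
    alerts = defaultdict(list)
    for team, buckets in per_minute.items():
        minute, n = buckets.most_common(1)[0]
        if n > max_per_minute:
            alerts[team].append(f"{n} requests in the minute starting {minute:%H:%M}")
    for team, n in client_errors.items():
        if n >= max_client_errors:
            alerts[team].append(f"{n} 4xx responses (path probing)")
    return dict(alerts)

# Constructed sample: Team A plays normally, Team B probes hidden pages, Team C floods.
SAMPLE_LOG = (
    ['10.0.1.10 - - [20/May/2021:14:00:05 +0000] "GET /scoreboard HTTP/1.1" 200 512',
     '10.0.1.10 - - [20/May/2021:14:00:40 +0000] "POST /submit HTTP/1.1" 200 64']
    + [f'10.0.2.10 - - [20/May/2021:14:01:{s:02d} +0000] "GET /{p} HTTP/1.1" 404 0'
       for s, p in enumerate(["admin", "backup.zip", ".git/config", "flags.txt", "old/"])]
    + [f'10.0.3.10 - - [20/May/2021:14:02:{s:02d} +0000] "GET /scoreboard HTTP/1.1" 200 512'
       for s in range(35)]
)
```

Running `find_alerts(SAMPLE_LOG)` reports Team B for path probing and Team C for the request flood, while Team A produces no alert; in practice the admin team would feed the live access log in and raise the thresholds to match the real event's traffic.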

In the next, and final, section, we will wrap up with an overview of what was discussed and I will give you some resources so you can research more into implementing a CTF event. If you have any questions, please comment on this post.

