Capture the Flag – An experiential yet collaborative learning approach
When you think of security, data protection, data privacy or compliance trainings and e-learnings, what is the first thought that comes to your mind?
“Wow, I look forward to participating in this challenging yet interesting e-learning with 13 videos and 37 slides which I have to finish this week.”
I bet you know this kind of training. You do it for several reasons. Because you have to be compliant. Because your team has to be compliant. Because it is mandatory. Because the notifications will annoy you day by day until you finish it. Because it is important? Because it is interesting? Because it is … challenging?
Trainings are important, especially the trainings I mentioned above. These trainings are not only important for the company you work for, but also for you as an employee. Completing the trainings might be boring, it might be tedious, it might be annoying, it might be … motivating?
Take a step back and think about all the trainings you already have participated in so far and try to remember where you have learned the most.
“I learned a lot whenever I had to absorb the knowledge to be successful in a hands-on task.”
I often hear this when I talk to friends, to colleagues, to customers; and it is the same for me. I learn the most when I have to get my hands dirty.
In 2015 a small team of Security Experts began implementing a new way of security education, Capture The Flag. In 2016, SAP’s CTF premiered during our Cyber Security Awareness Month and instantly became a great success. But what the heck is a CTF?
Capture The Flag has different meanings. It is an outdoor game where two teams compete against each other, a computer game for MS-DOS, and a game mode for computer games, but in cyber security it is a special form of competition with different kinds of challenges. In case you want to learn more about it, I highly recommend “CTF? WTF?” from CTFtime.org.
Of course, we did not invent the concept of CTFs or the idea of using gamification to enhance learning experiences and results. Due to SAP’s heterogeneous employee structure, it was fundamental to develop our own approach to doing CTFs.
We need to address every single employee and skillset in SAP: sales colleagues, colleagues from facility management, marketing, our service and support organization, as well as developers and security experts. Thus, our CTF Approach was born:
Our approach is based on one central Platform, enriched with hundreds of Challenges with different difficulty levels and driven by a bunch of CTF Mentors guiding participants through the challenges.
To provide you with a more comprehensive insight into our CTF, I will explain the three pillars in a few words.
Our central CTF platform is a self-developed experiential learning platform with a competitive yet collaborative experience based on web technologies which enables us to bring all our colleagues and/or external participants to this central place to be part of our CTFs.
With its 2D or 3D background it enables us to provide multiple, exchangeable storylines with a seamless integration of our challenges. Participants are able to modify their profile, put an avatar in place, read about the mission, compare each other via the dashboard, follow an activity stream or even team up to rule the CTF collaboratively.
The storylines are an important part of our CTF approach to keep our participants eager to play it every year. Of course, our CTF platform is deployed on SAP Cloud Infrastructure. Below you can find a preview of one of our previous CTFs:
Keeping our participants busy and keen to proceed is not only ensured by an interesting and attractive 2D or 3D environment or a well-made storyline; it is also necessary to have interesting, demanding challenges. Our platform enables us not only to change the background environment and storyline when needed, but also to select or deselect challenges.
All challenges are categorized in three profiles (= difficulties):
- Challenges for everyone, no technical knowledge or development skills needed. All these challenges can be solved with the help of search engines and without any previous cyber security knowledge. No experience in playing CTFs needed.
- Challenges for participants with a deeper technical knowledge and development skills. All these challenges can be solved without any prior knowledge of cyber security. No experience in playing CTFs needed.
- Challenges for participants with experience in cyber security. Experience in playing CTFs is an advantage.
What do you think is the most important thing in playing CTFs in such a heterogeneous environment? It is not the well-designed platform with an awesome storyline, nor the challenge itself or the prizes (if there are some). My experience is that it is key to keep the barrier to enter the CTF as low as possible and the frustration level in an adequate range for every participant. But how to achieve it? We at SAP introduced the CTF Mentors: a bunch of experienced CTFers, Security Experts, Nerds and Enthusiasts.
Managing participants’ frustration level while guiding them through challenges is not their only task; they also create and test the challenges before we run them. This means that every challenge available in our CTF is a challenge coming from our community for our community, tested by our community: a fully collaborative approach, as everywhere in our CTF.
“Why is this worth 900 words so far?”
We were searching for a way to increase our employees’ security awareness and knowledge with an easily scalable methodology without the negative aspects of e-learnings or gamified e-learnings. Gamification is a nice way to make e-learnings more attractive but still has its limitations.
We took an already existing and well-known concept of playing CTFs and upgraded it to a well-scaling, experiential yet collaborative and highly customizable learning platform for everybody. While our participants are playing the CTF to learn and grow, we are able to identify talents, hire new Mentors and grow our security community.
“Embed security into the DNA of every employee.”
This is what our Chief Security Officer Justin Somaini pointed out in one of his interviews, at the beginning of 2018, to fight cybercrime’s $6 trillion price tag. And this is exactly what we are doing with CTF: Increasing the hacker mindset and embedding security into the DNA of every employee in SAP.
To prove that our approach is working even with complete newcomers and early talents, we brought it, together with our colleagues from SAP Next-Gen, to talKIT this year, the biggest technology forum organized by students in the German-speaking area, where we played our CTF over several hours with lots of students in multiple teams. Surprisingly and unexpectedly, the winning team, students of economics, scored just a few points apart and won the CTF.
We are continuously adding new functionalities to the Platform and creating new Challenges for upcoming events like the Cyber Security Month in October or some of our big SAP Events, SAP TechEd 2018 Las Vegas and SAP TechEd 2018 Barcelona, where we bring our CTF to its participants, sharing our security mindset as well as the CTF approach.
With this, I want to conclude my overview of our vision of an attractive, empowering and experiential way of security education. I hope you enjoyed reading it as much as I enjoyed writing about it.
PS: Never forget to Try Harder!