The team 4n0M4IY of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute” won the first student competition in cyber security UA30CTF, which was held by the State Service for Special Communications and Information Protection of Ukraine at the end of February. Moreover, the third place was taken by the Silent Sparrow team, which, in addition to representatives of Vadym Hetman Kyiv National Economic University, also included students of the Igor Sikorsky Kyiv Polytechnic Institute. In addition, another team of the Igor Sikorsky Kyiv Polytechnic Institute took fourth place! The tournament was organized with the support of the EU4DigitalUA project funded by the EU, and 156 students of 3-6 years from 22 institutions of higher education of Ukraine took part in the competition.
The competition took place in the format of the #Jeopardy CTF game. During six hours, the teams solved 25 problems both on logic and on finding and exploiting vulnerabilities with a combination of solving interesting logical problems.
"For our team, most of the tasks did not seem too difficult," Dmytro Moroz, the captain of the winning team, a first-year master student of the Educational and Research Institute of Physics and Technology, told "Kyiv Polytechnic"."
It would seem that all this is certainly pleasant, but why did IT specialists and media representatives pay so much attention to this tournament? Just the games of students who are fascinated by modern technologies. But in reality, everything is much more serious. Because some adult games are in fact tools for acquiring and improving their professional skills. Nowadays, examples are not far to seek - everyone has probably heard of command-post exercises, when the strategy and tactics of military units and formations are worked out. The games of cyber security professionals when they gain experience of fighting in virtual space are less well-known. But it is no less important to be able to win the battles of cyber warfare, because in today's conditions, even one successful enemy network attack can plunge critical infrastructure objects and entire industries into chaos, weaken the capabilities of combat management during hostilities, and cause a lot of other damage. It is not for nothing that the Computer Emergency Response Team of Ukraine recorded 2,194 cyber incidents and an even greater number of cyber attacks from the russian federation last year, according to the State Service for Special Communications and Information. Therefore, in such games, players not only practice information security skills, but also hone active security skills.
The members of the 4n0M4lY team, according to their coach, Mykola Ilin, lecturer of the Educational and Research Institute of Physics and Technology, are students of 3-5 years of the FTI who are also members of the dcua-school information security club created at the institute. Polytechnicians who performed as part of other teams also attend or previously attended this club. By the way, students of any faculties of the university can participate in its work, given the will. It is on the basis of this club that preparations are made for information security competitions (CTF).
What is CTF? This is an abbreviation of the English phrase Capture The Flag - the general name of a group of combat cybergames. This name reflects the essence of virtual battles: in a controlled environment, participants must find vulnerabilities that will help them hack into a certain information system or resource. The trophy of honour for the winning team is the enemy "flag" - in fact, a certain secret free format character string.
By the way, the coach’s name has already been familiar to our readers: "KP" wrote about him in 2016, when the team of White hat hackers dcua, in which he was the captain and, at the same time, the coach, was recognized in the international rating of ctftime.org as the best of more than 12 thousand teams of White hat hackers of the world. Note that from 2013 until 2019, they consistently occupied one of the honorable top ten rating positions. That is, Mykola Ilin has a lot to share with the team members not only as a leading domestic cyber security specialist, but also as an extremely experienced tournament fighter. And their share is persistent mastery of knowledge, training and practice in White hat hacker competitions. The latter, by the way, is perhaps even the only way to gain experience in the legal practice of attack (Attack-Defense class). It is worth adding that their tournaments take place every weekend online, and, depending on the results of the qualifying stages, in the host countries.
"Most of the tasks at the CTF are modeled on examples of real vulnerabilities and repelled attacks. CTF tournaments, if we make an analogy, are like weapons practice at the live-fire range compared to combat performance, - explains Mykola Ilin. - That is, range firing is not the same as what happens during real combat activity, for example, near Bakhmut. But without such fire training, you can't send people into battle. There is definitely no substitute for real fighting experience - no theory, no videos, etc. The same is the case with information security training: offensive security training is conducted here. In other words, attack specialists are trained: they undergo training in specially designed environments in order to acquire vital skills in war. And then life itself will teach."
After such training, technical specialists are able to perform a variety of tasks, not only defense, but also attack - for example, hacking an enemy website or a specialized information system.
It should be noted that the organizers of the competition also took care of new information for the participants, so to speak, first-hand knowledge: students had the opportunity to attend lectures on cyber security by leading Ukrainian specialists in this field. In particular, CISSP CISA OSCP Volodymyr Styran, CEO of the Molfar agency Artem Starosiek and Head of the Computer Emergency Response Team of Ukraine CERT-UA Yevheniia Volivnyk, and others.
After the tournament, its participants analyzed the tasks and their solutions together with the coach. According to Mykola Ilin, the problems that the students had to solve had a fairly high complexity level, so they gave the future, or rather, young specialists in cyber security, the opportunity to use most of the knowledge and skills that they had acquired in classes at the university and during club training.