
Preparing for a Capture-the-Flag event

SEB is one of the gold sponsors of the Midnight Sun CTF event, a Capture-the-Flag hacking contest, and we are also entering the competition with a team. A lot of preparations go into an event like this, and in this blog post we’d like to share some details on how our team is getting ready for a contest like this and the finals that are taking place in Stockholm on Sept. 18-19.

Firstly, there are a lot of challenges to consider. The normal teams that do this kind of stuff regularly know each other’s strengths and weaknesses by heart and have a playbook already in order. As a sponsored team, you are faced with the same challenges as the others, but luckily in a playground of our own, separated from the finalists. Coming from all over the world, the competing teams are very good, which means that the flags and challenges are very hard to catch.

In a big technology company like SEB, you also face some additional challenges before the actual competition. For example, our team, which consists of people from all over the company with an interest in security, won’t get a chance to meet in real life prior to the contest because of the Covid-19 restrictions. Instead, we have had to prepare via digital channels.

We started out with some initial meetings over Teams just to be able to see each other and say hi. We then started to plan how to communicate during the game, since it’s completely outside the SEB perimeter and we use private computers. We decided to try using Discord as a communication channel since we think it might suit our needs.

We have also talked a lot about tooling and how to prepare individually for the event. For example, we have discussed the pros and cons of using different intercepting proxies like Burp Suite and OWASP ZAP. The topic of using dedicated penetration-testing distributions of Linux like Kali, OWASP Samurai WTF and Parrot Security has also been discussed. We also need to consider the big question of where to run that machine. If you have it as a desktop, you get more tools that use a graphical interface to work with, and so on. Tools that we have discussed but found probably less useful are security scanners and things that use known vulnerabilities, since the flags in this event have been handcrafted for the event. It’s more about zero-day exploits and reverse engineering of the things we will see in front of us.

It’s very fun and inspiring to talk about all this stuff and also to get a chance to verify that your thoughts about security, vulnerabilities and risks that we have at the bank correspond with those of other people that you normally don’t interact with.

With all this said, we are entering this event with a very humble attitude.

One of the standard old questions about working in a bank is “what are you doing after 3pm”. Now you know that sometimes we prepare for fun events like trying to hack as far as possible in 48 hours.

Cyber Security Expert.

Håkan Edman
