Competing in the International Cyber Security Challenge 2022

Competing in the International Cyber Security Challenge 2022


This is a brief and non-technical blog about my experience taking part in the inaugral International Cyber Security Challenge (ICC), a challenge hosted by ENISA for young adults in cybersecurity. The main event took place from the 14th to 17th of June 2022 in the city of Athens, Greece. I participated as a member of team Oceania alongside 15 other incredibly talented folks from New Zealand and Australia. 

Trials and Tribulations 

The first round of the competition involved a game of capture the flag (CTF). I’ve been playing CTFs for about 3 years, usually as part of the team skateboarding dog. I’d heard that this particular CTF would be a little bit like Cyber Security Challenege Australia CYSCA, an Australia-wide competition that discontinued a few years ago. 

The CTF was hosted by UQ Cyber (the University of Queensland) and served as the first of two rounds in the qualifiers for team Oceania. The competition only lasted for 6 hours, making it the shortest CTF I have ever played. Unlike CYSCA, the ICC qualifiers were only open to individual players. This meant that for the first time, I had to compete against 3 of my teammates from skateboarding dog. All things considered, I knew that I wouldn’t be able to complete all the challenges, so I stuck to what I was most familiar with in the Web, Forensics and Cryptography categories. This ended up bagging me enough points to advance to the next round. 

The second round of the competition was an in-person attack/defence simulation held at the University of Queensland. Shea Security kindly sponsored my travel and supported me and I was able to stay with my folks in Brisbane for a week. The timing couldn’t have been better, since my parents had just adopted a baby kitten whom I got to meet for the first time. 

Figure: My offering to the Internet

The platform for round 2 was an incident response and mitigation simulation provided by Cyberbit. It was my first time taking on a defensive role in security, which put me at quite the disadvantage. I spent some time prior to the competition learning Splunk, but it didn’t end up being installed on our machines. To my dismay, I was given a toolkit full of software I’d only ever seen from the other side of the wall. Needless to say, the simulation turned out to be incredibly insightful as a red teamer, and I left with a brand new appreciation for folks who work in the SOC. 

By some miracle, I made the team alongside two of my teammates from skateboarding dog, and a few of the new friends I had made in Brisbane. 

Figure: OCE (is best)

It’s all Greek to me 

Before heading to Athens, I was determined to learn at least the basics of the Greek language. Unfortunately for me, I’d taken a few linguistics classes in university, which renders me completely useless at learning natural languages. I decided that I basically know the Greek alphabet already – I mean, how hard can a Phoenician-derived script be? Plus, I should know at least half of it already from maths classes. As for the vocabulary, well, surely there would be many cognates with Latin, which is famously just English++. 

Figure: The strategy didn’t completely fail

Arriving in Athens 

Fast forward a couple of months and I found myself in Athens with a group of hackers who were finally meeting off Discord for the first time. We were jetlagged, dehydrated, and dying from the summer heat, which made for the best kind of first introductions. This was also my first in-person security event since lockdown, so I was excited to be making friends in security again. 

The competition itself was to last for 3 days – one day of CTF, one day of attack/defence, and half a day per side for the opening and closing ceremonies. This left us with about 3 more days of wandering around in the cradle of western civilisation, petting stray cats and eating cheap gyros. 

Figure: Turns out, those two activities are strongly related.

I also impulsively bought a copy of The Little Prince from a street vendor, as it reminded me of a friend who collects translations of the novel. I only had enough time to flip through the pictures, but I’m convinced that my favourite Greek word is μπαομπάμπ. 

Figure: τα μπαομπάμπ

As for tourist-y things, our rough plan of attack was to “speedrun the attractions”, then spend the rest of the time choosing to do whatever cultural/historical/consumerist activities made our brains happy. Having not done so well on the speedrunning part (there were too many cats to pet), I missed out on seeing the Antikythera mechanism at the National Archaeological Museum. I ended up making a visit to the smaller Herakleidon Museum instead for its EUREKA exhibit, and was very happy to find a large section dedicated to ancient greek machinery and automata. 

Figure: This one fell asleep while I was petting them so I had to stay (Credit to joseph for the photo)

Competition Day 

The Jeopardy round of the competition consisted of over 50 challenges in the categories pwn, rev, crypto, web and forensics. There was also an escape room challenge worth the points of one flag, which was designed to teach us security awareness and OSINT. The challenges were extremely difficult for a 1-day competition, but we weren’t expecting any less. Team Oceania ended up scoring 4th, missing the podium by a small margin. 

The second day was the attack/defence round, which required all teams to defend 4 vulnerable services while attacking the same services running on other teams’ machines. Compared to the first round, this required much more communication between teammates, especially between the attack and defence roles. Luckily for us, we’d spent meetings beforehand discussing organisational strategies and communication channels, so nobody was left behind on the day. Our preparation paid off and we ended up scoring a close 3rd, a result that gave our team a happy conclusion to the competition. 

Both rounds of the competition were extremely well designed, and fun to play as a participant. As someone who had no prior attack/defence experience, and made it onto the team entirely through solving CTF challenges, I was surprised to find myself liking the A/D round the most. Coordinating a team of 15 people who had only known each other for 3 days was no small feat, and I was well aware of how things could go horribly wrong. The fact that we were able to pull through so much stress for a whole day without any arguments within the team is still incredible to me, and it made our small victory feel all the sweeter. 

Thank you! 

I’d like to thank ENISA for hosting the competiton, and to Ryan, Joshua and Abigail from UQ Cyber for dedicating so much of their time to organising team Oceania, and for travelling all the way out to Athens to make sure none of us got in trouble (before Friday). 

Figure: Travelling with hackers