I’ve recently started looking into getting casually involved in CTF competitions in the infosec space. And a common question I hear is: What’s the point of doing them? Often these competitions have almost trivia-like questions that involve knowledge, some meatspace social engineering or lock picking, radio manipulation, pcap analysis, malware analysis, image analysis, decoding/decryption, reverse engineering, network service fuzzing, and so on. Sometimes, you either know it or you don’t, and if you learn it on the fly, you’ve eaten up your time to do the rest.
Well, the answer isn’t a direct one. Do you learn key infosec skills? Probably not directly.
But you do learn how to do things you sort of already know faster and better. Like knowing a bit of Python and then banging out a few snippets for some challenges. +2 to Python skill!
You also pick up the ability to do cheap, quick little things like that, which you can emulate in the day job to quickly analyze some newly released exploit code, troubleshoot something quickly at work, or manipulate and fuzz a new app for a project.
It’s about practice, in a sort of intense, time-bound moment.
It’s about exposure to a few new concepts and skills that can be picked up.
It’s about meeting others and sharing some notes to get better and pick up those new skills more easily.
But if I had to give just one answer, it’s the common answer for those who desire to be an expert in something: practice, practice, practice.