DNV Cyber’s hack challenge tests hacking skills at one of the largest Nordic security events, Disobey
Capture-the-flag (CTF) games challenge players to solve cybersecurity-related puzzles to be the first to claim the prize, the ‘flag’. The more challenges competing teams solve, the more points they earn. CTF challenges are fun but also have a more serious side, inviting players to think like cyberattackers so they can become better defenders.
For instance, many participants at the recent Disobey cybersecurity event in Helsinki, Finland, attempted to tackle a CTF challenge created by DNV Cyber’s Principal Application Security Specialist, Teo Selenius. Disobey, held annually in Helsinki, attracts a diverse array of cybersecurity professionals, tech enthusiasts, and experts from around the globe. The event features numerous talks, workshops, and competitions, making it a significant gathering for the cybersecurity community.
Your mission, should you choose to accept it…
On entering Teo’s game, players discover they are a dog, Rex Tailspin, an agent in the Pawthorized Access Welfare Squad (PAWS). The fate of ‘snacks, humans, and dogkind’ rests on Rex because the Supreme Council of Cats (CATS) is orchestrating a sinister plan called “Operation Pawcalypse”. Rex must infiltrate CATS’ military intelligence HQ Purrveillance to steal and decrypt a digital file (the ‘flag’) on the plan and upload its contents to his superior, Commander Barksworth.
Intelligence suggests CATS’ IT system may be vulnerable to injection attacks against Structured Query Language (SQL), which is commonly used to manage data. However, CATS has installed advanced cybersecurity measures after attending a DNV Cyber lecture.
Solving the challenge requires the player to have a solid foundation across multiple cybersecurity domains, including Open-Source Intelligence (OSINT), databases, web applications, cryptography, coding, and forensics. Advanced knowledge in any of these areas, however, is not required.
Creating a good CTF challenge
Rex’s mission was designed with three principles in mind, according to Teo.
First, the challenge should not be what he describes as “guessy”; instead, it should be logical regarding what to do next and how to do it. Second, it should require players to have a well-rounded understanding of technical application security without demanding deep or advanced knowledge in a particular topic.
For example, the DNV Cyber challenge at Disobey required contestants to understand a little about coding and databases. “If you want to do a security assessment for an application (which, more or less, is code), you need to know how to code. That's just something our industry really needs to understand, and one reason we put it in this year’s CTF,” says Teo.
Third, the challenge should not be solvable without a genuine understanding of the underlying technologies and vulnerabilities. “For example, instead of being able to rely on tools like SQLMap and Burp Intruder, the player is challenged to manually exploit the SQL injection vulnerability and write a small script for the code brute-forcing section,” Teo explains.
For the record, only two out of more than 100 teams competing in the CTF at Disobey managed to solve DNV Cyber’s challenge. It seems to have been tough to crack, as the event organizer suspects most teams did try to solve it. But don’t worry; the challenge will be available on the upcoming DNV Cyber Challenge website, so everyone will have the opportunity to see if they have what it takes to be a P.A.W.S. agent!
The broader value of CTF challenges
CTF challenges have value beyond exercising cybersecurity skills in a competitive environment. Tapio Vuorinen, who manages the CTF at Disobey, comments: “I guess my view on this is rather biased, but I would say that according to me and the numerous competitors who were cracking down on the challenges, Disobey would not be Disobey without the CTF. It would be a bit like an arcade without pinball machines; one part of the audience would be left unserved.”
DNV Cyber experts like Teo are part of the ethical hacker community, and designing CTF challenges is a way of giving back to that community at Disobey. He says, “They bring together people whose work is often solitary or done in rather small teams. In CTFs, we collaborate, have some pizza and beers, and enjoy music while doing it, and we are usually physically in the same room. That’s the true value.”
Are you interested in joining DNV Cyber’s global team of cybersecurity experts and solving real-life cyber challenges? Visit our website to learn more about the challenges we solve and the industries we serve, or explore our open positions.
2/21/2025 1:42:00 PM