Entering the world of cybersecurity can raise many more questions than answers, particularly if you don’t have a community to help you along the way. Finding the resources, guidance, and time to jump into a challenging field can intimidate many and often discourages talented minds from fully exploring their capabilities.
While many new cybersecurity learners know they’ll be challenged by technologies, tools, and ways of thinking, they often don’t realize the amount of perseverance required to be successful. Put another way, if you want to become a hacker, get ready to bang your head against many proverbial walls before finding that one little hint, clue or error that will lead you to an ever so satisfying exploit.
Much like learning a trade, learning to hack is best done with an open mind, a positive attitude, and an acknowledgment that the challenges presented can be overcome. This approach to learning is why our team was so excited to discover a blog post written by Drew Wade. Drew is a former Academic Anthropologist making a mid-life career change to cybersecurity. In his blog, Drew shared his methodologies in exploring Security Innovation’s Shadow Bank and Instafriends Cyber Ranges, the tools he used, lessons he learned, successes, failures and final results - not bad for a post of under 1,000 words!
Drew was kind enough to answer more questions for our team in hopes of helping others interested in a cybersecurity career. Take some time to read Drew’s suggestions, then sign up for our Attack in Autumn competition.
Security Innovation (SI): What names and handles do you normally go by?
Drew: My name is Drew Wade. I usually participate in CTFs as Whiskey++.
SI: Tell us about yourself and how you became interested in cybersecurity.
Drew: I began my career in Academic Anthropology where I would CT scan mummies and develop forensic identification techniques. I’ve always had a technical inclination so I enrolled at Mohawk College’s Network Engineering and Security Analysis program where I have also helped start Mohack - the Mohawk Cybersecurity Club.
During a career panel at last year’s SecTor conference, the presenters explained that participating in CTFs was beneficial for a few reasons - it demonstrates involvement in the security community, builds offensive security skills, and shows employers you are truly interested in cybersecurity. It doesn’t hurt that they’re a lot of fun too! Since then we’ve started bringing CTFs and wargame challenges to the club on a regular basis. I also started attending security community events like TASK and OWASP Toronto, which is how I found out about Security Innovation’s Cyber Range events.
SI: How have Cyber Ranges and CTFs played a role in your cybersecurity education?
Drew: Despite the time required at Mohawk and my associated co-op I have managed to participate in over a dozen CTFs and hackathons. I do my best to blog about my experiences to help others learn - you can find my CTF and hackathon writeups here. Many of the CTFs I participate in are found through CTF Time, but others like March Hackness are found during OWASP events.
This summer I also had the great pleasure of volunteering with the Canadian Collegiate Cybersecurity Exercise where a mix of student blue teams, industry red teams, and business white teams train together in a well organized and realistic way. I look forward to Mohack participating next year!
SI: Your blog does a great job describing your methodology, successes and dead ends. What helps you dig deeper for issues even if you’re not sure you’re on the right track?
Drew: I’m really curious and there to learn as much as possible. I keep asking “What if?” and looking for resources, hints, tips or indicators that give me a new lead to chase. My go-to resource is Google for all variety of searching and learning, but I generally stay away from other people’s write-ups so I can get the full learning experience.
I’ll stick with a line of inquiry as long as I’m still finding resources or signs that might lead to a solution. There are times I give up on a line of inquiry because it’s beyond my understanding or is frustrating, but I always try to go back to those unexplored avenues. Occasionally I’ll even go back to a particularly interesting challenge after a CTF is over just to see if I can solve it.
SI: What are your goals when participating in Cyber Range events or CTFs?
Drew: I don’t go into the events expecting to win; I go into them expecting to learn and have fun. The worst-case scenario is that I only learn one thing while trying to understand the site. Even if that one thing is identifying a new area where I need to learn more, it makes my effort worthwhile.
As it was, March Hackness allowed me to learn quite a bit. I got the chance to practice some skills I learned previously and also explore the site architecture. I also got a glimpse of things I didn’t know, and still don’t know how to exploit, but those just give me an idea of where I need to learn and explore in the future.
SI: What would you recommend to others new to cybersecurity and figuring out where to start?
Drew: CTFs and Cyber Ranges are a great entry point, but there is a wide range of difficulty levels. Start at one that’s aimed at education and training rather than competition, even if they’re aimed at middle or high school students and require you to ditch your ego!
I also like wargame sites like CTFLearn, CyberTalents, and OverTheWire. They have a variety of difficulty levels that allow you to build your skills and gain experience. If you decide you want to learn more about a particular type of challenge then there are topic-specific sites focused on reverse engineering (crackmes.one), mobile security (MOBISEC) and network attacks (Hack The Box).
SI: What else would you like the world to know about learning through hacking?
Drew: Learning through hacking is how most day-to-day problems are tackled and how most professionals learn on an ongoing basis. Whether through malice or ignorance, people are constantly breaking, misusing and poking holes in the systems we work hard to secure. A hands-on approach to learning allows security professionals to better understand and fix those issues now while also designing better solutions in the future. Remember, these are not issues that people or businesses plan out in advance - they are problems and solutions that pop up along the way and require immediate solutions.
Also remember that individual CTF challenges aren’t always necessarily realistic or common, but do provide you with interesting technical problems that can be overcome by understanding the underlying issue and attempting possible solutions - the same creative process as solving those day-to-day problems. Luckily Cyber Ranges and CTFs provide the opportunity to learn and apply your skills while allowing you to risk nothing during the learning process.
The Security Innovation team would like to thank Drew and all those who participate in our Cyber Range events. If your team, organization or group would like to find out more, simply get in touch with us.