Profile of Emerging (Ethical) Hackers
AppSec California 2019 Recap
Last week Security Innovation hosted a two-day CMD+CTRL Cyber Range session at AppSec California in Santa Monica. The CMD+CTRL Cyber Range is designed to provide emerging AppSec practitioners and champions with an engaging learning, simulator-like, experience while also challenging and testing seasoned professionals skill-set. Security Innovation's CMD+CTRL challenge was put to the test against 75+ very inquisitive participants who were able to explore, hack and exploit over 100 challenges across our Shadow Bank and Gold Standard Cyber Ranges.
The best part of the event was the enthusiasm displayed by the attendees! For every skilled attacker with a virtual work-belt full of tools, there were a dozen more first time hackers looking for engaging, new ways to expand their skill set. Even better, more than a couple of those beginners outscored the self proclaimed experts!
I sat down with a couple of these high performing beginners who were more than willing to share their experience with CMD+CTRL as well as where they are hoping to apply their expertise. Their recommendations are great for anyone interested in learning how to think like an attacker but aren’t sure where to start.
The Emerging Security Experts:
Julian Runnels: Winner of Shadow Bank, Production Support/ E-commerce Analyst for Taco Bell
Kuan Xiang Wen: Top scoring student, Cyber Security Intern at Ariento
SI: Have you participated in Cyber Range events before?
Julian: I have never participated at an in person event, but I recently took part in KringleCon 2018. Other than that I spend a lot of time on online CTF sites like hackthebox.eu and VulnHub, which are great tools to learn at your own pace.
SI: Did you feel nervous or concerned about joining the CTF?
Julian: No, because I knew it was mostly a learning experience. For those that are nervous, just think of it as a game where even "losing" lets you learn a lot. Plus you are safe to not accidentally break anything or get in trouble.
Kuan: I was nervous that it might be a team format, but was relieved since this event was focused on individuals.
SI: What did you enjoy most about the event?
Julian: The automated score keeping of the website and the on-hand staff. When doing a lot of other CTF's, especially online ones, it’s a solo effort without a ton of feedback. Being able to collaborate and ask for help was a really different and fun experience.
Kuan: The way many of the vulnerabilities chain into one other. It was also great to try what I learned from Jason Haddix's training workshop on offensive web security testing, the previous days.
SI: What would you recommend to others who are interested in thinking like an attacker but don’t know where to start?
Kuan: The best way to start is by first seeing some of these vulnerabilities in action. If fortunate, the mischievous excitement from seeing that will fuel the learning process. First, I recommend watching videos like those from John Hammond. Then try entry level CTFs, like The Beginner Challenge and OverTheWire. Once you’ve watched the videos and tried entry level CTFs then work on more instructive materials like the Web Application Hacker’s Handbook or OWASP Testing Guide.
Julian: One key point for thinking like an attacker is to try everything, and to sometimes take a step back and relax. Often times I have bashed my head on a piece of code for days, only to find vulnerabilities after I took a walk or looked at another part of the target. Also, asking for help on forums or places like Discord is always a good option.
SI: What else would you like the world to know about learning through CTFs and Cyber Ranges?
Kuan: The events are a great way to learn, and the best part about in-person events is meeting people.
Julian: CTFs and Cyber Ranges are some of the best ways for people to understand what issues look like in a realistic setting. Being able to sit at a terminal or website and exploit vulnerabilities really helps researchers understand what is happening. For example, before AppSec California I knew the concepts of a CSRF attack, but had never exploited one. At the event I was able to create my first CSRF attack, and now have a much better understanding of what they are and how they work.
Thanks again to Kuan and Julian for their feedback and guidance. We look forward to seeing the great places they’ll go in their security careers and the people they’ll help educate along the way!
Interested in what CMD+CTRL is all about? Attend our next Demo on Feb. 13 @ 1:00 EST. Click to register: