We've just got back from the first Cyber Security Challenge Insight Camp which was held at Coventry University. These camps are designed to introduce university students to the cyber security industry. It went really well and there was definitely lots of positive feedback. We were asked by the students to give them our advice on how they can self improve and what types of things they should be doing and looking at etc. So as promised here is our guide to getting ahead of the pack.
[Disclaimer] If you become addicted to CTF's I will not be held responsible ;)
Be part of the Community
The cyber security community is, in my opinion, one of the best out there. Be part of it. I am always humbled by the sheer amount of great people within the community, people willing to share their time and knowledge to help others. There are numerous conventions and hack meets around the UK and numerous ways you can help out. Give presentations, volunteer to help, take part in the challenges or just be an attendee. If you can't afford the ticket price, look at volunteering or presenting as an option. Not only will being part of the community look great on your CV, you'll find that the sponsors of these events will normally be in attendance and those people might just be sat across from you at interviews! If they already recognise you from the community then you'll already be a step ahead.
Some of the noteworty cons that you should be attending are:
Don't be afraid of submitting CFP's for these cons. Most of the time you will be assigned a mentor to help you through it. It's also worth noting that the current highest voted talk at BSides was non-technical! Don't think you need to be dropping l33t 0-Days! Doing presentations will get you used to talking infront of an audience, boost your confidence and increase that recognition.
Challenge yourself online
There are a whole host of sites on the internet that are geared towards improving your skillset. Some of them are available to dip in and out of as you feel the need, others are competitions that take place over a time period. They range in difficulty from beginner to advanced and cover many areas and aspects.
Capture the Flag
Capture the Flag (CTF) competitions are usually broken down into two groups, 'Jeopardy Style' and 'Attack/Defend'.
CTFTime.org is a great resource for finding out about upcoming CTFs and also has a nice archive of write-ups from previous challenges.
Jeopardy Style CTFs are small puzzles/challenges usually broken down into the following areas:
- Reverse Engineering
- Mobile Security
- Binary Analysis
One of the best things about taking part in Jeopardy Style CTFs is that you get the opportunity to see how others solved the problems after it's finished by reading through write-ups.
Generally in an Attack/Defend CTF teams will be given their own network (or a single host) with vulnerable services. You must patch your own services to make them secure and maintain their availability whilst trying to exploit the other teams.
Top Tips for CTFs
Don't get disheartened early on in these CTFs, your skillset WILL improve over time and you'll also get used to the thought process that involved with solving them.
If you are new to CTFs I'd recommend starting with CSAW and Plaid. They have a good range of challenges for all levels and are generally well run.
Try and get your friends involved in the same challenges, form as a team, get on group chat, work through them together, bounce ideas.
Online Training Resources
Here is a (by no means complete) list of challenges we recommend you trying.
- Pico CTF
- Hacking Lab
- Hacky Easter
- Over The Wire
- Smash The Stack
- Exploit Exercises
- CTF 365
- Pentester Lab
- Can you Hack It
- MWR Hackfu 2015
- NCC Graduate Challenge
- The Honeynet Project Challenges
- Google Gruyere exercises
It's also worth mentioning that on completion of the time sensitive CTF's a lot of the writeups are available from https://github.com/ctfs/write-ups-2015
Cyber Security Challenge
I've no doubt in my mind that one of the best ways of getting yourself noticed in industry is to take part in the Cyber Security Challenge. With their new 'Play On Demand' for the virtuals events there really is no excuse to not take part. The level of exposure you get and the networking opportunities are well worth putting the time in.
Never stop learning. Have fun. Stay safe.