I am lucky enough to be on good terms with the guys in my agency’s InfoSec group and they let me know about the US Cyber Challenge Cyber Camps and vouched for the training that the attendees get at the camp. You can attend the camp for FREE, but like everything in life there is a catch. To attend for free you need to register and be a top scorer in Cyber Quests, though don’t worry you don’t have to be an expert to score that high, but you do need to spend some time learning and researching. If your willing to spend the time, you will have a good shot at getting a scholarship so you can attend for free, and trust me it is worth it.
I have a strong systems administration background and securing systems, but not as much on Cyber Security from the attackers point of view. To be honest that was a mistake, one of the most important things I learned that to be good at defense you HAVE to have an idea of what is going to be coming your way. In the week I was there, I picked up at least 3 different settings I knew were wrong in my environment and remedied it as soon as I got back in the office based on the instructor lectures.
I didn’t really know what to expect when attending the camp, and after looking at the group I realized I was probably one of the oldest there including the instructors. The classes were run at a pretty fast pace, and as we were told they are designed that way to really push the subject and expose the campers to as much as possible. It wont make you an expert but you will take away key concepts that you can explore on your own. That is one of the best things about the USCC camps, it gives you a breadth of experience to see if there are certain things you would want to focus on in InfoSec during the week, but it also gives you lessons on getting your first InfoSec position. For myself this wasn’t as important but I have a job already, a lot of the campers were either in their last year of school or close to graduating and would be looking for work soon.
The classes throughout the week were as follows (I will only go into general details on the classes as some of the info is proprietary and I wouldn’t want to abuse the generosity of the presenters):
Analyzing & Reversing Malicious Code – Instructor: Michael Murr – This class was a brief introduction to the world of malware and how it acts. For me this was probably one of the hardest classes for me to get into, but it was eye opening at how code works at the assembly/stack level. I would love to take some of the other that SANS classes that Mike offers, he has a wealth of info to share.
Cybersecurity Program Analysis – Instructor: Ben Holland – This is course has licensed under MIT and you can find the slides and material including virtual machines on his website. This course covered A LOT of materiel including offensive and defensive techniques. It covered exploit development, program analysis, bug hunting, antivirus evasion, and post exploitation techniques. Ben is a great instructor and related real life examples of the techniques and uses of his teaching as he went along.
Web Application Penetration Testing 2018 – Instructor: Doug Logan – This was one of the courses I was most looking forward to, as it aligns closer to my daily work load than the others had, as a major part of my job is hardening systems that run web applications. Doug was exceptional in covering a lot of material throughout the day and giving insight into what red teams/pen testers do when when they are trying to get into a system. His company CyberNinjas is actively on engagements in what he teaches, which makes the lessons especially interesting as he relates it to real life incidents.
Packet Crafting with Scapy – Instructor: Troy Jordan – This was an in-depth look at Scapy, a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Troy was exceptionally patient with questions I had as its been a long time since I had to look at TCP/IP traffic at that level as most of the time when problems arise I turn it over to our networking team to troubleshoot. I really enjoyed this class and while it was geared towards InfoSec uses, it also gave me ideas on how I can use scapy to troubleshoot issues on the network.
There were also non technical subjects like Resume Writing, Ethics Panel, and On-Line Presence Workshop that gave great tips in presenting yourself for potential employers and how to get to the top of the resume pile in the HR department. The ethics panel was especially interesting presenting legal and moral challenges you may face as a member of an InfoSec team.
The week ended with a Capture The Flag event that gave a number of challenges that you scored points for achieving. We were broken into teams and competed against each other, using the skills learned during the week to accomplish the tasks. This was both super fun and super nerve wracking for me as I have never experienced one before, though some in the camp had as their are several events held for college students throughout the year. While my team didn’t win, I felt this was an awesome way to end the camp learning sessions, giving you a practical exam for the different lessons.
The closing ceremonies had a number of speakers that talked about the growing challenges of getting enough InfoSec workers to combat the growing threat with a strong push to working in the public sector, which of course I being a federal employee couldn’t agree more. This was an extremely rewarding experience and I recommend that anyone even remotely interested in an InfoSec career take the quiz when it’s released next year and try to win a spot! Sign up at https://www.cybercompex.org/ to get notices when the next competition starts.