We are big supporters of the community-sourced local Security BSides events, and BSides Dallas/Fort Worth (BSidesDFW) is just around the corner (November 2, 2013), so we are taking this opportunity to give you a little taste of what you will be missing if you can’t attend the event.
Thomas Bennett (@TwoPipe) and Brian Mork (@Hermit_Hacker) will be presenting on proven tips, techniques, tactics, and methodologies developed by Team Cryptolingus (@Cryptolingus) for success in Capture the Flag (CTF) competitions.
Bennett and Mork will cover crypto selection, network design, counter-intelligence, task management, tool selection, and attack methodologies that will maximize the amount of damage you can inflict in your next showdown.
We caught up with Bennett, an Information Security Specialist at Alliance Data Systems, Inc. (ADS), to find out more about the presentation.
Bennett got his start in the hacking world in 2011 for multiple reasons, like the thrill of finding ways in when there seems to be no access, and also as a way to gain a deeper understanding of how different operating systems work and how best to secure them.
Bennett has a BS with an emphasis on Electrical Engineering, and says his first job took him in a different direction as he was tasked with risk management, system administration, signals analysis, and working with high-fidelity simulators for electronic warfare.
“Two years ago I was convinced to change careers and moved into the Information Security world, and I started out as a systems security engineer working on projects for both the US Navy and Air Force programs,” said Bennett, a Red Hat Certified System Administrator who holds the CompTIA Security+ certification.
“I now spend part of my free time working on Linux hardening scripts and working with my hacking team to continually improve our attack vectors during competitions, as well as building out the knowledge-base through collected data.”
In recent years, the Information Security realm has been gaining public awareness due to breaches at large organizations such as Sony, Microsoft, Infragard, LinkedIn and Evernote, so companies are hard pressed to find the right people with the right skills to help combat these threats.
“One way to find people is to witness differing hacking competitions like a CTF competition in which one or more teams attempt to penetrate the weaknesses of other teams’ systems using hacking techniques while also protecting their own systems,” Bennett said.
“These competitions allow prospective employers and colleagues to observe and validate the technical skills of the participants in a simulated but realistic environment. Team-based CTFs also allow the potential employer to see the person working in a high stress environment with a team and delegating tasks.”
Bennett says that one of many reasons for wanting to discuss this topic at BSidesDFW is to highlight the fact that companies do in fact use competitions such as CTFs as a way to find talent that they believe will fit well into their organization.
“Another reason is that we would like to show an engineering approach to CTFs,” Bennett said. “There are many steps along the way to building a structured attack plan, but we’ll stick to some of the high level ones like physical device setup, network setup, protection for communications between various components, minimum roles for success, and some common tools used by those roles.”
This presentation will be most useful to two audiences: those looking to improve CTF performance, and the “first timers” who are looking to employ a logical approach without in-depth knowledge of all the tools in front of them.
“Our first goal is to start seeing a more structured approach to team-based CTFs. Preparation beforehand can lead to better results as you have a plan to follow rather than just jumping down each rabbit hole,” said Bennett. “Another goal is for attendees to come away with a better understanding of the various items used within our approach (roles, tools, devices).”
Bennett believes that the future for CTF competitions looks bright, and they are not going to disappear anytime soon.
“In fact, the exact opposite is the case. They are increasing in popularity, as we see more and more groups sponsoring and creating CTFs ranging from colleges to local, state, and federal governments,” Bennett said. “This will all lead to teams studying together, filling voids in their knowledge gaps, growing as members of the Information Security field.”