[00:00:00] CS: Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? Well, try this: go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It’s got in-depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.
Today on Cyber Work, returning guest Ken Jenkins stops by to talk about his work as the head coach of the US Cyber Games. If you’re intrigued by this emerging esport, you’re going to want to keep it here. Ken discusses the selection process for the athletes, the role of the coaches and mentors, and the competitions and the intense real-time collaboration going on during the events. Polish up those tools and get ready to break in, it’s Cyber Work.
[00:01:26] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.
Our guest today, Ken Jenkins brings more than 26 years of information technology and cybersecurity expertise to his work in red teaming, penetration testing, threat hunting, threat emulation, incident response and systems engineering. Ken is a decorated combat veteran and retired soldier. His active-duty responsibilities covered operations and defense of DOD networks and battle command systems. Some of his assignments included a variety of combat units, the Army’s Criminal Investigation Command, Army Cyber Command, United States Cyber Command and the National Security Agency. Ken regularly competes in Capture-the-Flag competitions.
As we are about to find out, he is currently about to be the head coach of the US Cyber Games for the season two, which is starting now and is going to be going through 2023. He earned his BS in Technical Management from DeVry University and holds over 30 commercial certifications, including CISSP, OSCP and many more. I had Ken on year before and we had a really great time. I’m very interested in the US Cyber Game, so let’s find out some more. Ken, welcome to Cyber Work.
[00:02:50] KJ: Thanks, Chris. Appreciate it. Thanks for having me again.
[00:02:53] CS: My pleasure. Since you’re a returning guest to the show, listeners can tune into your past episodes to hear your origin story. I would like to start with an origin story, but you had a very good one, about how you got into cybersecurity and so forth. I encourage folks to listen to that as well. It will be on the exam. However, it has been almost two and a half years since then, and you’ve accomplished a lot in the meantime. You were the CTO of By Light when we last talked, and then you also springboarded into AWS for a while, and then became VP of cybersecurity and resilience server services for SecurityScorecard since July of this year. This one was a new one to me, so I had to look it up. SecurityScorecard is, “The global leader in cybersecurity ratings with more than 12 million companies continuously rated.”
Ken, can you tell me about how SecurityScorecard works, how you go about rating these companies, what type of data and reporting you do as an organization and what this sort of data is used for by your customers?
[00:03:48] KJ: Sure, Chris. Thanks. SecurityScorecard is a ratings platform. That ratings platform is built by collecting large amounts of data. Some of the data we collect through various mechanisms are what we bring together. We enrich that data and we’re able to score companies based on their cybersecurity posture and hygiene. We use some active techniques, which includes service discovery, content capture, fingerprinting, configuration, enumeration, different types of botnet integration, certificate discovery from SSL or HTTPS-enabled sites, name resolution through DNS.
Then on the passive side we use honeynets, honeypots, sinkholes, passive DNS, advertising exchanges and spam senders, different types of credential dumps from breaches, and of course, different emails, email information we have access to. Then, we also look at different ways networks are partitioned on the Internet, whether they’re in different autonomous system numbers or they’re commercial networks or private networks. Now of course, we look at any steel records that we can find on the Internet. We take all this data, and we compile it, and we get a better understanding of attack surface intelligence to help those great companies.
Currently, we have 12 million companies that we have indexed on that we’re able to provide scoring for. If there’s another company that doesn’t exist in those 12 million that we index on, we can quickly pull up the data through some verification of IP addresses or domains. Phenomenal product, I do consider the best in breed product. I’m not just saying that because I work here. I’m saying that because I see how delighted our customers are with our platform. On top of that, we also have additional modules that we use to provide even more data. When you’re sitting on this type of data, I really feel like we’re also a pretty advanced threat intel platform, based on just the sheer amount of collection that we do. So yeah, that’s a little bit about the product.
[00:06:14] CS: Yeah. Just for a newbie like myself, when your customers are using your platform to evaluate, is this sort of like they’re checking out potential vendors or potential collaborators and they’re getting a sense of how secure they are? Is that sort of what the purpose of it is?
[00:06:33] KJ: That’s exactly right. What we do is, a customer can log in, and they can look at their risks, or their attack surface, they get a rating, but they can also add other companies that they have business relationships, business to business, maybe they’re a supplier. But somewhere, they’re either a third-party or fourth-party vendor they need to do business with in some capacity or want to gain insights to. Within SecurityScorecard, they can actually set that up and configure their networks of companies that they want to monitor. You can think about for – there’s various reasons why you’d want to do that. One is for manufacturing, one could be for insurance underwriting, all types of mergers and acquisitions, and investments. That’s precisely what our platform can be used for.
[00:07:32] CS: Gotcha. Yeah. With the continuous aspect of it, I wonder, does that mean that like a project manager, or something would kind of have this set of companies, or apps, or equipments, or whatever that we’re working with, and you’re checking to make sure that nothing crazy is happening with this new thing that you’re building out of maybe open-source pirates or whatever?
[00:07:51] KJ: That’s exactly right. They can monitor their scores and see them go up and down. Certainly, you could take action as the score goes up and down in your vendor portfolio.
[00:08:09] CS: Do you have enough – if you were to look up your own company, and then you gasp, and collect your pearls or whatever, because there’s something really wrong, is there enough information on your site to give that company the wherewithal to sort of figure out and patch their own problems?
[00:08:26] KJ: Yes. Obviously, there’s more to the product. Support wise, it’s not – I wouldn’t only use it as the source for determining that, but it’s definitely a data to giveaway. Looking across vendor risk management, and you see a company that maybe has a score lower than the rest of your companies that you’re monitoring definitely can give you early indications and warnings.
[00:08:56] CS: Right. That makes sense. Yeah, I don’t want you to take this piece of technology and turn it into Seinfeld’s tip calculator here or whatever. I guess turning to your role within the company. Can you tell me about your own work as the VP cybersecurity and resilient services for SecurityScorecard? I know you said you have a pretty big team that you manage, but what are some of your average tasks, strategies, programs, or problems to be solved in an average week’s work?
[00:09:25] KJ: Yeah, absolutely. In February of 2022, we acquired a company called LIFARS. LIFARS was an incident response forensics and penetration testing organization, so offer professional services. They had been around for eight years prior to the acquisition and had built up a pretty substantial capability in that space. With SecurityScorecard, there was always customers asking for – we have ratings, you have a lot of access to our data, you may have access to some of our compliance documents through your questionnaires and Atlas, where you store the data that we upload. But if we have a cybersecurity requirement, maybe it’s advisory consulting or one of the services you offer. Can you help us with that? Now we can do that. Not only can we do that, but both companies are – as we integrate them, both companies are better for it. Now it’s SecurityScorecard, right? There’s no more LIFARS. It’s one and the same.
This has enhanced our cybersecurity service offering, so we offer a handful of services. I’ll go through those, but the fact that we have access to the ratings, to attack surface intelligence in all the cyber risk intelligence capability within a company, I believe it differentiates and enhances our professional service offerings as well. We offer penetration testing, red teaming, vulnerability assessments. That’s one of the teams that resides in professional services. Then we have our team that manages Jumpstart. Jumpstart is a program that we started recently, to help onboard our customers to the platform, as we’ve added more modules, added more capability to the platform. The sophistication of the platform has gone up substantially. To get the best bang for the buck out of the product, we stood up a Jumpstart program to help onboard customers and help establish SecurityScorecard inside their vendor risk management program. That’s two teams.
The third team conducts incident response and forensics. Very similar to – responding to a breach, responding to a ransomware attack, we’ll help a customer through either a retainer, or through – they call our 911 number, and we help them out right in the middle of the crisis. We’ll help them negotiate ransoms; we’ll help them recover from a breach. We provide that to our customers and to non-platform customers as a professional service.
[00:12:20] CS: Wow, cool. Yeah. That lines up so well with everything I know about your background in terms of things that you’re excited about and good at. I like that now you have the sort of massive teams that can sort of provide all of that stuff for the company. Thank you for the summary there. Ken, I wanted to ask – I have you on the show today, because I saw on LinkedIn that you had gotten involved with something that I think our listeners are going to be very excited to hear more about. That namely is your work as head coach for the US Cyber Games. That sounds fun. I’ll start with the basics. What are the US Cyber Games? What’s the purpose? How long has it been running? What do you do exactly in your role as head coach?
[00:13:01] KJ: Sure. The US Cyber Games, think of it as like a traveling team that competes internationally. Its team is comprised of young adults, we call them athletes, they’re 18 to 25 years old. Generally, they’re graduating college, but we have some high schoolers on the team as well. So 18 to 25, like I said, and they can compete in Jeopardy-style CTFs, Capture-the-Flag events, with a focus on cryptography, binary exploitation or PWN. They have forensics challenges, they have web application security challenges, or reverse engineering or malware. Those are generally the topics that you’ll see in Capture-the-Flag events. Our team is comprised of athletes that have specialties in those events. But then we also use the same team to compete in Red vs Blue challenges. That’s like offense versus defense in real time. So we’ll do that.
Also, during events, so Capture-the-Flag events, the Red vs Blue challenges. We do that on friendly competition. We will do that actually competition for something with stakes. The US Cyber Games is in a second season, so I’m using two – I’m the coach for season two. Last year, season one, the team competed and they went to the international cyber challenge within our competition, within Athens, Greece. The head coach then was a guy named – very brilliant guy named TJ O’Connor. TJ took the team from nothing all the way to international cyber competition and took third place in the world. I have some very, very large shoes to fill. I pinched myself that I was nominated in the committee, they selected me to be the season two head coach.
This year so far, we’ve had an open event similar to the NFL. You have an open event where athletes come and they compete. Then you have a combine event where you come, and you compete, and you’re observed by the coaching staff, by the technical mentors. Then we had a combine class shortly after that, then we had interviews after that. Then what you saw online was our actual draft. We had a live in-person down at the Commerce Building in Washington, DC. Many of our sponsors helped us set that up. [inaudible 00:15:47] and some of our major sponsors, but the website really showcases who our sponsors are. I mean, I’m tickled pink every day when I look at our sponsors who support us, but that was the team to do these great events and travel.
Then the committee for the US Cyber Games is a company called Katzcy. Katzcy really provides the staff, helps out the coaches and technical mentors. All the coaches and technical mentors are volunteers. The Katzcy team is really behind the scenes that makes all this possible. They’re really the might behind all this. That’s a little bit about the US Cyber Games, phenomenal team. I should probably elaborate. We drafted 30 athletes, and the athletes come from some of the best schools in the US. I mean, these athletes generally have many, many CTFs, and Red vs Blue challenges under their belt way before they were ever involved with US Cyber Games. They’re pretty seasoned in what they do. Hobbyist at heart and many of them have the academic prowess to back up their – what they do as hobbies, but it’s truly an esport that we have very good support. We started with around 83 – I might be off by a couple on there. But we started off about 80 athletes, we narrowed it down to 34 to make the team. Another 20-ish athletes that we put on our training and development pipeline for next year to prep. We’re always investing in talent for the next seasons coming.
[00:17:44] CS: Kind of like a farm team, I guess.
[00:17:45] KJ: Absolutely. I’ll tell you that farm team, that training and development pipeline that we have them is a phenomenal idea because they get to mimic what the actual team is doing. They get beaten open challenges, they get similar training to the actual Cyber Games team. It’s a great concept, and I’m super stoked to be involved with it.
[00:18:10] CS: I love that. They get all the challenges without necessarily having all the eyes on them, so they can maybe take bigger swings and not have to worry about like – I went down a weird rabbit hole and now I’ve lost us for the US team. That’s cool. I love that. I was looking at the different subdivisions. Can you tell me the respective roles of team captains, and especially the travel team versus the virtual team?
[00:18:35] KJ: Yeah. Let me start with the team captain. We do have coaches, head coach, assistant coach, technical mentors, junior mentors. Junior mentors are usually returning athletes that have aged out of the program, gotten a part of the staff to help mentor our athletes. That’s a bit about the coaching staff. Many of our coaching staff or technical mentors teach at some of the most prestigious schools in the US. For instance, the assistant coach, Dane Brown. Dr. Dane Brown, he’s a professor at the Naval Academy here in Maryland. We’re so lucky to have him. Many of the coaching staff have similar backgrounds. We have many of the challenge types covered throughout our coaching staff and our technical mentors.
You ask about the traveling teams. That’s the team that will actually go to different countries or travel across the US. This year, we’re going to focus a little more on having international or other countries join us here in the US. We recently finished up competition in Vienna, Austria for ENISA. There were 27 European countries that participated in this event, and there were four friendlies that were invited. That was the United Arab Emirates, the Canadians, the US and Israelis. So 31 countries participated in that. Those events are happening more frequently now. The traveling team will actually attend those events and compete. Some of those, our team can win, and some, we’re just as a guest. We do the same thing with our events as well. Then the virtual team can compete without having to travel on site. That’s really the big difference, the difference in our cyber game breakout.
[00:20:51] CS: Are there specific in-person events that the traveling team only can participate in, and then virtual – only ones that the virtual ones can, or is it like the traveling team is there and the virtual team are also there, but just sort of virtually working on the same challenges and such?
[00:21:11] KJ: In theory, that was the goal. But really, we’re going to task organize as appropriate to be competitive. But we have, like I said, we have these 30 athletes on the team, and then we have the 20 or so athletes within the development pipeline.
[00:21:27] CS: So yeah. I had planned to watch the draft for season two of the US Cyber Team a few weeks back, but it happened to be the one day in the past six months that my internet decided to go out neighborhood wide. Can you talk about what happened at the draft? I mean, you talked about the sort of the various competitions leading up to in the interviews and sort of winnowing things down a little bit like that. But what were some of the things when you get down to choosing your team. What are some of the things you’re looking for when drafting a team? I mean, is this something where a football team, like you’re looking to get all the different positions filled? Do you have a lot of different specializations?
[00:22:10] KJ: Before we started this season, we came together as coaches with Katzcy staff, and we asked ourselves, what does the perfect athlete look like to be on the US Cyber Team. There are a few things we said. We want well-rounded athletes. We wanted to have a diverse team, we wanted to be very inclusive. It was not win at all cost, but we wanted to be highly competitive where we could. We looked at the different categories of Capture-the-Flag events, and we kind of broke out the skills necessary for each of those events. Earlier, I talked about cryptography, I talked about forensics, reverse engineering, binary exploitation, and web application security. Those are just different disciplines, even after college or after academia.
We want to make sure our team was well rounded. To be able to figure that out, we had the open event, we had the combine, we had the combine clash and interviews. We were collecting data throughout that entire lifecycle of those events. We were looking at the skills, the soft skills, the hard skills. We’re looking at the data we have from last year, where the team could have done a little better maybe. We took those lessons learned, and that’s really how we started with building the team this year. Unfortunately, because of the great sponsors we have, we were able to have Capture-the-Flag platforms and events that we could put the athletes on to gauge their performance, and the depth of their skill sets, and how they could support our team this year.
Between assessing their skills, I talked about their soft skills, their ability to lead, their ability to work with each other. In representing the US, that is important to us. On national stage, we want people who represent our country as well. That’s really what we – the kind of perspective we started with. Then before the draft, we had all this data and then we gave the technical mentors a chance, and some of the team leads from season one a chance to come in and provide their observations, along with these massive amounts of data we collected over various weeks. We were doing this late at night. The combine for instance was anywhere from five or six at night till midnight, based on what time zone you’re in. We did this all week during the combine. We had a good amount of data and then each athlete was interviewed by coaching staff. So it would be the coaching staff or the technical mentors. We had a really good picture of where we stood on their athletes.
So then, the day before the draft, we came through when we validated at the coach’s summit. That’s how we picked the team. We racked and stacked the team and broke them down into the categories. That’s what you saw on draft day. I could not think of a more equitable, data-driven method for choosing athletes to represent the US. I’m thoroughly impressed with what Katzcy was able to capture during the event, and what the technical mentors and coaches, whatever they agree upon. It was actually a well thought out, well executed draft. The day of the draft was, we drafted by categories. I’m jumping ahead of myself. We’re fortunate to have some pretty phenomenal keynote speakers. Along with the keynote speakers, the way the draft went, the excitement from the athletes and those who are in the development pipeline. It’s just a great success. Looking forward to getting the season started.
[00:26:28] CS: Yeah. I’m excited to hear more about that. Again, you told us about the sort of the delineations of the different athletes, and the teams, team departments, or team specialties or whatever. What are some of the challenges the team faced in the past season, and how as head coach you assist them in this. I’m trying to get a sense in my head of like when competitions are happening, are the coaches, and the mentors and staff with them like advising them as problems are being solved? Or is your role basically over once the competition starts and you’re kind of running drills beforehand, and kind of getting them ready, then you just kind of stand back and sort of watch them go?
[00:27:15] KJ: Yeah. There are multiple questions there. I’ll start with the first one. Season one. Season one, obviously just started from scratch. The team that built season one, they had much different challenges to overcome. First, they had to get the word out, they had to get athletes involved. I was shocked and impressed at how well they did that. Also, they had to grow the sponsors, they had to get the grants to be able to stand up the team. That was a pretty daunting challenge in itself. Season two, we’re starting with a bit more maturity from that. There was a lot more groundwork to lay in season one. Season two, we’re picking up from their successes, and we’re able to start optimizing and building on top of that. They pioneered this. Now, we’re kind of taking it to the next level and be a little more programmatic on how we run the team. I think the second part of your questions was about the coaching staff. Is that right?
[00:28:25] CS: Yeah. I’m just trying to get a sense of what the coaching staff does before the competitions and then during the competitions.
[00:28:34] KJ: Yeah. Very similar to a sporting event, right? If you’re practicing, or you’re doing skills assessments and drills, the coaching staff is on the field with you. Or they’re in a waiting room with you and you’re learning from them based on the things that they’ve done in their past or maybe in their career. But when the competition starts, the athletes run the show within the event. Certainly, they can take time outs, they can come talk to us. But our goal is to prepare them, equip them, enable them to actually have competition, and maybe be able to travel and whatnot. But amongst them, they will appoint their own team captain. Usually, that team captain kind of grows itself out of the team, and then athletes rally behind that captain. Like in the military, take all the commands from the tower, but they still have the freedom to work amongst each other as well. So you’re spot on. The coaches and technical mentors are there to prepare them, and get them to the events and help them at the events. But in game or in competition, they’re really led by themselves.
[00:29:58] CS: Right. Okay, that’s perfect. That’s exactly what I was curious about. Now, you mentioned a little bit of team communication and so forth. Now, I’m again, I’m approaching this from having just learned about it a couple weeks ago here, but I’m assuming that there’s sort of multiple challenges happening at once. So you have like the specialty people who are working on reverse engineering over here. People who are working on red teaming or blue teaming over here. Is there a lot of cross specialty conversation? Like if this person is working on this challenge, and then someone over here says, “Hey, I need your cryptography know-how on this thing that I’m working on over here”, is there a lot of that or is it more like a track and field, where it’s like, first, we do the red team, then we do the pen test, then we do the reverse engineering, then we do the CTF, then we do this, and that and that?
[00:30:48] KJ: Yes. With the Capture-the-Flag events, and you’ll hear us refer to as Jeopardy-style Capture-the-Flag events. Oftentimes, those events are all – each of the challenges within an event are released all at once. Based on those other categories I mentioned earlier, there will be different disciplines on the team that will work on certain challenges, at the same time as some of the other team members working on other challenges. You’re just bouncing ideas off each other. They’re in Discord talking to each other, they’re sharing artifacts they’ve discovered, they’re asking each other techniques. There is a lot of real time collaboration going on. But yes, there is a bit of discipline required to complete some of the challenges, where you put certain expertise on those challenges, until they solve them.
[00:31:45] CS: Imagine this is a case where the team captains are doing sort of the allocating of tasks, like the challenge comes down and they say, “You take care of this part and you take care of this part. Let me know if you’re having problems.” Then you sort of start communication that way.
[00:31:58] KJ: That is spot on. That is much exactly how it works. It is a bit of controlled chaos.
[00:32:05] CS: I imagine, yeah.
[00:32:07] KJ: Like I mentioned earlier, many of these athletes, this is not their first, this is not their fifth, this is probably their 10th time competing in these events. Because many of the athletes, either through academia or in their early careers, they’ve been doing this for years. Many computer science, computer engineering, different universities have Capture-the-Flag teams. They do the same thing as a US Cyber Game. We’re fortunate enough to have some of the best from each of those teams that make up our team.
[00:32:07] CS: That was a question I was going to ask next, because I’m assuming that every single – there’s a lot of these competitors that have been doing this for a long time now. But the US Cyber Game specifically is only sort of two seasons old. Are you kind of the new kids on the block at this point? Are there new sort of seasons, leagues, whatever sort of springing up all the time? How does that sort of match you up against – you’re done with other countries like Israel, or Germany or whatever. How does that match up with, like if you have a team that’s been doing this for five, seven years, so they have like a big sort of advantage in that regard?
[00:33:21] KJ: Sure. I think you’re probably aware. There’s a lot of CTFs or Red vs Blue challenges at different conferences: DEF CON, Black Hat. In your CTF time, you can go on there, and you can see all – many of the CTFs that are happening across the globe at any given time. It’s definitely not a new concept now. Coming together under one flag here in the US is a new concept. There’s been schools competing against each other, at conferences competing each other, companies, staff and teams that go compete at events. This is definitely not a new thing. I would say, as far as organizing under a flag or a guidon for the country, that’s a much different approach. Our approach to how we – where we get athletes from, 18 to 25, right? We’re not looking to take the industry’s best practitioners in mid-career or late in their career and put them on this team. Think about the way Team USA was formed for the NBA. Well, from the NBA and anyone competed internationally, we’re not –
[00:34:33] CS: That’s what I was just going to ask. If this is like the US Olympic, like basketball team or something like that, like you have all these other teams and they’re coming together for this specific group. Okay, that makes more sense.
[00:34:43] KJ: Before, we would use colleges for that, right, the best athletes before they became professionals. That’s pretty much what we’re doing here. We’re not looking for someone mid or late-career to be on the team. We’re looking really, this is a career development process for athletes.
[00:35:04] CS: Okay. Can you give me a brief example or summary of some of the types of challenges that you’re trying, that you tend to try to solve in these. Again, I’m trying to get a sense of the moving parts involved in the challenges. Like you said, they’re dumping all at the same time. If you have seven different things in your challenge, is there a progression where you have to solve this, to allow you to solve, this to allow you to solve this? Or can they all be sort of solved independently and you’re just graded on once they’re all done?
[00:35:39] KJ: Yeah. That is CTF dependent, but many CTFs release the challenges. You go through target up, target down, and you get a score. Some have multiple steps to them, where you have to gain initial access. Then as you – are more successful in this scenario, the flags or the objectives that you get through have a higher points value. It’s not always one scenario, one points, one level of points. It could be multiple stages that get you incremental points as you go through. Yes, you’re spot on with that. Then the Red vs Blue challenges, those are – hey, I have a vulnerable application that I must defend. But I must keep that application up while a determined adversary is trying to take it down. If they take it down, it violates my service level agreement. If my service level agreement is impacted, I start losing points. While I’m trying to keep that vulnerable application up, I’m also having to attack the other team to do the same thing. This is real time Red vs Blue scenarios, where again, you’re competing with the service level agreement, you’re competing with the determined adversary, and then you’re also having to respond from an offensive capability. You can also score against the other team. Okay.
Those are kind of the two types of CTF or competitions you’ll see. But the first one, Capture-the-Flag events, those are generally categories that are released. Based on complexity or difficulty, they have different scoring. Easier challenges score less; more complex have multiple scores. You’ll see different strategies where maybe your team has more skills in, let’s say, cryptography, so they go after the very challenging cryptography challenges to get points very quickly.
[00:37:51] CS: Ah, yes. Okay.
[00:37:53] KJ: Because you got a good sense that you could get the lower scores. So spend effort on the harder ones.
[00:37:59] CS: Yeah, and then whoop up the other ones, right? Okay. So it is all points. I’m assuming there’s enough challenges that get thrown at you in a competition that you’re not going to completely wipe the board clean of them. Does anyone ever get them all in the same time?
[00:38:14] KJ: No. It’s almost also how long are the competitions, right. Some are just handful of hours, some are multiple days, some have different phases. It all depends, but majority of CTFs all events do not get completed by one team.
[00:38:33] CS: Got it. Okay. Now, thinking, and again, I apologize if these are kind of new questions. I know the CTFs obviously are things that are kind of pre-created as a puzzle to be solved ultimately, from multiple inputs and so forth. For Red team vs Blue team challenge is that more just – is that really just head-to-head competition and that you’re just throwing your offense and holding your defense in whatever way necessary? Are there certain like protocols or rules that are set up in advance? Or is it more like soccer or highlight, where you’re just trying to push forward, and the other people are trying to push back and then you’re pushing back?
[00:39:19] KJ: I mean, it is real time exploitation, real time defense, real time denial of service degree. For attacking is denying, degrading, destroying, but within the rules of engagement for the event. Before one of those events kicks off, it’s very clear what the rules of engagements are. For instance, you will not block the scoring bot. The scoring bot must have access to your applications you have a service for, right?
[00:39:50] CS: Don’t be a dingus. Don’t cheap out.
[00:39:53] KJ: Right. You also can’t hack the infrastructure that’s hosting the challenges, right? There are definitely rules of engagement that really kind of drive the scenarios. Obviously, there’s staff during Capture-the-Flag or Red vs Blue challenges that are watching for those rules violations that are fallible.
[00:40:18] CS: Okay. I guess, the more I think about it, maybe like chess would be a more apt description for Red vs Blue where – yeah, okay, you’re always on both defense and offense. Okay, that’s cool. But it’s not like a thing where like the red vs blue is, we want you to use this specific channel, or you want to see if you can do it in this specific kind of way or anything like that. It’s up to the teams to decide how they want to attack and how they want to defend, right?
[00:40:46] KJ: That is, as long as they’re within the rules of engagement, and they are paying attention to how scoring is done. Because remember, you lose points by your service being down, or you can gain points by taking the other team service down. Then also, based on how much uptime your service has, there’s constantly like scoring going up and down, and you have different methods of doing both. Yeah, exactly.
[00:41:13] CS: Okay. I’m sure we have a lot of listeners right now who might be students or learners who are biting at the bit to find out how they could possibly get involved in the US Cyber Games in some capacity. What are the criteria for acceptance, either as athletes, or coaches or mentors? I see, as you said before, you narrow the field from 500, to 70, to 25. Can anyone sign up for those early scrimmages? Is it invite only? Do you go through schools, or can you sort of apply yourself in as a free agent?
[00:41:47] KJ: That’s a really good question. I get asked this all the time. For joining the team itself to be an athlete on the team, that is a competitive selection process, which we discussed earlier. Right? We will advertise when next year’s openness and next year’s combine. Follow us, US Cyber Games and US Cyber Team for announcements on that. Also, the US Cyber Games website is a perfect place for information. We’re on all different types of socials, right? Whether it’s LinkedIn, Twitter. Very easy now to keep up with US Cyber Games, and specifically the US Cyber Team.
For coaching, the head coach and the assistant coach, that is a nominative position. So you get nominated, and then a committee interviews you and then they select you. Those two positions have a different mechanism getting selected. In a technical mentors, we’re really looking for technical mentors with experience in Capture-the-Flag events, Red vs Blue, or in specific technologies or types of technology. For instance, I mentioned crypto, I mentioned forensics, I mentioned web application security. We’re looking for technical mentors that have great depth in those categories or specialties. These are all volunteer positions. We’re always looking to add additional staff, being as volunteer-only staff. Reach out to myself, reach out to the assistant coach, to Katzcy’s staff, any of our technical mentors. Katzcy has done a great job of showing how to get involved.
I think one of the ways that many could get involved and anyone listening today is through sponsorship. That is a substantial way to help the team. Also, you get a good bit of interaction with the athletes, the mentor staff, and you’ll be on our website, you’ll be on our logos, you’ll be on our jerseys, and be there rooting along the team. So always looking for more sponsors.
[00:44:12] CS: Jerseys. We got jerseys. Folks, they got jerseys. I love it.
[00:44:15] KJ: We have jerseys, we have polos, we have pullovers. The has some nice swag. That’s for sure.
[00:44:22] CS: Some merch. All right. Can you talk in a sort of educational way about some of the ways that the skills honed while competing in the Cyber Games mapped to the types of challenges that cyber security professionals of the next several decades will face? I mean, I’m sure this event is fun, but I’m guessing it’s not just for fun. Like I guess, first, are these challenges sort of built to sort of solve the types of problems that you would see in future careers, and also like – I guess also, in like – what is the challenge level of these vs – are they similar to what actual challenges you would have in a business, or federal, or military situation?
[00:45:08] KJ: Yeah. Good question, Chris. I think historically, you could get a degree, and then you could go learn how to do your job, right? But you may not have dedicated hands on or be comfortable on day one of starting a new job, right? Also, since cybersecurity is ever evolving, what we were doing last year, the year before is substantially different with what we’re doing even this month, right? Being able to continuously hone your skills through competition, and through a team of events, I think really helps overcome something. I think plagues in our industry is impostor syndrome, right? You can actually come out and compete with like-minded folks, similar academic backgrounds, maybe similar, it doesn’t have to be similar. And can try your hand against all these different specialties in Capture-the-flag events, or the more real time, Red vs Blue challenges.
To answer your question, does it help – it helps substantially. The confidence – learning to write code in a computer science class, but never dealing with a determined adversary during incident response. That’s quite a gap that to close from a classroom. Doing things like that in a challenge, real time, real live event, definitely builds up confidence, prepares you for those moments when you are working somewhere and providing a company that level of skill. Also, many of the athletes will go on to work at product companies, cybersecurity companies. It may help with data science. They may develop behavioral analytics, maybe machine learning, AI from what they’ve learned through Capture-the-Flag events whatever challenges. It just moves the whole profession forward, in my opinion.
[00:47:28] CS: Yeah. I guess that probably also ensures that if you have this particularly intensive type of hands-on experience, as you’re a student, and as you’re moving towards your first jobs, that you’re probably going to almost naturally start in a higher position than you would otherwise, because you have such a demonstrated sort of range of skills.
[00:47:52] KJ: That’s fine. I mean, you know have demonstrated academic success. You’ve also showed your willingness to compete, and do something either before or after hours of d your career. It’s constantly honing your skills. It’s like athlete. You don’t go to the gym for a couple of weeks. You start feeling degradation, right? No different in cybersecurity. I think the confidence building, the workforce development that US Cyber Games is responsible is phenomenal.
[00:48:27] CS: Yeah. Well, that’s great. That goes to my next question. In terms of, as you say, exercising that muscle or those muscles. One of the things we feature on our InfoSec resources website over the years, is we have authors who will do walkthroughs of decommissioned CTFs, and sort of showing what techniques they used and how they got to the end. Obviously, there’s a million ways you can do any challenge. It’s just one of several, but it’s kind of like a hint book if you’re really stuck. For listeners who – unlike those in my previous question – aren’t as confident in their skills at these types of challenges, but who want to get better? Do you have any advice for how to break through tricky problems when you hit the wall? Do you have sort of cool down, rethink, sort of redirect strategies for people when they get really – when they start grinding their gears on hard things.
[00:49:18] KJ: This is precisely what we run into with the US Cyber Team. Some of these challenges, they’ve just never seen them before. They’re so obscure. Maybe the technology they run into, it was nowhere in their career thus far or in their academic programs. Yeah, some of the coping mechanisms or taking a deep breath back in away, taking a break. Also leveraging folks around you. Hey, I’m struggling with this. Here’s what I’ve tried. What you’ll find in the profession of cybersecurity is, many people are willing to help you if you’ve exerted effort first. If you’ve exerted effort, and it is a logical sound approach, but you’re stuck. Generally, someone will help you. But if you’re just throwing your hands up and having – one of the things I like about the company Offensive Security is, they had this mantra, to try harder.
Many years ago, when I was going through the OSCP certification, it frustrated me to no end, but it taught me to fish. It didn’t just give me what I needed, but it taught me to fish. I knew how to do my research. I knew how to train myself without having to sit in a classroom. That’s what the cybersecurity profession really does. Have you applied effort? If you have, then ask me some questions, I’ll help you. But don’t come to me empty handed, right? Apply some effort, if that doesn’t work, try harder. Do a bit of more research, and if you’re stumped, reach out for a lifeline from other people competing in those same events and those same challenges.
[00:51:12] CS: All right. That’s a great way to wrap up today. As we do, if people want to follow along with the US Cyber Game’s team, and the competitions that they’ll be taking part in, is this something that audiences can watch virtually? Do you have to be at the events? Are there ways that folks like me or listeners can tune in?
[00:51:34] KJ: This is changing in real time. We are getting closer to like live esports. I do not believe we’re quite there yet. You can see scoreboards, and obviously, there’s video clips on social media from time to time during events. You can certainly root us on through socials, but that is improving. Just be on the lookout on different social media outlets for US Cyber Games and US Cyber Team. This is changing in real time, so I – today, can you watch the CTF from end to end? It’s very difficult because, who would you watch? Would you watch an individual challenger? Would you watch an individual team? Would you watch individual event, the whole event? There’s a whole lot that goes on during the event.
What I like is attending in person. Fortunately, as a coach, I can see it happening in real time and I can visit other teams. I can’t interface with the athletes, but I kind of get a sense of what’s going on, where the struggles and challenges are and who’s doing well. But that’s certainly something that’s already improving. I know there’s Twitch for watching video games. Not quite there yet, but it’s not far behind.
[00:52:47] CS: It will not be far behind for sure. Now, will there be sort of recaps? Once you solve certain problems, and once those sorts of challenges are out of the competition, are there any sort of like recaps of how your team solve problems or anything like that?
[00:53:05] KJ: We haven’t done them for the large competitions. But for challenge walkthroughs, they’re all over the place. That’s certainly something we can look into. I talk with the staff, and then the mentors, and coaches to see how much of this can we actually release? Because a lot of times during our particular events, these challenges, this is the first time these challenges have ever been seen.
[00:53:31] CS: Exactly. Yeah, you have to really make sure you’re not sort of showing the end before it can be used by everybody, I suppose.
[00:53:38] KJ: That’s right. We want to protect it as much as possible from event to event, just so there’s not writeups. A lot of writeups that are floating around that events are just very easy to repeat. We actually want there to be authenticity to solving them, and giving others out, that didn’t compete in the competition a chance to go through them themselves as well.
[00:54:04] CS: Okay. If people want to just start poking around, looking at the US Cyber Games, where should they go online?
[00:54:09] KJ: Oh my gosh. We have a lot. Our Katzcy team does a phenomenal job of keeping up with this. First, I will start with the US Cyber Games website, so uscybergames.com. I will start there, and all our socials is on there. Then I would follow some of our sponsors. Our sponsors are constantly helping us out with donating funds or resources. I think many folks that are tuned in today have heard of MetaCTF, Hack the Box.
[00:54:44] CS: Oh, yeah.
[00:54:46] KJ: They certainly have heard of NICE, and SISA, and Microsoft, and CyberWire and all of our sponsors. I would follow them online, go to our website, and check us out on YouTube, check us out on LinkedIn and Twitter, of course.
[00:55:05] CS: Love it. Ken Jenkins, thanks for joining me today. I’m looking forward to following along with your team through the entire series two.
[00:55:11] KJ: Thanks, Chris. Appreciate it and thanks for having me on today.
[00:55:15] CS: My pleasure.
[00:55:15] CS: As always, thank you all for listening to and watching the Cyber Work podcast on an unprecedented scale. We’re delighted to have you all along for the ride. Thank you once again to Ken Jenkins, and thank you all so much for watching and listening. As always, we’ll talk to you next week. Take care now.