10 Steps to Build & Lead a Cybersecurity/CTF Team

an instructor's bible in book so again case if you want to deep dive with more of us I literally have something that's available and accessible for our teaching a little bit of Linux and stuff on the keyboard on the console step number two is grow a central repository of the training material that you build up as a team so this can take any kind of format you want right this can be a github repository it can be a list of whiteboard if you want but remember the more kind of engaging more dynamic and active than it is the better and more accessible it is for all of your people so for an example like like a web portal

right say your team members have an account and a login they can join weather and then they can interact with everything related to your team and I think that it shouldn't be everything everyone can touch everything newcomers veterans alike get these personally access so that they can create and add to their own content material so you as a leader should be doing that thing right you should be creating and developing custom challenges or training material and make them accessible to your team give them your people and then encourage others to do that exact same thing so once someone breaks the glass ceiling when someone reads their own challenge or their turning material like just a team member

does any any one major group suddenly that excitement will like spread like wildfire because for one thing they're gonna want to show off what they've made their don't want other people to play with it and try and then all the others are going to be kind of in that same movement man I want to try I want to make something and show it to me because that's cool that's exciting I think that that is the secret to kind of growing that internal growth and development now that you've got your self training door people suddenly you're going to have your people training your people and that's awesome we've got this internal feedback win-win ok step number three

now that your people are kind of learned up there kind of find their way find stuff they really liked and want to specialize in let the team members share their knowledge give them the spot let them teach offer opportunities for like each individual present and showcase their own tools their own techniques vulnerabilities and exploits are finding plate so every Sunday I would kind of a pain like our team slack channel and that's a tangent step three and a half have like a slack channel or some kind of discord server from out of those a means of communication like constantly be in touch with leader group back to step three I would paint them on select

my kind of ask paid to Sunday because we coming up is there anyone that wants to give a presentation or can you give a demonstration or a briefing to kind of showcase our angles and the whose immense to be an opportunity for veterans for the people that have kind of hone and sharpen their skills to teach and train the other members but that can be just about anything like a person could give something little more theoretical or just a very general topic or they could go deep in the weeds right they can talk about RSA cryptography or binary X points etc they could talk about how to code applied sequel injection attack and pipe anything or just stuff it's silly and

fun like the steam locomotive commandments just to showcase cool thing so this team a lot more like life to our practices and it helped kind of spread the wealth like as one person grows they share what they learn and then others grow with them and the same thing with like creating challenges and creating custom training material this is contagious like as soon as someone presents some of their stuff then that's going to grow like wildfire again someone else is going to say that's cool okay step number four this is kind of in addition to that slack channel or discourse or keep constant communication and I mean like worthwhile communication right you don't want to hang off an email an

article that you haven't even read yet you want to kind of digest and curate the cool stuff that are given to people so I always start off with whatever I would start to practice I would kind of do what we would call fondly the shield that was really just a segment for announcements of updates and that would include stuff from CTF time so CTF time for the online kind of horrible and management stuff for monitoring upcoming games or homecoming CTS competitions I would include stuff from a daily newsletter a real-world cybersecurity stuff you wanted to share and I would catch things in maybe a supper so our / savior security TIR / sa and at

the end of this like at the end of when you were passing your information open the floor and give it to the so number five provide incentive for your people to engage and encourage them to do so right you want to give praise to people and recognize them to work hard so one way to do this and there are a lot of different ways maybe your central repository or your challenges or stuff you do your hub maybe that has a leader board and people that solve more challenges right will climb up on the leader or just like any regular see ya but that's your homemade custom challenge again fosters more of that internal growth or maybe team members

that give more presentations or right or right arrows can also eating points in a climb up on that border and whenever you provide an update like whenever you're making announcements or doing it the field whatever you want to call it on a daily or weekly basis don't hesitate to like call people by name that are doing stuff do that public celebration if someone on your team is consistently willing to give a presentation like on a daily or every week all that wow that's awesome if someone is doing something and in solves a challenge in a recent competition that requires some hard core or cyber lead to still call them out that's awesome same thing if maybe a few

people like a select teamwork the only capitalist lag but not everyone that's okay celebrate the people that did so the maybe next time the people that do it and they missed out of the game would be willing to join okay step number six is constantly lookout for new events your priority like your number one abroad should be training about exposing people to new things so do everything in your power to share the most amount of experiences with the most amount of people and that may mean like kind of spend the funding to get so many people who are one of them you want to be thirsting to like new events it goes so look on the internet follow

those sub reddits check the pulse of upcoming events stay on top of like these live conferences like this no one would tickets go on sale so you don't miss when they sell out and check if they have a cap supply check if you've got something to really again get engaged be on the keyboard but again you want to stay on that whole plan the availability to go see as many as you can so step number seven is the real thing right this is the most important step like playing capture the flag and actively practicing frankly do it for real plate CTS and play so many CCS that you grow kind of an association like this underground tribal knowledge of

each game that comes up so that when you see something on the calendar you can tell your people oh I played this last year before I seen this two years ago this is a really hard competition or hey this one is pretty pretty nice beginner-friendly there's a lot of training value I want everyone to do I want everyone in play that's awesome and when it's ETF is into online play organs right practice over the wire or smash the stack ring 0iq crush and extra exercises the list goes on and on and if the war games are kind of out of reach for the newcomers they just don't have the skill center that have built up a

competency just yet that's okay that is again where your custom and home and chapel to school because you can define that learning curve you can set the granular difficulty right maybe some of the stuff or advanced or goes deep into reverse engineering providers rotation for web stuff if you want to again hold the hand of your people are growing and learning I think that's what you want to put the custom stuff and we can talk about that if you want to learn doctor or a really accomplished okay step number eights read the rights and rights rights analyze if you're about ethics whatever you and your team play tackle a competition keep track of what you solve and then we didn't keep in

mind the category right the actual like general subject for what you doing solve so right write-ups to the Chavez that you did solve and then read write-ups for the challenges that you did exalt one of the best things now is that write-ups aren't just a wall of text that like make your eyes glaze over you have a lot of different form of media or how you - right so video right us live overflow to do a whole point myself have set a lot of people on the internet they're trying to produce stuff and on board it's not the best right because you can't copy paste cover but with a video run or with a screen tap you can see literally

everything that happens and that's so I think that's important but the biggest thing is just reviewing how something to solve or how what the answer really was when you see a challenge with haven't seen so when you're going through right up video or not don't just read the writer but like actively participate and the right follow along do it do it too if you did solve a challenge or someone on your team didn't make a presentation right showcase how that's done if some other people didn't solve it just to spread that knowledge and recreate maybe some similar challenges or something to steal again in that central hopper for you repository and tell your team members

once write-ups go lock but if you're monitoring seeds you have time and maybe someone else doesn't but the middle your announcements your speed whatever the case may be keep that communication step number nine repeat do this again and over and over and over I'm sure you probably notice that not all of these are a one and done thing you're going to have to do this over and over again and that builds the pulse or the heartbeat of the routine of the people that you're trying to try okay step number of tests the final step stretch your people so this is the icing on the cake like a lot of these steps when you implement them when you do them

they inherently you as kind of believe or the example that you want that seems to be but if you want to hit the next level so once you're gone someone can pass the torch or whatever the case may be if you want to go all in you have to stretch it you have to drag them out of their comfort zone so walk around during practices like actively see what people are doing to make sure everyone's engaged and has something to preoccupy themselves with or is learning something and what a competition comes up that you know it has a lot of training value like hold people to make sure that they play tell them oh I want

people to solve climate challenges or ten towns for 15 towns keep pushing them to break that glass um and show them the people that are succeeding or the people that are solving like things so that they know who they can reach out for who they can ask for help so one thing that we did during the IEP CTF was could be wanted to improve each member individually sure that's it it's a team account but we still want everyone to solve everything even if someone else's are to solve it just so thank you and it was as if each player was playing a lone woman but we're all in the same group so you can ask for help just hang out with your

friends you need a little bit more dots so something that we did was literally create a new Google Doc like a spreadsheet and each team member would mark the challenges that they solved this was again only one map one form of how you want to find you wanna keep people benchmark in check but that would at least be a visual display like who has done the most work who can help me or help someone on a specific challenge who needs a little more work and it provides kind of this accountability and I hate that word I think feedback is a lot of though I think that that kind of affect us you can advance work yourself with the

other people in the room and you can measure what we're learning for how we were growing that's a really cool thing especially when it's with people used to decide every day so when you train when you do these competitions and the whole point is to do as many competitions of CGS as you can even if it's hard even if you put your head in the sand wins and it just sucks you still want to expose yourself to the new technologies whether or not you solve challenges whether or not you after you make it almost over where do you want to eat just plugging yourself in and being in that scene is what's going to help you grow same thing

with your team same thing they're so encouraged that possible okay so I kind of liked there is no 10 step formula to build or develop assignment that was just a sneaky trip to David comment talk but I think what we can kind of come to and what we can know and decide on is that if we ever do want people to improve and to grow there's no way to encapsulate there's no way to like put in a book or packages or anything but what we can see is that it requires constant practice for one thing every requires kind of a platform a platform or a framework to monitor your progress and see how you grow and it

also requires a means for Elaine to feel good so the most important thing is to really just keep your people happy but you want to keep them in the scene keep them excited keep them working kind of a short talk sorry but thank you hopefully this the 10 steps do you guys have how do you avoid the cliquish nature that can sometimes develop in any team and especially with technical things where you have some people who are leaps and bounds ahead of all these how do you prevent this cliquish behavior and the lower performers are newer performers feeling like they don't think yeah so we tried to figure out a real answer for that rolling on I think again the physical

space house you've got more collaboratively designed desks sit beside people that you know are new or plug them in to where they can help maybe move a newcomer or someone that is more interested in a different field write some really big cryptography but this other individual wants to do reverse engineering maybe put them aside to see what they can share when it comes to that kookiness oK we've got an elite a team and we've got an encounter B team one thing that we tried was cheesy like buddy system where you did a couple of one person with another and just bring them up to speed or please sit them together for one we have to apply one

thing I think is temple to this what is very cool is what you said that that struggle and hardship trying to keep teaching your players and those people that are good strong skill set well you want to actively grow in your new comers having a little bit more Hannibal I think the custom challenges and the developing your own materials when you do that especially if your veteran players are still feedback from to themselves creating their own does that kind of come close to answering your question okay what a minute from besides oh yes so sports teams you're always going to have somebody that is betters my newer not a skill and whatever sport is so team building even

dumb as all right listen up eat soon beer let's talk about something else besides what you're just doing something play just come from hey listen we start talking about music engage people outside of the computer it does break down some barriers you find out like you know something would never talk this person outside of like this attorneys get into the bad game there's walking Mike attorney that okay this is how I met them just we'll give him would have never probably talk to this guy the same thing you're saying you circular désolée something outside just the activity at hand actually goes much further away or building a great team chemistry and personality outside the skill set but

really things I didn't include specifically that stuff for this talk because I paid outside of that technical range but I think that is also incredibly we would do barometer we had someone wants to watch movie we'd hang up cheesy video games in the room that's what you want to do or dedicate one day maybe we're not practicing you're just going on for a just morale it's important thing especially depending on how much time during the day you have to keep some and bring them in the situation that I have been in where we would work for two or two hours a day or less maybe not a half of one hour every weekday I think it would take maybe a

month or two for someone will really roll through over the wire learn their Linux command line stuff and then slowly you sprinkle in the custom challenge the exposure to a web star so I think at that pace where it's two hours a day every weekday maybe three months but again it's slow and it's gradually but again how much you can be engaged with them how much you can hold their hand you can fast-forward that to one of us

[Music]