
John is a U.S. Coast Guard hacker and CTF enthusiast. He's a US Coast Guard Academy cyber team captain who led the team to winning placements in multiple competitions, both civilian and military. Personally, he develops training material and InfoSec challenges and briefs multiple VIPs on cyber security. He's also an instructor and curriculum author for a Coast Guard course on introduction to Linux, with gamified learning material and classroom activities. He's also an online YouTube personality to showcase programming tutorials, cybersecurity guides and CTF video walkthroughs. So please put your hands together for John Hammond.

Thank you. All right, hi, good morning. Thank you, thank you for coming to hang out and see my talk, and thank you to BSides for
slipping me in in the morning and giving me an opportunity to speak, so thank you very much. This is "The 10 Steps to Build and Lead a Cyber Security or Capture the Flag Team". The steps are gonna be kind of high-level in nature, but I'll try and be as detailed as I can to explain how you can actually and actively accomplish them. I will be around at the end if you have any questions, of course, and we'll get to it.

So, obligatory introductory slide: hi, hello, I'm John Hammond. I am a Coast Guard hacker. I've been doing that for a couple years with them, and that's how I got all these cool PowerPoint presentation skills. I have availability
on the Internet, right? You can find me on the interwebs. I have a GitHub account that should have a lot of the code, content and material that I'll be showcasing here, if anyone is interested, and I have a cheesy YouTube channel where I showcase some programming tutorials, video walkthrough write-ups for capture the flag challenges, etc. So if you're interested in that: like, comment and subscribe.

OK, so step number 0. The title of the talk is a little bit of a falsehood, right? I went from 0 to 10 inclusive, so it's really 11 steps, but "10 steps" sounds a lot better in the title. I digress. So this is step 0 because it is self-evident, right? It's kind of implied: if you want
to build and train a cyber security or capture the flag team, you want them to have a network or a playground to really practice in. So you want that both physically and digitally. For one thing, you want a physical space, a room and infrastructure that encourages that creativity, that innovation, and just, like, kind of spawns the enthusiasm for that kind of work. And also digitally, right? You want it to have unfiltered internet access, because you're probably going to be looking at port ranges and computers that you may not want someone else's thumb on, and you want access to a lot of technology, right? So you've got Windows computers, of course, just as we're used
to, and Linux machines, especially Linux machines. And you still want it to have that cool hacker-friendly vibe, right? So have a lot of toys in there, have a lot of gadgets, like security reference books and stuff like a Raspberry Pi or a WiFi Pineapple or Rubber Ducky, that stuff that just fosters enthusiasm and excitement when someone's bored and just wants to jam.

So this is a physical space that myself and my team occupied for a little bit, and I actually hate this. I use this as an example of what not to do, but this is probably just personal opinion. I think that those kind of tables that are just jutted out are bolted to the ground, and that sucks.
I think that's dumb and stupid and stupid and dumb, because I think as a team you want to be, like, close and comfortable and cozy, right? When you have that literal physical separation, it inherently divides the team, and I didn't like that. So eventually we did get that kind of space, and that will lead me to the real step number one, right?

Get your people on keyboard, and, like, as fast as you can. This should be the first thing that you do, and it should be everything that you do. So when you're first starting out, right, when you're trying to build up this team, you're gonna be trying to recruit newcomers, and they may not know any of this stuff. They may not even
know how to use a computer, or just don't know what these acronyms are, and that's OK, right? Because you want to be open and inviting and just receptive to everyone there. You're not trying to be selective. So what you should do is get them on a command line as fast as possible and sit down right beside them, like, literally be beside them, and show them that you want to teach them. Just walk through steps with them, go through command by command, and get them up to speed. In the beginning you're gonna be teaching a lot of introductory and fun stuff, but that's OK, right? You can make it fun and engaging, especially if you're on an operative. So a utility that I put
together to kind of help teach people this introductory stuff is called Training Wheels. You can find this on my GitHub account. It's part of the Introduction to Linux course, and it acts like a voice, right? It manifests itself in kind of another colored text while you're working in the Linux command line, in bash, in the shell, and it will kind of talk to you and walk you through certain kinds of lessons. So you may be entering a command, it may be teaching you, OK, about the man pages or how to navigate through the filesystem, etc. And for one thing it's holding your hand, right? But I may not have to be beside you, looking over your shoulder or
breathing down your neck, but you're still engaged, you're still on a keyboard, and it's not a lecturer kind of droning on in front of the PowerPoint presentation, making you guys fall asleep, like right now. OK, personally, I think that that active engagement and that reinforced learning is the best way to teach people things. You should try your hardest to gamify everything. Anyone play capture the flag? Cool, yeah. So make everything a capture the flag. Make, like, trying to exit out of vim a capture the flag. Everything that you can do, give your people an opportunity to learn something, practice what they learn, and then actively feel like they're in control of their learning.

OK, number two: grow a central
repository or kind of a hub of your training material, and this can be any form you want, right? This can be a GitHub repository, this can be a list on a whiteboard if you want, but the more dynamic, the more active and engaging that it is, the better that it is, right? So take for example, like, a web portal, a framework that your team members and yourself can log in to, have an account, and they can interact with everything that your team does. And that's exactly what I mean: you want it to be everything open and accessible, so that every team member can contribute. Like, new or old, veteran or newcomer, they can still add their own content and
create their own material. So you as a leader, right, should want to develop challenges and make that training material, make them available to your people, and then make them want to do the exact same thing. Once someone breaks the glass ceiling and creates their own challenges, suddenly that excitement, like, spreads like wildfire, because for one thing they're gonna want to show their friends their challenges and, like, broadcast it, right? And suddenly other people are going to want to make challenges too, and I think that that is, like, the secret to fostering group growth and development, because now you've got this awesome feedback loop. For one thing you train your people, and then suddenly your people train your
people, and that's awesome. That's a win, that's wins all around.

All right, step number three: let your team members share their knowledge. Now that everyone's kind of educated and, like, learned up, right, give them the spotlight and let them teach. Offer opportunities to present tool cases, like, present different tools, techniques, vulnerabilities, etc. So every Sunday I would ping, like, our Slack channel. And that's a tangent, step number three and a half: have a Slack channel or, like, a Discord server or Mattermost thing to keep that communication with your team. Back to step three: ask them if they're willing to do a presentation or showcase some kind of demonstration. And originally this was meant for, like, an
opportunity for veteran members to showcase what they've learned and prove their skillset and train the other members, but this stuff could be anything, right? Like, it could be a theoretical presentation, it could be, like, a very general topic oriented, or it could get in the weeds with, like, RSA cryptography or binary exploitation, or even, like, trying to code a blind SQL injection in Python. Cool, cool stuff. Or it could be fun, it could be, like, a morale booster thing, like the steam locomotive command in Linux, sl. So this brought a lot more life to our practices, right, and it helps spread the wealth. As one person grew and developed, they could share what they've learned and then help other people grow
and develop just the same way. And just like creating challenges and content and material, this kind of thing is contagious. Like, as soon as someone sees their friend give a presentation, they're gonna be like, "I want to do that too", and they'll create their own presentations and present in the future.

Step number four: keep constant communication. And this is kind of in addition to the Slack channel or Discord server or whatever you do. Always be in touch with the people, and I don't mean, like, annoying emails that you forward and you haven't even read through an article or something. I mean worthwhile content. You want to digest and curate what you show off to
your people. So I would start out practices with what we kind of fondly referred to as "the spiel", and that would often include, like, time stamps and information from CTFtime, so an online resource to kind of monitor upcoming competitions and stuff like that. I would include things from the Zero Daily newsletter that HackerOne showcases, in case there's any real-world security events going on, and I monitor stuff from a subreddit like r/securityCTF or r/netsec, because you can always find new events and just stuff going on in the world. So at the end of that, at the end of passing that information, open the floor and let your people do the exact same thing, in case they have
anything that they want to share, they want to bring to the table. That's awesome.

OK, number five: provide incentive for your people to engage, and then encourage them to. You should give praise and, like, publicly recognize those people that work hard. So for one thing, your central repository, that hub, could have, like, a leaderboard, right? And maybe the people that create and solve those homemade challenges will climb the ranks on that leaderboard. Or perhaps, if you wanted to make it so that people that present more often, that solve, create, produce more challenges, or create write-ups, solutions to the challenges, maybe they could get points for that kind of thing. And just give them a means to see their
progression and their growth. And when you provide an update, like the spiel or some other kind of announcement forms, like, don't hesitate to call people by name and just publicly recognize them if they're doing good work. Like, if someone on your team is consistently willing to give a presentation or showcase something, recognize them. If someone, like, solves a crazy hard challenge in a recent competition that requires some uber-leet cyber ninja skill, recognize them. If a few people work on one CTF with you, and just a few members of your team but not all of them, that's OK, but you can publicly recognize the people that do, and then the teammates that don't will be more likely to
participate in the next competition.

Number six: constantly look out for new events. Your first prerogative and your priority should be training value, so do everything in your power to share experiences with other people. That normally means trying to send as many people as possible to as many things as possible. You're gonna want to be thirsting for new events to go to, so lurk around on the internet and check the balls for upcoming, like, competitions and capture the flag events. You want to stay on top of BSides conferences like this. Know when tickets go on sale, know if they have a capture the flag. BSides Delaware is next weekend, anyone going to that? All right, it's a road trip.
Yeah, I gotcha. Plan the availability to go to as many events as you can. Try to go to SANS training, attend NetWars, go to CyberSEED in Connecticut, or competitions like MIT CTF, Kaizen, HACKtheMACHINE. The list goes on and on. Anything that you can get your hands on, push for it and fight for it.

Step number seven: play CTFs, right? This is the big one, this is the most important step. Actively do it, actively practice. Play CTFs, and play so many CTFs that you gain some sort of weird association and, like, tribal knowledge for upcoming competitions. Like, let's say you saw an event coming up and you know you've played that last year or a
previous year, and now you kind of have the know-how to tell your people and tell your teammates, "Oh yeah, that one is super duper hard", or "Oh man, that one's super easy, I think all of us should play because we're gonna get so much training value out of it." That's awesome. When a CTF is not online, play war games. Try OverTheWire, SmashTheStack, like Cryptopals, Microcorruption, pwnable.kr, SANS Holiday Hack. The list goes on and on. If a war game is just a little bit out of reach for some of your newcomers, that's OK, because again, you can create your own custom content. You can be in control of that
trajectory: what's difficult, what's easy, how do I hand-hold someone to learn something new. The best benefit of creating your own content is that the author or the developer of the challenge or whatever training material is in the same room with you, and you can always pass them, you can always ping them, and they can offer however many hints or as much guidance as they would like, and that's an awesome thing. A cool thing to do with that as well is hold your own, like, in-house capture-the-flag competitions. Like, once you've built up a ton of material, a ton of training value, see if you can host your own in-house and local competition.

Step number eight: read write-ups and write write-ups. Analyze
your own efforts during a competition. When you and your team play a CTF, keep track of what you solved and what you didn't solve. Keep track of the category for the things that you didn't solve. Write write-ups for the challenges that you did solve, and read write-ups for the challenges that you didn't solve. So one of the best things lately is that write-ups aren't just a complete wall of text that make your eyes glaze over. We have, like, YouTube video write-ups. Between LiveOverflow, Gynvael Coldwind, myself, IppSec, there are plenty of people that are trying to make this content in other forms and in other media, so totally jump into that. Once
you solve a challenge, or someone else on your team does, and a couple other people don't get it, that's all right. Make a presentation, share the knowledge, recreate the challenge in maybe, like, a distilled form in your own custom material that's again accessible from your central hub. So these things all kind of come together. That is how you improve. Tell your team in the daily update, in the spiel or whatever the case may be, when write-ups are out and available for a recent competition, and then encourage them to go read through it. It doesn't matter if it's, like, bathroom reading, as long as it happens. That's the way to improve.

Step number nine: repeat. Do this over and over again. I
think you probably noticed that a lot of these things aren't, like, a one-and-done. This isn't a one-time-only step. This is an iterative thing, and that makes for, like, the heartbeat and the pulse of a growing team.

Step number ten, and this is the final step: stretch your people. This is, like, the icing on the cake, because a lot of these steps, when you implement them, you inherently mark yourself as the leader. Like, you become the dedicated example for what the team should be and everything that you want the group to grow into. But if you want to hit the next level, to keep the team growing after you, you have to stretch them, like,
drag them out of their comfort zone. So walk around during practice and just see if people are actively doing something. Are they participating? Are they learning new things? Make sure that everyone has something to do and something to work on. When a competition comes up that you know has quality content and a lot of training value, like, hold your people to it and make sure that they actually play. Push them to, say, like, five challenges or ten challenges or 15 challenges. Like, make sure they break that glass ceiling, and then show them the people in the room that are succeeding, that are solving challenges, so they have someone to reach out to and grasp at
when they need help or a little bit more guidance. One thing that we did during EasyCTF, because we wanted to improve each member individually: we had every person solve every challenge, everything that they could. It was a team competition, but you still want each individual person to learn, so they would do as much as they could, as if each player was playing alone. There was a team in the room, there's people around, and you can keep track of who's struggling, who should we keep bringing up to speed, and that's an awesome thing. What we did was we created, like, a Google Doc spreadsheet where each team member, each individual person, would mark the
challenges that they solve, and that would be a visual display, right? Who has done the most work, who can help on a specific challenge, and who needs a little bit more work. This way you have a sense of accountability. And I hate that word, I'm never gonna use it again. I think feedback is a much better word. You've got that internal feedback, this way for a person to look at themselves and say, "How do I measure up with people in my team?" and also, "How do I measure up with myself?"

OK, so I lied to you. There isn't really a 10 steps way to build a cyber team. That was just a sneaky trick to get you to come to my
talk. There's no book on how to improve people, and even if there were, no one would buy it, because they're smarter than that, at least the ones of you that are still awake. There's no way to condense or encapsulate what should be done to keep people engaged, especially learning and growing within cybersecurity. But I think that we can at least figure out or get an idea that for each person it requires, like, constant practice, it requires a platform and a framework to progress and measure their progression, and it also needs a means to feel good about their success, like when they are actively learning and doing something new. So the most important
thing is to make sure your people are happy and keep them happy. Keep them learning and really, really excited about this stuff, because this is cool stuff.

Cool, that's it, thank you. And, er, super short. I expected a 30-minute window, but, uh, do any of you guys have questions for me? Yes sir.
Nice. Right, yeah, I, what, I went to high school at some point in my life, so I can probably offer some insight there. I think an awesome thing is to create posters, make flyers. If you need a spokesperson, or if you need some individual that loves being on the keyboard, likes to do cybersecurity, computer programming and that kind of stuff, if you're just trying to seek out that individual, put up posters in the high school, track them down. And maybe if it's a casual email, or just engage in homeroom, or someone to ping the teachers with, that could be cool to find that individual to act as the spirit. Does that answer your question? OK.
OK. Oh geez, you can. Mm-hmm. Yeah, yeah, computer science teacher, reach out to those that are deep in that scene, yeah.
I think that's an awesome thing. Getting the library or, like, a public space rented out to just do something live is awesome. OK, the suggestion was: if you're trying to kind of start this ground up, like, grassroots, get people engaged in a capture the flag or cybersecurity scene, do something local, like at a public library or some venue that is local to that town, and keep people growing and trying to get engaged that way, because you'll have that spot and those resources and infrastructure.

I think lunch is next, so you got some time to chill. All right, thanks. [Applause]