Remember the message.
The future is not set.
Testing.
Hey, welcome.
Welcome to CypherCon in the evening.
All right.
Jim and I are here together.
My name is Mark.
This is Jim.
We're going to introduce ourselves a little more formally in a second.
But we're here to talk about moving from friendly fire to live fire and the importance of cybersecurity competitions.
Hey, I'm first.
Okay, great.
I'm a cybersecurity instructor at WCDC.
That's Waukesha County Technical College.
Pretty far down the road from here.
And I've been doing this for 30 years in IT and cyber.
I've been teaching for 25, so I've learned a lot over the years.
And one of my greatest joys in teaching cybersecurity is helping students prepare for competitions.
I've got about 15 years of experience coaching individuals and teams with CyberPatriot, which is a high school-only competition, National Cyber League, which is a capture-the-flag competition, and Collegiate Cyber Defense Competition, which, well, we'll talk about that,
too.
That's kind of a real live-fire competition.
We do a lot of other competitions as well, like HiveStorm, CAE Vivid, and there are several others out there that we throw in as much as we can.
Hey, everybody.
My name is Jim Schultz.
I always like to kind of tell a little bit about my background and how I kind of got into IT and cybersecurity.
I'm kind of like a lifelong resident of the Waukesha, Milwaukee area.
I'm a child of the 90s, and, you know, I think about my path in IT.
I remember, like, growing up in the late 90s and our family getting our first family computer.
I think about, ooh, this cool, shiny thing, and immediately taking it apart.
You can imagine my parents, who were totally non-technical, that kind of pissed them off, but I had the pleasure of putting it back together.
I knew at that moment, like, wow, technology and IT, I really kind of enjoyed this area, and it was a thing for me.
So kind of growing up, right, kind of getting interested in IT, I did a lot of really cool things.
My father, he owned a small business.
I think about wanting to really get into tech, learning how to build websites, web apps.
I had the opportunity to build a website for him, which led to me starting and running kind of a shared web hosting company, which was a lot of fun, and this was kind of in the high school time period, and I passed out of my high school IT courses, like,
relatively quick.
Anybody kind of identify with that, right?
Maybe you're in high school, you do all the web design classes, and you want a little bit more.
Well, I found WCTC here at my local, you know, technical college.
So I went there when I was in high school, had a really great time taking classes with instructors.
Not, I don't think exactly with Mark, but with a lot of our colleagues.
Maybe we had a class together.
It was a huge influence on him.
Yeah, obviously, right?
But I loved those classes.
It was so much fun.
I loved working in IT, kind of building my shared web hosting company, and getting ready to graduate, my parents, they really wanted me to go to, like, a four-year institution.
So I went to the University of Wisconsin-Milwaukee.
I mean, that was great.
Credits transferred over.
I got a job pretty much immediately working in our IT office, kind of running an IT office with a bunch of my friends I were taking classes with.
So doing mostly desktop support, kind of like junior admin-related things.
And as I was getting ready to graduate, and I was able to graduate pretty quick, because all my WCTC credits, what do you think, they transferred into WM?
They sure did.
I was able to graduate in three years.
And getting ready to graduate, I had the opportunity then to move into a full-time sysadmin role, mentoring a lot of the students in the tech office, showing them how to do things like, how do you install Linux?
How do you image a computer?
How do you troubleshoot printers?
All that fun stuff.
And that got me really interested in IT, working with students, wanting to teach.
And then also the whole security aspect.
Growing up as a kid, modding video game consoles, that was a ton of fun.
Doing a bunch of things on the Internet, maybe I shouldn't have been doing, but I learned a ton doing those things.
Tons of fun.
And then also kind of working with people, helping them do things like, how do you uninstall malware?
How do you protect against phishing messages?
All that stuff.
So getting into teaching has been a real kind of journey for me.
And I love the hands-on technical aspects.
So currently I work over at WCDC with my fantastic colleague, Mark.
And I'm a consultant over at GoSkill, primarily doing things like web app pen testing, doing a lot of report writing, as you can imagine.
And that's been a lot of fun.
And kind of in this path, as you can see, I have some certifications, and I'm happy to talk more about these one-on-one.
I love that really hands-on, technical, hands-on keyboard experiences.
So like the OSCP and all the hack the box certs, those were so much fun for me to earn, learn, and I'm happy to share and talk about all that.
So yeah.
Great.
Cool.
So cybersecurity competitions and games.
Who's competed in a competition before themselves?
Aren't they so much fun, right?
These are a blast.
And up here on the screen are a lot of our former competitors.
Many of them are here in the audience.
So thank you, friends, for being here.
Mark and I, we seriously appreciate that, right?
You guys are awesome.
And they are so much fun.
So competitions, right, they offer very unique challenges.
And one of the things that we like quite a bit about cybersecurity is that it's a lot of work, but it's also so much fun in games, right?
I think about a lot of the other areas of IT.
They don't have fun CTFs.
They don't have these cool things you get to work on, learn, and play with friends.
But in our field, we totally do.
And beyond this, too, there's a real community, right?
I think about a lot of folks that work in IT.
We tend to be introverted, kind of awkward individuals.
But these competitions, these games, they get us out there working with each other, right?
There's such great opportunities for us to learn from each other, not only technically, but also build the soft and social skills.
And as you all know, those skills are critical if we want to work in this field and be successful.
And I don't know if you want to add anything, Mark.
Other than in this picture, I think these guys all worked on a...
Stop me if I'm wrong.
You guys were trying to find a hacker going across cell phone towers.
And you had one final guess on the third guess, and it was a Starbucks.
And there happened to be two Starbucks within a two-mile radius, and it was a 50-50 shot, and you guys chose the wrong one.
Great.
Real-world experience.
That's awesome.
Yeah, and one thing I wanted to mention, too, which is what I also love about this, is especially at WCDC, we have folks that are anywhere from 17 years old to 50 years old.
It's a really great way to really get to interact with tons of different people, for sure.
Yeah, that's right.
Actually, one of our first CCDC competitions, I actually had a 62-year-old for the first time and actually made it to Midwest Regionals, if anybody knows what I'm talking about there.
You might even remember.
Oh, okay.
Excellent.
Who made it pretty far along in the competition, which was pretty cool.
Coming up in these next set of slides, we'll be talking about some of the competitions Mark and I are most involved with.
This is a very small subset of what's out there in the field.
This is kind of what we're involved with, but keep in mind, if this isn't your jam, there's so much more that you can do beyond this presentation.
One of the ones I really love is CyberPatriot competition.
CyberPatriot is strictly a defense competition that's specifically for high school students, and only high school students can compete in it.
In fact, they even encourage middle school students to compete in this.
This is probably the number one way that you all may be able to help out some of your local high schools, or even middle schools.
High schools have a hard time finding the time, the people, and the resources to help mentor for a competition like this.
Plus, it's just really hard to impart the importance of securing an active directory server to somebody who's 14 years old.
It's just difficult, right?
And you're trying to get that importance across, and it's hard.
And I do remember very vividly at one time, sitting with somebody for two hours, and this does happen when we're teaching and coaching with cyber.
I had somebody that I was talking about.
It was an open Netcat port with a shell.
Oh, CyberPatriot.
An open Netcat port with a shell.
And we sat there, and we explained, okay, here's what moving a shell across a network means.
And this is what happens.
You've got to try to find the service that keeps starting that port and figure out and try to stop it and do all that.
We spent hours on it.
And he said, yeah, that's great.
And he never came back to another meeting after that.
It's one of those things that sometimes you're either like, hey, that's really cool.
And this was like shoveling shells.
This was really cool stuff.
It just didn't impart upon this person.
And that's okay, too.
So CyberPatriot, over 5,000 teams this past season.
5,000 national teams that are all competing at the same time.
They have a public scoreboard that their friends and family can watch and see how that team is doing.
Thank you.
Most of CyberPatriot and what it is are misconfigured images.
Anybody know what that is?
Oh, this goose.
Oh, my gosh.
You didn't have that, I don't think, did you?
Okay.
You missed out.
Any other CyberPatriot people?
Did you see this before?
They may not have done that.
I think they did that in the last two years or so.
So this is the desktop goose.
There's a benign program out there called desktop goose.
It's super annoying.
You can download it, install it, have some fun with it.
You're going to get rid of it in about five seconds.
But he kind of walks around the screen and grabs your windows and moves them so it's real hard to do things.
It's kind of like a modern version of Bonsai Buddy.
Remember that?
Oh, Bonsai Buddy, yeah.
But they would delete them and he'd come right back, right?
So it was a service that kept running, right?
So it was kind of the goal is to figure out, hey, how do I stop this service?
So it's a launching point to talk about services.
What does a service mean?
How about the task scheduler?
You know, how do all these things work on Windows, right?
And again, this is high school students, so you've got to kind of keep that in mind.
They've got Windows clients.
They've got servers.
They've got Active Directory items that you have to kind of talk about.
A lot of auditing.
Ubuntu Linux and Mint Linux, right?
Which is kind of... They've got malware on there.
They've got these persistent scripts, again, that run at desktop goose.
There's rogue applications, password policy settings that need to be in place.
And all of this is scoring live.
So the machines are sending scoring back up to a server somewhere.
And you can monitor your scoring throughout the competition.
We learn a lot about hardening.
It's really fun to watch high school students when you give them a thousand page CIS document on how to harden their Windows server.
Like, okay, go through it, right?
And we start figuring out how to parse through that document.
Which is pretty cool.
They also include forensic challenges.
There's a Boeing forensic challenge.
It got big sponsors for Cyber Patriot.
But there's also forensic challenges where you're given encrypted files and you have to figure out how to decrypt and how they're encrypted.
Steganography and things like that.
How cool is it to get a thing like this when you're in high school?
To come and talk to an employer.
To come and talk to a school that you want to go to and take cyber security courses.
Talk to your internship, right?
That's just a really, really neat thing.
It builds a lot of pride.
And Jim and I, I think we see that a lot in our students, in our high school students.
And, you know, obviously that gives us a lot of satisfaction.
But it's just really cool to watch these folks do so well.
Total bragging rights, for sure.
If you want to be a mentor, CyberPatriot makes it really, really easy.
If you go to their website, QR code, of course.
Thank you, yeah.
You can sign up to be a mentor.
They say they do a background check on you.
It's like 30 minutes later and they say, okay, you're a mentor.
The form is kind of sketchy, but don't worry, it is really safe.
Just ask for a social security number and all A lot of volunteers out there, you know.
But you can sign up and be a virtual mentor.
And there's a little checkbox that says, let the schools contact me.
So you can do that, and then if a school decides to start up a CyberPatriot program , or want to do some sort of cyber security for their students, they might go on to CyberPatriot, see that, and say, hey, there's somebody in my area that I could use as a CyberPatriot mentor ,
and kind of go from there.
I could also encourage you guys to reach out to your local high schools.
I've done that with mine.
I actually was a mentor for many years.
And this year, for the first time, just some of the security interest dropped off a little bit, so we're not doing it.
But I'm hoping to start it up again next year.
Now, I get to talk about National Cyber League, also known as NCL.
Anybody here compete in NCL before?
Yeah, so many of you.
It's a pretty awesome competition for those of you who have done it.
If not, unfortunately, the registration for the spring competition I think closed maybe this past week.
But it usually operates in the fall and the spring.
It is so awesome, right?
So what's really great about this is it's very low cost.
It's $35, and when you buy that, you get it for the whole fall, spring semester.
And you get access to this gymnasium, which has lots of guides, walkthroughs, lots of very approachable content.
It gets pretty challenging pretty quick, but there's a lot of stuff there for noobs and for those that are hungry and want to learn.
It's really cool, too, because there's a practice game, there's individual games, and team games.
There's a lot of really cool stuff that you can do, and as you're going to see, if you do well enough, there's some cool rewards that you get.
They have a lot of videos in their walkthroughs as well that you can just watch and see how people do things.
Absolutely.
And they have a Discord community that's also super helpful.
We had students that had done team games with folks that are not anywhere in Wisconsin, and we're like, hey, how did you hook up with this team?
It's cool to make friends across the country.
Pretty awesome.
Is Noah here?
He's somebody who graduated from WCDC, went to another school, and started up an NCL team, and beat us.
Yeah, and up here on the screen, we have some of our students from last fall that did NCL.
This was last fall, right?
I think so, yeah.
Yeah, it was fun.
Good group, right?
And beyond the competition, right, so what's in there?
There's different categories from forensic challenges, different types of offensive challenges, reverse engineering, web app, which is like a personal favorite of mine, password cracking, which is a personal favorite, I think, of everybody's, right?
Our students are always looking for excuses to buy that gaming rig.
Like, well, if you get a nice GPU, you could use that for, you know, for Ashgad, right?
Why wouldn't you want to do that?
So a lot of really fun opportunities to kind of dive down in the areas that you're interested in.
And beyond that, too, NCL , the platform, it'll kind of inform you of the areas they're good at, and kind of encourage you via this kind of like web graph type of view of things you may want to check out, which is kind of cool to see from competition to competition.
And up here on the screen, we have kind of one of the NCL types of challenges.
A lot of these are done via a web browser, so you don't need to have access to that password cracking rig, per se.
A lot of stuff can be done in browser, or you can take the stuff kind of offline and use whatever tools that you're familiar with.
So if you like using Kali Linux, go ahead and do that.
If you want to use your custom tools on an Ubuntu machine, you can totally do that.
Or if it's just, you know, hey, I want to use Windows with Wireshark, also a possibility.
Yeah, I remember and some of the challenges, Rebecca, I was just thinking about the picture, and it was the what's the guy with the tape?
Flex Seal.
Yeah, it was a Flex Tape.
It was a Flex Tape challenge.
And it was like a picture that was split up into like a hundred or two hundred segments, and it was they put a delimiter in there, and you have no choice but to learn how to do script things when you're working with something like that.
You're like, how the heck am I going to figure this out?
And it launches you to that next level of like, okay, I've got to figure out how to write a script to do this.
I can do it in Bash.
That's me.
I do stuff in Bash, even though I should do it in Python and something cooler.
But I do it in Bash, right?
Jim might be able to do it in Python.
I probably had ChatGPT write me the Python script, right?
And it worked.
And it usually works, right?
Maybe it works, then now I've got to troubleshoot it.
Yeah, that was a lot of fun.
Lee, I remember working with you and Charlie on, I mean, this is years ago, right?
But, you know, talking about writing scripts to make better password lists for Hashcat, right?
And that was really the only way to do it, right?
You can't crack passwords on a VM.
You know, you don't have that much processing power, right?
So...
Yeah, and kind of going back to like the fun aspect of this is, well, the gymnasium is open like, you know, all fall and spring.
Those individual and team games, those are timed, right?
So I think that's very realistic.
You think about a boss or a supervisor or a client kind of giving you a firm deadline.
You've got to get some work done.
You run into barriers and challenges.
You've got to think, man, I need to get through this quickly, which is super realistic.
And like, some of my personal favorite things about this competition is like, it's a lot of fun and you learn a lot that will not only help you in your courses, but helps you make friends, build those relationships.
It looks fantastic on a resume.
It gives you all these really awesome talking points when you go in for an interview.
I've seen job listings for, you know, entry-level roles that says, hey, we'll take you with not a lot of experience, but we want to see that you've done NCL or CCDC, which we'll talk about in a little bit.
And beyond that, too, if you do well enough, you get these really awesome challenge coins.
And at WCTC, we've been really fortunate.
We've had a lot of really kind of kick-ass students that have gotten these challenge coins.
So up here is a group from about, maybe about a year or so back.
Do you have a challenge coin with them?
No.
But what's also really cool is at the end of the games, you get this scoring report, right?
And that's really cool because you could take this to an employer, attach it as a piece to an application.
Or this kind of informs you of how well you did, right?
So you can set some goals.
I gave a talk on home labs and learning last year at CypherCon, and one of my things I always recommend doing is kind of reflecting and setting goals, right?
So these competitions really give that opportunity to kind of say, hey, I did some really cool stuff, right, the past couple weeks, the past couple months.
What's next?
Really reflect on that, learn from that, and do some cool things.
We were thinking about bringing a wireless presenter in.
I'm like, Mark, that's a bad idea.
Not at HackerCon, right?
Can't bring a wireless clicker or a USB, a Bluetooth mouse to a hacker conference, right?
CCDC, probably one of my favorite things to work on, and I think we, you know, NCL is a lot of fun, and Capture the Flags are a lot of fun, and you learn a lot, right?
But, you know, you could argue, hey , that's not a lot of real-world stuff.
I disagree on a lot of them.
I think a lot of the challenges are very real-world, especially log analysis, network analysis, PCAP analysis, and things like that.
But CCDC, I think, is a lot more real.
And I think, Aaron, I'm going to call you out, right?
It's hard as heck.
Yeah, seven, six, seven, eight hours of scoring, and , you know, the red team, anybody on the red team for , yeah, you don't have a rules of engagement, do you?
You just go and make us cry.
It's great.
We love it.
Keep it up, right?
It's an awesome experience.
I mean, where else do you get an experience where you're sitting in a room with a real live network, a real live internet-connected network that works, and machines talk to each other, and exchange data, and real live hackers attacking you and making your life miserable,
and you've got to keep the network running while your boss is giving you stuff to do.
And not, like, easy stuff.
Hard stuff.
Melissa.
IPv6 play.
Migrate to IPv6.
Have it to me on my desk by the end of the day.
It was like a four -hour plan.
It's crazy, right?
If not more.
So it's six to eight hours of scoring.
It's a sabotage network.
I mean, the story behind CCDC is that the network admins that ran this network were all fired all at once, and they got sent home for doing something naughty, and they hired you as a consultant to come in, and you've got about 30 minutes-ish to protect that network,
and it's misconfigured.
It's unpatched.
It's got back doors all over it.
So you've got passwords, default passwords everywhere.
So you've got to do all of that securing in the time they have to get home, and then they kind of unleash and make your life miserable all day.
It's supposed to emulate one to two years of on-the-job experience.
Yeah.
I think that's pretty... I don't know how accurate that is, but man, it's a good story to go tell your employer when you go interview for a job, you know.
Right?
Teamwork is a must.
This is one that you can't...
you've got to be able to work with the people on your team.
And I think one of the biggest things...
This might be on a later slide, Jim.
But this is really where you learn how to be a team member, I think.
You're thrust into this situation that's stressful.
And the other thing that's never lost on me for all the students that are in here, you're putting yourself in a spot where you're like, I don't know if I know what the heck I'm doing.
I don't know how many talks I've seen today.
Probably three.
Johnny Christmas had one.
Somebody else had one where they basically are like, we don't know what we're doing.
But we're figuring it out as we go, right?
I'm learning as I'm going.
And I think one of the main points in all of this is Johnny Christmas in his talk earlier today, get uncomfortable.
Put yourself in a situation where you don't know what you're doing.
I mean, you know, you've got to know a little bit, right?
But hey, that's what Google's for, right?
That's what internet searching is for.
And that's what chat GPT is for, right?
Claude, whatever.
But put yourself in that situation, and I think you learn a lot.
And you also learn how to work with members of your team.
Like, hey, has anybody seen this?
That is something that I love seeing throughout this team thing.
But it is hard, right?
It takes time.
It takes a lot of time on their part.
It's a lot of dedication.
It's also not lost on us is how much dedication that the students and the competitors put into this.
You red teamers, you show up on a Saturday and just start.
You're like, hey, I got this really evil script I want to try.
It usually works.
All right, cool.
So, the competitions are great, but like, if you're not currently in school, if you're not currently running, you know, as part of a cyber club, you might be thinking, okay, what exactly can I do?
Or maybe, you know, it's summer break, right?
Maybe it's not quite competition season.
There is so much fun that you can do for both learning and for competition, perhaps.
So, I'll talk about some of my favorite services that I really kind of enjoy and I learn from quite a bit, sometimes day to day, a lot of the times, for sure, at least week to week, that I'd highly recommend checking out.
First off, Hack the Box.
Who here has played around with Hack the Box?
Yeah, it's an awesome service, right?
There's stuff there from, like, total noob to, like, total expert, right?
There's stuff here that will make anybody's brain hurt, but only, you know, in the right way, as we talk about.
If this stuff isn't hard, when you're learning this stuff, I think it's really good to be on the cusp of, man, I'm gonna give up, to just barely making it, because you feel so good about those hurdles that you overcome, right?
You will never forget the things you spent hours and hours and hours figuring out.
So, Hack the Box, they have an amazing academy.
I mentioned that I have the Hack the Box CPTS.
They're one of their pen testing certifications.
If you're a student with an EDU email account, you can subscribe to their academy for $8 a month, right?
It is such a good value.
And beyond that, they have individual boxes you can hack into for free on their free tier.
They have Pro Labs, which are pretty cool.
They very much emulate real business environments with dozens of machines.
I learned so much from Hack the Box, as do my students.
I would totally recommend checking that out.
If you enjoy web apps, I would highly recommend diving in.
I get a lot of students that tell me, web apps are weird.
I'm like, yeah, everything's weird at first, but just take that knowledge and break it down into different pieces, and you can assemble it.
I'm a huge fan of the Portswigger Web Academy.
It's a free service you can go through and learn.
There is a lot of pressure to buy a subscription to BERT Pro.
You can do a lot of this stuff without that, which is pretty fantastic.
If you're like, man, this Hack the Box stuff and this Portswigger stuff, it's hard.
There's TryHackMe, right?
Who's used TryHackMe before?
Right?
It's great.
It's awesome.
It's very approachable, more guided exercises, and they do some really cool things.
They have their Advent of Cyber.
Who's done that before?
Yeah, it's pretty cool, right?
You get all the goofy YouTubers that do fun videos.
There's a whole narrative.
That's always such a good time.
You can win prizes and things, too, although I never seem to win any prizes.
Maybe someday.
They always list these huge prizes, too.
Yeah, right?
It's real?
Yeah, it's real.
What did you win?
Year membership.
Cool, yeah, I'd take that for sure, right?
Awesome.
Yeah , seem to do it every single year, right?
Yeah, right.
And if you're like, man, subscriptions, those are expensive.
I don't want to put my credit card number into yet another thing.
There's so much you can do in your home lab, and I think I mentioned I have a home lab that I'm pretty involved with, and I gave a talk last year here at CyberCon about home labs.
There's so much you can do at home.
You don't have to spend a lot of money to figure this stuff out and run this stuff in-house.
And a lot of the time, even if you are doing hack-the-box, I'd say, hey, learn how to set this stuff up at home, because you'll learn a lot about networking, infrastructure, network security, all that stuff.
So, like, on VulnHub, as an example, you can download a lot of the same machines that are used in offsex playing grounds, improving grounds, where you can go through and do things in the cloud.
You can download a lot of that same stuff and run it either in VMware Workstation locally for free, or set up something like on Proxmox, which I totally would recommend trying out.
It's so much fun, and again, there are a lot of ways you can do this without having to buy, like, you know, make a server off of eBay that costs, like, $100 a month to run.
Some of the services I've listed on the slide, like, feel free to take a screenshot of this, or take a picture.
These are a lot of the cool tools that I use both at home, and actually at WCTC, like, in my ethical hacking classes and web app security classes, these are the same stuff, like, we run here, you know, at WCTC for our classes, you load them into, like,
we have a VMware environment, Metasploitable 2 and 3, a little bit old school, but totally hackable, OWASP, they have their juice shop, which is fantastic, you can run that pretty easily just in a small VM.
And if you're interested, like, in testing directory services, there's, like, you know, the game of Active Directory, there's so much really cool stuff out there that you can run at your home that does not cost $10, $20, $30 a month subscription fees.
Anybody running any of these or playing around with them?
Yeah, definitely check it out.
A few other competitions to talk about, and we've done this on our own as well, I think a lot of fun is to be had, and we've been really busy with current competitions, but once that slows down, once National Cyber League starts slowing down, we might look at our own CTF,
right?
So we've used CTFD, I think it's a pretty popular, you know, CTF platform, pretty easy to use and populate.
But we use CTFD to create some challenges and have our own students work on things.
We may try collaborating with other schools with that as well, which has been a goal of ours.
There's a lot of free utilities out there, too, or free sites like PycoCTF.
PycoCTF is a really cool capture the flag competition that does occur at some point during the year, but it's really only geared towards high school students.
Don't let that fool you, there's some pretty cool challenges out there.
If you ever want to learn a little bit more about Python or a little bit more about binary exploitation, reverse engineering, they have some of that stuff out there, which is pretty cool.
Last year we competed in one that was really cool.
We are a certificate of academic excellence school, so we have the capability of participating in some of these other CAE school competitions.
We try to do as many of them as possible.
A lot of them are on site and are difficult to get to, but they had one that was called Vivid last year, which was kind of a quiz, exam, paper, pen test that we did.
Oh, sorry.
My teacher in me saw your hand go up and I'm like, I've got a question.
So why compete?
Why play?
Like I mentioned earlier, challenge yourself.
You want to put yourself in this uncomfortable situation.
And I think a lot of the red team folks that are in the audience, you know what I'm talking about.
You constantly have to, right?
You've got to create your virtual machines, you've got to create your hardware machines, and you've got to figure out what makes them tick so that you can pull them apart and break them.
Get yourself uncomfortable.
I think learning teamwork skills is probably one of the most important things that come out of this, and I think that builds a lot of excitement.
And in all honesty, it builds long friendships.
I love that about this.
I think that Nick, how did we fight over that firewall?
How did you fight over that firewall that you were working on for CCDC?
It's amazing.
And we did it together.
Maybe not me, right?
I was kind of trying to be the coach, I suppose.
But there's just so much, right, Lee?
It's been a lot of years.
But I remember all the things that we did and all the things that you guys did, which make it a lot of fun, and it's a lifelong friendship.
Helps build your resume.
Build friendships, I kind of skipped ahead a little bit.
Definitely helps you build your resume.
Gives you something to talk about at that interview, at that employer.
Something beyond just classroom work.
I kind of feel like you have to do something beyond.
Doesn't have to be a full commitment, although a lot of us have done that full commitment, but it's got to be something, right?
These capture the flags are a great opportunity to work on some things that are extracurricular.
You're experiencing real attacks on real networks safely.
Like I mentioned earlier, where else do you get an opportunity other than actually getting hacked by somebody?
That you're sitting there actively getting hacked by an advanced persistent threat all day long.
Their main goal is to make you miserable that day and completely bring your network down.
That is hard to defend against.
And they do it with the fact, with the thought in mind that you're college students, you're working on this thing, you're trying to learn.
Yeah, they're going to knock you down, but they're also going to help you realize what you did or what you might have missed later on, which is a really cool experience.
And learning how you deal with that stress.
We had a webcam, we used to have to do it over webcam, maybe 10 years ago.
And we watched another team on the webcam, everybody was monitoring all the other teams, and we saw one person sit there and look at a screen like this, throw his hands up, throw his hands up, pick up the monitor, throw it off the screen and leave the room.
Do you remember those days?
Were you there when you had to do the webcam all the time?
I think we did.
Hopefully that person figured out teamwork.
Right?
Oh, now this is the favorite part of our talk.
So, one of the things I wanted to do, and I really didn't or couldn't include everybody, right?
I kind of wanted to include some alumni that worked on some of these competitions over the years.
And I've got a lot sitting in the audience, I've got a fellow instructor who coaches along with me at a different school where we're competing.
What's the first Lego League word?
Coopertition.
Coopertition.
But I have some students here with us, and I just kind of wanted to maybe introduce yourselves briefly and talk about maybe some of the things on the screen.
Maybe have you guys pick one thing.
You guys want to come on up?
You guys all right with that?
They're already coming up?
They're going to be all right with it.
Yeah, that's kind of no fun.
So this is the ad-lib part of our competition, thank you, of our talk.
I don't have to freestyle like Thug Shells, right?
Well, and Melissa's one, I'm going to steal a story from her.
They gave us a challenge to convert this network over to IPv6 and talk about everything about it, right?
How are you doing DHCP?
What kind of DHCP?
What about DNS records?
All this.
And you spent all this time on it, and at the end they were like, just kidding.
Because they promised us 10,000 points.
They didn't know that we could see the points we were promised.
So absolutely I devoted myself to get that inject done.
I don't think you'll ever forget it.
I don't think you'll ever forget it.
I'll never forget it, no.
Never.
Okay, that's great.
So, I don't know, I have some canned questions up there, but what do you guys remember from the competitions?
Paul, is there something?
Melissa, I kind of stole your thunder there.
I'm Melissa, by the way.
Thanks.
I'm Paul.
I guess a quick thing about myself.
I'm a graduate of ZTC from 2019.
I now work at Northwestern Mutual.
I've done CCDC, NCL, USIT Collegiate Conference.
I forgot about those traveling conferences.
That was a lot of fun, too.
Yeah.
I know.
But I think my most memorable is definitely the first year I did CCDC.
That was a rough eight hours in a windowless room.
A lot of stress.
A lot of yelling.
But like you said, it really builds trust and teamwork, and you have to trust that the people around you know what they're doing, or at least are trying to learn and do it on the fly.
But also that when you need help, you will ask, and people will come help you.
Because we had a lot of the backup systems.
We had a lot of people who were cross-training to make sure that we had that pool of knowledge.
Yeah.
That's awesome.
What's up, guys?
I'm Bennett.
Again, WCDC grad.
But I just want to riff off of that.
I think the teamwork is really important.
Because when you're sitting in the classroom, there's group projects, but in reality, you guys are emailing each other.
Kind of a Teams message if you use Teams.
I hate Teams.
But we were showcased all these nice group photos because we're in a room.
We're working together.
It's like a war room at a job.
But you're all together.
And especially under the CCDC pressure, the yelling is not a joke.
This is intense.
They're ransom wearing our servers.
I got Nyan Cat on my screen, and I can't do anything else.
But overall, it was such a fun experience, and I think it's really important to be frustrated.
Because that means you're on the cusp of learning something new.
Hello.
I'm Connor.
2022 WCTC graduate, so about three years now.
I don't mean to repeat and just piggyback off of what the two of you are saying, but teamwork is the core thing that you learn and build off of, and that's what's going to carry the most when you actually find a career in cybersecurity.
Because you can be as technically proficient as humanly possible, but no one's going to want to hire you or really talk to you if you don't know how to have a conversation and work on a team.
So learning that through CCDC, because you can't really get that just by showing up to a college class every Tuesday or something.
Being forced to work together in that tight environment that's really difficult and scary and brand new to you because you're in your first year of college and you have no idea what's going on, that's what's really going to take it home and actually build those skills that you can't really find anywhere else.
One thing I'll say too is, you know, maybe everybody here in the crowd is really, really technically proficient and a whiz.
But I will be the first to say that I did not consider myself that.
I was a career changer with no experience in IT.
And if it weren't for the encouragement of my peers, shout out to Justin too, he would not stop talking about Cyber Club.
And then Mark, seeing in me that I had a place in CCDC in particular because I didn't want to bring down the team.
I didn't want to take up a spot of eight, I believe, if I wasn't going to be a big value add.
So I was very sheepish.
I was already telling Mark, like, I don't need to participate.
Don't worry about it.
And he cast me as one of the inject managers, which I didn't even know what an inject was.
And I'm so grateful I used it in job interviews for sure.
It teaches you about teamwork, yes, but also time management, diplomacy, leading a technical team, and getting them to give you your deliverable on time.
So I'll just say, if you're that technical, proficient person, please be the voice that encourages someone else to get involved and to try it.
Because if I didn't have those people, I would not be standing here.
So...
That's awesome.
Yeah, do you remember...
What did you work on?
So I was the Ubuntu email server.
And...
But I will say...
She was the hacker for the Ubuntu email server.
Yes, that was fun.
And I remember at one point it got ransomware.
And our response was, we wrote in our whiteboard, we did not negotiate with terrorists, and then reset our whole server instead of dealing with them.
It's a bit of fun.
Yeah, that's great.
Overall, I think the biggest challenge, though, it's the injects.
Everything's on fire.
Yeah, a lot of times we just want to deal with the technical stuff, but then all of a sudden our boss is saying, hey, write me this report on how we're doing, like, performance-wise.
And you're like, no way.
And back then I thought it was a bit of a kind of off-the-nose like , ha-ha, that is so true and so real.
Oh , yeah, that's right.
I think the understanding coming from that, and kind of not straight translated, but being able to go, okay, we dealt with this, I dealt with this for eight hours, it's a two-week period in real life, I can deal with this, it's not that big of a deal.
I think when you're talking about challenges that you can take and move into a real-life setting, that's probably one of the biggest ones.
Cool.
So I think from a career perspective, how this impacted us, personally for me, I started doing competitions in high school, so I was in Cyber Patriots.
I did a business program, but did networking infrastructure as a senior in high school.
Every interview I've done, they've asked me about these competitions, because there's only so much work experience you can do when you're at a younger age, especially in college.
So I worked as an engineer at an insurance company, and now I do, I'm in a financial company, and every interview has been talking about these experiences, these challenges we've gone through, and they're like, oh, you understand active directory defense?
That's crazy.
And it's just super cool to see them interested in what we're doing, and I think it even, because they don't know.
Sometimes you'll have an older boss, older manager, and they've never heard of NCL or CCDC, these are just acronyms that you hear and the millions you hear in IT.
But, overall it just correlates to what you know, and it's something to put on paper, such as the NCL report that you're showcasing.
Awesome.
And I would encourage everybody, if any of this sounds interesting to you, come, you know, talk to Jim or I, but come talk to these guys.
You know, Melissa had a talk yesterday, anybody see Melissa's talk yesterday at these sites?
Okay.
Connor had a talk today, anybody see Connor's talk today?
Bypassing DMA?
Yeah.
And, you know, they've got a lot to say about this, and Bennett's got a site that helps correlate, you want to talk about that for a second?
Sure.
So, two hemispheres, you know, competitions, but events.
You know, I'm not going to stand up here and showcase, like, sales pitch you on networking, but CypherCon is awesome.
And there are so many other events, you know, I can't promise you that there's going to be a CypherCon every week, but there's meetups, there's tech events, I can tell you there's about eight or nine tech events in the Milwaukee area alone per month.
So I showcase a platform called Epical Intelligence, and I just put together all the tech events in Illinois, Wisconsin, Minnesota, so it's just one spot for everyone to know what's going on.
So you don't always have the network, there's so much going on, you've got to follow these companies, it's just one spot, it's no cost, I'm not sales pitching up here, it's just a benefit to the community.
One thing I want to say, too, so a couple meetup groups I would highly recommend would be, like, DC414, DC608, MilSec, MadSec, get involved with the community, right?
And Bennett's site, you can track all those, I'm assuming?
Absolutely.
There you go.
Yeah.
Otherwise, Google around, and all those communities, right, they also have discords, right, they have places you can talk asynchronously if you can't make it to the meetings.
Totally would recommend getting out.
I know, like, it can be, you know, it can be hesitant, or you might be, like, well, should I really go to these things, especially as, you know, aqua-rated IT people, but totally go.
Everybody at these events, they're all friendly, they really want to get to know you, they want to share their knowledge, they're looking for friendship, so highly recommend getting involved, and check out Bennett's website.
Yes, yes.
My name is Jake, I'm another student at WCTC.
Talking about the events that go on, I remember the first time I went to MILSEC, and that's Milwaukee Security?
Yeah, Milwaukee Security Group.
And I remember being very, very hesitant, going like, I don't like going and dealing with groups of people, but I pushed myself out of my comfort zone, and it was a really good way to network and learn.
Cybersecurity is something that I want to go towards, and it's a very good way to learn and network with those who are already in the industry.
So if you're interested in cybersecurity, go to one of those groups.
Yeah, Justin over here, I mean, I don't know how much I want to, you know, I didn't want to necessarily put you on the spot.
One of our sponsors for MILSEC, and, you know, just local meetups, right?
Yeah, of course, yeah, meetups are huge.
I think networking, like these guys have been saying, is everything.
Putting yourself out there, like Melissa and myself, I was a late adopter into the IT field at 30, made a career change, went back to school and had these incredible mentors to kind of guide me in this direction, this new career of cyber.
So networking was huge for myself to be successful.
These competitions were everything.
NCL, Hive Storm, Hack the Box, all these things that allowed me to build these skills and become a pen tester after finishing WCTC's program and just set me up for success in the best way possible.
So putting myself out there as well was huge.
So like these guys are saying, MILSEC, I work for Sprocket Security, so a couple of my colleagues kind of run the MILSEC group and get that coordinated.
And we're always looking for new people who want to talk, share something cool that they're working on.
So if that's something you're interested in, please hit us up.
Cool, thank you.
Yeah, it's awesome.
I love seeing you guys all up here.
I've got alumni from previous competitions.
I've got current competitors.
We've got current competitors over here as well who are still tired from the competition a few weeks ago.
And I thought it was kind of cool to just say over the past 15 years, we've coached about 150 CyberPatriot competitors, we've coached about 150 CCDC competitors, and coached about 900 NCL competitors.
I think that's pretty amazing.
Yeah, so definitely, you know, definitely get involved, right?
High schools definitely need help, right?
You can make a difference.
You can do little different things.
You can go to a DC608 meetup, or a MilSec meetup, or a number of things.
Volunteer, right?
Ask your local technical and community colleges how you can get involved.
There's so many opportunities all around us.
And you know, I feel like you're all here at Cephricon, you kind of already know that, but then share that, right?
We all have people in our lives, right?
IT colleagues, things of that nature, that aren't here at Cephricon with us.
Encourage them to get involved with whatever means you can.
Oh yeah, we can do that.
How do I, where do I get, how do I get my mouse over there?
I don't think there's any sound, which is fine.
Yeah, there we go.
It is, it's working.
So this is what a competition looks like.
There is audio.
Yeah, it's okay.
There's a cool audio track that goes with this.
Not a big deal.
This is a time lapse from CCDC.
Don't worry, it's only like five more seconds.
Everything looks the same in dark mode.
There's a constant chaos.
We need to keep it bright a little bit.
The music makes it look better.
Yeah, sorry.
There we go
.
And then yeah, please feel welcome to connect with Mark and I.
I'm always happy to connect with folks on LinkedIn.
One of the cool things about an educator is I see students maybe fairly early on in their careers, and that's just the start of a friendship and a relationship.
It's really cool to think, I've been teaching and working with students now for 15 years.
If you would have asked me when I first started teaching or first started mentoring, running that tech office, would I still know these people this much later in life?
Totally.
I think about my friend Chris Beckett, who works at Northwestern Mutual.
Chris was just here talking to my Security 2 class not even two weeks ago.
It was such a good experience.
I'd love for you to connect with me, follow me, reach out if you have any questions about any of those certifications, career advice, all that fun stuff.
And I think Mark is the same.
Yeah?
Yeah, that's great.
Hit us up on LinkedIn or on Jim's website.
Just let us know, hey, we met you at CypherCon.
We started talking at CypherCon.
Can you share your slides or can you share some resources with us?
We're pretty passionate about promoting competitions and games.
This is the one other thing I wanted to say that I forgot about.
No other industry has games like we do.
Am I right?
Nobody.
Nobody has captured a flag in cybersecurity competitions.
Nobody has fun like we do.
And I think it's probably because it's just so damn hard.
And we've got to try to make it fun to ease the pain, right?
But it is.
It's fun because you get to solve something.
Yeah, we do.
We do.
I'd love to open up time for any questions if anybody has some of us or of some of our fine competitors.
This is your chance.
And as good teachers, we will not be leaving this room or letting you leave this room until at least one question gets asked.
Hey, there we go.
All right.
We love that, yeah.
Yeah, I agree.
And I think the bar gets raised every year.
I think every year we have to work harder to get better at this.
The red team's getting a little more evil.
Yeah, I agree.
I agree.
Question?
Alex?
Ha!
Yeah, go for it.
What I love about WCTC is it's hands-on and practical.
It's geared towards helping students get their foot in the career.
And the classes, they're $500, give or take, each.
It's a safe space to fill.
You're not going to go into debt by trying it.
I see a lot of 17, 18, 19-year-olds that are trying to figure out their life, rightfully so.
And I love that you can try it, and if you fail or decide that it's not for you, there's so many other ways you can take it, and you still have those opportunities.
You're not locked up.
And if you love it, the floodgates are there for those career paths.
And Mark and I, and the communities that we have, we support each other.
So that's my elevator pitch for WCTC.
Yeah, absolutely.
I love it.
Thanks for your question.
Just to continue off of that, as he was saying, everything is hands-on.
You get real tactical right away, and it's awesome.
And to compare, I had a buddy who went to a four -year university.
I won't call it out.
He started his junior year, and he goes , I'm just starting my networking class.
Do you know what a TCP packet is?
I will say, too, I have a bachelor's in Romance Languages, so I do have that degree .
And so I was looking at getting into cybersecurity, and I researched the master's program offered at Marquette University.
I was talking with them, and saw the price tag.
I was like, okay, well, might be worth it.
But I don't have any IT experience.
I don't know if I'm going to like this.
Turns out someone who knew Mark suggested check out WCTC, and I saw they were having an open house, so I went, loved what I was hearing from the teachers.
Much lower barrier to entry in terms of cost, so I was like, this is a lot less of an investment or risk, as Jim just said.
And look how that turned out.
So, and they definitely equip you for the workforce so, so well.
So to build off that a little bit, I also started going to a four-year university, dropped out, went to WCTC, and for me, the big thing was just how different WCTC felt as a school.
It didn't feel like you were just kind of made to memorize or not really learn something.
We were given, you know, I remember first day networking, it was, oh, we're configuring a router, day one.
You know, it's not, it was more than just this theory, more than just memorization, it was actually doing and learning it hands-on.
And that made a huge difference with my want and the challenge I felt to learn more as I went there.
To continue off what he was saying, I went to another local area technical college.
And it was before, you know, the world panicked and everything shut down.
And when that happened, I wasn't really liking, even before all that happened, the classes I was taking, and then once everything started, I'm going to say normalizing again, I'm going to say that, I started looking at WCTC and looking at how they did things compared to the other one,
it was pretty substantially different compared to where I was going was much more slower, but it just the way they were didn't seem good.
Going to WCTC, it's a faster pace.
Yes, it's a faster pace, but it's also a lot more hands-on in my experience.
And that's really the biggest part for me was that hands-on.
Cool.
Thank you.
Yeah, I think we're close.
Did you have something else?
No.
Okay.
Yeah, I think we're ready to wrap up.
Oh, thanks.
Yeah.
Lee?
Stop!
Applause Applause