<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[Daniel Milnes' Blog]]></title><description><![CDATA[Ramblings of an Infosec Idiot]]></description><link>https://blog.daniel-milnes.uk/</link><image><url>https://blog.daniel-milnes.uk/favicon.png</url><title>Daniel Milnes&apos; Blog</title><link>https://blog.daniel-milnes.uk/</link></image><generator>Ghost 4.18</generator><lastBuildDate>Thu, 12 Mar 2026 01:39:27 GMT</lastBuildDate><atom:link href="https://blog.daniel-milnes.uk/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[HSTS For Forensics: You Can Run, But You Can't Use HTTP]]></title><description><![CDATA[HTTP Strict Transport Security (HSTS) is a great tool for website administrators to ensure their site is only accessed over encrypted channels. But does it have any digital forensics applications?]]></description><link>https://blog.daniel-milnes.uk/hsts-for-forensics-you-can-run-but-you-cant/</link><guid isPermaLink="false">6164c324d0c6870e761c525e</guid><category><![CDATA[DFIR]]></category><dc:creator><![CDATA[Daniel Milnes]]></dc:creator><pubDate>Sun, 10 Nov 2019 14:37:28 GMT</pubDate><media:content url="https://images.unsplash.com/photo-1486312338219-ce68d2c6f44d?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=2000&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjExNzczfQ" medium="image"/><content:encoded><![CDATA[<img src="https://images.unsplash.com/photo-1486312338219-ce68d2c6f44d?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=2000&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjExNzczfQ" alt="HSTS For Forensics: You Can Run, But You Can&apos;t Use HTTP"><p>First, for those of you who don&apos;t know, let me explain how HSTS works. 
HSTS is a HTTP header which a web server can send to tell a client that they should not accept unencrypted communications from that domain for a specified period of time. Developers can also <a href="https://hstspreload.org">preload</a> their websites so that the browser knows that it should use HTTPS for its first communication.</p><figure class="kg-card kg-code-card"><pre><code>strict-transport-security: max-age=31536000; includeSubDomains; preload</code></pre><figcaption>Example HSTS header</figcaption></figure><p>However, for this to work it must be writing to disk somewhere, and that means forensic artefacts! So I set out hunting for them and very quickly had the usual series of revelations that come with a project like this; &quot;This seems really easy, why has no one done it before&quot; &quot;Oh... that&apos;s why...&quot;.</p><p>Before I go any further, I should note something very important. Like any browser cache artefact, a HSTS database record <strong>does not</strong> prove that the user deliberately browsed to that website, simply that the browser interacted with it.</p><h1 id="firefox">Firefox</h1><p>Let&apos;s start with Firefox, given that it&apos;s the simplest of the browsers to analyse. Firefox writes its HSTS database to a file called <code>SiteSecurityServiceState.txt</code> within the user&apos;s Firefox profile (<code>%APPDATA%\Mozilla\Firefox\Profiles\</code> on Windows), but unlike most Firefox artefacts, it&apos;s not an SQLite file, but a plain text tab-separated table.</p><figure class="kg-card kg-code-card"><pre><code>blog.daniel-milnes.uk:HSTS	0	18207	1604684330099,1,1,2
</code></pre><figcaption>Example entry</figcaption></figure><p>Let&apos;s break this down:</p><p><code>blog.daniel-milnes.uk</code> - The domain in question.</p><p><code>:HSTS</code> - This file is also used to store HPKP records, so this distinguishes the record as HSTS.</p><p><code>0</code> - The number of visits. Note: In my testing I found the behaviour of this field to be very unreliable, so I would caution against treating it as forensically sound.</p><p><code>18207</code> - The number of days since the Unix Epoch that the page was last accessed.</p><p><code>1604684330099</code> - The number of milliseconds after the Unix Epoch that this record expires.</p><p><code>1</code> &#xA0;- The Security Policy State. <code>0</code> meaning unset, <code>1</code> meaning set, <code>2</code> meaning knockout, and <code>3</code> meaning negative.</p><p><code>1</code> &#xA0;- Should subdomains be included? <code>1</code> means yes, <code>0</code> means no.</p><p><code>2</code> - The Firefox source code calls this <code>source</code>, but in my testing I was never able to get it to produce any value other than <code>2</code>, including sites with and without preload.</p><p>Firefox does not consider this file to be history, so clearing history will not remove it, but it does consider it a Site Preference.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/11/image-1.png" class="kg-image" alt="HSTS For Forensics: You Can Run, But You Can&apos;t Use HTTP" loading="lazy"><figcaption>Clean up the HSTS database</figcaption></figure><p>The database is not written until Firefox is closed, meaning that a live disk capture may prove incomplete. 
This also applies to Tor browser, as it is based on the Firefox source code.</p><h1 id="chrome">Chrome</h1><p>Google Chrome proved to be a much harder beast to tame when it came to actually finding where the HSTS database is on disk, but after resorting to the tried and true DFIR method of crossing your fingers and using <code>diff</code>, I eventually found <code>%LOCALAPPDATA%\Google\Chrome\User Data\TransportSecurity</code>, a JSON file (despite the lack of the extension) containing the database.</p><figure class="kg-card kg-code-card"><pre><code class="language-json">&quot;+2oHxdIbjeDrXH6buN8LtFwdxx7XuvmXd+B47y9TQIM=&quot;: {
   &quot;expiry&quot;: 1599899783.19529,
   &quot;mode&quot;: &quot;force-https&quot;,
   &quot;sts_include_subdomains&quot;: false,
   &quot;sts_observed&quot;: 1568363783.195293
}</code></pre><figcaption>Example entry</figcaption></figure><p>That doesn&apos;t exactly look like a domain, does it? Well I went digging in the Chromium source, and my heart sank when I saw this:</p><figure class="kg-card kg-code-card"><pre><code class="language-cpp">// This inverts |HashedDomainToExternalString|, above. It turns an external
// string (from a JSON file) into an internal (binary) string.
std::string ExternalStringToHashedDomain(const std::string&amp; external) {
  std::string out;
  if (!base::Base64Decode(external, &amp;out) ||
      out.size() != crypto::kSHA256Length) {
    return std::string();
  }

  return out;
}</code></pre><figcaption><a href="https://github.com/chromium/chromium/blob/a3ac342af76d924e7cf083ca163e01470417fa2a/net/http/transport_security_persister.cc#L38-L48">Source</a></figcaption></figure><p>Yep. Chrome stores each domain in the format Domain &#x2192; Replace <code>.</code> with hex showing distance to next <code>.</code> &#x2192; Add null terminator &#x2192; SHA256 &#x2192; Base64, meaning that the process would go <code>blog.daniel-milnes.uk</code> &#xA0;&#x2192; &#xA0;<code>\x04blog\x0Ddaniel-milnes\x02uk</code> &#xA0;&#x2192; <code>\x04blog\x0Ddaniel-milnes\x02uk\x00</code> &#x2192; SHA256 &#x2192; Base64. I&apos;m assuming this was done to help with privacy concerns, but it really makes forensics a nightmare. Nevertheless, there is still some value here if you&apos;re trying to prove that a suspect&apos;s browser visited a specific site, but you won&apos;t be able to dump out a list like you can with Firefox.</p><p>Beyond that, the other fields are laid out like so:</p><p><code>expiry</code> - The Unix timestamp of the record&apos;s expiry.</p><p><code>mode</code> - For HSTS this will say <code>force-https</code>.</p><p><code>sts_include_subdomains</code> - Should subdomains be included?</p><p><code>sts_observed</code> - The Unix timestamp when the resource was last observed.</p><p>Clearly, Google decided to kick forensicators when they were down at this point, because unlike Firefox, where the option to delete the HSTS database is not ticked by default, Google not only bundles HSTS in with the cache, but also ticks the option by default. 
That means that someone clearing up after themselves would have to fairly intentionally leave behind the artefact.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/11/image-2.png" class="kg-image" alt="HSTS For Forensics: You Can Run, But You Can&apos;t Use HTTP" loading="lazy"></figure><p>The only nice thing about Chrome is that the developers made the research marginally easier by creating a developer page where you can register HSTS domains <code>chrome://net-internals/#hsts</code>.</p><p>This is true for all browsers built on the Chromium project, including Chrome, Edge Dev, and Opera. Like Firefox, the file is written when the program is closed.</p><h1 id="hsts-parser">HSTS Parser</h1><p>So none of that seems particularly easy to quickly analyse, but fortunately, I&apos;ve hacked together some low-quality Python to help with this problem! HSTS Parser is now available on GitHub, and it can process Firefox and Chrome HSTS databases! It&apos;ll even give you a nice ASCII table to look at everything in.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/11/image-3.png" class="kg-image" alt="HSTS For Forensics: You Can Run, But You Can&apos;t Use HTTP" loading="lazy"><figcaption>Example Firefox output</figcaption></figure><p>Whilst I&apos;ve not broken SHA256, you wouldn&apos;t be hearing about that for the first time here, I have added support for a wordlist when processing Chrome hashes. 
This means that you can feed in a list of domains you&apos;d like to know were contacted, and it will hash them and try to match them to the list.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/11/image-4.png" class="kg-image" alt="HSTS For Forensics: You Can Run, But You Can&apos;t Use HTTP" loading="lazy"><figcaption>Example Chrome output</figcaption></figure><p>You can get HSTS Parser on my GitHub <a href="https://github.com/thebeanogamer/hstsparser">here</a> today!</p><p>Hopefully that gives you a good insight into the forensic applications of HSTS, but if you&apos;ve got any questions or suggestions, feel free to drop me an email at <a href="mailto:daniel@daniel-milnes.uk">daniel@daniel-milnes.uk</a>!</p>]]></content:encoded></item><item><title><![CDATA[Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting]]></title><description><![CDATA[I've spent around the last year hunting for entry level jobs in Cyber Security, and after recently finding success, I'd like to share some of what I've learnt, what I wish people had told me, and some tips to help you succeed where I struggled.]]></description><link>https://blog.daniel-milnes.uk/cybering-for-fun-and-profit-lessons-learned-from-a-year-of-cyber-security-job-hunting/</link><guid isPermaLink="false">6164c324d0c6870e761c525d</guid><category><![CDATA[Careers]]></category><dc:creator><![CDATA[Daniel Milnes]]></dc:creator><pubDate>Thu, 15 Aug 2019 09:21:26 GMT</pubDate><media:content url="https://blog.daniel-milnes.uk/content/images/2019/08/businessmen-businesspeople-businesswomen-1249158.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.daniel-milnes.uk/content/images/2019/08/businessmen-businesspeople-businesswomen-1249158.jpg" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting"><p>So I&apos;ve spent around the last year hunting for entry level jobs in Cyber Security, and after recently finding 
success, I&apos;d like to share some of what I&apos;ve learnt, what I wish people had told me, and some tips to help you succeed where I struggled.</p><h1 id="university">University</h1><p>This article is going to mostly be written about alternative post sixth-form options, but given how <a href="https://www.ucas.com/file/225551/download?token=nGdxoNQn">many people</a> choose to go down the University route, I thought it at least worth discussing.</p><p>Firstly, picking a course. If you are interested in pursuing a degree in Cyber Security, the National Cyber Security Centre has a <a href="https://www.ncsc.gov.uk/information/ncsc-certified-degrees">list of degrees</a> which they have certified the quality of, but even with these, I would be careful. Remember, for a degree to be created, it will need years of development, and that means that much of the information will be out of date. Whilst there is certainly value in a Cyber Security degree, it is hardly the be all and end all of educational opportunities. And let&apos;s face it, most professors teaching those courses haven&apos;t been in industry in years. Much of this applies to Computer Science degrees as well, but at least they won&apos;t be anywhere near as out of date a few years down the line. In my opinion, if you want to do Cyber at University, better to join a Cyber Security society like <a href="https://enusec.org/">ENUSEC</a>, and participate in some of the opportunities I&apos;m going to talk about a bit further down.</p><h1 id="apprenticeships">Apprenticeships</h1><p>Given all the costs involved in University and the questionable relevance of some of the material, what alternatives are there? Well, what about apprenticeships? You&apos;re earning money whilst gaining skills and practical experience, plus a degree if you can get a place on a degree apprenticeship. So what is applying for apprenticeships actually like? 
Well, let&apos;s take a dive into the process!</p><p>Before we begin though, we need to get something out of the way. You&apos;re going to be doing this a while. Apprenticeship applications are generally much later in the year than University applications (I went to an assessment centre the day after my last exam), so even if you see yourself as an apprentice, it may still be worth applying for University, just to give you that backup. But don&apos;t get caught in the trap of thinking Apprenticeships are easier to get. Where a University course might have 50 places, I&apos;ve been at assessment centres for one position. Also, get ready to deal with rejection emails, they don&apos;t feel great...</p><h2 id="finding-something">Finding Something</h2><p>With all that being said, how do you actually find apprenticeships to apply for? There is no centralised website like UCAS, so how do you find something? Well, as a starting point, I&apos;d highly recommend some sites which do try and list all available apprenticeships</p><ul><li><a href="https://www.notgoingtouni.co.uk/">Not Going to Uni</a></li><li><a href="https://www.findapprenticeship.service.gov.uk/apprenticeshipsearch">Gov.uk Apprenticeship Finder</a></li><li><a href="https://careerfinder.ucas.com/jobs/apprenticeship/">UCAS (Yes, really)</a></li></ul><p>Specifically for Cyber however, I would recommend looking into some of the following:</p><ul><li>NCSC CyberFirst Degree Apprenticeship</li><li>Government Security Practitioners Cyber Security Apprenticeship</li><li>Santander Digital Technology Apprenticeship</li><li>BT Cyber Security Degree Apprenticeship</li><li>IBM Digital Degree Apprenticeship</li><li>QinetiQ Cyber Security Degree Apprenticeship</li><li>Home Office Cyber Security Degree Apprenticeship</li><li>Microsoft Cyber Security Apprenticeship</li><li>Vodafone Cyber Defence Higher Apprenticeship</li></ul><p>Some of these may not run again, and there are likely many that I have missed, but this should 
hopefully give you a starting point.</p><h2 id="the-application-process">The Application Process</h2><p>So whilst the application process can vary massively between organisers, things normally begin with a resume (or a resume copied into a poorly designed website), so make sure you have an up to date resume. Even if you&apos;re not applying for stuff now, try and make a resume now. It&apos;s going to take you a while, and it&apos;s much easier to keep it up to date than to have to make a completely new one when it comes time to apply. Also prepare for some &quot;Why do you want to work here&quot; style questions in the initial application.</p><p>Once you&apos;ve got past that, there will normally be some kind of vetting process. Those which I have seen can be split into three categories, some places will do all three, some will only do one, one or two will skip all three.</p><h3 id="psychometric-testing">Psychometric Testing</h3><p>Did you do 11+? If yes, do you remember the dumb questions you had to do? If yes to both, you should feel right at home with psychometric testing. If not, let me give you an idea of the hell that awaits. Psychometric testing will generally consist of numerical sequences (GCSE Maths to A-Level Further Maths level), verbal reasoning (If Paris is to France, what is to England?), and non-verbal reasoning (see below).</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Speaking from both my own experience and that of others who have been through this, expect to come out of this feeling like you&apos;ve failed, but don&apos;t worry, you&apos;ll be fine. 
If I were cynical, I would say that tests like these are mostly just testing how much you care, but I&apos;m not cynical, so I won&apos;t say that.</p><h3 id="subject-specialist-testing">Subject Specialist Testing</h3><p>Many programs will try and assess your Cyber skills by having you complete labs. I&apos;ll talk a bit more about Immersive Labs (the source of the below screenshot) in a minute, but as a suggestion, if you are given a minimum number of labs to do, do more. Do as many as you can.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-5.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><h3 id="written-testing">Written Testing</h3><p>If you&apos;re anything like me, next comes the worst part. At this point, many schemes will try and get as much writing out of you as they can to try and assess your suitability. On one application, I have seen 500 words on all of the following requested:</p><ul><li>Yourself</li><li>Teamwork</li><li>Effective Communication</li><li>Self-motivation and Drive to Succeed</li><li>Initiative</li><li>Client Focus</li><li>Adaptability</li><li>Technical Skill</li><li>Motivation for Applying</li></ul><p>I&apos;m not sure really what advice I can give for this beyond get other people to read your answers. It may sound great to you but utter rubbish to other people. Unfortunately, in this situation, it&apos;s other people&apos;s opinion which matters more than yours.</p><h2 id="assessment-centres">Assessment Centres</h2><p>So, congratulations, you&apos;ve made it through candidate vetting (and maybe some video interviews, which may be the most unpleasant thing you&apos;ll do whilst job hunting), it&apos;s time for an assessment centre. 
These are generally much more standard, with most containing these three elements.</p><h3 id="group-task">Group Task</h3><p>These will normally involve some kind of logic puzzle or judgement on attributes of an employee. The thing is however, in most cases, it doesn&apos;t actually matter if you get the right answer (if there is one), what is actually being assessed is your teamwork and communication, so make sure to focus on that.</p><h3 id="interviews">Interviews</h3><p>I&apos;ll be honest, I absolutely hate interviews, so I&apos;m probably not the best person to give advice about them. Instead I&apos;d recommend <a href="https://barclayslifeskills.com/i-want-to-prepare-for-an-interview/school/10-step-guide-to-interview-prep">this great article</a> by Barclays, which should help set you on the right direction. The only pointer I might give is that it&apos;s fine to be nervous, the interviewer is expecting it, and they&apos;ll do everything they can to calm you down.</p><h3 id="individual-activities">Individual Activities</h3><p>Sometimes organisers will ask you to give a presentation on a topic they specify. Depending on if you enjoy this kind of thing this can either be a Godsend or damnation. As with most things, practice is the key. I have claimed classrooms at school for hours to practice presentations, much to the bemusement of anyone who walks in, but the only way you are going to get comfortable presenting like this is practice. Oh, and don&apos;t wing it like I&apos;ve seen some people do. You may as well not even show up, it will be painfully obvious how little you&apos;ve prepared.</p><h2 id="offers">Offers</h2><p>If all goes well, you should be able to put your feet up at this point and wait for the offer! Or, as will often be the case, the rejection. I said it at the start, and I&apos;ll say it again, get ready for the rejections, no matter how well you think you did. 
If you do get rejected, make sure to ask for feedback so you can improve for next time. If you were accepted, congratulations!</p><h1 id="jobs">Jobs</h1><p>Alternatively to all that, you could always look at getting a job that&apos;s not part of an apprenticeship scheme. Many companies are happy to take younger less experienced people on and train them up. Don&apos;t worry if you feel a bit underqualified looking at job listings, just take the plunge and see if they respond. Unlike apprenticeships, jobs tend to have much simpler application processes, so applying for one is nowhere near as big of a commitment. Some stuff that might be worth applying for:</p><ul><li><a href="https://emp.jobylon.com/jobs/46494-f-secure-cyber-security-ltd-security-consultant/">F-Secure Consulting (Formerly MWR Infosecurity)</a></li><li><a href="https://www.nccgroup.trust/uk/about-us/careers/current-vacancies/security-consultant-uk-wide/">NCC Group</a></li><li><a href="https://www.pentestpartners.com/about-us/careers/">PenTestPartners</a></li><li><a href="https://www.modux.co.uk/">Modux</a></li></ul><p>(Recruiters, <a href="mailto:daniel@daniel-milnes.uk">email me</a> and I may add you to this list)</p><h1 id="making-yourself-stand-out">Making Yourself Stand Out</h1><p>This could probably be a blog post of its own at some point, but here are some things you can get involved in or do to help yourself really stand out from the other candidates.</p><h2 id="cyber-discovery">Cyber Discovery</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/FireJames.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Ok, if you&apos;re here, you probably know what <a href="https://joincyberdiscovery.com/">Cyber Discovery</a> is, but for those of you who don&apos;t; Cyber Discovery is a UK Government funded scheme to train 14-18 year olds in everything Cyber Security with a <a 
href="https://discord.cyberdiscoverycommunity.uk">great community</a>. Starting from the very basics, up to industry level reverse engineering and web app testing, it&apos;s a great way to learn, and I can credit it with a large part of my knowledge. If you do really well, you may get the opportunity to participate in professional qualifications like <a href="https://www.sans.org/course/hacker-techniques-exploits-incident-handling">SEC504</a> and <a href="https://www.sans.org/course/windows-forensic-analysis">FOR500</a>, and if you&apos;re really lucky, <a href="https://thegingernoodle.wordpress.com/2018/09/05/future-cybersecurity-leaders-exchange-programme-2018-part-1/">go to the USA</a> to learn even more. They even let me write a <a href="https://medium.com/cyber-discovery/cyber-discovery-spotlight-daniel-milnes-d28986dbc270">blog post</a> on their site which is always nice. Bonus brownie points if you set up a club to help teach others.</p><h2 id="cybercenturion">CyberCenturion</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-7.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>CyberCenturion is a team-based blue team competition for 12-18 year olds, focused around Windows and Linux security, run by Cyber Security Challenge UK and Northrop Grumman. As your team patches vulnerabilities they are awarded points which can contribute to a place in the final, where a place on a <a href="https://blog.stuajnht.co.uk/2018/09/cybercenturion-iv-winners-trip-day-1/">trip to the USA</a> can be won. 
Did I mention I led the team who won this year?</p><h2 id="cyber-security-challenge-uk">Cyber Security Challenge UK</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-8.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Cyber Security Challenge is an organisation dedicated to running competitions and training in Cyber Security for young people. For a long time they ran competitions for sponsors which I can give a <a href="/cyber-security-challenge-2018-masterclass/">ringing endorsement</a> to. Recently, they have shifted their focus to younger audiences, and I&apos;m interested to see where they go with this.</p><h2 id="hack-the-box">Hack the Box</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-9.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Hack the Box is a free platform for Hackers to practice their skills. After completing the welcome challenge, you are given a VPN connection with 20 boxes to hack into in return for badges which you can use to show off what you can do to employers! Boxes are regularly rotated so there&apos;s always something fresh to try, and you can even submit your own boxes for ultimate bragging rights!</p><h2 id="immersive-labs">Immersive Labs</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-10.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Immersive Labs is a huge collection of free labs, each designed around a specific skill. Want to practice unquoted service paths? There&apos;s a lab for that. Want to know a bit more about Snort? There&apos;s a lab for that. 
Immersive Labs is great for learning and practicing specific skills, and if you can get your future workplace to pay for it, there is a massive collection of premium labs with new ones added every week.</p><h2 id="google-code-in">Google Code-in</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-16.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Whilst not strictly Cyber Security, Google Code-in is a competition for 13-17 year olds, where you participate in open source projects, and those with the greatest levels of participation are given a very expensive Google Goodie Bag and a free trip to Google&apos;s office in California.</p><h2 id="start-a-blog">Start a Blog</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-11.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>If you&apos;ve not noticed by now, I&apos;m a big fan of blogging. Blogging is a great way to show to employers what you can do, and the range of skills that you have. If you have a little bit of money to throw towards the project for a server to host on, I can highly recommend <a href="https://github.com/TryGhost/Ghost">Ghost</a> (WordPress also exists, but please don&apos;t use it), or if you want something completely free, Google&apos;s <a href="https://www.blogger.com">Blogger</a> is a great no-frills option. Make sure to check out other people&apos;s blogs to help you stay up to date with the industry.</p><h2 id="twitter">Twitter</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-12.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Despite its many faults, Twitter is still a great platform for getting yourself out there and noticed. 
Twitter can be a great place to keep up with the Cyber Security industry, and to showcase things you&apos;d like an employer to see.</p><h2 id="conventions">Conventions</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-13.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Less valuable from an employment perspective, but still great fun, conventions can be a brilliant way to network. You don&apos;t have to spend thousands to get to DEFCON, BSides events (<a href="https://www.securitybsides.org.uk/">London</a>, <a href="https://www.bsidesbristol.org.uk/">Bristol</a>, etc.) are excellent ways to meet people and expand both your knowledge and your circle of contacts. Oh, and drink a stupid amount of booze (if you&apos;re an adult and into that sort of thing, not for me but you do you), eat an unhealthy amount of pizza (much more my thing), and hack a bunch of stuff.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Day 2 of feeding the 500! <a href="https://t.co/CNGHw5aPKi">pic.twitter.com/CNGHw5aPKi</a></p>&#x2014; BSides Bristol (@bsidesbristol) <a href="https://twitter.com/bsidesbristol/status/1142060307013165057?ref_src=twsrc%5Etfw">June 21, 2019</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><h2 id="linkedin">LinkedIn</h2><figure class="kg-card kg-image-card"><img src="/content/images/2019/08/image-14.png" class="kg-image" alt="Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting" loading="lazy"></figure><p>Oh LinkedIn, Facebook for old people (as it&apos;s known). Whilst on the surface LinkedIn may seem to be just another social media platform, it&apos;s so much more. LinkedIn is both a great way to stay in contact with people you meet, and conduct OSINT. Unlike Twitter, there&apos;s no one hiding behind a handle, and unlike Facebook, there&apos;s no well... Facebook. It&apos;s hardly perfect, but I am yet to find a better way to network with people.</p><h1 id="conclusion">Conclusion</h1><p>First of all, seriously well done for getting through all that. I know it&apos;s a lot, so thank you for sticking with me (you did read the whole thing right?). I&apos;m not saying that you need to do all these things to get a job in Cyber, nor that doing all these things will get you a job, far from it. These are simply some of the steps I have taken which have helped me move from education to a career in Cyber. 
Hopefully this has been of some value to you, and if it has (or if you have any suggestions for modifications), drop me an email on <a href="mailto:daniel@daniel-milnes.uk">daniel@daniel-milnes.uk</a>.</p>]]></content:encoded></item><item><title><![CDATA[CALM DOWN: Discord hasn't been hacked]]></title><description><![CDATA[With 130 million registered users, phishing campaigns targeting Discord are inevitable, but why are people suddenly talking about them, and what do they mean for me?]]></description><link>https://blog.daniel-milnes.uk/calm-down-discord-hasnt-been-hacked/</link><guid isPermaLink="false">6164c324d0c6870e761c525b</guid><category><![CDATA[Phishing]]></category><dc:creator><![CDATA[Daniel Milnes]]></dc:creator><pubDate>Fri, 19 Jul 2019 01:21:24 GMT</pubDate><media:content url="https://blog.daniel-milnes.uk/content/images/2019/07/longart.png" medium="image"/><content:encoded><![CDATA[<img src="https://blog.daniel-milnes.uk/content/images/2019/07/longart.png" alt="CALM DOWN: Discord hasn&apos;t been hacked"><p>With 130 million registered users, phishing campaigns targeting Discord are inevitable, but why are people suddenly talking about them, and what do they mean for me?</p><p>Before I go any further, I should really credit <a href="https://www.troyhunt.com/no-spotify-wasnt-hacked/">Troy Hunt&apos;s post</a> &quot;No, Spotify Wasn&apos;t Hacked&quot; for inspiration here, I&apos;ve refocused on the recent Discordgg.ga events, but most of what he said holds true here.</p><h1 id="what-s-going-on">What&apos;s going on?</h1><p>If you had Discord open on the evening of the 19th July 2019, you might have noticed the flurry of @everyone messages informing you that your account may have been breached and you, yes you, might be at risk!</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-13.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><figure class="kg-card kg-image-card"><img 
src="/content/images/2019/07/image-16.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-15.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><p>All of this leads back to the kind of phishing websites that are depressingly common on the internet today, in this case, discordgg.ga. This website perfectly replicated the Discord sign-in page, collecting the credentials of anyone who signed in using it; it even connected back to Discord to check if they were valid.</p><p>Now normally, these kinds of campaigns take place out of the public view, with the credentials being sold on by the creators of the phishing campaign to be used by others, but the creators of this campaign did something interesting: they published what they had collected online.</p><h1 id="what-does-this-mean-for-me">What does this mean for me?</h1><p>Well, someone else has your Discord account (unless you&apos;ve taken steps I&apos;ll come onto in a second). Anywhere you can send messages, now so can everyone who downloads the breach, everywhere you can take moderation action, now so can they, any server you can delete, now so can they.</p><h1 id="well-then-what-can-i-do-to-protect-myself">Well then, what can I do to protect myself?</h1><p>Before I go any further, I should clarify, you&apos;re probably not impacted by this. The attackers say they collected around 2,522 valid logins, and as such, for most people, this is a cautionary tale, rather than an incident to be responded to. Could Discord have done much better here?
Yes, but for the moment, let&apos;s focus on what you can do.</p><h2 id="-everyone">@everyone</h2><p>Whilst my &quot;Personal Cyber Security from basics&quot; (name not final) series of posts is coming soon, for the moment, here are a few basic steps you can take to remediate the damage done by this attack and protect against future ones.</p><h3 id="passwords">Passwords</h3><p>The first step to dealing with anything like this is changing your password, making the one the attackers have ineffective. You&apos;re not re-using passwords between sites, are you? Oh, you are? Change everywhere that your Discord password is re-used. Password reuse is bad practice, and I&apos;d recommend moving away from it, but for the moment, get those passwords changed. In future, I&apos;d recommend using a password manager to generate and store random passwords, which I&apos;ll talk about more in another post. Whilst this won&apos;t protect you against future attacks, it will remediate the damage done by this one.</p><h4 id="how-to-change-discord-passwords">How to change Discord passwords</h4><p>First, go to &quot;User Settings&quot;</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-9.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><p>&quot;Edit&quot;</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-10.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><p>&quot;Change Password&quot;</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-11.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><p>Fill out the form and press &quot;Save&quot;</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-12.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><h3 id="multifactor-authentication">Multifactor
Authentication</h3><p>For those not familiar, multifactor authentication (or 2FA as it&apos;s more often known) is the process of requiring multiple pieces of data to gain access to an account. This means that even if someone has one of the pieces of data, they can&apos;t get into the account. The first piece of data is normally a password, and the second is normally a code generated by an app or sent via SMS. There are alternatives like U2F Keys, but that&apos;s beyond the scope of this post. By enabling 2FA, you make any passwords collected by phishing campaigns useless, and for the two minutes it takes to turn it on, it&apos;s well worth the while. Unlike changing your password, this will protect against future attacks.</p><p>Discord have an official guide on enabling 2FA <a href="https://support.discordapp.com/hc/en-us/articles/219576828-Setting-up-Two-Factor-Authentication">here</a>. For <em>most people</em>, I&apos;d recommend using Authy with an SMS backup.</p><h2 id="-administrators">@Administrators</h2><p>Assuming you&apos;ve followed the above advice, you should now have 2FA enabled. Discord allows you to force this for your entire moderation team, and I would highly recommend doing so. This can be done on the &quot;Moderation&quot; tab of server settings.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/07/image-8.png" class="kg-image" alt="CALM DOWN: Discord hasn&apos;t been hacked" loading="lazy"></figure><p>Have I got something wrong, or have you got any suggestions for improvements? Let me know at <a href="mailto:daniel@daniel-milnes.uk">daniel@daniel-milnes.uk</a>.</p>]]></content:encoded></item><item><title><![CDATA[Cyber Security Challenge 2019 Santander F2F]]></title><description><![CDATA[Almost a year from when it started, my Cyber Security Challenge UK journey must sadly come to an end. 
Recently, Santander hosted the final (at least for now) face-to-face competition, and I'd like to share my experience at the event to help others to prepare for similar competitions.]]></description><link>https://blog.daniel-milnes.uk/cyber-security-challenge-2019-santander-f2f/</link><guid isPermaLink="false">6164c324d0c6870e761c525a</guid><category><![CDATA[CSC]]></category><dc:creator><![CDATA[Daniel Milnes]]></dc:creator><pubDate>Wed, 17 Apr 2019 14:48:00 GMT</pubDate><media:content url="https://blog.daniel-milnes.uk/content/images/2019/04/55840512_2167794769931113_6711660447596019712_o-1-.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.daniel-milnes.uk/content/images/2019/04/55840512_2167794769931113_6711660447596019712_o-1-.jpg" alt="Cyber Security Challenge 2019 Santander F2F"><p>Almost a year from when it started, my <a href="https://www.cybersecuritychallenge.org.uk/">Cyber Security Challenge UK</a> journey must sadly come to an end. Recently, <a href="https://www.santander.co.uk/">Santander</a> hosted the final (at least for now) face-to-face competition, and I&apos;d like to share my experience at the event to help others to prepare for similar competitions.</p><h1 id="qualifiers">Qualifiers</h1><p>At previous events, the qualification tasks have often been a good indication of what will actually happen at the event, but no such hints were available here. The qualifier for the National Crime Agency competition was a disk image, to match the forensics involved in the actual event, and the qualifier for the Bank of England competition was log analysis, which was most of what we did at the competition. As well as being the final face-to-face event, this was also the qualifier for Team UK, and as such, a wide variety of skills needed to be tested in the qualifier, meaning no hints were available. 
Last year&apos;s <a href="https://www.europeancybersecuritychallenge.eu/">ECSC</a> Final was hosted at Cyber Re:coded in London, and this year&apos;s competition will be in Bucharest, Romania, so places are hard fought for.</p><h2 id="qualifier-1">Qualifier 1</h2><p>The first qualifier was somewhat of a red herring as far as the actual event was concerned, as it was a penetration test of a web app. Whilst I obviously can&apos;t document the exact solution, it was a nice challenge, and it was interesting to see <a href="http://rangeforce.com/">Rangeforce&apos;s</a> take on more offensive tasks (more on Rangeforce later). My only experience with Rangeforce was at the <a href="https://blog.daniel-milnes.uk/cyber-security-challenge-2018-masterclass/">2018 Masterclass</a>, a defensive challenge, and as with most challenges like this, enumeration was the key, and was what made it take me much longer than it should have.</p><h2 id="qualifier-2">Qualifier 2</h2><p>The second qualifier was, whilst closer to the actual event, still a test of other skills. Although technically blue team, qualifier two focused on DFIR, specifically in the form of a network traffic capture and disk image. Whilst I found the network capture to be relatively simple, I must admit I was flummoxed by the disk image, and was very interested to hear some of the solutions used by other competitors.</p><p>Ultimately, whilst my performance in these qualifiers was enough to get me through to the actual event, qualifier two in particular highlighted an area I really needed to work on.
I will confess that I was hoping for a blue team style event after winning CyberCenturion with TeamWhy2k a few weeks prior (blog post coming about this Soon&#x2122;), and in this regard, I somewhat got my wish.</p><h1 id="day-1">Day 1</h1><p>At this point, there&apos;s probably a law that says all I&apos;m allowed to tweet is photos from windows, and as such, that was how this event began.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Mixing up the train photos, I&apos;m driving (well, being driven) to Leicester for the final <a href="https://twitter.com/Cyberchallenge?ref_src=twsrc%5Etfw">@Cyberchallenge</a> <a href="https://twitter.com/santanderuk?ref_src=twsrc%5Etfw">@santanderuk</a> <a href="https://twitter.com/hashtag/CyberF2F?src=hash&amp;ref_src=twsrc%5Etfw">#CyberF2F</a>! Can&apos;t wait to see what&apos;s waiting for us, it should be a great couple of days! <a href="https://t.co/3b1MI5tRzx">pic.twitter.com/3b1MI5tRzx</a></p>&#x2014; Daniel Milnes (@thebeanogamer) <a href="https://twitter.com/thebeanogamer/status/1108736389657649159?ref_src=twsrc%5Etfw">March 21, 2019</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>After arriving at the Leicester Marriott Hotel, I quickly checked in to my room, before heading down to the lobby. Whilst I do know most of the regulars at these events, it was still refreshing to see an influx of new competitors, even at the last event, and a healthy representation of <a href="https://joincyberdiscovery.com/">Cyber Discovery</a> hoodies.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/03/image-1.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>After arriving at Santander&apos;s head offices, we got a briefing on the events of the coming day, and what we were all fighting for, a place on Team UK. As there is no Masterclass this year, and with the aforementioned trip, a place on the team was everyone&apos;s goal.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/03/image-3.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>We then spent some time getting to know the other competitors, and although it started out as a simple quiz, it quickly developed into a difficult logic puzzle, calling on our deduction skills. Whilst we ultimately didn&apos;t come out on top, it was a great experience to get us ready for the next day.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/04/image.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>After arriving back at the hotel, a large group of us collected in a hotel room and played <a href="https://jackboxgames.com/project/fibbage/">Fibbage</a> for a while, and it was a good thing that we also had the hotel rooms on both sides, as it turns out 14 people in one room do produce quite a bit of noise!
It was also a really nice opportunity to see some of the staff, competitors, and assessors in a less formal environment (although not <a href="https://twitter.com/Cyberchallenge/status/1067231276388835328">ball pit</a> levels of informal), and I sat talking until the early hours of the morning in the bar, catching up with people I hadn&apos;t seen in months.</p><h1 id="day-2">Day 2</h1><p>One of the best ways to evaluate any hotel is the quality of the breakfast, and in this regard, I was certainly not let down.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/03/image.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"><figcaption>This qualifies as me going on a diet compared to Masterclass, right?</figcaption></figure><p>After stuffing down enough food to satisfy a hippo, I did the obligatory 50 checks of my room to make sure I hadn&apos;t forgotten anything, then got in a taxi over to the Santander offices.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/03/image-7.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>A large collection of sweets and a bottle of Ribena Light in hand (I went through 5 bottles of the stuff, God help my insides), we got a briefing from Rangeforce about what we would actually be doing for the competition. We were interns at a firm that made ambulance deployment management software, and the firm was experiencing a major breach. Like Masterclass, we were given a copy of the network topology, but this time with the added complication of &quot;satellites&quot; which had a 5mb/s link to us and the internet. Whilst we were lucky that the machines were mostly up to date and were accessed exclusively through SSH, this is an interesting idea I would really like to see built on. 
Personally, the most frustrating and least enjoyable competitions are those which are the furthest from an actual situation, and I think Rangeforce strikes a really good balance here, as whilst there are some simulated elements (for example, the scoreboard which was up around the room), they are kept to a minimum, and do a good job of keeping up the pressure.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/03/image-8.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>Speaking of Rangeforce, I would once again like to thank them for putting together the actual challenge for the event. Their challenge design and platform continues to be excellent, and I hope to be involved in an event they run again in the future.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/03/image-4.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>With all that out the way, what was the actual challenge like? Well, as I mentioned, the event was purely defensive, but not in the same style as CyberCenturion. Where Centurion had you patch common Windows and Linux vulnerabilities, at this event, the solely Linux environment had no common issues like these, it was entirely custom services, which really helped improve the experience. Whilst knowing how to secure fresh machines is an important skill, it does get repetitive, so having to quickly learn how custom services work and secure them in a tight time frame is a really fun experience.</p><p>Throughout the day, we saw a variety of interesting exploits, and whilst I obviously can&apos;t document them in full, one of the most interesting ones I saw related to <code>pam_deny.so</code>, which is the file Linux uses to reject authentication requests, and replacing it with <code>pam_allow.so</code>, essentially meaning that any authentication requests would be accepted. 
Additionally, I was shown why my beloved <code>fail2ban</code> isn&apos;t quite the magic bullet I hoped it would be. For context, <code>fail2ban</code> scans logs from a large number of common applications like <code>nginx</code> and <code>sshd</code>, then writes firewall rules to drop traffic from clients with high error rates. In theory this works really well, and indeed, it did block several exploits on the board, and this was lovely for the 30 seconds it took us to realise it had also blocked the scoring platform. A side effect of this network configuration was that the machines saw all traffic coming from the same source, so when they blocked the malicious traffic, they also blocked the ability for the scoring platform to see if the machine was working.</p><p>There were also some less advanced exploits, including things like RCE within the web app, which really highlighted the value of digging through logs for a task like this. If you&apos;ve got them, tools like <a href="https://www.splunk.com/">Splunk</a> and <a href="https://www.fluentd.org/">fluentd</a> are great, but often, things like a command backdoor constantly being tested will stick out like a sore thumb in logs, and spotting them means you can quickly search the app&apos;s code for the function being exploited and remove it. Whilst there is obviously value in manually reviewing source code, especially in time sensitive situations, looking for signs of exploitation and working backwards from there will save you a lot of time, although in real world situations where a log event isn&apos;t being triggered every few seconds, this is less appropriate.</p><p>Unlike at Masterclass, where I worked on most-all of the reports we submitted, my involvement in the process this time was fairly minimal, as whilst it is something that I enjoy doing, there were people on the team more qualified to do them, both faster and to a higher standard than me.
I did appreciate the relevance of the situation to the real world, as one vulnerability that we had to write about was passwords appearing in log files, which both <a href="https://www.bleepingcomputer.com/news/security/twitter-admits-recording-plaintext-passwords-in-internal-logs-just-like-github/">Twitter</a> and <a href="https://www.bleepingcomputer.com/news/security/github-accidentally-recorded-some-plaintext-passwords-in-its-internal-logs/">GitHub</a> have been caught doing recently.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/03/image-5.png" class="kg-image" alt="Cyber Security Challenge 2019 Santander F2F" loading="lazy"></figure><p>Just like at Masterclass, we bounced up and down the leaderboard, but in the final hours of the competition, it turned into a fight for uptime with a couple of other teams. We eventually reached the point of taking desperate steps, like the aforementioned <code>fail2ban</code>, or drastic changes to the permissions of system files. In the end though, it was good old fashioned vulnerability hunting (and a couple of people watching for downtime) that pulled us through. Whilst we did finish top of the board, there were still a large number of reports which needed to be marked, with the potential to radically change the scores.</p><p>Fortunately, the positions stuck, and we managed to come out on top overall. I&apos;d like to say thank you to the entire team, you were great, and I look forward to being able to work with you again.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">For those of you after the photos from the Santander ECSC Team UK Qualifier, head over to our Facebook page where the full album is now available. 
<br><br>&#x1F4F8; Thanks again to photographer <a href="https://twitter.com/mikeysewell?ref_src=twsrc%5Etfw">@mikeysewell</a> <a href="https://t.co/JPsec1OIuj">https://t.co/JPsec1OIuj</a> <a href="https://t.co/pwk43zOpBM">pic.twitter.com/pwk43zOpBM</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1110183905347420161?ref_src=twsrc%5Etfw">March 25, 2019</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>This year&apos;s Team UK were then announced, and whilst I was obviously disappointed to not make the cut, the team is made up of people from whom I&apos;d seen amazing performances at both this event and others I had attended with them, and are the kind of people I don&apos;t have any issue losing to. Everyone on the team has done excellently to get this far, and I wish them good luck in the ECSC competition.</p><p>Once again, I&apos;d like to issue a massive thank you to everyone involved in the event, CSC, Santander, the assessors, Rangeforce, and everyone else who was involved in putting together this great event. I feel honoured to have had the involvement with Cyber Security Challenge that I have, and I wish the team there the best of luck with whatever the future may hold.</p><p>Unless stated otherwise, photos used are either my own or official event photos published here.</p>]]></content:encoded></item><item><title><![CDATA[Cyber Security Challenge 2018 Masterclass]]></title><description><![CDATA[I recently had the honour of participating in the 2018 Cyber Security Challenge UK Masterclass sponsored by Barclays. It was an absolutely insane experience, which I would encourage anyone interested in Cyber Security to get involved with. ]]></description><link>https://blog.daniel-milnes.uk/cyber-security-challenge-2018-masterclass/</link><guid isPermaLink="false">6164c324d0c6870e761c5255</guid><category><![CDATA[CSC]]></category><dc:creator><![CDATA[Daniel Milnes]]></dc:creator><pubDate>Fri, 18 Jan 2019 15:00:00 GMT</pubDate><media:content url="https://blog.daniel-milnes.uk/content/images/2019/04/IMG_20190121_135553.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://blog.daniel-milnes.uk/content/images/2019/04/IMG_20190121_135553.jpg" alt="Cyber Security Challenge 2018 Masterclass"><p>I recently had the honour of participating in the 2018 Cyber Security Challenge UK Masterclass sponsored by Barclays. 
It was an absolutely insane experience, which I would encourage anyone interested in Cyber Security to get involved with. Hopefully this blog will give a taste of what was involved as well as some hints on how to get the most out of the event if you are lucky enough to qualify.</p><h1 id="22-days-to-go">22 Days To Go</h1><p>My story actually begins a couple of weeks prior to the Masterclass itself. To help with preparation for the event, CSC sent out a list of pre-reading. I went through most-all of this list over the next few weeks, but for any event like this, the pre-reading can be used as a great way to speculate about the course contents, and work out other helpful skills for the event.</p><p>Some of the pre-reading really stuck out to me, for example, we were told to read into National Security, suggesting to me a serious and organised crime focus. In addition, there were several items about different types of DDoS attacks and a mixture of Windows and Linux material. This all suggested that the event would be blue team focused, and whilst I did work on these skills through programs like <a href="https://www.cybersecuritychallenge.org.uk/competitions/cybercenturion">Cyber Centurion</a> and <a href="https://immersivelabs.co.uk/">Immersive Labs</a>, I made sure to work on my red teaming skills in case my assessment was incorrect.</p><hr><h1 id="11-days-to-go">11 Days To Go</h1><p>A few days before the event began, a very cryptic video was released by CSC. 
Amongst my friends this inspired some furious inspection (I&apos;ve watched this trailer more times than I dare to count) and some giggling from some who attended last year who thought they had (incorrectly) predicted what would happen.</p><figure class="kg-card kg-embed-card"><iframe width="480" height="270" src="https://www.youtube.com/embed/p1PVubpRgM4?feature=oembed" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></figure><hr><h1 id="day-1">Day 1</h1><p>The first day of the actual event began, as most do, with a tweet of a photo out of the window of a train to London. </p><figure class="kg-card kg-embed-card kg-card-hascaption"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Even the grim weather can&apos;t ruin my mood as I thunder towards what is looking to be an amazing 4 days at <a href="https://twitter.com/Cyberchallenge?ref_src=twsrc%5Etfw">@Cyberchallenge</a> <a href="https://twitter.com/BarclaysUK?ref_src=twsrc%5Etfw">@BarclaysUK</a> <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a>! <a href="https://t.co/V2UbVVtMyc">pic.twitter.com/V2UbVVtMyc</a></p>&#x2014; Daniel Milnes (@thebeanogamer) <a href="https://twitter.com/thebeanogamer/status/1066339012401610752?ref_src=twsrc%5Etfw">November 24, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<figcaption>These make up about 90% of my Twitter</figcaption></figure><p>I arrived at the <a href="https://www3.hilton.com/en/hotels/united-kingdom/hilton-london-tower-bridge-LONTBHI/index.html">Hilton London Bridge Hotel</a> extremely excited, and yet not entirely sure what I was in for. Whilst I had been over the pre-reading, everything I&apos;d heard from previous competitors suggested that the Masterclass was greater than the Bank of England and NCC Group Face to Face events I had attended in both scale and difficulty. They certainly weren&apos;t wrong there.</p><p>Once I had checked out my room, I made my way down to the lobby and met up with the other contestants. Whilst in previous years the attendance at challenge events, and especially the Masterclass, has been mostly university students, this year had seen a huge influx of sixth form students (making up 12 of the 48 competitors). All of these students (including myself) had participated in <a href="https://joincyberdiscovery.com/">Cyber Discovery</a>, and the fact that the Cyber Discovery team had been able to get sixth form students up to this standard was seriously impressive. This also gave me the advantage of knowing a substantial portion of the people attending, which turned out to be both a strength (already having bonded with many of the people present) and a weakness (helps me be introverted as hell).</p><figure class="kg-card kg-embed-card kg-card-hascaption"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Just checked into the hotel for the <a href="https://twitter.com/Barclays?ref_src=twsrc%5Etfw">@Barclays</a>&#x2019; <a href="https://twitter.com/Cyberchallenge?ref_src=twsrc%5Etfw">@Cyberchallenge</a> <a href="https://twitter.com/hashtag/CYBERMC2018?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC2018</a> and am absolutely overwhelmed by the view... I can tell that the next 3 days are going to be out of this world!! 
<a href="https://t.co/9X1ZxkgWrm">pic.twitter.com/9X1ZxkgWrm</a></p>&#x2014; Jess Ingrey (@JessicaIngrey) <a href="https://twitter.com/JessicaIngrey/status/1066360594335498240?ref_src=twsrc%5Etfw">November 24, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<figcaption>Someone who had the foresight to take photos of the room before dumping their stuff in it like I did</figcaption></figure><p>I&apos;ll be honest, there are few things in this world as dramatic as checking in to a hotel and being handed an envelope with the information for the next few days. Once I had unpacked a little I headed downstairs to meet with the other contestants and staff. We talked for a bit before making our ways over to Barclays&apos; Canary Wharf office. On the way we passed through a beautiful looking set of Christmas decorations, at which point I discovered my phone&apos;s lack of low light performance, but I managed to get a few usable shots.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/01/image.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"><figcaption>Apparently removing colour makes the visual noise bearable. Who knew?</figcaption></figure><p>Once we were in the venue we were introduced to our teams. In my case, that was formed of one person I already knew, four UK based new people, and one competitor from Singapore. Team building exercises take many forms at CSC events, from puzzles spread around museums to pub quizzes, and this event put yet another unique spin on the formula.</p><figure class="kg-card kg-embed-card kg-card-hascaption"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Just a few minutes left to solve the final challenges at the <a href="https://twitter.com/bankofengland?ref_src=twsrc%5Etfw">@bankofengland</a> <a href="https://twitter.com/hashtag/cyberF2F?src=hash&amp;ref_src=twsrc%5Etfw">#cyberF2F</a> - can Team Lamarr nab one last point? <a href="https://t.co/6csg6LwoYG">pic.twitter.com/6csg6LwoYG</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/992108708896395265?ref_src=twsrc%5Etfw">May 3, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<figcaption>The team building exercise at the Bank of England Face to Face</figcaption></figure><p>Representatives of the Metropolitan Police organised for us to play a <a href="https://www.computerweekly.com/news/252440491/City-Police-use-Lego-simulation-to-teach-businesses-cyber-security">game devised by Bristol University</a>. We were given a situation with a company who operated a power plant, a budget, and a list of potential spending options. For the most part, we did alright, making the systems and facilities more secure and fighting off the majority of attacks. That was until the last round, where we received a &#xA3;5.5 million fine from the ICO for GDPR violations. But hey, at least we weren&apos;t the team who had their power plant blown up. It&apos;s the small victories in life...</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Contestants have been divided into their groups and given a number of mini puzzles and props for the ice-breaker. What might they be doing that the <a href="https://twitter.com/metpoliceuk?ref_src=twsrc%5Etfw">@metpoliceuk</a> would be needed for? <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a> <a href="https://t.co/bHOs9KL77V">pic.twitter.com/bHOs9KL77V</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1066389271932821504?ref_src=twsrc%5Etfw">November 24, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>We also got to experience a small snippet of life within Barclays&apos; SOC, through a virtual reality experience.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Well it&apos;s all getting kicked off here <a href="https://twitter.com/BarclaysUK?ref_src=twsrc%5Etfw">@BarclaysUK</a> in <a href="https://twitter.com/hashtag/london?src=hash&amp;ref_src=twsrc%5Etfw">#london</a> for <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a>. We&apos;ve got a few amazing days lined up for our contestant and we can&apos;t wait! <a href="https://t.co/Uq2r58majA">pic.twitter.com/Uq2r58majA</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1066384220417925121?ref_src=twsrc%5Etfw">November 24, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>Once all that was done, we made our way to the nearby Giant Robot market, where we were bought dinner.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/01/image-1.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"><figcaption>We were given a budget, and I&apos;d be lying if I said I spent it in a sensible way...</figcaption></figure><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/01/image-2.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"><figcaption>I&apos;m not exactly known for my healthy diet</figcaption></figure><p>Once we had finished dinner (and Scottie had picked himself up off the floor from laughing at me taking a photo of my food, an admittedly very hipster thing to do), we made our way back to the hotel. I tried to write some of this blog post, but quickly realised the futility of that effort, so I headed off to bed.</p><hr><h1 id="day-2">Day 2</h1><p>After a &quot;small&quot; breakfast, we collected in the lobby and made our way over to the venue.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/01/image-3.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"><figcaption>A nice small snack</figcaption></figure><p>It was then that we were given the full explanation of the coming events. The story was a continuation of the one from the previous year. Nancy Oregon, a senior member of the Research4U firm, had been caught working to bring down the CEO, Rex Buckingham. Nancy was now serving time for Computer Misuse Act offences with the group 29Alpha and we had been hired as security interns at Research4U. It&apos;s at this point that I need to thank <a href="https://www.rangeforce.com/home">RangeForce</a>, the technical team behind the event.
Whilst at some other events, physical infrastructure had been brought on site, RangeForce instead made use of their powerful cloud learning environment. This meant that each team had a fully simulated network, with Windows and Linux clients, an Active Directory domain, and workstations (as opposed to just servers). The actual challenge was incident response (ensuring systems remained online and secure), and so this setup was perfect.</p><p>We were given access to our workstations and a copy of the network topology, and were told to get to work. We spent a few minutes planning how we would spend our time, focusing on our areas and tools of expertise. This was a nice plan in theory, although it broke down quickly. I took the domain controllers as my initial area of focus, as I had gained quite a bit of experience auditing Windows Systems participating in <a href="https://www.cybersecuritychallenge.org.uk/competitions/cybercenturion">Cyber Centurion</a>. I took the usual basic steps before beginning to search for exploits (reset passwords, check members of the administrators group, check for users who shouldn&apos;t be part of the forest).</p><p>Throughout the day, evidence related to the overarching story was put up on both the computers and an evidence board, and members of our team made sure to make notes on the new information that was put up. To aid with this, during the day we were given the opportunity to interview Nancy, where we did a passable impression of people who weren&apos;t making their questions up on the spot.</p><figure class="kg-card kg-embed-card kg-card-hascaption"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Clues, interrogations and initiative &#x1F50E; we&#x2019;re nearly six hours into <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a> and Team Slammer are top of the leaderboard! 
<a href="https://t.co/aXlJcx8e8n">pic.twitter.com/aXlJcx8e8n</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1066728553453158405?ref_src=twsrc%5Etfw">November 25, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<figcaption>&quot;No Comment&quot;</figcaption></figure><p>We continued work on securing the systems and uncovering the story, and as we approached the end of the day we began compiling reports for both the CEO and CTO of the company. Another member of the team and I worked on these reports (with me focusing on the situation report), and we made sure to check each other&apos;s work as we went. In my opinion, this was both one of our greatest strengths and weaknesses. We ended up splitting into pairs for most of the event, and whilst this did mean that we were able to ensure productivity and accuracy, it did lead to reduced communication between the entire team. There were multiple instances where one of us would get several minutes into trying to solve an issue before discovering that someone else on the team was already working on it. We did set up a Discord server as somewhere to share links and credentials (very secure), and I&apos;d highly recommend that any other team at a CSC event do the same. I&apos;ve sometimes scoffed at teams setting up Slack or Discord groups at events, but given how well it&apos;s always worked for them, I have had to eat my words in that regard.</p><p>I unfortunately can&apos;t include the exact reports, as that would ruin similar challenges for those attempting them in the future, but I can tell you that whilst we did find ourselves copying parts between the reports, we ensured that we used non-technical language in the CEO report, and made sure that there were simple points for him to repeat to press.</p><p>We probably spent longer than we should have on these reports, not submitting them until minutes before the deadline, but it was worth it, as we got 70/100 for the technical report, and 90/100 for the situational report. These reports do highlight our coordination issue though. Whilst we did get them in, we started them far too late, and kept retracting them to add new information we had found. 
Looking back, it would have been a good idea to implement some kind of time management system like <a href="https://trello.com/">Trello</a>, and although we did initially create tokens we handed round to ensure only one person was working on a machine at once, this went out of the window almost immediately.</p><p>What the reports don&apos;t mention however, is the solution we put in to keep the page off of the site whilst we came up with a real solution. A tmux session running the below code may not seem like the best solution, but as a stop gap, it worked surprisingly well.</p><!--kg-card-begin: html--><script src="https://gist.github.com/thebeanogamer/05ce37559eb42dae43bd5f03999cecfa.js?file=Bodge1.sh"></script><!--kg-card-end: html--><p>Once we had got the reports done, we had a bit more time to work on challenges from the board, and had to prepare a presentation for the team in the USA who we would be handing investigations over to for the night. We made an effort to collect notes and prepare, but this highlighted our communication issues in a similar way to the report, although we were moving in the right direction. We divided up responsibilities into what we had done, what we felt needed doing, any actions we would recommend, and threat intelligence. Finally, once all that was done, the day was rounded out with a check-in from 29Alpha.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Phew! Day one of <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a> is done. Closing the day with an update from the highly convincing BBN news team, with special Anonymous hacker guest. Well done to everyone who&#x2019;s shown fantastic dedication to the challenge today, time to get ready to present your findings! 
&#x1F44F; <a href="https://t.co/9iYWxfQ7b0">pic.twitter.com/9iYWxfQ7b0</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1066767497486114816?ref_src=twsrc%5Etfw">November 25, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>We ate dinner before heading back into the challenge room for a whirlwind tour of cryptography. We learnt about various ciphers and heard the story of acquiring an Enigma Machine! Turns out, German border guards don&apos;t really like you trying to leave with one, but it all worked out in the end and this machine ended up in a museum in Bletchley.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/01/image-4.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"><figcaption>Up close and personal with the real thing!</figcaption></figure><p>After all that, we made our way back to the hotel and collapsed. Whilst on the first day I had the strength left to stay up for a bit and talk, I was in no state to do that after a day of incident response, and I was out like a light.</p><hr><h1 id="day-3">Day 3</h1><p>Despite being so tired, with all still to play for, I was up bright and early at 6:15. After being one of the first to get Breakfast, we headed back to Barclays. Upon arriving at Barclays, we were given a list of changes that the USA team had made, and their changes were about as helpful as our report to them (not very!). Servers were misconfigured and several previously patched vulnerabilities were now present again. We jumped onto our machines to start patching, but almost immediately hit a road block. Whenever we connected to any of the machines over SSH, we got an escape room to rival Vim. 
Whilst this was initially really annoying, once we realised what had happened, I did have to stop momentarily as I was laughing hard enough to stop me working.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="/content/images/2019/01/image-5.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"><figcaption>&quot;That&apos;s the evilest thing I can imagine&quot;</figcaption></figure><p>A quick <code>unalias -a</code> later we were back in business, but because of this quick fix, we never found the true cause, likely losing us points. We continued searching systems for issues, and whilst I won&apos;t bore you with a complete list of what we found, there was one example that I think works quite well as a cautionary tale.</p><p>One of the systems that we had to maintain was an API built in Ruby and published using nginx. We fixed the issue with the Ruby, but we couldn&apos;t get nginx to start. I spent quite a while trying to fix this before discovering that despite initially discounting nginx&apos;s error messages as they made references to places I could see there wasn&apos;t an issue, looking over them again, I noticed an issue that I&apos;d come across before. Many linters (and Python is especially guilty of this) won&apos;t actually throw an error on the line that&apos;s not been correctly ended, it&apos;ll throw it on the next line when it hits something it isn&apos;t expecting. So I&apos;m somewhat ashamed to admit I spent around an hour looking for an issue that was solved by adding a <code>;</code> to a config file...</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/01/image-6.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"></figure><p>Later in the day, we were asked to prep for a press conference. 
As with the other timed events, we probably didn&apos;t start preparing for it early enough, but by the time of the conference, a representative of our team was ready enough to present what we had found so far. Whilst many teams took the opportunity during the press conference to take a small break, our rapidly falling position on the leaderboard left us in no state to do this, and we pressed on. The press conference was concluded with the CEO being taken into custody.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/01/image-8.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"></figure><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">The plot thickens at <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a> as CEO ARRESTED mid press conference o gosh <a href="https://t.co/YXH5Kefdql">pic.twitter.com/YXH5Kefdql</a></p>&#x2014; Ed Locard (@L0C4RD) <a href="https://twitter.com/L0C4RD/status/1067035398059249664?ref_src=twsrc%5Etfw">November 26, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>Whilst we had thought that fixing nginx would represent the last of our issues with the API, boy were we wrong. The API continued going down, and whilst we did make our best efforts to fix it, it became clear that it was eating too much of our time, so we took inspiration from the first day, and implemented a stop-gap.</p><!--kg-card-begin: html--><script src="https://gist.github.com/thebeanogamer/05ce37559eb42dae43bd5f03999cecfa.js?file=Bodge2.sh"></script><!--kg-card-end: html--><p>Just as we started to get everything under control, we received word that our network was being blamed for a massive DDoS attack, and that it needed to be stopped immediately or we would be cut off. Fortunately, we had already taken steps against this by disabling UDP on our memcache server, and a few <code>iptables</code> rules later, we had the situation under control.</p><p>It was then that it started to come crashing down for 29Alpha, as more evidence began to be uncovered linking Nancy and her brother to the attacks. We had to submit one final report with all the information that we had collected from both the interview and the intel board in the corner of the room, and unlike previous reports, we didn&apos;t wait until the last minute to get this one in!</p><p>Again, I can&apos;t include the actual report here, but in the report, we recommended action for Research4U and law enforcement. We did have to be careful with the second one though, and I had to be corrected by a law student on our team, as I began to propose action that was either not appropriate or not something we were in a place to propose.</p><p>A few minutes later, we came to the end of the time we had been allocated, and were finally able to relax. This triggered the usual discussion of answers that comes at the end of any CTF, and I had a few key takeaways:</p><ul><li>Don&apos;t fight your way through <code>iptables</code> when the box has <code>ufw</code>. 
If it works, use it.</li><li>Think like a pentester. Whilst we did run <code><a href="https://github.com/rebootuser/LinEnum">linenum</a></code> on one of the boxes, we stopped looking at it once we spotted a vulnerability, and never really went back. Had we actually looked at it some more, we would have spotted the cron jobs that were causing us so much misery.</li><li>Focus on patching the root cause, as opposed to the actual vulnerability. As the RangeForce team revealed, all the vulnerabilities existed in at least two places. Patch one and the other would just bring it back. You needed to make sure you were removing all traces of the attackers on the machines, as any foothold was enough to bring the entire system down. This would also have been aided by taking better notes, although we were able to reconstruct most of our actions from memory.</li></ul><p>Once we had said our final goodbyes and thank yous to the Barclays team, we headed back over to the hotel to prep for the dinner in the evening. For reasons I don&apos;t entirely understand but thoroughly approve of, CSC reserved the hotel&apos;s ball pit for the under 18 candidates, and we made full use of it.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">A bit of ball pit fun before the dinner this evening <a href="https://twitter.com/hashtag/CyberMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CyberMC18</a> <a href="https://twitter.com/hashtag/CyberSecurity?src=hash&amp;ref_src=twsrc%5Etfw">#CyberSecurity</a> <a href="https://t.co/ZAJFWkC6bI">pic.twitter.com/ZAJFWkC6bI</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1067074620086456320?ref_src=twsrc%5Etfw">November 26, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><figure class="kg-card kg-image-card"><img src="/content/images/2019/01/image-11.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"></figure><p>I can definitely think of worse ways to catch up on the events of the past few days than partially submerged in a ball pit, but it was eventually time to prepare for the dinner. After several minutes of competitors laughing at each other as we were all clearly not used to wearing formal clothes, we began to mingle amongst the other guests. I can&apos;t talk too closely about who I actually spoke to for obvious reasons, but let&apos;s just say &quot;various people from various walks of life&quot; and leave it at that. After some business card swapping, we made our way into the hall for dinner.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/01/image-12.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"></figure><p>After polishing off the food, we were then treated to a performance from a very unique dance troop.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Here, everything&apos;s cyber <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a> <a href="https://twitter.com/hashtag/cyberdance?src=hash&amp;ref_src=twsrc%5Etfw">#cyberdance</a> <a href="https://t.co/lEutYJuOoq">pic.twitter.com/lEutYJuOoq</a></p>&#x2014; Pete (@soitspete) <a href="https://twitter.com/soitspete/status/1067157430646247444?ref_src=twsrc%5Etfw">November 26, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>The dinner was rounded out with the announcement of the winners of the competitions, the best newcomer award, and the best career changer award, along with some individual prizes. Whilst I earned a Yubikey U2F key and a year&apos;s membership to iisp, some participants managed to earn tickets to Blackhat EU and University courses. We spent some more time networking in the dinner room before making our ways out into the bar area, where I took the opportunity to catch up with some of the people that I&apos;d met throughout the experience. It wasn&apos;t long however before I spotted a massive group of CSC staff making their way over to the ball pit.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">The Challenge team did an amazing job this evening, now they are winding down in style <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a> <a href="https://twitter.com/hashtag/cyberpros?src=hash&amp;ref_src=twsrc%5Etfw">#cyberpros</a> <a href="https://twitter.com/hashtag/cybersecurity?src=hash&amp;ref_src=twsrc%5Etfw">#cybersecurity</a> <a href="https://t.co/g36pucyooi">pic.twitter.com/g36pucyooi</a></p>&#x2014; Cyber Challenge UK (@Cyberchallenge) <a href="https://twitter.com/Cyberchallenge/status/1067231276388835328?ref_src=twsrc%5Etfw">November 27, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>The rest of the evening flew past with some interesting conversations and opportunities to talk to people I would never normally be able to, but the highlight had to be watching the CSC team getting some well earned rest time, Stuart being pelted with balls and returning in kind, and a very different side to people I had only seen in a professional context. I honestly couldn&apos;t tell you what time we kept the hotel staff up until keeping an eye on us, but judging from the fact that I tweeted at 3am, it must&apos;ve been fairly late.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">I can&apos;t say thank you enough to <a href="https://twitter.com/rugbymad1865?ref_src=twsrc%5Etfw">@rugbymad1865</a>, <a href="https://twitter.com/SPCoulson?ref_src=twsrc%5Etfw">@SPCoulson</a>, and the entirety of the <a href="https://twitter.com/Cyberchallenge?ref_src=twsrc%5Etfw">@Cyberchallenge</a> and <a href="https://twitter.com/BarclaysUK?ref_src=twsrc%5Etfw">@BarclaysUK</a> team for organising <a href="https://twitter.com/hashtag/CYBERMC18?src=hash&amp;ref_src=twsrc%5Etfw">#CYBERMC18</a>! From defending systems in a realistic scenario to throwing balls at <a href="https://twitter.com/CySecCol?ref_src=twsrc%5Etfw">@CySecCol</a>, it&apos;s been an experience I&apos;ll never forget! <a href="https://t.co/FrnIXARdUr">pic.twitter.com/FrnIXARdUr</a></p>&#x2014; Daniel Milnes (@thebeanogamer) <a href="https://twitter.com/thebeanogamer/status/1067248924166098944?ref_src=twsrc%5Etfw">November 27, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>I left my hotel room with a large pile of my business cards, and I came back with a large pile of other people&apos;s cards, so I think that counts as a success?</p><h1 id="day-4">Day 4</h1><p>After the previous day&apos;s festivities, I gave up all semblance of good timekeeping, and rolled out of bed around 9:30, although unsurprisingly I was still very tired. I sauntered down to Breakfast and ate a little, before throwing my messy pile of clothes into my case and starting the long journey home.</p><figure class="kg-card kg-image-card"><img src="/content/images/2019/01/image-13.png" class="kg-image" alt="Cyber Security Challenge 2018 Masterclass" loading="lazy"></figure><p>I&apos;ve said it several times, both to their faces and online, but I really can&apos;t thank the entire challenge team enough for what they did for me and the other competitors. The Masterclass was like nothing else I&apos;d ever experienced, and will be taking pride of place on my resume. There really is nothing else like a CSC event, and I&apos;d seriously recommend anyone who is even vaguely interested have a go. What have you got to lose?</p><hr><h1 id="advice">Advice</h1><p>Whilst obviously the entire Masterclass was an amazing experience, I can&apos;t expect you to read all of that and not get anything useful, so here&apos;s some advice for anyone at a future CSC event:</p><ul><li>If someone in a white shirt comes over, explain to them what you are doing. They are assessors, and they are making individual notes on you. Whilst your technical performance is obviously very important, your soft skills are also being closely assessed, so explain what you are doing and ask for help. These people are professionals, and whilst they can&apos;t give you the exact solution to the issue you are facing, they deal with this kind of stuff on a daily basis, and can probably give you a push in the right direction.</li><li>Get coordinated. 
Every event will begin with an icebreaker, and take that opportunity to set up some infrastructure. Get a Slack or Discord group, and for longer events, set up some kind of project board system like Trello.</li><li>Bring a mouse and USB drive. It&apos;ll save you so much time. Just trust me on this one.</li><li>If you think something that isn&apos;t working should be, let someone know. There&apos;s no point sitting there trying to fix something where nothing&apos;s actually wrong.</li><li>Actually do the pre-reading. Many people will look at the size of the pre-reading and give up, but it&apos;s worth doing. Even if you don&apos;t get the whole way through each piece, it&apos;s worth doing as much as you can. The reading isn&apos;t picked at random, and is generally a pretty good indication of what you&apos;ll be doing.</li><li>Once the actual challenge is revealed to you, stop and take stock of what you have. Spend a few minutes coming up with a plan, work on what you&apos;re good at, and let the others handle what they&apos;re good at. There may be times that you feel that you&apos;re out of your depth, but you need to remember that you have a team who are there to help you, and at the end of the day, this is an event. Your behaviour is being evaluated, and being adaptable is a great skill. Even if you don&apos;t know exactly what you are doing, a willingness to try and to learn is very important.</li><li>Take notes as you go. You&apos;ll usually be asked to produce some kind of report, and there&apos;s nothing worse in the world than having to write a report entirely from memory.</li><li>Get business cards. If you have the chance, give them to someone, the worst thing they can do is bin it. If someone offers you their card, take it, but remember to actually follow up, and fairly quickly. Getting an email that says &quot;we met 6 months ago but I&apos;ve not got round to emailing you&quot; doesn&apos;t look great.</li><li>Get LinkedIn. Get it now. 
I&apos;ll be doing a blog post about doing LinkedIn properly at some point, so keep an eye out for that.</li></ul><p>Congratulations on getting to the end of that, I know it was a lot. If you have any questions, feel free to email me on <a href="mailto:daniel@daniel-milnes.uk">daniel@daniel-milnes.uk</a> or on Twitter at <a href="https://www.twitter.com/thebeanogamer">@thebeanogamer</a>.</p>]]></content:encoded></item></channel></rss>