Preamble
I watched the following video recently and was inspired by the speaker (Mr. David Brumley, Carnegie Mellon University).
The video speaks towards the training model adopted by Carnegie Mellon’s Capture-the-Flag (CTF) team, which has won multiple DEFCON events. This is a remarkable feat, particularly given that the team must experiences some degree of turnover every year (and total turnover at least every 4).
I’m already familiar with their annual contest (which, as the lecture describes, also doubles as a screening event for University recruitment); but what really spoke to me was how their approach to codifying the education process.
All too often, I’ve found that offensive cyber security training is too coy; in other words, the material only makes sense retroactively (after the answers are already known), rather than developmental. The annual PicoCTF is remarkable both in its depth and breadth of content: in the shallow end, it not only teaches the fundamental building blocks of attacks but the act of discovering those vulnerabilities that can be attacked.
I recognize the Carnegie Mellon program as being one of the best in the world for preparing and educating its students in InfoSec and like to take a bit of time here-and-there to use its contests (which remain up year-round for anyone to use as practice - for FREE). I’ll probably look to follow-up this post with another in the future detailing my own write-up of their problem sets.
In the meantime, happy hacking!