Podcasts

Podcasts


Making CTFs count at any point in your story with Ed Skoudis

Expert penetration tester, master challenge developer and SANS Fellow shares the importance of hands-on practice and using CTFs to build skills and creativity.

Notes:
Though Ed Skoudis knew he was a tinkerer since playing with Legos during childhood, his younger self could never have envisioned the expansive career he now has. In this episode, Ed shares advice gleaned from years of creating challenges, building teams, and writing and teaching SANS courses. He and Jason discuss why CTFs are essential skill-building tools at any career level, how to overcome self-doubt and imposter syndrome, and why you should never let fear stop you from starting.
Bio:
Ed led the team that built NetWars, the low-cost, widely used cyber training and skills assessment ranges relied upon by military units and corporations with major assets at risk. His team also built CyberCity, the fully authentic urban cyber warfare simulator that was featured on the front page of the Washington Post. He was also the expert called in by the White House to test the security viability of the Trusted Internet Connection (TIC) that now protects US Government networks and lead the team that first publicly demonstrated significant security flaws in virtual machine technology. He has a rare capability of translating advanced technical knowledge into easy-to-master guidance as the popularity of his step-by-step Counter Hack books testifies. Ed earned an M.S. in Information Networking from Carnegie Mellon University, and his B.S. in Electrical Engineering from the University of Michigan, summa cum laude.
Return to Episode List
Recommendations based on this episode:
Transcript:

Jason Nickola

This is "Trust Me, I'm Certified" brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome.

Jason Nickola

Welcome back to "Trust Me, I'm Certified." I'm your host, Jason Nickola. And on this week's episode, we have a very special guest Ed Skoudis. As the original author of both SANS SEC504 and SEC560, he's educated thousands of GCIH and GPEN holders in those classrooms over the last 20 years. In addition to being a SANS Fellow, he's also the founder at Counter Hack and has entertained a generation of CTF-ers with the NetWars, Cyber City and Holiday Hack challenge projects. Not only is he one of the most accomplished and capable people we have in infosec, but he's also what I consider to be an expert at identifying talent and cultivating them into functional teams. He's had some really incredible people work for him both now and in the past. He's also a world class storyteller, which is a real superpower in matching the vast experience he has to share with the ability to make it land and stick with people from broad and varied backgrounds. I think all of this comes across really well in this conversation, thanks mostly to Ed and his many talents. But I couldn't be more excited to bring you this episode with Ed Skoudis. Please enjoy.

Jason Nickola

Ed, thank you so much for joining us on the show.

Ed Skoudis

Oh, it's pleasure to be here. Thank you, Jason.

Jason Nickola

So I've taught with you enough and heard you teach enough that I feel like I know little Eddie Skoudis.

Ed Skoudis

Yes, my 10-year-old self.

Jason Nickola

Right. But in reality, what were you like as a kid? And do you see any of the roots of what you've actually become and spend your life doing in what you were like as a kid?

Ed Skoudis

Oh, most definitely. For those of you that aren't familiar with my class at SANS, I do talk about 10 year old me there, and just how if I could go back in time and talk to 10 year old me and tell him what I have the wonderful fortune to do for a living today, it would have blown 10-year-old Eddie Skoudis's mind that I get to do penetration testing and hacking professionally and that that's a job. But when I was a kid, Jason, I was a tinkerer. I would love to build things - Legos, I'd have an electronics kit, I'd have a chemistry set, I would also tear things apart. There'd be an old television or radio and I would start to unsolder it and pull it apart. I pulled apart so many more things than I put together. I was much more destructive than constructive. But I love doing that and just very, you know, physical with my hands on the devices and seeing how they work and understanding. That's what I did.

Jason Nickola

Do you think that you just naturally inclined toward that or was there someone who enabled it for you or someone that kind of provided a model in terms of that curiosity and your ability to interact with the world?

Ed Skoudis

My grandmother really supported me as a young child in in building things. She would always make sure I had - and I'm talking three, four or five years old, I'd always have blocks that I could build things with and knock things down. And she made sure I always had craft supplies and she would encourage me just to make things and really she was so affirming and supportive of that. I called her Nana. So that was my Nana, and she in so many ways made me the man that I am today through those very early learning things. You know, I didn't start soldering until I was maybe 12 or something like that, and usually it was desoldering. But so it was kind of a gradual transition. I remember I was in second grade. So how old is second grade - seven years old, something like that, eight. I was trying to build a model airplane that could fly. And I was trying to turn a Comet cleanser can into the body of airplane and I had this grand strategy for how it was going to work. The thick of it is, it could never get enough actual thrust from a propeller to take off. It was a bad idea. But I had so much fun working on this thing and trying to make it happen. So a lot of tinkering and such as a kid.

Jason Nickola

And that's kind of a funny story. But if you dig into it a little bit, I think that a lot of people struggle with the concept of, well, you can't do this, or this probably won't work, if you pursue it in that way. And if you look at a lot of the things you've been able to do in your life since, it seems like you don't necessarily have that filter: Ed, this isn't going to work, you're not going to be able to build that people won't do that. I think a lot of people stop at that point.

Ed Skoudis

You know, it's interesting, you bring that up, I do have that same feeling that other people have, it's like, I can't possibly do that. It's just too complex. It's too hard. And that causes paralysis. You just don't want to do things. So what I do is I think that same thought, and then I kick myself in the butt and say, well, you might as well try. And most things - not all - most things end up being easier than I think they're going to be. But many things end up being a lot harder. It's completely unpredictable when you start. The point there is don't let that fear stop you from starting. Just start. And you might find out it's easier than you think. And you might find out it's a lot harder than you think. When I did all my office automation and such, when I first started, some of it just came so easily. And then I tried to do more and more complex things, and it got harder and harder and harder. But that's growth and that's development. So, you just got to kick yourself in the butt and say, well, I'm gonna try it, and you might fail. And you know what? That's okay.

Jason Nickola

Very well said. When would you say that technology and computing kind of came into the picture for you? You said you started soldering and desoldering in your early teens, but what about computers?

Ed Skoudis

Yeah, computers. I got my first computer in I think it was - let me say by age rather than the year, so 14 years old, and it was a Commodore VIC-20. I think you have a Commodore past, don't you? Have you and I spoken about early computers? I know we have, but I think I mentioned to you, I was a Commodore VIC-20 guy, William Shatner had his ad on TV and I saw that I'm like, whoa, the future's here, I gotta get one. So I saved and saved and saved and saved. And at Kmart, a VIC-20 cost $199. I saved as much as I could. I managed to save 100 bucks. And there was a Texas Instruments Sinclair computer, they called it. It was 99 bucks. It was not a very good computer, membrane keyboard, just really, really primitive but it was only 99 bucks. So my dad took me to Kmart, and I was about ready to buy the Timex computer. And my dad says what about this one? Because he saw the actual keyboard on it, and I said, oh, that's a nice one. VIC-20. But that's 200 bucks. And my dad said, tell you what kid, I'll sponsor the extra hundred bucks. So my dad did that. And then I bought a Commodore 64 after that, and then that kind of started my whole interest in software. But I never lost an interest in a little bit of hardware stuff. But it was really the VIC-20 and age 14 and up. And I never really looked back, I ended up doing a lot of stuff with computers. Then I went and got my degree in electrical engineering. And then I got a master's degree in information networking, got on the internet and stuff during that time, and really never looked back.

Jason Nickola

What would you say made you think about technology as a career as opposed to other areas of engineering with your background and interest in tinkering?

Ed Skoudis

Well, I'll tell you when I was in college, I was planning on being an aerospace engineer. That's what I wanted to be. I love flight. I love space. I love the space shuttle. That stuff all seems so cool to me. I was planning on getting that. Remember I wanted to build that airplane when I was in second grade? So I wanted to design aircraft and spaceships. And it was sophomore year in college. And I went to my college counselor, her name was Barbara Toma, I don't know where she is today. But I said to her, I want to become an aerospace engineer. And she said, no, you don't. I said, what do you mean? She's like, the Cold War is ending and there are going to be very few jobs in that space. But computers are exploding. But I don't recommend you get a degree in computer science, because you like to tinker, so I would become an electrical engineer with an emphasis on computer architecture. And that's what I did. And she was right. I mean, that woman - I owe so much to her. I wonder how she's doing these days. So I was actually going to go a different route. And I'm really glad that I went with the technology route, specifically electrical engineering and computer architecture. Now, one thing I really emphasize when I talk to my friends and my students and stuff like that, you do not need a degree in electrical engineering or computer science or computer architecture to do the stuff that we do as professionals. And I'm kind of emphatic on that. Degrees are nice, they're really cool. But you can do amazing work without getting a bachelor's or master's or a PhD in this kind of stuff. In fact, sometimes my team, I have 10 people on my team, they tease me because I never asked them where they went to school or what degree they got, because honestly, I don't care. I don't. Certifications are interesting to me because they're more recent than when they went to school and they're very applied to specific domains. So that is interesting to me, but the degree you got years ago, from a place I might not have ever heard of, I'm not even going to ask you, or even if it is a big brand name place and you got your master's degree, eh, it's okay. Although I will tell you, you know, SANS.edu, the SANS Technology Institute, that's saying something. I know I'm biased and such, but I see what goes into that program. But I really don't even ask my team that.

Jason Nickola

As long as it's not Ohio State, right?

Ed Skoudis

There you go. I did go to University of Michigan. There's also Michigan State, right? I always point out my wife went to Michigan State, I say, but I still love her. I still do love her just not quite as much.

Jason Nickola

So how do you do it then? A degree path is certainly an applicable one. But if you're not going to get a degree, how do you do it?

Ed Skoudis

Yeah. Practice, practice, practice. Hands on keyboard practice. And one of the things I love is capture the flag events and there's so many of them that are available, so many that are available online for free and you can develop yourself skills with them, have some fun, meet some friends. I'm really big into that. And in fact, so big into it, 10 years ago, I had been playing capture the flags for about a decade and I thought, I think there's a business model here where we can make some of the best capture the flag events in the world. But standing that on its own is very hard business to make. So I thought, can we build these things for SANS? And that's when we created the very first NetWars. It was actually 10 years ago this week that we started Counter Hack to build the best cyber ranges and CTFs in the world for SANS and that's what became the NetWars series. And we're offering a series of free NetWars events now, we call them Mini NetWars. And people seem to really like those. So anyway, CTFs, that's what I would recommend. And there's plenty of them available. SANS offers some, they're called Mini NetWars, SANS also offers some that we're calling SANS community CTFs, but there's a bunch of others available from a lot of different places.

Jason Nickola

Yeah, and one of the things that I really like about your story in your path is - I don't know if this was a conscious decision, but you can still find your old website, Counterhack.net. And what I love about it is, many people in the industry know about NetWars now. Many people in the industry know about Holiday Hack challenge now. But I love that I can show people Counterhack.net and say, look at the challenges that this guy developed just because he thought they were interesting things that he wanted to do with his friends. These are the seeds. This is where this stuff came from. So yeah, I like to say find what is interesting to you, what you want to learn about and go off and build something that other people can use and you have no idea when you start that where it's going to end up. Just look at what Ed did.

Ed Skoudis

Oh, that's really kind of you. I really appreciate that and all that stuff over at Counterhack.net, those challenges were back in 2002, 2003, up to maybe 2005, so we're talking 15 to 18 years ago. There's pictures of me with hair there which I'm sure gives everybody a chuckle. They'll find that point to me like it's the biggest joke or maybe my hair now is the biggest joke or lack of hair.

Jason Nickola

I think it looks great, Ed.

Ed Skoudis

Thank you, buddy. You too, man, you too. You make that look work. So it's kind of a cobweb, right, it's an archive, I don't update Counterhack.net. Why? Because Counterhack.com is where our action is going these days and our focus on SANS and cyber ranges and NetWars. So we still try to do a lot of stuff for the community: Holiday Hack challenge, Mini NetWars. I mean, it's one thing I learned long ago from my friends at SANS and the senior leadership of SANS is you need to support the community, and SANS has all the great posters, and all of the academies there to support the community. And then SANS has us do Holiday Hack challenge and Mini NetWars and such, just so that they're giving back to the community. And I want to make sure that for my career and job always giving back, and you mentioned telling people to build stuff. And I'm totally with you on that and having them release it publicly, for free so that people can see and learn. Even just writing a blog where you figure out, it doesn't have to be rocket science. It's just you figured out a way to solve a problem. Post that and somebody else might benefit from it.

Jason Nickola

Yeah. So I'm glad that you brought that up, because that's a little bit scary even for people who are in front of crowds often or on video often and produce lots of content. There's still some fear there for a lot of people, especially in getting started. So you're very well known, very accomplished and very polished now. Was there a path for you to get there? Was there a bit of a struggle? Or is it something that you've always kind of gravitated toward?

Ed Skoudis

Yeah, I mean, there's this concept of imposter syndrome and such. And we all feel it - even now, I feel it. But my path, so I remember when I was in college, I took a class on public speaking, and I was terrified. But I got up in front of the audience and did a presentation that was sort of a culminating thing of this class. And I did a presentation. And to my shock, it went really, really well. I was so happy, really excited. People were mesmerized. They were looking at me and I couldn't believe it. And so I sat down, they clapped at the end. And as soon as I sat down, I realized that my fly was open the entire presentation. Alright, so lesson learned on that. Then I went to work for the phone company. I was at Bell Corp. And they gave us another class on doing public presentations. And I learned a lot. The lady there was named Nita Greenberg and she was incredible, how she taught us to present and teach and this and that. But I did a sample presentation for her. And she said at the end of it - I thought I nailed it. I was really happy with the way it came out. And she said, oh, that was terrible. And I'm like what? She said it was too polished, you come across as inauthentic because it's too polished. You need to sometimes look up and think like you're trying to think about what you're going to say next. I'm doing it right now, you can't see because we're not on camera. Even though you know exactly what you're gonna say next, you need to make it seem more authentic and more like back and forth and kind of engage with the audience and she was 100% right. Alan Paller from SANS always says that a really good presentation is a dialogue with the audience. Maybe only one of you is speaking, you know, the speaker, right? But there's a dialogue, there's a back and forth with the audience, and you want to make sure you try to achieve that. So I learned that from Alan, and Nita Greenberg helped me learn that too. I also remember the very first conference call I was on. I was at working at Bell Corp. And it was me and there were probably 12 or 13 other people on this conference call with me. And I remember I was new; I was a kid right out of college. And there was this discussion going around the table about something we were going to implement on top of the SS7 network, signaling system seven. And we're talking about whether we should put TCP or UDP on top of SS7. And I remember saying, hey, isn't it funny that UDP - this is something I had learned in college and I thought I learned it right - UDP stands for unreliable damn protocol. Of course, it's User Datagram Protocol, but I really thought it was unreliable damn protocol. And I said that on the conference call. And I heard some other voice on the call. I don't know who among the other members this was said, who let him in here? And that kind of shattered me and made me feel much more intimidated and imposter syndrome. I mean, that kind of underscores it. So I had to get out of that. And practice, practice, practice really goes a long way. And realizing also that everyone feels imposter syndrome. Everyone does. And you just kind of got to overcome it by pushing yourself just do it. That's just what you got to do. And it's a good thing. It's okay. And even if you fail, you know, I did say unreliable damn protocol, and they said, who let him in here. That's okay. That happens. It happened to me.

Jason Nickola

But you made it and you came out of the other side okay. It wasn't a death sentence, right?

Ed Skoudis

Yep. It's just persistence. I remember when I was working at the phone company, I did an interview with Network World Magazine. And they misquoted me, saying that I said a certain vendor product was not very good. And we're not supposed to at the phone company talk about which vendor products are good or bad back in the day, right? I got in big trouble for being misquoted, and I said, it's a misquote. They said, well, you can't be doing that. And then they told me I just couldn't do interviews, because it was just too dangerous if I'm going to be misquoted. So for about a year or two, I didn't do any more interviews, and then I just started doing it again. And thankfully, that was a one-time experience so far. I have been misquoted other times, but never in a way that actually got me in trouble. And I'm also I'm very careful and I try to be very clear when talking with the press, because oftentimes, some of them are just incredibly smart. Others are not very technical, and you need to convey your ideas at the level that they can re-convey them. So I've learned that too, that's been very helpful. But my point is, I've had some miscues and misfires throughout my career in public speaking and in talking on conference calls and such and it's okay, you'll get past them.

Jason Nickola

Right. So shifting gears a little bit. You have been able to attract an impressive team at Counter Hack not just today, but you've historically.

Ed Skoudis

Yeah. Thank you for that. It's true. I agree.

Jason Nickola

I certainly think so. Yeah. And some names that people might recognize, like Tim Medin, Josh Wright, Jeff McJunkin, Chris Elgee, who we've had on the show. And lots of people that are more behind the scenes like Tom Hessman. They're just all quality people and great at their jobs. What is the secret sauce for that? How have you been able to consistently attract such an impressive team?

Ed Skoudis

That's really cool of you to say. Well, first of all, we have a rule. I only hire people that are smarter than me, which sounds good - the point is, it's a pretty low bar. So it's not that hard to be smarter than me. But on my team, we're not focused on growth. We're not focused on growth for growth's sake or growth overall. Our focus on my team at Counter Hack is to do really, really high quality work with people we love, to help people build their skills, through things like NetWars and such that we built for the SANS Institute, to help thousands and thousands of people around the world build their skills. So there's that vision, that mission that we have. And because we're not focused on growth, we're very careful with bringing in a new hire. It's almost always somebody we know and have seen in the community for a year or more. Ron Bowes is another person on my team. You've heard me mentioned Ron before. Ron took my 560 class from me and during class, he said, I want to work for you someday. And I said, okay, that'd be nice. And lo and behold, 10 years later, he started working for me. And it was 10 years and he went through a series of other companies that he worked at and built his skills and such and then finally, when the time was right, he came over and now he's been on my team for probably two and a half, three years, and he's just wonderful. So that's kind of the unique thing about my team is others because of financial pressures and things like that they need to grow, they have to grow, right? And that's a lot harder, and also some of my friends who have companies they are trying to grow, and trying to build out a bigger team of, say, 50, or 100, or even more individuals. And I think your own organization, you guys are not super focused on growth. And that allows you to be more careful and choose just the right person. So another thing - we're super focused on culture, and trying to have this sort of fun, whimsical culture of people that really like each other, support each other, that are kind, and we do fun, silly, weird things together, that helps underscore that culture. I spend a lot of time thinking about that and purposely cultivating a culture. It's something that we did a lot back at InGuardians. I'm one of the original founders of InGuardians. I'm no longer on their team, but I wish them well, I think the world of them, I love those guys. It's just I wanted to focus more on challenges and supporting SANS with NetWars and things like that. They wanted to focus more on growing their company. More power to them, that's totally cool. But I learned with the guys at InGuardians like Mike Poor and Jay Beale and Jimmy Alderson and such, I learned the importance of having a nice culture for getting the best work out of people.

Jason Nickola

In terms of technical skills, and actually maybe not even technical skills, but more the intangibles that enable someone to be great at this job. What are some of the things that you look for in terms of their ability to take in new information and kind of follow their curiosity and adapt their skills? What are the things that you need the people on your team to have from that perspective?

Ed Skoudis

Yes. Oh, that's so good. I do look for them to be inquisitive. I want them to ask me questions about the company. If I'm interviewing them, and they're not asking me questions I worry about are they right for this, you know? So them asking some really good questions. And for your audience here, if you're going in for an interview, you better show up with some really interesting and good questions. Not questions that are gotcha or anything like that. But instead questions that show that you are a thoughtful person, you're very interested, and that kind of stuff. So I look for their inquisitiveness, I look for examples of their creativity because a lot of what we do is very creative. We have to build things, we have to build things in an innovative way, and we want to make them fun and whimsical. So I look for that kind of stuff in their background. And even in just the way they seem to think. Do they come up with really interesting analogies and illustrations and stories? I'm looking for storytellers. In some ways, what we do at Counter Hack for SANS is we're storytellers through technology in helping people build their skills, but that's kind of our special sauce that we do different from most other organizations. So I'm looking for that, the storytelling thing. And then the other thing is, I'm really looking for - I know this might sound kind of weird, but I'm looking for kind of a foundation of kindness and goodwill. Because that is long lasting. And all of this is based on we only talk to people who are technically really, really solid. If you're not technically solid, we're not even talking to you. But on top of that, I'm looking for that goodwill, inquisitiveness, and creativity.

Jason Nickola

So when you look back at some of the things you've been able to do in your career so far, we chatted with Chris Sanders recently. One of the things that he said is he likes technology and he likes security, but he's discovered that security specifically isn't what he is actually extremely passionate about and it is enabling others in the learning process that he looked back and discovered that he's actually really passionate about. When you look back, how would you characterize what it is that that makes you do what you do? And what would you say you're passionate about?

Ed Skoudis

It is pretty much what Chris said. I really want to help people build their skills, so they can make the world a safer place. That's what my whole team is focused on at Counter Hack. That's a big part of what SANS and GIAC do and working together in that sort of family environment. And then the extended family across all of the different parts of SANS. So it's helping people do their jobs better, helping people improve their lives, and most of all, making the world a safer place. That's what it's all about. I was once asked by Alan Paller, this was maybe three or four years ago. He said, in everything you've done in your career, what are you most proud of? And I said, well, look, I don't want to sound like I'm bragging or anything, but he's like, no, no, tell me. And I said, Well, honestly, the creation of 504. That's SANS Security 504 for those of you that don't know; the GIAC cert associated with it is GCIH. And Alan said, oh, why? And I said, because I think of everything that I've been involved with, that I've been fortunate enough to work on and be asked to help with, 504 has helped more people in more ways than anything else I've ever built and may ever build. I mean, yes, I'm proud of NetWars and 560 and Holiday Hack challenge and all that, but I think just for number of people and amount of help it gave them - I'm not trying to brag, please don't think this is my ego talking. It's actually me talking out of humility. I can't believe I was given - I'm tearing up right now - I was given the opportunity to be able to create something that helps people like that. And again, I am sorry, if this sounds like an ego thing.

Jason Nickola

No, it doesn't at all.

Ed Skoudis

I just am so thankful. And then I was able to transition it to John Strand who took it to the next level. And now it's transitioned to Josh Wright who is doing amazing things with it and I'm so proud of them and all that they were able to do with it. So yeah, it's to help people. It's a long-winded way of saying, I agree completely with Chris Sanders

Jason Nickola

He's a good person to agree with. What is coming up for you?

Ed Skoudis

Oh, well, we are continuing to work on Mini NetWars. So my team is building those and we cracked an interesting thing with Mini NetWars. The reason we came up with mini networks was I got a call from Eric Bassel, who runs SANS. And it was at the start of this whole COVID corona crisis thing, and he said, Ed, come up with something fun that helps people when they're under lockdown and quarantine so they can just do something fun on a regular basis. And instantly it hit me - we'll do Mini NetWars. To build a normal NetWars takes about a year and requires a lot of my team members, like four or five or six people working on it over a year, and there's no way we can put out that kind of content at that level of depth and breadth really quickly and with quality. But I thought what if we did something about a 10th of the size of NetWars, and we'll call it Mini NetWars. So we're telling you, this is small, it's 1/10th the size of NetWars, but we can crank these suckers out in 10 weeks, and people seem to love them. Now we did get one person write in, gee, that was a lot smaller than NetWars. Dude, the frickin name is Mini NetWars, okay? It's about a 10th the size of NetWars. You may very well finish it. We'll give you nine hours or maybe 18 hours to do it. And if you're really, really good, you might finish it in three hours. But there you go; I hope you had a great adventure finishing it in three hours and actually learned some really cool new stuff. So now we're looking at Mini NetWars as essentially a platform that we can write small scale something that will take maybe a normal person, nine or 18 hours to do. And a genius might take them two or three hours, but they'll have had fun doing it, they'll have learned something. So we're looking at extending this and doing Mini NetWars in different ways. Maybe even Mini NetWars for different verticals. We have so many healthcare institutions that say, can you build a NetWars just for healthcare? And the answer is, I'd love to do that. The problem is it's going to tie up my whole team for a year and only help healthcare people. But I can now say, look, I can do something for healthcare, and it takes 10 weeks. Much more affordable, right? So the whole thing works better - or financial services. We haven't started these yet, but we're talking about doing Mini NetWars that are focused on specific verticals. So that's really helped open our eyes to that. So that's one new thing that's come down the pike recently, the Mini NetWars and then vertical specific Mini NetWars. We are also working on our new big NetWars release, which will be NetWars Core Tournament Seven.

Jason Nickola

Oh boy.

Ed Skoudis

I assume you'll be teaching that, TA-ing that for us, right? Hint hint?

Jason Nickola

I'd love to, yeah.

Ed Skoudis

Yep. So that's coming. I can't give you a date. We actually built about 70% of it by March of 2020. And we were supposed to finish it by July of 2020. But then COVID hit. And Eric Bassel asked us to do something fun for the community. So my team put it on mothballs. We just stopped development of Core Tournament Seven, because we're focused on Mini NetWars. And just last week, I said to my team, look, we're rolling on Mini NetWars, they're coming out. We're doing great with those. I would like to start finishing Tournament Seven. So the team is working on it, I have not given them a date yet on when I want it done. Because I want them to get their arms around it. I mean, we put it on the shelf for four months or something like that. So I want to give them a week or two to kind of see where they are. We have a new storyline that we just came up with and it is such a cool storyline. Wait till you see it, Jason, you're gonna love it. It's hilarious. And several people on my team have said it's probably the best storyline we've ever had for a NetWars tournament. And there's a supervillain at the end of it. It's got some of the whimsy that you might see in a Holiday Hack. So yeah, Tournament Seven is another big thing that we're working on. And I'm sure everybody, well, many people who are listening here are saying will it be out at this time or that time or that time, and the answer is I don't know. Because looking forward, we've got a couple big things that we have to finish by the end of this year. One is Holiday Hack challenge. People want that. And we want to give it to them. 15,000 people play. And then the other is I would like to make some good progress on Tournament Seven, but I cannot commit to that being done by the end of the year because Holiday Hack has to be done. Santa Claus has this fetish with December 25. So we gotta get that done before Santa does his thing. So I'm not sure on the scheduling of tournament seven, but those big things, Mini NetWars, which are small things, but they're a big concept, Tournament Seven, which is a big thing, and a cool fun concept, and then Holiday Hack, and that's the rest of my year.

Jason Nickola

That's a lot. There's a lot going on. And having worked with some of the students for the Mini NetWars events, I know that the feedback has been that it's served a real need and that the numbers have been pretty incredible in terms of the people who are participating. So just thanks, from somebody in the community, thank you for doing that. Because people have needed the distraction not only, but also the ability to work on your skills and get something out of it as the economy and job markets have all been affected by what's going on with COVID. So, thanks to you and the team for doing that.

Ed Skoudis

That means a lot to me, thank you. And let me tell you, this actually in an interesting way dovetails into something we talked about earlier. And that is sometimes you fail, but you learn from your failures and make something better. I had this amazing idea, at least I thought it was amazing. And I was so excited about it. It was maybe five years ago. And the idea was what we called a one-hour CTF. And the idea was, it would be a CTF that would take place in an hour. And it was small, just inherently small bite-sized CTF and you capture the flags and be done. And we built an infrastructure for it and we ran two of them and they didn't go very well, and they didn't scale very well. Well, the stability wasn't all that good and we learned, and it occurs to me now Mini NetWars is what one-hour CTF was supposed to be, but 1000 times better, because it's got enough NetWars in it and all that high-quality infrastructure that the team built for that. Plus it's small scale. Now, it's much more than one hour. Like I said, if you're a genius, it might take you two or three hours. Or if you're an average person, it might take 10 hours or something like that. But we had to fail at one-hour CTF before we could succeed with Mini NetWars. And that one thing that both of them had in common though is you don't bring tools. One-hour CTF and Mini NetWars, everything happens inside your browser. So the tool that you need to bring is a browser, nothing more. If you need to sniff, there's going to be tshark in a terminal window or something like that. If you need to do IDS, you'll find Snort popping up here or there and all the stuff is kind of built in and the beauty is you access it all from within the browser. So we learn from the failure of one-hour CTF so that Mini NetWars could be so much more successful. One-hour CTF, we'd run it for 400 people, and it would fall over. Mini NetWars we're running for 1200 people and knock on wood, it's been really solid.

Jason Nickola

And the ability for things to run in your browser and not have to bring tools or setup with you is a big part of accessibility, I think, varying skill sets, and even age ranges to be able to play and participate. Is that something that you and the team have tried to build into the NetWars and Mini NetWars experience to make it accessible to different levels?

Ed Skoudis

Yes. Oh, definitely. That's one of the things that we do with the whole NetWars experience is to try to appeal across the areas of expertise. So if you're brand new, you're going to get some stuff, and you'll capture some flags, right. If you're like a super expert, you're going to learn some new things and you're gonna say wow, how cool is that? So we do try to do that. Now, not all SANS Ranges, and not all SANS CTFs do that. There's this - I mentioned the SANS community CTF. And there's a whole family of CTFs, they're created by James Lyne and his team. They are unlike NetWars in that they are for a specific skill level, they have one range they call Jupiter Rockets. And it is a pen test, you're doing a pen test of a rocket company called Jupiter Rockets. And you're hacking into the different systems. It is intermediate to advanced out of the gate and it doesn't pretend to be simple or easy. Yes, there's a hit system in it, which is cool. But so you're going to see NetWars, at least the current plan is to have it available to all skill levels and everybody benefit and learn from it. Whereas you're going to see some additional offerings from SANS, some commercial, some free, that are targeted to specific skill levels.

Jason Nickola

Well, Ed, this has been an awesome conversation, and I really appreciate you making time for us.

Ed Skoudis

It's been so fun. Thank you, Jason. What great questions. You really asked great questions.

Jason Nickola

Thanks, appreciate it.

Jason Nickola

That was Ed Skoudis. We can't thank him enough for taking the time out of his busy schedule with all the community NetWars events he and the Counter Hack team have been producing lately. And thanks to you for joining us for another episode. We'll be back in two weeks with the next one. So please be sure to subscribe at giac.org/podcasts, Apple podcasts, Spotify, or wherever else you like to listen. Thanks again and we will see you next time.

Receive GIAC Podcasts Alerts