During my time at Iowa State, I engaged in a variety of cybersecurity-related experiences. My coursework gave me a quality foundation in computer engineering and software development concepts. This was necessary for the later cyber-specific coursework, which built on those concepts by showing how an attacker mindset can be used to abuse the assumptions and oversights of developers. In addition to this, Iowa State also gave me a multitude of resources to practice and refine my particular interests within the cybersecurity field. For me, this led to a few key interests. I had the chance to delve into securing and monitoring Windows systems during the CDC. I also developed a particular interest in reverse engineering when the Hacking and Cybersecurity Club (HACC) would participate in CTFs. Lastly, I was exposed to external platforms like Hack The Box and had the chance to work with fellow students to broaden my skill set.
In-Class Activities and Education:
Foundations: In my curriculum, the basics had to be covered before getting to the more interesting work. This was done using a few different courses.
- COM S 2270: Introduction to Object Oriented Programming
Because the best way to connect with a computer is often through programs, this class is paramount. While there are fields that don’t deal with programs, the majority of jobs in cybersecurity will rely on some core understanding of programming to get the job done. In addition to that, solving programming problems also leads to a better understanding of general problem solving. This class acts as a good primer for the way of thinking necessary in the field.
- COM S 2280: Introduction to Data Structures
Data structures are everywhere in computers, from the stacks used by processes to manage memory to the trees used to manage processes. This class provides the underlying knowledge to interact with them as well as introducing the world of optimizations.
- CPR E 2810: Digital Logic
While very few areas in cybersecurity deal with circuits and embedded systems at the low level this class covers, it was fundamental to how the university decided to teach computer engineering. As other classes will show, how computers work was taught from the bottom up. This class covers the basics like how computers understand numbers, text, and instructions. It also shows how the fundamental gates (AND, OR, and NOT) get used to store the aforementioned data and process instructions (further explained in CPR E 3810).
- CPR E 3080: Operating Systems: Principles and Practice
Seeing as every piece of software uses operating system APIs to run, learning the way that operating systems work provides many avenues to exploit a system. This is because an exploit at any level of the foundation will often leave the layers above exposed due to the way trust layers work. In this class, topics like process management, inter-process communication, file structures, memory structures, and privilege layers were covered. All of these have helped me while analyzing binaries and dealing with file forensics in and out of the classroom.
- CPR E 3810: Computer Organization and Assembly Language Programming
Building off of CPR E 2810, this class takes the fundamental components like an adder, barrel shifter, or register file and uses them to make a MIPS CPU. It does this by starting from the highest level (MIPS assembly) and the lowest level (building sub-components with logic gates) before working towards the middle by building out a decoder, an ALU, registers, memory, and control logic. This gives the fundamentals of any ISA to show how computers understand the instructions given to them. I use this knowledge in reverse engineering because every language needs to become assembly eventually to run on the computer. While MIPS may be different from x86/64, ARM, or RISC-V, the fundamental instructions are quite similar.
- CYB E 2300: Cyber Security Fundamentals
Moving on to cybersecurity itself, this course gives an overview of modern networks and protocols. Included in those are NAT, DNS, LDAP, mail, DHCP, and Linux basics. All of the concepts covered in this course are foundational to any red teamer and to the next course (CYB E 2310), which covers the security implementations.
- CYB E 2310: Cyber Security Concepts and Tools
Following from CYB E 2300, this course allows students to actively break into a network similar to the one from the previous course while learning the flow of a traditional pen test. The content starts with OSINT before moving to enumeration, getting a foothold, privesc, and finally exfiltration. It gives a good foundation in the attacker mindset as well as the standards and protocols to follow when engaging in a pen test.
Communication and Collaboration: In several of the classes at Iowa State, students take on large projects like the aforementioned MIPS CPU. To ensure that they can complete the projects within the semester, students form teams. When working in these teams, I had to learn how to effectively delegate tasks, split the workload into manageable chunks, and give feedback for the betterment of the project. For this, there were three notable classes:
- COM S 3090
The project for this class was focused on making an application using modern software development standards and practices. This class served as an introduction to the agile approach to development, git, and backend/frontend team structures. Because I had a year or so of industry experience using the Agile method and developing in a variety of frameworks, I took a leadership role. The team initially came up with an application idea that they were passionate about along with what flow and features they would like. After the initial, large web of ideas, I referenced the project requirements and my previous experience to scope the project down. When doing this, I made sure not to squash ideas. Instead, I set priorities for a minimum viable product, with additional wants and stretch goals as secondary and tertiary goals to hit once the minimum viable product was achieved. While this went well for most of the members, we had one member who really struggled with the concepts in the classroom. While I may have been backend, I took time to learn some of the frontend technologies to help him where he was struggling. I do regret spending as much time helping him as I did, because there were many weeks where I spent more time helping him than working on my own segment. Sadly, this still didn’t end up being enough, and the other frontend person needed to take on both roles to get any functionality out, but this was an important lesson on why a poorly performing team member can sometimes be worse than no team member at all.
- CPR E 3810
In this course, we were in a team of three where each team delegated creation and testing of subcomponents to different members. For my role in this project, I focused on decoding instructions and designing/implementing the control flow of the processor. While that was the initial plan, we had a team member who was doing poor work. This team member gave me the first component he made for testing, and, while testing it, I discovered that it was completely non-functional. Once I discovered this, I marked possible problems in the code and asked him about them. While doing this, he was unable to answer any questions about how his code worked. Because the deadline was close, I had to pick up the slack and fix the component. The lab after this, we had to assign tasks for the next part of the project. The problematic teammate was a no-show and not responding to communication, so we decided to give him a lighter, easier workload. With this, he disappeared and didn’t complete a single task he was assigned after multiple reminders, as well as not showing up to meetings or doing other work during them. Because of his behavior, I wrote a report to the TA and teacher with evidence that he hadn’t done any work for the project and should not receive our share of the grade. This is important to do because reminders and gentle communication don’t always work. Sometimes it is necessary to report to someone of higher standing.
Hacking and Cybersecurity Club (HACC):
About: The Hacking and Cybersecurity Club (formerly IASG) is a place where students can hone their cybersecurity skills and go beyond coursework into their own interests. This is done through discussion on the Discord about current events, weekly corporate and student speakers, and involvement in campus and global events like the CDC and CTFs (discussed later).
Leadership: Because I started in this club as a freshman, I got to know the cabinet quite well and took up a leadership position by my sophomore year. In this responsibility, I acted as a resource for others and pushed myself and my expertise to remain an example for other students.
- YouTube Manager (Sophomore): Recorded the talks throughout the year and posted them to the YouTube channel.
- CTF Captain: Organized events, provided resources, and supported students in learning how to participate in CTFs.
- President: Prepared speakers, events, resources, and corporate communications, as well as acting as a spokesperson for the club and for cyber on campus.
Talks: During my time at the club, I also gave a variety of presentations; more information is on my talks page.
CDCs:
About: Cyber Defense Competitions (CDCs) are held by Iowa State and give students practice with blue teaming. It does this by providing each team of students (blue teams) with a network of systems along with usability requirements for each. Students then have a month to find and fix vulnerabilities before the competition day itself. On competition day, each blue team has to submit white team documentation and green team documentation. White team docs contain all of the remediations and network architecture put up by the teams. Green team docs show how to use the systems and applications on the network for normal users. Once competition day starts, the attack phase begins and professional red teamers try to break into each team’s network. While red team tries to get in, teams have to complete anomalies to ensure that they aren’t just monitoring logs the whole time. Most anomalies are CTF-style challenges, but there are also required anomalies like hiring and firing employees that force teams to quickly modify systems and controls while being attacked. Lastly, there are periodic intrusion reports to get points back for stolen flags if the teams were able to properly assess how their flags were stolen.
General System Security: Before doing anything, it is important to check the scenario and get an inventory of minimum access and availability requirements. After that, change the passwords for both the default machine users and the services on machines like the ones used in MySQL. Finally, it’s important to check for updates available on the OS, services, and programs necessary for the competition.
Analyzing Windows: To start, Windows is a very multi-faceted platform. During the competition, there may be standard Windows Desktop and Windows Server machines, but there will always be a Windows Server Active Directory machine. This means that covering Windows requires covering both the system and the authentication system it uses. Starting with the system, I always look at files in the home directories, services, and scheduled tasks. These are the most common places to find malicious artifacts because they also need to be easy for red team to find in a couple of hours. After killing services, deleting malicious files, and deleting malicious tasks, I shift my focus to users. Running net localgroup Users and net localgroup Administrators will list the local users and local admins. This is a very common way to add backdoors, and removing or properly provisioning these users is a great way to decrease the attack surface. Finally, I enable logging, the firewall, and Defender. Because this is a CDC, these are often turned off, but all of them are essential to prevent and identify intrusions.
Analyzing Active Directory: Typically, blue team would have to add all the official users, so any pre-added users could easily be identified as malicious. Starting fall 2024, however, ISEAGE was able to deploy all the legitimate users with the rest of the systems. This adds a more interesting component to auditing pre-existing privileges and roles. To do this, I start by looking for and deleting users that aren’t in the list of users that should exist (including Guest). After that, I look at each individual user to audit a few fields: description, account options, and group membership. The description may have information like passwords. Account options hold a lot of settings that can make user authentication more insecure, like disabling Kerberos pre-auth (AS-REP roasting), using weaker Kerberos encryption, and storing the password with reversible encryption. Lastly, and most importantly, group membership should be audited to ensure that users are only in the groups they should be in. There have been several times where a normal user was Domain Admin or even Enterprise Admin. For more information, see the slides for my AD Intro presentation.
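The Active Directory audit described above, as an added example that is not part of the original page: a Python script that reviews an exported user list offline for the three fields named (description, account options, group membership). It assumes the accounts were exported beforehand from a domain controller, for instance with Get-ADUser -Filter * -Properties Description,userAccountControl,msDS-SupportedEncryptionTypes,MemberOf piped to Export-Csv, with MemberOf flattened to a semicolon-separated list of distinguished names; the column names, the sample rows, and the expected-user and approved-admin lists are all constructed for the example.

```python
import csv
import io
import re

# userAccountControl bit flags as documented for the AD attribute.
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080    # "Store password using reversible encryption"
DONT_REQ_PREAUTH = 0x400000            # "Do not require Kerberos preauthentication"

# msDS-SupportedEncryptionTypes bits; an account limited to DES/RC4 is the weak case.
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Words that suggest a credential was pasted into the description field.
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|pw|cred(ential)?s?)\b", re.IGNORECASE)

# Constructed sample export (not real accounts). MemberOf is assumed to have been
# flattened to "DN;DN;..." when the CSV was produced.
SAMPLE_EXPORT = """\
SamAccountName,Description,userAccountControl,msDS-SupportedEncryptionTypes,MemberOf
Administrator,Built-in account for administering the domain,512,0,"CN=Domain Admins,CN=Users,DC=cdc,DC=local"
jdoe,Accounting,512,24,
svc_backup,"Backup service, pw is in ticket 42",4194944,4,"CN=Domain Admins,CN=Users,DC=cdc,DC=local;CN=Backup Operators,CN=Builtin,DC=cdc,DC=local"
Guest,Built-in account for guest access,514,0,
"""
EXPECTED_USERS = {"Administrator", "jdoe", "svc_backup"}   # from the scenario's user list
APPROVED_ADMINS = {"Administrator"}                         # who may hold privileged groups


def cn_of(dn):
    """Return the CN of a distinguished name such as 'CN=Domain Admins,CN=Users,DC=...'."""
    m = re.match(r"CN=([^,]+)", dn.strip(), re.IGNORECASE)
    return m.group(1) if m else dn.strip()


def audit_users(csv_text, expected_users, approved_admins):
    """Return {SamAccountName: [findings]} for each account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        sam = row["SamAccountName"]
        notes = []
        if sam not in expected_users:
            notes.append("not on the list of users that should exist")
        if SECRET_HINT.search(row.get("Description") or ""):
            notes.append("description appears to contain a credential")
        uac = int(row.get("userAccountControl") or 0)
        if uac & DONT_REQ_PREAUTH:
            notes.append("Kerberos pre-authentication disabled")
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            notes.append("password stored with reversible encryption")
        if uac & PASSWD_NOTREQD:
            notes.append("password not required")
        enc = int(row.get("msDS-SupportedEncryptionTypes") or 0)
        if enc and not enc & (AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96):
            notes.append("only weak Kerberos encryption types enabled")
        groups = {cn_of(dn) for dn in (row.get("MemberOf") or "").split(";") if dn.strip()}
        for group in sorted(groups & PRIVILEGED_GROUPS):
            if sam not in approved_admins:
                notes.append(f"member of {group} without approval")
        if notes:
            findings[sam] = notes
    return findings


def run_sample():
    """Audit the constructed export against the constructed allow lists."""
    return audit_users(SAMPLE_EXPORT, EXPECTED_USERS, APPROVED_ADMINS)


if __name__ == "__main__":
    for sam, notes in run_sample().items():
        print(sam)
        for note in notes:
            print("  -", note)
```

A value of 0 in msDS-SupportedEncryptionTypes means the attribute is unset and the domain default applies, so the script only reports the encryption finding when the attribute is explicitly set to a DES/RC4-only mask.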
Analyzing Linux: Analyzing Linux isn’t too far off from Windows. Checking /etc/passwd for users, checking sudoers for permissions, running ps aux and netstat -tulpn to check for running programs, and checking cron for recurring tasks all have Windows counterparts. The only main difference between each is understanding the quirks that are needed to find anomalies and fix them across the different environments.
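A matching offline pass over the Linux artifacts named above, as an added example that is not part of the original page. It parses the formats those checks produce (/etc/passwd, a sudoers file, and a system crontab) and flags what a blue team would want to review: extra UID 0 accounts, unexpected accounts with a login shell, sudo grants outside the approved list, and cron jobs that run from temporary directories. The sample file contents, the expected-user list and the approved sudoers entries are all constructed for the example.

```python
# Constructed sample inputs, standing in for the real files on a CDC host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
www-data ALL=(ALL) NOPASSWD: ALL
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/.cache/update.sh
0 3 * * * backup /usr/local/bin/nightly-backup.sh
"""

EXPECTED_USERS = {"root", "alice"}             # accounts the scenario says should exist
APPROVED_SUDOERS = {"root", "%sudo"}           # entries the scenario's access list allows
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_passwd(text):
    """Flag extra UID 0 accounts and unexpected accounts that can log in."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID 0 account")
        if shell not in NOLOGIN_SHELLS and name not in EXPECTED_USERS:
            findings.append(f"{name}: unexpected account with login shell {shell}")
    return findings


def audit_sudoers(text):
    """Flag sudo grants outside the approved list, most urgently NOPASSWD ALL."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "Defaults")):
            continue
        who, spec = line.split(None, 1)
        if who in APPROVED_SUDOERS:
            continue
        if "NOPASSWD:" in spec and spec.split()[-1] == "ALL":
            findings.append(f"{who}: passwordless sudo to ALL")
        elif "NOPASSWD:" in spec:
            command = spec.split("NOPASSWD:", 1)[1].strip()
            findings.append(f"{who}: passwordless sudo for {command}")
        else:
            findings.append(f"{who}: sudo grant not on the approved list")
    return findings


def audit_crontab(text):
    """Flag system crontab entries whose command runs from a temporary directory."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # 5 time fields, user, command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        if any(d in command for d in TEMP_DIRS):
            findings.append(f"{user}: cron job runs from a temporary path: {command}")
    return findings


def run_sample():
    """Run all three audits over the constructed inputs."""
    return {
        "passwd": audit_passwd(SAMPLE_PASSWD),
        "sudoers": audit_sudoers(SAMPLE_SUDOERS),
        "crontab": audit_crontab(SAMPLE_CRONTAB),
    }


if __name__ == "__main__":
    for section, notes in run_sample().items():
        print(section)
        for note in notes:
            print("  -", note)
```

On a live host the same functions would be fed the contents of /etc/passwd, /etc/sudoers (plus /etc/sudoers.d), and /etc/crontab; per-user crontabs lack the user column, so they need the five-field form instead of the six-field parser used here.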
Analyzing Programs: While finding out what the programs in the CDC do and fixing problems is crucial to keeping the network secure, it is way too broad to fit in an analysis like this. In a broad sense, though, I often work to understand the architecture and flow of the program first. After that, I identify common pain points like session management, hardcoded credentials, vulnerable libraries, and default credentials. Finally, I use my previous experience in CDCs and CTFs to check for common vulnerabilities.
Purple Teaming: To help with the aforementioned vulnerability findings, I have found that it is also important to pen test our own network to find flaws and patch them. This can entail Nmap, Nessus, and LinPEAS/WinPEAS. Once all of the findings are collected, I can try to verify the exploit before patching and then verify the patch. Pen testing like this is a great way to find miscellaneous flaws that may exist in the systems after checking the most common locations. It also ends up being a great way to test my red teaming ability on the side.
Conclusion: After years of doing the CDC, I have developed a toolkit to secure and test systems. This toolkit has helped me in course work as well as in the professional world with enterprise systems.
CTFs:
About: Capture The Flags (CTFs) are competitions where competitors solve cybersecurity puzzles to get points. These puzzles can be in a variety of categories like web, reverse engineering, forensics, or cryptography. The goal of each of these challenges is to find a string called a flag. These flags will have a consistent format for each competition. For example, the platform Hack The Box uses the format “htb{flag_text}”.
Experience: Out of all the categories, I took a particular interest in reverse engineering. To learn more about the more interesting challenges I encountered, there are several writeups on other pages. To be able to solve these problems, I continuously engaged with competitions and asked questions. This often put me ahead of the coursework, but I still found it much easier to complete challenges after taking related classes. Getting that foundation allowed me to understand the intricacies of each exploit as well as how to apply it to the situation much better.
Dealing with the unknown: I almost never know how to solve a CTF challenge right away. This means I need to learn constantly. To do this, Google is always there to help identify anomalies. For example, I always check the service versions in web challenges first. A simple search of “[service] [version] poc” is a great way to find a simple way in where all that is needed for a foothold is a script. Other than that, sites like Hack Tricks give a useful checklist to run through depending on the environment. These tools along with my experience allow me to solve many of the challenges presented to me, and every new challenge I solve just adds to my toolbelt. To get a better look at how that works, check out my Codebreaker writeups.
Looking Forward:
To advance my career, I’m going to continue to participate in events and challenges. Keeping my mind and skills sharp is one of the most important things to me, and I always appreciate the challenge while working. Currently, I do this with weekend CTFs, HACC, and SecDSM. Weekend CTFs give me a variety of challenges from different authors. This has kept me fresh and sharp because I always need to try new things when solving the challenges presented to me. SecDSM also shows off interesting ideas during the talks that occur, but the main takeaway I get from it is meeting experts in the field and having a chance to network. I have had the chance to meet pen testers, infrastructure engineers, and many other contacts in the industry. HACC then puts me somewhere in the middle of both, where I had the chance to learn from upperclassmen and connect with them. Now, though, I am serving as a touch point for other students in the degree and teaching the future classes about what I have learned from my years of experience.