In this blog, I want to recap the year and highlight some of the events that took place. I’m going to try and keep this in chronological order.
Over the summer, I was fortunate to secure an internship with The Chemours Company as a “Cyber Security Operations Analyst Intern.” The title is a bit convoluted; I was really just a Security Engineer intern. This internship was super meaningful to me because I got it as a current freshman / rising sophomore. I had always heard “start applying to internships during your junior/senior year,” so knowing my skills and experience were strong enough to land an internship this early on was extremely validating.
I learned a lot during my 7 months with Chemours. I was lucky to have a “hands-off” management approach, meaning no micromanaging, flexible deadlines, and a “we want you to learn” attitude. I wasn’t stuck with some do-or-die project; I was given multiple ideas and could choose which ones to implement. This gave me extreme flexibility in what I wanted to learn, because I wasn’t tied to a single task (e.g. “Create a DevOps CI pipeline”); I had multiple ideas across different facets of security. Some of the things I got to work on:
(1) Creating SIEM detection rules via KQL.
(2) Designing runbooks/playbooks to help formalize the incident response lifecycle.
(3) Analyzing malware both statically and dynamically, as well as provisioning a Cuckoo Sandbox.
(4) Performing a mini red team engagement: creating C2 payloads, performing OSINT, and preparing phishing campaigns.
(5) Performing vulnerability assessments and validating detection and response controls.
I was selected as a recipient of the RuralTechFund scholarship, which was a $1,000 grant plus two free SANS training courses and their corresponding GIAC exams. Huggggeee shoutout to RuralTechFund, btw. The first SANS/GIAC combination was required: the SEC275 course and the GFACT (GIAC Foundational Cybersecurity Technologies) certification. The curriculum includes “Linux, encryption, programming, networking, computer hardware, virtualization, Windows, servers, security concepts, and more.” To me, this course aligns with a little bit of CompTIA’s A+, Network+, and Security+, all in one.
The SEC275 course was OnDemand and had a little over 200 hours’ worth of material to watch. To be completely honest, I didn’t watch a single video; I relied instead on skimming through the provided books and jotting down notes. Because the exam format is open-book, I indexed the topics I wasn’t quite familiar with, so that if I encountered one during the exam, I had a quick way to find it. Indexing plays a huge role in all GIAC exams: time is limited, so being able to find the material quickly matters, especially when there are 5-6 different books you are allowed to use. I ended up passing the exam with a 91% and obtained my first-ever certification!
Tennessee Tech has hosted the Central Region CPTC (Collegiate Penetration Testing Competition) for the last couple of years. When I heard they were putting a team together, I was super excited to try out. The tryouts consisted of some pretty basic pentesting prompts: “Imagine you have the following Nmap scan, what do you do next?” or “What tool most likely generated this output?” I tried out and was accepted as an alternate, aka a backup: if one of the main team members wasn’t able to make it on competition day, I would take their place. I know it seems weird, like “You were just backup, not even in the competition,” but when all five members of the team were seniors and I was a sophomore, it was still exciting to sit in during the practices and learn more about methodologies. And now I’ll have a bit of experience for next year’s competition!
I’ve always been more offensive-security oriented. I never saw myself wanting to do defense because it reminds me of system administration: messing with firewalls and all that fun stuff. I decided to give it a go after a friend had forced (er, convinced) me to join the team. Similar to CPTC, I was on the “CyberForce 2.0” team. We had two teams, a ‘varsity’ and a ‘JV’ of sorts. CyberForce 1.0 had the older people who had participated in CyberForce before, and 2.0 was those new to the competition (me!). Oddly enough, two of the members on 1.0 were not able to make it to the in-person competition, so we switched places and I moved up to the main team.
Not to diss the Department of Energy or CyberForce in general, but I didn’t find this competition to really be a defensive competition. Sure, there were aspects of defense leading up to the competition, such as securing and hardening our provisioned boxes. But during the actual competition, it felt more like a CTF. There were red-team prompts every hour: “Hey, we ran an attack. Can you identify what the attack did and the steps to remediate?” But in the time between red-team prompts, there were “anomalies,” which were just CTF challenges we had to solve for points. We also had to develop a full-stack website, which was unique, to say the least. Here is the source code to our website, which had one of the highest scores and 100% uptime.
Evyn and I had to learn NodeJS and Express in a matter of about two days. Fun experience! Overall, we placed 7th nationally.
As I mentioned earlier, my RTF scholarship granted two certifications. The other one was up to me, and because of my interest in red teaming and penetration testing, I figured the GPEN (GIAC Penetration Tester) certification was the best choice. It covers a wide array of topics necessary for performing a pentest: password attacks, privilege escalation, service exploitation, OSINT, recon, reporting, and even some Active Directory attacks and persistence. This exam I actually studied for, with the SANS SEC560 course. I took it OnDemand with Tim Medin, who actually came up with the Kerberoast attack. I studied for roughly four months, on and off. As with the GFACT, indexing was a huge help when it came to exam time. I passed with an 82%!
The next cycle of summer internships starts getting posted around this time, and I was going ham on applying: curating and optimizing my resume, practicing interviews and my elevator pitch, all the things you do to prepare for the job search. I actually received a decent number of offers this time compared to last summer. This year I received offers from Molson Coors, Cisco, Oracle, and RingCentral. But it was when I got the email from Microsoft asking me to interview that I started to freak out.
Everyone in IT knows FAANG: Facebook/Meta, Apple, Amazon, Netflix, Google. Some of the highest-paying jobs among tech companies. Interestingly enough, Microsoft isn’t in FAANG, but I still consider them cream-of-the-crop when it comes to tech. I started out with a phone screening, which was essentially a behavioral interview: how do I react under pressure, how do I prefer to work on team projects, etc. I was then invited to a four-hour-long panel interview. The first two panelists did a resume walkthrough and then a “Here is a little bit about what we do.” I was feeling good thus far: no hard-hitting questions, no stress. Until the third panelist. I was given some C source code and asked to find potential security vulnerabilities in it. I’ve had a C++ class, and from CTF challenges I know the typical dangerous functions, like gets() and strcpy(), but beyond that, I wouldn’t trust myself to evaluate application source code. I did my best and found most of the vulnerabilities, but there were a few I missed, and one really dumb issue I didn’t catch. The last panelist asked about threat modeling: given a network diagram, or some application diagram, identify potential threats and then remediations. After the interview, I felt a little nervous because I really thought I blew the source code review questions. But I ended up getting the offer to join Microsoft this summer in Redmond, WA as a Security Engineer intern!
I feel like I had a pretty productive 2022, with lots of new learning experiences and career growth. I’m looking forward to the New Year, and hope 2023 is just as fruitful!