Q: What do you do when you have a room full of aspiring “hackers”, looking to take a vast amount of training and knowledge, and demonstrate their capabilities as they get ready for the real world?
A: Bug Bounties!! Duh…
Preface
As a training provider striving to more closely align education and the workforce in meaningful ways, we’re always evaluating new ways to apply skills and training to real world scenarios. Nearing completion of our very first Cyber Security Professional bootcamp, we were evaluating various options for what would make a compelling “final project” for our students to cut their teeth in a real world application.
While there are many great resources for practicing targeted tools and techniques, and reinforcing specific skills in various ways, we were looking for something that was a little more organic. We all love CTFs and other challenges, and have used many of those for other parts of our training, but we wanted the final boss to be more of a “real world” scenario, not focused on finding a single predetermined “flag”.
Requirements
What we were looking for was a lab or platform environment that would complement our core values and meet the following objectives:
- Foster A Collaborative Team Based Approach
- Encourage Analytical Thought
- Application of Prior Subject Matter
- Prepare Students for Real World
- Provide Additional Learning Opportunities
Enter HackerOne
Not too long ago, a friend of mine had gone to HackerOne, and (apart from being an avid reader of their excellent daily newsletter) I’d been following them for some time and always enjoy reading the vulnerability disclosures and am fascinated at some of the income potential for some of the true hackers on the platform. More so though, I’ve long been a fan of crowdsourcing models and the open source software ecosystem, and love the idea of people helping to make companies and their users(us) safer in collaborative and mutually-beneficial ways.
After discussing as a team, we decided that what a better way to hit our defined objectives than have students apply what they’ve learned (and more) to real world systems, networks and application infrastructure than a bug bounty program!! With the potential to showcase your skills, possibly make some scratch, but more importantly wear that notorious badge of an official bug bounty hunter….
Final Boss
Students were given the opportunity to evaluate and choose a participating company of their choosing, and being gamers themselves, naturally Valve and accompanying Steam ecosystem. Was an easy decision. This was no small task as the following were all valid avenues of attack and students would have no shortage of areas to concentrate, but a finite time in which to do so.
- A variety of TLD and sub-domains
- Native client of Windows, Linux, Mac
- Mobile clients for Android and IPhone
- Native Steam protocol
- Valve game titles
- A complete operating system in SteamOS
- A custom Steam CLI tool
- The Steam SDK
No small task indeed.
Outcome
The students put in roughly 80 hours of time over the course of a month, each exploring various areas of Steam ecosystem and infrastructure, trying new approaches hitting dead ends and even officially reporting a bug!
Unfortunately, they were informed that while they had discovered a bug, they had to provide further proof that it was an exploitable bug and were unable to take it further in the time provided.
In the end, no successful hacks were executed and Valve and its users will live to see another day.
Retrospective
All in all, while not gaining the illusive bug bounty hunter game, the students found the experience to be valuable, working together, encountering the variance that one sees in the real day to day operations of today’s modern infrastructure, while testing for vulnerabilities and identifying security measures in place, preventing a variety of attacks.
Kudos to Valve for their efforts to improve their platform through the professional ethical hacker network and to HackerOne for providing an excellent platform for students and professionals alike to come together and apply their skills outside of the standard lab environments that are usually used for cybersecurity training.
All in all we believe that the bug bounty process was a great educational tool on many fronts, and we’ll be back for more….
Moving On
We would also like to acknowledge and thank our awesome group of students who took on the challenge of not only the final bug bounty program, but attacked the entire 36-week program with passion, professionalism and determination. It was an amazing experiences and they will no doubt be an asset to any organization lucky enough to have them.
We can’t wait to see what their future holds. Look out world!
Feel free to reach out if you’re an employer looking for new recruits trained in: malware analysis, reverse engineering, Python software development, scripting and automation, network and OS configuration and hardening, penetration testing, cloud networking and infrastructure.