INSIDE THE

NEWS + ADVICE

What Do CTFs Have to Do with Getting A Job

Posted by Kathleen Smith

BSides San Antonio Capture the Flag

At DerbyCon, a panel discussion focused on competitions and how they can support your career growth. The panelists were:

Kathryn Seymour, a Red Team Analyst at Bank of America. “I’ve spoken at multiple conferences, but most of my help as a volunteer involves things that happen at my company, working with candidates. I work a lot with college students and high school students, introducing them to this field and mentoring many of them. I encourage them to stay in contact with me and I also keep in contact with a lot of different people at conferences. I help put people in touch. So I’m more of a behind-the-scenes type of person when it comes to volunteering.”

Kirsten Renner, Director of Recruiting at Novetta. “I’ve been recruiting since 2000, which is a long time. I’ve been in InfoSec for about 10 years, specifically in the InfoSec conference community since 2010. My volunteerism started with workshops, mentoring, and helping people write resumes and learn how to interview. I’m mostly known for my contributions to the Def Con Car Hacking Village and getting it started five years ago.”

Kat, tell us how you got your job through a competition

I started off in security as a triage manager. I managed a large call for a security incident and I was able to connect with somebody who was in the information security field. They saw my passion and love for this and they said, “You can work for me.” I said that I have no experience. That’s the history of my life—I have no experience. It’s always the number one answer that I have in my interviews, and he said, “It doesn’t matter. You have a passion. I can teach you all the skills.” That set my whole expectation for working in security. I thought, if I can demonstrate how much I love this stuff, I will be given opportunities. And so I started hunting. I was a blue team member and in order to get better at my hunting job, I started to participate in Capture the Flags.

Our company offers an internal Capture the Flag (CTF) competition. And I said, “I want to learn more about how attackers work, so that I can better understand how to find them.” So I started to play in their CTF, and I didn’t know what I was doing. So I reached out to people I had never met before — the big scary red team — and I said, “Can you teach me some of this stuff? Can I learn from you?” After the competitions were over, I’d go over the flags with them and this accomplished two things: It helped me develop my skill set, but it also helped me build relationships with the people that I someday wanted to work with.

After 18 months from my first CTF, I was offered a job on the red team. Every time there was a CTF, my poor family would sacrifice me for an entire month, four times a year. They knew that when CTF came around, that was it for mom—there was only CTF and work. The time that I put into it showed the manager who was putting on the CTF my dedication and my ability to learn. I was actually offered the job when I started beating the rest of the red team.

It was a great way for me to demonstrate my skill set and as my career went on, I found that I was able to gather information that I needed. When you play CTF, especially in a team competition sort of way, great things happen. You’re exposed to people who have different skill sets. We have a forensic person, a malware analyst, and red teamers who each have their own expertise. When you’re playing together to solve a problem, you get to work through it and see how other people work through it too. So you build the relationships, gain a lot of skills, and you have a lot of fun doing it.

Kat, should you share your CTF involvement with employers or recruiters

Yes. In my case, even if you’re not currently interviewing, you can still demonstrate the value of what you’re doing to your employer. After each competition, I would take what I learned and I would write it up. I would present it to my manager, as a way to show him the value he was getting out of it. I tell the folks that I work with, when you’re talking about what you do, find a way to format a question at the end that opens up a door for you to describe some of the skills that you learned. Or if you’re asked a question that you don’t know the answer to, answer in a way that allows you to say, “Well, I was working on this CTF competition with these other teammates and I was able to learn something similar.” You have to be careful with that though. I just learned recently when witnessing an interview that there is actually too much of that sometimes. So be careful not to fill every question with, “I don’t know the answer, but here are 15 other things that show what I know.”

Kirsten, if someone shares that they were part of a CTF, is it important that they win

I love that question because I would actually prefer to hear about what you failed at or what you lost at, because you learned a lot more that day. So if you ever competed, make sure that it’s on your resume. As a recruiter I’m going to have resume fatigue. I go through many resumes, but you’re showing me that you took the time to be part of a competition and you’re obviously a team player. I know right off the bat that this person knows how to collaborate. They know how to be a part of a team and they don’t try to do it all themselves, especially if they’ve done more than one competition.

There are two different types of workers. There’s the one that clocks in at clock in time and then clocks out, and that’s okay because that’s all you’re required to do. There is also another person who never really clocks out. There’s that person who text messages themselves at 3 o’clock in the morning because they get amazing thoughts when they should be sleeping. If I saw that someone was in this competition and I had never met them, I automatically know which one of those two workers they are.

Kat, how do you decide which competitions or community activities to participate in

As far as competitions go, it depends what system I bring with me. If I brought my work system, then I’ll play all of them, but if I brought my personal system, I’m going to limit what CTFs I play in. But I also have the issue of saying yes to too many speaking engagements. Last year I was unpacking my suitcase into the washer and repacking from the dryer. That happened because lots of different people were asking me, and you want to please everyone.

Then I got on a plane to DerbyCon and the lady asked me where I was going to check in and I said, “I have no idea.” That was kind of a wake-up moment for me. I have wonderful children at home and I am traveling so much that I don’t even know where I am or where I’m going. At that point I decided to take a step back and do things that allowed me work behind the scenes and more remotely.

My CTF team participates together, welcoming everybody to come and play. When we’re not able to attend conferences for various reasons, we share a lot of the questions in our channels, so that everybody can continue to participate even outside of attending the conference. So that’s one way that we help each other still learn, still be involved, and not have to actually travel as much as we do.

Make the most of your CTF involvement

It’s important to take time after a competition to write yourself some notes. Anytime you’re part of an interview or you’re trying to look for a way to discuss the things that you’ve learned, you’re going to want to have some kind of content to be ready to share. You’re not going to remember every single competition that you’ve been part of so keep a competition journal. What was the challenge? What did you learn? What did you fail at? What new skills did you learn or which old skills did you fine tune? Who did you meet and have you followed up with them to continue building the relationship?

CTFs can be a fun challenge, but they are also a networking opportunity that will help you develop skills relevant to your profession. Get out and participate!

This entry was posted on Friday, November 30, 2018 9:59 pm

Leave a Reply

Your email address will not be published. Required fields are marked *