Leading up to Black Hat USA, hear from Black Hat Review Board Members, Speakers, Trainers and Partners about their contributions to information security and the upcoming Black Hat event.
This week, we chat with Sumit "Sid" Siddharth about NotSoSecure Trainings. NotSoSecure offers 4 unique classes in 2 Day and 4 Day Formats: Advanced Infrastructure Hacking, Basic Infrastructure Hacking, Hacking and Securing Cloud Infrastructure and Web Hacking - Black Belt Edition. Learn more and discover full class dates and information below »
Can you give us a quick intro to you and NotSoSecure?
Hi, my name is Sid and I am the founder of the company NotSoSecure. We are a leading training provider at Black Hat and other IT security events. In 2019, at BH USA (Las Vegas) alone, 500+ attendees took our advanced hacking courses. Today, I am here to talk a bit about what makes our courses so popular, how we train people at that scale and also how we are adapting our classes in a post-covid world.
Here is a picture of one of our popular class, "Advanced Infrastructure Hacking" taught at BH USA 2019 and attended by nearly ~150 attendees.
Figure 1: NotSoSecure Class @ Black Hat 2019
Please tell us a bit more about NotSoSecure and the history of your relationship with BH events?
While I have personally been a speaker at BH events since 2007, we first got world's attention in 2015, where we took a call to go beyond a standard 20 person classroom based training and scale it to a 100+ person classroom. Everyone then thought it was a crazy idea to teach so many people in one classroom, but we had a method to the madness. We made sure that everyone had the same hands-on training experience as they would in a small class and we follow those same principles even now. Things that set us apart:
- Our extensive in-house research and subject matter expertise on topics that allows us to constantly update our classes and present the latest cutting-edge techniques.
- Our years of experience in teaching courses have allowed us to perfect our course delivery, ensuring a great learning experience for all attendees.
Please tell us a bit more about how you plan on delivering your courses virtually, especially to a large number of students:
The following are some of the key things that allow us to teach classes efficiently and to keep it interactive.
- Our courses come with a hands-on lab. Each attendee gets his/her own dedicated lab access to play during the class and we provide free 30 days access after the class, allowing the learning experience to continue even after the class.
The student pack provided to attendees, don't just come with the slide deck. It contains lots of additional material such as useful tools/scripts/cheat sheets etc. Within this student pack, is an exercise sheet listing all the challenges which attendees will solve during the course of training. The pack also contains an answer sheet (pdf documents) providing detailed walk throughs (with screenshots and explanations) on how each and every exercise discussed in the class is to be solved.
The figure below is a sample from our extensive answer sheets:
Figure 2: Sample Answer Sheet
Figure 3: Sample Answer Sheet
The answer sheets are password protected as we want attendees to focus on solving questions by applying the new knowledge and not to cheat by directly peeking inside the answer sheets. The password for the relevant answer sheet is provided at the end of each module. These answer sheets are particularly useful when the attendees revisit the class during their extended lab time and this allows us to ensure that their learning experience has not finished when we finish teaching and the attendees have the best chance of really taking in the training.
During the class, the trainer maintains a live google-doc. All attendees have read only access to this live document and after each exercise (after providing practice time), trainer updates this document with relevant steps to solve each exercise. This allows attendees to directly copy/paste complex commands and quickly troubleshoot issues themselves, rather than trying to focus on the small terminal screen on which instructor will type on his laptop.
Figure 4: Google Document Shared with Students in Class
- When classes get big, as they do typically for events like Black Hat, we have an army of "support staff" available to troubleshoot the questions and technical issues which attendees may have. The support staff are highly qualified and each is a subject matter expert. We typically have 1 support staff per 12 attendees to ensure that any questions are promptly dealt with.
Please tell us what are the new things people can expect from BH USA 2020 training?
This year, we are launching a brand new class: Hacking and Securing Cloud Infrastructure (August 1-2) and (August 3-4). The class covers a number of attack scenarios which could allow an attacker to gain a foot hold on to an enterprise's cloud network and then move laterally and vertically to gain further foot hold. A common web application vulnerability hosted on public cloud (such as a SSRF issue) could allow an attacker to query meta-data services and gain vital information. We cover attacks and issues spanning all 3 major cloud providers (AWS, Azure and Google) and also cover the logging, monitoring, securing and hardening aspects.
Another course we're excited to teach virtually is Web Hacking Black Belt - 4 Day and 2 Day Edition. Here we have a collection of some neat, new and ridiculous vulnerabilities affecting web applications and APIs. We have handpicked issues which affected real world applications and have found a mention on the bug bounty platforms. Some of the highlights of the course include topics around SAML, OAUTH, SSO vulnerabilities, practical cryptographic issues, modern de-serialisation issues, advanced XXE, template injection and other topics.
We also have a 2 Day class for beginners called "Basic Infrastructure Hacking" (August 1-2 and August 3-4) that is ideal for people who want to become pentesters or managers who want to understand what goes on behind the scenes. The course begins with laying a foundation for everyone by discussing the basic concepts and gradually builds up to the level where attendees not only use the tools and techniques to hack various components involved in infrastructure hacking, but also walk away with a solid understanding of the concepts on how these tools work and therefore ready to face the real world.
What are the challenges in teaching advanced classes remotely (virtually)?
One of the biggest challenges in teaching remotely is how to troubleshoot problems remotely and get reasonable feedback from attendees which you otherwise get in an in-person class. We have solved this by:
Every attendee will have access to a separate pre-configured system ready to plug and play where they can ask a "dedicated support staff" to troubleshoot any technical issues. The attendees can share the screen and even grant access for our dedicated staff to resolve the issue quickly. This portal is separate from the meeting and the instructor will never have to interrupt the entire class to troubleshoot any individual as this will be taken care of by our dedicated support team.
Figure 5: Live Interactive support portal
We have gamified the challenges and asked the attendees to put the answers to the exercises in a CTF portal when they solve it (and before the instructor demonstrates the solution). This allows the instructor and the support staff to assess how attendees are performing in real time and if everyone is on the same pace or not.
The live leader-board helps the flow of competitive juices too.
At the end of the class, the attendee can download a pdf which tracks how many challenges they were able to solve on their own. This will also give attendees a good idea of their strengths and weaknesses within different areas of the course and areas to focus on during their extended lab time.
With the coronavirus outbreak, we think that the in-person, classroom based trainings may just go out of fashion for many and corona or no-corona, we think fewer people will be keen to travel and sit in classrooms close to others and have a trainer/support staff look over their shoulder and type on their keyboard to troubleshoot the problems.
That said, the virtual classes are perfectly suited to adapt and overcome these challenges. We will teach the class over the webinar platform (gototraining). Attendees can join the live feed from anywhere in the world. The classes will come with all the benefits outlined above.
For more details on NotSoSecure Courses, visit the links below:
Sumit 'sid' Siddharth founded NotSoSecure, a boutique consultancy and training company. Sid has been a speaker, trainer at many Black Hat conferences. Been a serial entrepreneur himself, Sid now mentors budding InfoSec entrepreneurs under his new initiative Disruptrs.io. He is passionate about working with talented people and to bring cutting edge technology to life.