N/A - For introduction week, there was no demo
In my school, Rochester Institute of Technology (RIT), Computing Security (CSEC) is one of a big computing major. One aspect that I absolutely love about RIT and CSEC is that our student club, RITSEC (https://ritsec.club), plays a big role in educating passionate students. Members of RITSEC tries to share, teach, provide, participate, and lead in various areas of CSEC.
Some of the areas are:
- Weekly 4 hour meeting - Education, Technical Demo, Personal Research
- Creating, hosting, and running Security Competitions like ISTS, IRSEC, RITSEC CTF
- Leading and participating in CCDC (Collegiate Cyber Defense Competition)
- Leading and participating in CPTC (Collegiate Penetration Testing Competition)
- Having it's own dedicated Red Team
- Operating multiple interest groups - A smaller sub group which focuses on specific branches of Information Security (Red Teaming, Penetration Testing, Incident Response, Reverse Engineering)
- And of course, much more
When I transferred to RIT 2 years ago, as a fresh-freshman, I also learned a lot from RITSEC. As much as I learned from the classes, I have learned as much as, or even more, from students from RITSEC. Fast forward 2 years, now I think it is my turn to give back to the community and help out some students. And thankfully, recently Mohammed (fellow colleague) and I became leaders of RVAPT which made it possible for me to give back to the community.
RVAPT is one of the interest group, which is a smaller group that focuses on Offensive Security. RVAPT stands for RIT Vulnerability Assessment and Penetration Testing, which is pretty self-explanatory of what it focuses on.
Started by Ben Bornholm (blog) and Michael Milkovich, RVAPT focused on teaching students Offensive Security; not just slamming keyboard in front of a terminal, but to teach them what proper Offensive Security means.
I was also heavily influenced by the original purpose of my colleagues. This is why I decided to create a clear purpose and goal of RVAPT even before I created content for our members.
Goal and Purpose
The goal and purpose of RVAPT is to prepare its members to become a proper Offensive Security oriented student/professionals. For the elements of becoming "proper", I decided to focus on developing two mindsets.
- Develop a proper Technical Offensive Security mindset
- Develop a proper Non-Technical Offensive Security mindset
To me, a proper technical Offensive Security mindset is about developing a personal methodology. It is not about learning what tools to use, what flags to use or what specific techniques to use. It's about finding a target, proactively researching it, finding out unintended behaviors, exploiting those, and reporting back to the client. Moreover, it's about using this methodology to the target and the environment and looking at the bigger picture. The essence of technical mindset is this process and methodology. This methodology is not something everyone was born with. Moreover, it is not easy to develop this methodology if one goes down the rabbit-hole of "hackhackhack" mindset.
A Proper Non-Technical Offensive Security mindset is remembering that it's about business. After all, Offensive Security is business; a client will ask for a service, the service provider will provide the service, report it back to the client, and receive some kind of reward after the work.
It is not about "breaking in", "hacking stuff", or sarcastically making fun of client's blue team or system administrators. It's about providing business value. The client decided to invest time and money to us, in order to solve their problem. As a service provider, it is our job to provide the best service, explain the business impact, and report it back, with professionalism. Any interaction in the industry, rather it is Cybersecurity or Software Engineering, all ties back to business. Thus, it is my goal to emphasize the importance of business, impact, and relationship with the client in Offensive Security.
With those goals and mindset in mind, I decided to structure the RVAPT meeting and its contents. Due to students' schedule, RVAPT meeting lasts for 1 hour every week. Content wise, the meeting is structured with 30 minutes of presentation and 30 minutes of hands-on demo.
The presentation will be based off of penetration testing. This was because penetration testing provides a good full experience of offensive security, while not requiring too much technical experience like Red Teaming. For specific topics, PTES (Penetration Testing Execution Standards) will be the framework that I am going to reference. While not the industry standard, the 7 steps of penetration testing from PTES definitely shows the full big picture of penetration testing process.
I believe in technical, hands-on demo. This is why hands-on demo will include various activities, from enumerating VMs, lateral movement in an simulated infrastructure, OSINTing on organizations, writing reports, and doing a in-character acting between testers and the client.
As an ultimate goal of RVAPT, Mohammed and I are planning to build a small infrastructure for our members to perform a simulated penetration testing on. With this infrastructure, the members will go through a 1~2 day competition, acting as a security firm. We hope that this infrastructure will provide a full penetration testing experience.
That about sums up the first introduction of RVAPT. Currently RVAPT is on its way of Week 3, Passive Enumeration/OSINT. That means I have some catch-up to do in terms of the blog post and some demos.
My ultimate goal is to run RVAPT, guide the members to the proper Offensive Security way. Moreover, it is to share the knowledge, content, and fun that me and my members had, to other schools and people around the world. As we like to say in RITSEC, "Security through Community" is key.