Discover more from f33d by Prelude
Capture the Flag
Design your own training programs inside Operator
Have you ever looked around for cyber security training, specifically for your (experienced) team?
Aside from new-to-the-industry training - where there are a slew of pretty cool options - there are considerably less cool options for those who are already working in the industry. Don’t get me wrong, there are some pretty intense, useful training programs out there… but their coolness factor takes a hit once you account for cost and accessibility.
Why pay exorbitant fees to train your security staff on generic skills that aren’t tuned to your specific business?
As a company with the singular mission of making advanced security more accessible (period), we’ve added a new type of option: customizable capture the flag training programs you can design yourself, tailored for your team.
First let’s talk background.
When we started developing the Operator command-and-control (C2) platform last year, we decided to make training a first-class citizen of the application. As a C2, Operator is designed specifically for red/purple teams to evaluate if your defenses are working. As a desktop tool, it is designed around the individual using it. Operator is meant to be owned & personal.
This design choice made it natural to bake in continuously updating training programs which are always at your fingertips. Between security assessments, you can hone your skills by keeping up with the offensive-minded training programs that cover areas like:
Introduction: a constantly evolving program teaching you how to use Operator.
Pink Badge: a free certificate program to append offensive security skills to anyone currently working in IT or InfoSec.
Capture the Flag: a free multi-level program that acts as a real-world training ground to test your skills.
Now let’s talk customization
With these programs off and running, constantly evolving and growing, we decided to go one step further and open Operator training up for customization.
For Enterprise license holders, we created a space to create completely customized training programs. It’s quite simple: we assign your team/org a file system and you can use our template to upload your own programs, each private to you.
Your programs may focus on your industry, process, team dynamics, specific technology... The point being, off-the-shelf training can only go so far. You need to train your staff to succeed at your company.
The training programs can be ordered or unordered and you can mix-and-match options like having the user enter text input to capture the flag (i.e., prove their knowledge) or a script to programmatically verify they got it.
As a security leader, you can monitor your entire team’s progress from a web dashboard:
A couple of training use cases to consider:
An on-boarding program to send your new security hires through. On-boarding can often be inconsistent, so solve this by designing a thorough program which describes your process, where your resources are, who to contact in different circumstances and more - and validate that your new hires understand.
A security training ground. Create your own CTF challenges which hone the skills of your offensive and defensive teams. Your challenges can plug directly into your own tools and infrastructure - meaning you can create personal training. For example, instead of sending your team through Azure security training, consider building your own program that hooks into your Azure environment. Because your company’s configuration may be different from what they’d see in a generic program, you can train your staff more effectively.
More effective compliance-driven testing. Every security team member dreads the quarterly compliance security questionnaires but the information within them is often critical to know. Build your own program that covers the areas within the compliance space you want to ensure your team “gets.”
Security competitions. You can design cyber competitions on the fly that can build team comradery. Instead of going out to lunch as a team once a quarter or doing a standard company retreat day, build an in-house CTF program in the shape of an “Escape Room.”
Operator is a double-edge sword: use it as a command-and-control app to assess your cyber defenses or use it to train your security staff to succeed at your organization, not someone else’s.
Cyber security training is often a costly and painful experience. But it doesn’t have to be.