SANS Penetration Testing

Coinage: The SANS Pen Testing Coins Backstory

[Editor's Note: Some things I work on are the result of ten, thirty, or one hundred minutes of effort. Others are the result of six months or a year of work (such as my office tour). This blog is the result of over a year's work by not only me, but also John Strand, Josh Wright, Kevin Johnson, Steve Sims, and many others.]

In each of the seven SANS Penetration Testing Curriculum courses, Day 6 is a Capture the Flag (CtF) event, allowing students to pull together their experiences from the previous five days into a full-day exercise that models real-world penetration test activities. For about a year now, we've been rolling out course-specific CtF challenge coins as a prize for the noteworthy accomplishment of finishing in the top five in each class. But, only a few people know the backstory of the SANS Pen Test Curriculum coins... until now. You see, there is a cipher embedded in each coin, and here's the story of how that came to be.

Several years ago, Rob Lee started giving away challenge coins to people he calls "Forensicators" (Given my delicate virgin ears, I blush every time I hear that word, by the way). Rob awards these really beautiful coins to people who do something special -- write a blog post, ask a great question in class, write a tool, win a challenge in a class, and more. I've always thought his coins were a fantastic idea, and a wonderful reward for people who do great stuff. Rob was pushing me for years to create a pen test coin. "Where's _your_ coin, Ed?" he'd sometimes taunt, in that precious way only Rob Lee can muster.

But, while I loved what Rob did with the coins, I didn't want to just copy Rob's coin plan. So I thought about the situation for months, and how we could tie some sort of coin thing into the SANS Pen Test courses.

On Day 6, each Pen Test course has a Capture the Flag competition, and, for my courses, I'd always given out an autographed copy of my book as a prize. My publisher generously sent those books to me for free, as a marketing thing. I was really happy to get them. About 18 months ago, there was a staffing change at my publisher, and they told me "No more free books" (kinda like the "No free bugs" movement, only completely different). Buying books at the author's price was still a bit pricey ($30 each), so I bought some books myself as prizes while I started brainstorming other options.

During one of my morning walks, it hit me... my two problems (getting a coin for the Pen Test Curriculum to address Rob's taunting challenge, plus being kicked off of the free book gravy train for CtF prizes) could be used to solve each other, and we could add some fun and whimsy to the whole thing. The idea was to have a different prize coin for each SANS Pen Test class. Money-wise, we could give five prize coins away in each class for about the same price as the book.

And, instead of just 504, we'd have a different coin for each of the pen test classes, so people could collect them all! We'd give each course's coin a different theme, such as super heroes, ninjas, and spiders. The course's author could impart their own personality, wisdom, and humor into each coin. And, best yet, the coin imagery could be taken as a course icon. SANS has course icons for some of the other (non-pen-test) courses, but none for pen test courses. I didn't want a clip-art or stock image look for the course icons, so at that time I was working on a small project to try to come up with special course icons. That project was fail fail fail, as the artists were only creating garbage. But, the coin project also solved the logo problem too! Win-win-win.

In early 2012, I set about having an artist work on the 504 coin. We spent about a month going through ideas and drafts. Then, at RSA in Feb 2012, we had our final draft ready to send. I showed it to my friends and colleagues at the RSA conference, and they loved it! I was excited.

But, at that same RSA conference, when I showed the 504 coin image to John Strand, he said, "Really cool... and what is the challenge?"

I replied (and this quote is 100% accurate), "Wha???" Strand said back, "Well, this is a Skoudis thing so there must be some kind of challenge or puzzle built into the coin." Me: "Oh...uh... yeah. I'm working on that." I panicked. Strand was right, and I hadn't thought this through enough. It could be a hundred times better the way he suggested.

The coins were already in fabrication, and I needed to retrofit a challenge into the coin. Walking the streets of San Francisco, I thought long and hard. Then, it hit me -- we could have a single phrase that weaves its way throughout each pen test course coin. Each coin would have a unique cipher for part of the phrase. People would have to solve all kinds of ancient, modern, and custom-created twisted ciphers from all of the coins to get the final phrase that pays. Then, we'd give the first person to win and decode all the coins a really exciting prize. I ran it by SANS management, and they were on board. This would be a big undertaking, rolling out eight coins over the space of a year, but lots of fun -- with the ultimate embedded mystery in the coins themselves.

But, there remained the problem of the 504 coin not having an encoded message. I continued to think -- and then, "Heeeeeey! We could bootstrap this by using the text on the back of the 504 coin as a reference to decode something." I don't want to give away how it works, but it is a little like a one-time pad based on a historical cipher.

With that problem solved and our plan in place, we got our first batch of 504 coins in Orlando in March 2012. They were a hit.

We got our first batch of 560 coins in Baltimore in April 2012. More excitement.

The 575 coin came in May 2012 in San Diego. Josh hired his own artist to do it, and it was AWESOME with a cool cipher, great theme (Gamera, the giant flying turtle from the Japanese monster movies), and inspired artwork. Next, the 542 coin arrived in June 2012 in Denver, with my artist working on spider ideas provided by Kevin Johnson and Lara Dawson. Then, the 660 coin appeared in DC at SANS FIRE in July 2012, done by Steve Sims' artist using a Conan the Barbarian theme.

We hit a snag. Our artists were pretty tapped for ideas, as were we. There were three more coins needed: 617, 642, and NetWars. It took a few months, but we finally got the NetWars coins done in the nick of time for the Tournament of Champions in December 2012. The Counter Hack Challenges guys and I created a custom cipher over Thanksgiving (at the same time we were working on the Miser Brothers' Holiday Hacking challenge) for that one. Then, the 617 coin debuted in January 2013 featuring another movie monster (that knife-headed monster Guiron from one of the Gamera movies, via Josh's artist).

We are almost there with our final coin: the one for 642, which we just finished last week and will pass out starting in one month. That'll make 8 coins total, with the following themes (please click on the theme for a full view of the face of each coin):

504: Super Heroes (with a nod to Batman, Spider-Man, and the Incredibles)
542: Spider & Fly
560: Ninja
575: Reptile Monster Movie (Gamera)
617: Another Reptile Monster Movie (Guiron)
642: Samurai and Dragon
660: Conan the Barbarian
NetWars: The World

Each coin includes on its face the course name, number, and logo, as well as some words about what the course is about. On the back, there's an inspirational quote congratulating the winner and challenging him or her to do great things. And, of course, there is a different cipher on each coin's back. I must say, it has been TREMENDOUSLY fun adapting historical ciphers and encodings to the coins, as well as creating our own fun ciphers from scratch.

But, not everyone wins a coin, and some people really like the images from the course and wanted something to take home. Even the people who won the coin wanted another way to represent their victory. So, we tried another experiment at SANS Vegas in September 2012 -- we had little stickers made up with the coin images on them, to distribute to folks who took the course. When we went to pass them out, students went CRAZY for them. We gave them all away in a matter of minutes. We've been passing them out at selected conferences ever since. Oh, but the stickers DO NOT have the ciphers on them. If you want the ciphers, you have to win the coin (or use your wiles, wit, persuasion, and other more nefarious tactics) to determine those.

And, that's the story of the coins.

The story does continue, though -- we're having T-shirts made up that show all 8 coins on the front (two rows of four coins), and then a mysterious coin-shaped silhouette lit from behind underneath. We hope to have those T-Shirts later in 2013. That way, students can wear the shirt and point to the coins they've won, and also point to the next one they plan to conquer. What's that 9th coin, in silhouette, you ask? Well, that's another mystery (our funk is multi-layered).

Oh, and we have one more thing up our sleeves for people who have taken our courses in the past, but perhaps didn't win a coin (either because we didn't have the coins at the time, or because they didn't win the CtF). I call this idea and event "Coin-apalooza". From November 7-14, 2013, we'll be having the SANS Penetration Testing Hackfest Training Event in Washington DC (please do mark your calendars!). We'll run our NetWars challenge several nights there for folks to build their skills and have some fun. Just at this one special event, if you have taken a given SANS Pen Test course before, your NetWars performance will allow you to earn coins for those courses you've taken before. People who get from Level 1 to Level 2 of NetWars will get a 504 coin (if you've taken 504 before... and we will be checking). If you go from Level 2 to Level 3, you can get a 542, 560, or 575 coin of your choosing if you've taken those courses. If you go from Level 3 to Level 4, you'll get your choice of a 617, 642, or 660 coin. And, if you come in the top 5 spots of NetWars at the event, you get a NetWars coin. So, people will be able to pick up between one and four extra coins at the event. We're still planning this extra-special training event, but you may want to mark your calendars! Initial details are here:

I'd like to close by congratulating the victors of the various SANS Pen Test Courses. You folks have done something very special, and, as an instructor, it has been an honor working with you as you develop and apply your incredible skills. On behalf of all the SANS Pen Test Curriculum instructors, we'd like to thank you for your hard work, diligence, and achievement of excellence!

--Ed Skoudis.
SANS Penetration Testing Curriculum Lead
Director, SANS NetWars & CyberCity Projects
Founder, Counter Hack Challenges