Review: SANS Cyber FastTrack 2019

September 25, 2019

         This spring, I received an email through my university with an invite for a program called Cyber FastTrack. The part that caught my eye was that it was prepared by SANS, which is known throughout the field of Cybersecurity for providing top-notch training on just about every subject. I didn’t (and still don’t) consider myself very skilled in Cybersecurity, but I signed up to see if I could challenge myself and learn something.  Fast-forward about six months and I’ve completed 100% of the program including every single challenge in CyberStart Game and earned a ~$21k scholarship for SANS certifications and training. If you are new to the field and/or determined enough to do what it takes to earn it, this could easily be a reality for you as well, and if you would like to know more about the program, keep reading.

         The grand prize that they offered to top scorers was a SANS Technology Institute Undergraduate Certificate in Applied Cybersecurity. Don’t let the word ‘Undergraduate’ scare you away if you are more experienced or already have a degree, because it’s made up of 3 SANS certifications valued at over $7,000 each! The only caveat (at least for this iteration of the program) would be that in order to earn this scholarship, you must have earned at least 48 college credits and have been registered as a student in a college from an eligible state within the last 2 years (Eligibility from their main page is posted below). I believe that most online colleges count as well (I fit this category), but most people should at least be able to participate in the CTF/modules even if they aren’t eligible, which I highly recommend. Despite these amazing rewards, only about 13,000 people in the United States even attempted the first stage. The program involved three stages spread out over the course of 5-6 months, starting in April and ending in the middle of September.

CyberStart Assess

The first stage was CyberStart Assess, which consisted of about 15 challenges ranging from simply reading a web page’s source code to reverse engineering a downloaded executable file. If the latter sounds too intimidating, don’t worry too much, as the program was designed to introduce you to new topics at a very refreshing pace, so it is very approachable. CyberStart Assess is short and sweet but it will help you gauge your own interest and give you a good idea about what the challenges will be like in the later stages. They allowed over a month to complete these 15 challenges, which should be plenty of time for even the most beginner of cybersecurity learners. Your goal should be to try and complete as many as you can, but if you find that the last couple of challenges are a bit too difficult, don’t sweat it. As long as you scored high enough, SANS should send you an email inviting you to the next stage, the CyberStart Game.

CyberStart Game

         CyberStart Game was a CTF-style portion of Cyber FastTrack with over 200 different challenges to solve. It consisted of three different ‘bases’, each with a different type of challenge category. Each one of these was approachable for someone of any skill level and they built off of each other extremely well. 

Headquarters Base

         The Headquarters Base was more or less the ‘main base’ when it came to the CyberStart Game. It contained about 3-4 times as many challenges as the other two bases and the topics covered a much broader range. The challenges started out fairly simple, having you read a page’s source code and solving basic puzzles, but they gradually built up over the course of the thirteen different levels, each containing 12 challenges. All of the challenges were pretty easy going with few moving parts. You could see things like command injection, SQL injection, cross-site scripting, user-agent switching, cookie theft, reverse engineering, and more. None of these challenges were particularly difficult up until about level 10, and even then, level 13 was the only one with any challenges that I would say were fairly difficult. I would suggest that if you get stumped, go work on one of the other bases for a little bit and come back to the challenge later. There are times that you might learn something new that could give you a breakthrough on the HQ base.

Moon Base

         The Moon Base was all about solving challenges with Python, and there were about 30-40 of them. This was honestly my favorite of all three of the bases. It utilized a built-in editor/interpreter and some challenges even came with some starter code already written. The first few levels of the base were very instructional in nature, essentially having an entire walkthrough for the challenge written out in comments. Experienced Python programmers may be a little annoyed to find that they can’t import most of their favorite modules but are limited to the ones provided. For example, you may be used to using Beautiful Soup or Requests for most of your HTTP programming, but you will need to use urllib/urllib2 for just about everything HTTP-related in this module. There were some modules that gave you an IP address and a port to connect to and you could potentially use your own IDE and modules, though not all of them were like that. In my opinion, it would be better to force yourself to use their environment and to learn something new instead of relying on libraries that automate most of the work.

Forensics Base

         The Forensics Base was something that played with my emotions quite a bit.  You were able to use common tools like strings, exiftool, binwalk, steghide, etc. The first few challenges were both simple and interesting, involving some very basic steganography and image analysis. However, this ramped up quickly, as you were then asked to download multiple 3GB images containing virtual hard drives for you to sift through for a flag. There were also a few challenges where you were given a Windows Registry Hive to dig through for a flag as well. I initially found these to be very mundane and time-consuming, so I put off the rest of Forensics Base until the end. Fortunately, it ended up getting much more interesting when they started to provide memory dumps and teaching some of the popular forensics tools. So if you find yourself getting bored with the first few levels of this base, I would recommend that you push through, because it does get much better.

CyberStart Essentials

         CyberStart Essentials was the third and final stage of Cyber FastTrack. It started after the CyberStart Game ended, although in my case, they did leave the Game part open for another month for people to complete without earning points. The first thought I had about Essentials was, “Why am I doing this after Game?”, and after looking at the SANS Technology page for the ACS certificate, it turns out that Essentials is actually the first course for the program. My thought is that they probably left it for the end in order to weed out those who weren’t as dedicated.

Essentials was fifty bite-sized modules of computer-based training, designed to teach you literally everything you just did in Game. The material was surprisingly both deep and broad, while remaining very brief and to-the-point. Some of the topics they taught in the modules were: Computer Hardware, Networking, Linux, Windows, Kali, Reconnaissance, Exploitation, Forensics, and more. You could easily do several modules a day, and most of them had a short 10-20 question timed exam at the end. They were all un-proctored and you could use the internet as much as you wanted, though you might be tight on time if you expect to do that for each question. After completing the exam, you got your score immediately, but you were not told what you got wrong. Presumably, this is done to protect their questions from getting leaked.

By far my biggest gripe with Essentials was the quality control for their exams. There were some exams that I felt extremely confident about when pressing the submit button, only to find out that I got several questions wrong. There were also some questions that were ambiguously worded or flat-out just didn’t make sense. It was frustrating to see a 60% or 70% on a 10-question exam that you were sure should be a 90% or better. The good news though, was that the fifty-question final exam seemed to be much better in terms of question quality.

I also ran into a problem that caused two of my tests to instantly submit right when I started them. I dual-boot Linux and Windows on my home computer, so naturally I did the Linux exams on Linux and Windows exams on Windows. It turns out that dual-booting can sometimes cause problems with your system clock, which caused my exams to time-out right away. Fortunately, the Cyber FastTrack support was kind enough to acknowledge the problem and they were able to reset my tests. 

Ultimately, I would still say that Essentials was a great experience overall, especially since my group was presumably the test group for this material. I imagine that most problems will be fixed by the next iteration of this program.

Conclusion

My personal experience with the Cyber FastTrack program as a whole was honestly pretty fantastic. Putting aside some of the technical difficulties and quality issues in Essentials, the rest of the material was the kind of high-quality work that one would expect from SANS training, but at no cost. The name “FastTrack” described the program perfectly, as it can take a complete beginner to a competent level of knowledge and skill in a remarkably short time. And if you were determined enough, the roughly $21k worth of SANS training and certifications that you could potentially earn is nothing to scoff at. If you are even thinking about possibly trying the program out next time, I would suggest that you register your interest now for reminders. It’s completely free and there’s nothing to lose for trying.

https://www.cyber-fasttrack.org

Comments

  • I agree that some of the exam questions were written deceptively. I really feel like this was done on purpose, though. A number of times I had a draft email written up, ready to support why there were actually two equally correct answers, only to realize after some reflection that one word here or there implied some slight logical twist that invalidated one of the choices. I think it was created this way specifically to check out test-taking ability in addition to our technical knowledge. It reminded me of the kinds of lateral thinking required in certain types of IQ tests or brain teasers. Often the technical component was only ~25% of the problem.

    Awesome write up and congratulations!

  • I signed up for this thanks to this article! With a “well nothing to lose” mindset. I feel like I’m too inexperienced to succeed just yet but hopefully I can learn along the way!

    • Glad to hear it Aaron! I hope you have as great of an experience as I did!
