Let’s face it. One of the most humbling realizations for most companies is that, regardless of their size, money, or stature, they rarely get the opportunity to choose which cyber threat will end up on their doorstep, and when. It’s the ever-present permeating thought that casts infinite shadows into every corner of critical infrastructure and sends security teams scrambling to prepare for an endless list of possible scenarios. While some companies struggle to fill open cybersecurity roles for various reasons, which may or may not include unrealistic expectations and/or prerequisites, others have found relief by complementing their security posture with crowdsourced security platforms like Synack and the Synack Red Team (SRT). Not only does this hybrid model provide a scalable platform for doing ad-hoc security campaigns on the fly, but it also infuses much-needed diversity into an inevitably converging pool of homogenized internal checkpoints. This is why Synack and Hack The Box (HtB) are working together to open doors to diverse talent around the world in cybersecurity. Maybe one of these doors is right for you?
Open Invitational CTFs
Every year, the SRT hosts an open invitational CTF, which allows researchers from all over the world to showcase their talents, win prizes and earn a shot at joining the SRT. These events are great ways for skilled applicants from any background to bypass the SRT Waitlist, a mechanism put in place to ensure that Synack grows the SRT in proportion to researcher opportunity. While prizes may be limited for top-performing researchers, Synack evaluates everyone’s individual CTF performance stats when determining any SRT invitations. This ensures a fair and meritocratic evaluation process for all players, especially if they can’t commit to the entire CTF duration.
Fighting Imposter Syndrome
Imposter syndrome is real. Oftentimes, people may not even recognize the symptoms or how debilitating they can be. “Am I ready?” Questions like these and unending self-doubt are reasons that some researchers don’t even try … cue the Synack Red Team Track on HtB, released in early 2021! The intent is to build confidence for applicants struggling to determine their readiness and create a low-cost and fun alternative to certifications for up-and-comers to get their foot in the door. Applicants who can complete this track (in earnest, and on their own) should have the skills to perform well on the SRT private tech assessments (WebSec, NetSec, CloudSec). These assessments are custom built by the one-and-only IppSec and refreshed regularly to deter cheating and incorporate new vuln trends seen in the wild by the SRT Circle of Trust. Yes, certifications can help, but Synack cares more that you actually have the skills than about a piece of paper. Even if you don’t pass, the experience is a great learning opportunity for anyone who gives an honest effort.
Due to the overwhelming popularity of the program, Synack has made a slight change to maintain our commitment to proportional SRT opportunity and responsible community growth.
More often than not, the most successful SRT members share three core traits: talent, quality reporting, and speed. Due to the number of applications we receive every month, only talent can be adequately screened at scale. Quality reporting and speed are typically refined as researchers familiarize themselves with Synack’s reporting standards and optimize their TTPs. We hope this information will set proper expectations with any potential applicant and help them make a plan to move forward with confidence.
Investing in Diversity
The name of the game in cybersecurity is diversity, whether that be age, gender, ethnic, regional, neural, or skill. Companies need broad-spectrum coverage from all different perspectives to try to keep pace with adversaries, and there are just far too many underrepresented groups in ethical hacking to make it an even fight. While diversity may be the name of the game, it’s hard to play when you don’t get a chance to step up. This is why Synack invests in programs like Synack Academy and partners with organizations like Blacks in Cybersecurity, BUiLT, and SANS to offer career awareness and mentorship in cybersecurity. Similarly, the SRT has programs for qualified veterans, women and other gender minorities, college hackers, and 18-and-under hackers (our latest closed beta initiative) to create unique opportunities for camaraderie, mentorship, and career support. As researchers work their way up the SRT reputation ladder, they can use their payouts to purchase more refined education/certifications and earn a spot on the Synack Acropolis to help fill out their resumes and grow their careers.
Cybersecurity is never static. Problems and solutions change every day, but the need for skilled personnel to actually do the work continues to grow. The world needs more companies, and more people, to step up and lead the charge for ethical hacking. Crowdsourced security platforms are essential for the good guys to stand a chance in the long run. The world needs talented researchers to share their skills with more than just one enterprise at a time, and companies around the world are quickly waking up to this reality. Every day, more and more companies are encouraging employees to try this alternate type of cybersecurity training because they see the benefit. If you think your employer would object, sometimes all you need to do is ask! I, for one, am proud of all the work Synack and HtB have done to date, and look forward to our continued efforts to close the cybersecurity skill shortage while making the industry more diverse and the world more secure. “Where we go from here, I leave to you!”
Senior Director of Community, Synack Red Team
P.S. A special shout-out to @morphean_sec and his write-up that helped me realize that sometimes you need to stop running for a moment to let others know how all the work you’ve been doing fits together. Keep up the hustle, and good luck on the CTF! =)