CSTM Exam

Learning from my first attempt

Many people take the Cyber Scheme Team Member exam to become a CHECK team member or, as is my case, a Cyber Essentials Plus Lead Assessor. The day started in the Eagle Tower reception at 8:45am with candidates trickling in and sharing their prior experiences. One was on his second attempt and said his employer does not expect anyone to pass first time so allows them up to four attempts. Another was previously an infrastructure administrator working mostly in telecoms who had a wealth of experience and commented that people that pass first time are a rarity. With that in mind, I was not too hopeful.

The assessor, Paul Richards (Head of Education for the Cyber Scheme) took us up to the exam room and explained the format. It's run in a very relaxed manner whilst also maintaining the security and integrity of the exam.

I was taking the new style assessment, so gone was the multiple choice exam and the written paper. Instead we had questions of the type "tell me everything you know about <insert highly specific subject here>". It was open book and we had a short period to look up any information we needed. I knew only about half the answers off the top of my head so needed to do some research. I initially focussed on how a certain protocol works before researching the rest of the responses. This was then followed by the technical interview (viva) where we went through each question in turn. Paul was a very fair examiner, prompting for more detail where required and quickly moving onto the next question when all available points had been achieved.

The practical part of the exam is still, at the time of writing, the same duration as the old version. I can safely say it is an exam unlike anything I have experienced before. It was an absolute rollercoaster of emotions - annoyance, frustration, anger (at myself), surprise, joy, relief and contentment. I feel like I almost went through the 7 stages of grief in the space of a few hours. When the time was up, I knew I'd not been successful but was proud of how well I'd done on the first attempt.

The wash-up meeting after the practical was really straightforward, direct and ended on a positive note. The exam was due to finish 'by 5pm' but I was out of the building at 1:30pm. I can't guarantee the same early finish for everyone.

Where I went wrong

I kicked off a load of initial scans that turned out not to be needed. I found an exploit in about 20 seconds but then wasted the next 10 minutes trying to use it to gain far more information than was required to answer the question. Some methods I tried simply failed to work so I moved onto other questions. One and a half hours in, I was feeling thoroughly deflated.

In the final hour, I managed to tick off quite a few more questions by erm... actually reading the question and doing what was required. Surprising, that!

I'd been almost fixated on finding exploits so didn't do much brute forcing. That could be partly because I'm doing this for Cyber Essentials purposes which is focussed on policies and managing vulnerabilities. Weak credentials should not be possible with a good password policy and appropriate user training. CE requirements also make MFA mandatory for any cloud services, further mitigating the risk. Next time, I'll remember to use a mix of approaches for the practical exam.

My written report was too technical and should have instead focussed on business risks and other things that will persuade executives to allocate appropriate budget.

What I did well

I prepared for the exam as well as I could reasonably have done:

  • prior education (MSc Computer Science),
  • experience (linux systems, web applications, proxies and auth systems),
  • a pentesting practitioner course,
  • and trying to identify and fill in any gaps in knowledge or skills.

I knew the knowledge components well although, like nearly everyone, I recognised I had a few weak areas. Those were no great stumbling block. The exam is fair and is designed to assess a real world situation. You need to know your stuff but can look things up when needed. Learning the content as you're doing the exam is definitely not a recipe for success.

My practical skills are generally acceptable and it is difficult to prepare for the specifics of the practical element. Online 'capture the flag' competitions from HackTheBox or TryHackMe often focus on exploiting niche vulnerabilities of increasing difficulty. The CSTM exam is not designed to assess skills like that.

Building a training environment yourself can be a good way to practise underlying infrastructure skills and gain familiarity with a range of technologies. The main downside of this is that you'll know (or should know) what infrastructure vulnerabilities are already there. There are purposely vulnerable web apps available to help prepare for those types of web questions:

How to do better next time

RTFQ! Seriously, read the exam paper and all the questions before diving in.

If the question specifies a method, that's exactly what it wants.

After answering the question move onto the next one. If the question requires you to login as a user and you manage that, don't waste time trying to escalate to root, admin or system privileges.

Some information, available services, attack vectors or vulnerabilities will not be relevant to the questions you need to answer so don't get sidetracked by them.

My CSTM Practical Exam Strategy

I developed this strategy after sitting the exam the first time and reflecting on ‘I wish I’d have known this in advance’. A lot of it is general exam strategy, although with some particular emphasis on avoiding a scattergun approach and falling into rabbit holes. You’ll probably need to customise it to something that works for you.

  1. Connect to the network and ensure it works, e.g. by accessing a service or by pinging a known host.
  2. Read the full exam paper before actually starting:
    a. Make a note of relevant tools to use for each question:
      i. nmap scans (including banner grabbing, OS detection and scripts)
      ii. brute forcing (dirbuster, hydra)
      iii. password cracking (john)
      iv. vulnerability scanning (whichever one is your preference)
      v. exploits (metasploit, SQLi, file inclusion)
    b. Identify things that may take a long time to complete (e.g. UDP scans of a large block).
    c. Identify areas where you could save time, for example by dealing with sub-sections of questions all at once.
  3. Start at the start and work through in order. Some of the questions are designed to follow on from each other, e.g. if you miss 3c you might find it difficult to answer 4b.
  4. The report should be focussed on whatever area it requests. Technical reports should be a summary of technical findings such that the client's IT teams would be able to implement appropriate fixes. Business reports should detail the risks to the business in a manner that would prompt an executive to allocate resources to remedy any issues.

TLDR: It's a fair exam. You need to know what you're doing and use your time and resources effectively. Use the exam strategy above as a basis for your approach.

NB: This post has been approved by The Cyber Scheme. Candidates are reminded there is a non-disclosure agreement preventing the unauthorised disclosure of information about the examination process or the exam content.

Update

Barry has now passed CSTM, which shows that these lessons can make the difference in practice.

Additional Reading

CSTM Failure is an option...

4N6 Ltd, Barry McGuire 9 June 2025