A candidate’s story…

My experience of taking the Cyber Scheme Team Leader (CSTL) Examination

So it finally happened: I was comfortable in my general level of competence to attempt the relatively new Cyber Scheme Team Leader examination last week. It’s a team leader-level certification that is intended to show advanced-level penetration testing skills, whilst also demonstrating the soft skills required to deal with customers during an engagement. It also carries CHECK Team Leader equivalence (https://www.ncsc.gov.uk/articles/composition-check-team). The exam itself comprises three distinct sections:

  • Scoping activity. Sitting down with one of the assessors, who assumes the role of a client, you are expected to take a base level of provided technical information, and use this to create a scope of work that covers all the appropriate areas required for testing.
  • Technical assault course. Once all candidates have undertaken the scoping activity, you are permitted to connect your laptop to the exam rig, whereupon you undertake a 4.5 hour practical assessment in the form of a penetration test of the “customer” environment.
  • Wash-up meeting/Viva. Following the practical assessment, there is a further meeting with the “client” where you are expected to present your results, explain your methodology and answer customer questions about your findings.

Anybody who is familiar with team leader-level certifications in Pen Testing will probably notice a number of differences between the format for CSTL and that used by other examining bodies. Foremost amongst these is the removal of any written or multiple-choice testing. The purpose behind this is apparently quite deliberate: in moving towards a format whereby the candidate is expected to engage with a “client”, it is not only possible to examine those skills in a different manner, but it also ensures that the pre-requisite soft skills are in place to have the confidence that a candidate can engage with customers in a professional way.

It is just my opinion, but I believe that the technical examination is a breath of fresh air when compared to other, similar, examinations. Rather than having a very prescribed set of questions with a very definite process to reach the ultimate “goal”, the examination takes the form of a real-world penetration test. Obviously, I’m not able to discuss the technical intricacies of the exam, but suffice to say there is no single set method that is required to locate, and ultimately compromise, vulnerable hosts. Indeed, just as in a real-world engagement, a number of the hosts that you encounter are not actually vulnerable. As a candidate you are expected to utilize solid enumeration techniques, prioritise high-value targets and move through the infrastructure to demonstrate the required competencies. Vulnerable hosts contain flags which can then be recorded to demonstrate compromise of a particular device. This element of the exam is 4.5 hours long, which sounds like a lot, but is actually just about enough time to cover everything that needs to be done. You don’t feel under horrific time pressure, but there isn’t any spare time for taking things easy.

The final viva and wash-up meeting were not my favorite part of the day. Having been at it for a number of hours and still being unsure as to whether or not I’d done well enough in the grueling technical exam, I really just wanted to go home. It was, perhaps, an overly simplistic way to think about the discussion. The reality of it is that it gives a further opportunity to pick up additional credit. Additionally, if any particular element of the practical did not go entirely as expected (you were missing a tool, or a tool was not functioning as needed, for example), then it provides an opportunity for you to communicate how you would have approached matters under ideal circumstances. The assessors did a good job in putting me at ease, in spite of the situation, and the whole conversation was far more of an example of how to explain certain issues as you would to a client, rather than a contrived role-playing exercise.

All being done, I was free to go and head off back down the road. The exam being on a Friday, it meant that I had a whole weekend of pondering what-ifs, but an email promptly dropped into my inbox before lunchtime on Monday, telling me that I had fulfilled all of the requirements to be recognised as a CSTL. I may have let out an involuntary yelp of joy at the time.

Now the *really* hard work begins…