#WorkinginCSA: Discovering Security Gaps and Reinforcing Systems Against Real-World Cyber-Attacks

Xavier Yeo is a Senior Consultant with the Cybersecurity Engineering Centre (CSEC), where he is part of a team conducting security assessments on Government systems and Critical Information Infrastructure (CII) systems. He also recently attended DEF CON 30 and was part of the CSA team that won the Adversary Village Capture-the-Flag competition.

1. What sparked your interest in cybersecurity?

My first experience with cybersecurity began with “hacking” online games when I was seven years old. I made my online avatar super powerful by making changes locally on my computer. It enabled me to win any battle against other online players and scale higher difficulty challenges. I felt that the thought process of “hacking” a video game is very similar to exploiting security vulnerabilities, as it involves manipulating the system to do things it is not intended to do. It was fun as a kid to explore these “gaming hacks”, but in the real-world, hacking attempts by malicious threat actors can have severe consequences.

When I was in secondary school, I also learnt to set up phishing websites and was able to trick my friends into visiting them. However, I would always reveal the prank immediately, advise them to change their credentials and teach them ways to identify phishing websites and suspicious URLs. I wanted to share my knowledge for the benefit of the larger community.

What started off as an innocent attempt to defeat a game in the virtual world opened my eyes to the possible devasting consequences that malicious cyber-attacks can have on the real world. I realised early on the need to enhance the resilience of systems against such cyber-attacks. Assurance and trust are the key factors as the world pursues greater digitalisation. No nation can be “smart” unless it is also cyber secure. This led me to pursue a cybersecurity-related diploma in polytechnic, converting my interest into a profession.

2. Tell us something interesting about your day-to-day work that not many people know about.

I am a Senior Consultant with CSA’s Cybersecurity Engineering Centre (CSEC), under the Attack Simulation Group (ASG). A typical day involves working with my colleagues to research and learn about the latest security vulnerabilities and attack techniques, in order to prepare for our upcoming engagements such as penetration testing or Red Teaming projects.

My team conducts security assessments on Government and Critical Information Infrastructure (CII) systems – using realistic tactics and attack vectors that real threat actors might apply, we exploit security vulnerabilities in an attempt to penetrate or gain access to their systems.

In exposing systems’ susceptibility to such attacks, we highlight the need to address such security gaps. This also improves the overall cybersecurity assurance of the system and makes it more resilient against real-world cybersecurity attacks. Research and preparation are vital as one wrong action could have significant impact on our client’s systems. I am also grateful that my colleagues enjoy our work, as well as learning new things, as much as I do. Most importantly, we get to have fun together while doing cool things like hacking systems (legitimately, of course). In addition, CSA provides us with ample opportunities to take up courses and certifications which help us keep up to date with developments in this fast-paced industry.

Something interesting that not many people may know is that working in CSA exposes us to emerging technologies such as Industrial Controls System (ICS) and 5G security. As the Communications pillar lead within my team, I am exposed to the latest information and trainings regarding 5G security, and my team and I use this opportunity to help identify cyber threats that may target Singapore’s national security.

3. You were part of a CSA team that won the Adversary Wars Village Capture-the-Flag (CTF) competition at DEF CON 30. Could you share more about your experience?

At DEF CON 30, there were a wide range of CTFs to select from, ranging from Hardware Hacking Village to Adversary Wars Village. Looking at our team’s background and expertise, we chose the Adversary Wars Village as it was the CTF we were more familiar with and interested in. My teammates come from different CSA departments – Sing Cherng’s expertise in malware analysis combined with penetration testing skillset from Kar Min, Guo Gen and I, made a formidable team. On the last day of the CTF, we could feel the tension in the village as players only had till noon to solve the challenges instead of the usual full-day schedule. Fortunately, our team leader Guo Gen, with his vast experience in CTFs, led us to victory.

It was also refreshing to see how hackers unwind and have fun during DEF CON 30. One memorable experience was witnessing the tradition where DEF CON 30 staff dressed up in inflatable dinosaur costumes every night before closing. They would run around the event area making loud noises and “attacking” people – DEF CON 30’s idea of a “closing” bell. Another memorable experience was the “Hackers’ Karaoke Night”, where participants gathered and sang their hearts out in front of other hackers. I had not experienced these in other major cybersecurity conventions, so it was eye-opening for me. I am grateful to CSA for giving me the opportunity to attend the world’s most renowned cybersecurity training and conference.

Aside from participating at DEF CON 30, we were there for Black Hat USA as well. We attended courses that we were interested in, and that were also relevant to our work. We learnt a lot of things from the top-tier cybersecurity experts in the world and it was a remarkable experience.

4. Any advice to those looking to work in the cybersecurity industry?

The industry has become more competitive compared to when I first started my journey with CSA back in 2018. Upskilling, exposure to the industry, and professional certifications are what I think job seekers should focus on to increase their value to potential employers.

For upskilling, there are abundant free resources online, such as Hack The Box, Udemy, Coursera, or YouTube videos that provide job seekers the necessary knowledge they need to enter the industry. For industry exposure, participating in CTFs, AiSP (Association of Information Security Professionals) or Division Zero meetups are good opportunities for one to expand their network. For professional certifications, attaining reputable certificates like Offensive Security Certified Professional (OSCP) or CREST certifications are attestations to your skillset.

Most importantly, always have a curious mind. Understanding how the systems work, applying creativity, and thinking outside the box will help you identify loopholes that developers have not thought of.

5. How do you unwind from work?

One great way for me to unwind from work is taking part in the weekly “Blue Sky Day” supported by MCI and CSA. Every Wednesday at 5pm, we will spend an hour doing physical activities such as running, walking, static exercises, or even badminton, all while the sky is still blue outside. My other ways to unwind include hobbies such as playing games, singing, covering songs, or working out in my improvised home gym.