Cedric van Bockhaven
Where it all began
Back in primary school we were hanging out on the playground thinking about what to do next. The idea of building our own website sounded appealing, so I started playing around with FrontPage and Dreamweaver. The other 10-year-olds had soon forgotten about the idea, but I was captivated by the technology and possibilities. A new world just opened up.
I started learning about all sorts of web technologies and created websites for friends and family. I hosted/supported an IRC server for a popular peer-to-peer client, and learned new tricks from the techies who hung out there. At the same time I was confronted with people who wanted to bring our systems down or spammed our chat channels. So I learned how to defend our infrastructure and also got to understand how they were able to attack us in the first place. While I was fascinated by these attacks, I’ve always worn a white hat myself: I primarily enjoy the technical challenge and aligning the puzzle pieces to gain access.
Where it went to from there
After finishing my bachelor’s degree in Belgium, my home country, I wanted to learn more about cyber security. Options were limited in Belgium at the time, so I enrolled in a master’s degree in the Netherlands: the System and Network Engineering master. Throughout the master I learned the ins and outs of network protocols, how security can be applied to systems, and how security wasn’t really thought of by the early sculptors of our cyber ecosystem. During one of the projects we attempted to crack 512-bit RSA certificates of Android applications in the Play Store using the university compute cluster, as well as a collection of desktops and standalone servers, leading to a short electricity outage (oops!).
The fine folks at Deloitte NL supervised my thesis on patching of Android devices. I didn’t foresee staying in the country after the degree, though I realised I really enjoyed the environment I was in, so why leave? Surrounded by so many like-minded individuals, it was a no-brainer to join the technical team at Deloitte NL. Over the course of several years I got immersed in the captivating world of security testing and performed pentests on all sorts of web applications, mobile applications, infrastructure/networks, and other (exotic) systems. I organized/facilitated Capture the Flag events and helped build many CTF challenges. I was part of an ICS team that performed security reviews on industrial control systems. Later on I joined the Red Team and got to travel the world for clients in a wide range of sectors. In the meantime I enjoyed facilitating a number of courses, such as an Android security training, a GICSP/CISSP certification training, and a Red Team training.
After over 7 years, I wanted to dive deeper into offensive techniques, and found a match in my penchant for all that is “Red” in my (now) colleagues at Outflank.
My coolest project ever
Working on Capture the Flag events over the years has helped me learn so many different techniques across several cyber security areas. Organizing and managing events with sometimes hundreds of people attending requires a lot of preparation from an entire team. There is nothing better than the feeling of having all that effort culminate in the launch of the event, seeing participants sink their teeth into the challenges you built together (and the implicit combined suffering of those trying to solve your puzzle)!