Before it became the unofficial mantra of Offsec, “Try Harder” was just a simple suggestion to a frustrated student. About ten years ago, one of our Offsec instructors, bolexxx, was chatting with a Penetration Testing with BackTrack (PWB) student in IRC. The student was stuck on one particular exercise, and was upset that bolexxx wouldn’t just give him the answer.
“Nothing works!” the student said. He made it clear what he wanted — an easier path to the solution or a specific set of instructions to follow. He sent one last message out of frustration. “I’ve tried everything!”
“Well,” bolexxx typed, “Have you tried harder?”
It was simple and to the point. Bolexxx went on to explain why we never simply hand out answers, the benefits of researching solutions on your own, and so on. Ultimately, that student didn’t enroll in an Offsec course to get a participation trophy or simply cross an arbitrary finish line. That student, and in fact all of our students, come to us to learn both the techniques and disposition it will take to be successful. It’s that second half of the equation, developing a strong and specific disposition or mindset, that distinguishes Offsec’s approach and courses from the rest.
Since that student, there have been countless others who have been told to “try harder.” In the last 10 years, this simple, short phrase has gone from a not-so-subtle hint to a mantra. Maybe even something more than that. We say it to our students and to each other, both in and outside the context of information security. To that end, we’d like to take a moment and explain three specific aspects of what exactly it is we mean when we say “Try Harder.”
Trying Harder Means Being Persistent
When the first (and second and third…) idea doesn’t work, sometimes a student can get stuck with a sort of tunnel vision, staring at their screen, waiting for the solution to become obvious. When we feel like we’ve hit a brick wall, stepping away for a moment and taking a break is usually the best advice. Once we sit back down, we’re forced to re-introduce ourselves to the problem, and often this new perspective is just what we needed. Being persistent often means pressing pause for a moment.
It’s also important to remember that mistakes and failure are part of the process. Sometimes a particular vector just seems like it should be more effective. The first step in developing persistence, it seems, is looking for why or how a particular approach is failing. Often this will lead to new approaches and new ideas.
There is an element of patience to this as well. Thomas Edison once quipped that “the most certain way to succeed is always to try just one more time.” That’s what we ask of our students. Keep at it. Keep looking.
In other words, try again.
Trying Harder Means Being Creative
Of course, the most persistent approach is rather useless if we’re not trying new things. So many security flaws are either the result of or can cause unexpected behaviors — it follows that a successful student is one who is able to think “outside the box” a bit.
Maybe we should clarify here — we’re not asking students to blindly stab in the dark, but when things aren’t going as planned, we can’t simply resort to checking our work against an example in a book, searching for typos or a misplaced semicolon. At times, penetration testing can be a bit like looking for a needle in the proverbial haystack, so being creative means applying an understanding of information security concepts to consider (and test!) a wide variety of ideas.
In other words, try differently.
Trying Harder Means Being Perceptive
Situational awareness is a critical skill for any information security professional. By this we don’t just mean knowing what resources are available, or when to walk away from one approach and try something new — though perception does start there.
There’s also a necessary personal awareness that we hope to cultivate in our students. It’s critically important to be aware of how much time is left in an exam (or, for that matter, an assessment), and how to best use that time. Brute-force attacks, for example, can be incredibly time consuming. On the other hand, a different approach may be efficient and effective, but if a student isn’t confident and well-practiced, they may find themselves still knocking at the door when the clock runs out. The most technically skilled pentester with no ability to appropriately manage time or resources simply won’t be successful in the field.
Making time to step back and actively assess a situation is critical to being able to make good decisions. This sort of perception might not come naturally – but it’s a necessary skill.
In other words, try smarter.
A final note
A careful observer may notice that Offsec spends a lot of time thinking about and focusing on the work (as opposed to the achievement). The mantra, after all, is “try harder” and not “win harder.” That’s no accident.
Our goal is to provide the best, most complete trainings that leave our students with both the techniques and disposition necessary to be effective and successful beyond the classroom. We carefully designed all of our courses and labs to teach the mindset and the work (not just the results). It’s also why our exams aren’t necessarily easy — they are as hands-on and in-depth as the courses themselves.
Perhaps the reason Offsec Certifications are sought after by employers is that they measure much more than technical aptitude (though they do that as well). They are proof that the certification holder is skilled, persistent, creative, and perceptive — someone who tries harder.