Interview of Isis - Kévin Monfermé
Interview of Isis - Kévin Monfermé
Kévin Monfermé, better known as Isis on Root-me, started his professional change towards cybersecurity a year and a half ago. He met people who are passionate about this field which fueled his desire to experiment challenges on Root-Me. He really got into it by creating live podcasts sharing tips and advice with cybersecurity experts. Isis talks to us about his new job with passion and shares valuable advice and resources for those who, like him, consider a career change or are starting out in cybersecurity.
Introduction / Presentation
Who are you and what are you currently doing ?
I’m Kévin Monfermé @Isis, currently a student at ESNA in Rennes in the 1st year of the BTS SIO (Computer Services for Organizations) in a work-study program.
What got you into cybersecurity ?
I started to study Business in high school, which is far from cybersecurity. I’ve played around games source codes for a long time and I had always wanted to get more skilled at it. The day I met Podalirius and Laluka got me deep into cybersecurity and the Root-Me journey. I wanted to be part of this community where people really want to learn about the job - people like me actually! So, in October 2022, during the Cybersecurity Month, I started a podcast on Discord.
Every month, 2 persons are invited to the podcast to tell us about their job, their background, and share tips for the newbies interested in cybersecurity. We share in a live and relaxed mode. I had the chance to interview Voydstack, Ruulian, Mizu, Podalirius, Laluka, SoEasy, Worty, Xanhacks, but also freelance devs. Half a hundred students were following the podcast live and asking questions, that helped them on their journey. I enjoyed doing this podcast to help people find their way. Some of them actually started their career change after listening to us. I wasn’t very good technically but I’m relatively comfortable talking to people, probably because of my background in sales. I think it’s the combination of the human and of the technical aspect that made people like the podcast. The people I met at that time are still friends today. The people I interviewed gave me precious advice on how to learn, where to look for information, and they strengthened my career change project to cybersecurity.
How did you experience your career change ?
The beginning was harsh because I stopped my studies after my high school degree and went to work. It’s true that going back to school after experiencing the professional environment is quite complicated. But if you are passionate about what you are doing, whether you are on a work-study program or going back to school on remote (I know that OpenClassrooms offers this type of format), passion is the driving force! I’ve had more fun in the last 6 months with my work-study program than I had in a year of work the year before. Having a job only as a means to earn a living, even if it can be satisfying, is not enough. You need passion.
What domains are you particularly interested in ?
It depends on what I want to do in the moment. At a certain point I was really into web, a field in which I have learned a lot. I remember Mizu made an introduction on a vulnerability that literally fascinated me. I spent 2 weeks trying to understand how it worked. I got interested in malware development, with an ethical intent of course. The idea is to understand the technique behind it and how Windows really works, … The dev aspect fascinates me in general.
Cyber Experience
What is a typical day like? A typical week for you ?
I’m currently working as a security developer in a two-week at work and two-week study program. When I’m at work, depending on the project I’m on, I usually go through long phases of information gathering - I do research to understand what has already been done on the subject and what I can already correct before “getting my hands dirty”. This stage is often longer than the development part, I would say that the documentation part represents 70% of the work. To sum it up, I spend my morning documenting and in the afternoon I do some testing that often doesn’t work, so I debug and do another test, and so on.
What mistakes were you making when you first started in this industry ?
I’m not sure that I have enough background for now to answer this. A year and a half of experience is short. Generally speaking, what I struggled the most at first with was my impatience, I wanted to quickly understand as many things as possible. I realized it was much more relevant to dig into one subject after another. We can always go back to a subject and dig deeper and deeper into it afterwards. You should not hesitate to take breaks as well, rather than getting stuck on a subject for a long time and getting discouraged. Sometimes I have found solutions or ideas only after I had turned to a completely different activity.
Do you have an interesting story to share with us about your cyber career ?
When I started on Root-Me I was working from 8:30am to 4:30pm in an elementary school. I had set myself the challenge of completing the Steganography category. I would bring my laptop to work and the kids were intrigued by the images they were watching on my screen. Explaining steganography to a 6-year-old is a tough one! I was able to accomplish the category within one month only!
What were your main challenges in learning this job ?
Apart from the fact of having to learn to be patient, I would say that the main challenge is to stay informed all the time, to keep a good awareness so that you don’t miss an important vulnerability or a critical article that could help you integrate the right information for your future missions. Right now for example there is a news about ransomware targeting VMWare ESXi servers. This vulnerability has been around for 2 years but nobody has seen it. It’s a challenge for everyone to stay as informed as possible, and we must make our team aware as some of them are not interested in security. It’s important to be up to date on vulnerability to anticipate, for example by Red teaming or by pentesting on other platforms. For the development of malwares and tools it’s the same: if you know that a 0Day was discovered, you know it has become a OneDay, you look at how it was done, you try and take inspiration and you may manage to find a variant somewhere. To summarize, the biggest challenge in cybersecurity is to be up-to-date. The difficulty is to find the accurate sources because there is a lot of information out there. There are people who claim to be cybersecurity influencers and who communicate on Twitter, LinkedIn or other networks but you realize quite rapidly that the information they share is not technical. It’s just compiled information that you can find anywhere else randomly…
What good sources could you share with us ?
The most interesting is probably the articles found on personal blogs and this is also a matter of personal tastes – Do you like the way the speaker explains things?
I personally follow The The HackerNews which is a very famous media. I also follow the CERT-FR alerts and information that come out frequently and the reports published by the ANSSI.
Twitter can be a good network to identify people who can be good sources.
For France for example I would say that Noobosaurus R3x is reliable, he verifies the information and only publishes quality info. I also like the videos on his Youtube channel, sometimes he approaches technical subjects and makes practical demonstrations. Podalirius is also an interesting source to follow because he offers a good watch around Microsoft and offensive topics. I will also mention Shutdown to follow the release of new important tools.
What do you feel you do better with experience ?
I understood the importance of monitoring but also the importance of putting techniques into practice. As long as you have not tried, it’s hard to make sense of things. I do not hesitate now to get to practice as often as possible by doing effective research to move forward. Now, I consider things step by step, there are technical levels to pass before being able to go forward.
Your relation with Root-Me
How did Root-Me help you on your career path ?
Root-Me helped me a lot. I found my job, the training and the company that hired me on a work-study program thanks to the platform and its community ! My boss was on Root-Me, he was part of the staff team. It’s always easier when you show your username on your resume and the recruiter considers hiring you because he knows your active participation on Root-Me! One of the reason the Principal admitted my school application was that I had 3000 points on Root-Me at that time.
What is your favorite type of challenge and why ?
Steganography remains my favorite category. I also like reverse challenges, even if I’m training a lot on this subject by myself. The idea is to understand how a software works and to hijack it by finding a vulnerability in the code. To train myself on this I use VX Underground which offers a whole directory of samples and malwares. I have a VM which is completely dedicated to this and on which I do malware reverse directly.
What aspects of Root-Me do you appreciate in particular ?
I really appreciate the Root-Me Discord which is the place where you really connect with the community, you can share on any topics and find help from passionate ethical hackers.
What motivates you to create challenges? What’s the benefit for you ?
I’ve created only one so far, in steganography of course! We modified it recently. I would like to create others later if I have the time because I like to make people discover certain notions this way. It’s all about sharing! And we also learn by creating challenges because designing them requires a lot of meticulous work, understanding and debugging.
Until today, what are your best achievements on Root-Me ?
It is to be part of a caring community, and to feel respected.
What does the Root-Me community bring to you that you can’t/don’t think you can find elsewhere ?
Personal and professional support because I know that if one day I need to find a job, I can advertise on the platform and ask the community about job offers and ask if people have information and people will try to help me. It is not the case on all social media.
Tips
In your opinion, what are the main qualities needed to do this job ?
Curiosity and passion are essential because they are the necessary conditions to study subjects in depth.
What advice would you give to someone considering a career change in this domain ?
The advice I would give to someone who is just starting out is not to panic because other people are way better than you. It can be scary at the beginning when you’re not able to follow some people who are much more skilled. I would also advise not to hesitate to ask questions, but to make sure you ask the right ones.
I know that HacktBack has published a video on this topic: “How to have all your questions answered”. It explains how to properly ask a technical question to make it easier for the people you’re asking your questions to answer. This video is super interesting. I would also advise to take your time to learn things, you don’t necessarily learn at the same pace as your pairs. There’s no need to be stressed out as long as you love what you do.
It explains how to properly ask a technical question to make it easier for the people you’re asking to answer. This video is super interesting.
I would also advise you to take your time to learn things, you don’t necessarily move at the same speed as others, but there’s no need to stress about it as long as you love what you do.
Which person particularly inspires you and why ?
Laluka because he has incredible human skills and always helps people without asking anything in return. In addition to these qualities, he is a technical monster.
What are your ambitions for the future ?
To keep on enjoying what I do every day, no matter what the job is. I want to keep this flame alive!
To keep up with Isis, follow him on Twitter! : @0x1sis