Ed Skoudis

Coinage: The SANS Pen Testing Coins Backstory

March 24, 2013

[Editor's Note: Some things I work on are the result of ten, thirty, or one-hundred minutes of effort. Others are the result of six months or a year of work (such as my office tour). This blog is the result of over a year's work by not only me, but also John Strand, Josh Wright, Kevin Johnson, Steve Sims, and many others.

In each of the seven SANS Penetration Testing Curriculum courses, Day 6 is a Capture the Flag (CtF) event, allowing students to pull together their experiences from the previous five days into a full-day exercise that models real-world penetration test activities. For about a year now, we've been rolling out course-specific CtF challenge coins as a prize for the noteworthy accomplishment of finishing among the top five winners in each class. But only a few people know the backstory of the SANS Pen Test Curriculum coins... until now. You see, there is a cipher embedded in each coin, and here's the story of how that came to be.
-Ed.]

Several years ago, Rob Lee started giving away challenge coins to people he calls "Forensicators" (Given my delicate virgin ears, I blush every time I hear that word, by the way). Rob awards these really beautiful coins to people who do something special — write a blog post, ask a great question in class, write a tool, win a challenge in a class, and more. I've always thought his coins were a fantastic idea, and a wonderful reward for people who do great stuff. Rob was pushing me for years to create a pen test coin. "Where's _your_ coin, Ed?" he'd sometimes taunt, in that precious way only Rob Lee can muster.

But, while I loved what Rob did with the coins, I didn't want to just copy Rob's coin plan. So I thought about the situation for months, and how we could tie some sort of coin thing into the SANS Pen Test courses.

On Day 6, each Pen Test course has a Capture the Flag competition, and, for my courses, I'd always given out an autographed copy of my book as a prize. My publisher generously sent those books to me for free, as a marketing thing. I was really happy to get them. About 18 months ago, there was a staffing change at my publisher, and they told me "No more free books" (kinda like the "No free bugs" movement, only completely different). Buying books at the author's price was still a bit pricey ($30 each), so I bought some books myself as prizes while I started brainstorming other options.

During one of my morning walks, it hit me... my two problems (getting a coin for the Pen Test Curriculum to address Rob's taunting challenge, plus being kicked off of the free book gravy train for CtF prizes) could be used to solve each other, and we could add some fun and whimsy to the whole thing. The idea was to have a different prize coin for each SANS Pen Test class. Money-wise, we could give five prize coins away in each class for about the same price as the book.

And, instead of just 504, we'd have a different coin for each of the pen test classes, so people could collect them all! We'd give each course's coin a different theme, such as super heroes, ninjas, and spiders. The course's author could impart their own personality, wisdom, and humor into each coin. And, best yet, the coin imagery could be taken as a course icon. SANS has course icons for some of the other (non-pen-test) courses, but none for pen test courses. I didn't want a clip-art or stock image look for the course icons, so at that time I was working on a small project to try to come up with special course icons. That project was fail fail fail, as the artists were only creating garbage. But, the coin project also solved the logo problem too! Win-win-win.

In early 2012, I set about having an artist work on the 504 coin. We spent about a month going through ideas and drafts. Then, at RSA in Feb 2012, we had our final draft ready to send. I showed it to my friends and colleagues at the RSA conference, and they loved it! I was excited.


But, at that same RSA conference, when I showed the 504 coin image to John Strand, he said, "Really cool... and what is the challenge?"

I replied (and this quote is 100% accurate), "Wha???" Strand said back, "Well, this is a Skoudis thing so there must be some kind of challenge or puzzle built into the coin." Me: "Oh...uh... yeah. I'm working on that." I panicked. Strand was right, and I hadn't thought this through enough. It could be a hundred times better the way he suggested.

The coins were already in fabrication, and I needed to retrofit a challenge into the coin. Walking the streets of San Francisco, I thought long and hard. Then, it hit me — we could have a single phrase that weaves its way throughout each pen test course coin. Each coin would have a unique cipher for part of the phrase. People would have to solve all kinds of ancient, modern, and custom-created twisted ciphers from all of the coins to get the final phrase that pays. Then, we'd give the first person to win and decode all the coins a really exciting prize. I ran it by SANS management, and they were on board. This would be a big undertaking, rolling out eight coins over the space of a year, but lots of fun — with the ultimate embedded mystery in the coins themselves.

But, there remained the problem of the 504 coin not having an encoded message. I continued to think — and then, "Heeeeeey! We could bootstrap this by using the text on the back of the 504 coin as a reference to decode something." I don't want to give away how it works, but it is a little like a one-time pad based on a historical cipher.

With that problem solved and our plan in place, we got our first batch of 504 coins in Orlando in March 2012. They were a hit.

We got our first batch of 560 coins in Baltimore in April 2012. More excitement.

The 575 coin came in May 2012 in San Diego. Josh hired his own artist to do it, and it was AWESOME with a cool cipher, great theme (Gamera, the flying turtle monster that battled Godzilla), and inspired artwork. Next, the 542 coin arrived in June 2012 in Denver, with my artist working on spider ideas provided by Kevin Johnson and Lara Dawson. Then, the 660 coin appeared in DC at SANS FIRE in July 2012, done by Steve Sims' artist using a Conan the Barbarian theme.

We hit a snag. Our artists were pretty tapped for ideas, as were we. There were three more coins needed: 617, 642, and NetWars. It took a few months, but we finally got the NetWars coins done in the nick of time for the Tournament of Champions in December 2012. The Counter Hack Challenges guys and I created a custom cipher over Thanksgiving (at the same time we were working on the Miser Brothers' Holiday Hacking challenge) for that one. Then, the 617 coin debuted in January 2013 featuring another movie monster (that knife-headed monster Guiron from another Godzilla movie, via Josh's artist).

We are almost there with our final coin: the one for 642, which we just finished last week and will pass out starting in one month. That'll make 8 coins total, with the following themes (please click on the theme for a full view of the face of each coin):

504: Super Heroes (with a nod to Batman, Spider Man, and the Incredibles)
542: Spider & Fly
560: Ninja
575: Reptile Monster Movie (Gamera)
617: Another Reptile Monster Movie (Guiron)
642: Samurai and Dragon
660: Conan the Barbarian
NetWars: The World

SANS Buttons

Each coin includes on its face the course name, number, and logo, as well as some words about what the course is about. On the back, there's an inspirational quote congratulating the winner and challenging him or her to do great things. And, of course, there is a different cipher on each coin's back. I must say, it has been TREMENDOUSLY fun adapting historical ciphers and encodings to the coins, as well as creating our own fun ciphers from scratch.

But, not everyone wins a coin, and some people really like the images from the course and wanted something to take home. Even the people who won the coin wanted another way to represent their victory. So, we tried another experiment at SANS Vegas in September 2012 — we had little stickers made up with the coin images on them, to distribute to folks who took the course. When we went to pass them out, students went CRAZY for them. We gave them all away in a matter of minutes. We've been passing them out at selected conferences ever since. Oh, but the stickers DO NOT have the ciphers on them. If you want the ciphers, you have to win the coin (or use your wiles, wit, persuasion, and other more nefarious tactics) to determine those.

And, that's the story of the coins.

The story does continue, though — we're having T-shirts made up that show all 8 coins on the front (two rows of four coins), and then a mysterious coin-shaped silhouette lit from behind underneath. We hope to have those T-Shirts later in 2013. That way, students can wear the shirt and point to the coins they've won, and also point to the next one they plan to conquer. What's that 9th coin, in silhouette, you ask? Well, that's another mystery (our funk is multi-layered).

Oh, and we have one more thing up our sleeves for people who have taken our courses in the past, but perhaps didn't win a coin (either because we didn't have the coins at the time, or because they didn't win the CtF). I call this idea and event "Coin-A-Palooza". Just at two special events, if you have taken a given SANS Pen Test course before, your NetWars performance will allow you to earn coins for those courses you've taken before. People who get from Level 1 to Level 2 of NetWars will get a 504 coin (if you've taken 504 before... and we will be checking). If you go from Level 2 to Level 3, you can get a 542, 560, 573, or 575 coin of your choosing if you've taken those courses. If you go from Level 3 to Level 4, you'll get your choice of a 617, 642, or 660 coin. And, if you come in the top 5 spots of NetWars at the event, you get a NetWars coin. So, people will be able to pick up between one and five extra coins at the event.

I'd like to close by congratulating the victors of the various SANS Pen Test Courses. You folks have done something very special, and, as an instructor, it has been an honor working with you as you develop and apply your incredible skills. On behalf of all the SANS Pen Test Curriculum instructors, we'd like to thank you for your hard work, diligence, and achievement of excellence!

-Ed Skoudis.
SANS Penetration Testing Curriculum Lead
Director, SANS NetWars & CyberCity Projects
Founder, Counter Hack Challenges
