Global Cybersecurity Camp (GCC) 2025 Taiwan

It still felt like I landed in Taiwan yesterday


Last updated 3 months ago

I recently participated in GCC 2025! Learning new things, meeting new people, and exposing myself to uncharted environments was an incredible experience!

What is a camp? Can I eat it?

GCC 2025 is an annual cybersecurity camp (or conference, as some refer to it) where students and trainers from participating countries spend a week together and do some great stuff!

This year's GCC was held in Taoyuan, Taiwan on the 10th and lasted until the 14th of February.

As part of the 4 student representatives from Malaysia, we were sent to Taiwan to learn new things, explore different cultures, and create a global community (or networking) focused on birthing cybersecurity experts whilst instilling passion within the field.

Day 0

We left Malaysia on February 9th, meeting at KLIA Terminal 2 at 6 a.m.

Was it excitement? Or was it rushing due to the lack of time? Either way, we were all sleep-deprived but made it to Taiwan!

Our flight was slightly and by the time we got out of the gate, it was already 2.30 p.m. We took the MRT to the hotel beside the station and readied for the icebreaker and opening ceremony at 6.00 p.m.

The opening ceremony was an incredible night as it allowed us to socialize and network with everybody at the venue (without the stress that would follow in the coming days).

Day 1

The real meat of the camp began on day 1 where we started the day with an opening to GCC and the introduction of our groupwork. I met up with my group members for the first time and I knew this team was destined for greatness (spoiler). We were given to work on the title Quantum Security, which had us scratching our heads for the coming days.

We had our first training session on the Introduction to Threat Modelling led by Donovan Cheah from Singapore. The session focused on the many aspects of threat modelling such as the use of STRIDE-LM and how to deduce the TTPs of threat actors using MITRE ATT&CK. The session provided many nuances about threat modelling and how things are not always as they seem. For instance, STRIDE-per-element might be an easy starter to list the possible threats for a given system; however, a lot of the processes are missing from the DFD, whereas STRIDE-per-interaction would define the flow distinctively; and even then, one would have to consider whose POV to take when modelling the threat. Additionally, the use of Gen. AI in threat modelling was introduced as a tool, not to lazily chart out the attack scenarios, but rather to generate the questions to ask the different POVs of the many stakeholders. The session provided hands-on practice using OWASP Threat Dragon, and it was good that threat modelling was the first session we learnt; the later sessions also touched on it and it became a crucial component in our groupwork.

The following session, Writing a Code Sanitizer, was led by Mikihito Matsuura. Here we learnt how compilers generally function. This was crucial to the session as it focused on changing the configurations within function calls to intercept and prevent errors from occurring, effectively preventing exploits like buffer and heap overflow attacks. The session also looked into a compact, multi-pass compiler named "chibicc" (small C compiler), which we then took apart to reconfigure for our practical exercise.

Day 2

The following day, Reverse Engineering Malware Written in C++ with IDA and Semi-Automated Scripts, was 8 hours of unadulterated reverse engineering with Hiroshi Suzuki and Naoki Takayama from Internet Initiative Japan Inc. (IIJI). The duo taught us how to analyze a decompiled and disassembled program using a licensed copy of IDA classroom. The session went in-depth into things like classes, inheritance, objects, vftables and even strings in the binary. Techniques such as analyzing what a code segment would do, and then renaming the variables into human-readable functions to ease the analysis were shown. The session was followed by a mini CTF competition where we had to look for flags within the malware sample. I'm usually not a reverse engineer player in CTF, but this experience allowed me the insight to understand how it is done and how to understand binary code.

Day 3

On our third day, we got to study Operational Technology (OT) and ICS security. Sol Yang and Vic Huang led Deep-dive in OT security and attacks.

The third day kicked off with an insightful session titled "Deep-dive in OT security and attacks", led by security engineer Sol Yang and security researcher Vic Huang. We were introduced to the fundamentals of ICS, covering key components such as PLC, HMI, and SCADA systems.

The later session of the day was "Detection Engineering with Threat Intelligence" by the esteemed Tomohisa Ishikawa. He taught us the basics of threat detection and intelligence, focusing on performing digital forensics and analysis, including the attacker's TTPs. We were then introduced to tools such as SIGMA and YARA with labs to emulate how one might use them as Detection as Code to stay ahead of threat actors; leveraging such methods as actionable prevention and detection measures.

Day 4

From brushing over the titles of the camp, day 4 was one of the most anticipated days I had. We started the day with Cherie-Anne Lee leading Modern Kernel Exploitation, a session jam-packed with techniques for bypassing modern safeguards within kernels using creative methods. She showed techniques such as DirtyCred, Dirty Pipe, User space mapping attack, and Dirty Pagetable, explaining that most exploits were found from source code review (LOL).

The last session hit close to home. Simply because I love cars and also it focuses on infrastructure security. Introduction to Automotive Cybersecurity & Car Hacking by Kamel Ghali was an engaging session highlighting the inherent flaws within the automotive industry and the rest of the technology landscape outside of conventional computer security; how automotive manufacturers would still use a vulnerable technology to save cost. Kamel also introduced the CANbus and its usage within vehicles; allowing us to participate in the labs (that became a CTF) using tools such as ICSim, RAMN board, and even exploiting the Bluetooth on the Raspberry Pi used to host the CTF server!

The 4th day was also the last day we would have to muster whatever we had left for the groupwork that was assigned on day 1. With only a night left, we were scrambling for everything. Slides, deployment on the cloud, final touchups on our systems, you name it. We had a few runs to rehearse our presentation but it felt as though it was doomed. Our first run was over 13 minutes and we were missing 2 members. A lot had to be changed but with our fuel reserves running low, we were banking (haha a pun) on settling everything right before the presentation.

Day 5

Presentation

The final day on the roadmap started with intense tension. After all, this was the day every group had been preparing for; the groupwork presentation. And who was the first group to present? Ha. Haha. Hah.

My group was the first to go. At this point, it was do or die. So we took up our mantle and went to poundtown, priding ourselves as "Quantum Money", an inside joke we debated over in the days prior. Given the title Quantum Security and nothing else to work with besides using Qiskit, we really didn't have a sense of direction. I wish I kidded but for the first 2 days, we hadn't even decided on a topic.

Of course, we could do BB84 and QKD but that is the first result on Google search and wouldn't really be creative. There was a lot of debate within our group as to the implications of quantum technology in security. We managed to settle on a topic, utilizing quantum technology as a source of true entropy, or basically a quantum random number generator (QRNG).

The idea was that a classical computer cannot generate a truly random number because it is based on a mathematical algorithm that theoretically can be cracked, and one would be able to predict the numbers generated. A QRNG uses the properties of quantum mechanics based on the thought experiment of Schrödinger's cat, such that the result of a qubit collapsing is truly 50-50.

I don't want to dive into the details of how it works here because I want this to be a casual blog of my experience at the camp, but essentially we had created a truly random number generator with a tampering-detection system using quantum entanglement. The shape in which this QRNG took form was a slot machine and card game (simply because we can LOL let's go gambling!).

Much to our surprise, we had won the groupwork along with Group 3. I had thought the systems demonstrated by the other 7 groups to be unique and interesting, thus we weren't really expecting to get anywhere. So then, we won SANS' CORE NetWar Continuous course at GCC, which was a pleasant surprise.

Thank you to my groupmates who worked relentlessly on this groupwork together. Truly, every moment we suffered together was indispensable to our success, and it's a memory I will cherish. From left to right, Teodora from Romania, Kairos from Singapore, Sarin from India, Eric from South Korea, and Farhan on the far right from Indonesia. Thank you for being my groupmates!

These bright, witty, and humorous souls are the ones who made my journey at GCC enjoyable! We stuck through, looked out for each other, had meals, starved and suffered, and spent nights working until 2 am together.

City Tour and Dinner

With the last day of formal training/work over, we were taken to the city tour. I chose to see Taipei 101 for a myriad of reasons but if I'm being honest, I just want to see the giant ball LOL. Maybe I'm weird but I just think intricate marvels and engineering are fascinating. We took the bus from the Chang Gung Bus Terminal to 101 where we got up to the tower in the Ultra High Speed Elevator.

It was a bit of a shame that we couldn't see much from above because the fog and clouds got in the way of most of the view but it was still very cool nevertheless! I got to see the giant ball!

Irrelevant and skippable nerd yap session below:

The "Mass Damper" within the Taipei 101 acts as a counterweight per se. Taiwan experiences a lot of earthquakes which is terrible for the local buildings and it also implies that buildings cannot be made very tall. So the engineers devised a brilliant plan which was to use a counterweight to balance out the forces in the earthquake; acting as a pendulum of sorts to keep the whole skyscraper upright. Nerd yapping aside, giant ball in the building lol.

Appreciation

I want to thank the people who made GCC possible and allowed me the opportunity to experience it while having fun exploring all these new things.

So first and foremost, thank you SherpaSec for selecting me to represent Malaysia in GCC 2025.

This experience wouldn't be possible without the sponsor, Cyberwise Inc. which generously sponsored this trip.

I'd like to thank the founding members of GCC for making this whole experience possible.

To the local staff of Taiwan and the hosts of GCC 2025, thank you for accommodating and welcoming us warmly despite the cultural differences.

And to my fellow students, thank you for making my journey so fun and memorable. No one else but you could be this unhinged. The times when we suffered, cracked stupid jokes and sneered, stepped out of our comfort zones to try new things, sampled the local cuisine, and experienced everything else in between were life-changing experiences.

A shoutout to my roommate, Shane (pwn2ooown), the chillest guy I could have for a roommate who put up with my snoring with his own and also humoured my many questions about the local culture of Taiwan.

My groupmates from group 2. Farhan, Teo, Sarin, Eric, and Kai. You guys are the greatest!

To my Malaysian student colleagues, Fira, Shun, and Jeremy, who came along for the journey: I'm thankful these folks went alongside me and instilled confidence in me.

Last but most definitely not least, thank you to Shiau Huei, who served as our country staff, tour guide and translator, our senior and GCC alumnus, and our big sister who looked after us (FOR FREE).

Editor's Note

This is my first ever blog post and I wanted to take a different spin from what I would normally write in my LinkedIn posts or anywhere else. I definitely wanted to take a more light-hearted and close-to-heart approach, conveying my emotions more casually. I wanted to write my thoughts without the restraint of professionalism.

Alongside my student colleagues, Fira, Jeremy, and Shunsuke, we embarked on a journey made possible by SherpaSec, Malaysia's cybersecurity community, and Cyberwise Inc., the sponsor that allowed this incredible opportunity.

A highlight during the session was the hands-on practice using the testbed replicating a real-world chemical plant, which allowed us to understand the implication of the Purdue model and network communication within ICS environments, how PLCs interact remotely via Modbus, and how firewalls in OT infrastructure function. The session also touched on critical cybersecurity threats, referencing real-world ICS malware like Stuxnet and Triton.

After the very cool city tour we got , GCC 2025 was closed out with a dinner party. I'm not one for loud places but it was a nice place to end it. Go out with a bang.

Thank you to all the trainers who took time out of their day (or week) to teach us. I learnt a lot from each session and appreciate all of you.

GRFICSv2
GCC 2025 Taiwan
Group 2's presentation. I was presenting on the classic attack scenarios, threat modelling, and mitigations in our system.
Group 2, winner of GCC groupwork.