🇹🇼GCC 2025
Experienced my first international cybercamp, in Taoyuan City, Taiwan.
On 9th - 15th February 2025, I has the opportunity to go to GCC (Global Cybersecurity Camp) alongside my friends Jeremy, Nelson & Shunsuke (Shun). We were taken care of by none other than Shiau Huei as one of the crews and huge backbone of the camp . Special thanks to Sherpasec & Cyberwise Inc. for making this possible to all of us ✨
What's GCC?
An annual week‑long international cybersecurity camp, hosted on a rotating basis, that brings together the top ~50 students from participating countries. The goal is to strengthen the global security community and cultivate future cybersecurity leaders by offering immersive, hands‑on sessions.
This year, selected students will gain hands-on experience in various cybersecurity domains, which includes reverse engineering, threat intelligence, OT security, kernel exploitation, and car hacking, guided by seasoned industry professionals and researchers.
Read more here: gcc.ac.
During the selection process, Sherpasec as the Malaysia community representative held 2 levels of selection process, in which during the preliminary screening, applicants has to fill in a form detailing their experience in cybersecurity and upon shortlisted, will receive an emailing informing them as one of the shortlisted candidates and undergo an interview process with the panels.
Day 0
Our first encounter with each other (except Shiau Huei, I met her a couple of times already haha) was on the day of our flight to Taiwan & we hit it off right away. We took the morning flight and had our breakfast in flight while enjoying the view. The flight was around ~5 hour so we all mostly slept the entire journey.
Upon landing, we were greeted by the chilly winter air (it didn't snow, sadly). We went to the hotel venue for the check-in process, where we got our nametags & gift from the host (the tumblr is my fav thing) then head off to a Uniqlo store nearby to check out some clothes before heading back to the hotel for the ice-breaking party.
We had a great time yapping with other participants & getting to know everyone in camp & where I met my roomie Klara, from South Korea 👋🏻 after the party ended we went back to the hotel to rest up for our training sessions the next day.
Day 1
Woke up early & had breakfast with my roomie & the rest of the members before we walk together to our training place, which is at the Chang Gung International Convention Center, a short 10 mins walk from the hotel.
The day started with speeches from the host organiser, AIS3, which is the largest scale cybersecurity training and education system in Taiwan, where they screen talents as early in high school. So awesome! Then, came in speeches from the other sponsors before we were briefed about our groupwork. My team, group 7, got assigned to do an SSO Tracker.
After that, we had our lunch at the hospital area, which has a food court that serves a variety of food. With the help of my friends, they help me translate the menu and I was able to eat a good lunch that is Muslim-friendly. During this break, we got some swags from Defcamp & members of team b10s, along with some snacks from our home country that we exchanged among each other.
After lunch, we head back to our classroom to start our classes for the day~
Introduction to Threat Modelling
Our first class of the day is Introduction to Threat Modelling, by Donavan Cheah, one of the class I really looked forward to. We were taught about how threat modelling works, its importance in an organization and learn how to classify threats in a system using STRIDE-LM & MITRE ATT&CK framework and comparing how these frameworks fit in an organisation, which was very insightful and so interesting. We also learn on how to map attack trees for common web app flaws using Threat Dragon.
We were randomly selected to present about our classifications to the class by group and discussed why we classify each threats as such. We were also introduction to AI-related attacks frameworks such as MITRE ATLAS & OWASP Top 10: LLM & Generative AI Security Risks. As I did receive trainings on using MITRE ATLAS during my fellowship program, it was nice to see it being touched again during class. We did get to touch a bit on LLM-related threats but not enough time to deep dive on it 🥹
Writing a Code Sanitizer
During this session by our trainer Mikihito Matsuura, we were introduced to code sanitizers & compiler tools that detect and mitigate bugs to help you write safer code. We learned how to use existing sanitizers and even explored how to build one ourselves by modifying a lightweight C compiler called chibicc, his own tool. His class also covered key concepts such as writing secure code with sanitizers, understanding the structure of a C compiler, and applying both static and dynamic analysis techniques to C programs.
As a not huge fan of C language, it was quite tough for me to follow at the beginning but gradually gets easier and understandable as the class progresses.
I found it especially interesting how the session touched on binary exploitation concepts, like detecting Use-After-Free and Double-Free vulnerabilities through instrumentation. It gave me a fresh perspective on how secure coding and vulnerability detection can intersect at the compiler level.
After the class ended, we went back to the hotel, had dinner at this one vegetarian shop near to our hotel and started planning our groupwork.
Day 2
Had our breakfast at the hotel & headed over to our class for the day!
Reverse Engineering Malware Written in C++ with IDA and Semi-Automated Scripts
In this intensive hands-on lab, we explored reverse engineering techniques for analyzing C++ malware, guided by Hiroshi Suzuki and Naoki Takayama from Internet Initiative Japan Inc. (IIJ).
The session focused on understanding how object-oriented features such as classes, inheritance, vtables, and string handling are represented within compiled binaries. Since many modern malware strains like RATs and banking trojans are written in C++, this knowledge is essential for thorough analysis.
Throughout the course, we used IDA Pro (Classroom Edition) as our main tool due to its robust decompiler, processing speed, and support for scripting and plug-ins. While alternatives like Ghidra are useful for certain tasks, IDA remains the industry standard for detailed reverse engineering work.
We were taught practical techniques for identifying object structures, renaming functions for readability, and interpreting complex behaviors in decompiled C++ programs. The session concluded with a CTF-style challenge where we applied these techniques to extract hidden flags from real-world malware samples. This lab gave me valuable insight into binary analysis workflows and helped me appreciate the precision and logic required in this discipline.
This class was particularly one of the most challenging classes for me as reverse engineering is not my forte, but the trainers were really helpful by giving access to the material before classes and a very detailed slide contents that is very easy to follow, which I really appreciate.
After a grueling 8-hour lab with lunch break in between, we head back to the hotel and had Fried Chicken Master (a halal fried chicken joint in Taiwan, it's good!) together while we continue mingling and share fun stories about each other before heading to each others' group to continue our groupwork.
Day 3
The usual hotel breakfast (because good food is FREEEE food) & heading the training place for our classes of the day~
Deep-dive in OT security and attacks
In this class, we focused the exploration into Operational Technology (OT) and Industrial Control Systems (ICS) security. Led by Sol Yang and Vic Huang, the session unpacked core components of ICS environments, such as PLCs, HMIs, and SCADA systems while also addressing the unique risks that come with securing critical infrastructure.
We were first introduced to the MITRE ICS Matrix, which fascinates me as this was my first exposure for ICS-relates framework.
Next, we have hands-on lab using the GRFICSv2 testbed, which simulated a real-world chemical plant. Through this setup, we learned how the Purdue model applies to layered ICS architecture, observed live Modbus communication between PLCs, and analyzed how network segmentation and firewalls are implemented in OT networks. Real-world case studies like Stuxnet and Triton were used to contextualize the threats that demonstrates how OT environments can be both fragile and high-value targets.
This class was particularly interesting for me as this was my first hands-on experience in the world of OT security, hence it was very thrilling to see how the attacks actually works and its significant impact towards the infrastructure rather than only knowing about them theoretically.
Detection Engineering with Threat Intelligence: Techniques of consuming and creating threat intelligence for Detection Engineering
Another class that I look forward to as it is related to Threat Intelligence, a topic I have started to become interested in the past few months.
This class was led by Tomohisa Ishikawa. As someone with a blue team background now venturing deeper into red team tactics and AI-assisted analysis, this session gave me a clearer picture of how structured intelligence can strengthen both detection and prevention efforts. We looked at how threat intel isn’t just about collecting indicators of compromise (IOCs), but understanding the why and how behind attacks through analyzing adversary behavior, known as TTPs (Tactics, Techniques, and Procedures).
What stood out most was learning how to convert technical insights from malware analysis or forensic investigations into Detection-as-Code, using tools like SIGMA and YARA. We didn’t just learn the theory, we built detection rules ourselves and saw how they fit into a real-world SOC pipeline. For me, it connected everything I’d been studying: threat modeling, log parsing (like my FYP project), and now, turning that data into actionable rules.
After class ended, we had dinner & industrial session, where sponsors introduced to everyone about their communities and also where the iconic "FOR FREEEEEE" slogan by none other our Sherpasec founder, Shiau Huei came to born 🔥
Day 4
Our last training sessions for the entire camp 🥹
Modern Kernel Exploitation
This session by Cherie Anne Lee is by far, one of the toughest for me as I have close to none experience in kernel exploitation (and the fact I confidently called her Anne-Marie, as in the singer before class did not help my case 😂😭)
Her session covered a deep dive into modern Linux kernel exploitation. Through her own past CTF challenge designs, she gave us a fast-paced overview of real-world vulnerabilities, explaining both the technical details and the mindset behind exploiting them and how many of the the bugs were discovered simply through source code review.
We covered some advanced techniques like Dirty Pipe and Dirty Pagetable, each showing how modern kernel safeguards can still be bypassed with the right combination of creativity and technical skill.
I had the opportunity to ask her for tips on starting to explore kernel exploits and it has been a slow process on my end but hey, it's better to start than never! Her journey discovering cybersecurity, out of sheer boredom, while still studying chemistry is honestly so inspiring for me. There really is no limit when you're willing to put in the work.
Introduction to Automotive Cybersecurity & Car Hacking
The last but not least class of the entire camp, and one I am very excited to. Led by Kamel Ghali, we were introduced to the inner workings of vehicle communication systems, particularly the CAN bus, and how attackers can interact with different vehicle components through it. What made the session even more engaging was the hands-on portion, where we used tools like ICSim, RAMN boards, and Raspberry Pi to simulate real-world scenarios. In our group, we took turns trying it out.
The exercise turned into a mini CTF, where we explored attack surfaces like in-vehicle Bluetooth, which is a practical and fun way to apply what we’d learned. I managed to solve a couple of questions, which was very exhilarating.
During the entire camp, I got to have some one-on-one sessions with Kamel, who was very kind and gave me a lot of insights which I really appreciate and even shared some tips on how to get started into Bluetooth hacking.
Once the final class ended, we did the final sprint for our groupwork to get ready for tomorrow's presentation~
Day 5
The most gut-wrenching session, the presentation day arrived.
Group Presentation
We demonstrated on how we did our groupwork, and also a demo on how CVE-2024-45409 worked. Although there were some hiccups during our presentation, we were happy we managed to deliver it.
City Tour and Closing Party
After the presentation & prize giving ceremony ended, we head other to enjoy the city tour! I chose to visit National Palace Museum as I've been to Taipei 101 twice. As a huge history nerd, I had fun touring the museum. It was a huge one, with lots of artifacts. Some of the parts of the tour are quite immersive and I really enjoyed myself. I walked around with Anna who happily listened to me yap.
Once the city tour ended, we headed over to Le Ble d'Or at Taipei Miramar Entertainment Park. We had a blast at the closing party where we ate and karaoke amongst each other, it was so fun! As Muslims inside the camp, we had our small party & got served Muslim-friendly food.
All good things come to an end, some of us had the brilliant idea to have everyone sign their names on our name tag so we headed out to buy marker and collected everyone's names like superstars ⭐
After party, we hang out in small groups back in hotel until late night~
Day 6
We went sight seeing in Taipei City, visiting some museums and strolling around taking pics, killing time before our flight at night.
It was a fun albeit quite chaotic (keeping this one for the memories) but I enjoyed the last day so much!
Personal Reflection
GCC has always been one of my dream camps to join.
I learned about it back in 2023, where I just started my journey in the community and cybersecurity. I gained the courage to apply in 2024, but I was rejected. Was I devastated? Absolutely. I still remembered how I cried when I learned I didn't make it. But I didn't let that setback defined me, so I focused my energy to improve my skillsets and also my presentation skills throughout the year. I believe there is something good behind this setback.
When I saw the announcement about GCC 2025, I was hesitant. Part of me was doubtful, what if I applied again and failed? That would be so humiliating. But another, larger part of me persuaded myself to at least give it a shot, regardless if I failed or not. At least I tried, didn't I?
I was glad I listened to that voice telling me to try again, which leads me here.
As the only Muslimah in the entire camp and the first ever participant from my university, I carried more than just my name with me. I carried the hopes of those who’ve never seen someone like them in this space before.
There was a quiet pride in being there, but also a deeper sense of purpose. Representing not just myself, but my university and my faith on an international stage reminded me that visibility matters. That being present matters. And maybe, just maybe, it opens the door a little wider for those who come next.
Will this be the end of the road for me? Of course not! GCC has opened a much larger door for me to explore and not only that, the friends I made along the way, gives me the encouragement I needed to keep moving forward. To take that leap of faith, regardless of the results. To keep going, even when the road ahead seems uncertain and to always trust my gut feeling.
I am forever grateful to be given this opportunity. Until we meet again, my friends ⭐
Picture Dumps 📸
Last updated