Teaching security teams to “think outside the box”

We dive into the depths of what it means to “think outside the box” and how to encourage a way of thinking that supports security.

g0blin, Dec 20, 2023

Six years ago, my journey at HTB began with the dream to help the community develop the right skills and mindset for security through the power of a gamified, practical upskilling platform. 

No one can deny that the game in cybersecurity has changed since then with defensive, reactive, and recovery postures no longer being fit for purpose in the face of an ever-evolving threat landscape. 

Today, both defensive and offensive security teams need to take a more proactive approach to cybersecurity upskilling. 

From individual security professionals to corporate teams, this means adopting a “hacker mindset” and learning to think outside the box.

What is the hacker mindset?

Hackers are driven by curiosity and love to discover how things work. They’re relentless and won’t give up until a solution is found, eventually finding ways around whatever intended path or mechanism a service or network implements.

This mindset is critical for security teams and businesses as a whole. While no system or team is impenetrable, security leaders who encourage and reward this mindset promote a proactive security posture—one that develops your team’s ability to identify, detect, and protect against threats. 

But how is such a mindset adopted? This is where upskilling and support from leadership are key. By encouraging creative thinking regarding cybersecurity, teams are empowered to do their jobs better and to think “like hackers.”

Why HTB urges all employees to think outside the box

Thinking outside the box should be celebrated in any organization. It’s one of our core team values at Hack The Box, showing how we embrace the hacker mindset on each and every team. The outcome? 

Teams that go above and beyond not just to get the job done but to be the best at what they do.

From HR to security and IT, any team can adopt the hacker’s approach to solving problems! The thing they’ll have in common is: they don’t take “no” for an answer and keep trying even when told something’s impossible. 

Encouraging creative thinking within security teams


At Hack The Box, we proudly encourage out-of-the-box thinking by providing real-world environments that teach users to solve problems and go beyond a scripted approach of following a checklist of attacks. 

“Thinking outside the box is looking at a piece of software and thinking about how it was intended to be used, and what assumptions might have been made about how users would interact with it. If the software author didn't consider that someone might interact with it in a given way, that's where vulnerabilities come in.”

David Forsythe (0xdf), Training Lab Architect, Hack The Box

Building that muscle memory allows your business to respond to real-life threats quickly and efficiently, boosting your overall preparedness level, and this isn’t optional either. A business's reputation, financial security, and survival rest on its security posture. 

Customers need to be able to trust you with their data. Once this trust is compromised, it can be game over.  

It’s valuable for businesses to encourage hacking champions who aren’t a part of the infosec teams. For example, why not upskill developers in the basics of cybersecurity so that they can consider potential vulnerabilities when creating new features? 

This proactive mindset should be rolled out across the organization so everyone is vigilant about cybersecurity threats and best practices. The HTB Academy, for example, gives offensive and defensive security professionals the foundational knowledge to adopt the right mindset. 

By breaking down a hacker’s way of thinking, we can consistently encourage the attitude of curiosity, perseverance, and resilience. This is why our Fundamental Academy modules focus on critical thinking and ways of thinking outside the box before encouraging beginners to learn technical knowledge.

“I would say don't stop at getting the flags, go and explore the technology and learn what happened. Try to exploit things in a different way: if your privesc involves being able to write files as root and you normally just drop an SSH key, try changing it up and finding another way to escalate, like creating a cron.”

Ippsec, Training Lab Architect, Hack The Box

Businesses as a whole need to move away from traditional practices, especially in the field of cybersecurity. We’re no longer bound by traditional hiring, and we value practical skills and experience over degrees and qualifications.

This creative hiring is precisely how you find hackers with the best mindset, as they take the time to practice their knowledge and upskill in their own time. 

The talent shortage has forced us to think outside the box and focus more on a candidate's practical knowledge. But where do you find these unicorns? HTB’s talent search is a great place to start.

 

Practice over theory

It can be easy for a business to focus on “ticking boxes” with upskilling programs every six months. Especially as budgets tighten, upskilling may be pushed aside. However, for a company to truly defend itself against cybercriminals, a culture of always learning must be embraced.

Having the opportunity to exploit the latest CVEs and threats in real-life environments is invaluable. This enables your cybersecurity team to stay ahead of cybercriminals and challenge themselves with new, landscape-connected threats.

As an example, on October 3rd 2023, Qualys announced their discovery of CVE-2023-4911, otherwise known as Looney Tunables. The local privilege escalation vulnerability impacts the default installations of most major Linux distributions. 

Within a few days, the Hack The Box team released a Machine around this to help organizations remain threat-ready, and managers could assign this lab to team members with just a few clicks!

Recommended read: Carpediem (CVE-2022-0492) explained

Embrace 360 upskilling

A key element of a proactive security mindset is teamwork. Your cybersecurity team won’t be successful if everyone isn’t working together as one cohesive unit. 

This collaboration is much-needed between offensive and defensive teams. At HTB, we enable offensive teams to develop practical skills in defensive security, while allowing blue teams to think like attackers.

Our Sherlocks defensive labs enhance digital forensics and incident response (DFIR) capabilities by offering blue alternatives to red Machines. 

This enables a purple team approach to security. One that’s perfect for businesses looking to protect themselves from vulnerabilities while testing their defenses—and encouraging a proactive approach to security in feature development.  

We worked with Easi, a European IT services partner, to facilitate purple team training that catered to their wide range of services across general, defensive, and offensive. With HTB Professional Labs, they’ve been able to double the content shared in red and blue team meetings whilst training on 55 different MITRE ATT&CK skills.

You can find out more by reading Easi’s customer story.

Hackers are persistent—they dig deep until they find a way in. Businesses must be proactive about cybersecurity by adopting the hacker mindset with regular upskilling and challenging the status quo. Being complacent simply isn’t an option with threats on the rise.

Author bio: James Hooker (g0blin), Chief Technology Officer and co-founder, Hack The Box

James Hooker is Chief Technology Officer and co-founder at Hack The Box. Starting as a single platform member in its early stages, James now plays a pivotal role in the continuous growth and success of Hack The Box.

He provides direction, insight, and assistance for new and ongoing projects and oversees and maintains the company's technical assets, ensuring optimal functioning.

In addition to his role at Hack The Box, James has over 15 years of experience in roles spanning Engineering, Systems Administration, and Security.
