Top training trends from security teams on HTB’s Enterprise Platform

With more than 1,500 security leaders training with HTB, the Enterprise platform is a powerful professional development center for cybersecurity teams. Year over year, there’s been a tenfold increase in the completion of Machines on the HTB Enterprise platform (evidenced by our ranking as the number one Cybersecurity Professional Development platform on G2)!  

Striving to continue delivering more value to cybersecurity teams, we’ve doubled down on exclusive, threat-landscape-connected content available with HTB business plans whilst enhancing critical reporting, team management, and customization features. 

In this post, we’ll share data about the exclusive Machines on the HTB Enterprise Platform over the last year from (July 2022 up to July 2023). You’ll learn about: 

• Vulnerabilities and CVEs security teams focused on following last year’s analysis.

• The top MITRE tactics and techniques teams trained on.

• New additions to the Enterprise Platform for a more efficient upskilling process.

Exclusive content on Enterprise Platform

The amount of exclusive content available for teams has now increased to three Machines per month—with a new bonus Machine added to the monthly release cycle of two CVE boxes. This empowers teams to train on a variety of different exploits, trending logic bugs, or scenarios specific to certain technologies or business environments (e.g., exploiting flaws/misconfigurations in payment gateways for e-commerce platforms). 

To recap, content on the Enterprise Platform includes: 

• CVE-based Machines: All exclusive Machines are designed around emerging high-risk vulnerabilities and active threats in the current threat landscape.

• Bonus content: Machines, Challenges, or Sherlocks dedicated to business-specific capabilities, scenarios, and technologies that need specialized attention from a cybersecurity perspective. Depending on the current threat landscape, bonus content can have a  flexible style, focus, or subject matter that adapts to emerging threats. 

• Bonus content—Business logic Machines: Business Logic Machines focus mostly on business logic vulnerabilities. That is, vulnerabilities in form input logic that allow business exploits to happen (e.g. misconfiguration in Payment Gateways). The Discounted business logic Machine, for example, focuses on an e-shop exploitation that allows a purchase without money.

• Bonus content—AI Challenges: Challenges that focus mostly on AI vulnerabilities. AI Challenges are the new direction for Bonus content on the platform for business users.

• Exclusive Professional Labs: Premium training labs designed to provide an accurate adversary simulation against challenging, and sometimes fully patched, enterprise technologies. 

• Guided mode: A mode available on the platform that provides further direction to solve Machines in the form of a set of questions pointing to the right root flag path. This speeds up the upskilling process, supports a seamless onboarding experience for junior staff, and allows employees to optimize time spent learning. 

The most popular CVEs teams trained on

In general, the interest that cybersecurity teams have in CVEs breaks the perception that the most recent vulnerability will interest the experts. What we notice is a steady interest in specific vulnerabilities regardless of their disclosure time. The interest in popular CVEs is consistent; we’ve identified some exceptional cases, as you will read below.

• Analytical (CVE-2022-24637 and CVE-2022-2588). An Easy Linux Machine that features two CVEs. 

CVE-2022-24637: an unauthenticated remote code execution vulnerability (RCE), making use of information leakage in order to gain credentials.

CVE-2022-2588: a Linux kernel vulnerability that allows a user to gain root privileges.

• NineTail (CVE-2021-1675), is the second most popular CVE machine on PrintNightmare vulnerability. Ninetail is an easy difficulty Windows box that showcases simple yet realistic attack paths on an Active Directory Domain Controller, including the latest Windows Print Spooler vulnerabilities.

These two exclusive Μachines account for 1 out of every 6 completions of exclusive Machine content on the Enterprise Platform.

The next three most popular exclusive Machines are:

• ApacheCGI (CVE-2021-41773): a Very Easy difficulty Linux Machine that showcases a path traversal vulnerability in Apache HTTP Server 2.4.49 and 2.4.50, which allows unauthenticated attackers to read files outside of the virtual directory path bounds. 

• ADSelfService (CVE-2021-40539): a very easy Windows Machine that showcases an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus (version 6113 and prior) affecting the REST API URLs that results in a remote code execution. 

• DirtyPipe (CVE-2022-0847 and CVE-2022-25636), an Easy Machine on Linux kernel pipe buffer flags handling. 

It’s interesting to note that both NineTail and ApacheCGI appeared in this exact position (3rd and 4th) in last year’s report. It is also worth noting that ADSelfService is referring to an older vulnerability, announced in 2021. Despite the fact that we’re talking about an old vulnerability, there is evidence of active exploitation even today.

Some additional exclusive Machines worth mentioning are:

• Eris (CVE-2019-0708) and Log4Shell (CVE-2021-44228), which were the most played Machines on last year’s report. Those two still stand high in popularity this year, occupying positions 12 and 13.

• Enlightenment (CVE-2022-37706), a 0-day privilege escalation vulnerability through Enlightenment window manager published on September 19, 2022. The exclusive Machine showcasing the vulnerability was quickly made available in October 2022 on the Enterprise Platform and reached position 15 in terms of popularity.

Top MITRE tactics based on top exclusive Machines

A further analysis of MITRE ATT&CK tactics for the exclusive Machines on the Enterprise Platforms displays the following characteristics:

• The most common MITRE tactic is on Discovery(TA0007) with Network Service Discovery(T1046) being the most common technique.

• The next most common tactics are Privilege Escalation(TA0004) and  Initial Access(TA0001). 

• The final two MITRE tactics that have a significant impact on top CVE Machines are Credential Access(TA0006) and Execution(TA0002).

Is your team ready to deal with the latest vulnerabilities and exploits? 

Hack The Box provides a wide range of scenarios to keep your team’s skills sharp and up-to-date. 

Organizations like Toyota, NVISO, and RS2 are already using the platform to stay ahead of threats with hands-on skills and a platform for acquiring, retaining, and developing top cyber talent. 

Talk to our team to learn more.

Author bio: Mike Giannakopoulos (t3rraarc), Staff Product Manager, Hack The Box Mike Giannakopoulos has 13 years of experience around software development and user experience focusing on B2B Saas online services. He is responsible for HTB Enterprise platform roadmap creation, execution, and adoption by B2B customers and players. He has a Bachelor's and Master’s degree from the Department of Computer Engineering and Informatics at the University of Patras. Feel free to connect with him on LinkedIn.