I have developed a bit of an obsession with Hack the Box as of late. Over the past few weeks, I’ve completed seven boxes, climbing from a lowly noob to become a “hacker”. While I contemplate taking a shot at the next level (requiring roughly five times the points I’ve accumulated so far) I’ve had some time to think about the value of doing CTFs and what makes HTB so engaging and enjoyable. I think I have it: feedback.
Part of it is that I see immense value in understanding what is happening in the offensive world, even though I’m a blue teamer (defender). I don’t subscribe to the idea that you have to be on the offensive side to be a “true” security professional, but knowing the kind of tools and tactics being used by penetration testers and bug bounty hunters is incredibly valuable. You can get some of this through news, blogs, Twitter, etc. but there is another level of appreciation you get from trying to hack a machine yourself.
Part of it is the gamification in HTB. The community is vibrant and global and HTB does a nice job of giving you achievable ranks, a variety of boxes at different difficulty levels, and various stats and leader boards where you can see your progress and receive recognition. While your HTB rank is persistent, your points towards the next level are not. Boxes are regularly retired once they’ve been hacked enough times, and when one is retired you lose any points you gained from that box. This applies a little bit of pressure on you to keep progressing and it makes achieving a rank more meaningful because it can only be attained by completing a set of fairly recent boxes within a reasonable amount of time.
But the biggest draw for me is feedback.
You receive such meagre feedback as a defender. When you do a good job… nothing happens. When you miss something and an intruder sneaks past your defenses without alerting you: silence. A big part of what makes being a defender so hard is the challenge of measuring results and connecting them to your actions, letting you know what you are doing right and wrong, and giving you opportunities to learn and improve.
In HTB (and in red teaming or penetration testing broadly) you craft an exploit, you run it, and you know right away if you were successful. If you get your reverse shell, you did something right and you know what you did to get that result. If not, you’ve learned one more thing that didn’t work and you try something different.
I’m not sure how to address this challenge but being aware of it is the first step. Having regular penetration tests and reviews of your security practices, carried out by expert external firms and with results incorporated into a consistent framework (NIST, ISO, etc. – take your pick), can be one way to get qualitative feedback over time. Running simulations, such as table-top incident response activities, is another effective way to proactively find gaps in your security program and generate some feedback (before an attacker does it for you).
It’s a challenging to be a defender these days, especially if you are in a small organization. While we try to find ways to generate and incorporate feedback into our work, I encourage you to give HTB or a similar capture-the-flag platform a try. I bet you’ll find it enjoyable and that it will give you some new insights you can use in your defending.