ltnbob, Jan 16, 2024
As a passionate IT or cybersecurity educator, you are likely familiar with the challenge of making class fun, engaging, and effective.
Education should be enjoyed, not just endured!
I have found that traditional approaches to teaching cybersecurity topics are not effective at engaging learners. (Personally, I don't think traditional methods of education adequately prepare students for the industry.)
When I teach courses each semester, I aim to make classes, meeting sessions, and assignments a learning experience students truly enjoy and look forward to participating in.
In this post, I will share how I integrate Hack The Box (HTB) content in my classes to:
Ensure that students are engaging with complex subject matter.
Make class more enjoyable (so they want to come to class).
Improve student performance and comprehension.
Note💡: This post is based on my experiences as an educator and aims to inspire engaging practices that work best for you and your students. However, teaching is not an exact science. So your teaching strategies should be tailored to individuals in your class and your curriculum.
As a teacher, I recommend you also aim to be the leading student.
I've found that this approach fosters a deep level of respect. Your students will respect and trust you more if they can tell you know what you are doing and are familiar with modern platforms and the content you’re exposing them to.
Starting with Hack The Box, you should have experience playing and learning on HTB before integrating it into your class.
Start experimenting with the following services and select topics that map to student learning objectives and your curriculum:
The HTB Academy acts as a powerful learning resource to reinforce what your curriculum teaches. It also allows you to specialize content around specific skills and themes.
The platform takes a beginner-friendly “building-block” approach to learning. Guided cybersecurity courses (called Modules) are divided into short sections, hands-on challenges, and regular checkpoints.
The Academy’s balance of guided and hands-on learning enhances comprehension with active recall, which, according to modern scientific literature, is one of the most effective ways to learn or teach anything.
Easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to your curriculum.
HTB Dedicated Labs provide a completely isolated and hands-on environment. Students can access an ever-expanding pool of virtual labs and practice on the most common and recent system vulnerabilities and misconfigurations.
There are more than 650 virtual Machines and Challenges designed to provide training on specific attack paths, Digital Forensics and Incident Response (DFIR) content, programming languages, and other subjects that are critical parts of any university syllabus.
Macquarie University (recognized for having the highest graduate employment rates in Australia), for example, uses HTB Dedicated Labs to practice techniques covered in its curriculum.
The CTF Marketplace allows universities to deploy CTF events with only a few clicks. You can easily configure multiple private and public CTF events in exciting ways to:
Test students with practical assessments.
Encourage healthy competition between students.
Host fun events for potential students interested in attending your classes.
To test students at the end of each semester, Macquarie University offers a customized CTF event tailored to its curriculum, giving professors the ability to assess skills in a practical, fun, and competitive way.
"It’s proven to be an extremely effective way of keeping students engaged, with gamified approaches to practical study and friendly competition - all of which contribute to their employability on graduation."
Alireza Jolfaei, Assistant Professor of Cybersecurity, Macquarie University
When I introduce Hack The Box to learners (especially beginners) for the first time, I almost always start with Starting Point.
After beginners use the Academy's guided learning to upskill, Starting Point is a bridge that welcomes students to labs. It introduces easily exploitable virtual Machines to help students familiarize themselves with HTB.
This helps students in two key ways:
It walks them through how Hack The Box works.
It paves a basic foundation for building hands-on skills.
I start by guiding them through setting up accounts, getting familiar with the interface, and appreciating the gamified UI.
I then walk them through ways to connect to Hack The Box, followed by an explanation of how machines and labs are running on HTB’s infrastructure and the different networks students can connect to. (This alone is a great way to teach students how VPNs work!)
At one point in time, I was scared of Hack The Box, as silly as that may seem (feel free to laugh). Forcing myself to actually try it is how I overcame that internal roadblock. I share this with my students and encourage them in the process by using HTB Starting Point.
When introducing students to Starting Point, I usually start with a machine called Meow. It is a “Very Easy” difficulty machine and allows learners to overcome the initial intimidation of learning in such a hands-on way.
Note💡: Don't forget to encourage your students as you teach them; you likely know teaching and learning go much deeper than the content. It often involves helping learners overcome internal roadblocks so they can believe in their own ability to learn and succeed.
One way to approach Meow as a group is by starting with the guiding questions. Ask the questions to your students before immediately answering them. See how they respond and where their mindset is. Meet them where they are.
As this is done, you can also show them around Pwnbox and help them become familiar with basic Linux commands. I find that many learners who are first starting out do not understand Linux, and many are intimidated by the operating system (OS).
You can also use Meow to teach the following concepts in a fun, guided way:
IP addressing basics.
Linux CLI Fundamentals.
Misconfiguration vulnerabilities vs. CVEs (what is a CVE?).
Enumeration using tools like Nmap.
Interpreting Nmap output.
Understanding how ports and services work.
After completing Meow, you could go in many different directions. You could progress students to other Starting Point boxes or assign relevant HTB Academy modules to fill any knowledge gaps.
I recommend using Hack The Box Dedicated Labs and Hack The Box Academy. They complement one another well.
You can assign Hack The Box Academy as homework and reading for your class to supplement your lectures, custom labs, and walkthroughs.
Hack The Box Academy provides more guidance than any other service Hack The Box offers. Multiple job roles and skill paths contain modules covering specific topics. I like to think of modules as books that you can dive into and complete labs in.
Modules have challenge questions, boxes, and entire labs connected to them to help learners develop skills and a comprehensive understanding.
One of the best ways to have students start with Hack The Box Academy is with the Information Security Foundations Path.
The Academy Team at HTB maps the content to industry-recognized frameworks including:
Hack The Box also has certifications, which validate students as qualified candidates in the sight of employers in the highly competitive talent marketplace.
I'm experimenting with making HTB CPTS and HTB CDSA the final exams for many of my courses because there is a growing demand in the industry for talent that has offensive and defensive skills (purple team perspective).
One course is Network Vulnerabilities I (HTB CPTS as the final) and Network Vulnerabilities II (HTB CDSA as the final); both are 16-week courses with students meeting each other twice a week.
The classes would use modules as the "book," but I would lead lectures and have students working with equipment in a hands-on, physical lab environment. There would be a mixture of retired boxes and Sherlocks I would have students complete.
Students then submit written or video walkthroughs as assignments to be graded. This develops a vital skill for real-world cybersecurity: writing actionable reports.
I'll challenge students to explain their understanding of a topic and give them opportunities to come in front of the group and teach with presentations.
Hack The Box's Professional Labs are transformative learning experiences, but they are difficult for beginners. Each scenario models a multi-host enterprise environment.
In my opinion, they are the most realistic learning experiences on Hack The Box; they simulate the interconnected environment of IT environments in the real world.
Professional Labs may be better suited for more advanced students who are further along in their studies. For example, as capstone projects in the final semester before graduation.
Cultivating a strong supportive community within your student body (in-person and online) is important. Outside of curriculums in courses, you can do this by challenging your students to engage in HTB Capture The Flag events like University CTF 2023.
I like to continuously give my students challenges to strive towards that will keep them engaged in learning even outside of their scheduled courses. So I strongly encourage practice sessions outside of class time.
Sometimes, I inspire this by completing HTB challenges during community hours in the lab I teach in. Students will hang around in the lab and ask questions. Some will join in and practice their skills.
The students who hang around outside of class to learn more can be awesome members of a competition team or club. When I notice these students, I encourage them to team up and even compete in events.
CTFs can be intimidating for those who are new to them. I've heard beginner students make a few statements:
"I don't really think I have the skills to compete in a CTF."
"Aren't CTFs for working professionals?"
"I don't really know how to hack."
When I hear statements like the ones above, I encourage students to participate even if they don't win. The learning experience from the event is what’s important—students can always try to rank in the next one. Of course, they should always aim to win but realize they can't win if they do not try. Failure is going to happen.
The accelerated rate of change in cybersecurity can outpace traditional educational curricula. This presents a significant challenge to university professors and academic institutions:
How do they keep up when they’re responsible for fine-tuning learning content, coaching students, and maintaining realistic cybersecurity infrastructure for learning?
While the demands placed on teachers grow, so do expectations from students, who are shifting their approach to acquiring knowledge.
Today's learners place a higher emphasis on learning that feels fun and interactive—but also prepares them for the skills required to navigate and secure the cyberspace of tomorrow (consider the explosive growth of gamification in learning over the recent years).
In this environment, platforms like Hack The Box (HTB) help connect curricula to the live threat landscape with guided, practical, and hands-on resources for teachers and learners.
Giving students access to HTB often becomes a marketable advantage for institutions. At the same time, teachers can shape a dynamic educational ecosystem that supplements academic education.
Author bio: Robert Theisen (LTNB0B), IT Program Director/Cybersecurity Professor
Robert loves learning, but he loves to empower others even more. He never takes off his IT/infosec professional hat and never will so long as he is preparing others to succeed by mastering the various tactics, techniques, procedures, and tools at their disposal. He has been in the industry for over 10 years, accumulated over 10 certifications, and assisted thousands of people around the world with entering and leading successful careers in the industry. None of his accomplishments would be possible without great mentors, friends, family, the Internet, and God. You can connect with him on LinkedIn.