We Have to Unlearn “Winning” Cybersecurity

Games are fun. Winning is tangible. Spinning educational material into a game-like challenge is a pretty innovative way of creating more engagement and excitement around the learning experience.

There is no shortage of games within the cybersecurity learning space these days. We have offensive security platforms like Hack The Box and TryHackMe, and now defensive challenges that gamify blue-team operations, such as Blue Team Labs Online (among others, I'm sure).

I think the gamification of cybersecurity learning is really powerful at broadening the student audience to people who may be intimidated or unexcited by learning such concepts and skills. It also fosters a sense of community, pride and achievement (in much smaller doses than gaining a cert or degree). This is all great, and I do think that the cybersecurity talent pool is improving as a result of this wider, invested audience.

In reality, though, the cyber industry is far from a game. It has very real consequences. This notion really hit my radar when I stumbled upon a provocative blog post from James Hay called Gamification has ruined basically everything.

Because what's missing from this race to the top of the ladder is the learning. Because the reality is it was never about that. You are a product to be bought and sold, your habits too.

...

The goal is becoming faster at playing the ‘game’ of cyber.
— James Hay, The Toy Box Blog

I think that he hits the nail on the head, and that these cyber education platforms need to make clear to their audience the gap between a game and real life.

True learning often embodies careful thought and strategy, and takes immense patience and failure to see even slight success. When I had to implement regex blacklisting policies in an email proxy for a SOC client, I didn't just go in, make a policy and get some points and a rank upgrade. Nor did I mess up their email proxy policies until I got it right and then get the points and rank upgrade. It was torturous.

Since the email proxy was in prod and the business relied on inbound email being delivered (obviously), this wasn't a game. I had to navigate internal and external politics, prove the regex policy was necessary to prevent widespread phishing campaigns that weren't being mitigated, present to the client stakeholders, implement the regex policy with exactness, and test outside of business hours. When it didn't work I couldn't just try, try, try. I had to roll back immediately, contact stakeholders, resubmit more change requests and go through this whole song-and-dance while facing internal and external scrutiny with each failed change outcome. It was grueling. But after multiple attempts, the syntax worked and the policy processed inbound mail correctly, so that the blacklists were effective in the way we needed.

And more than any sense of victory, there was honestly just a sense of relief.

But it was real life. With real consequences. With real meaning. And I learned far more from an experience like that than any flag, pwn or IOC I’ve uncovered in the context of a simulated game.
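The pre-change check that story calls for, as an added example that is not the author's actual policy or proxy configuration: score a candidate regex blocklist against a labelled sample of mail offline, so a pattern that would block legitimate traffic is caught before the change window rather than by a rollback. The sample messages, the organisation domain corp.example and the (field, regex) policy shape are all assumptions made for the example.

```python
"""Dry-run harness for an inbound-mail regex blocklist.

Added example, not the original post's policy or proxy. Assumptions: the
proxy evaluates each pattern against one header field, and a policy is a
list of (field, regex) pairs. All sample messages are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str       # From address as the proxy sees it
    subject: str
    legitimate: bool  # ground truth used only to score the policy


# Constructed sample traffic: known-good business mail plus the two phishing
# styles the policy is meant to stop (lookalike domains and free-mail senders).
# The organisation's real domain is assumed to be corp.example.
SAMPLES = [
    Message("invoices@vendor-portal.example", "Invoice 4471 is overdue", True),
    Message("hr@corp.example", "Payroll update: action required", True),
    Message("support@corp.example", "Wire transfer confirmation for PO 2231", True),
    Message("noreply@corp-example.xyz", "Payroll update: verify your account now", False),
    Message("ceo@corp.example.co", "Urgent wire transfer request", False),
    Message("ceo.corp@webmail.example", "Urgent wire transfer request", False),
]

# First attempt: keyword matching on the subject. Catches every sample phish,
# but also blocks the HR and finance mail the business depends on.
BROAD_POLICY = [
    ("subject", r"payroll"),
    ("subject", r"wire transfer"),
]

# Tightened: match only lookalikes of the real domain. The dots are escaped
# and the pattern is anchored to the end of the address, so "hr@corp.example"
# itself never matches; only "corp-example.<tld>" and "corp.example.<tld>" do.
LOOKALIKE_POLICY = [
    ("sender", r"^[^@]+@corp-example\.[a-z]{2,}$"),
    ("sender", r"^[^@]+@corp\.example\.[a-z]{2,}$"),
]


def evaluate(policy, messages):
    """Score a policy offline. Returns (false_positives, false_negatives):
    legitimate mail the policy would block, and phish it would deliver."""
    compiled = [(field, re.compile(rx, re.IGNORECASE)) for field, rx in policy]
    false_positives, false_negatives = [], []
    for msg in messages:
        blocked = any(rx.search(getattr(msg, field)) for field, rx in compiled)
        if blocked and msg.legitimate:
            false_positives.append(msg)
        elif not blocked and not msg.legitimate:
            false_negatives.append(msg)
    return false_positives, false_negatives


def deployment_verdict(policy, messages):
    """Change gate: any blocked known-good message means the change does not
    go in. Missed phish are reported for follow-up rather than blocking the
    change, since a false positive on a production proxy is the costlier error."""
    fps, fns = evaluate(policy, messages)
    return {
        "deploy": not fps,
        "false_positives": [m.sender for m in fps],
        "false_negatives": [m.sender for m in fns],
    }


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("lookalike", LOOKALIKE_POLICY)):
        print(name, deployment_verdict(policy, SAMPLES))
```

The broad policy fails the gate on two legitimate messages; the lookalike policy passes it but still lets the free-mail impersonation through, which is the kind of scope trade-off that has to be written down and justified to stakeholders before the change request goes in, not discovered on the proxy after hours.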

Also, I think with this new 'shininess' to playing and beating offensive security challenges, the talent pool will grow in volume and drop in age. This is a very exciting, but incredibly dangerous, outcome of the gamification of red team skills. I think that these platforms need to attribute more weight not only to teaching people whatever skills they want (i.e. h4ck1ng), but also to teaching them the consequences of breaking the law (i.e. u get v&) and encouraging them to pursue legal careers with their skillsets as they upskill.

Otherwise, they are just flooding the cyber landscape with threat actors, while making a nice penny along the way.

My prediction: these threat actors are about to get A LOT younger; and have skills that don’t match their life experience.
