SecGen, Hacktivity, and Hackerbot: Randomised Hacking Challenges by Dr Z. Cliffe Schreuders

BSides Leeds, published 2023-07

Transcript [en]

Hi folks, hello. My name is Dr Cliffe Schreuders. I'm a reader in cyber security and director of the Cybercrime and Security Innovation Centre at Leeds Beckett University. I'm going to talk to you about innovations in cyber security education, and specifically I want to talk to you about some of the technical solutions to teaching cyber security that we've built, and that I've been involved in coding and creating. I'm also going to talk a little bit about content for teaching cyber security, and what we do to try and make cyber security education meaningful and engaging and hopefully a little bit fun. Obviously I could say a lot more about myself, but just to say that I am very much a free and open source software advocate, and free culture. I love programming; I spend a lot of time programming and creating things. I started hacking computers in the 1990s, when I was in high school I guess, and I would hack things and built all sorts of things back then. Recently I've just been reflecting, and every time we try and build a tool or educational experience for people, I try and go back to that initial question: what is it that really engaged me when I was first learning about cyber security? I've not thought about this movie for years and years and years, and I don't think I've ever mentioned it to students before actually, but I loved this movie, and I watched it recently. It's a bit na, there's loads of technical inaccuracies, but it just reminded me of that spark of joy that you get from the experience of hacking computers. Back in the day we didn't have any of the technologies that exist now, like virtualisation, where we can give you something to hack into that's safe and confined and legally clear and all that sort of stuff. I think it's just reflecting on that joyful experience that you get from that first time that you hack into a machine. It's not always fun, don't get me wrong; sometimes it's challenging and it's hard. But if what you're trying to do is solve a challenging, hard, interesting thing, hopefully the experience is that when you do eventually solve it, if you're not having fun you at least get a deep sense of satisfaction that you've managed to do that and managed to achieve it. I think that's what we can aim for, especially at the start of the education experience. Obviously we ramp up difficulty as we go, but especially when we think about how we introduce these concepts, it's easy to make it fun, because when you think about cyber security, it's inherently adversarial in nature.

You've got people that are defending, people that are attacking. You have black hats and white hats and red teams and blue teams; it's very adversarial in nature, which makes it easy to make it fun and interesting and engaging. I think also something that's not really talked about very much is the fact that there's this sense that it's a little bit mischievous as well, which really taps into something primal, I think, and if you can manage to achieve that then that is really useful. In addition to making it engaging, interesting and fun, really what we want to do is embed what's known as the security mindset. The security mindset, if you've not heard that term before, is basically that we want you to be able to think critically about a system as an attacker. So even if your job is to defend the system, even if you are on the blue team or whatever, if your job is defence and hardening, it helps so much to have that offensive mindset, so that when you are thinking about a system the first thing that you're thinking about is: well, how would I go about breaking the system if I was attacking it? That is just really useful. To some of us it comes naturally, but even if that's not your first inclination, how would I break something, you can still learn those skills by being exposed to that way of thinking, so being given lots of challenges where your job is to break into systems and see those flaws.

In terms of learning theories in pedagogy, there's a term called constructivism, which is essentially the idea that you build your knowledge based on what you already know in addition to what you then experience. So it's experiential learning, and in terms of cyber security what this means is learning through doing, and actually having an opportunity to put into practice the things that you're learning. Again, with cyber security it's easy to do that stuff; there's lots of ways you can get hands-on with things, but it's not how every university, for example, teaches cyber security. You can take a very theoretical approach or you can take a very hands-on approach, or a combination. What I do when I'm designing materials is we'll describe the theory, but then, whenever it's possible, get students to put that theory into practice, because you'll walk away having understood it fully and having done it, which I think is better than the alternative. So there's lots of things that we can do to actually give hands-on experiences where you can actually get your hands dirty and actually experience the thing.

Obviously in cyber security one of those ways is through capture the flag challenges. Capture the flag is an amazing experience. So again, if I'm talking about my history, when I was an undergrad student I had the opportunity to participate in kind of early capture the flag competitions, and it's a lot of fun. It really is good. So there's competitions, you can do it as a hobby, there's lots of really great... basically it gives you that experience of having machines to break into, but it gives you clearly defined goals and objectives; you know when you've succeeded. There's a lot of really good things about capture the flag challenges, so it works as a way of engaging learners. But building those challenges is really hard work. Having built loads of CTFs and CTF-like challenges over the years, I can say from experience it's a lot of work, it takes a lot of time, and typically what it would look like normally is that a CTF challenge gets created and it's very much a manual affair: maybe you'll basically install some software, configure it in a vulnerable way, or install vulnerable software, or maybe write some vulnerable code. But really, when you think about it, that can only really be used once before it can't really be experienced again; with that, taking away that problem-solving element, it becomes a memory exercise.

So one of the things that we've built is open source software called SecGen, and it generates randomised challenges. It can generate virtual machines that have meaningful security challenges and CTF scenarios, and importantly it has randomisation, which I'll talk about in a minute, and a huge library of content, which again I'll talk about in a moment. We have a front end called Hacktivity, which is our online platform, which essentially manages all that backend infrastructure and gives access to all of the virtual machines. It's a hosted platform; it's kind of like a website that you log into, and all those VMs are running in our infrastructure, in our data centres. I guess the important thing about the randomisation is that it makes it so that you can do something like give students a challenge and they might all be a little bit different from each other. We can decide how different they are: we might decide we want to be able to teach a class easily, so we're going to give them basically the same thing but give them all different flags; or we give them all something completely different, actually randomise the kinds of vulnerabilities that are there, or randomise the thematic content of the challenge, or randomise a combination of these things together, which can create something that's quite interesting. So it helps from the educational point of view, but also from the "I just want something to hack into" point of view, what it means is that we can generate these hacking challenges; if we want to make them very random, we can just give you challenge after challenge of something that's quite different. I'm not going to go into this in detail, but there's a few different ways that we do randomisation.

It's also modular in nature, so what that means is that we have these reusable code-based components. So rather than being a manual thing where we will go in and have to install Apache on a server, for example, it's just one line: we want Apache on this system. Basically we're building from these building blocks that we've already coded, and so it makes it easier, it makes it more efficient. It's harder to set up in the first place, I guess, than manually installing Apache, versus writing the code to install Apache, but in the long term it's a lot more efficient and it's a lot more powerful of a solution, so it makes it easier to build those challenges. We as a team, and me as an individual, really believe in open innovation, so SecGen is open source software; you can find it on GitHub and play around with it. If you run it on your own machine you'll be provisioning VMs that are on your system, and we use that at a much bigger scale where we're provisioning into our cloud virtualisation platforms and things.

So the technology stack for SecGen looks a bit like this. SecGen's coded in Ruby. It uses Vagrant to manage the way that we interact with VMs. We use Puppet for making system-level changes, for installing software for example. Puppet Librarian helps us manage dependencies. We have local code that's written in Ruby that will generate content and encode content, so for example those modules: one might be as simple as a Base64 encoder, and we might have another module that is a security vulnerability, an FTP remote execution vulnerability. We stack those things together and pop a flag on top, and a couple of lines of code tell it to build, and then we've got a VM that has a remotely exploitable vulnerability on it that has a flag that's basically encoded or whatever, but you'd find as a result. We also deploy to VirtualBox, or what we use is we deploy into our oVirt infrastructure or our Proxmox infrastructure. Over the last year or so we've been making a move to Proxmox. oVirt is a Red Hat-based platform. I've spent many, many hours coding all the Proxmox stuff, so essentially now we have multiple clusters, one running oVirt and a number of clusters with servers that are running Proxmox, which is future-proofing for us, and Proxmox has been a really great programming experience actually; the APIs are very nice to work with.

So we have a huge amount of content that's part of SecGen that maps across to CyBOK. CyBOK is the Cyber Security Body of Knowledge, and some of the sorts of things that we cover... I know some of our previous or current students are in the room, so you know this already, a couple of you, but yes, we've got things like ethical hacking, penetration testing, web and network security, system security, incident response, investigation, malware reverse engineering, software security, exploit development. So how do we choose what to cover? Well, we've done this mapping exercise across to CyBOK. We are one of only 10 universities in the UK that are currently NCSC accredited for an undergraduate cyber security degree. There's a very rigorous process of basically mapping everything that we do across to CyBOK and demonstrating all these different concepts that we map to, and as part of that we looked through every lecture, every lab, every assessment, and mapped it all to all these different concepts. After that, that was a useful experience: we renamed modules to make it clearer what's inside them, and we even added a new module to cover some stuff that, on reflection, we thought we should be covering in the degree. So it was a really useful process to go through. But also, I then won a bunch of research grants, or development grants, through CyBOK to basically bring that mapping through to SecGen, so now within SecGen every challenge, every scenario, every lab is all mapped across to CyBOK. So for example, here on the GitHub page we have a cross-index of different CyBOK knowledge areas, and you can see within that all the different scenarios within SecGen and how they map to these different concepts. Then if you actually look at one, for example, you can actually see specifically the knowledge areas, topics and keywords that are mapped to that, and actually if you want to you can even click through and look at the source code and see how we actually generate the virtual machines.

Other recent things that we've been doing is making use of ChatGPT. ChatGPT is, I think, amazing; it's an amazing piece of kit. Large language models are going to change the way we work. They've already made me more productive in the programming that I do. There is a separate discussion about how we update education accordingly. I think one of the ways is to do more of these kinds of technical challenges where you actually need to sit in front of a machine and complete the challenges. But what we're using ChatGPT for at the moment is to generate some narrative content to kind of breathe some life into these challenges. If you've done CTF challenges before, often you'll basically hack into a machine and that's the end, you get the flag, cool. What we're trying to do is have some narrative content, a bit of flavour, that we add to those machines. So for example we've got a scenario where you basically thwart this evil organisation's plans for world domination: you hack into the machine and you can find some financial records and the plans that they have for taking over the world. Just a bit of fun, but it just adds a bit of life to what we're already doing.

We also have hackerbot, which is basically an interactive chatbot. It's not based on a large language model, and if you ever have a conversation with it you will not be impressed by its conversational skills, but what it can do is attack your machines. Basically it's running in a separate copy of Kali Linux and it will actually fire off Metasploit exploits and actually attack the students' VMs, using real exploits and things. Then your task is to do things like defend against the attacks that hackerbot's carrying out, or, the example on the slide at the moment, setting up IDS rules based on something it's asked you to do. Then, whether you stop hackerbot from carrying out an attack, or you investigate and figure out what hackerbot did, or complete whatever task it's asking you to do, in this case create a Snort rule, when you succeed it'll give you a flag. It's basically a way of CTF-ifying the kind of defensive and investigative stuff.

So Hacktivity is our online lab infrastructure platform. We've had over a thousand of our students who have now used Hacktivity. Every year I spend many, many hours, and so do other people on the team, contributing to these projects to make things better. So we keep improving Hacktivity, and we've built up this lab platform. Some of the features: we're about to launch, very soon, daily hacking challenges, based on what I was saying before about having these very randomised challenges, where we can just encourage people to interact on a daily or weekly basis. In light of that we've also been bringing in streaks, so you can see how many weeks in a row you have completed, how many flags and completed challenges and things. Compared to other platforms, a really good desktop experience: SPICE is basically like a better version of VNC, and if you've used a lot of the other products that are in the same space they're often a web-based system, which can be very frustrating to use. It's also a nice desktop experience, as opposed to just using OpenVPN or something. So it does a lot of stuff: it provisions VMs, has multi-factor authentication, allows you to take snapshots of your VM so that you can roll back if you make a mistake and brick a VM or whatever. We've got leaderboards and scoreboards and all the rest of it. It gives you a safe lab environment for learning about cyber security.

So let's see how this internet connection is going. I'm not going to do... it's not a long one or anything, but just a little peek at what it looks like. The platform looks a bit like this: you can see this is the introduction to ethical hacking, and you can basically go in there, you can see some leaderboards, you can grab some VMs and start them off and start hacking. Just kind of wrapping up: recently we won a grant through Cyber ASAP to look at commercialisation. We won a place on Cyber ASAP, the academic startup accelerator programme, and through that we basically did a whole bunch of development, so we had funds to have more developers working on the platform, created more hacking challenges including open source content, and basically got it ready to have commercial customers. I'm not going to talk about it in detail, but I'm happy to say that we do have our first commercial clients kind of confirmed at this point, so we're taking it forward and entering the commercial market with it as well.

So in conclusion: basically, learning cyber security should be enjoyable and engaging, maybe fun to start with, and hopefully fun, if not deeply satisfying, if you do it right. Use CTF challenges; it's such a good way to do things. We publish extensive open source software, and we're going to continue to do that even as we start commercialising some stuff. Open source is really important to me, so the actual core framework and the challenges and stuff are going to stay open source, and we're going to continue to contribute to the community in that way. Hacktivity provides a hosted experience of all this stuff, and if you want to know more you can talk to me afterwards. That is the end of the talk. Thank you.
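As an added illustration of the modular, seeded randomisation the talk describes (the whole class gets the same vulnerability but different flags, or each student gets a randomly chosen module and flag encoding), here is a small Ruby sketch written for this page; it is not SecGen's code or scenario format, and the module names, encoder table, flag format and seeding scheme are all invented for the example.

```ruby
require 'base64'
require 'digest'

# Hypothetical building blocks, in the spirit of SecGen's reusable modules.
# Module names and their attributes are invented for this example.
VULN_MODULES = {
  'ftp_remote_exec'  => { service: 'ftpd',   port: 21 },
  'web_file_include' => { service: 'apache', port: 80 },
  'weak_ssh_creds'   => { service: 'sshd',   port: 22 }
}.freeze

# Flag "encoder" modules: how the flag is stored on the generated VM.
ENCODERS = {
  'plain'  => ->(s) { s },
  'base64' => ->(s) { Base64.strict_encode64(s) },
  'hex'    => ->(s) { s.unpack1('H*') }
}.freeze

# Derive a per-student RNG from a class-wide seed so every build is
# reproducible: the instructor can regenerate a student's flag for marking.
def student_rng(seed, student)
  Random.new(Digest::SHA256.hexdigest("#{seed}:#{student}").to_i(16))
end

def make_flag(rng)
  "flag{#{rng.bytes(8).unpack1('H*')}}"
end

# mode :same_vuln    -> whole class gets base_vuln, each student a different flag
# mode :fully_random -> vulnerability and encoder are also drawn per student
def build_scenario(seed:, student:, mode: :same_vuln, base_vuln: 'ftp_remote_exec')
  rng  = student_rng(seed, student)
  vuln = mode == :fully_random ? VULN_MODULES.keys.sample(random: rng) : base_vuln
  enc  = mode == :fully_random ? ENCODERS.keys.sample(random: rng) : 'plain'
  flag = make_flag(rng)
  { student: student, vuln: vuln, service: VULN_MODULES.fetch(vuln),
    encoder: enc, flag: flag, planted: ENCODERS.fetch(enc).call(flag) }
end

# Marking side: recover the flag the student should have found from its
# planted form, so a submission can be checked against the expected value.
def decode_planted(scenario)
  case scenario[:encoder]
  when 'plain'  then scenario[:planted]
  when 'base64' then Base64.strict_decode64(scenario[:planted])
  when 'hex'    then [scenario[:planted]].pack('H*')
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[alice bob].each do |s|
    sc = build_scenario(seed: 'class-2023', student: s)
    puts "#{s}: #{sc[:vuln]} on port #{sc[:service][:port]} -> #{sc[:flag]}"
  end
end
```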