401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.


Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

Episode 43

Gamification of Ethical Hacking and Esports with Ian Austin

EPISODE SUMMARY

Ian Austin of Hack The Box joins Joseph Carson and Cybrary to talk about the latest in ethical hacking gamification and its future in esports. We cover how to get started in ehacking, ways to learn faster, and how to take engaged employees to the next level. Will we see ehacking in future Olympic games? Plus, what you can do now to improve your security posture.

Joseph Carson

  • Chief Security Scientist & Advisory CISO at ThycoticCentrify
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Host of the award-winning podcast, "401 Access Denied"
  • Speaker at conferences globally

Joseph Carson:
Hello everyone. Welcome back to another episode of 401 Access Denied, the podcast that really brings the latest trends and information around cybersecurity. I'm your host for the episode, Joseph Carson, chief security scientist, and advisory CISO at Thycotic, and it's a pleasure to be here with you today. I'm really excited about today's episode because it's something that I really enjoyed doing in the past couple of years. And I've got a very special guest, who we'll let him introduce himself. So Ian, give us an update of who you are and what you do.

Ian Austin:
Yeah. Thanks, Joseph. So really excited to be here today. So I work in R&D in Hack the Box currently. I've variously been a sysadmin, an internal pen tester, and a security engineer in previous lives. So what I really love doing is building breaking, but also what I liked was actually having the power to fix a lot of the issues. So that was quite nice. I love creating content, sharing knowledge with the community and also learning from other people in the community. If I create a machine and it has a specific vector, a specific path, nine times out of 10, someone in the community will probably say, "Hey, by the way, there's another way to do this. Did you know you could do this?" So it's just a great way to learn from each other. I also love doing research and yeah, I just working together with a super talented team here in Hack the Box.

Joseph Carson:
Fantastic. That's great. I think we've got very similar backgrounds. Also, I love taking things apart and creating and trying to figure out how they work and then learning from others that there's other ways of doing things either more efficiently, effectively. So I think that's a great way. For me and you, we create a lot of content and we're helping educate community, and I think that's one of the big challenges we've got in our industry is really talent is trying to accelerate the path of learning. I spent years in university and self learning and reading a lot of books, but I think we really need to accelerate that. I'd like to get your thoughts on the challenge we have on really getting new talent into the industry and accelerating the path from those entry levels up to really experienced professionals.

Ian Austin:
Yeah. No, you're absolutely right. We have this huge demand, especially where we're at the intersection of two really powerful forces, really. So you've got the cloud and then you've got cybersecurity, and at the intersection, there's just a huge demand that's really we just don't have enough people. And in cybersecurity, generally, we still have quite an acute skills gap, as you said, with millions of unfilled positions. So I guess from my experience, from my perspective, a university education is awesome, it's great. But actually, one of the things that I love about the industry is that you can get started with platforms such as Cybrary, of course, and Hack the Box, and use those to level up and to actually advance your career without having to have a degree or anything like that.

Ian Austin:
So here in Hack the Box, we're a platform for people. If you've got the curiosity and you've got the drive and you've got the desire, you can use Hack the Box to get yourself ready for the industry, in my opinion. So we work with companies to identify some of the best talent, regardless of their level of education. Maybe they didn't go to university or whatever, and that's fine. What matters is actually having the skills, which can be used in the real world.

Ian Austin:
So from my perspective, what we need to continue to do really is to promote the cybersecurity industry as being a great place to have a long and rewarding and satisfying career, something that you can learn and grow as time goes on. It's also something that, in my opinion, it really allows for social mobility. So there are millions of people out there who maybe don't have access to university and stuff like that, and you could use free platforms such as Hack the Box and Cybrary to really get going. So what we need to do is to get a lot of these people for who cybersecurity could be a really exciting and rewarding industry for them.

Joseph Carson:
I completely agree. And for me, even those who've been in industry for a long time, I find that I always had to keep re-skilling and you can't just go back and study for another three or four years, you have to find other means of staying fresh with the knowledge. So, absolutely for me, using platforms like Cybrary and Hack the Box as well, it's a way for me to keep my skill up to date. Really, the big thing I really enjoy about it is the gamification side of things. It makes it much more rewarding and makes it more challenging and it makes you think outside the box. How do you think gamification's really changing the industry and how do you think it's also really benefiting the professionals out there and those also getting into the industry?

Ian Austin:
Okay. Interesting questions. I just want to say that thinking outside of the box is the Hack the Box motto. So we, as a company, since we started in 2017 have really been trying to lead on the gamification side. Really, when something is gamified, it makes it fun and challenges you to do better and to retain the skills. It's more engaging for people. It's not just a series of check boxes, it's hands on. And there's actually a lot of research from academia that said actually gamification helps people to learn more and faster. So you can take your employees, maybe they're good now, but you can really make them really good with gamification. They can become super engaged. So yeah, I think gamification has a massive role to play in the cybersecurity industry.

Joseph Carson:
Absolutely. A question around, for me, what it allows me to do as also focused on specific skills areas. So my background is all in identities and privilege elevation and escalation. My area that wasn't so, I've been a developer years ago, and I was doing things like Perl and Visual Basic and even COBOL, one of my first languages I started off with.

Ian Austin:
Nice.

Joseph Carson:
But today, it's a whole different programming scene. For me, it's Python, it's C, there's Ruby, there's so many different languages. And for me, I'm like, "Oh, it's a little bit out of my comfort zone." So I've used these types of platforms to look at certain areas that may not be my best place, but it's allowed me to learn very quickly. So you do think these platforms are also helping improve specific skills in those areas and really helping change the learning in itself.

Ian Austin:
Yeah, absolutely. You can have specific skills such as source code review, having to develop an exploit, which maybe there is a public exploit available and you can download it or use Metasploit, but you're going to have way more fun if you try to use Python or something to put together your own thing. So, absolutely, playing Hack the Box or learning with Cybrary, we will really allow you to level up your game in a lot of different gaming languages.

Ian Austin:
What I would mention as well is just the whole learning by trial and error. I think there's yet again, been a lot of research that said almost the more difficult, the experience in learning, the better you end up learning something. And of course, that may not be the case for someone who's a complete beginner who needs to have a bit of hand holding and needs to do the starting point first or something. But generally speaking, I think it can help you improve a whole bunch of individual skills.

Joseph Carson:
Absolutely. For me, I really like the aspect of different tracks. If you want to do something around website of things, you can focus on that path. If you want to focus around, let's say the Python coding side or there's privilege escalation. You can go down those different tracks and specialize in those areas. So for me, I'm doing don't Capture the Flag for a long time. Is there different types of Capture the Flag formats, and what different types of Capture the Flags would be available?

Ian Austin:
Yeah. Absolutely, there's Jeopardy, which a lot of people use. And so you have your categories such as PWN, crypto, reversing, forensics, and in Hack the Box, we have a whole range of categories. We actually recently revamped the mobile challenges section, so we've got some really interesting content now for mobile. We've got hardware, which is a pretty modern category really. It's not one of the traditional ones, but it's one that we're seeing a lot of growth in. So that's fantastic. In terms of just getting hands on, starting to play some CTFs, then Jeopardy is really a great format. We also have the battlegrounds here in Hack the Box, and that allows you to use your attack defense. You can attack another team's machines and try to defend your own at the same time. And this really gamified almost a warlike experience, allows you to really have fun with your friends. So yeah, it's another great format.

Joseph Carson:
I really like those. Yeah. Just can you clarify a little bit more details in, what's the difference between doing, for example, the machines themselves or specific challenges? Is there a big difference in each of those?

Ian Austin:
Yeah. So interesting question. There is a difference you're right. Let's say if me and you, we decided to do a CTF and we want to try out some web challenges. Okay. Well, we know straight away that it's going to be restricted to web, and maybe the title, the description is pointing to a specific technology or the content, the design patterns in the challenge help to guide us down a specific path and say, "Hey, this challenge is going to be based on PHP," or, "It's going to be based on some sort of de-serialization or maybe some sort of CVE that doesn't have a public exploit or something like that."

Ian Austin:
So with challenges, they're more specific on a specific skill set with machines, really the good thing about that is it more so replicates a traditional pen test, where you go through different phases, you have your enumeration, situational awareness, if you're in a Pro Lab, you look to get a foothold on an individual machine. Maybe you need to move laterally to another user account, you can then try to escalate privileges. There can be so many different technologies on each phase. There could be web. You might have to do some forensics, you might have to do some reversing. So it really is a bit of a mixed bag with machines. It tests you in a whole bunch of different areas.

Joseph Carson:
Okay. So you might have actually multiple scenarios that you need to do in order to get to the goal?

Ian Austin:
Yeah, exactly.

Joseph Carson:
... along the way versus challenge might be one specific flag.

Ian Austin:
Yes, exactly. Exactly that. You've got a bit more scope in a machine for really adding a narrative and stuff like that, so it's a bit more of a gamified approach sometimes. Although, I would say actually that the Hack the Box challenges are probably some of the best out there for a casual CTF player, and the work that goes into the Hack the Box challenges, I know it's just incredible what the guys are doing.

Joseph Carson:
And that gets me to my next question, because I know that you are behind a lot of the content that gets created and I know there's a lot of, even the community out there, that's also sharing and contributing as well. How difficult is it to create a CTF machine? How much effort goes into it. Is it something you just, all of a sudden just compile and configure it and it's done, or is there a whole testing behind it?

Ian Austin:
Well, I guess if you're really into automation, you could maybe do that yourself to generate something. But yeah, generally speaking, it's such a great way to learn and it can be hard, but really the research is so, so rewarding. You found some cool stuff at work maybe and you're like, "Hey, I'd really like to have some time to play around with that in my free time," you can do that and you can read up on it and you can read around the edges and you can follow these rabbit holes that might take you to somewhere cool.

Ian Austin:
Yeah, like I said, it is just a really great way to learn, by creating, by replicating these vectors. And it doesn't have to be super hard, but really, I think that when you create something, you should try to learn something new along the way. So the process of actually learning something new isn't easy. It is hard, but it's super, super fun. Even if you're right at the beginning of your cybersecurity journey, just starting to create an easy machine or something like that, you'll very quickly get the bug for creating and actually learning at the same time.

Joseph Carson:
And one question around that, with a lot of cases, since this year, of course we had the big PrintNightmare vulnerability came out.

Ian Austin:
Yeah, yeah.

Joseph Carson:
Which end up creates a lot of, let's say unintentional alternative ways to pwn that box that wasn't the intended way. They go back and actually fix those, patch those machines at later stages and re-ish them, or they just leave those unintended ways in the machines? What happens after major vulnerabilities are found?

Ian Austin:
Yeah. So good question. We do obviously keep an eye on the latest exploits and vulnerabilities that are released and how this might impact not only live content, but also some of the retired content. Yeah, we're super mindful of this and we're like, "Oh, okay. So we need to patch this," or, "We need to patch that." And I've got to say, the infrastructure team here in Hack the Box is fantastic. They always make sure that the content that was designed in a specific way by content creators, they make sure that we patch it for PrintNightmare or whatever, to make sure how the machine or the challenge author intended it, is how it's still playable. So they do a great job with patching the content.

Joseph Carson:
Excellent. I always like to go to the intended way, that the author creator done, rather than taking the shortcuts.

Ian Austin:
Yeah.

Joseph Carson:
So that's always my preference, I want to learn rather than take 10 boxes that have the same exploit, and just go for the flag, rather than actually learn along the way. One thing I've seen recently, a lot of this starting... I've seen a lot of recent, let's say prize money coming up for a lot of these environments. Is this something that's on the trend that? For these competitive side of things, what type of money is up for grab, or what type of prizes is available to those who are able to, for example, get first blood or able to get the highest points? Is this turning into a very lucrative approach for those who like these platforms?

Ian Austin:
Well, the thing is that Hack the Box has done a global CTF this year. We do the university CTF every year. We do the business CTF and there's loads of amazing prizes up for grabs. So it can be pretty lucrative. If you and your team manage to do really well in a CTF, then it can be great. You can get some fantastic prizes. Something I would say is that on the flip side is you can also get paid for creating. So if you submit machines to Hack the Box and the machine ends up being... Let's say it's a hard machine and everyone loved it. We thought, "Wow. The research that's gone into this is great," or the way it was designed was just really enjoyable. But then you can actually get paid very decently for creating content as well. So whether you like to make content or you like to test your skills in CTFs, there's ways to actually to get money either way.

Joseph Carson:
Interesting. I haven't thought about that one, so maybe I'll look to seeing what I've got in my lab to contribute.

Ian Austin:
Yeah.

Joseph Carson:
Because I have a lab set up here that I've already preconfigured, so maybe there's an opportunity for that.

Ian Austin:
Yes, nice.

Joseph Carson:
One thing is sometimes it gets very competitive. That's one thing. For me, I'm very competitive. I like to do things quickly and I'll say really well.

Ian Austin:
Yeah.

Joseph Carson:
How competitive is it getting between the hackers out there who's playing in the platforms? And do they gang up with teams and collaborations together? How competitive does it get?

Ian Austin:
Yeah, pretty competitive. So of course, we've got the hacking playground, the main hackthebox.com site, where you can register and you can gain access to Starting Point machines and challenges, and of course, you've got Academy as well, which is more guided. But in terms of the competitive side, yeah, it can get very competitive. You see some of the best teams in Hack the Box, they've been playing CTF for a long time, but even the people starting now with a few years of experience of Hack the Box behind them, they'll probably be some of the best people in Hack the Box. There's lots people in the community that I saw a couple of years ago, and they were starting their journey in Hack the Box, and asking a lot of questions in the forums and stuff, and these are people now that lots of the new people ask them questions, and they're like the leaders in Hack the Box now, so it's really interesting. It is a competitive environment, but it's also a nice and a supportive environment at the same time.

Joseph Carson:
I completely agree. Sometimes I struggle with a few areas. I think one recent box I was telling you about I was doing was Secret. And initial access was okay, but the privileged escalation side was complicated. You had to be really good at reading code. So I had to go and reach out for help in order to get past certain areas.

Ian Austin:
Yeah.

Joseph Carson:
So absolutely, and there's a lot of people out there who's... What I like about it, the community is that they don't want to give you the answer, they want to help you learn how to find the answer, which I like. I like that approach, so I find that very valuable. The question is, do you think, I've seen recently in Estonia, they just did a major hackathon, Cyberlympics hackathon within the schools, which I think is fantastic because it's really getting, from a young age, contributing and getting that excitement. Just a question, is Hack the Box doing anything around the education side of things within schools and universities? Is there collaborations and opportunities there as well?

Ian Austin:
Yeah. Interesting. So we actually partner with probably hundreds of universities around the world. We offer labs that their students can help to supplement their courses with hands-on experience, hacking into Hack the Box machines. We know that university professors are incredibly interested in using Hack the Box for their courses. We also offer the University CTF where each university that's registered on Hack the Box, they put forward the best team to represent them, and then they battle it out. And there's lots of prizes, as we've said, that's available there. So yeah, we've got a whole range of different ways that we help to support and engage with the universities and students.

Joseph Carson:
That's awesome. For me, I think that's one of the things we really need to emphasize to really get more people excited about joining in the industry, because sometimes people see the industry as something as doom and gloom, but I think this is an exciting way to get more people interested. One of the things in Hack the Box for the audience, and some people might be early in starting and just getting familiar with some of the machines and challenges. Can you explain to the audience a little bit, what is the difference between fortresses and endgames? Just to give them an understanding of what they are and what's the difference between them.

Ian Austin:
Okay, nice. There are some similarities, I've got to be honest, but there are also some key differences. So essentially, a company will submit a fortress. So if I'm a company and I submit a fortress to Hack the Box, this really allows me to maybe plant a message on the fortress. So when people reach the final flag, they'll be like, "Hey, you can reach out to us. Send your CV to our team and we'll review it, and we can start to have a conversation." So fortresses are a great way for companies to really identify the best hackers and also for hackers really to be noticed by major companies, really major, major companies in the industry.

Ian Austin:
So endgames are more so submitted by the community or by Hack the Box staff internally, and really they give a flavor of a corporate network and what it would be like to actually pwn and to start doing a Hack the Box Pro Lab. So they're a little starter that shows you what a Hack the Box Pro Lab can be like. So that's the main differences for me. They both have multiple flags and stuff. Yeah.

Joseph Carson:
Fantastic. And another thing, years ago, I seen Hack the Box starting mostly in the UK and then evolving around the world and in North America, and even here in Estonia, there's quite a community. How global is this? How global is it becoming? Because one thing is, there's a lot of countries out there, as you mentioned at the beginning. You may not have access to education systems in the countries that would give them the opportunity to get into the industry. Is this bridging that gap between people who want to get started? And all they need is a computer and an internet connection, to be honest. Is it becoming a global community that's helping those in countries that may not have traditional education access?

Ian Austin:
Yeah. I totally agree with that, Joseph. Not only have you got younger people nowadays who expect to learn in different ways. It needs to be more interactive, more gamified, it's learning and socializing at the same time. Really, what we're seeing is if you have a computer, if you have access to a computer, it doesn't have to be a good one. You can use a Pwnbox for example, which is like a virtual computer in your browser. So you don't even need to have a really high spec computer at all. So you just need the desire, the curiosity, and a computer, of course, and then through the Hack the Box channels or various other social networks out there, you can start to speak with like-minded people who also want to learn by doing, who say, "Hey, should we set up a meetup?" I'm not sure if there's one in our country yet or whatever.

Ian Austin:
So what we're seeing is that most countries around the world now have a Hack the Box meetup, which is amazing. There are hundreds of these groups that we're supporting with access to labs, and it's just such a great way for the community to really self organize and us to support them as well, and to learn to further their skills, to make new friendships as well. It's a social thing as well.

Joseph Carson:
Absolutely. For me, what I really enjoy doing is after getting the flags and capturing machines, I like going through. There's quite a few who submit the walkthroughs and I really enjoy afterwards going through the walkthroughs or even watching some of the on-demand videos that you've got on YouTube, which are also fantastic, and there's some great amazing rock stars out there who's making that content available.

Joseph Carson:
But one thing I really enjoy is that seeing the different thought process of other people and seeing their approaches and the differences they do. I think that's an area that maybe it's something that potentially is that to have that little bit more clarified in the walkthroughs into these are similar, for example methods, and then these have alternative methods that wasn't intended or have interesting ways. But I find it's a very educational process as well, having that content available, especially for things like retired machines.

Ian Austin:
Yeah, absolutely, Joseph. And you know what? One of the really funny things I find is that if you are just looking to maybe to set up the Oracle toolkit for attacking Oracle service ODA, or you're looking to troubleshoot something, then if you actually search Google for a lot of these problems, it's surprising how many times Hack the Box articles or Hack the Box writeups actually are the first couple of hits. So this is something that I just find, still now it's just unbelievable.

Joseph Carson:
I agree. A lot of the searches I end up going to, some of the articles and the walkthroughs really have solved. Not specifically to what I'm doing, for example, trying to do Hack the Box machine, but when I'm actually doing something else, I actually find that some of the articles have actually helped me solve some of the challenges there as well. So it's impressive content. One thing, for anyone in our audience is coming from organizations or have security teams or pen testers, or they're doing incident response and forensics, what can companies get out of this? What can they do other than getting their employees trained? Is there something they can do more with the platform?

Ian Austin:
Well, of course I have to use Hack the Box as the example here, but they have access to the Enterprise Platform, which is a new thing this year. So they can really use the Enterprise Platform, not only to assess candidates, but to provide some continuous learning, to evaluate their strengths and weaknesses. They can use it for a social aspect. So if you want to organize a team building thing, you can have a CTF, or you can have a lab, and on a Friday you can have some pizzas and beers, whatever, and then start going through your machines. In order to really get the most value from the service, there's of course, the Talent Search service. As we mentioned just now, Joseph, as well, they can start made a fortress, which has a similar benefit in identifying the best people. So yeah, there's really a lot of ways in the Hack the Box Enterprise Platform that companies can get a really good deal for what they're paying for.

Joseph Carson:
Fantastic. So one thing as well, just moving on to one area that I thought was really interesting. I attend a lot of events throughout the year, lots of events. And used to be once upon a time when you actually traveled and went to events in person, but of course, in the past year it's been very digital. And one event I attended this year was Kernelcon, and Kernelcon I thought it was fantastic. It was literally one day of mini capture the flag events. And you had so many awesome people on there. You had Chris Eagle, you had Joe Grand, John Hammond, and literally going through challenges that the audience who are watching would basically vote for or preference. And for me, when I was watching, and thinking about platforms like Hack the Box as well.

Joseph Carson:
It really got me thinking around this people are starting to watch hackers from a streaming perspective-

Ian Austin:
Yeah, absolutely.

Joseph Carson:
... when they're actually in these platforms and actually going around the thought process. And they're narrating about what they're looking at and what things they're thinking about. And I really started seeing that this is turning into almost like an esport. Potentially, in a couple of years time, you might even see this as an Olympic sport.

Ian Austin:
Yeah?

Joseph Carson:
Do you think this is something that will be trending and eventually will be streamed live and major events where teams of ethical hackers out there will compete and just walk through the processes, just like we've seen in the gaming industry.

Ian Austin:
Yes, absolutely. I have to say, hacking is of course the new gaming, so that said. But yeah, we also have battlegrounds tournaments here in Hack the Box where we stream the players playing, we have IppSec and John Hammond narrating and seeing what are they thinking at the moment? What are they actually trying to do at this point in time? Like you said, it's a really interesting thing from a spectator's point of view, being able to see that. And if you are a beginner now, and you're seeing how these guys are thinking, that's just such a useful thing to learn. The actual approach and mindset of some of the best hackers, and you can learn to do that yourself. So yeah, Hack the Box is definitely becoming an esport and we're working with a lot of esports providers as well and creating machines for them. And it wouldn't surprise me one day if maybe hacking was like some official eSport somewhere. Yeah.

Joseph Carson:
I believe it will be. It's only a matter of time. For me, I have kids, and watching my kids who basically spend time watching other people playing things like Minecraft and other games is just, and they spent hours just watching other people and you're just like, "Ah," and then I think about myself. I'm an old retro gamer and I still love gaming. I've got my retro pie fold with as much games as possible, but I try to do spend quite a bit of my time as well, keeping my skills fresh. And one thing is just watching people, like IppSec or John Hammond and Joe Grand and from the hard, I'd like to see a little bit more in the hardware side, getting into this as well.

Joseph Carson:
Because I think that's an interesting part for things like IOT. And I really like the ones that was done recently, which was the printer drivers.

Joseph Carson:
That was an interesting one. So I like those concepts of trying to get more hardware portions into it. But absolutely, for me, it's a direction that we're heading. And I think it's only a matter of maybe a year or so before we really see this as a premium streaming, maybe even the dedicated channel that will be just all time that you subscribe to and just watch the elite out there, showing off their skills and really helping the world. Ultimately, my model that I say. There's two models that I have. One is that the more I understand the hacker techniques, the better I can understand about what things I can do to make my organizations and other companies safer.

Joseph Carson:
And I think that's ultimately can... At understanding these techniques and the stuff that they do, it helps me put into to make this the environments safer, you can put the safeguards in place. The other thing as well is that we all know that vulnerabilities will happen and mistakes and misconfigurations will happen. My second part is that I always believe that for me, it's about making the attacker's job... Making them take more risks.

Ian Austin:
Exactly.

Joseph Carson:
And the more I put challenges in place to force them to take more risks, they will create more noise. And the more noise they create in the network, the more chance we have at detecting it much earlier. So yeah. And I think Hack the Box gives me those ideas and thought about how can they make their job more difficult to get them to take those higher risks and make mistakes?

Ian Austin:
Yeah. Yeah. That's so true, Joseph. Coming from that similar background myself. Yeah. I couldn't agree more really. Having the offensive mindset as a defender just allows you to be more robust in what you're putting together, but also as a defender... Sorry, as an attacker, then having the defensive mindset also allows you to level up your skillset. So it's great. I feel everybody needs to be purple.

Joseph Carson:
Yeah. We do. For example, I agree, you don't need to be, having all the skills of everything. That's a difficult thing to do, is being very broad skill set. You have to focus, but having knowledge and working together, but people in across both teams and being somebody who's more purple minded, I'd say would be and being able to understand here, here's the attacker techniques and here's the defenses that makes those more difficult. So absolutely, we need both teams working together to make the world a safer place. It's not a competition for them to fight each other, but it's a company it's a place that we need better collaboration between both teams.

Ian Austin:
Yeah, absolutely.

Joseph Carson:
And that's what we need to get to and definitely purple teaming is the future.

Ian Austin:
Yeah. Absolutely, Joseph. Absolutely. I think you guys are doing a great job also in Thycotic. I actually used your product a lot previously as well, and so I think you guys definitely have a great mindset.

Joseph Carson:
Thank you. We like to try and more motto as well as make it difficult for the attackers to be successful and give the defenders a chance. That's definitely, we want to make security usable in the end and make organizations as safe as possible. So thank you. And it's always a pleasure getting direct feedback from those who've used the products in the past. I'd like to get your thoughts in summary. Where's the future going? What key takeaways would you like to get the audience? And some thought for process? For example, if they're new to Hack the Box, how would they get signed up? Because I think your signup process is very, very genius and very creative.

Ian Austin:
Yeah.

Joseph Carson:
So you would give people direction on next steps.

Ian Austin:
It's evolved over the years, if I'm honest. We still started off in 2017 with, you had to hack in to Hack the Box, and that was amazing. Even now, we still have that challenge available if people want to do it. But yeah, in terms of, let's say if we're a beginner and we want to, how we get started, we'll probably have heard of IppSec or John Hammond. We know that they're doing Hack the Box machines, and so we want to try out Hack the Box. Well, actually, if you just go to hackthebox.com, you can register, and the first thing which you'll get asked and prompted for is whether you want to try the beginner content.

Ian Austin:
So we have Starting Point, which is completely free at the moment. You just work your way through the machines that take you from the very, very, very basics all the way through to pwning an actual machine. And then at that point, you're ready to try some of the other content on the platform that's suitable for beginners, other challenges and machines. So it's a very exciting time. I think my key takeaway in what will happen in future, I believe that we will continue to make the content in Hack the Box more personalized to each person, and just make sure that each person that joins when they experience the platform, that the content for them is precisely what they need for their individual journey.

Joseph Carson:
Awesome. So this has been very educational for me, and it's been a pleasure, Ian, having you on the show. I think for the audience, I definitely recommend the audience, if you're not using one of these platforms, definitely get signed up. And if you really want to accelerate your knowledge in penetration testing, digital forensics, anything in the industry basically, this platform will definitely help keep you up to date, keep learning, keep you excited, give you a bit of a challenge. And organizations out there, definitely get it available for your employees because it is rewarding. It is something that will keep them. One is keep them basically keep up to date and skills that your organizations will need. So Ian, it's been a pleasure having you on this show. Hopefully I will have you back on again in the future. I'm looking forward to seeing more of the content that gets created. Any final words?

Ian Austin:
Likewise, it was great to be on the show today. Thank you so much for inviting me and I'm sure we'll catch up soon anyway, either virtually here or somewhere else.

Joseph Carson:
Absolutely. I'm excited about upcoming Locked Shields in Tallinn.

Ian Austin:
Yes.

Joseph Carson:
So hopefully that might be an opportunity. So for the audience, this is 401 Access Denied. Again, go back and look at previous episodes, subscribe, stay up to date, stay safe, and thank you for being an amazing audience, and I look forward to providing more exciting episodes in future. So all the best, take care, and thank you.