BLOG

Most people who pursue an education and career in cybersecurity will spend the majority of their career defending networks. Typically, 10% work in a red team capacity that tests network security from a hacker’s perspective. Because of these statistics, most educators would assume that teaching defensive measures is the most important element of a cybersecurity program. 

This is only partially true. Yes, we need to teach our students the basics of how to defend a network and how to tailor our defensive measures for networks of different sizes or those with unique purposes. However, we also need to teach them how to attack a network so they can better understand how effective specific defensive measures are at repelling attacks.

Thinking Like a Hacker
We can say that, within cybersecurity, those who are great at attacking a network will also be great at defending a network. The reason why is simple. If students are trained in how to find vulnerabilities, exploit those vulnerabilities to achieve a particular purpose, and bypass common defenses, they will be even better at developing defenses. Students will also have a greater appreciation for why certain devices are advocated for network defense and the type of attacks each of those devices can stop or actively monitor. Professors should consider structuring their lessons around network attack methodologies to give their students a more rounded education.

Police officers often train to think like a criminal. They do not do this so they can transition into a life of crime. They do this so that they can better understand what actions a criminal may take in different situations. This gives police officers the ability to stay one step ahead of nefarious actors and catch them in the commission of the crime or before they can commit the crime. This same ideology can be applied to the cybersecurity arena. If professors teach their students how to sneak past a firewall’s defenses, those same students will be able to recognize these attempts in the real world and should be able to quickly respond to stop the attack.

If we follow this thought process further back, we can say that great system administrators make great attackers. One challenge when teaching students how to hack into networks is that they do not always have a strong understanding of how different operating systems are organized and how to navigate or manipulate those operating systems. Those who have spent a long time as system administrators can transition to red teams quite easily because they know what to do once they gain surreptitious access to a victim system. They know where the hashed passwords are stored, they know how to clear the logs to cover their tracks, and they know which services and files to modify to enable or disable capabilities on the victim system.

Including System Admin Techniques
Many students who learn how to attack a network do not know what to do once they gain access. They find the success of gaining access exhilarating but are unable to follow through with fully taking over the victim system, elevating their privileges, pivoting to other systems on the network, or fulfilling other common hacker objectives. This is usually the result of not having the system administrator expertise. So, while professors take up the task of teaching students to attack, they should also weave in common system administrator techniques that relate to attacking or defending a network.

Take password construction as an example. We have been preaching for many years about the importance of strong password development, but the average user still does not fully understand why this is so important. Teaching a student where the password hashes are stored on different systems, how to acquire those hashes, and how to make attempts at breaking the passwords offline will show them how easy it is to break a simple 8-character password. Having this perspective will teach them two things. First, they will understand the importance of monitoring system logs for any attempts at accessing password hashes. Second, they will understand why their own passwords should be constructed in a way that they cannot be easily broken.

Why Should Your Students Learn How to Hack?
Some may argue that teaching these skills is not important, but take it from someone who spent many years on the frontlines of cyber warfare. Thousands of hours of network analysis and hundreds of hacking investigations taught me that the more we understand how to attack, the easier it is to defend. It is a method that has been applied to military operations with great success. We need highly trained students to enter the industry with an in-depth understanding of how nefarious actors operate so they can be stopped in their tracks. Knowing how to configure a firewall and an intrusion detection system is not enough.

Some may also say that simply having a strong understanding of defense is enough to keep hackers at bay. One could argue that if a defender understands all the capabilities of defensive software and devices, they could leverage that knowledge into a very secure network. But this only goes so far. This level of understanding does not allow one to make an educated guess at what the next attack will be or what the hacker will target. It cannot get inside the mind of the hacker to think like them and implement actions to stop them from getting past the front door. Cybersecurity is not a cookie-cutter operation; it requires critical thinking from every possible angle.

Professors need to prepare their students for what they will encounter outside of the classroom. Organizations need someone who can truly defend the network, not just regurgitate the common lines about standard security postures. The most secure networks will be those secured by someone who knows how to break in, how to bypass firewalls, and how to trick users into clicking on malicious links, because they are the ones who know the right techniques to keep every one of those attempts from succeeding.