hashtalk 006: interactive games for cybersecurity engineers that don’t suck and how to treat them like a mini-vacation for your learning journey
By Eva Georgieva
Hey bugs! Lately I’ve been quite focused on one thing that I am currently working on, so I wanted to snap out of it for a brief moment in time. And since cybersecurity doesn’t get less overwhelming whether you learn more about it or not and it’s overwhelming all the time anyway, at least having some fun in the process helps.
So when I think about fun, usually the first thing that pops up in my mind is games. Now since I want to stay on track here, I’ve started to search for cybersecurity games. Turns out, we do have a few of those, and a few of those are quite good.
Hors d’œuvre
Today’s bits of entertainment and education:
- crypto, cloud and web based cybersecurity challenges
- are the games a distraction or do they benefit your cybersecurity journey?
The Cybersecurity Games
Okay, so here is my list of websites that are worth checking out and that offer quite a good exercise for the brain on various cybersecurity topics through a gamified experience:
1. Hacksplaining
Hacksplaining is an interactive training platform for learning web application security by simulating attacks and defenses.
It offers education about common web vulnerabilities (e.g., SQL injection, XSS, CSRF), exploit mechanisms and prevention strategies, and how web applications are attacked and how to secure them.
Who is it for? Beginners to intermediate learners, especially developers who want to understand security vulnerabilities in their applications.
Is it free? Partial: Some lessons are free, but the full experience requires a paid subscription.
Link to it: https://www.hacksplaining.com/lessons
2. Pwn College
Pwn College is an online cybersecurity education platform with a focus on binary exploitation and low-level systems security. Created by cybersecurity professionals for in-depth, practical learning.
On this platform you can learn binary exploitation techniques (e.g., stack overflows, heap attacks), reverse engineering and debugging, and advanced topics like kernel exploitation.
Who is it for? Intermediate to advanced learners, especially those interested in CTFs or professional binary exploitation.
Is it free? Yes, completely free.
Link to it: https://pwn.college/
3. CryptoHack
CryptoHack is an interactive platform focused solely on teaching cryptography through progressively harder challenges.
Here you can learn classical ciphers (e.g., Caesar, XOR), modern cryptography concepts (e.g., RSA, elliptic curve cryptography), and cryptographic vulnerabilities and implementation flaws.
Who is it for? Beginners and intermediate learners interested in cryptography, with some basic Python knowledge.
Is it free? Yes, fully free.
Link to it: https://cryptohack.org/
4. Flaws.cloud
Flaws.cloud is a cloud security training platform that simulates AWS misconfiguration challenges. Each level builds knowledge of common AWS vulnerabilities.
It offers quite nice content around identifying and exploiting S3 bucket misconfigurations, understanding IAM roles and privilege escalation, and mitigating cloud security vulnerabilities.
Who is it for? Beginners and cloud security enthusiasts wanting to understand AWS-specific vulnerabilities.
Is it free? Yes, fully free.
Link to it: http://flaws.cloud/
5. CloudGoat (by Rhino Security Labs)
CloudGoat is a tool that allows users to deploy intentionally vulnerable AWS environments to practice cloud exploitation.
Again, some of the things you can try and do here are exploiting misconfigurations in AWS services (e.g., S3 buckets, IAM policies), privilege escalation and lateral movement in cloud environments, and remediation techniques for securing AWS resources.
Who is it for? Intermediate to advanced users comfortable with AWS and cloud security concepts.
Is it free? Yes, open-source and free to use.
Link to it: https://github.com/RhinoSecurityLabs/cloudgoat
6. OverTheWire (Wargames)
OverTheWire offers a series of wargames designed to teach foundational and advanced cybersecurity skills in a progressive format. Challenges span topics like Linux, networking, cryptography, and binary exploitation.
Some of the things you can learn are:
- Linux command-line skills (Bandit)
- SSH, privilege escalation, and process manipulation
- Binary exploitation and reverse engineering
- Networking fundamentals
Who is it for? Beginners to advanced learners who want a command-line-focused, progressive learning experience.
Is it free? Yes, completely free.
Link to it: https://overthewire.org/wargames/
7. CryptoZombies
CryptoZombies is a gamified platform for learning smart contract development on Ethereum using Solidity. It uses interactive lessons to build a zombie-themed game.
You can learn about Solidity programming and Ethereum smart contract development; blockchain basics, gas optimization, and debugging contracts; and advanced topics like ERC-721 tokens (NFTs).
Who is it for? Beginners to intermediate learners interested in blockchain, smart contracts, or NFTs.
Is it free? Yes, fully free.
Link to it: https://cryptozombies.io/
Are cybersecurity games a distraction or a benefit to your learning journey?
Incorporating gamified cybersecurity platforms into your learning journey can be both a great decision and a potential distraction.
I believe it all comes down to making a clear roadmap as to what you want to achieve.
One example can be trying to earn your AWS cybersecurity certificate, and if that is the case, then going through the challenges from flaws.cloud can enhance that. However, what I do recommend is setting a time frame for the platform.
Research in advance the complexity of the challenges, the approximate time to solve them and set a weekly time goal to spend on the platform. Even better, set a deadline for yourself on when you should be finished with this path, challenges or whatever you decided to explore from the particular platform.
The trick is to not jump into a different platform before finishing what you started. Now some negative Nancy in the background would ask, “But why would I jump to a different platform if I already started with this one?” Well, Nancy, that is because our brains are naturally drawn to novelty, a phenomenon tied to the release of dopamine, the “feel-good” neurotransmitter. This drive for new, exciting stimuli can make switching between platforms or jumping from task to task feel rewarding, even if it isn’t productive. When we encounter something new or different, our brain gets a burst of dopamine, and even though these platforms are designed to keep you entertained, our brain also doesn’t like hard things. It’s programmed to keep us in the comfort zone, keep us safe. So, as the levels of difficulty in the challenges progress, so does our frustration because we can’t solve them right away. Naturally, our excitement takes a fall and we are now trying to find something new, fooling ourselves that we learned enough and we can jump onto the next thing.
My advice would be to plan your time on the platform like a mini-vacation for your cybersecurity learning journey. Plan the days, plan the stay, charge your knowledge and get back on your learning road.
Let’s keep in touch
I’d always be willing to discuss more, exchange ideas and continue the hash talk.
Reach me at: evaincybersec@gmail.com