Is humanity heading for an apocalyptic cyber future where AI will take over? What would people and businesses do in such a situation, faced with large-scale, never-ending cyber threats? Curious about the possible scenarios, The Recursive sat down with Haris Pylarinos, founder and CEO of the online cybersecurity training platform Hack The Box.
With over 15 years of experience in the IT and cybersecurity industry, and as a highly skilled systems engineer and security expert, Pylarinos founded Hack The Box in 2017. Six years later, the company, which allows IT professionals to advance their ethical hacking skills, has a community of over 1.3 million platform members and has trained over 1,400 corporations, academic institutions, government agencies, and other organizations.
Hack The Box is based in the UK, with its main R&D center in Athens. At the beginning of the year it raised $55M and is now looking to expand in the US market. In the interview, Pylarinos offers his vision for Hack The Box, his insights into the future of cybersecurity, the challenges that lie ahead, and much more.
The Recursive: Will the increased use of AI potentially lead to catastrophic cyber-attacks and what would this use also mean for the cybersecurity industry itself?
Haris Pylarinos: I don’t believe that cybersecurity professionals will be greatly affected by AI, because the primary intelligence of AI systems is not there yet. You really need to think about a lot of aspects when securing a system; you have to think about the business logic as well, which is something that AI is not always capable of.
Now, when it comes to catastrophic cyber-attacks in the next year – I think that’s a big bold statement, but I’d say that we will see a lot of AI in the years ahead, and hacks towards AI, because the more we use it, the more AI is constantly learning from us. If we take social media as an example, it’s constantly letting our preferences decide what to show us next.
So what if you could alter the way AI decides to show content by feeding it false data, and suddenly you could overrun a government? Because you have the eyes of all the people, and it’s quite scary if you think about it, and I don’t believe it’s too far away. Also, we’re seeing a lot of deepfakes – you can pose as someone else now, and what we’ve seen with ChatGPT is that bots can practically have quite realistic conversations.
So what if you could multiply this and you target thousands of employees, and instead of just sending a phishing email, you send out live chats or Facebook chats, whatever. Then, suddenly you have thousands of employees chatting independently with a bot until one of them falls for the trap.
And there is a lot more to come – we are seeing now that many are adding AI assistants to the organization. So you are attending a conference meeting and you ask the AI how the meeting went, what the key takeaways are, and so on.
You can also ask the AI, though, to mass-send an email to the entire organization, or you can ask the AI to tell you if there are any emails in all mailboxes that contain any passwords and to bring those emails back to you. So even if you use AI for simplifying your work, if it’s used by criminals it can multiply the effectiveness of what they are trying to accomplish.
What do businesses need to realize when it comes to the cybersecurity of today and dealing with such criminals?
It’s tough to beat the criminals; they will always exist, and they have a very distinct advantage – it’s one single individual versus a huge organization with a huge attack surface. So if we make an analogy, the organization is like a big fortress full of towers, guards and so on. But it takes just one small human to slip through the cracks and get inside.
So it’s an uneven game, it will be an uneven game, and there is no company that cannot be hacked. Every company will be hacked. Some companies are hacked already; some think that they are not in danger, but they just don’t know it yet. So getting hacked is part of the game.
What makes you stand apart from the competition is being able to figure it out in time and to act accordingly – manage the crisis instead of panicking. And for that Hack The Box helps a lot with our products, because we are targeting the human element.
We are making sure that they build muscle memory so it’s like putting them in a simulated war zone every week where they learn to fight. It’s like we put them to play Call of Duty every week, so they are a bit more ready when it comes to the actual war.
In this regard, what is the importance of CTFs, bug bounties and the culture shift to learn and have basic cybersecurity skills?
They are essential because, first of all, CTFs (Capture The Flags, a type of computer security competition) are 100% practical, and they touch the most important point of cybersecurity – which is research: you have a problem that appears unsolvable in front of you, and you get to research on the spot to figure out a solution before someone else does. This is the number one skill a penetration tester should have. So CTFs are very valuable.
Bug bounties are quite similar, with the difference that the target is a realistic production one, and you have to act responsibly not to damage anything. So overall, I believe cyber should be introduced in schools from a very early age. Even if we are talking only from an awareness perspective, we should all be aware that whatever pops up on our computer screen, or whatever we see on social media, should not be taken as credible information, and we should always be aware.
It’s similar to the case where someone would approach you walking on the street, asking you about your bank account details – you would obviously not give them out. The same thing applies when you receive an email, supposedly from a bank, asking for the same thing. So this means a lot of education across a nation. If we tackle this, I believe that the majority of cyber attacks will drop, because most of them start with an initial phishing attempt.
How is the game changing in cybersecurity when it comes to practical training experience versus arbitrary degree qualifications?
First of all, I think there are not enough professionals, and the traditional hiring model has to be revisited. It’s been revisited partially by many organizations, because you cannot rely on university degrees to find cybersecurity professionals – there are excellent cybersecurity professionals that just didn’t end up having a degree.
So what you actually want is soft skills for an employee, and you also want technical skills. And as long as you can assess those skills, you can hire an individual with a high school degree who is an expert in what he does. I have multiple examples of people that don’t have relevant university degrees, that are working in Hack The Box and are some of the best technical minds I’ve met in my life.
Certifications are another thing. I’m not against certifications, since at least they prove that you’ve done some research. But I wouldn’t rely solely on certifications. So if I had to choose how to hire a new person, I would first do a technical assessment, make sure they are hands-on and know what they’re doing, and then I would look for certifications or for a university degree.
How does Hack The Box work with businesses, government institutions, universities, when it comes to developing customized training programmes?
Hack The Box offers a range of services. One is the Academy, which is more guided training where we teach you about specific subjects. Then we have our labs, which are more exploratory learning where you build muscle memory; you get to research more depending on the needs of the organization, depending on what skills they want to improve, and on whether they have those skills mapped to a specific framework like NIST.
We can assist them, but they are also able to tailor the content themselves to their requirements and pass all employees through weekly or bi-weekly, continuous upskilling, instead of doing a lengthy one-week training course or a certification and then just sitting back for the entire year.
We’ve seen that it makes more sense to digest the information in smaller pieces over short amounts of time; that helps it stick in your brain. And it also keeps you motivated constantly. For example, if you go to a seminar and you get all hyped about all the new things that you’ve learned, you end up remembering 10 to 20% of them; you go full on the next week at work because you have all those things to try, and then you’re back to normality. But if you constantly have something to spark your creativity and interest, this gives you a constant boost to your performance overall.
Could you share some examples of individuals or organizations that have benefited from using Hack The Box?
We do have a lot of case studies with companies such as Toyota or NVISO. On an individual level, one that comes to mind was a biologist that joined Hack The Box. He had absolutely no relation to cybersecurity; he just joined for fun. He reached number one in the Hall of Fame; he became the best. And now he’s one of the most sought-after penetration testers in Greece, working for one of our major telecom providers. So for me, I’m very happy to be able to provide this path to someone.
What are the next plans for Hack The Box when it comes to expanding to new markets?
Hack The Box is quite strong in the US and we are doubling down there. Apart from that, we are also expanding in Australia quite rapidly. On the product side, we are shifting towards an organization which will cover anything around the human element of cybersecurity.
As we started from the offensive side with pen testers, now we are gradually growing, capturing also the SOC analysts, the security engineers, the threat hunters, and so on. Our goal is for Hack The Box to be a single pane of glass, where you can monitor your entire cyber workforce, understand the pain points, and assign the content to be consumed to address those pain points.
What are some of the biggest challenges for cybersecurity in the next period?
When it comes to challenges spanning two to five years from now, the obvious one is the cloud, as we are seeing more and more organizations gradually transition to the cloud. And many have the false assumption that the cloud is 100% secure, which is partially true, but nothing is 100%.
Their infrastructure is secure, their systems are secure, but they provide so much functionality that allows you to be insecure as an organization. So there are a lot of tweaks that you must do, even in a cloud environment, to secure your actual software – they’re securing the server systems, but you are responsible for your applications. So we see more and more cloud specializations coming ahead.
Looking further ahead, I think the next big thing will be AI and machine learning: how can you trick algorithms, how can you identify AI-created material versus human-created material. This is another thing that we could see in the future in terms of software stacks, and it is actually important now, for plagiarism in schools for example.
We’ll see more IoT for sure, since it is gradually penetrating our houses; people have smart lamps and smart whatnot. So the more smart things you have, the bigger the attack surface you have, even as an individual, and organizations follow the same pace.
You have smart offices with lights and doors and everything controlled by computers. And criminals can get very, very creative by utilizing those components for things that we couldn’t even imagine. For example, you could extract information from an organization, assuming that you have a foothold in that organization: you could flicker the lights and extract the information through the flickering, by having a receiver outside capturing the flickering of the light. And this is something that no cybersecurity product can catch.
The virtual world is merging more and more with the physical one, so that the damage that you can inflict goes past the digital and into the physical – you have smart cars that you can direct to hit someone, or you can turn the air conditioner in a newborn’s room down to 12 degrees.
So there are endless things that you can do if you want to cause damage, and we have to be very, very careful. IoT was left behind when it comes to securing the systems, but now they’re catching up, and I’m expecting to see more and more in that space.