# Secure Code Comments: One Easy Way to Steward Your Application Security Culture
While traditional code comments focus on explaining the code's functionality, security-focused comments are crucial to promoting secure coding practices throughout the software development lifecycle (SDLC). By making this simple tactic part of your natural workflow, you can share your knowledge and become a security champion. Let's explore how integrating security comments into your code can benefit you and the security team.

## Leading Forward Using Secure Code Comments

Integrating security into your daily coding isn't just about ticking requirement boxes; it's about building a security mindset that makes you indispensable. Secure-code comments are low-hanging fruit for sharing knowledge, learning from others, and making security a seamless part of your day. Senior developers and application security champions can quickly and effectively educate other developers about best practices without leaving the comfort of their Integrated Development Environment (IDE).

Best practice for code comments suggests emphasizing the why, not the what. Security-focused comments are no different. At the same time, they play a crucial role in promoting secure coding practices, enabling teams to:

- Explain key security moves: share the rationale behind specific security measures, such as input validation, encryption, and access control mechanisms.
- Flag red flags: call out potential weaknesses in your code, like SQL injection, cross-site scripting (XSS), and unprotected data.
- Share knowledge: link to relevant security standards, guidelines, and resources, and make code reviews faster.

## Enhancing Code with Security Comments: Two Examples

### Example 1: Preventing SQL Injection with Parameterized Queries (Python)

Let's consider a simplified Python function, which performs a simple insert operation into a database:

```python
def insert_user(conn, name, email):
    """
    Inserts a new user into the 'user' table.

    Args:
        conn: A sqlite3 connection object.
        name: The name of the user.
        email: The email address of the user.

    Returns:
        None

    This function uses a parameterized query to prevent SQL injection
    vulnerabilities. See: CWE-89 https://cwe.mitre.org/data/definitions/89.html
    By using placeholders (e.g., `?`) and passing the actual values as separate
    arguments, we avoid direct string concatenation. This ensures that
    user-supplied input cannot be manipulated to modify SQL commands.
    """
    sql = """INSERT INTO user (name, email) VALUES (?, ?)"""
    cur = conn.cursor()
    cur.execute(sql, (name, email))
    conn.commit()
    cur.close()
```

As you can see, in addition to the regular docstring, we succinctly mention why we're using parameterized queries over string concatenation. We also reference a CWE and provide a link for anyone who wants to learn more. With just three extra sentences in a function comment, we've given less experienced developers who are code spelunking a quick lesson (or reminder) about why and how to prevent SQL injection.

### Example 2: Mitigating XSS Vulnerabilities with DOMPurify (React)

Let's look at another example, this time on a React frontend. Here, we're knowingly doing something potentially dangerous but clearly communicating to other developers the mitigations applied.

```jsx
import DOMPurify from 'dompurify';

/**
 * Displays user-generated HTML content, sanitizing it with DOMPurify to prevent XSS vulnerabilities.
 *
 * This component uses `dangerouslySetInnerHTML` because the content being displayed *must* include HTML markup.
 * Alternatives like rendering plain text or using a limited subset of HTML tags are not sufficient for this use case.
 * See: https://kanban.system/t/123
 *
 * **Security Considerations:**
 *
 * **CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'):**
 * https://cwe.mitre.org/data/definitions/79.html
 * This code directly addresses CWE-79 by sanitizing the user-provided HTML before rendering it. Without sanitization,
 * malicious users could inject JavaScript code that would be executed in the context of the website, leading to
 * XSS attacks.
 *
 * **Why not just use textContent?** If we used `textContent` or similar methods, any HTML tags in the user
 * input would be treated as plain text and displayed as-is. This would prevent XSS, but it would
 * also defeat the purpose of allowing users to input HTML in the first place.
 *
 * **Why DOMPurify?** DOMPurify is a widely used and well-maintained library specifically designed for
 * sanitizing HTML. It's more robust and secure than attempting to create a custom sanitization
 * solution. It handles a wide range of potential XSS attack vectors.
 *
 * @param {string} htmlContent The user-generated HTML content. This is assumed to be untrusted.
 * @returns {JSX.Element} The sanitized HTML rendered within a div.
 */
function SafeHTMLDisplay({ htmlContent }) {
  const sanitizedHTML = DOMPurify.sanitize(htmlContent);
  return <div dangerouslySetInnerHTML={{ __html: sanitizedHTML }} />;
}

export default SafeHTMLDisplay;
```

This time we go into more detail about the why. Let's break it down:

- First, it's important to acknowledge that the original approach isn't best practice.
- Second, you can level up developer awareness about alternative options.
- Then, connect the dots for maximum impact, sharing why this approach is required to satisfy product requirements.
- Finally, it's important to detail security considerations with CWE IDs, codifying the weakness you're proactively mitigating; yes, you can even justify the introduction of another dependency compared to a custom implementation.

One caveat worth adding to a comment like this: the protection rests on DOMPurify's default configuration. Anyone who later passes options that allow extra tags or attributes (for example `ADD_TAGS` or `ADD_ATTR`) is widening the attack surface and should get the same review as the original `dangerouslySetInnerHTML` call.

Any future developer tasked with modifying the comment feature will quickly understand the importance of keeping this mitigation rather than "cleaning up the code" because it still functions "the same" without it. As an AppSec developer or security champion, you've just avoided another security report being raised because of a regression introduced by an over-eager junior developer. It's well worth the 15 extra lines of comments.
Even better, any security engineer performing a secure code review will be much more confident that the developer understands why they wrote the code the way they did. This, in turn, expedites that coveted 'approve' on their pull request, reducing the time to get the code safely into production.

## Identifying and codifying vulnerabilities with Find the Flaw

Setting the tone with security-focused comments largely falls to the lead developer or security champion, presenting an easy opportunity for aspiring champions to stand out. Remember, the goal is to identify and codify weaknesses in code before or as it is being written; this approach ensures others can craft easy-to-understand security comments too.

Whether you're just starting out or looking to grow your skillset, Immersive AppSec's Find the Flaw collections provide ample opportunities to build DevSecOps muscle memory. You'll learn to identify common vulnerabilities in code and recognize which CWE IDs they correspond to. Writing security-focused comments will feel like second nature when you're coding up a storm!

## Beyond Code Comments: Empowering Your Manager to Recognize the Power of AppSec Training

Code comments are a valuable AppSec tool, albeit only one piece of the puzzle. To cultivate a developer-led security culture, organizations need managers who recognize the power of comprehensive training programs for their developers. These programs give proactive developers the knowledge and skills to build secure applications from the ground up. As a result, the organization meets its development velocity SLAs and its application security goals at the same time.

Share your experience of learning by doing and gaining the attacker's perspective, which Immersive Labs AppSec offers. Your manager and teammates should recognize the value of safe, real-world scenarios and interactive exercises, so that the training you do now targets the problems you have now.
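Example 1 above shows only the safe version of the query. The following is an added example, not code from the original post, that puts the vulnerable counterpart beside the parameterized one against a constructed in-memory SQLite table, so you can see the injection actually work in one and fail in the other. The table, the seed rows and the attacker payload are all made up for this demonstration.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table with two seed users; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO user (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, email):
    """VULNERABLE (CWE-89): the caller's string is spliced into the statement text,
    so a quote inside it changes the query instead of the value being searched for."""
    sql = "SELECT name, email FROM user WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """Parameterized, like insert_user in Example 1: the value travels separately
    from the SQL text and is compared literally, quotes and all."""
    return conn.execute(
        "SELECT name, email FROM user WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups with a constructed tautology payload and a legitimate email."""
    conn = setup_db()
    payload = "' OR '1'='1"  # constructed attacker input: rewrites WHERE into a tautology
    return {
        # The unsafe query becomes ... WHERE email = '' OR '1'='1' and returns every row.
        "unsafe_with_payload": find_user_unsafe(conn, payload),
        # The safe query looks for an email literally equal to the payload: no match.
        "safe_with_payload": find_user_safe(conn, payload),
        "safe_legit": find_user_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Note that the same payload reaches both functions unchanged; the only difference is whether the driver or string concatenation decides what counts as SQL, which is exactly the point the comment in Example 1 is making.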
## Share your thoughts

Check out this Find the Flaw collection and then share your thoughts with The Human Connection community:

- For developers: Does adding security rationale to your comments feel like an 'easy enough' lift?
- For security champions: Are you already using this technique or something similar? How have you convinced other developers to adopt this style of commenting?

# An Ounce of Prevention Beats a Pound of Postmortem with Supply Chain Security
Supply chain security is all about protecting your organization from risks and threats that come from the external parties and processes you rely on. But trust, like code, is a dependency. And risk? That's a side effect.

Case in point: this month, a widely used GitHub Action, tj-actions/changed-files, was compromised, proving that when the Git hits the fan, it can blow secrets across thousands of repos (CVE-2025-30066). It was a textbook supply chain attack: a legitimate, trusted tool hijacked and used to compromise downstream users.

Now, don't get me wrong, we all love GitHub and a secure CI/CD pipeline. But when attackers injected malicious code into the action, stealing secrets like personal access tokens, npm tokens, and private RSA keys from affected CI/CD pipelines, over 23,000 repositories were exposed to cyber risk. This wasn't a breach caused by a missed patch or a weak password; it was a breach of inherited trust.

It highlights a pressing truth: supply chain security isn't just a technical problem. It's a cultural one. It demands dynamic cyber resilience. And I know you're tired of hearing about SolarWinds, Log4Shell, and Kaseya. But it's not just your security at stake; it's everyone you rely on and everyone who relies on you. Even right now, we are watching The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants 🙀

That's why dependency monitoring, minimal permissions, and source validation are critical to securing your supply chain. In today's software-driven world, trust is embedded in every layer of how we build and ship technology. We trust the tools, the teams, the platforms, the packages. To mitigate risks effectively, we need a clear understanding of them. Let's explore approaching this with Immersive.

## Third-party risk management

Business stakeholder lens: Procurement and vendor management teams must understand that security isn't just a checkbox during onboarding. Ongoing third-party risk reviews and SLAs with teeth are essential. Security leaders should train these teams to ask the right questions and recognize red flags.

- Risk
- ISO 28000 – Security Management Systems for Supply Chains
- NIST 800-53: Ep.20 – Supply Chain Risk Management

Technical stakeholder lens: Security teams must know how to evaluate vendor security postures, monitor for changes, and validate that data flows are compliant and secure. Training should focus on threat modeling integrations and validating trust assumptions in vendor tooling.

- Secure Fundamentals: Security Patching
- Mobile Application Security Fundamentals: Inadequate Supply Chain Security

## Software supply chain

Business stakeholder lens: Non-technical leaders should understand that open source and third-party code aren't free; they come with ongoing maintenance, monitoring, and potential exposure. Funding and prioritization decisions should reflect this risk.

- NCSC Cloud Security: Ep.9 – Supply Chain Security
- Stack Overflow
- Secure Fundamentals: Least Privileges
- Introducing the Cyber Kill Chain

Technical stakeholder lens: Developers and AppSec teams need to understand transitive dependencies (the indirect, so-called shadow dependencies pulled in by the ones they declare), know how to interpret a Software Bill of Materials (SBOM), and be trained to look beyond their own code. CI/CD workflows must be hardened, with guardrails baked into the process: pin third-party actions to immutable commit SHAs rather than tags that upstream can move, and give workflow tokens only the permissions they need.

- CVE-2024-3094 (xz) – Supply Chain Compromise
- Events & Breaches: Monero Wallet Supply Chain Compromise
- Sunburst Supply Chain Compromise Collection

## Hardware and physical supply chain

Business stakeholder lens: Especially in regulated or critical industries, leaders must ensure that logistics and sourcing teams are trained to recognize risks around counterfeit or tampered hardware.
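Circling back to the software supply chain technical lens and the "minimal permissions and source validation" point earlier: two of the cheapest CI/CD guardrails against a tj-actions-style compromise are pinning every third-party action to a full commit SHA (a tag like `@v4` can be re-pointed by whoever controls the upstream repo; a 40-hex SHA cannot) and declaring a top-level `permissions:` block so the workflow token is not handed out with default scopes. The audit below is an added example written for this post, not Immersive lab content or a GitHub tool. The workflow text it checks is constructed, and the 40-character SHA in it is a placeholder, not a real commit.

```python
import re

# `- uses: owner/repo@ref`, `uses: ./local/path`, `uses: docker://image:tag`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)(?:@([^'\"\s]+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Only a column-0 `permissions:` counts as workflow-wide; job-level blocks are
# legitimate too, but this check deliberately asks for the global default.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)

# Constructed workflow for the demo (placeholder SHA, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - name: run tests
        run: npm test
"""


def audit_uses(text):
    """Return (line_no, action, ref, verdict) for every `uses:` line.

    verdict is one of: pinned (full SHA), mutable (tag or branch),
    unversioned (no @ref at all), local (./path or docker:// image, not judged here).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith(("./", "docker://")):
            verdict = "local"
        elif ref is None:
            verdict = "unversioned"
        elif FULL_SHA_RE.match(ref):
            verdict = "pinned"
        else:
            verdict = "mutable"
        findings.append((line_no, action, ref, verdict))
    return findings


def mutable_refs(text):
    """The `owner/repo@ref` strings that upstream could silently re-point."""
    return [f"{a}@{r}" for _, a, r, v in audit_uses(text) if v == "mutable"]


def has_top_level_permissions(text):
    """True when the workflow sets GITHUB_TOKEN scopes globally instead of inheriting defaults."""
    return bool(TOP_LEVEL_PERMISSIONS_RE.search(text))


def report(text):
    """Plain-language list of problems a reviewer should raise on the workflow."""
    problems = []
    for line_no, action, ref, verdict in audit_uses(text):
        if verdict == "mutable":
            problems.append(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
        elif verdict == "unversioned":
            problems.append(f"line {line_no}: {action} has no @ref at all")
    if not has_top_level_permissions(text):
        problems.append("no top-level `permissions:` block; GITHUB_TOKEN keeps its default scopes")
    return problems


if __name__ == "__main__":
    for problem in report(SAMPLE_WORKFLOW):
        print(problem)
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI job and fail the build on a non-empty report; a pinned SHA still needs a human-readable version in a trailing comment so Dependabot or Renovate can keep it fresh.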
- Business Continuity 101
- NIST 800-53: Ep.11 – Physical and Environmental Protection
- NIST 800-53: Ep.1 – Access Control

Technical stakeholder lens: IT and SecOps teams should be trained on verifying hardware provenance, firmware integrity, and secure provisioning practices. This is often an overlooked area in cyber training programs.

- IoT & Embedded Devices: Supply Chain Hardware Tampering

## Data handling in the chain

Business stakeholder lens: Legal and compliance teams must understand how data moves across vendors and jurisdictions. Training should focus on recognizing data sovereignty issues, breach notification responsibilities, and contractual risks.

- Compliance Data Handling
- Secure Fundamentals: The CIA Triad
- Secure Data Handling

Technical stakeholder lens: Data engineers, architects, and security teams should be trained on protecting data in transit and at rest, especially when working with third-party platforms or integrations. Zero trust principles also apply.

- OWASP 2021: Ep.8 – Software and Data Integrity Failures
- Modern Encryption

## Operational resilience

Business stakeholder lens: Executives and business continuity teams must recognize that vendor outages or upstream compromises can have downstream impact. Tabletop exercises should incorporate supply chain attack scenarios.

Recommended reading: House of cards: surviving a supply chain attack

Labs:

- Cyber for Board Members: Ep.8 – Supply Chains
- Cyber for Executives: Ep.7 – Supply Chain Security
- NIST 800-53: Ep.6 – Contingency Planning
- NIST 800-53: Ep.8 – Incident Response

Technical stakeholder lens: Incident response and engineering teams should be trained to detect and contain incidents involving third parties. This includes monitoring dependencies, rotating credentials, and updating playbooks for modern attack chains.

No labs this time! Exercising becomes critical:

- Cyber Training Essentials for Supply Chain Resilience
- Supply Chain: Template for Technical Teams

You may not cause the vulnerability, but you'll own the breach. You can't wait until the postmortem to start training your teams to see beyond the perimeter. A resilient cyber culture ensures that your people are ready to respond when trust is compromised. Supply chain security is a shared responsibility, but it starts with recognition and increasing cultural buy-in. At the end of the day, an ounce of prevention beats a pound of postmortem.

## Share your thoughts

- Did you learn anything surprising about the interconnectedness of supply chain risks?
- What do you think is the biggest hurdle to strong supply chain security?
- Share a practical tip or strategy that worked for you!

Big thanks to ZacharyAbrams for assisting with content reviews and recommendations in today's blog! Want laser-focused recommendations for your unique program needs? Chat with your CSM about Premium Support to work with legends like Zack!

Get updates in your inbox on posts like this by following the Human Connection Blog!

# Cyber Drills and Outcome-Based Programs: A Hands-On Approach to Cyber Resilience
## What are cyber drills and outcome-based programs?

### Cyber drills vs. outcome-based programs

| Cyber drills (prove) | Outcome-based programs (improve) |
|---|---|
| Simulate a realistic cyberattack to test response capabilities | Ongoing, structured programs to build and improve security operations |
| Benchmark security preparedness at a given point in time | Measure progress over time with defined success metrics |
| Team-based exercises that focus on immediate response | Tailored multi-year programs that address specific security gaps |
| One-off or periodic events | Continuous learning and improvement |

The key difference is that cyber drills test and prove preparedness and expose improvement areas; outcome-based programs address those improvement areas and enhance an organization's ability to detect, respond to, and recover from cyber threats. Combined, these approaches provide sustainable, robust cyber resilience.

## Designing an effective outcome-based program

To implement an outcome-based program successfully, organizations must consider the following factors:

### 1. Understanding business objectives and risk tolerance

Before designing a program, it's crucial to understand:

- Business goals: what is the organization trying to achieve?
- Risk appetite: how much risk is the company willing to take?
- Regulatory requirements: what compliance standards must be met?

### 2. Defining measurable outcomes

Success should be based on quantifiable improvements, such as:

- Reduced incident response time
- Fewer security breaches
- Improved threat detection capabilities
- Stronger alignment with regulatory requirements

### 3. Tailoring the program to the organization

Organizations are unique, and outcome-based programs must be customized to fit:

- Risk assessment results
- Threat landscape
- Technology stack and processes
- Security team capabilities

### 4. Implementing and monitoring progress

A phased approach ensures better adoption:

- Pilot phase: test the program with a small team before full deployment
- Phased rollout: implement step by step to ensure success
- Continuous reporting: regularly track metrics and adjust the program as needed

### 5. Demonstrating ROI and business value

To gain leadership buy-in, organizations must:

- Showcase case studies of successful implementations
- Use data-driven insights to highlight improvements
- Demonstrate long-term value beyond compliance

## Example: A multi-year cybersecurity resilience program

A well-structured outcome-based program can span multiple years, evolving as threats change.

- Year 1: Conduct cyber drills, crisis and incident response exercises and assessments, and document response plans. Develop improvement plans and program scope.
- Year 2: Technical and executive training, incident handling exercises.
- Year 3: Advanced cybersecurity drills, scenario-based threat modeling, multi-team exercising. Process and policy stress testing.
- Year 4: Purple teaming, improving collaboration between defense and offense teams.
- Year 5: Full-scale red teaming and supply chain cyber drills.

This approach ensures that organizations continuously prove and improve rather than just react to incidents.

## Final thoughts: The future of cybersecurity training

Moving from traditional cybersecurity upskilling to cyber drills and outcome-based programs requires:

- A shift in mindset: focus on long-term resilience, not just one-time testing.
- Cross-department collaboration: security is not just IT's responsibility; leadership buy-in is crucial.
- Expertise in design and delivery: outcome-based programs must be well-structured and measurable.

By embracing cyber drills and outcome-based cybersecurity training programs, organizations can stay ahead of threats and build a stronger, lasting security culture.

## Share your thoughts

- Is your organization ready to move beyond traditional cyber upskilling?
- Where do you feel the biggest challenge lies, out of the three points mentioned above?
- Have you had success in overcoming these challenges? If so, share how with the community.

Let's build a cybersecurity strategy that delivers accurate, measurable results.

# Understanding CVE-2024-21412: A Zero-Day Exploit Targeting Windows Users
## What is CVE-2024-21412?

CVE-2024-21412 is a security feature bypass vulnerability in Windows Defender SmartScreen. SmartScreen normally evaluates the reputation of downloaded files and displays a warning before running unrecognised or suspicious ones. This vulnerability allowed attackers to circumvent that warning and run malware on unsuspecting systems.

## Which systems are affected?

CVE-2024-21412 impacts a broad range of Windows systems, including:

- Windows 10 (various versions)
- Windows 11 (various versions)
- Windows Server 2019 and later versions

## How can this vulnerability be used against your systems?

Attackers exploited CVE-2024-21412 by crafting a Windows Internet Shortcut (.url) file that pointed to another .url file on a remote, attacker-controlled SMB share. Because the second shortcut was fetched and opened from that share rather than from a local download, the file at the final location executed without the SmartScreen warning a directly downloaded file would have triggered. Researchers published a proof-of-concept exploit, demonstrating how little effort the bypass takes.

Attackers also abused the Windows Search protocol handler (search-ms:) to deceive users. They crafted malicious links that appeared to point to local files but in reality connected to an attacker-controlled server. This tricked users into opening malicious files without realising they were being fetched from an external source.

## How to protect your organisation

Microsoft addressed CVE-2024-21412 in its February 2024 Patch Tuesday release. Installing this patch is the single most important mitigation for this vulnerability.

In addition to patching, organisations should implement comprehensive monitoring and detection to identify and mitigate threats across all stages of an attack. This includes using intrusion detection systems, firewalls, and security information and event management (SIEM) tools to monitor network traffic and system activity for suspicious behaviour. Two signals follow directly from how this exploit works and are worth hunting for explicitly: .url files whose target is a UNC path or a file:// URL on a host outside your network, and outbound SMB (TCP 445) connections from user workstations to external addresses, which the double-shortcut chain cannot function without.
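To make the first of those hunts concrete, here is an added example, written for this post rather than taken from the Immersive lab, that triages the decoded text of .url files for the CVE-2024-21412 pattern: a `file://` target on a remote SMB share, a target that is itself another .url, a `search-ms:` scheme, or an `IconFile` on a remote share (Explorer fetches such icons over SMB merely to render the shortcut). The five shortcut bodies at the bottom are constructed for the demo; 203.0.113.0/24 is a documentation address range, not a real host.

```python
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
UNC_HOST_RE = re.compile(r"\\\\([^\\/\s]+)\\")        # \\host\share...
FILE_HOST_RE = re.compile(r"^file:/+([^/]+)/", re.I)  # file://host/... (after \ -> /)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def parse_url_file(text):
    """Return the key=value pairs of the [InternetShortcut] section, keys lower-cased.
    The format is INI-like; this parser is deliberately lenient, as Windows is."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def remote_hosts(value):
    """Hosts named by UNC paths or file:// URLs in value, minus loopback and drive letters."""
    hosts = {m.group(1) for m in UNC_HOST_RE.finditer(value)}
    m = FILE_HOST_RE.match(value.replace("\\", "/"))
    if m:
        hosts.add(m.group(1))
    return {
        h.lower() for h in hosts
        if h.lower() not in LOCAL_HOSTS and not re.fullmatch(r"[a-z]:", h, re.I)
    }


def assess_shortcut(text):
    """Classify one .url file body; returns the flags that fired and a verdict."""
    values = parse_url_file(text)
    url = values.get("url", "")
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    hosts = remote_hosts(url)
    flags = []
    if scheme == "file" and hosts:
        flags.append("remote_smb_target")       # target lives on someone else's share
    elif hosts:
        flags.append("remote_unc_reference")    # e.g. search-ms crumb=location:\\host\share
    if url.lower().endswith(".url"):
        flags.append("chains_to_another_url")   # the CVE-2024-21412 double hop
    if scheme == "search-ms":
        flags.append("search_ms_scheme")
    if remote_hosts(values.get("iconfile", "")):
        flags.append("remote_icon_file")        # icon fetched over SMB just to draw the shortcut
    return {"url": url, "scheme": scheme, "hosts": sorted(hosts),
            "flags": flags, "verdict": "suspicious" if flags else "benign"}


# Constructed samples (not real artefacts).
BENIGN = """[InternetShortcut]
URL=https://example.com/docs
"""
SMB_CHAIN = r"""[InternetShortcut]
URL=file://\\203.0.113.5\share\invoice.url
IconIndex=0
"""
SEARCH_MS = r"""[InternetShortcut]
URL=search-ms:query=invoice&crumb=location:\\203.0.113.5\share&displayname=Downloads
"""
LOCAL_DRIVE = r"""[InternetShortcut]
URL=file:///C:/Users/Public/readme.txt
"""
ICON_ONLY = r"""[InternetShortcut]
URL=https://example.com/
IconFile=\\203.0.113.5\share\app.ico
IconIndex=1
"""

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("smb_chain", SMB_CHAIN), ("search_ms", SEARCH_MS),
                       ("local_drive", LOCAL_DRIVE), ("icon_only", ICON_ONLY)]:
        print(name, assess_shortcut(body))
```

Feed it the contents of .url files harvested from download folders, mail attachments or the Elastic index the lab uses, and escalate anything with `remote_smb_target` plus `chains_to_another_url`; a local-drive target with no remote references is the everyday benign case.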
Organisations should also consider employing real-time behaviour analytics to surface unusual activity and identify potential threats, even when they bypass traditional security measures. This involves analysing user and system behaviour patterns to detect anomalies that could indicate an attack.

## Conclusion

CVE-2024-21412 highlights the importance of cybersecurity awareness and proactive measures: a regular patching policy and broader organisational cyber resilience together reduce the window in which a bypass like this can be used. As always, staying informed about potential vulnerabilities is a crucial step in reducing the risk of your organisation being attacked.

## Recommended content

To learn how to detect this vulnerability in a sandboxed environment, check out the following lab: CVE-2024-21412 (SmartScreen Bypass) – Elastic Log Analysis. In this lab, you'll use Elasticsearch to detect the presence of malicious .url files in logs.

## Share your thoughts

Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.

# Breaking Down Walls to Make Way for AI
The rapid rise in the popularity and application of AI has been unprecedented. We are actively experiencing the dawn of a revolutionary chapter in technology and innovation, but it also feels a little like this, don't you think?

AI is everywhere. Even where you didn't ask for it, or frankly may not want it. Its rise brings security risks that require comprehensive, strategic management. Are you training your teams on AI security risks? Are you reviewing procedures to protect your business as the threat surface expands? You're not alone. Let's get into how we're guiding customers through these challenges. Immersive can provide knowledge, skills building, and engaging challenges for your teams to address risks from different angles.

## Artificial intelligence foundations

To protect an organization, you need to know what you're protecting it from. These are some of our core recommendations:

- AI for Business: Gain an understanding of various risks associated with implementing and integrating AI in a business context. These risks include the challenges of implementation, potential issues in day-to-day AI utilization, and the broader implications of AI on operations. These labs will equip individuals with the knowledge to effectively leverage AI while being mindful of these risks.
- AI Fundamentals: Learn about emerging threats, generative AI models, and prompt injection attacks. Gain a comprehensive understanding of AI's implications in cybersecurity and AI-related security risks, and get practical experience mitigating those risks.

## Build knowledge around internal risks

AI often enters businesses through productivity tools or internal chatbots, like ChatGPT, for HR or finance queries. Using internal AI apps creates risks around data access, data handling, privilege management, improper use of LLMs, and compliance considerations (or consequences). Some of these considerations are also relevant to external AI risks.

Here are some collections to get your team's gears turning around AI-adjacent considerations and internal risk:

Cloud Security

- Identity and Access Management
- Secrets and Encryption in AWS
- NIST – Guidelines on Security and Privacy in Public Cloud Computing (800-144)

Risk and Compliance

- ISO 22381 – Security and Resilience for Identification Systems
- ISO 27014 – Governance of Information Security
- ISO 27018 – Protecting Private Data in Public Clouds
- ISO 28000 – Security Management Systems for Supply Chains
- ISO 31000 – Risk Management

Let's not forget: with new tools come new access and alerting patterns. You'll need to ensure your Digital Forensics and Incident Response (DFIR) teams are ready to analyze new signals and identify the corresponding indicators of compromise (IoCs) for new technologies.

Digital Forensics

- Introduction to Digital Forensics
- Digital Forensics
- Threat Hunting – Theory
- Threat Hunting
- Introduction to Incident Response and Forensics in AWS

## Upskill to protect your business from external risk

As customer-facing AI expands, so does your threat surface. The risks remain rooted in attacks humans conduct today; they're just becoming more sophisticated with AI. If threat actors use AI maliciously against your business, you might see advanced social engineering attacks. This could include sophisticated phishing attacks or AI-generated voice, image, or video to manipulate users into disclosing credentials. Here are a few hands-on content recommendations that will keep your team response-ready:

- Events and Breaches: Gain familiarity with some of the biggest cyber events and most infamous data breaches in hacking history. Buckle up for interactive labs that will get you thinking about real-world events and how AI could affect these types of scenarios.
  - Events and Breaches: Data Exposure
  - Events and Breaches: Phishing Fraud
  - Events and Breaches: Data Leaks
- Emerging Threats: Attackers are quick to adopt new tools and tactics, giving them a first-mover advantage. Labs in this collection will get you hands-on with the latest methods used by threat actors around the globe. These labs aren't explicitly focused on AI threats, but since AI threats are rooted in legacy techniques, this collection will help your team prepare for the variations AI may introduce.

There are also increased risks with publicly facing AI tools that are integrated into internal databases or systems. These non-human identities have access to potentially sensitive databases, making them open to prompt injection attacks in addition to legacy techniques. Here are some of our content recommendations to prepare your teams explicitly for these types of AI challenges:

- Fundamental AI Algorithms: Gain a deep understanding of various AI algorithms and their practical applications in cybersecurity. Engage with labs on machine learning, deep learning, and specific algorithms, and complete tasks such as implementing algorithms and analyzing results. Practitioners will gain hands-on experience applying AI techniques to enhance cybersecurity measures and mitigate cyber threats.
- AI Challenges: Test your knowledge and skills around AI security risks such as AI plugin injections, function calling, and prompt injection attacks. Complete hands-on exercises to find vulnerabilities in AI systems, beat the bot, and actively exploit vulnerable LLM implementations.

Staying ahead in a rapidly evolving tech landscape requires continuous learning and skill-building. But readiness doesn't stop there. You must also be well-practiced in handling new and challenging situations. Regular exercises, like prompt injection attack detection and AI-driven social engineering tabletop drills, are essential for keeping your teams prepared. As threats evolve, Immersive will continue to deliver integrated labs and industry-leading exercising capabilities so your teams are ready to protect your business.

## Share your thoughts

- What skills are critical for your team to mitigate AI risks?
- Did you beat our AI Challenges? Are you hungry for another byte 👾? Comment below!

Stay ready in the face of increased risks, bot or not.

Get updates in your inbox on posts like this by following the Human Connection Blog!

# Human Connection Challenge: Season 1 – Scanning Walkthrough Guide (Official Version)
Time’s Up! Congratulations to everyone who completed Lab 2: Scanning from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab, based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine! The goal is to learn, and I hope these notes help clarify any steps and reinforce key concepts for the next challenge. This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed. I’ve also used placeholders in some of the commands that would give away an answer directly, so if you see anything enclosed in angle brackets, such as <name server>, please make sure you replace it with the actual value, such as nameserver. With all that considered, let's get started. Overview Task: Identify the name server records of tinytown.bitnet. 1. What is the IP of the first name server for tinytown.bitnet? You’ll first need to open a Terminal on the Kali desktop. Next, you’ll need to query the DNS Server IP (found in the Machines panel) about the tinytown.bitnet domain using the nslookup (Name Server Lookup) tool. You’re specifically looking for NS (Name Server) records, so you can use the -type=ns parameter with nslookup to specify this: nslookup -type=ns tinytown.bitnet [DNS Server IP] The output of this command will return two name servers for the domain labelled with 1 and 2. Your next step is to identify what IP address is associated with the first name server (1). To do this, you can use nslookup along with the name server, domain, and DNS Server IP: nslookup <name server>1.tinytown.bitnet [DNS Server IP] This command will then return an IP address for the name server. 2. What is the IP of the second name server for tinytown.bitnet? 
As you’ve already identified both name servers, you’ll just need to run the previous command, except with the second (2) name server: nslookup <name server>2.tinytown.bitnet [DNS Server IP] You’ll then find the IP address associated with it. Task: Identify port service information for Target 1. 3. What service version is running on port 53? A network scanning tool like Nmap can help you identify the service version running on a specific port. To do this with Nmap, you can use the -sV option for service detection: nmap -sV [Target 1 IP Address] The output will show what service version is running on port 53. 4. What is the full service banner of port 22? There are a couple of ways to find the full service banner of port 22 – such as with Nmap or Netcat. If you’re using Nmap, you can modify the previous command to include the “banner” script along with the port number: nmap -sV -script=banner [Target 1 IP Address] -p22 The command line will then display the service banner from port 22. You can alternatively use netcat to manually connect to the SSH server. When a client connects, Netcat may present a banner that contains version information. To use Netcat, you’ll need the nc command along with the Target 1 IP address and specify you want to connect to port 22: nc [Target 1 IP Address] 22 When you run this command, the banner appears before the terminal hangs. Task: Identify a token on one of the ports. 5. What is the token? With the previous Nmap command, you initially found that three ports were open on Target 1. However, you’ll need to do a more thorough network scan to find another open port, one not initially found with the previous scans. 
To do this, you can expand your port scan to cover a much wider range by using Netcat to scan for open ports from 1 through 9000:

nc -zvn <Target 1 IP Address> 1-9000

Here, -z will scan for listening services but won’t send any data, -v is verbose mode, which provides more detailed information, and -n tells Netcat not to resolve hostnames via DNS. This command will reveal a fourth open port. Now, you can use Netcat to connect to this port:

nc <Target 1 IP Address> <open port>

The token will then be displayed in the terminal.

Task: Scan the TLS configuration on Target 2.

6. How many protocols are enabled?

To scan for SSL/TLS configurations, you can use the sslscan tool. By default, sslscan scans port 443 and will return supported server ciphers, certificate details, and more. You can use sslscan like this:

sslscan <Target 2 IP Address>

The returned output will be verbose, but you can find and count the number of enabled protocols under the SSL/TLS Protocols subheading.

7. Name an enabled protocol.

Using the previous output, name one of the enabled protocols.

8. What exploit are the protocols NOT vulnerable to?

Using the same output, scroll down through the results until you find a subheading that’s named after a vulnerability and contains a string similar to:

<Protocol> not vulnerable to <vulnerability name>

The vulnerability has the same name as the subheading.

Task: Identify and extract information from an SMB share on Target 3.

9. What Disk shared directory can you access?

To extract information from an SMB (Server Message Block) share, you can use the smbclient tool. First, you’ll need to list the SMB shares on the target using the -L flag (the list/lookup option):

smbclient -L //<Target 3 IP>

You’ll then be prompted for a password, but you can press Enter to skip this. A list of SMB shares will then be displayed, three of which are shown to be of Disk type, so you know the answer will be one of these.
You can now begin to go through the list and try to connect to the shares with:

smbclient //<Target 3 IP>/<Sharename>

However, this time when you’re prompted for a password and press Enter, you might encounter a message when you try to connect to a share:

NT_STATUS_ACCESS_DENIED

If you attempt to connect to all shares, you’ll find you can connect to one share without a password. You’ll then be greeted with the following prompt to show the successful connection:

smb: \>

10. What is the token stored in the directory?

Now that you’re connected, you can execute commands to interact with the SMB share. If you run ls, you’ll find a token.txt file in the current directory. You can then download the file from the share onto your local machine with:

get token.txt

On the Kali desktop, open the Home folder and the token.txt will be inside. Open this file and find the token.

11. What is the username stored in the directory?

After you’ve run ls in the SMB share, you’ll find not only token.txt but also a file named creds.txt. Use the same command as before to download the file onto your machine:

get creds.txt

This file will also be downloaded to the Home folder, where you can find a username and password.

Task: Identify open services on Target 3.

Task: Connect to Target 3 with the previously found credentials.

12. What is the token stored in the user's /Documents directory?

For this final task, you first need to scan the target using Nmap. You’ll find that if you attempt to scan the target without using the -Pn flag, you’ll get a response saying that the host seems down. However, if you run Nmap with -Pn, you’ll find some ports are open:

nmap -Pn <Target 3 IP Address>

However, the ports returned from this command don’t offer a way to connect to the target.
You’ll also need to scan the 6000 most popular ports:

nmap -Pn --top-ports 6000 <Target 3 IP Address>

These results will now show two additional open ports belonging to the Web Services Management (Wsman) protocol, which is used to communicate with remote machines and execute commands. One of the tools that implements this protocol is Windows Remote Management (WinRM), which is Microsoft’s implementation of Wsman. Knowing this, you can now use Metasploit to interact with the target. In your terminal, run:

msfconsole

Once loaded, you can use the following auxiliary module to connect to a system with WinRM enabled and execute a command with:

set cmd ls

You’ll then need to set the following options, using the credentials you found in the creds.txt file:

set username <username>
set password <password>
set rhosts <Target 3 IP Address>

Next, you need to set the cmd option with the command you want to run. If you use the ls command, you’ll be able to find out what files are in the directory you connect to:

set cmd ls

With all the options set, you can now run the module:

run

The results of the executed command will be printed on the screen and also saved to a directory, but both show the existence of a token.txt file in the current directory. You can now set the cmd option to type token.txt in Metasploit:

set cmd type token.txt

Once set, use the run command to send the updated command:

run

The contents of token.txt will then be displayed on the screen and written to a file.

Tools

For this challenge, you’ll use a range of tools including:

Nslookup
Nmap
Netcat
Sslscan
Smbclient
Metasploit

Tips

You can use different tools and parameters within those tools to scan for and find information, so don’t be afraid to try out a few different things!
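The sweeps in questions 3 and 5 (nmap -sV, then nc -zvn over ports 1-9000) are exactly what a defender on Target 1 would want to notice: one source touching many ports in a short time, mostly on closed ports. The following is an added example, not part of the walkthrough or of any Immersive Labs tooling; it runs a simple sliding-window sweep detector over constructed firewall-style log lines in a hypothetical format ("<epoch> <src> <dst> <port> <ACCEPT|DROP>"). Both ACCEPT and DROP records are counted, because a -z style sweep produces far more rejected attempts than successful ones, and those rejections are the signal.

```python
"""Detect port sweeps, like the Netcat and Nmap scans in this lab, from
connection logs. Added example, not part of the walkthrough or of any
Immersive Labs tooling. The log format is a constructed, hypothetical
firewall line: "<epoch seconds> <src ip> <dst ip> <dst port> <ACCEPT|DROP>"."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<port>\d+) (?P<action>ACCEPT|DROP)$"
)


def parse_line(line):
    """Return (ts, src, dst, port, action) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["port"]), m["action"]


def build_sample_log():
    """Constructed sample (not captured from the lab): 10.0.0.5 sweeps ports 1-40
    on 10.0.0.20 over ten seconds, while 10.0.0.9 makes ordinary HTTPS requests."""
    lines = []
    for i, port in enumerate(range(1, 41)):
        # A -z style sweep touches one port after another; only a few are open,
        # so most attempts show up as DROP. The DROPs are the detection signal.
        action = "ACCEPT" if port in (22, 53, 80) else "DROP"
        lines.append(f"{1700000000 + i // 4} 10.0.0.5 10.0.0.20 {port} {action}")
    for i in range(5):
        lines.append(f"{1700000000 + i * 7} 10.0.0.9 10.0.0.20 443 ACCEPT")
    return lines


def max_distinct_ports(events, window):
    """events: (ts, port) pairs sorted by ts. Return the largest number of distinct
    ports seen within any span of `window` seconds (sliding two-pointer window)."""
    counts = Counter()
    best = left = 0
    for ts, port in events:
        counts[port] += 1
        while events[left][0] < ts - window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_port_sweeps(lines, threshold=20, window=60):
    """Group attempts by (src, dst) and flag pairs whose distinct-port count within
    `window` seconds reaches `threshold`. Returns {(src, dst): distinct_ports}."""
    per_pair = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, src, dst, port, _action = parsed
        per_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, events in per_pair.items():
        events.sort()
        distinct = max_distinct_ports(events, window)
        if distinct >= threshold:
            alerts[pair] = distinct
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(build_sample_log()).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports within 60s")
```

On the constructed sample the sweeping host is reported with 40 distinct ports while the HTTPS client, which repeatedly hits a single port, is not. The threshold and window are the knobs to tune against real traffic; a wide sweep like the 1-9000 range in question 5 stands out at almost any setting, whereas a slow scan spread over hours needs a longer window.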
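Questions 6 to 8 are answered by reading sslscan's report by eye. The following is an added example (not the walkthrough's own steps and not part of sslscan) that parses the SSL/TLS Protocols section and the "<Protocol> not vulnerable to <name>" lines, counts the enabled protocols, and additionally flags any enabled version that the IETF has withdrawn, which is the hardening question a defender asks of the same output. SAMPLE_OUTPUT is constructed and modelled on sslscan's text layout; it is not a capture from Target 2.

```python
"""Audit the protocol section of sslscan's text output. Added example, not the
walkthrough's own steps or part of sslscan. SAMPLE_OUTPUT is constructed and
modelled on sslscan's report layout, not captured from Target 2."""
import re

# Constructed sample (hypothetical host), trimmed to the sections this audit reads.
SAMPLE_OUTPUT = """\
Testing SSL server 192.0.2.10 on port 443 using SNI name 192.0.2.10

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed
"""

PROTOCOL_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3])\s+(enabled|disabled)$")
NOT_VULN_RE = re.compile(r"^(\S+) not vulnerable to (\S+)$")

# Versions withdrawn by the IETF: SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996).
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_sslscan(text):
    """Return (protocols, not_vulnerable): protocols maps version -> enabled flag,
    not_vulnerable maps a check name -> set of versions reported as not vulnerable."""
    protocols = {}
    not_vulnerable = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROTOCOL_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2) == "enabled"
            continue
        m = NOT_VULN_RE.match(line)
        if m:
            not_vulnerable.setdefault(m.group(2), set()).add(m.group(1))
    return protocols, not_vulnerable


def audit(text):
    """Answer the lab's three questions and add the hardening view: how many
    protocols are on, which ones, which of those are legacy, and which checks passed."""
    protocols, not_vulnerable = parse_sslscan(text)
    enabled = sorted(v for v, on in protocols.items() if on)
    return {
        "enabled_count": len(enabled),
        "enabled": enabled,
        "legacy_enabled": [v for v in enabled if v in LEGACY],
        "not_vulnerable": {k: sorted(vs) for k, vs in not_vulnerable.items()},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_OUTPUT)
    print(f"{report['enabled_count']} protocols enabled: {', '.join(report['enabled'])}")
    if report["legacy_enabled"]:
        print("legacy versions still on, disable:", ", ".join(report["legacy_enabled"]))
    for check, versions in report["not_vulnerable"].items():
        print(f"{check}: not vulnerable on {', '.join(versions)}")
```

Against the constructed sample the audit reports three enabled protocols, names TLSv1.0 and TLSv1.1 as legacy versions that should be switched off, and records that every enabled version passed the Heartbleed check. Piping real sslscan output into audit() gives the same summary for a host you administer.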
If you want to learn more about some of the tools within this lab, take a look at the following collections:

Reconnaissance
Nmap
Infrastructure Hacking
Introduction to Metasploit
Post Exploitation with Metasploit

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions; as long as you find the answer, you did it – well done! If you found another way to find some of these answers and think there’s a better way to do it, please post them in the comments below! I hope you enjoyed the challenge and I’ll see you for the next one.

Experience-Driven and Intrinsic Learning in Cybersecurity
Experience-driven learning

Experience-driven learning can take many forms, including:

Practical simulations
Role-playing exercises
Individual hands-on learning
Team-based exercising

For example, some employees may be presented with micro exercises that pivot around key risk areas such as device security, data handling or social engineering. Others may participate in a tabletop exercise that simulates a ransomware attack, allowing them to practice incident response, crisis management, and recovery procedures in a safe and engaging environment. More technical teams can experience a real attack on real infrastructure in a cyber range, working together to identify and understand the attack using defensive and forensic tools.

These types of activities foster intrinsic learning, driven by personal interest and the desire for self-improvement rather than external rewards like grades or promotions. These types of activities also engage natural human behaviours related to gamified learning, both individually and as a team.

Intrinsic learning

Intrinsic learning can be particularly valuable, especially in the context of cybersecurity, because it allows employees to develop a deeper understanding and appreciation of the subject matter beyond what is required for their job. This approach to learning is not only more engaging and effective but also helps organizations identify areas for improvement and potential vulnerabilities.

Intrinsic learning can also help foster a culture of continuous learning within the workforce. By encouraging employees to pursue their interests and explore new areas of cybersecurity, organizations can create an environment where individuals feel empowered to take ownership of their learning and seek out new opportunities for growth and development.
To make your cybersecurity training more experiential and foster intrinsic motivation for learning, consider the following steps:

Align with personal goals: Empower team members to align upskilling pathways with their career aspirations and professional development.

Emphasize real-world relevance: Showcase how the skills learned directly apply to current cybersecurity challenges and job responsibilities.

Provide autonomy: Allow learners to freely explore different topics and skills.

Create a supportive environment: Encourage peer-to-peer learning and mentorship opportunities to build a culture of continuous improvement.

Celebrate progress: Recognize and highlight individual and team achievements to boost confidence and motivation.

Implement adaptive challenges: Gradually increase difficulty levels, ensuring learners are consistently challenged but not overwhelmed; the right level of learning is more important than the quantity.

Encourage reflection: Prompt learners to analyse their performance after each exercise, especially team-based ones, fostering a growth mindset and self-awareness.

Facilitate knowledge sharing: Organize regular debriefing sessions where individuals can discuss their experiences and insights gained from the training.

Connect to organizational impact: Demonstrate how improved cybersecurity skills contribute to the overall success and resilience of the organization.

Provide immediate feedback: Leverage Immersive Labs' real-time feedback mechanisms to help individuals understand their progress and areas for improvement.

By implementing these steps, you can create a more engaging and intrinsically motivating cybersecurity training experience, fostering a culture of continuous learning and skill development within your organization.

Conclusion

Incorporating intrinsic and experience-driven exercises into your cyber resilience strategy can be an effective way of measuring and improving your overall resilience.
Today, the need to exercise effectively has become a key feature of many cyber security frameworks and directives such as ISO27001, NIS2 and DORA, requiring organisations to maintain proof with policies and procedures underpinned by data and results.

What have you experienced in your own upskilling journeys to get you where you are today? Have you found that some ways work better than others: individual, team, hands-on, theory, classroom? What are your favourite ways to learn and stay motivated with the ever-changing cyber landscape right now? Share your stories and insights in the comments below!