Interview: Ben Spring, University of Portsmouth Student & TryHackMe Founder

Training platforms to enable learning about cybersecurity are fairly prominent, but one was launched this year by an entrepreneurial student from the University of Portsmouth to enable Capture the Flag events to be run.

Named TryHackMe, the first HackBack CTF event for universities took place in March and founder Ben Spring explained that TryHackMe was “created as a way to get others learning cybersecurity in an enjoyable and interactive way.” The concept works with deliberately vulnerable machines deployed in a cloud with supporting tutorials and questions, allowing users with different skill sets to learn at their own pace.

This has been scaled up and has reached over 1000 members, and the platform is being used within universities teaching computer science and ethical hacking, with challenges and questions across six categories: web exploitation, forensics, OSINT, scripting, networking and reverse engineering.

Spring talked to Infosecurity about setting up the company and what he was hoping to achieve with the concept.

Give us an explanation of what TryHackMe is and how it works
The reason we created TryHackMe was to make it easier for people to break into and upskill in cybersecurity. The current approach to learning is fragmented: people use a combination of books and contrived training environments, and a lot of online research is required just to get started. To make it simpler, we use virtual rooms that allow users to deploy training environments and use question-answer based approaches to actually learn instead of blindly attempting to run tools (without checking if they fit the use case).

For example, this beginner-level room shows you how to configure the Burp Suite web application security tool and use it to learn web security.

Our platform has the capability to deploy vulnerable machines in the cloud that support the courses available on TryHackMe. This allows teachers and students to focus on learning, rather than setting up an environment. We are different because anyone in the security community can create their own rooms and contribute to spreading their resources/knowledge; we are focused on training individuals from the ground up using fundamental methodologies and real-world environments/scenarios. 

We are still in the process of creating rooms and educational resources for our users. At the moment, our main focus is to create courses for the fundamentals of the major security areas and build customer relationships.

Is it your intention to remove the complication around CTF events so they are easier to organize?
While TryHackMe can be used for security training or organizing CTFs, our platform offers the flexibility for different options like running one-off events and organizing workshops. TryHackMe is great for this because anyone can easily distribute their own materials and focus on core learning instead of spending hours setting everything up. Learning is done by creating or using virtual rooms on the platform.

We also create bespoke workshops and CTF events upon request. For example, we have been contacted by CompTIA to create a custom CTF event for Infosec 2019 and a wargames scenario for CyberReady using the platform. Once we have created the challenges and added them to TryHackMe, they can be easily distributed by giving users a code to enter a virtual classroom. Every room has a chart and scoreboard so everyone can monitor users’ progress; this is also being used to assess potential employees’ ability when hiring.

Have you had any trials of running this internally, or across other universities - is it your intention to do this across universities?
Our aim is to show people that cybersecurity-based roles are viable career options and we want to make it as easy as possible for people to gain the skills needed for these roles. With the flexibility that our platform offers, it is painless for any user to build challenges, add training material and make it available to others.

We use this functionality ourselves to create beginner-friendly rooms for areas like web application security, reverse engineering and cloud exploitation. Other users have also contributed by creating their own training material and challenges, including for learning Nessus, learning Nmap and learning the basics of penetration testing, enumeration and privilege escalation.

Is it your intention to give people some experience of attack/defense in a live environment to aid that?
Giving people a virtual environment is just one part of gaining experience. TryHackMe tries to provide training through the use of virtual classrooms; these classrooms provide realistic training environments with a focus on reinforcing learning so that users can apply their skills to real world situations.

We don’t want to throw people into an environment, but provide a guided approach to learning fundamental skills that are applicable in industry.

As our platform grows and community members upload their own material to share, it will benefit everyone as we hope to cover the majority of areas cybersecurity has to offer. With our University outreach and platform to not only encourage individuals to get involved with security but also learn about an area which interests them, we contribute to helping fill the skills gap in the industry.

You held your first event in March with over 16 universities. Was there a positive response to the platform?
Our goal was for people to learn about different concepts within cybersecurity, whilst collaborating with other students to enrich their own understanding, and in the end over 200 participants signed up to the event. We were very grateful to Context Information Security for sponsoring this event, and supporting the development of students in computer security.

We were in communication with students even after the event to work with them to solve the challenges and help them better understand how to enter the field of cybersecurity. We were overwhelmed that our event opened a large number of students’ eyes to a potential new career path, and it makes the hundreds of hours we put into making the platform and HackBack challenges all worth it. Due to the first HackBack event being so successful, we are running another University event this October.
