tl;dr

Part 1: Teaching security, how does it work?
* http://pentest.cryptocity.net/history/
* http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis
* http://csawctf.poly.edu/

Part 2: Intelligence-driven defense starts to fill in the strategic debt on 
defense that was cited in Dave's presentation. Find yourself a copy of 
'Intelligence-Driven Computer Network Defense by Analysis of Adversary 
Campaigns and Intrusion Kill Chains' for the best description yet of how it 
works and what you can do with it.

---

Hey Daily Dave,

Dave is referring to an e-mail I sent him regarding his answer to this question 
near the end of the video:

Adam: "… In the academia side, it's kind of slow and tedious to bring students up with the 
expertise that you need to be a very, very acute attacker. Like you said it takes you hundreds 
of hours to build out the tools, identify the 0day ...<snarky comment from Dave about Eve 
Online>… From an academic perspective, what kind of suggestions could you make for building 
out programs that are actually effective at making people more intelligent attackers?"

Dave: "I don't know. This is straight up: attackers are basically crazy people, 
because you have to be to be successful. It's a combination of paranoia, OCD and a bunch 
of other stuff…"

I've been teaching university students exactly the skills that Adam mentioned 
for the last four years at NYU:Poly, and it's a task that I've found is possible 
in the confines of a single 13-week class when presented effectively, although 
I would say I incite passion and obsession in my students rather than paranoia 
and OCD :-). Through the efforts of my class, the university has also been able 
to establish contacts with some of the most impressive "attackers" in the 
industry, which is slowly changing its entire approach to security education 
and research.

---

The Penetration Testing and Vulnerability Analysis course

NYU:Poly has over 10 security courses available to both undergraduates and 
graduate students, and the capstone course in the curriculum is my own penetration 
testing and vulnerability analysis course, which I've taught since 2008. We [1] 
teach students to think and act like attackers, walking them through finding 
their own bugs, exploiting them, using them, establishing presence inside a 
target, and making use of their presence to accomplish a goal – we cover the 
entire lifecycle of an actual intrusion. It's a programming-intensive course 
where we teach fundamental skills like code auditing, reverse engineering and 
web hacking from the perspective of finding exploitable bugs rather than 
assessing applications for all vulnerabilities. To complete the course, 
students work on their own self-selected independent research project, which 
helps them identify where their passions lie in the subject area.

In an effort to help others replicate this success I've released all of the 
course materials on my website [2], given specific advice to professors 
attempting similar courses in a presentation at SOURCE Boston 2009 [3], and 
given a video interview outlining the need for teaching security this way [4]. 
I also participated in a panel discussion on security education at SOURCE 
Boston 2011 and Andy Ellis was kind enough to tweet some of my more interesting 
comments as I made them [5].

This course has resulted in significant numbers of students graduating with 
bachelor's and master's degrees in CS and CE, changing career paths to enter the 
security consulting industry and becoming effective researchers – there are 
students of mine at iSEC Partners, Intrepidus Group, Gotham Digital Science, and 
at least one of them has beaten me to presenting at Blackhat [6]. It's also 
helped recruit and train a solid base of undergraduates to run the university's 
yearly Cyber Security Awareness Week events, described below. On the other hand, 
what it hasn't done is have much effect on graduate research at the university. 
I was never really concerned with this, but it's something I'm looking at 
changing and improving upon this year. Having established close relationships 
with so many "acute attackers" after teaching the course for so long, the 
university is now moving to give some of us official research advisory 
positions, which would give us more input into graduate research occurring 
throughout the department.

[1] At this point I have to thank a few people as this course wouldn't be 
possible without the collective efforts of most of the NYC security community 
including Dino Dai Zovi, Brandon Edwards, Aaron Portnoy, Peter Silberman, 
Rajendra Umadas, Joe Hemler, Dean De Beer, Colin Ames, Stephen Ridley, Erik 
Cabetas, Mike Zusman, and Alex Sotirov.

[2] http://pentest.cryptocity.net/

[3] http://pentest.cryptocity.net/history/

[4] 
http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis

[5] https://twitter.com/#!/csoandy/status/61144268122750976
https://twitter.com/#!/csoandy/status/61143684103680000
https://twitter.com/#!/csoandy/status/61142624693792768
https://twitter.com/#!/csoandy/status/61141713409933312
https://twitter.com/#!/csoandy/status/61140217855348737
https://twitter.com/#!/csoandy/status/61140083016876032

[6] http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Umadas

---

Cyber Security Awareness Week (CSAW)

CSAW [7] is one effort inside NYU:Poly to export some of our passion for 
security to other students and universities, in particular through hosting the 
largest academic Capture the Flag competition in the world [8] [9]. The CTF 
plays out in a similar fashion to Defcon CTF, with a final round taking place at 
the awards ceremony in early November. This competition is run by existing 
students at the university and is led this year by Julian Cohen; however, many 
of the challenges are also provided by its extensive panel of judges, which 
includes many of the same people involved in my class [10]. In this way, the 
CTF is able to remain playable to contestants at all skill levels, from 
undergrads without specific security expertise to many of the same teams that 
compete at Defcon.

After the qualification round, the top 10 undergrad teams from the US are flown 
to New York to play in the final round. The top 3 teams receive scholarships 
for masters degrees at NYU:Poly as well as a cash prize. If you're a student, 
you really should sign up to at least one contest at CSAW [11].

[7] http://www.poly.edu/csaw2011

[8] http://csawctf.poly.edu/

[9] They had 200+ registered teams last year and 85 of them scored points. I'm 
not aware of any academic-only CTFs that are larger than that.

[10] http://csawctf.poly.edu/judges.php

[11] https://csawctf.poly.edu/register.php

---

In terms of the incredible lack of effective defensive strategies exhibited by 
our industry, I've published some research in this area and collected some 
related works that you might also want to check out:

My 'Exploit Intelligence Project'
https://www.isecpartners.com/storage/docs/presentations/EIP-2.0.pdf

I chose mass malware as a case study for this project because of the wealth of 
information that's publicly accessible about its operations, making it 
possible for anyone to perform the same analysis, including anyone working at 
any large corporation with limited time and resources. Since mass malware 
operates as one enormous, non-interactive campaign against large portions of 
the internet, it generally doesn't or can't respond to local defensive actions 
like DEP or EMET, and these can form the basis of an effective defense.

For interactive attackers, this is not true, and those claiming that EMET is an 
effective defense against APT should stop. You can't compare a blind piece of 
technology to a threat – the fact that base addresses are randomized upon 
process creation rather than reboot doesn't mean I want your data any less. 
Again, but in plainer language: deploying Adobe Reader X does not make APT go 
away. One more time: disclosing that vulnerability did not prevent anyone from 
breaking into the company they wanted to; in fact, it may have done the 
opposite by providing additional capabilities for crimeware packs to 
incorporate. The defenses that work against interactive attackers are ones that 
enable the collection of intelligence about your network and your adversary and 
then help you operationalize it. To pander to the mailing list owner for a 
moment, El Jefe is a great example of such a defense: it allows me to harness 
what I know about my network and how my computers should operate to identify 
and characterize attacker behavior that clearly doesn't belong. This creates a 
hostile environment for the attacker, where I have to avoid using the same 
technique twice or risk getting caught and the entire extent of my intrusion 
being discovered.
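The paragraph above argues that the defenses which work against interactive attackers are the ones that encode what you know about how your machines should behave and then flag what doesn't fit, so that an attacker who reuses a technique gets caught. As an added illustration of that idea (this is not El Jefe's code and not part of the original post), the block below checks constructed process-creation records against an assumed baseline of expected parent-to-child process pairs, then counts how often each unexpected pair recurs across hosts. The sample events, the host names and the baseline set are all invented for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed process-creation events, loosely modelled on what a
# process-monitoring agent would record (host, parent image, child image,
# command line). Every value here is made up for this example.
SAMPLE_EVENTS = """\
host,parent,child,cmdline
ws01,explorer.exe,outlook.exe,outlook.exe
ws01,outlook.exe,acrord32.exe,acrord32.exe /n invoice.pdf
ws01,acrord32.exe,cmd.exe,cmd.exe /c whoami
ws01,cmd.exe,powershell.exe,powershell.exe -nop -w hidden -enc AAAA
ws02,explorer.exe,winword.exe,winword.exe report.docx
ws02,services.exe,svchost.exe,svchost.exe -k netsvcs
ws02,winword.exe,cmd.exe,cmd.exe /c net user
ws02,cmd.exe,powershell.exe,powershell.exe -nop -enc BBBB
"""

# Assumed baseline of parent->child pairs the defender knows are normal on
# these workstations. A real baseline would be learned from the
# environment's own history rather than written by hand.
BASELINE = {
    ("explorer.exe", "outlook.exe"),
    ("explorer.exe", "winword.exe"),
    ("outlook.exe", "acrord32.exe"),
    ("services.exe", "svchost.exe"),
}


def parse_events(text):
    """Parse CSV process-creation records into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def flag_unexpected(events, baseline):
    """Return the events whose parent->child pair is not in the baseline."""
    return [e for e in events if (e["parent"], e["child"]) not in baseline]


def characterize(flagged):
    """Group flagged pairs by host and count how often each pair recurs.

    The recurrence count is the point of the exercise: the same unexpected
    lineage showing up on a second host is the attacker reusing a technique.
    """
    per_host = {}
    technique_counts = Counter()
    for e in flagged:
        pair = f'{e["parent"]}->{e["child"]}'
        per_host.setdefault(e["host"], []).append(pair)
        technique_counts[pair] += 1
    return per_host, technique_counts


def analyze(text=SAMPLE_EVENTS, baseline=BASELINE):
    """Run the baseline check over a record set and return the findings."""
    events = parse_events(text)
    flagged = flag_unexpected(events, baseline)
    per_host, counts = characterize(flagged)
    return {"flagged": flagged, "per_host": per_host, "technique_counts": counts}


if __name__ == "__main__":
    result = analyze()
    for e in result["flagged"]:
        print(f'{e["host"]}: {e["parent"]} -> {e["child"]}  [{e["cmdline"]}]')
    for pair, n in result["technique_counts"].items():
        print(f"technique {pair} seen {n} time(s)")
```

On the constructed input the four events that leave an Office or Reader process to spawn a shell, or a shell to spawn PowerShell, are the only ones outside the baseline, and the shell-to-PowerShell pair is reported twice because it appears on both hosts. The baseline here is a set of exact pairs; extending the key to include the command line or the signing status of the child image is the natural next step, and it is the kind of local knowledge the paragraph says an attacker cannot see from the outside.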

Dino Dai Zovi's Attacker Math
http://trailofbits.com/2011/08/09/attacker-math-101/

Click-Trajectories: End-to-End Analysis of the Spam Value Chain
http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
http://www.cs.ucsd.edu/~savage/papers/LoginInterview11.pdf

IMHO, the single best resource is Eric Hutchins', Mike Cloppert's, and Rohan 
Amin's excellent and incredibly long-titled paper 'Intelligence-Driven Computer 
Network Defense by Analysis of Adversary Campaigns and Intrusion Kill Chains'; 
however, I don't think I'm allowed to post it here due to some academic paywall 
nonsense.

Finally, as long as we're comparing offensive vs. defensive timelines as Dave did 
during the video, I think it's interesting to note that all of the papers cited 
above were released this year, and most of the research in them probably 
occurred sometime in early 2010. If you want to put a stake in the ground for 
when we finally started learning how to defend ourselves, I would do it around 
then.

--
Dan Guido

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave