For those that wanted to read it. http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf
On Mon, Aug 29, 2011 at 6:37 PM, Dan Guido <[email protected]> wrote:
> tl;dr
>
> Part 1: Teaching security, how does it work?
> * http://pentest.cryptocity.net/history/
> * http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis
> * http://csawctf.poly.edu/
>
> Part 2: Intelligence-driven defense starts to fill in the strategic debt on
> defense that was cited in Dave's presentation. Find yourself a copy of
> 'Intelligence-Driven Computer Network Defense by Analysis of Adversary
> Campaigns and Intrusion Kill Chains' for the best description yet of how it
> works and what you can do with it.
>
> ---
>
> Hey Daily Dave,
>
> Dave is referring to an e-mail I sent him regarding his answer to this
> question near the end of the video:
>
> Adam: "… In the academia side, it's kind of slow and tedious to bring
> students up with the expertise that you need to be a very, very acute
> attacker. Like you said it takes you hundreds of hours to build out the
> tools, identify the 0day ... <snarky comment from Dave about Eve Online> …
> From an academic perspective, what kind of suggestions could you make for
> building out programs that are actually effective at making people more
> intelligent attackers?"
>
> Dave: "I don't know. This is straight up: attackers are basically crazy
> people, because you have to be to be successful. It's a combination of
> paranoia, OCD and a bunch of other stuff…"
>
> I've been teaching university students exactly the skills that Adam
> mentioned for the last four years at NYU:Poly and it's a task that I've
> found is possible in the confines of a single 13-week class when presented
> effectively, although I would say I incite passion and obsession in my
> students rather than paranoia and OCD :-).
> Through the efforts of my class, the university has also been able to
> establish contacts with some of the most impressive "attackers" in the
> industry, which is slowly changing their entire approach to security
> education and research.
>
> ---
>
> The Penetration Testing and Vulnerability Analysis course
>
> NYU:Poly has over 10 security courses available to both undergrads and
> graduates, and the capstone course in the curriculum is my own penetration
> testing and vulnerability analysis course, which I've taught since 2008. We
> [1] teach students to think and act like attackers, walking them through
> finding their own bugs, exploiting them, using them, establishing presence
> inside a target, and making use of their presence to accomplish a goal – we
> cover the entire lifecycle of an actual intrusion. It's a programming
> intensive course where we teach fundamental skills like code auditing,
> reverse engineering and web hacking from the perspective of finding
> exploitable bugs rather than assessing applications for all vulnerabilities.
> To complete the course, students work on their own, self-selected
> independent research project, which helps them identify where their passions
> lie in the subject area.
>
> In an effort to help others replicate this success I've released all of the
> course materials on my website [2], given specific advice to professors
> attempting similar courses in a presentation at SOURCE Boston 2009 [3], and
> given a video interview outlining the need for teaching security this way
> [4]. I also participated in a panel discussion on security education at
> SOURCE Boston 2011 and Andy Ellis was kind enough to tweet some of my more
> interesting comments as I made them [5].
>
> This course has resulted in significant numbers of students graduating with
> bachelors and masters in CS and CE changing career paths to enter the
> security consulting industry and becoming effective researchers – there are
> students of mine at iSEC Partners, Intrepidus Group, Gotham Digital Science
> and at least one of them has beaten me to presenting at Blackhat [6]. It's
> also helped recruit and train a solid base of undergraduates to run the
> university's yearly Cyber Security Awareness Week events, described below.
> On the other hand, what it hasn't done is have much effect on graduate
> research at the university. I was never really concerned with this, but it's
> something I'm looking at changing and improving upon this year. Having
> established close relationships with so many "acute attackers" after
> teaching the course for so long, the university is now moving to give some
> of us official research advisory positions, which would give us more input
> into graduate research occurring throughout the department.
>
> [1] At this point I have to thank a few people, as this course wouldn't be
> possible without the collective efforts of most of the NYC security
> community including Dino Dai Zovi, Brandon Edwards, Aaron Portnoy, Peter
> Silberman, Rajendra Umadas, Joe Hemler, Dean De Beer, Colin Ames, Stephen
> Ridley, Erik Cabetas, Mike Zusman, and Alex Sotirov.
>
> [2] http://pentest.cryptocity.net/
>
> [3] http://pentest.cryptocity.net/history/
>
> [4] http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis
>
> [5] https://twitter.com/#!/csoandy/status/61144268122750976
>     https://twitter.com/#!/csoandy/status/61143684103680000
>     https://twitter.com/#!/csoandy/status/61142624693792768
>     https://twitter.com/#!/csoandy/status/61141713409933312
>     https://twitter.com/#!/csoandy/status/61140217855348737
>     https://twitter.com/#!/csoandy/status/61140083016876032
>
> [6] http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Umadas
>
> ---
>
> Cyber Security Awareness Week (CSAW)
>
> CSAW [7] is one effort inside NYU:Poly to export some of our passion for
> security to other students and universities, in particular through hosting
> the largest academic Capture the Flag competition in the world [8] [9]. The
> CTF plays out in a similar fashion to Defcon CTF, with a final round taking
> place at the awards ceremony in early November. This competition is run by
> existing students at the university and is led this year by Julian Cohen;
> however, many of the challenges are also provided by its extensive panel of
> judges, which includes many of the same people involved in my class [10]. In
> this way, the CTF is able to remain playable to contestants at all skill
> levels, from undergrads without specific security expertise to many of the
> same teams that compete at Defcon.
>
> After the qualification round, the top 10 undergrad teams from the US are
> flown to New York to play in the final round. The top 3 teams receive
> scholarships for masters degrees at NYU:Poly as well as a cash prize. If
> you're a student, you really should sign up for at least one contest at CSAW
> [11].
>
> [7] http://www.poly.edu/csaw2011
>
> [8] http://csawctf.poly.edu/
>
> [9] They had 200+ registered teams last year and 85 of them scored points.
> I'm not aware of any academic-only CTFs that are larger than that.
>
> [10] http://csawctf.poly.edu/judges.php
>
> [11] https://csawctf.poly.edu/register.php
>
> ---
>
> In terms of the incredible lack of effective defensive strategies exhibited
> by our industry, I've published some research in this area and collected
> some related works that you might also want to check out:
>
> My 'Exploit Intelligence Project'
> https://www.isecpartners.com/storage/docs/presentations/EIP-2.0.pdf
>
> I chose mass malware as a case study for this project because of the wealth
> of information that's publicly accessible about their operations, making it
> possible for anyone to perform the same analysis, including anyone working at
> any large corporation with limited time and resources. Since mass malware
> operates as one enormous, non-interactive campaign against large portions of
> the internet, they generally don't or can't respond to local defensive
> actions like DEP or EMET, and these can form the basis of an effective
> defense.
>
> For interactive attackers, this is not true and those claiming that EMET is
> an effective defense against APT should stop. You can't compare a blind
> piece of technology to a threat – the fact that base addresses are
> randomized upon process creation rather than reboot doesn't mean I want your
> data any less. Again, but in plainer language: deploying Adobe Reader X does
> not make APT go away. One more time: disclosing that vulnerability did not
> prevent anyone from breaking into the company they wanted to; in fact, it
> may have done the opposite by providing additional capabilities for
> crimeware packs to incorporate. The defenses that work against interactive
> attackers are ones that enable the collection of intelligence about your
> network and your adversary and then help you operationalize it.
> To pander to the mailing list owner for a moment, El Jefe is a great
> example of such a defense: it allows me to harness what I know about my
> network and how my computers should operate to identify and characterize
> attacker behavior that clearly doesn't belong. This creates a hostile
> environment for the attacker, where I have to avoid using the same technique
> twice or risk getting caught and the entire extent of my intrusion being
> discovered.
>
> Dino Dai Zovi's Attacker Math
> http://trailofbits.com/2011/08/09/attacker-math-101/
>
> Click-Trajectories: End-to-End Analysis of the Spam Value Chain
> http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
> http://www.cs.ucsd.edu/~savage/papers/LoginInterview11.pdf
>
> IMHO, the single best resource is Eric Hutchins', Mike Cloppert's, and Rohan
> Amin's excellent and incredibly long-titled paper 'Intelligence-Driven
> Computer Network Defense by Analysis of Adversary Campaigns and Intrusion
> Kill Chains'; however, I don't think I'm allowed to post it here due to some
> academic paywall nonsense.
>
> Finally, as long as we're comparing offensive vs defensive timelines as Dave
> did during the video, I think it's interesting to note that all of the
> papers cited above were released this year and most of the research in them
> probably occurred sometime in early 2010. If you want to put a stake in the
> ground for when we finally started learning how to defend ourselves, I would
> do it around then.
>
> --
> Dan Guido
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
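The El Jefe paragraph in the quoted message describes the shape of an intelligence-driven defense: a baseline of how your own machines should behave, checked against process-creation telemetry, with each attacker technique you catch turned into an indicator so the same trick cannot be used twice. The block below is an added illustration of that idea, written for this page; it is not El Jefe's code, not Dan Guido's, and not the mechanism of any product named above. The log format, the hostnames, the parent/child baseline and the encoded PowerShell command line are all constructed for the example.

```python
"""Baseline-driven process-creation anomaly detection (constructed example).

A process-creation log, the kind of telemetry a process monitor emits, is
checked against a per-parent baseline of expected child processes.  Anything
outside the baseline is flagged, and every flagged technique is remembered so
that a second use of it anywhere on the network is reported as a repeat with
a pointer back to the first host it was seen on.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user parent child cmdline")

# Constructed sample log, one event per line: ts|host|user|parent|child|cmdline
# The -enc argument is a constructed stand-in for an encoded PowerShell stage.
SAMPLE_LOG = """\
2011-08-29T09:00:01|ws01|alice|explorer.exe|winword.exe|winword.exe C:\\docs\\q3.docx
2011-08-29T09:00:05|ws01|alice|winword.exe|cmd.exe|cmd.exe /c powershell -enc SQBFAFgA
2011-08-29T09:01:10|ws02|bob|explorer.exe|outlook.exe|outlook.exe
2011-08-29T09:02:00|ws02|bob|svchost.exe|wuauclt.exe|wuauclt.exe /detectnow
2011-08-29T09:03:30|ws03|carol|acrord32.exe|cmd.exe|cmd.exe /c powershell -enc SQBFAFgA
2011-08-29T09:04:00|ws03|carol|explorer.exe|cmd.exe|cmd.exe
"""

# Assumed baseline: which parents are expected to spawn which children on a
# standard workstation.  In a real deployment this is learned from your own
# fleet; that is the "what I know about my network" part of the defense.
BASELINE = {
    "explorer.exe": {"winword.exe", "outlook.exe", "cmd.exe", "acrord32.exe"},
    "services.exe": {"svchost.exe"},
    "svchost.exe": {"wuauclt.exe"},
}


def parse_log(text):
    """Parse the pipe-delimited constructed log into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, child, cmdline = line.split("|", 5)
        events.append(Event(ts, host, user.lower(), parent.lower(),
                            child.lower(), cmdline))
    return events


def technique_key(ev):
    """Reduce a flagged event to a reusable indicator: the child image plus its
    command line with drive paths masked, so the same technique launched from a
    different parent or directory on another host still matches."""
    cmd = re.sub(r"[A-Za-z]:\\\S*", "<path>", ev.cmdline)
    return (ev.child, cmd.lower())


def detect(events, baseline=BASELINE):
    """Return a list of (severity, host, reason, event) tuples.

    First sighting of an out-of-baseline spawn is 'medium'; a later event on
    any host that matches an already-flagged technique is 'high', because the
    attacker has reused a technique the defender has already characterized.
    """
    alerts = []
    seen = {}  # technique indicator -> host where it was first flagged
    for ev in events:
        if ev.child in baseline.get(ev.parent, set()):
            continue  # expected behaviour on this fleet
        key = technique_key(ev)
        if key in seen:
            alerts.append(("high", ev.host,
                           "reuse of technique first seen on %s" % seen[key], ev))
        else:
            seen[key] = ev.host
            alerts.append(("medium", ev.host,
                           "%s is not expected to spawn %s" % (ev.parent, ev.child), ev))
    return alerts


if __name__ == "__main__":
    for severity, host, reason, ev in detect(parse_log(SAMPLE_LOG)):
        print("[%s] %s %s: %s -> %s (%s)" % (severity, host, reason,
                                             ev.parent, ev.child, ev.cmdline))
```

On the constructed log this flags the Word-spawned cmd.exe on ws01 once as a new deviation, and the Reader-spawned cmd.exe on ws03 as a repeat of the same technique, while the ordinary explorer.exe-spawned shell on ws03 passes because it is in the baseline. The point is the second alert: once a technique has been characterized, reusing it anywhere exposes the intrusion, which is the hostile environment the message describes.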
