Dailydave mailing list archives

Re: Cyberwar talk video


From: "Dan Guido" <dguido () gmail com>
Date: Mon, 29 Aug 2011 18:37:04 -0400 (Eastern Daylight Time)

tl;dr

Part 1: Teaching security, how does it work?
* http://pentest.cryptocity.net/history/
* http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis
* http://csawctf.poly.edu/

Part 2: Intelligence-driven defense starts to fill in the strategic debt on defense that was cited in Dave's presentation. 
Find yourself a copy of 'Intelligence-Driven Computer Network Defense by Analysis of Adversary Campaigns and Intrusion Kill 
Chains' for the best description yet of how it works and what you can do with it.

---

Hey Daily Dave,

Dave is referring to an e-mail I sent him regarding his answer to this question near the end of the video:

Adam: "… In the academia side, it's kind of slow and tedious to bring students up with the expertise that you need to be a very, 
very acute attacker. Like you said it takes you hundreds of hours to build out the tools, identify the 0day ...<snarky comment from Dave 
about Eve Online>… From an academic perspective, what kind of suggestions could you make for building out programs that are actually 
effective at making people more intelligent attackers?"

Dave: "I don't know. This is straight up: attackers are basically crazy people, because you have to be to be successful. 
It's a combination of paranoia, OCD and a bunch of other stuff…"

I’ve been teaching university students exactly the skills that Adam mentioned for the last four years at NYU:Poly and 
it’s a task that I’ve found is possible in the confines of a single 13-week class when presented effectively, although 
I would say I incite passion and obsession in my students rather than paranoia and OCD :-). Through the efforts of my 
class, the university has also been able to establish contacts with some of the most impressive “attackers” in the 
industry which is slowly changing their entire approach to security education and research.

---

The Penetration Testing and Vulnerability Analysis course

NYU:Poly has over 10 security courses available to both undergrads and graduates, and the capstone course in the 
curriculum is my own penetration testing and vulnerability analysis course, which I’ve taught since 2008. We [1] teach 
students to think and act like attackers, walking them through finding their own bugs, exploiting them, using them, 
establishing presence inside a target, and making use of their presence to accomplish a goal – we cover the entire 
lifecycle of an actual intrusion. It’s a programming-intensive course where we teach fundamental skills like code 
auditing, reverse engineering and web hacking from the perspective of finding exploitable bugs rather than assessing 
applications for all vulnerabilities. To complete the course, students work on their own, self-selected independent 
research project, which helps them identify where their passions lie in the subject area.

In an effort to help others replicate this success I've released all of the course materials on my website [2], given 
specific advice to professors attempting similar courses in a presentation at SOURCE Boston 2009 [3], and given a video 
interview outlining the need for teaching security this way [4]. I also participated in a panel discussion on security 
education at SOURCE Boston 2011 and Andy Ellis was kind enough to tweet some of my more interesting comments as I made them 
[5].

This course has resulted in significant numbers of students graduating with bachelor's and master's degrees in CS and CE 
changing career paths to enter the security consulting industry and becoming effective researchers – there are students 
of mine at iSEC Partners, Intrepidus Group, Gotham Digital Science, and at least one of them has beaten me to presenting 
at Blackhat [6]. It’s also helped recruit and train a solid base of undergraduates to run the university’s yearly Cyber 
Security Awareness Week events, described below. On the other hand, what it hasn’t done is have much effect on graduate 
research at the university. I was never really concerned with this, but it’s something I’m looking at changing and 
improving upon this year. Having established close relationships with so many “acute attackers” after teaching the 
course for so long, the university is now moving to give some of us official research advisory positions, which would 
give us more input into graduate research occurring throughout the department.

[1] At this point I have to thank a few people as this course wouldn't be possible without the collective efforts of 
most of the NYC security community including Dino Dai Zovi, Brandon Edwards, Aaron Portnoy, Peter Silberman, Rajendra 
Umadas, Joe Hemler, Dean De Beer, Colin Ames, Stephen Ridley, Erik Cabetas, Mike Zusman, and Alex Sotirov.

[2] http://pentest.cryptocity.net/

[3] http://pentest.cryptocity.net/history/

[4] http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis

[5] https://twitter.com/#!/csoandy/status/61144268122750976
https://twitter.com/#!/csoandy/status/61143684103680000
https://twitter.com/#!/csoandy/status/61142624693792768
https://twitter.com/#!/csoandy/status/61141713409933312
https://twitter.com/#!/csoandy/status/61140217855348737
https://twitter.com/#!/csoandy/status/61140083016876032

[6] http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Umadas

---

Cyber Security Awareness Week (CSAW)

CSAW [7] is one effort inside NYU:Poly to export some of our passion for security to other students and universities, 
in particular through hosting the largest academic Capture the Flag competition in the world [8] [9]. The CTF plays out 
in a similar fashion to Defcon CTF with a final round taking place at the awards ceremony in early November. This 
competition is run by existing students at the university and is led this year by Julian Cohen, however, many of the 
challenges are also provided by its extensive panel of judges which includes many of the same people involved in my 
class [10]. In this way, the CTF is able to remain playable to contestants at all skill levels, from undergrads without 
specific security expertise to many of the same teams that compete at Defcon.

After the qualification round, the top 10 undergrad teams from the US are flown to New York to play in the final round. The 
top 3 teams receive scholarships for masters degrees at NYU:Poly as well as a cash prize. If you're a student, you 
really should sign up to at least one contest at CSAW [11].

[7] http://www.poly.edu/csaw2011

[8] http://csawctf.poly.edu/

[9] They had 200+ registered teams last year and 85 of them scored points. I’m not aware of any academic-only CTFs that 
are larger than that.

[10] http://csawctf.poly.edu/judges.php

[11] https://csawctf.poly.edu/register.php

---

In terms of the incredible lack of effective defensive strategies exhibited by our industry, I've published some 
research in this area and collected some related works that you might also want to check out:

My 'Exploit Intelligence Project'
https://www.isecpartners.com/storage/docs/presentations/EIP-2.0.pdf

I chose mass malware as a case study for this project because of the wealth of information that’s publicly accessible 
about their operations, making it possible for anyone to perform the same analysis including anyone working at any 
large corporation with limited time and resources. Since mass malware operates as one enormous, non-interactive 
campaign against large portions of the internet they generally don’t or can’t respond to local defensive actions like 
DEP or EMET and these can form the basis of an effective defense.

For interactive attackers, this is not true and those claiming that EMET is an effective defense against APT should 
stop. You can’t compare a blind piece of technology to a threat – the fact that base addresses are randomized upon 
process creation rather than reboot doesn’t mean I want your data any less. Again, but in plainer language: deploying 
Adobe Reader X does not make APT go away. One more time: disclosing that vulnerability did not prevent anyone from 
breaking into the company they wanted to; in fact, it may have done the opposite by providing additional capabilities 
for crimeware packs to incorporate. The defenses that work against interactive attackers are ones that enable the 
collection of intelligence about your network and your adversary and then help you operationalize it. To pander to the 
mailing list owner for a moment, El Jefe is a great example of such a defense: it allows me to harness what I know 
about my network and how my computers should operate to identify and characterize attacker behavior that clearly 
doesn’t belong. This creates a hostile environment for the attacker where I have to avoid using the same technique 
twice or risk getting caught and the entire extent of my intrusion being discovered.
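To make the baseline-driven detection idea above concrete, here is an added example that is not part of the original post and is not El Jefe's own code. It records the parent-to-child process relationships observed while machines were behaving as expected, flags later process creations whose parent-child pair was never seen during that baseline period, and then groups the flagged events by pair so that the same technique reused on a second host is linked back to the first sighting. The log format, host names and process-creation events are constructed for this example and are not any real tool's output.

```python
"""Baseline-driven process-creation anomaly detection (added example).

The log line layout "<timestamp> <host> parent=<image> child=<image>" is an
assumption made for this example, not the format of El Jefe or any other tool.
"""
import re

# Constructed line format for this example (not a real tool's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+child=(?P<child>\S+)\s*$"
)

# Constructed "known-good" process-creation events captured while the
# workstations were operating as expected (the baseline period).
BASELINE_LOG = """\
2011-08-01T09:00:01 ws01 parent=winlogon.exe child=userinit.exe
2011-08-01T09:00:02 ws01 parent=userinit.exe child=explorer.exe
2011-08-01T09:01:10 ws01 parent=explorer.exe child=outlook.exe
2011-08-01T09:03:44 ws01 parent=outlook.exe child=acrord32.exe
2011-08-01T09:05:00 ws02 parent=explorer.exe child=firefox.exe
2011-08-01T09:06:12 ws02 parent=services.exe child=svchost.exe
"""

# Constructed events from a later day that the detector should check.
# The last line is deliberately malformed to show that the parser skips it.
NEW_LOG = """\
2011-08-15T10:12:03 ws01 parent=explorer.exe child=outlook.exe
2011-08-15T10:12:40 ws01 parent=outlook.exe child=acrord32.exe
2011-08-15T10:12:41 ws01 parent=acrord32.exe child=cmd.exe
2011-08-15T11:30:00 ws02 parent=explorer.exe child=firefox.exe
2011-08-15T11:31:15 ws02 parent=explorer.exe child=notepad.exe
2011-08-15T14:02:09 ws02 parent=acrord32.exe child=cmd.exe
this line is malformed and is skipped by the parser
"""


def parse_event(line):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def pair_of(ev):
    """Normalise a parsed event to its (parent, child) image-name pair."""
    return (ev["parent"].lower(), ev["child"].lower())


def build_baseline(log_text):
    """Collect every parent->child pair observed during known-good operation."""
    pairs = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            pairs.add(pair_of(ev))
    return pairs


def find_anomalies(log_text, baseline):
    """Return the events whose parent->child pair never appeared in the baseline."""
    anomalies = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and pair_of(ev) not in baseline:
            anomalies.append(ev)
    return anomalies


def characterize(anomalies):
    """Group anomalies by technique (parent->child pair), listing the hosts in
    order of first sighting, so a technique reused elsewhere is linked to the
    earlier occurrence instead of being treated as a fresh, unrelated alert."""
    by_pair = {}
    for ev in anomalies:
        by_pair.setdefault(pair_of(ev), []).append(ev["host"])
    return by_pair


def run():
    """Build the baseline, check the new log against it, and group the results."""
    baseline = build_baseline(BASELINE_LOG)
    return characterize(find_anomalies(NEW_LOG, baseline))


if __name__ == "__main__":
    for (parent, child), hosts in run().items():
        print(f"{parent} -> {child}: seen on {', '.join(hosts)}, never seen in baseline")
```

Two things the output makes visible: Reader spawning a command shell is flagged on both hosts and grouped as one technique, which is the "hostile environment" effect described above, and Explorer launching Notepad is flagged as well, simply because it never occurred during the baseline period. Novelty relative to a baseline is not the same as malice, so an incomplete baseline produces benign alerts that an analyst has to review and fold back into the baseline rather than suppress blindly.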

Dino Dai Zovi's Attacker Math
http://trailofbits.com/2011/08/09/attacker-math-101/

Click-Trajectories: End-to-End Analysis of the Spam Value Chain
http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
http://www.cs.ucsd.edu/~savage/papers/LoginInterview11.pdf

IMHO, the single best resource is Eric Hutchins', Mike Cloppert's, and Rohan Amin's excellent and incredibly long-titled paper 
'Intelligence-Driven Computer Network Defense by Analysis of Adversary Campaigns and Intrusion Kill Chains'; however, I don't think I'm 
allowed to post it here due to some academic paywall nonsense.

Finally, as long as we’re comparing offensive vs. defensive timelines as Dave did during the video, I think it’s 
interesting to note that all of the papers cited above were released this year and most of the research in them 
probably occurred sometime in early 2010. If you want to put a stake in the ground for when we finally started learning 
how to defend ourselves, I would do it around then.

--
Dan Guido
