Re: Cyberwar talk video

[Jason Lewis <jlewis () packetnexus com>]

For those that wanted to read it.

http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf

On Mon, Aug 29, 2011 at 6:37 PM, Dan Guido <dguido () gmail com> wrote:
> tl;dr
>
> Part 1: Teaching security, how does it work?
> * http://pentest.cryptocity.net/history/
> *
> http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis
> * http://csawctf.poly.edu/
>
> Part 2: Intelligence-driven defense starts to fill in the strategic debt on
> defense that was cited in the Dave’s presentation. Find yourself a copy of
> 'Intelligence-Driven Computer Network Defense by Analysis of Adversary
> Campaigns and Intrusion Kill Chains' for the best description yet of how it
> works and what you can do with it.
>
> ---
>
> Hey Daily Dave,
>
> Dave is referring to an e-mail I sent him regarding his answer to this
> question near the end of the video:
>
> Adam: "… In the academia side, it's kind of slow and tedious to bring
> students up with the expertise that you need to be a very, very acute
> attacker. Like you said it takes you hundreds of hours to build out the
> tools, identify the 0day ...<snarky comment from Dave about Eve Online>…
> From an academic perspective, what kind of suggestions could you make for
> building out programs that are actually effective at making people more
> intelligent attackers?"
>
> Dave: "I don't know. This is straight up: attackers are basically crazy
> people, because you have to be to be successful. It's a combination of
> paranoia, OCD and a bunch of other stuff…"
>
> I’ve been teaching university students exactly the skills that Adam
> mentioned for the last four years at NYU:Poly and it’s a task that I’ve
> found is possible in the confines of a single 13-week class when presented
> effectively, although I would say I incite passion and obsession in my
> students rather than paranoia and OCD :-). Through the efforts of my class,
> the university has also been able to establish contacts with some of the
> most impressive “attackers” in the industry which is slowly changing their
> entire approach to security education and research.
>
> ---
>
> The Penetration Testing and Vulnerability Analysis course
>
> NYU:Poly has over 10 security courses available to both undergrads and
> graduates and the capstone course in the curriculum is my own penetration
> testing and vulnerability analysis course, which I’ve taught since 2008. We
> [1] teach students to think and act like attackers walking them through
> finding their own bugs, exploiting them, using them, establishing presence
> inside a target, and making use of their presence to accomplish a goal – we
> cover the entire lifecycle of an actual intrusion. It’s a programming
> intensive course where we teach fundamental skills like code auditing,
> reverse engineering and web hacking from the perspective of finding
> exploitable bugs rather than assessing applications for all vulnerabilities.
> To complete the course, students work on their own, self-selected
> independent research project which helps them identify where their passions
> lie in the subject area.
>
> In an effort to help others replicate this success I've released all of the
> course materials on my website [2], given specific advice to professors
> attempting similar courses in a presentation at SOURCE Boston 2009 [3], and
> given a video interview outlining the need for teaching security this way
> [4]. I also participated in a panel discussion on security education at
> SOURCE Boston 2011 and Andy Ellis was kind enough to tweet some of my more
> interesting comments as I made them [5].
>
> This course has resulted in significant numbers of students graduating with
> bachelors and masters in CS and CE changing career paths to enter the
> security consulting industry and becoming effective researchers – there are
> students of mine at iSEC Partners, Intrepidus Group, Gotham Digital Science
> and at least one of them has beaten me to presenting at Blackhat [6]. It’s
> also helped recruit and train a solid base of undergraduates to run the
> university’s yearly Cyber Security Awareness Week events, described below.
> On the other hand, what it hasn’t done is had much effect on graduate
> research at the university. I was never really concerned with this, but it’s
> something I’m looking at changing and improving upon this year. Having
> established close relationships with so many “acute attackers” after
> teaching the course for so long, the university is now moving to give some
> of us official research advisory positions which would give us more input
> into graduate research occurring throughout the department.
>
> [1] At this point I have to thank a few people as this course wouldn't be
> possible without the collective efforts of most of the NYC security
> community including Dino Dai Zovi, Brandon Edwards, Aaron Portnoy, Peter
> Silberman, Rajendra Umadas, Joe Hemler, Dean De Beer, Colin Ames, Stephen
> Ridley, Erik Cabetas, Mike Zusman, and Alex Sotirov.
>
> [2] http://pentest.cryptocity.net/
>
> [3] http://pentest.cryptocity.net/history/
>
> [4]
> http://searchsecurity.techtarget.com/video/Dan-Guido-on-teaching-penetration-testing-courses-intrusion-analysis
>
> [5] https://twitter.com/#!/csoandy/status/61144268122750976
> https://twitter.com/#!/csoandy/status/61143684103680000
> https://twitter.com/#!/csoandy/status/61142624693792768
> https://twitter.com/#!/csoandy/status/61141713409933312
> https://twitter.com/#!/csoandy/status/61140217855348737
> https://twitter.com/#!/csoandy/status/61140083016876032
>
> [6] http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Umadas
>
> ---
>
> Cyber Security Awareness Week (CSAW)
>
> CSAW [7] is one effort inside NYU:Poly to export some of our passion for
> security to other students and universities, in particular through hosting
> the largest academic Capture the Flag competition in the world [8] [9]. The
> CTF plays out in a similar fashion to Defcon CTF with a final round taking
> place at the awards ceremony in early November. This competition is run by
> existing students at the university and is led this year by Julian Cohen,
> however, many of the challenges are also provided by its extensive panel of
> judges which includes many of the same people involved in my class [10]. In
> this way, the CTF is able to remain playable to contestants at all skill
> levels, from undergrads without specific security expertise to many of the
> same teams that compete at Defcon.
>
> After the qualification round, the top 10 undergrad teams from the US are
> flown to New York to play in the final round. The top 3 teams receive
> scholarships for masters degrees at NYU:Poly as well as a cash prize. If
> you're a student, you really should sign up to at least one contest at CSAW
> [11].
>
> [7] http://www.poly.edu/csaw2011
>
> [8] http://csawctf.poly.edu/
>
> [9] They had 200+ registered teams last year and 85 of them score points.
> I’m not aware of any academic-only CTFs that are larger than that.
>
> [10] http://csawctf.poly.edu/judges.php
>
> [11] https://csawctf.poly.edu/register.php
>
> ---
>
> In terms of the incredible lack of effective defensive strategies exhibited
> by our industry, I've published some research in this area and collected
> some related works that you might also want to check out:
>
> My 'Exploit Intelligence Project'
> https://www.isecpartners.com/storage/docs/presentations/EIP-2.0.pdf
>
> I chose mass malware as a case study for this project because of the wealth
> of information that’s publicly accessible about their operations, making it
> possible for anyone to perform the same analysis including anyone working at
> any large corporation with limited time and resources. Since mass malware
> operates as one enormous, non-interactive campaign against large portions of
> the internet they generally don’t or can’t respond to local defensive
> actions like DEP or EMET and these can form the basis of an effective
> defense.
>
> For interactive attackers, this is not true and those claiming that EMET is
> an effective defense against APT should stop. You can’t compare a blind
> piece of technology to a threat – the fact that base addresses are
> randomized upon process creation rather than reboot doesn’t mean I want your
> data any less. Again, but in plainer language: deploying Adobe Reader X does
> not make APT go away. One more time: disclosing that vulnerability did not
> prevent anyone from breaking into the company they wanted to, in fact, it
> may have done the opposite by providing additional capabilities for
> crimeware packs to incorporate. The defenses that work against interactive
> attackers are ones that enable the collection of intelligence about your
> network and your adversary and then help you operationalize it. To pander to
> the mailing list owner for a moment, El Jefe is a great example of such a
> defense: it allows me to harness what I know about my network and how my
> computers should operate to identify and characterize attacker behavior that
> clearly doesn’t belong. This creates a hostile environment for the attacker
> where I have to avoid using the same technique twice or risk getting caught
> and the entire extent of my intrusion being discovered.
>
> Dino Dai Zovi's Attacker Math
> http://trailofbits.com/2011/08/09/attacker-math-101/
>
> Click-Trajectories: End-to-End Analysis of the Spam Value Chain
> http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
> http://www.cs.ucsd.edu/~savage/papers/LoginInterview11.pdf
>
> IMHO, the single best resource is Eric Hutchins', Mike Cloppert's, and Rohan
> Amin's excellent and incredibly long-titled paper 'Intelligence-Driven
> Computer Network Defense by Analysis of Adversary Campaigns and Intrusion
> Kill Chains' however I don't think I'm allowed to post it here due to some
> academic paywall nonsense.
>
> Finally, as long as we’re comparing offensive vs defense timelines as Dave
> did during the video, I think it’s interesting to note that all of the
> papers cited above were released this year and most of the research in them
> probably occurred sometime in early 2010. If you want to put a stake in the
> ground for when we finally started learning how to defend ourselves, I would
> do it around then.
>
> --
> Dan Guido
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave