-Frank DiGiovanni, Director of Force Training and Assistant Secretary for Personnel and Readiness
We have recently started to build a cyber attacker course for the Pentagon. Why did they need us, why do we need them, and how does this matter to you?
I will address the last question first. Every company, business, school, and individual is a target. As is, of course, the government. Cyber attack is now considered one of the top five risks to businesses globally. Consider these 2014 statistics (from selective.com):
So, we should just be more vigilant, right?
There is a Dept. of Homeland Security campaign to make businesses more aware of the threat, called Stop, Think, Connect. That's very nice but how does that help the average small business? DHS says 40% of all cyber attacks target businesses with fewer than 500 employees.
From Venture Beat:
In the past six months alone, we've seen attacks like the DNC and Yahoo breaches, which focused on influencing political and economic public opinion, rather than simply gaining a profit. And the hackers aren't done yet: The Russian group thought to be behind the election-related breaches is moving on to Germany's elections next, according to a recent 'statement'.
The scenario is particularly worrying for industries that rely heavily on public confidence.
Ransomware, like Cryptolocker, has plagued companies around the world; experts reckon these attacks have increased fivefold in 2016 alone. They encrypt critical files at a speed that is virtually impossible to keep up with and leave companies facing hefty fees for their release.
Hospitals have suffered particularly at the hands of ransomware attacks. They are prime targets, as they have become digital jungles full of everything from life-saving medical equipment and critical patient records to patient devices and staff computers, all with cyber defenses that have failed to keep pace. The result is organizations that pay up. Hollywood Presbyterian Medical Center in Los Angeles paid the equivalent of $17,000 in Bitcoin to extortionists after its computers were taken offline for over a week.
This is from mcafee.com:
Attacks outpace defense, and one reason for this is the lack of an adequate cybersecurity workforce. The cybersecurity workforce shortfall remains a critical vulnerability for companies and nations. Conventional education and policies can't meet demand. New solutions are needed to build the cybersecurity workforce necessary in a networked world. The deficit of cybersecurity talent is a challenge for every industry sector. The lack of trained personnel exacerbates the already difficult task of managing cybersecurity risks.
Whoops. Funny question. I meant cyber defenders, didn't I? No, I didn't. You can't just guess where your vulnerabilities lie; you need people who can attack your systems and attempt to break things. Once they succeed, you need other people to repair things. So, first and foremost, businesses need attackers. Then they need defenders.
This is from GovTechWorks.com:
A second tenet of DiGiovanni's approach is that technical skills alone are inadequate for the challenge. Cyber involves technology, he says, but also politics, economics, tradecraft and culture. So students must learn to understand adversaries on multiple levels.
He built an instructor-led course, but there are limits to how many people can be taught face to face. Lecturing is not a very effective method for learning how to do something. We learn how to do things through one-on-one mentoring, and we learn from trying and failing. DiGiovanni knows this: "We infused the course with sociology, ethnography and anthropology... You don't conduct an assault on the enemy if you don't know the terrain they're in, what surrounds them."
The social science disciplines help students better understand who they're up against and why. Those facts can then be aligned with what we know of an adversary's signature techniques, tactics, and procedures.
"Techniques give clues about who you are and could also tip off what you're after," DiGiovanni says. This includes the way adversaries might seek to cover their tracks. For example, Russia adapted the concept of maskirovka, (literally, masking), from conventional battlefield usage and applied it to the cyber arena. Students learn to identify the tactics of different adversaries, as well as the techniques that can be employed to cover one's tracks. They have to become adept at identifying what the adversary is doing as well as executing their own cyber missions without leaving digital fingerprints in their wake.
"The biggest complaint about journeyman-apprentice is: It doesn't scale," DiGiovanni says. That makes it more costly and slower, compared to traditional teaching methods. Journeyman-apprentice is another core concept built into this course.
DiGiovanni doesn't want to ditch the approach, just find a way to make it more efficient.
But, typically, Socratic Arts courses are mentored by people, usually at a ratio of one mentor to 30 students, although an experienced mentor can handle more than that. So, while Socratic Arts knows very well how to build an exciting interactive course to train cyber attackers (by working with the cyber experts already working with DOD, of course) that isn't all that is needed. What is also needed is to answer the question about how a mentored course can handle 10,000 students.
Fortunately, many of the key people at Socratic Arts were originally in the field of Artificial Intelligence, specifically in natural language processing. From the early 1970s until the mid-1980s, those people specialized in building programs that could understand English sentences by using representations of real-world knowledge to make inferences about meaning within the context of a speaker's known goals and plans. This work stopped when over-promising in AI killed all funding. Fortunately, we still know what to do and how to do it.
The trick is having representations of what people are doing and why they are doing it, and then being able to anticipate what they might ask the computer. For example, here is a picture:
If we were to guess about what the man might be about to say, our guesses might include:
Our natural language parsers would do well with all these questions, but had the man said "I thought it was always hot in Miami," our program would not understand the remark, because it has nothing to do with the context.
Within the context of mentoring a cyber attack course, we know the goals of the students, the plans they are pursuing and the likely problem they might encounter in completing their task. Therefore, we can anticipate what they might ask at any given time and have a very good response to the anticipated question already composed. The problem becomes one of matching good mentor's answers to our best understanding of what question is likely to be asked by a student in a particular situation. When you have taught a course many times, you know what students ask and when they ask it. Thus it is possible to build an AI mentor, one that does a good job of mentoring a student most of the time, still allowing for a live mentor to appear when the AI mentor is baffled. In this way, we can handle thousands of students.
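The matching step described above can be made concrete. The following is an added example, not Socratic Arts' mentor software, and every task name, anticipated question and canned answer in it is a constructed placeholder. It scores a student's question only against the questions anticipated for the task the student is currently on, returns the pre-composed mentor answer when the overlap is good enough, and otherwise escalates to a live mentor, which is exactly what happens to the off-context "hot in Miami" remark.

```python
import re
from collections import Counter

# Constructed knowledge base, keyed by the task the student is working on.
# Each entry pairs a question that students tend to ask at that step with the
# answer a good mentor gives. Task names, questions and answers are hypothetical.
MENTOR_KB = {
    "task1-reverse-engineering": [
        ("where is the password check in the binary",
         "Look for the comparison right after the input string is read; the branch after it decides success."),
        ("which tool do I use to look at the executable",
         "Start with the disassembler installed in the lab VM and locate the program's entry point."),
    ],
    "task4-fix-lfi": [
        ("how do I verify the server is vulnerable",
         "Reproduce the behaviour described in the README inside the sandbox and record what the server returns."),
        ("how do I correct the lfi vulnerability",
         "Replace the user-controlled include with an allow-list of page names that map to files."),
    ],
}

STOPWORDS = {"the", "a", "an", "do", "i", "is", "in", "to", "how", "which", "where", "of"}


def tokens(text):
    """Lower-case bag of words with stop words removed."""
    return Counter(w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS)


def similarity(a, b):
    """Jaccard-style overlap between two token bags, from 0.0 (nothing shared) to 1.0."""
    ca, cb = tokens(a), tokens(b)
    if not ca or not cb:
        return 0.0
    inter = sum((ca & cb).values())
    union = sum((ca | cb).values())
    return inter / union


def answer(task, question, threshold=0.4):
    """Return (source, text). source is "ai-mentor" when an anticipated question for
    the student's current task matches well enough, otherwise "live-mentor" so a
    human can step in. The context (task) restricts which answers are even considered."""
    candidates = MENTOR_KB.get(task, [])
    best = max(candidates, key=lambda qa: similarity(question, qa[0]), default=None)
    if best is None or similarity(question, best[0]) < threshold:
        return ("live-mentor", f"Escalated: no confident answer for {question!r} during {task}.")
    return ("ai-mentor", best[1])


if __name__ == "__main__":
    print(answer("task1-reverse-engineering", "where is the password check inside the binary"))
    print(answer("task1-reverse-engineering", "I thought it was always hot in Miami"))
```

The threshold is the knob that trades mentor load against answer quality: lowering it lets the AI mentor answer more often but raises the chance of a confidently wrong reply, so the escalation log is worth reviewing when tuning it.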
Socratic Arts' job is to build what DiGiovanni needs.
We expect cyber troops to be asked to do both. Hack attacks are not typically one-shot deals, but on-going affairs with moves and counter moves, like Cold War spy-on-spy maneuvers or live military engagements.
This is from DarkReading.com:
The big takeaway from DiGiovanni's research: STEM, aka science, technology, engineering, and mathematics, was not one of the top skills organizations look for in their cyber-Jedis. "Almost no one talked about technical capabilities or technical chops," he says. "That was the biggest revelation for me."
DiGiovanni compiled a list of attributes for the cyber-Jedi archetype based on his interviews. The ultimate hacker/security expert, he found, has skillsets such as creativity and curiosity, resourcefulness, persistence, and teamwork, for example.
[DiGiovanni] is looking for a completely different mindset and background, and [to] then train that person with the technical detail to do the job. They are looking for folks who are more resourceful and persistent, and creative in their mindset.
DoD's training program is about being more proactive in building out its cybersecurity workforce. That's how it has to work now, given that more than 200,000 cybersecurity jobs were left unfilled last year overall.
Every business will need to employ cyber attackers. Their job will be to find vulnerabilities before outsiders do and get them fixed by the defenders they also employ. Banks, hospitals, and defense contractors are especially likely targets. Pharmaceutical and oil companies too.
How can we help? The cyber attack course Socratic Arts is building for the DOD will be modified to make the projects specific to particular industries. The banks' problems are obvious: hackers might want to steal money. Pharma's problems are obvious: hackers might want to steal secrets. We intend to put out versions of our cyber attack course for each industry. These courses will take 6 months for a student to complete. We are not interested in giving an overview in the typical one week course that is no more than an intro. We want to train real cyber attackers who can help. The only way to learn is by practice (with advice). That's how you learn to ride a bike and that's how you learn to do anything.
You'll start with an unknown executable file that contains password-protected information. Using special tools for reverse-engineering such files, you'll locate password-checking code inside the file and use that password to learn about a chat channel for a cyber crime ring. When you drop into the chat room, you find out that the crime ring is associated with a recent ransom-ware attack on a hospital. You begin assembling an "actor attribution network" to develop a picture of the crime ring.
Given your success with the last file, you are now given a second executable file, which also contains password-protected information. But this time the password is encrypted so now you've got to decrypt the password. Cracking an encrypted password requires more reverse-engineering skills, a basic understanding of computer assembly language, and the ability to recognize which encryption technique has been applied to the password. Once you crack the password, you'll learn where the crime ring is talking now, and you'll learn about an impending attack along with the name of a web server where you can get more details about the attack.
Not surprisingly, the file on the server is another executable file containing an encrypted password, but this password is now doubly encrypted, and new reverse engineering techniques are required to crack this password. Once cracked, this file gives you the address of an FTP server maintained by the crime ring. On the server you find a README file that is not encrypted, but identifies a website that is known to have a local file inclusion vulnerability and explains how to exploit that vulnerability.
Your government supervisor asks you to examine the web server, and you verify that the server is indeed vulnerable and has already been infected with malware. So acting under government authority, you break into the web server, which makes it possible for you to locate and decrypt the webmaster's password. Using the webmaster's own login credentials, you log onto the web server, remove the site's malware, and correct the LFI vulnerability so no one else can break into the server or deposit malware on the web site. Fixing this web server was just a good deed (still illegal, but with good intentions).
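The local file inclusion (LFI) flaw this task has the student verify and then correct is a short pattern. The following is an added example, not code from the course or from the web server in the scenario: it builds a constructed mini site in a temporary directory, shows the vulnerable include that joins user input straight onto a directory path, and beside it the corrected version that maps an allow-listed page name to a file and additionally checks that the resolved path stays inside the pages directory. File and directory names are hypothetical.

```python
import tempfile
from pathlib import Path

# Constructed mini "web site": a pages directory with two templates, plus a file
# outside it that must never be served. All names and contents are placeholders.
ROOT = Path(tempfile.mkdtemp())
PAGES = ROOT / "pages"
PAGES.mkdir()
(PAGES / "home.html").write_text("<h1>Home</h1>")
(PAGES / "about.html").write_text("<h1>About</h1>")
(ROOT / "config.txt").write_text("db_password=placeholder-not-real")


def include_vulnerable(page):
    """The LFI pattern: the request parameter is joined onto a directory path and
    read. A value such as '../config.txt' walks out of the pages directory."""
    return (PAGES / page).read_text()


ALLOWED = {"home", "about"}


def include_hardened(page):
    """Two independent layers. First, only names on the allow-list are accepted and
    they are mapped to a fixed filename. Second, the resolved path is required to
    lie under PAGES, so a later misconfiguration of the allow-list still cannot
    reach files outside it."""
    if page not in ALLOWED:
        raise PermissionError(f"page {page!r} is not on the allow-list")
    target = (PAGES / f"{page}.html").resolve()
    if PAGES.resolve() not in target.parents:
        raise PermissionError("resolved path escapes the pages directory")
    return target.read_text()


if __name__ == "__main__":
    print(include_vulnerable("home.html"))
    print(include_vulnerable("../config.txt"))   # the defect: secret served
    print(include_hardened("home"))
```

The realpath check matters on its own: allow-lists get edited, and a path comparison after `resolve()` catches symlinks and `..` segments that a string comparison on the raw parameter would miss.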
Your supervisor now wants you to handle some disk forensics. A laptop belonging to a government employee no longer runs, and you need to figure out why. If the computer was nuked by malware, you need to find it and report your findings. You are then asked to analyze a log of malicious network traffic to and from the personal laptop of a U.S. military aide at the U.S. Embassy in the U.K.
At this point, significant criminal activity has been associated with the crime ring you first investigated, and you are tasked with the job of gathering intelligence from social media and other open sources of online information. You conduct sociological and ethnographic research on the crime ring's actors, and extend your actor attribution network to include all the people involved. Your research involves an assessment of the skills and threat level associated with this organization, which is crucial in the effort to prevent or contain any damage they are capable of inflicting.
It's time to infiltrate the crime ring and gain their trust. But first, you need to prove your usefulness to them. They have no use for run-of-the-mill script kiddies: they want to see what you can do. One of the ring leaders asks you to develop a series of increasingly difficult buffer overflow exploits to break into a company's internal servers. The last one requires you to acquire remote control over a DNS server by running a reverse-shell payload on the server — a serious exploit that requires considerable technical analysis and skill.
The buffer overflow malware with the reverse-shell payload that you designed for the DNS exploit has stopped working. You need to figure out why and fix it. This requires reverse engineering techniques of the type you acquired at the start of the course, along with a new return-oriented programming (ROP) exploit that needs to be tested remotely over a network.
Another government employee has a compromised computer, and you are asked to perform a forensic analysis on a memory image that was taken immediately after the malware infection was noticed. This image allows you to identify the processes that were running at the time the image was taken, which in turn leads you to malware inside a DLL (Dynamic-Link Library) file. The DLL is a binary file, so analyzing it requires the ability to work through a sophisticated library-based exploit.
The crime ring asks you to use your previously developed DNS exploit to add a user account to the machine. Unfortunately, the DNS server has added a Snort signature for the reverse-shell payload that you developed in Task 7 and used again in Task 9. So now you must develop, test, and use your own custom shell code payload.
Now that you've created and launched a successful reverse-shell payload, the government wants you to write a Snort signature for that payload. That way the government will be able to detect this malware if the crime ring should use it in another exploit. This involves writing and testing your Snort signature, along with generalizations of your signature using regular expressions.
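The point of this task is the difference between a signature that matches one exact payload and one generalized with a regular expression so that it still fires on the next version. The following is an added example, not the course's own material and not a real malware signature: the two rule bodies use Snort's `content` and `pcre` options on a constructed check-in marker, and the small Python functions emulate how those two options are evaluated against a handful of constructed payloads, including a benign line that must not fire. The sid numbers, marker string and payloads are all placeholders.

```python
import re

# Constructed sample payloads. "original" is the string the first signature was
# written against; the next two are variants a new build might emit; "benign" is
# ordinary traffic that must not alert. None of these are real malware.
SAMPLES = {
    "original":    b"RSH-CHECKIN v1 id=deadbeef host=lab-dns-01",
    "new-version": b"RSH-CHECKIN v2 id=0badf00d host=lab-dns-02",
    "spaced":      b"RSH-CHECKIN   v3 id=cafebabe host=lab-web-07",
    "benign":      b"GET /checkin?v=1 HTTP/1.1",
}

# Two Snort-style rule bodies (hypothetical sids). The first pins the exact bytes;
# the second keeps a cheap literal anchor and generalizes the variable parts.
EXACT_RULE = ('alert tcp any any -> $HOME_NET any (msg:"constructed marker exact"; '
              'content:"RSH-CHECKIN v1 id=deadbeef"; sid:1000001; rev:1;)')
REGEX_RULE = (r'alert tcp any any -> $HOME_NET any (msg:"constructed marker generalized"; '
              r'content:"RSH-CHECKIN"; pcre:"/RSH-CHECKIN\s+v\d+\s+id=[0-9a-f]{8}/"; sid:1000002; rev:1;)')
RULES = {"exact": EXACT_RULE, "generalized": REGEX_RULE}


def parse_rule(rule):
    """Pull the content literals and the pcre pattern out of a rule body.
    This handles only the subset of Snort syntax used here."""
    contents = [c.encode() for c in re.findall(r'content:"([^"]*)"', rule)]
    m = re.search(r'pcre:"/(.*?)/[a-z]*"', rule)
    return contents, (m.group(1).encode() if m else None)


def rule_fires(rule, payload):
    """content: every literal must appear as a byte substring.
    pcre: the regular expression must match somewhere in the payload."""
    contents, pcre = parse_rule(rule)
    if not all(c in payload for c in contents):
        return False
    return pcre is None or re.search(pcre, payload) is not None


def classify(payload):
    """Names of the rules that alert on this payload, in rule order."""
    return [name for name, rule in RULES.items() if rule_fires(rule, payload)]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} -> {classify(payload)}")
```

Keeping a literal `content` anchor in front of the `pcre` is deliberate: Snort uses the fast-pattern literal to decide whether the expensive regex runs at all, so a generalized rule that drops its literal entirely would cost far more per packet.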
The crime group asks you to carry out a spear-phishing attack that targets a European Union-based company in order to break into its network and maintain access. This involves researching the company and finding a target inside it who is likely to open the email (HR personnel are often good targets because they are expected to open email from unknown people outside the company). You will install and use the Social-Engineer Toolkit (SET) on Linux to develop and send a malware payload as an email attachment.
The government has detected a possible nation-state attack on a government honeypot, and your supervisor asks you to perform network traffic analysis of the attack. This involves network analysis skills and tools developed in Task 5, as well as inferences about attribution in order to link indicators of compromise to additional intelligence.
The crime ring asks you to use the persistent foothold gained in Task 12 to access the network of the EU-based company, pivot through its network, and steal its HR database containing personally identifiable information that might be used as leverage against employees. You will use an SQL-injection attack to access the database and download employee information.
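The SQL injection this task has the student use against the HR database comes down to one defect: a query assembled by string concatenation, so that the value of a request parameter becomes SQL syntax. The following is an added example, not code from the course or from the company in the scenario. It builds a constructed employee table in an in-memory SQLite database and places the vulnerable lookup beside the parameterized one, using the classic tautology string defenders use to confirm a finding; with the bound parameter, the same string is just a department name that matches nothing. Table, column and employee values are placeholders.

```python
import sqlite3

# Constructed HR table; every name and value is made up.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE employees (id INTEGER, name TEXT, department TEXT, ssn_last4 TEXT)"
)
conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
    (1, "A. Example", "HR", "1234"),
    (2, "B. Example", "Engineering", "5678"),
    (3, "C. Example", "HR", "9012"),
])


def lookup_vulnerable(department):
    """String-built query: whatever the caller passes is spliced into the SQL text,
    so quotes and keywords in the value change the query's meaning."""
    sql = f"SELECT name FROM employees WHERE department = '{department}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(department):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so it can only ever be compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM employees WHERE department = ?", (department,)
    )]


# The tautology string a tester uses to confirm the defect; it turns the WHERE
# clause into department = 'HR' OR '1'='1', which is true for every row.
TAUTOLOGY = "HR' OR '1'='1"


if __name__ == "__main__":
    print("vulnerable, HR:       ", lookup_vulnerable("HR"))
    print("vulnerable, tautology:", lookup_vulnerable(TAUTOLOGY))
    print("parameterized, same:  ", lookup_parameterized(TAUTOLOGY))
```

Parameterization is the fix; input filtering is not a substitute for it, because the set of characters that change meaning depends on the database and the surrounding query.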
At this point you will be asked to develop an exploit to be used against a non-traditional computing device (e.g. you might install a key-logger on an Android phone). Alternatively, you might intercept and analyze software-defined radio signals. Or you might build an Arduino "brute forcer" for hacking an electronic pin pad.
The government has connected a nation-state security agency to the crime ring you infiltrated. You are therefore asked to break into the nation-state's network, steal their hacking tools, analyze the tools, and repurpose them in an attack against another nation-state. You must mask your identity and location so that the attack seems to come from the nation-state from which you stole the tools. This task reinforces, extends, and assesses a wide range of analysis and exploitation skills that you have gained throughout the program.
Note: Legalities, ethics, and personal safety will be discussed, as needed, in all tasks involving illegal activities. All activities described above will be conducted in a safe "sandbox" that is separated from the actual internet. Many of these activities would be illegal on the actual internet if not sanctioned by appropriate authorities.
We are testing our courses now. Here is how our first student is doing.
Alice grew up in a small rural town where she had few friends, did not get along with her siblings, and grew increasingly unhappy. She dropped out of high school at age 14, petitioned the School Board for a home schooling exclusion, and designed her own home schooling curriculum for the next 2 years. During this period, she devoured books, dove into lots of creative projects, and despised math with a passion. At age 16 she was accepted into Simon's Rock (a branch of Bard College). After three years, she dropped out of Simon's Rock and took some time off to sort things out. She had no blueprint for the future, she didn't want to live at home, and she saw no reason to finish college.
After a few false starts at financial independence, Alice decided to enroll in a massage school where she could study for one year, get licensed, and make enough money to live independently. Which she did. She moved out of state and set up her own business out of a tiny apartment. She designed and maintained her own web site, customized software for maintaining patient records, and set out to learn everything she could about medical massage. To be the best possible massage therapist, Alice felt compelled to study body language & expressions in humans, infant development, neuroendocrinology, the peripheral nervous system, neurogastroenterology, medical neuroscience, trigger point therapy, the evolution of the hand, medical anthropology, and relationships between chronic pain, stress, & poverty.
Alice had no trouble learning all kinds of things, as long as there was some good reason for learning it. If learning made it possible to do something, learning was easy. She just didn't see any point in learning something that would never be useful to her. That, in a nutshell, is why she had trouble in school. And why she despised math in particular.
After five years as a highly successful massage therapist, Alice began to feel bored. When an opportunity to learn about cyber security arose, she jumped at the chance. Alice had never taken a single programming course in her life, and everything she knew about computers and the internet was self-taught, but she felt confident that she could do this. She loves the internet and felt that she would be happy keeping networks safe. After four weeks of learning by doing, Alice had learned enough about reverse-engineering that she could locate and decrypt sensitive information hidden inside binary executable program files. She also learned how to exploit a common web server vulnerability which allowed her to hunt down the server's password files, crack the encrypted passwords, and fix the very same web server vulnerabilities she had learned to exploit. She has accomplished all this in just the first four tasks of the Cyber Attack Academy curriculum (she has 14 more tasks to go). Alice has found a new passion in life, as well as a learning environment that makes sense to her.