
Why You Should Use Offensive Techniques to Teach Defensive

BSides KC · 2019 · 27:53 · 1.5K views · Published 2019-06
About this talk
While most cybersecurity professionals recognize the value of offensive techniques (hacking) as a tool for teaching and learning cybersecurity, the term "hacking" still scares many people, including administrators and network owners in both academia and industry. This talk presents a comprehensive argument for why offensive techniques are the best method of teaching cybersecurity's core concepts, even for defensive cybersecurity professionals, and then provides a blueprint for leveraging commercial offensive training to overcome the challenges of building and maintaining your own offensive infrastructure. The talk starts by evaluating the skills taught in several popular cybersecurity resources (SANS, textbooks, CTFs) against established curricular frameworks to show that both offensive and defensive techniques teach cybersecurity's core concepts. I then discuss the psychological impact of offensive and defensive techniques on motivation, resiliency, and the security mindset to demonstrate why offense is better for establishing lifelong learners and more proficient security professionals. Finally, I present a method for building an offensive education program through a case study of a pilot course taught at West Point. This course leveraged the established framework and real-world applicability of modern certificate training (PWK) while adding new gamification elements to foster teamwork and enhance the students' motivation. Ultimately, this course used offensive techniques to teach the concepts foundational to all cybersecurity professionals, all while building a security mindset focused on lifelong learning.

Speaker: Michael Kranch (Cyber Operations Officer, U.S. Army)

I am an active duty U.S. Army cyber operations officer with a passion for teaching cybersecurity. I spent the past three years teaching cybersecurity at the United States Military Academy (West Point), focused on red team operations. I course-directed the senior cybersecurity elective, built and taught the first offensive (ethical hacking) course, and coached the Capture-the-Flag (CTF) and Cyber Defense Exercise (CDX) cyber teams. More recently, I am the lead curriculum developer for the Fullstack Cyber Academy as part of the Cyber NYC Initiative. I have several publications, with all my research concentrated on cybersecurity vulnerabilities or education, and I hold the OSCP and GXPN technical certifications. I also lead a hacking club at Leavenworth, volunteer as a production technician within my church, and participate in CTFs in my free time.
Transcript [en]

All right, well, welcome to the appetizer lunch. So right after this we'll dismiss you; you get a barbecue out there, it's gonna be fantastic. I don't generally agree by other than this was really impressive so cabarrus it's fantastic. Michael Kranch, you guys, an Army cyber operations officer with a passion for teaching, obviously to you. As you hear, this past three years teaching cyber security at West Point, focused on Red Team operations. Course-directed the cyber security elective, built and taught the first offensive ethical hacking course, capture the flag, cyber defense exercise, and recently led the curriculum development for the Fullstack Cyber Academy as part of the Cyber NYC initiative. A published author on and on

focus on cyber security vulnerabilities and education. So I think I'm not concerned, so therefore I'm also not with industry, so I really have an academic focus, and that's really what I want

trying to understand how fast we're losing teeth. So here's a long title and a little bit about it, but this is ultimately the question I'm trying to answer, perspective: how do we best teach future cybersecurity professionals, or all of you in here or in the industry, in some way, right? This is something we all know, that we have a lot of job security, okay? Cybersecurity needs so many more people, and in particular we're really focused on defensive cybersecurity, even though this talk is going to be about why we should leverage offensive; 85% of those jobs out there, we need to figure out how best. And so here for this, so what at the end of this

whole presentation, here's what I hope you take away: that offensive and defensive techniques can both be used to teach the same cybersecurity core competencies, okay? And that is something, using a very rigorous academic approach of going through and actually defining and talking about what these competencies are, and showing you that we can get the same technique. So at the end of the day we can teach the stuff we need to be a defender through an offensive means. So really the second bullet here is the end state of why we should use offensive techniques: cybersecurity really requires resilient lifelong learners, okay? You've learned something in your initial training program, whatever it is, whether it's academic or through

industry certifications. You're going to go out on the job; you'd be expected to continue to learn throughout your entire career. Actually you have to, right? The tools are updating, the techniques that are being used. So we need to build people that are really passionate, that do those things like attend BSides on the weekend, and to do that we need to create these resilient lifelong learners, and at the end of the day offensive techniques are best for doing that, for building that passion. And then by combining this focus on concepts with the relevant training of industry certifications and some of the motivational techniques we'll talk about through gamification, you really can build this best training platform.

Okay, and so for my motivation, we talked about seven percent. So I got into this when I was in my undergraduate. So I participated in a CDX at West Point in 2005, right? So here's the headline: the NSA attacks West Point. Relax, there's a Cyberman. So we have this competition where we spent about three months just building an enterprise network [Music]; there's Exchange, Active Directory, web services, DNS, all this time going through our checklists and playbooks and establishing our procedures for what happened. Then we start this competition; it's a week-long, look at four days, okay? Day one, everything's going on, right? Day two, you know, they move a little bit faster, scanning, and then like day three

everything's on fire, right? You know, all of this work for months to get to this point, and it's just, you know, they... again, we won the competition, but I think we all left this experience, I want us to defend, ahead, the NSA's all over my network. So I walked away from that experience a little bit disheartened. I got a chance to go back to Princeton, really studied graduate-level cyber security, getting into a little bit more of it, and I came back, I started teaching cyber security, and I joined the cyber team in half there, which is doing capture the flag exercises. So I kinda hope you all have some understanding of

what takes place at DEF CON; there's a lot of collegiate level. So there's some difference here, and it's not just the mood lighting and the cool stickers and all the energy drinks, right? So my first competition there that I did with them, I believe, was Boston Key Party in the fall, or PlaidCTF, one of those two. But anyways, really a high-level passion applying; these students spent all weekend working on one problem, a problem that was already solved by the majority of people in this competition. They're just sitting there and they're working on it, and you know it's a 48-hour competition; at two o'clock on Sunday, right, three hours

before the end, they solved their first problem, and they're all like cheering, everyone is super excited. We finished in like 193rd place, right? But they're still super excited that they went through this experience, and I kind of think back to my experience with CDX and this is interesting, right? And so then I got the book from there, and in the spring they actually asked me to be one of the coaches in the CDX. It's not like, okay, now I can start to get an experience for what it was like; now they sent me to go be part of the red team, and so I could see from the other side what the adversary was for the next year

and come back and teach. And so cares me with the red team during this, and first we got the cool pirate flag, right, now PBM going on. And so all of this, what I noticed there's, my expectation was that I'd walk in and they're just sitting there and they just push the easy button, big on the networks, right? And it wasn't like that. They actually had a very similar experience to go through the kinetic experience. They spent three months building these images, right, installing the rootkits and the backdoors and intentionally weakening the security features, and there's multiple operating systems; they had to do all of this infrastructure before they give it out.

Right, and at the start of the competition the students are actually pretty good at defense. I mean they have a lot of time, right, to do this, but they spent all the time working on the callbacks, right, and they turn it on and nothing is calling back, right? And so they're sitting there and they're trying to figure out whether they're just blocking the outbound communication method; maybe I can still send commands in and get them through that. This whole troubleshooting process of trying to figure out what the network actually looks like, what security the students have implemented, and I mean you're sitting there struggling like day one. It's not that we didn't see anything, as

they weren't doing anything, right? They're really having a hard time trying to figure out what's going on. A little bit more than three hours, they start to make this breakthrough, right, and they start to use that and be able to pivot throughout the network, the modifying. And so it was a difficult, resilient process here that the red team had to go through, very different than I expected. And then I go back, right, and now I'm a coach, and it was exactly like I wanted as a student, right? I mean they're sitting there, they have more advanced techniques now; they're using Elasticsearch, and we have Logstash and Kibana, and probably have these like custom tools that will detect

and kill processes, but still the same checklist kind of things. The students still get very frustrated because they're gonna get only have to write upon it within the competition to make sense and just sit there and do nothing, and that's even part of it; a lot of it is kind of waiting as a defense. So this really left me with these two questions: do offensive techniques really establish a better mindset, particularly this resilience, this passion for cybersecurity, compared to defensive techniques? And then, can I teach the same things with both offensive and defensive, right? Is this the same skillset? And I'll say that this is not entirely original; other people have had the same two thoughts, right? I'm

sure if you've been in the field, Bruce Schneier first was talking about the security mindset back in the early 2000s; there's been great debates on CTFs vs. CDXs from Chris Eagle or even pile of ants wired by the early 2010s. But when I started to look about this, people write a lot about this, but no one's actually done anything to say: are these the same techniques? What are the concepts we're supposed to learn? What is actually the impact of these two methods? And so that's really what the rest of this is about, is trying to formalize this to make it less of just "I write a blog post because I'm an expert and you believe

what I say," right? So what can we do to actually prove one of these things is true? So here are my three questions that we're going to answer, right? So what are the core skills that a person who shows up day one in cybersecurity on a new job, what do you expect that person already knows, right? Do offensive and defensive techniques then teach those skills that we're going to find? And then does the method of teaching those techniques actually make a difference, or doesn't it matter at all? So the first one here is: what are cybersecurity core concepts? So first thing, I've got to kind of define core concept, and again I already told you, when you have someone

show up the first day, that's what I expect them to already know. There's many terms that are basically synonymous: fundamental knowledge, essential skills. And they look at three components. First, we've talked about this: they have to be timeless. I can't just teach a single tool because that's not necessarily gonna be relevant in the future. They have to be not tied to current technology, right? Ask me something that can be applied more broadly. And then most specifically, these are the concepts that are the hardest, provide the greatest barrier to enter into the profession and future mastery. So those are the things we're gonna try and tackle, so that they can continue to progress, they can specialize in whatever

method they want as they go. And so we'll play a little game here, right? So is this a core cybersecurity concept? Okay, everyone's pretty much any grants. How about programming, scripting? Okay. How about ethics? Okay. How about analysis? Yes. So here we go: vulnerability assessment? Yes, okay, that's good, I like to see that there. How about reporting? Reporting, command-line tools? Yeah, oh, that's probably a lot of the network. How about enjoying tasty beverages, right? So maybe not so much. But you can see even here we had some slightly different opinions, right? I'm trying to stay away from that. So at the end of the day, let's talk about

frameworks. There's a lot of frameworks out there that kind of solve this problem, come out particularly in the past two years, which is awesome timing for me to do this. So we have NICE, which I'm sure a lot of people have heard of and use, the workforce framework as well as their cybersecurity framework; we're going to talk about CSEC 2017 and event packs. And so the first one here is NICE. You've probably seen this, you know, full circle with the five parts, the cybersecurity framework. They also have this workforce framework where they split everything down out into 53 different work roles, and they list the skills required for each of those 53 separate programs. What they don't do,

though, is they do not establish these core skills, right? And I tried, and I'm still working on this, and there is some more that needs to be done, but trying to pull T's out of that, what are the most common, and you said a little more, but they don't just establish; they focus, you have to pick your specialty, and then basically your specialty here, the skills. The next one is the Cybersecurity Curricula 2017, 2018. This is a huge project, 300-plus experts, 35 countries, ACM, IEEE, and I asked these are really big names in the computing space. So this is when you talk about the degree: when I say I have a computer science degree, most of you

have some idea in your brain what that means, right? You kind of think of the skills that I would know as a computer scientist. There's a lot of trouble with this with IT, right? If you think about, I have an IT degree back in the early 2000s, what do I actually know, right? It wasn't standardized, and now they have some expectation of what an IT degree was. They have come out since 2000: here are the things, if you graduate from a computer, a cyber security degree, here are the skills that this person will have. They have these eight knowledge areas. What's the most important here is that they define the essential concepts in each of these

knowledge areas, okay? So now I have this pool of essential concepts that I can use and kind of test against, okay? So here is an example of some of the skills just from three of the eight knowledge areas; there's about fifty. So things like vulnerability of system components, we've talked about reverse engineering being on here, attacks, authentication, access controls, confidentiality, integrity. So they go over finding, they go even further and actually say the learning outcomes you should get from each of these concepts, so this is a great starting point. They also mentioned documentation, right; we talk about reporting again. It's another collaborative process, a lot of experts; they use a Delphi process, which if it

means something to you, that's good, explain that; it's just a way of defining this. They come out with two main tools, the security concept inventory, which is what you should expect after your first like training course or after a first semester really of cyber security, and then the curriculum assessment, which is what you should have when entering the workforce. And here's an example, and so these are rated by importance, and so that's the panel when they came through this process; everyone rates it and then they take the ones that are most important and ask for things, as well as difficulty, the barrier of learning. And you can see some of the same things: identifying a

vulnerability, identify your security goals, explain why they are happening. So these are the types of things that they were establishing as the core competencies that someone graduating should have. So now I have this baseline of skills, okay? So now I've got to look at different training techniques and see what are the actual skills you learn from those training techniques, okay? So this really has a problem here: it's how I know something is offensive or defensive, right? So I need to classify something to be able to assess, when I just talked about again, so we have something in reverse engineering: offensive or defensive, both? Okay, you know. So how about connection fence: offense, both? Okay, we could go through, right,

and go through these, and a lot of opinion again; we're trying to get this opinion out of there. And so how do I actually classify a resource? Well, one of the best ways to classify a resource is to use industry's own classification, right? So SANS, Offensive Security, a lot of these institutions specifically say: if you're a defender, here's a defender course; if you're red team, here's a red team course. So what we can do is we can use their own industry-standard classification, look at the skills they teach, and then classify the others as offensive, defensive, or both. There's also this whole taxonomy presented, and do this on public resources. And so what I did was I went through all these skills,

right, I went through a whole new syllabus, and here's the list of resources: public CTFs, security training, missus, all really focused on that introductory, that like 500-level kind of courses. So here's an example, right, in blue, red, I mean, so I can look at the skills taught here in these courses and then the last they do of the training, and I can compare it here, and that's how I can classify it. And so now I have this classification, and I gather if you're in education you understand Bloom's taxonomy, and so a lot of this stuff is down here, the knowledge or comprehension level. But what's really cool is, particularly with the way they do

challenges, you need to have troubleshooting or problem solving, which is really teaching you or assessing you at a much higher level than what is required. And this is really what we, when we're trying to actually do red team or blue team operations, we're at the application and analysis, the synthesis model. So it's great that they're already above what we need, okay? So what were the results of all of this? So here's a lot of numbers, okay? So I'm going to break this down one category at a time instead. So first we have the core concepts; here's how many actual concepts there were, over 135 of them, assessed concepts. So things like documentation, I

showed you that that really can be taught either way, so there's not like, you know, or reporting; public speaking was in here, teamwork, right? So I kind of took a lot of those more social things and I just didn't really assess them, because that wasn't so much the matter of teaching; that's how you decided the teaching itself, established the classroom. So now here's the actual results, right? So when we talk about top, I both product by offensive only or defensive, you can see offensive techniques end up covering eighty-nine percent of the concepts here; defensive techniques covered ninety-five percent, right? So there is a little bit better on the defensive side, but both of them is really the vast majority of these

concepts, and in either case there are some concepts you're gonna have to leverage the other one for. And then we looked here at this idea of primarily offensive, primarily defensive. So even though I have this, yes, quasi both, some of those really were more offensive, you know, vulnerability assessment, explain how to exploit, traffic analysis; those are both, but clearly more offensive things. And then you can look at things like monitoring, giving a brief, explain, however cover it. So you can see even though right here the defensive covers more, more of those are actually a little more offensive. So at the end of the day here, conclusion, right, is that either technique can be used to teach

the majority of these concepts, okay? And so now, does it actually matter? Does it matter how we teach? And so this is where that a little bit more of that psychological analysis. So what is the psychological outcome we're looking for? Is that idea of lifelong learners; we want people that are resilient; we want to build this intrinsic motivation, which is this idea that you motivate yourself from the inside, right, that you want to do things like those conferences like this or go hack. To do see growth mindset, does anyone here have kids? Okay, right, so growth mindset is this huge thing on how we're supposed to teach kids; aside, we have praising failure, praising effort versus simply

praising the egg, right, and this idea of getting them to be resilient and to continue to learn and struggle through things. We also have really this resilience, and how do you build resilience? It's by facing, failing, and then overcoming a moderate challenge, right? It can't be too easy, because it doesn't mean anything to you; it can't be too hard, that you stop, right? You've got to have that medium challenge. There's actually physical effects, dopamine releases, that start to get you to want to do this more, right? So when we look at offense, it's got a lot of these positive attributes built in. There's already this idea, this mantra, as you see down there, all kinds of security, that this

is supposed to be hard, right? You're supposed to fail. You're gonna try things repeatedly; even the same exploit, when you send it across to the target, sometimes it doesn't work, right, because of what's going on in memory and how the exploit is structured. And so, and we also have, I mentioned before, this idea of the security mindset, that you really need to think about how things can be made to fail to be able to identify the expectation that fails often, and then of course this repeat of small victories. When we start to look at defensive impact, there's several things here, but at the end of the day the defender either sets things up and just

wins, right, which there's really no challenge, or they lose because someone breaks in. And so part of it is the mindset of how do we better build this, someone comes in and I work them out, method into defensive training, but it just doesn't have the same positive impact as the offensive training. It's not as exciting, right? And then you can see that just, what about all of the stuff is even here in it, Timmy Deane talking earlier about how to bring more red teaming into blue teaming. And so it's just not as impactful, and so at the end of the day offensive techniques really get people more excited about cybersecurity; they're the best for

building resilience and this intrinsic motivation, getting a little part of our community, and these are things that we need to build in. So I have about three minutes left, and so how do you actually build offensive training? All right, that's the next question. So an offensive curriculum is harder, and it has several really unique challenges. We talk about things like you need this infrastructure; you need these repeatedly breaking machines that you can keep fixing, right? At the end of the day people are going to have full access to your machine, right? And then there's legal and networking issues, particularly if you're talking about doing this inside your own organization, right? I'm teaching college students how to hack, and what happens if

they go and do this somewhere else, right? So then there's always kind of external things that we have to worry about. And so leverage industry, right? We have a lot of industry that's always doing this out there, and now even these are somewhat expensive solutions. We ended up using PWK over there, doing it at our own pace at home; that has the whole infrastructure. But there's cheaper solutions out there, okay, right, whole-hog; there's places where you get machines already established, or Hack The Box, right, it's like $19 a month. So there's other places that you can go and get access to this, and then it talks a little more about this. But so I started

two purely offensive courses in here, and the real key is to start to build in these things I talked about, this failure and then winning, is gamification: this idea of having my students lukina cancel each other, build Suites forwards, right, where they track their progress against each other the whole time; they get achievements as they go. The other thing is letting it be self-paced. So in the classroom, instead of focusing on how they do a technique, right, I can sit there and talk to them about: why did you choose that technique, right? What is the underlying concept? One of the things I only struggle with is, so we enter the colonies, I could fill that back in, like what's happening here

using a TCP connection? So what kind of things can't you send across TCP? Like ping, right? That's why that doesn't work. And so you can start the happy sleeper. You can see my students here; we're clearly competing against each other. You can see the lines at Sunday midnight, right, everyone's throwing their submissions; we gave bonuses at that point, and they're way above the red here, which is what was required. They're winning above it because they're competing against each other. And then I have this idea here, the later, last completion: I've built teams, and so they had to work together to build teams, and you can see that we actually met each team winning an even amount of time. So it took a lot of

crying at first bloods, all of these different techniques. Appears the last thing is we actually had a live performance-based exam, okay? So everyone sat there at a bunch of new machines and they got to compromise these, with Twitch, you know, everyone had their own like keyboard screen streaming away, the scoreboard, and everyone wins, right? Everyone defeated, right, pwned at least one machine. So even the person that ended up getting the lowest score still felt like, I couldn't do this before the class, I've done all of this, now I have this public display, and it was really exciting, inspirational. So the end, since this gamification aspect really works, it provides a lot of extra motivation that builds the passion,

right? The class format, this letting them go at their own pace, provides a deeper understanding, and then you've got to internalize this security mindset. So here's the overall so-what. Thank you so much for your time. Does anyone have any questions? There's BBQ waiting. [Applause]