
your town this is Alphaville [Music] [Applause] [Music]
much the same as other small towns Alphaville is the sum of many lesser parts but unlike every other town Alphaville does not actually exist not in the traditional sense anyway a purely electronic creation of science Alphaville is an informational representation of a town a town which is perpetually under siege it exists only as data and in the minds of those who defend its critical information infrastructure and those who could attack it as you can see the four locations that make up Alphaville are the library school city hall and Alphaville Emergency Services are there other locations in Alphaville sure I suppose so maybe a grocery store or a soda fountain but do you really want to be the hacker
that takes down the soda fountain
what are you going to do order a thousand cases of Coca-Cola I don't think so besides then you'll have the Coca-Cola Company to answer to and those gentlemen don't mess around while no longer commonly used in the civilized world this switchboard is a useful visual metaphor for Alphaville no information can flow between any two points without a connection information can move from point A to point B with enough leaps information can be made to move between any two points on the board so let's look at the information technology infrastructure of Alphaville you might be asking yourself why would anyone attack a small town library the electronic card catalogs of today's libraries hardly represent a high value
target while a miscreant could erase titles or add erroneous ones little seems to be gained by attacking those assets consider however that other information may be stored on the library's critical infrastructure full names addresses possibly phone numbers whether a city councilman's been checking out dirty books like The Story of O Catcher in the Rye once they've gained access to the system it may be possible to exploit weaknesses in that system to gain access to other places in Alphaville but surely the school poses no threat you might say what could be done here grades could be altered certainly but there's more to be had than an A in wood shop here once again names numbers addresses
and now the names ages and birth dates of children and again through weaknesses in the school's domain name service system or other exploits access to one system can be leveraged into access to another at this point a hostile user or team of users has access to Alphaville's municipal records legal documents and other sensitive information they may even have access to Alphaville's emergency services such as fire police or ambulance dispatches along the way they may have gathered information from the library or school systems which could allow them to guess passwords or socially engineer access to more and more critical systems it's possible that some resource or document was the perpetrator's target all along whatever their motives
Alphaville
has been hacked but who you may ask would do such a thing who would attack Alphaville miscreant youth bent on causing chaos and havoc trashing your precious data for bragging rights to gain favor with females of their subculture professional thieves working for the highest bidder organized criminals looking to enrich themselves and forward their own illegal operations or perhaps shadowy operatives working under the auspices of some foreign government ultimately doesn't matter the point is your critical information infrastructure may be vulnerable and you may not have the skills to keep it safe so where do you obtain these skills where do you learn why right here of course in Alphaville you will learn to defend an
interconnected network of systems with real world assets in real world infrastructure against real world threats Alphaville brought to you by the Michigan Cyber Range be prepared for the worst by learning to be the best [Music] thank you
so that's my movie uh you know one of the cool things about this job is that I get to make movies so uh you know just think about that getting paid for that yeah so uh just a little bit about the Michigan Cyber Range the Michigan Cyber Range is actually a public private partnership between the state of Michigan and Merit Network Incorporated uh if anybody has gone to college in the state of Michigan anybody here for gone to any of the four-year colleges yep you've used Merit Network okay so we uh we connect all the four-year colleges 85 percent of the two-year colleges and some 76 percent of the K-12 ISDs so uh we're a 501(c)(3)
nonprofit we do all this uh to actually put the internet where other companies won't um the the thing you got to realize about the cyber range is that it is a cloud-based service we run 4,500 miles of fiber optic network cable throughout Michigan we're Internet2 we're connected to the research and education networks in Ohio Illinois uh Wisconsin and Canada so we we have that kind of connectivity and we leverage that to make the the range accessible and I want to talk about that in a little bit so who am I I'm Joe Adams also known as Joe Adams um that was a joke you know everybody else has got a hacker handle and I don't
okay uh so that so there's a cyber range and who do they find they find some army guy to come and run it so that's what I did retired exactly a year ago so I still tell time in 24 hours okay I've got all these things and and loads of of titles uh the thing to learn the the takeaway for the Cyber range is that it's about information you go to a lot of places you take your standard five-day conference class you're going to learn about hacking applications you're going to learn about attacking services or this one server we actually can put up a persistent training environment that reflects the where the information is kept and just
like you saw in the movie you can pop an easy target pivot and use the information that you've harvested from the library for example to break into other places it is a virtual town and it keeps growing right so we did is take the information systems you would find in a small municipality there's a library a police station a town hall a couple small businesses and we network them together to create a persistent training environment anybody in here been in the army all right been to NTC no okay wait there you go all right it's a sandy dusty little crap hole in the middle of the Mojave Desert but it's got a town it's cinder block it's plywood and
there's a big spray painted sign on the on the side that says school right but what it does is it gives you a sense of place you're actually moving through a town you're not moving through obstacles we wanted to build the same kind of thing for hackers for system admins for defenders I'm not just going to give you an IP range and say go figure out what's there you actually can can do a whois and you'll get this is the public library and here's the name of the system admin you can actually go in and take a look at the services they're running and they will be pretty much realistic and and we we keep we we work on that as hard as we
can to make it as realistic as possible this is kind of what it looks like uh this is old so it has been added to if anybody's familiar with uh vCloud Director it's a vCenter so I can give you a copy of Alphaville and you a copy of Alphaville and you a copy of Alphaville and everybody can play in their own little sandbox right so that's that's how we do our training and that's what we're looking for is for people to come run classes run exercises test procedures test policies and see how they work out why do we do it well 85 percent of this nation's critical infrastructure is defended by you folks not defended by my friends at CYBERCOM
I you know the NSA can watch over your shoulder but they are legally forbidden from doing anything to secure your network okay so if anybody knows about a cute little law called Posse Comitatus it prevents the federal government from coming in and doing things to DTE to Consumers to Blue Cross Network to the state of Michigan okay there is that separation yeah it's still here the other thing you need to realize is that over the last 10 years industrial control systems SCADA smart grid have actually been bridged into the public internet way back when in the day you actually had to go to a control room and there was a big steel door and you went
through and you worked on the control system somebody figured it'd be a good idea if you know Schmedlap who's working the control system could check his email at the same time so they bridge the two networks so now there's a neat little search engine by the way called Shodan where you can just go out and find these SCADA systems they're accessible over the internet not only because it allows me to cut my IT staff because now I can administer it from a central IT place but it also makes it easier I don't have to buy two machines for for Schmedlap we want to do more than just show the usual enterprise systems right because they're they're out there all right
you got when I was the Chief Information Officer for the National Defense University I had two guys on my network team and we called them Thing One and Thing Two guess how much training they got absolutely zero because when Thing One left Thing Two is pulling 24-hour shifts seven days a week he's not happy there was a recruiter on before lunch that talked about burnout well that's how it happens okay so what we want to do with the range is be able to push training to Thing One and Thing Two because as the CIO I can't send them to you know a course for a week but I can give them Thursday afternoons in the
conference room to do an online class so that's how I want to approach it to keep things going because on the job training is good but it's only as good as the people who are giving you the on-the-job training and so this is how bad habits perpetuate themselves and become corporate culture um I can tell you all kinds of stories about people applying patches on a Wednesday night and it gets scary all right here's where you get through the so what slide well the the attacks aren't going to stop all right just embrace it wallow in it love the chaos you've got the fear-mongering that goes on in the Washington Post you've got people that are are fighting
for budget and they want to hire all kinds of cyber Warriors but I think this is probably closer to the truth I will tell you that the advanced persistent threat cue chilling music is there but there they don't want to just do a smash and grab they don't want to break in steal your stuff and leave they want to break in and move in with you they want to watch what you do over a long period of time because that's let's face it breaking in hacking takes time and time is money and I want to return on my investment so once I've broken in I'm going to stay I'm going to know what you do I'm going
to know how you do it because if I can figure out how you do it maybe I can figure out how your other Branch offices do it and I can keep on moving here's the attack distribution from 2012 just in case anybody's wondering who the real bad guys are yeah you've got your States your your nation states you've got a little bit of the active computer network offense lots of hacktivism going on but what we see is that hacktivists tend to have a cause they show up they get their headline they go away it's annoying it outs people it does what it's supposed to do which is you know get headlines but it's these guys in the red
the cyber criminals who show up and want to stay in your backyard live in your living room you know see what's in your refrigerator they're the ones that you have to really defend against because they're the ones who are taking away the opportunities stealing intellectual property uh and and actually doing a lot of economic damage so who are you going to call nobody's nobody's getting my my Ghostbusters how all right so so pause for a sec how many people caught the Dr. Strangelove references in the movie okay how many were there how many Doctor straight two there you go I knew an old guy would get it so who are you going to call that's right
a lot of times we look at the researchers we look at Geeks like me who work for a university who sit behind uh sit in a cubicle and think Deep Thoughts this is good but they tend to build all kinds of really wild overblown things write papers that nobody reads in journals that nobody subscribes to we need that the threat is moving too fast at the same time if you go and create a cyber militia who's going to police the militia okay don't know if anybody here has been to one of those far off Sandy places where there is no strong central government and you get militias but I can tell you that this the the
space between a militia and a bandit group is pretty small and it depends on what day of the week it is so how do you how do you fix this all right well we're going to start with a range okay like I said it's an actual place we put a lot into making it with a sense of place our range is different because it is completely unclassified okay it is one of the few in the in the country it is the only cloud-based unclassified range we have secure access we also have routing protocols that keep what happens on the range in the range okay so if you go and and you're you're experimenting with with routing and you
happen to light off a broadcast storm or you rip off you know Metasploit and it just happens to go someplace unintended it's okay you hit reset just restart it no harm done nobody's production network even sees it in addition to the hardware and the infrastructure we have built a complete education program to go along with the range all right in the army they teach us to crawl walk and run so what we want to do first is we want to teach you the individual skills that you need to be able to contribute to a team okay everybody talks about the lone hacker sitting in his basement you know crap it doesn't work like that I'm telling you that an IT staff
and in fact a computer network offensive squad is a team nobody's expert in everything and everybody's got to communicate with the other guys so that you can maximize benefit all right I'm a colonel I'm telling you I do this for a living and I don't do it onesie twosy all right so we want to teach you the individual skills then we want to teach you how to work as a small group perfect example web application security I give you a LAMP stack you've got the firewall guy you've got the Apache guy who's taking care of the server and then you've got the SQL nerd who's back there making the website go tick tock but they've got to talk together they've
got to realize that the vulnerability or the configuration that is put in Apache ripples through and might make the SQL database vulnerable you've got to realize that not that doing data validation on some web front end some web page could actually expose a vulnerability the other way as well so we want to get you to work together because where we want to go is we want to go to the force on force red on blue full speed exercises that's where that's where we see the most benefit when I taught at West Point the NSA would come every year and would host the inter-service academy cyber defense exercise and we loved it you know we won three years in a row
okay but we did so because we got organized we practice hard we we actually did a lot of prep so if you were my SQL guy day one you dumped that whole database you wrote a script that said if this is supposed to be an eight character name it's eight characters and no more so we got rid of all the Easter eggs we did we did data validation and all the the web pages we looked through the mail stores we did all that we got prepped because that's the way you've gotta you've got to approach this you're going to be under attack you're going to take that attack and unplugging from the internet and saying wait a minute while
I figure this out is not the answer you can't do that so we want to teach you at full speed where the vulnerabilities are where the interconnections are and how to respond to that because one of these guys is going to die [Laughter] and you just want to make sure it's not you okay we want to provide a safe environment we want to teach you how to work like a team and because of the the way we've fixed the infrastructure it is easy for you to do it again we're going to evaluate you yeah you need to work on this hit reset make you do it again because we're going to put you through an
objective-based exercise okay capture the flags are a lot of fun because they have a focus all right but in a lot of cases these red on Blue capture the flags turn into a paintball okay paintball's a lot of fun it's a good cardio Saturday afternoon shoot the guy you don't like from work crap for training okay what I want to do is I want to give you an objective that says provide secure e-commerce ordering on this site and then I'm going to create exercise injects that test that objective I'm going to come at you with a certain set of of attacks and see how you respond and that's how we're going to give you that kind of feedback
adaptive assessment is is important and then we give you the feedback how can you do this how can you see this well through what we call secure sandbox so when an instructor wants to teach this we can actually be an extension of his classroom you want to do this for work we can actually be the place where you can put all this all your targets we can load it help you load it with all the the bad tools we can make it all real and available for you control access so you actually decide who gets credentials to log in and then you can like I said either bring your own environment or we can give you pieces of Alphaville
Labs from our classes uh and and you can give that a try the other things that we we've got we are developing a couple products personal lab space is where an individual can come just give me a credit card and get a 90-day lease on on a a sandbox and and either practice for one of the exams that we give or uh or actually just do their own thing really good if you're a starving graduate student who doesn't have a whole lot of money to spend on standing up infrastructure we can help you with that we're also building classes that are on demand I've mentioned classes a couple times but if you go to uh the Cyber Range
website you'll see we we offer about 14 different certificates in resident and online we also do what we call remote in resident so if you want us to come to your location and teach we will do that we're turning that into an on-demand kind of thing inside Alphaville our goal this summer is to build a SCADA environment that goes along with the town so we're going to have Alphaville Power and Electric idea came up this week hey can we can we add a nuclear power plant sure let's do it of course we'll have a donut shop somewhere in town too just because I've got a weird sense of humor like that so if you've got questions before we do
this let me let me show you real quick what the uh what the the uh uh what the range looks like and for some of you you're going to go oh this is it but um I think I think it'll be good there's no sound here so uh don't worry but for those of you who are used to vCloud this is it you log into the the virtual data center it then gives you your your library you choose your target or actually open up your your user interface in this case log in can you guys read that in the back me okay Nathan gets to fix this Monday morning but the idea is this is you are now
completely in a virtual environment so no matter what you do it's not coming back it's not going to live on your your PC it's not going to live in your office production Network you can go through you figure out where you are
do a scan to see what's around you
I got to work on the timing of this but what we're doing here is we're actually walking through the classic five steps of a hack okay you just did recon so what comes next anybody here CEH come on enumerate um so we're gonna if this doesn't hurry up all right here we go you get to the public library
we take a look around
banner grab
okay what kind of information can I find here
and this is also really interesting because you can actually start discerning some of the rules they might use for naming
we take a look we play around a little bit with the database
and this is something we try to teach is you can actually change these error messages so don't leave them alone so we have we've actually looked it up now it's fun times over now let's get down to business
so as we start at Burp Suite the important thing to know is it's not about tools you knowing how to use a tool is cool but if you don't know what that tool is supposed to do well then all you've got is a hammer and the world looks like a nail so what we want to do is is we're going to we're going to give you all the tools and you just have to know which one do you use for this job so we set up Burp Suite gonna put ourselves in the middle so that we're capturing the traffic
and then we're going to go in and actually run the site again why would we do that anybody I've stunned you to silence okay so what we're doing is we're actually forcing the site to work so that we can capture the traffic so that we can see how it works
okay so you saw our GET you saw our POST
and so now I can actually go into Burp Suite and recreate the SQL query that pulled that information out of the database
all right just just speed this up
there you go so we use another tool to carve that data out
there's a problem with putting together screen capture movies
okay so sqlmap just goes ahead and tells me here are your vulnerabilities color codes them because I'm lazy and I just want it quick
it also does the banner grabbing so it tells me all about what I can use and where I can use it I'll speed this up again okay here we go we go back in we run the query again we've dumped the table then we're going to carve out the data
because that's what it looks like and it's ugly here's where we talked about you know can you script I've interviewed a lot of people and they don't have the slightest clue about a command line okay so if if hacking to you is using a GUI you might want to come and take a class and learn how to use a command line right because um it's more about what you know than how many buttons can you push so here you can see we've carved out information or that was the credit card information here's the the user user IDs and passwords yeah how realistic is this well this public library is actually modeled on the Ann Arbor District Library so
I didn't didn't have to go too far for inspiration um and this isn't unusual we did a we did a pen test of a certain place where I used to live and found that the local self-help garage you've seen these places you know you go in and you rent the tools and you basically yeah your key was your social security number and they stored your credit card information right there just to help you out so had it all right there you know Joe the mechanic punching it in really kind of bad but these are the kinds of things that PCI was supposed to fix but you'd be surprised how many times they keep popping up
so that real quick was my uh my example of what what it what does it look like to be on the uh on the range so now I have no idea how much time I have uh plenty of time because I just ripped right through that so me and my buddy were ready for your questions what do you guys do for a two-part question what do you do for traffic generations part one and uh part two is uh do you have any kind of like simulated users to simulate like kind of like phishing attacks and like somebody clicking the link we're uh we're implementing a software-based uh traffic generator right now called I think it's Ostinato
um but it's just there to make make white noise okay and and that's just because my experience with CDXs uh it's really easy to spot the red team because the only traffic moving around is either mine or somebody else's and so uh we want to do that what we have not figured out how to do um is is really the the connection oriented I send you you know you reply so we're still yeah um we will have one eventually uh right now we're we're gonna run our first red on blue uh exercise on the 24th of July out at Grand Valley State so we're we're very much building ourselves into this somebody had a question back in the back
yes
right yes so uh um if you just email cyber range all one word at merit.edu we can get you hooked up with that most uh not most many of the municipalities in the state of Michigan are actually Merit members and so we can help you out anybody else um
well there's there's a couple ways to run a cyber exercise uh the first like what we're going to do at the end of July is we've got a a county consortium uh that is going to be the defender and then my guys are going to be the attackers okay or if your group is big enough you could play both sides you know uh my experience has mostly been on the defense side so my team has been the defenders um it depends I guess a lot on what your objectives are I think that it's probably more useful for a state local education kind of marketplace to learn the defense we can we can talk over your fermented
beverage of choice at length over the the wisdom of hackback uh but I honestly I think that if if you're the exchange administrator or you're the firewall administrator for you know Houghton Lake Public Library uh you need to worry about defense uh you know don't
right yeah well that's it it's a valuable skill to have and as just about every uh speaker at this conference is going to tell you uh you know the the prevalence of of botnets the the prevalence of of owned computers if I hack back am I getting at the Russian Business Network or am I taking Mrs Gonzalez off the off the internet for extended period of time um you know and thereby making myself legally liable um so yeah defense is is definitely uh our strong focus because I think that's what our our market needs to to know
no uh in fact uh we'll we'll teach anybody will host anybody um although within the state of Michigan we talk a lot to the higher ed we we have branched out uh we Consumers and DTE are platinum platinum sponsors of the cyber range so we work closely with that industry uh but we're we're very willing and able to work with anybody like I said if you can connect to the network we can figure it out and uh right now we've had some interest from other states so uh some other states and we're going to work with them in their education network and you know build that bridge to them so that they can run this training as well
anybody else I guess I talked real fast
so you have people here from a very diverse audience being very diverse if someone in this audience wanted to attend the time kind of cost structure okay oh well actually we're not pricey how many of you guys have ever been to a SANS course okay we are half the price of SANS literally okay so I'll I'll take that one on right right by the horns you know Mama Adams one likes me to put food on the table no uh we're we're half the price of SANS and for member organizations it's even less than that uh so we are more affordable uh than than our competitors uh one of the things we also like to do is offer
our infrastructure uh at a very low margin uh so that student researchers Community College instructors College instructors depending on the school they go to you know you're pulling this stuff out of your own grants and your own money so we're trying to help that go farther um so
expensive because their employer isn't a member or well no I I don't we are to take our class you don't have to be a member I mean you can you can come from anywhere and take the class and the non-member price is half of what they're already paying to send you to someplace else if they're a member so you pick your four-year College pick your two-year college that you work for your municipality you know I don't know you work for the city of Detroit okay good come on that's a that's a 40 percent cut off of that discount off of that so um I think I think our pricing is is more than very competitive uh
and and I think that even even for folks because there there are a lot of folks I was surprised there are a lot of folks looking for a job that'll go out and lay down the money to get a certificate certificate uh to make themselves competitive for that next job um and and for the people that are looking for that kind of uh Edge uh I think we're we're affordable um you know you know I'd spend money on them some option what are you guys looking at for the rain so the the personal lab space is not yet available so please don't beat me up all right we're still working that out but what that does is
that gives you a small virtual data center uh I call it small because it's actually resource capped we start it you know at a modest level we do that so that you know you don't show up with your rainbow tables and start cracking passwords and chewing up you know lots of uh lots of resources but what that does is that gives you 90 days with your own personal space you can either build your own VMs and put them in there to replicate whatever you're trying to accomplish or you can take a look at some of the targets that we have and and we make those available as well so because we as we're building out
Alphaville you know every one of those you know information systems is a collection of VMs a collection of services and servers and applications so so that's what it's going to look like a rough order of magnitude of what you're thinking of charging no no so anybody else well I guess I'll cut you loose early then I'll be around for a while so uh please if you do have questions just come up and find me but thanks