NDIA STEM TeamDefend Competition
Presented to: STEM Workforce Meeting, November 13, 2008
Source: proceedings.ndia.org/stem/ayers.pdf
Energy | Environment | National Security | Health | Critical Infrastructure
Agenda
• TeamDefend Background
• Goals
• Conduct of Science, Technology, Engineering, and Math (STEM) Competition
• STEM Competition Results
• Lessons Learned
• TeamDefend Next Steps
• Questions
© 2008 SAIC. All rights reserved. SAIC, the SAIC logo, and “From Science to Solutions” are trademarks or registered trademarks of Science Applications International Corporation in the United States and/or other countries.
TeamDefend History
1997-2005  SAIC participates in the Las Vegas Black Hat convention and the Capture the Flag contest (aka Defcon); winner of 2 contests out of 8 events entered
2003  SAIC initiates the CyberPatriot program to encourage routine exercising by cyber engineers
2003  SAIC begins development of a cybergaming system to address deficiencies noted at Defcon and to provide a target platform for CyberPatriot exercising
2006  SAIC files a U.S. Provisional Patent Application for both the concept and the scoring system
2006  SAIC maps TeamDefend to meet CNSS 4013 certification
Today  SAIC holds 40+ engagements around the world
Development of TeamDefend
Shortfalls of cyberdefense training:
• NO RESOURCES: Few realistic exercise (non-operational) environments in which to train with reconfigurable targets
• NO CURRICULUM: No formalized and repeatable mechanism to conduct routine exercises
• EXPENSIVE: Difficult to send staff off site for classroom training
• NO QUANTIFICATION: No automated evaluation capability to compare apples-to-apples performance (trend or vis-à-vis others)
• BOTTOM LINE: No experience with real-world cyberthreats that answers the following
  – How do you recognize problems that you have never been trained to see?
  – How do you fix problems that you have never had to solve?
  – Once you have been trained, how do you maintain your skills?
TeamDefend Evaluation and Scoring
• Aids instruction
  – Gives instructors a real-time view into the exercise
  – Permits identification of, and focused training on, weak areas during the exercise
• Measures team performance
  – Tracks multiple values over time
  – Quantitatively measures the ability to keep the business operational
  – Permits performance trend analysis to measure progress
  – Shows the ebb and flow of team focus during the exercise
  – Allows evaluation against best practices
• Provides reliable, repeatable scoring of teams
  – Evaluates performance across multiple factors
  – Documents the complete history of the exercise
  – Provides full documentation to put performance in context
Past TeamDefend Exercises
• Academia
  – Peter Kiewit Institute – University of Nebraska
  – Naval Postgraduate School, Monterey, CA
  – San Diego Supercomputer Center
  – University of California San Diego
  – San Diego High Schools
• Federal and State
  – Computer and Technology High Tech Response Team
  – FBI (Cyber Squad)
• DoD
  – SPAWAR Systems Center San Diego
  – Naval Criminal Investigative Service
  – United States European Command
  – Fleet Information Warfare Command
  – Joint Interoperability Test Center
Mobile Training System
• Sun Fire Blade Platform
  – SPARC and Intel x86 blades
• 3Com 24-port managed hub
• Cisco PIX 515 firewall
• Cisco router
• Integrated power filtration
• Roll-away 21U chassis
  – Ships via standard freight services
• Configurable targets
  – Based on customer configuration
• Two instructors
STEM Goals
• Innovate in the classroom and beyond the bell
• Expand math and science educational opportunities
• Reach all regions with equal training opportunities
• Address the achievement gap
• Make math and science FUN
San Diego High School Competition Schedule
Date         High School                                 Coach
December 15  Canyon Crest Academy                        Mike Remington
December 22  Westview                                    Tammy Neuhaus
January 26   La Jolla                                    Greg Volger
February 9   Torrey Pines                                Richard Bryan
February 23  High Tech High                              Jeff Majors
March 17     Face Off: Canyon Crest vs. Torrey Pines
STEM TeamDefend Competition Format
• One school per day
• Team size assumed to be 6-8 students
• Windows operating systems (OS) and Intrusion detection system (IDS)
• Scenarios exactly the same for each high school
• Attacks will be launched according to a script that will be closely followed
• Target OS and network/security device types are provided ahead of competition (contained in student guide)
• Scoring points criteria
  1. Quantitative: maintain critical services and remove vulnerabilities
  2. Qualitative: submit timely and substantive trouble tickets
TeamDefend Competition Schedule
• 8 a.m. - 11:30 a.m. – White Team gives a quick refresher on cyberdefense basics, including the intrusion detection system, and instructs students in the use of the TeamDefend system
• 11:30 a.m. - 12:30 p.m. – Pizza, questions, and team strategies
• 12:30 p.m. - 1:30 p.m. – Exercise begins; students take control of the “Blue” systems, remove pre-programmed vulnerabilities and report status via the Trouble Ticket system
• 1:30 p.m. - 3:30 p.m. – Red Team members begin both insider and external attacks
• 3:30 p.m. - 4:15 p.m. – Exercise ends; White and Red Teams debrief students’ performance and calculate a team score
• 4:15 p.m. - 4:30 p.m. – Career message (an industry security professional talks about careers in computer science/cybersecurity)
NDIA STEM Web Site
TeamDefend Objectives
Increase students’ ability to:
1. Identify vulnerabilities and lock down systems (network, server, or workstation) according to the organization’s security policy
2. Configure router policies according to the organization’s security policy
3. Configure and monitor host-based and network-based intrusion detection systems
4. Recognize hacker and computer misuse activity
5. Properly respond to hacker and computer misuse activity in accordance with the organization’s CONOPs
6. Conduct forensics and collect data for litigation
Example TeamDefend Training Infrastructure
[Network diagram: Blue Team target hosts on an Internal Switch VLAN and a DMZ VLAN, monitored by an IDS on a switch SPAN port and a second IDS running under VMware on a bridged network; a Firewall Router (no ACLs) separates these from an External Switch VLAN hosting the Red Team, the Kicker and the Scorebot; target VMware images run on b12.]
High Schools: Blue Team Windows Hosts (subset)
No UNIX operating systems • No network devices • No firewall

CNDX-W2K-DC (172.16.3.100)
• Operating System
  – Windows 2000 Server
• Purpose
  – Windows Domain Controller for the CNDX-DOM domain
• Critical Services
  – DNS (DOMAIN) TCP/53
  – DHCP UDP/67
  – NetBIOS TCP/139
  – SNMP UDP/161
  – Microsoft-DS TCP/445
  – MS Terminal Services (RDP) TCP/3389
CNDX-W2K-WWW (172.16.3.102)
• Operating System
  – Windows 2000 Server
• Purpose
  – Internal web services for the CNDX-DOM domain
• Critical Services
  – HTTP TCP/80
  – NetBIOS TCP/139
  – SNMP UDP/161
  – HTTPS TCP/443
  – Microsoft-DS TCP/445
  – MS Terminal Services (RDP) TCP/3389

CNDX-W2K-EXCH (172.16.3.101)
• Operating System
  – Windows 2000 Server
• Purpose
  – Exchange (Mail) Server for the CNDX-DOM domain
• Critical Services
  – SMTP TCP/25
  – NetBIOS TCP/139
  – SNMP UDP/161
  – Microsoft-DS TCP/445
  – MS Terminal Services (RDP) TCP/3389

CNDX-W2K-SQL (172.16.3.103)
• Operating System
  – Windows 2000 Server
• Purpose
  – MS-SQL Server for the CNDX-DOM domain
• Critical Services
  – NetBIOS TCP/139
  – SNMP UDP/161
  – Microsoft-DS TCP/445
  – MS-SQL TCP/1433
  – MS Terminal Services (RDP) TCP/3389
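The critical-service list above is what a scorebot polls to apply the quantitative criteria from the competition-format slide (keep critical services up, remove vulnerabilities). The following is an added illustration, not SAIC’s TeamDefend Scorebot nor any code from this deck: a minimal Python scorer over the four Blue Team hosts. The host names, addresses and ports are the slide’s; the probe interface, the +1 per service and -2 per unremoved vulnerability weights, and the three-round outage timeline are assumptions made for the example.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str  # "tcp" or "udp"
    port: int


# Critical services per host, as listed on the Blue Team hosts slide.
# TCP/3389 is the port the slide labels "MS-TERMS RV" (Terminal Services / RDP).
BLUE_HOSTS: Dict[str, Tuple[str, Tuple[Service, ...]]] = {
    "CNDX-W2K-DC": ("172.16.3.100", (
        Service("DNS", "tcp", 53), Service("DHCP", "udp", 67),
        Service("NetBIOS", "tcp", 139), Service("SNMP", "udp", 161),
        Service("Microsoft-DS", "tcp", 445), Service("RDP", "tcp", 3389))),
    "CNDX-W2K-EXCH": ("172.16.3.101", (
        Service("SMTP", "tcp", 25), Service("NetBIOS", "tcp", 139),
        Service("SNMP", "udp", 161), Service("Microsoft-DS", "tcp", 445),
        Service("RDP", "tcp", 3389))),
    "CNDX-W2K-WWW": ("172.16.3.102", (
        Service("HTTP", "tcp", 80), Service("NetBIOS", "tcp", 139),
        Service("SNMP", "udp", 161), Service("HTTPS", "tcp", 443),
        Service("Microsoft-DS", "tcp", 445), Service("RDP", "tcp", 3389))),
    "CNDX-W2K-SQL": ("172.16.3.103", (
        Service("NetBIOS", "tcp", 139), Service("SNMP", "udp", 161),
        Service("Microsoft-DS", "tcp", 445), Service("MS-SQL", "tcp", 1433),
        Service("RDP", "tcp", 3389))),
}

# A probe answers "is this service up?" for (ip, proto, port).  Assumed interface.
Probe = Callable[[str, str, int], bool]


def tcp_connect_probe(ip: str, proto: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe for the exercise network: a completed TCP handshake counts
    as up.  UDP services (DNS, DHCP, SNMP) need a protocol-specific request to
    be judged, so this minimal probe reports them as down."""
    if proto != "tcp":
        return False
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def score_round(probe: Probe, vulns_remaining: int, vuln_penalty: int = 2
                ) -> Tuple[int, Dict[str, float]]:
    """One polling round of the quantitative criteria: +1 per critical service
    answering, minus vuln_penalty for each pre-programmed vulnerability the
    team has not yet removed (penalty weight is an assumption).  Also returns
    per-host availability in the range 0..1."""
    points = 0
    availability: Dict[str, float] = {}
    for host, (ip, services) in BLUE_HOSTS.items():
        up = sum(1 for s in services if probe(ip, s.proto, s.port))
        availability[host] = up / len(services)
        points += up
    return max(points - vuln_penalty * vulns_remaining, 0), availability


def run_exercise(rounds: Iterable[Tuple[Probe, int]]) -> Dict[str, object]:
    """Score a sequence of (probe, vulns_remaining) rounds.  The per-round
    history is what lets instructors watch the ebb and flow of team focus."""
    history: List[int] = []
    uptime: Dict[str, List[float]] = {h: [] for h in BLUE_HOSTS}
    for probe, vulns in rounds:
        pts, avail = score_round(probe, vulns)
        history.append(pts)
        for host, a in avail.items():
            uptime[host].append(a)
    return {
        "round_scores": history,
        "total": sum(history),
        "mean_uptime": {h: sum(v) / len(v) for h, v in uptime.items()},
    }


# --- Constructed offline timeline (an assumption, not data from the event) ---
def simulated_probe(down: Set[Tuple[str, int]]) -> Probe:
    """Everything answers except the (ip, port) pairs listed in `down`."""
    return lambda ip, proto, port: (ip, port) not in down


ALL_UP = simulated_probe(set())
# Red Team knocks over the web server's HTTP/HTTPS and the Exchange SMTP listener.
RED_HIT = simulated_probe({("172.16.3.102", 80), ("172.16.3.102", 443), ("172.16.3.101", 25)})

DEMO_ROUNDS = [
    (ALL_UP, 3),   # 12:30: all 22 services up, 3 pre-programmed vulns still present
    (RED_HIT, 2),  # 13:30: attacks begin; the team has fixed one vuln so far
    (ALL_UP, 0),   # 15:30: services restored, all vulns removed
]

if __name__ == "__main__":
    for key, value in run_exercise(DEMO_ROUNDS).items():
        print(key, value)
```

On the exercise network you would pass `tcp_connect_probe` (or a richer probe) instead of the simulated one. Two caveats a White Team should keep in mind: a bare TCP connect does not prove the service is doing its job (a Red Team that defaces the web page or swaps the SMTP banner leaves TCP/80 and TCP/25 answering), so production scorebots validate a response body or protocol exchange; and UDP services such as DNS, DHCP and SNMP must be probed with a real request, since UDP has no handshake to observe.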
End-of-Game Debrief
1st Runner Up – Westview High School
Jerry Shang, Victor Tsai, Andrew Niles, William Ho, Ryan Bird, Jason Carpenter, Benjamin Young, Coach Tammy Neuhaus
Winner – Canyon Crest Academy
Mansi Thakar, Spencer Thompson, Jeff LeBeau, Anand Mallick, Matt Parcher, Slava Maslennikov, John Hayes, Coach Mike Remington
Mayor Sanders Visits NDIA Competition
Lessons Learned
• The state of California needs to establish a high school curriculum requirement for computer science for entrance into University of California school system
• Teams that openly share discoveries of root causes and fixes were the most successful
• High school students are capable of serious information security learning
• Students applied knowledge learned after the exercise
• Students learn the effects, not the art of hacking
• Students LOVED IT
Next Steps
• SAIC investment of $500,000 in IR&D to evolve TeamDefend into
  – Offensive trainer
  – Modeling and simulation
  – Testing environment
• 2008 AFA Air Warfare Symposium High School Cyberdefense Competition
• Ongoing UCSD staff cyberdefense training
• Integration with DoD simulation and modeling systems such as OneSAF