
Source: proceedings.ndia.org/stem/ayers.pdf

November 13, 2008

NDIA STEM TeamDefend Competition

Presented to: STEM Workforce Meeting

Energy | Environment | National Security | Health | Critical Infrastructure

Agenda

• TeamDefend Background

• Goals

• Conduct of Science, Technology, Engineering, and Math (STEM) Competition

• STEM Competition Results

• Lessons Learned

• TeamDefend Next Steps

• Questions


© 2008 SAIC. All rights reserved. SAIC, the SAIC logo, and “From Science to Solutions” are trademarks or registered trademarks of Science Applications International Corporation in the United States and/or other t i


TeamDefend History

1997-2005: SAIC participates in Las Vegas Black Hat Convention, Capture the Flag (aka Defcon); winner of 2 contests out of 8 events entered

2003: SAIC initiates CyberPatriot program to encourage routine exercising by cyber engineers

2003: SAIC begins development of cybergaming system to address deficiencies noted at Defcon and to provide target platform for CyberPatriot exercising

2006: SAIC files U.S. Provisional Patent Application for both concept and scoring system

2006: SAIC maps TeamDefend to meet CNSS 4013 certification

Today: SAIC holds 40+ engagements around the world


Development of TeamDefend

Shortfalls of cyberdefense training:

• NO RESOURCES: Few realistic exercise (non-operational) environments in which to train with reconfigurable targets

• NO CURRICULUM: No formalized and repeatable mechanism to conduct routine exercises

• EXPENSIVE: Difficult to send staff off site for classroom training

• NO QUANTIFICATION: No automated evaluation capability to compare apples-to-apples performance (trend or vis-à-vis others)

• BOTTOM-LINE: No experience with real-world cyberthreat that answers the following
  – How do you recognize problems that you have never been trained to see?
  – How do you fix problems that you have never had to solve?
  – Once you have been trained, how do you maintain your skills?


TeamDefend Evaluation and Scoring

• Aids instruction
  – Gives instructors real-time view into exercise
  – Permits identification and focused training on weak areas during the exercise

• Measures team performance
  – Tracks multiple values over time
  – Quantitatively measures ability to keep the business operational
  – Permits performance trend analysis to measure progress
  – Shows ebb and flow of team focus during exercise
  – Allows evaluation against best practices

• Provides a reliable, repeatable scoring of teams
  – Evaluates performance across multiple factors
  – Documents complete history of exercise
  – Provides full documentation to put performance in context


Past TeamDefend Exercises

• Academia
  – Peter Kiewit Institute – University of Nebraska
  – Naval Postgraduate School, Monterey, CA
  – San Diego Supercomputer Center
  – University of California San Diego
  – San Diego High Schools

• Federal and State
  – Computer and Technology High Tech Response Team
  – FBI (Cyber Squad)

• DoD
  – SPAWAR Systems Center San Diego
  – Navy Criminal Investigative Service
  – United States European Command
  – Fleet Information Warfare Command
  – Joint Interoperability Test Center


Mobile Training System

• Sun Fire Blade Platform – Sparc and Intel x86 blades

• 3Com 24-port managed hub

• Cisco PIX 515 firewall

• Cisco router

• Integrated power filtration

• Roll-away 21U chassis – ships via standard freight services

• Configurable targets – based on customer configuration

• Two instructors


STEM Goals

• Innovate in the classroom and beyond the bell

• Expand math and science educational opportunities

• Reach all regions with equal training opportunities

• Address the achievement gap

• Make math and science FUN


San Diego High School Competition Schedule

Date          High School                               Coach
December 15   Canyon Crest Academy                      Mike Remington
December 22   Westview                                  Tammy Neuhaus
January 26    La Jolla                                  Greg Volger
February 9    Torrey Pines                              Richard Bryan
February 23   High Tech High                            Jeff Majors
March 17      Face Off: Canyon Crest vs. Torrey Pines

STEM TeamDefend Competition Format

• One school per day

• Team size assumed to be 6-8 students

• Windows operating systems (OS) and Intrusion detection system (IDS)

• Scenarios exactly the same for each high school

• Attacks will be launched according to a script that will be closely followed

• Target OS and network/security device types are provided ahead of competition (contained in student guide)

• Scoring points criteria
  1. Quantitative: maintain critical services and remove vulnerabilities
  2. Qualitative: submit timely and substantive trouble tickets


TeamDefend Competition Schedule

• 8 a.m. - 11:30 a.m. – White Team provides quick refresher of the cyberdefense basics, including intrusion detection system. The students would also be instructed in the use of the TeamDefend system.

• 11:30 a.m. - 12:30 p.m. – Pizza, questions, and team strategies

• 12:30 p.m. - 1:30 p.m. – Exercise begins; students take control of the “Blue” systems, remove pre-programmed vulnerabilities and report status via the Trouble Ticket system

• 1:30 p.m. - 3:30 p.m. – Red Team members begin both insider and external attacks

• 3:30 p.m. - 4:15 p.m. – Exercise ends; White and Red Teams debrief students’ performance and calculate a team score

• 4:15 p.m. - 4:30 p.m. – Career message (industry security professional talks about career in computer science/cybersecurity)


NDIA STEM Web Site


TeamDefend Objectives

Increase students’ ability to:

1. Identify vulnerabilities and lock down systems (network, server, or workstation) according to the organization’s security policy

2. Configure router policies according to the organization’s security policy

3. Configure and monitor host-based and network-based intrusion detection systems

4. Recognize hacker and computer misuse activity

5. Properly respond to hacker and computer misuse activity in accordance with the organization’s CONOPs

6. Conduct forensics and collect data for litigation


Example TeamDefend Training Infrastructure


[Network diagram: a Firewall Router (no ACLs) joins an External Switch VLAN, an Internal Switch VLAN and a DMZ VLAN; one IDS runs on a switch SPAN port, a second IDS runs via VMWare on a bridged network; VMWare images run on b12; the Blue Team sits on the internal side, the Red Team on the external side, with the Kicker and Scorebot alongside.]


High Schools: Blue Team Windows Hosts (subset)

Note: No UNIX operating systems • No network devices • No firewall

CNDX-W2K-DC (172.16.3.100)
• Operating System
  – Windows 2000 Server
• Purpose
  – Windows Domain Controller for the CNDX-DOM domain
• Critical Services
  – DNS (DOMAIN) TCP/53
  – DHCP UDP/67
  – NetBIOS TCP/139
  – SNMP UDP/161
  – Microsoft-DS TCP/445
  – MS-TERMSRV TCP/3389

CNDX-W2K-WWW (172.16.3.102)
• Operating System
  – Windows 2000 Server
• Purpose
  – Internal web services for the CNDX-DOM domain
• Critical Services
  – HTTP TCP/80
  – NetBIOS TCP/139
  – SNMP UDP/161
  – HTTPS TCP/443
  – Microsoft-DS TCP/445
  – MS-TERMSRV TCP/3389

CNDX-W2K-EXCH (172.16.3.101)
• Operating System
  – Windows 2000 Server
• Purpose
  – Exchange (Mail) Server for the CNDX domain
• Critical Services
  – SMTP TCP/25
  – NetBIOS TCP/139
  – SNMP UDP/161
  – Microsoft-DS TCP/445
  – MS-TERMSRV TCP/3389

CNDX-W2K-SQL (172.16.3.103)
• Operating System
  – Windows 2000 Server
• Purpose
  – MS-SQL Server for the CNDX-DOM domain
• Critical Services
  – NetBIOS TCP/139
  – SNMP UDP/161
  – Microsoft-DS TCP/445
  – MS-SQL TCP/1433
  – MS-TERMSRV TCP/3389
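The quantitative scoring criterion (keep critical services up, tracked round by round so the trend and "ebb and flow" can be seen) applied to this host inventory, as an added example that is not SAIC's Scorebot: the host/port table is copied from the slide, while the ScoreBot class, the probers and the round-based scoring are my own construction.

```python
"""Service-availability scorebot in the spirit of TeamDefend's quantitative
criterion (keep critical services up, tracked round by round). Added example,
not SAIC's own Scorebot; host inventory (name -> IP, services) copied from the slide."""
import socket

BLUE_HOSTS = {
    "CNDX-W2K-DC": ("172.16.3.100", [("tcp", 53), ("udp", 67), ("tcp", 139),
                                     ("udp", 161), ("tcp", 445), ("tcp", 3389)]),
    "CNDX-W2K-WWW": ("172.16.3.102", [("tcp", 80), ("tcp", 139), ("udp", 161),
                                      ("tcp", 443), ("tcp", 445), ("tcp", 3389)]),
    "CNDX-W2K-EXCH": ("172.16.3.101", [("tcp", 25), ("tcp", 139), ("udp", 161),
                                       ("tcp", 445), ("tcp", 3389)]),
    "CNDX-W2K-SQL": ("172.16.3.103", [("tcp", 139), ("udp", 161), ("tcp", 445),
                                      ("tcp", 1433), ("tcp", 3389)]),
}

def tcp_prober(ip, proto, port, timeout=2.0):
    """Live prober: a completed TCP handshake counts as 'up'. UDP services (DHCP, SNMP)
    offer no handshake, so they return None (unscored); a real scorebot would send a
    protocol-specific request such as an SNMP GET instead."""
    if proto != "tcp":
        return None
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

class ScoreBot:
    def __init__(self, hosts=BLUE_HOSTS, prober=tcp_prober):
        self.hosts, self.prober, self.history = hosts, prober, []

    def run_round(self, prober=None):
        """Probe each critical service once; return percent of probed services up."""
        probe, results = prober or self.prober, {}
        for name, (ip, services) in self.hosts.items():
            for proto, port in services:
                state = probe(ip, proto, port)
                if state is not None:            # None = not probed (UDP above)
                    results[(name, proto, port)] = state
        self.history.append(results)
        return 100.0 * sum(results.values()) / len(results) if results else 0.0

    def trend(self):
        """Per-round availability: the 'ebb and flow' view an instructor watches."""
        return [100.0 * sum(r.values()) / len(r) if r else 0.0 for r in self.history]

    def rounds_degraded(self):
        """Rounds in which each host had at least one critical service down."""
        return {h: sum(any(not up for (n, _, _), up in r.items() if n == h)
                       for r in self.history) for h in self.hosts}
```

Passing a scripted prober to `run_round` lets the scoring logic be exercised offline; the default `tcp_prober` is only meaningful against a live exercise network.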


End-of-Game Debrief


1st Runner Up – Westview High School

Jerry Shang, Victor Tsai, Andrew Niles, William Ho, Ryan Bird, Jason Carpenter, Benjamin Young, Coach Tammy Neuhaus


Winner – Canyon Crest Academy

Mansi Thakar, Spencer Thompson, Jeff LeBeau, Anand Mallick, Matt Parcher, Slava Maslennikov, John Hayes, Coach Mike Remington


Mayor Sanders Visits NDIA Competition


Lessons Learned

• The state of California needs to establish a high school curriculum requirement for computer science for entrance into University of California school system

• Teams that openly share discoveries of root causes and fixes were the most successful

• High school students are capable of serious information security learning

• Students applied knowledge learned after the exercise

• Students learn the effects, not the art of hacking

• Students LOVED IT


Next Steps

• SAIC investment of $500,000 in IR&D to evolve TeamDefend into
  – Offensive trainer
  – Modeling and simulation
  – Testing environment

• 2008 AFA Air Warfare Symposium High School Cyberdefense Competition

• Ongoing UCSD staff cyberdefense training

• Integration with DoD simulation and modeling systems such as OneSAF
