Although we are facing a shortage of cybersecurity professionals, the shortage can be reduced by using technology to empower all security educators to efficiently and effectively educate the professionals of tomorrow. One powerful tool in some educators' toolboxes is Capture the Flag (CTF) competitions. Although participants in all the different types of CTF competitions learn and grow their security skills, Attack/Defense CTF competitions offer a more engaging and interactive environment where participants learn both offensive and defensive skills, and, as a result, they develop their skills even faster. However, the substantial time and skills required to host a CTF, especially an Attack/Defense CTF, are a huge barrier for anyone wanting to organize one. Therefore, we created an on-demand Attack/Defense tool via an easy-to-use website that makes the creation of an Attack/Defense CTF as simple as clicking a few buttons. In this paper, we describe the design and implementation of our system, along with lessons learned from using the system to host a 24-hour, 317-team Attack/Defense CTF.
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese... (AVEVA)
There are new threats to cybersecurity for HMI/SCADA applications every week, and it can be difficult to stay on top of current threats and concerns. InduSoft is here to help, with an analysis of recent cybersecurity threats and how to take steps to protect SCADA/HMI systems from the vulnerabilities they seek to exploit. We will also be discussing the security features available in InduSoft Web Studio and how to take advantage of them to create the most stable, secure HMI or SCADA application possible.
The Finest Penetration Testing Framework for Software-Defined Networks (Priyanka Aash)
Software-Defined Networking (SDN) is getting attention as next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN does not always bring advantages. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why they are important as a key feature compared to traditional networks.
- What the key components and workflow of DELTA are for attacking real SDN components.
- Which nine new attack cases have been discovered by DELTA, with a demonstration of them. For example, one of the new attacks violates the table condition, leading to a black hole in the switch's packet handling.
This document describes a proposed user-centric machine learning framework for a cyber security operations center. It discusses the typical data sources in a SOC like security logs and alerts from various systems. It explains how this data can be processed and used to create an effective machine learning system to evaluate user risks. This would help security analysts prioritize investigations and improve efficiency. The proposed framework integrates alert information, security logs, and analyst notes to generate features and labels for machine learning models. It aims to reduce manual analysis workload while enhancing security. The document also provides an example implementation using real industry data to demonstrate the full process from data collection and labeling to model training and evaluation.
Architecture centric support for security orchestration and automation (Chadni Islam)
The presentation was prepared for the University of Adelaide School of Computer Science Research Seminar Series. See the slides to learn:
- what is security orchestration?
- what are the key challenges in this domain?
- how software architecture can play a role in improving the design decision of security orchestration and automation platform?
1) The document discusses Accenture's DevOps capability group and their focus on DevOps transformations with clients. It describes how the group is embedded in wider client delivery and support within Accenture.
2) The group aims to scale DevOps adoption by starting small with continuous delivery pipelines and then expanding automation and sharing successes enterprise-wide.
3) The group provides services like training, consultancy, tools, and platforms to help clients replicate successes and improve DevOps capabilities over time.
The document discusses trustworthy systems and trusted AI. It provides background on the Singapore Cybersecurity Consortium and its vision of trustworthy systems. It then summarizes ongoing work, including capabilities for security testing, formal verification of systems, and research on defending against Spectre attacks and fuzz testing. It also discusses model training and robustness, fuzzing for deep neural networks, and research on self-healing systems through specification inference and genetic programming.
600-199 Exam Questions - Securing Cisco Networks with Threat Detection and An... (Susan Hannan)
This document provides information about Cisco's Securing Cisco Networks with Threat Detection and Analysis (SCYBER) 600-199 exam training course. The 5-day course uses lectures and hands-on labs to teach students how to monitor, analyze, and respond to security threats and prepares them for the Cyber Security Specialist Certification exam. The course covers topics such as packet analysis, log analysis, detecting and responding to security incidents. It utilizes software and a simulated lab topology to expose students to real-world cyber security threats.
This document provides an overview of the KTH Applied Information Security Lab at NUST in Islamabad, Pakistan. It discusses the lab's vision and focus on bridging research and solving cybersecurity problems. It outlines the lab's achievements, including organized workshops and seminars for students, and funded/non-funded research projects in domains like cloud security and digital forensics. It also profiles the lab's faculty and staff and describes some of their current and past funded projects, industrial collaborations, and events.
Splunk for Enterprise Security featuring UBA Breakout Session (Splunk)
This document provides an overview of a presentation given by Dave Herrald, a security architect at Splunk, on Splunk's Enterprise Security and User Behavior Analytics solutions. The presentation covered new features in Splunk Enterprise Security 4.1, including enhanced threat intelligence integration, risk-based searching and incident review, and integration with Splunk User Behavior Analytics. It also reviewed capabilities in Splunk User Behavior Analytics 2.2 like custom threat modeling, expanded attack coverage, and context enrichment.
Architecture-centric Support for Integrating Security Tool in a Security Orch... (Chadni Islam)
Presentation at the ECSA 2020 Conference
Security Operation Centers (SOC) leverage a number of tools to detect, thwart and deal with security attacks. One of the key challenges of a SOC is to quickly integrate security tools and operational activities. To address this challenge, an increasing number of organizations are using Security Orchestration, Automation and Response (SOAR) platforms, whose design needs suitable architectural support. This paper presents our work on architecture-centric support for designing a SOAR platform. Our approach consists of a conceptual map of a SOAR platform and the key dimensions of an architecture design space. We have demonstrated the use of the approach in designing and implementing a Proof of Concept (PoC) SOAR platform for (i) automated integration of security tools and (ii) automated interpretation of activities to execute incident response processes. We also report a preliminary evaluation of the proposed architectural support for improving a SOAR's design.
SF Bay Area Splunk User Group Meeting October 5, 2022 (Becky Burwell)
Andrew D'Auria, the Director of Sales Engineering at Anvilogic, gave a presentation on modernizing threat detection engineering. He discussed problems with the current detection engineering process, including that it is slow, results in noisy alerts, and lacks coordination across tools. D'Auria proposed using Anvilogic's platform to build detections based on MITRE ATT&CK techniques and scenarios, correlate events of interest without code, and measure detection program effectiveness to improve security operations. He provided examples of how Anvilogic helped a financial client improve detections and reduce alerts.
Accelerating incident response in organizations of any size (Cisco Canada)
The document discusses accelerating incident response in organizations of any size. It describes how a typical incident response workflow involves investigating incidents, recovering from incidents, improving defenses, and reducing the attack surface. The document then outlines Cisco's security architecture and technologies that can help accelerate each step of the incident response process by providing recorded network history, continuous analysis of that history for automated hunting, and integrated threat intelligence across email, web, firewalls, and endpoints to more quickly block, investigate and respond to incidents.
2014-12-16 defense news - shutdown the hackers (Shawn Wells)
The document discusses technologies for continuous monitoring and data standardization. It begins with an overview of a presentation on vulnerability management, configuration management, and the DoD Centralized Super Computing Facility story. It then covers various topics related to cybersecurity including reliance on technology over time, the ever-increasing capability and complexity of systems, cybercrime statistics, and the Security Content Automation Protocol (SCAP).
Multi-vocal Review of security orchestration (Chadni Islam)
The document summarizes a literature review on security orchestration. The review analyzed papers from various sources to understand different aspects of security orchestration such as definitions, challenges it addresses, proposed solutions, adoption practices, and architectural considerations. Key findings include that security orchestration aims to integrate disparate security tools, automate incident response workflows, and bridge the gap between detection and response. It addresses issues like lack of interoperability, skills shortage and inefficient manual processes. Taxonomies of proposed solutions and open challenges in technology, people and processes are also discussed.
8 January 2015 SOME Event - Cisco Next Generation Security (BGA Cyber Security)
This document discusses Cisco's next generation security strategy and solutions. It outlines Cisco's approach of integrating products to provide unified visibility, advanced threat protection, and consistent control across networks, endpoints, cloud, and mobile environments. It highlights key Cisco security technologies like FirePOWER, Advanced Malware Protection (AMP), and Identity Services Engine (ISE) and how they work together to provide defense, detection, and remediation against evolving threats.
InduSoft Speaks at Houston Infragard on February 17, 2015 (AVEVA)
One of InduSoft's Cybersecurity Engineers, Richard Clark, along with Professor Stephen Miller of Eastern New Mexico University – Ruidoso spoke at the February meeting of the Houston Infragard on the subject of "Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications". InduSoft and ENMU-Ruidoso have collaborated to produce a Security Guidance eBook and an eTextbook that will be used in the Cybersecurity Certificate curriculum at ENMU.
The document discusses different cybersecurity curricular frameworks and how they can be characterized using the CyBOK (Cybersecurity Body of Knowledge). It finds that while the frameworks each teach topics related to risk management and security operations, they differ in their specific emphases. By mapping topics from the frameworks to CyBOK knowledge areas, commonalities and differences are identified. There is no single best framework as they serve different purposes, but CyBOK provides a standardized way to understand and compare their scope and content.
This document summarizes a presentation on model-based design and analysis. It discusses how model-based development and automated analysis can be combined to significantly reduce costs and improve quality for safety-critical software. Specific techniques discussed include modeling system requirements, simulating models, translating models to formal specification languages for automated analysis using model checkers and theorem provers, and reusing models. Case studies are presented where this approach found 10 times more errors than traditional methods and reduced development costs and cycle times by half.
The document discusses Capture the Flag (CTF) competitions, which provide a safe environment for practicing hacking skills and learning about cybersecurity threats. CTF competitions involve challenges at different skill levels related to hacking, cryptography, forensics, and other IT security topics. Participants can learn about vulnerabilities and misconfigurations, practice real attacks, and improve their skills through the game-like format of CTF events. Examples of challenges described in the document include extracting a hidden image from DNS traffic and analyzing an audio file spectrogram to reveal hidden text.
Quality engineering in a world with AI and IoT (STePINForum)
The document discusses how quality engineering is changing in an AI and IoT world. It notes that the new world of IT involves things like IoT connected devices, online marketing, continuous supply tracking, and just-in-time production. It also discusses how software is becoming more distributed through microservices and continuous delivery allows for thousands of teams to deploy updates 50 million times per year. Other topics covered include chaos engineering to test systems reliability, using machine learning to help with code analysis and failure prediction, and focusing on fast detection and response to failures rather than trying to prevent them.
The document discusses managing cyber security across enterprises, specifically in oil and gas. It notes that 76% of organizations report an increase in sophistication of cyber attacks against infrastructure. The energy industry experiences 53% of cyber incidents, posing challenges as industrial control systems have a longer lifespan than enterprise systems and require more consideration of security during implementation. The presentation recommends a risk-based, defense-in-depth approach to security including network segmentation to help mitigate risks across an organization, though risks cannot be eliminated entirely given growing hacker knowledge and more sophisticated attacks.
To protect and ensure the availability of the network services in charge of controlling the critical infrastructure of organizations.
The SIMOC is a platform that allows the creation of segregated cyber environments, with a FOCUS on SECURITY.
AI on Spark for Malware Analysis and Anomalous Threat Detection (Databricks)
At Avast, we believe everyone has the right to be safe. We are dedicated to creating a world that provides safety and privacy for all, no matter where you are, who you are, or how you connect. With over 1.5 billion attacks stopped and 30 million new executable files monthly, big data pipelines are crucial for the security of our customers. At Avast we are leveraging Apache Spark machine learning libraries and TensorflowOnSpark for a variety of tasks ranging from marketing and advertisement, through network security, to malware detection. This talk will cover our main cybersecurity use cases of Spark. After describing our cluster environment, we will first demonstrate anomaly detection on time series of threats. Having thousands of types of attacks and malware, AI helps human analysts select and focus on the most urgent or dire threats. We will walk through our setup, from distributed training of deep neural networks with Tensorflow to deploying and monitoring a streaming anomaly detection application with the trained model. Next we will show how we use Spark for analysis and clustering of malicious files and for large-scale experimentation to automatically process and handle changes in malware. In the end, we will give a comparison to other tools we used for solving those problems.
Rise of the Machines: Can Artificial Intelligence Terminate Manual Testing? (TechWell)
The state of the art in automated software testing is far from being a replacement for human-guided testing. There is more to testing than setting up preconditions, applying inputs, verifying outputs, and logging the results. Testing requires significant planning, exploring, learning, modeling, inferencing, experimenting, and more. Therefore, before we can truly automate testing, we must bridge the gap between the testing capabilities of humans and machines. Tariq King says that breakthroughs in artificial intelligence (AI) and machine learning (ML) are challenging our thinking about the types of problems that machines can tackle. Can AI discoveries—a machine that masters a game like Go or autonomously drives an unmanned vehicle—help us find better solutions for automated oracles, test generation, system modeling, and defect discovery? Tariq believes they can and will share his vision of how. Drawing on his experiences working on, leading, and advising teams in the development of software that automatically tests software, Tariq walks us through recent advances in AI and ML. Join Tariq as he maps these advances to potential solutions for important software testing research problems.
Splunk for Enterprise Security Featuring User Behavior Analytics (Splunk)
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
To protect and ensure the availability of network services in charge to control critical infrastructure of organizations
The SIMOC is a platform that allows the creation of segregated cyber environments, with FOCUS on SECURITY.
AI on Spark for Malware Analysis and Anomalous Threat DetectionDatabricks
At Avast, we believe everyone has the right to be safe. We are dedicated to creating a world that provides safety and privacy for all, not matter where you are, who you are, or how you connect. With over 1.5 billion attacks stopped and 30 million new executable files monthly, big data pipelines are crucial for the security of our customers. At Avast we are leveraging Apache Spark machine learning libraries and TensorflowOnSpark for a variety of tasks ranging from marketing and advertisement, through network security to malware detection. This talk will cover our main cybersecurity usecases of Spark. After describing our cluster environment we will first demonstrate anomaly detection on time series of threats. Having thousands of types of attacks and malware, AI helps human analysts select and focus on most urgent or dire threats. We will walk through our setup for distributed training of deep neural networks with Tensorflow to deploying and monitoring of a streaming anomaly detection application with trained model. Next we will show how we use Spark for analysis and clustering of malicious files and large scale experimentation to automatically process and handle changes in malware. In the end, we will give comparison to other tools we used for solving those problems.
Rise of the Machines: Can Artificial Intelligence Terminate Manual Testing?TechWell
The state of the art in automated software testing is far from being a replacement for human-guided testing. There is more to testing than setting up preconditions, applying inputs, verifying outputs, and logging the results. Testing requires significant planning, exploring, learning, modeling, inferencing, experimenting, and more. Therefore, before we can truly automate testing, we must bridge the gap between the testing capabilities of humans and machines. Tariq King says that breakthroughs in artificial intelligence (AI) and machine learning (ML) are challenging our thinking about the types of problems that machines can tackle. Can AI discoveries—a machine that masters a game like Go or autonomously drives an unmanned vehicle—help us find better solutions for automated oracles, test generation, system modeling, and defect discovery? Tariq believes they can and will share his vision of how. Drawing on his experiences working on, leading, and advising teams in the development of software that automatically tests software, Tariq walks us through recent advances in AI and ML. Join Tariq as he maps these advances to potential solutions for important software testing research problems.
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
Similar to Shell We Play A Game? CTF-as-a-Service for Security Education (20)
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Shell We Play A Game? CTF-as-a-Service for Security Education
1. ARIZONA STATE UNIVERSITY
The Laboratory of Security Engineering for Future Computing (SEFCOM) ● URL : sefcom.asu.edu ● BYENG 486 ASU
Shell We Play A Game?
CTF-as-a-service for Security Education
Erik Trickel, Francesco Disperati, Eric Gustafson, Faezeh Kalantari, Mike Mabey,
Naveen Tiwari, Yeganeh Safaei, Adam Doupé, and Giovanni Vigna
The Laboratory of Security Engineering for Future Computing Slide 5
Current Cybersecurity Workforce
Cybersecurity Workforce Needed by 2019: 1.5 Million
Slide 8
Cost of Cybercrime
[Chart: Global Cost of Cybercrime over Years]
Slide 12
Security Professionals
Open Security Positions: 1.5 Million by 2019
Slide 24
Theory, Practice, Execution
Slide 25
Benefits of Capture the Flag Competitions
Hands-on experience
Active learning
Small groups
Creates strong intrinsic motivation
– Practice and research
– Post-competition analysis
Slides 30 to 33
[Diagram: Team 1 and Team 2 each run Service A, Service B and Service C; the Gamebot updates the scoring]
Scoring, slide 30: Team1: 10, Team2: 25 → Team1: 10, Team2: 30 (Service B)
Scoring, slide 31: Team1: 10, Team2: 30 → Team1: 10, Team2: 35
Scoring, slide 32: Team1: 10, Team2: 35
Scoring, slide 33: Team1: 10, Team2: 30 → Team1: 00, Team2: 30 → Team1: 10, Team2: 35
Slide 34
Create Your Own CTF
Accessibility
– Adjust difficulty
– Tailor to content of class
– Control access
– Less intimidating
Practice
– Build/Test tools for competition
Slide 35
Creating an Attack Defense CTF
Base Skills
Server Configuration and Setup
Create Vulnerable Services
Scoring & Tracking Application
Secure Everything
Slide 36
Creating an Attack Defense CTF
2014 UCSB Released iCTF Framework
2015 UCSB Created Pre-configured VMs
Slide 38
https://ShellWePlayAGame.org
Slide 40
Theory, Practice, Execution
Slide 42
[Diagram: a Games Controller provisions On-Demand CTF 1, On-Demand CTF 2 and On-Demand CTF 3 on AWS, each in a different AWS account: James Halliday's AWS Acct, Vigna's AWS Acct, Your-name-here AWS Acct]
Slide 59
iCTF
Slide 60
March 2017 iCTF
• 24 Hours
• 317 Teams
• 12 Services
Slide 61
Incident Report
18 Hours with few issues
– Infrastructure handled load
– Team VMs responsive
– Service checking ran smoothly
Switchover
– 650 VMs running concurrently
4 AM
– DDoS
• Ouch
Slide 62
Cost
Only pay for AWS costs
– 6 Hour Game with 20 teams costs < $25
ShellWePlayAGame.org is free
Slide 63
TODO:
Increase robustness of VM tests and automated restart
Custom services
Expand to more cloud platforms
Open source the framework
Slide 64
https://ShellWePlayAGame.org
Slide 65
Shell We Play A Game?
CTF-as-a-service for Security Education
https://ShellWePlayAGame.org
Erik Trickel
Arizona State University
Erik.Trickel@asu.edu
@ErikTrickel
https://www.trickel.com
Slide 66
Game Overview
[Diagram: Game Components Subnet containing Game Master, Database, Score Board, Game Bot, Team Interface and Scriptbot, connected through the Router to the War Range Subnet containing Team 1 and Team 2]
Slide 67
[Diagram: Team 1, Team 2 and Team 3 each sit behind an External F/W on the Team's Network, with the Scriptbot and the Router; port labels on the diagram: SSH Port 1338, SSH Port 22, Port 20000 (team-to-team traffic via the Router); Origin: Team 3]
Editor's Notes
Thank you for the intro Mark,
Good morning everyone, very happy to be here and excited for the workshop
I’m Erik Trickel, I’m a PhD Student at Arizona State University,
I’m here to talk about a very exciting CTF-as-a-service that we here at ASU created with my adviser Adam Doupe and Giovanni Vigna’s group at UCSB.
Our tool makes it easy for anyone to run their own attack/defense CTF
Set this up a bit, in the Internet stone age:
RAM was quite a bit larger
Network communication was quite a bit slower
Not only was UCSB one of the first nodes, but they were also the first to connect up Xbox 360
Ok, not an Xbox, but is the predecessor
Originally, designers and developers were more focused on creating connections and developing basic applications
Security researchers, were the pioneers of the electron and the switch, exploring systems and trying to understand and boldly go where no electron has gone before.
The internet has become highly commercialized with trillions of dollars flowing over it daily and billions of nodes
Making it a much more attractive target for criminal activities
The global cost of cyber crime was nearly 500 billion last year
Estimated to reach 2 trillion by 2019
The beautiful world of the electron and switch has transcended into a battlefield where organized crime and nation states all battle.
Constant threat
In 2019, 1.5m gap between the number of open cybersecurity positions and qualified cybersecurity professionals
It’s not that we need just more, we need more that are highly skilled
Just like if you want to be good at football, or anything, you must have both
The highly skilled security professionals must go deeper than just lectures
Theory often comes from lectures
Practice from HW
But, how to get the hands on experience?
Fun and safe environment for participants to compete and practice their skills and deepen their understanding
Teams work to solve computer security puzzles, allowing them to uncover a hidden flag
Once the problem is solved, the flag that remains is evidence that you solved it.
The problems range from crypto, binary exploitation, network detection, and programming puzzles
We call them CTFs, but they are really security exercises testing and developing those skills necessary to become a security samurai
CTFs incorporate creative thinking, problem solving, OS, network, development, and security theory
Hands on experience with realistic scenarios
After these competitions, there’s often many blog posts about the problems
improving the blogger’s learning while also contributing to the community
Talk about different areas and points
Find vulns
Craft exploits
Central Server
No direct interaction
No defending
Each team gets their own server to defend and launch attacks from
Every so often, new flags get sent out to each of the teams
Each team looks at their own services (instead of pulling from a central server), craft an exploit, run against opponent’s machines
Similar services on each VM
Not only do you have to steal flags like in jeopardy but you have to automate exploitation and patch your own services
Disable, even though most secure, not the point
SIMILAR & DIFFERENT
Similar to the jeopardy style with additional moving parts
Not perfect, because somewhat limited in types of problems
There’s a CTF every weekend, WHY?
I’m sure some of you out there have thought about creating a CTF but haven’t
Even if you have the skills
Completely open sourced our framework for hosting ctfs (no body used it)
Released a pre-configured setup and maybe 200 downloads over roughly a year
WHY? This stuff is complicated!
Even Adam,
Hopefully, it’s ok to use you as an example,
had issues while creating an 18 team game for a class, and he helped design and develop the platform
That doesn’t even include the time it took to create the vulnerable services
ASU and UCSB partnered to create
As simple as pressing a button
One great way to give students hands on experience with security theories is to have them participate in capture the flag competitions
Exercise those skills in a realistic scenario
When a game is created on SWPAG, the VMs are hosted on AWS
While it currently requires AWS, we plan to extend it to other platforms in the future.
To help the community and the security professionals of tomorrow, we created an easy-to-use A/D CTF that requires limited knowledge and skills
Add your own teams or incorporate teams added by others
We will expand the number of vulnerable services in the future
After each VM is spun up, it’s tested
What happens if a component fails
E.g., what if a team breaks their box and cannot fix it?
Does it work?
First time that open to all teams
First time 24 hours
First time been a DEFCON qualifying event
Due to a technical glitch with one of the components, we needed a fresh restart of all the servers, so for a period of time we had 2 games running concurrently on AWS
Ruined, super successful, use of this tool
A/D CTFs are a fun way for participants to improve their security skills, and now it's easy and inexpensive to set up yourself!
I’m ET
Game Master – oversees game creation and communication with GC
Database – central component of game’s operation
Gamebot – moves the game forward and calculates the score
Team Interface – Teams interact with the system
Scoreboard – View scores
Router – Traffic b/t teams and game components
Teams -
Scriptbot – tests services on team VMs and updates flags
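To make the attack/defense loop sketched in the notes concrete (the scriptbot sets new flags and checks services, teams submit stolen flags, the gamebot moves the game forward and calculates the score), here is an added Python example. It is not code from the SWPAG or iCTF framework; the point values, the flag format, and the rule that a service which is down gets no flag that tick (nothing to steal, but its availability points are forfeited, which is what "disabling is not the point" comes down to) are all assumptions made for this illustration.

```python
"""Added example (not SWPAG/iCTF code): one tick of an attack/defense CTF.
Assumed rules: a service that passes its check earns SLA points; a captured
opponent flag earns attack points and costs the victim defense points."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SLA_POINTS = 5        # assumed: per service that passes the scriptbot check in a tick
ATTACK_POINTS = 10    # assumed: per valid opponent flag captured
DEFENSE_PENALTY = 5   # assumed: per own flag captured by an opponent


@dataclass(frozen=True)
class Flag:
    tick: int
    owner: str
    service: str
    value: str


class Game:
    """Holds what the Database would hold: flags, availability, captures, scores."""

    def __init__(self, teams, services, secret=None):
        self.teams = list(teams)
        self.services = list(services)
        self.secret = secret or secrets.token_bytes(32)   # scriptbot's flag key
        self.tick = 0
        self.flags = {}          # flag value -> Flag, every flag issued so far
        self.issued = {}         # (tick, team, service) -> flag value, if service was up
        self.availability = {}   # (tick, team, service) -> bool
        self.captures = set()    # (attacker, flag value)
        self.scores = {team: 0 for team in self.teams}

    def _make_flag(self, tick, team, service):
        # Keyed HMAC over (tick, team, service): unguessable without the secret,
        # and the scriptbot can regenerate it without a database round trip.
        msg = f"{tick}:{team}:{service}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        return f"FLG{digest}"

    def scriptbot_tick(self, service_status):
        """Advance one tick: record each service check and set a fresh flag on
        every service that is up. `service_status` maps (team, service) -> bool
        and stands in for the scriptbot's real checks (constructed input)."""
        self.tick += 1
        for team in self.teams:
            for service in self.services:
                up = bool(service_status.get((team, service), False))
                self.availability[(self.tick, team, service)] = up
                if up:
                    value = self._make_flag(self.tick, team, service)
                    self.flags[value] = Flag(self.tick, team, service, value)
                    self.issued[(self.tick, team, service)] = value
        return self.tick

    def current_flag(self, team, service):
        """Flag set on (team, service) this tick, or None if the service was down."""
        return self.issued.get((self.tick, team, service))

    def submit_flag(self, attacker, value):
        """Team Interface logic: validate a submitted flag and record the capture."""
        flag = self.flags.get(value)
        if flag is None:
            return "invalid"
        if flag.owner == attacker:
            return "own flag"
        if flag.tick != self.tick:
            return "expired"          # flags are only worth points in their own tick
        if (attacker, value) in self.captures:
            return "duplicate"
        self.captures.add((attacker, value))
        return "accepted"

    def gamebot_tick(self):
        """Score the current tick (call once per tick, after submissions close)."""
        for team in self.teams:
            for service in self.services:
                if self.availability[(self.tick, team, service)]:
                    self.scores[team] += SLA_POINTS
        for attacker, value in self.captures:
            flag = self.flags[value]
            if flag.tick != self.tick:
                continue              # earlier ticks were scored when they closed
            self.scores[attacker] += ATTACK_POINTS
            self.scores[flag.owner] -= DEFENSE_PENALTY
        return dict(self.scores)


def demo_round():
    """Constructed two-team round in which team2 has disabled Service B."""
    game = Game(["team1", "team2"], ["A", "B", "C"])
    status = {(t, s): True for t in game.teams for s in game.services}
    status[("team2", "B")] = False
    game.scriptbot_tick(status)
    results = [
        game.submit_flag("team1", game.current_flag("team2", "A")),   # accepted
        game.submit_flag("team1", game.current_flag("team1", "A")),   # own flag
        game.submit_flag("team1", game.current_flag("team2", "A")),   # duplicate
        game.submit_flag("team2", "FLGnotarealflag"),                 # invalid
        game.submit_flag("team2", game.current_flag("team1", "B")),   # accepted
    ]
    return results, game.gamebot_tick()
```

In `demo_round()` team1 keeps all three services up and captures one flag, while team2 has Service B down: under the assumed values team1 ends the tick at 20 and team2 at 15, and team2's disabled service simply produced no flag to steal. Flags from an earlier tick are rejected as expired, which is what forces teams to automate their exploits rather than replay a single capture.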