{"id":16300,"date":"2019-09-12T09:00:32","date_gmt":"2019-09-12T17:00:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/09\/12\/news-10042\/"},"modified":"2019-09-12T09:00:32","modified_gmt":"2019-09-12T17:00:32","slug":"news-10042","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/12\/news-10042\/","title":{"rendered":"Are students prepared for real-world cyber curveballs?"},"content":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Thu, 12 Sep 2019 16:00:55 +0000<\/strong><\/p>\n<p>With a projected \u201cskills gap\u201d <a href=\"https:\/\/www.weforum.org\/agenda\/2019\/01\/addressing-the-growing-cybersecurity-skills-gap\/\" target=\"_blank\" rel=\"noopener\">numbering in the millions<\/a> for open cyber headcount, educating a diverse workforce is critical to corporate and national cyber defense moving forward. However, are today\u2019s students getting the preparation they need to do the cybersecurity work of tomorrow?<\/p>\n<p>To help educators prepare meaningful curricula, the National Institute of Standards and Technology (NIST) has developed the National Initiative for Cybersecurity Education (NICE) <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-181.pdf\" target=\"_blank\" rel=\"noopener\">Cybersecurity Workforce Framework<\/a>. The U.S. Department of Energy (DOE) is also doing its part to help educate our future cybersecurity workforce through initiatives like the <a href=\"https:\/\/cyberforcecompetition.com\/about\/\" target=\"_blank\" rel=\"noopener\">CyberForce Competition<\/a>\u2122, designed to support hands-on cyber education for college students and professionals. 
The CyberForce Competition\u2122 emulates real-world critical infrastructure scenarios, including &#8220;cyber-physical infrastructure and lifelike anomalies and constraints.&#8221;<\/p>\n<p>As anyone who\u2019s worked in cybersecurity knows, a big part of operational reality is the unexpected curveball, ranging from an attacker\u2019s pivot while escalating privileges through a corporate domain to a request from the CEO for talking points ahead of a news interview about a recent breach. In many \u201ccapture the flag\u201d and cyber-range exercises, these unexpected anomalies are called \u201cinjects,\u201d the curveballs of the training world.<\/p>\n<p>For the CyberForce Competition\u2122, anomalies are mapped across the seven NICE Framework Workforce Categories illustrated below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89861 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/09\/CyberForce-Competition-insights-1.jpg\" alt=\"Image showing seven categories of cybersecurity: Operate and Maintain, Oversee and Govern, Collect and Operate, Securely Provision, Analyze, Protect and Defend, and Investigate.\" width=\"639\" height=\"562\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/09\/CyberForce-Competition-insights-1.jpg 639w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/09\/CyberForce-Competition-insights-1-300x264.jpg 300w\" sizes=\"auto, (max-width: 639px) 100vw, 639px\" \/><\/p>\n<p><em>NICE Framework Workforce categories, <\/em><a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-181.pdf\" target=\"_blank\" rel=\"noopener\"><em>NIST SP 800-181<\/em><\/a>.<\/p>\n<p>Students were assessed on how many anomalies they responded to, which types, and how effective their responses were.<\/p>\n<h3>Tasks where students excelled<\/h3>\n<ul>\n<li><strong>Threat tactic identification<\/strong>\u2014Students excelled at identifying threat tactics and the corresponding methodologies. One anomaly required them to parse and analyze a log file for indicators of insider threat, for example too many sign-ins at one time, sign-ins at odd hours, or sign-ins from non-standard locations.<\/li>\n<li><strong>Log file analysis and review<\/strong>\u2014One task required students to identify non-standard browsing behavior by agents behind a firewall. To accomplish it, students had to write code to parse and analyze the log files of a fictitious company\u2019s intranet web servers. Statistical evidence from the event indicates that students are comfortable writing code to parse log data and performing analysis on it.<\/li>\n<li><strong>Insider threat investigations<\/strong>\u2014Students gravitated towards the anomalies and tasks connected to insider threat identification, which map to the Securely Provision pillar. Using the log analysis techniques described above, students identified, at a high rate of success, individuals with higher-than-average sign-in failure rates and those with anomalous successful sign-ins, such as from many different devices or locations.<\/li>\n<li><strong>Network forensics<\/strong>\u2014The data indicated that overall the students had success with network forensics on full packet capture (PCAP) streams. 
They also had a firm grasp of related tasks, including file system forensic analysis and data carving.<\/li>\n<li><strong>Trivia<\/strong>\u2014Students were not only comfortable writing code and parsing data, but also showed solid knowledge of cybersecurity history and trivia. Success in this category ranked among the highest in the overall competition.<\/li>\n<\/ul>\n<h3>Pillar areas for improvement<\/h3>\n<ul>\n<li><strong>Collect and Operate<\/strong>\u2014This pillar \u201c<a href=\"https:\/\/niccs.us-cert.gov\/workforce-development\/cyber-security-workforce-framework\" target=\"_blank\" rel=\"noopener\">provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence<\/a>.\u201d Statistical analysis gathered during the competition indicated that students hesitated to take on the activities in this pillar, including some tasks of a kind they had completed successfully in other exercises. For example, some fairly simple tasks, such as counting the log entries and records on a given date, had a zero percent completion rate. Non-completion could reflect technical inability on the part of the students, but it could also have been caused by a poorly written anomaly or task, or even a sign-in problem with certain lab equipment.<\/li>\n<li><strong>Investigate<\/strong>\u2014Based on the data, the Investigate pillar posed challenges for the students. Students had a zero percent success rate on image analysis and an almost zero percent success rate on malware analysis. 
In addition, students had a zero percent success rate in this pillar on finding and identifying a bad file on the system.<\/li>\n<\/ul>\n<h3>Key takeaways<\/h3>\n<p>Frameworks like NIST NICE and competitions like the DOE CyberForce Competition\u2122 are helping to train the next generation of cybersecurity defenders. Analysis from the most recent CyberForce Competition\u2122 indicates that students are comfortable with tasks in the \u201cProtect and Defend\u201d pillar and are proficient in many critical tasks, including network forensics and log analysis. 
The data also points to areas for improvement, especially in the \u201cCollect and Operate\u201d and \u201cInvestigate\u201d pillars, and to a need for additional focus on forensic skills and policy knowledge.<\/p>\n<p>Bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us at <a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n<p><em>The CyberForce work was partially supported by the U.S. Department of Energy Office of Science under contract DE-AC02-06CH11357.<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/09\/12\/students-prepared-real-world-cyber-curveballs\/\">Are students prepared for real-world cyber curveballs?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Thu, 12 Sep 2019 16:00:55 +0000<\/strong><\/p>\n<p>Are today\u2019s students getting the preparation they need to do the cybersecurity work of tomorrow? Read the findings from the U.S. 
Department of Energy (DOE) CyberForce Competition\u2122.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/09\/12\/students-prepared-real-world-cyber-curveballs\/\">Are students prepared for real-world cyber curveballs?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[17187,21877,10428,18196],"class_list":["post-16300","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-security-intelligence","tag-security-strategies","tag-tips","tag-tips-talk"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16300"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16300\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16300"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}