Training Cyber-Defense and Securing Information Assets Using Student Blue Teams

Scott Pack, Brigham Young University
Dale C. Rowe, Ph.D., Brigham Young University

ABSTRACT
In this paper, we discuss the creation of a student Blue Team to assist campus organizations with security incident response. We also explore approaches for establishing a relationship with university information technology staff, informing Blue Team members of professional and ethical responsibilities, and aiding system administrators with incident response and system hardening. Finally, we discuss the benefits to students taking part in these activities, as well as their contributions to improving an organization's security posture.

Categories and Subject Descriptors
K.6.5 [Security and Protection]: Authentication, Insurance, Invasive Software, Physical Security, and Unauthorized Access.
K.6.1 [Project and People Management]: Staffing, Systems Analysis and Design, Training

Keywords
Security, Education, Training, Blue-Team, Forensics, Incident Response

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. SIGITE'13, October 10–12, 2013, Orlando, Florida, USA. Copyright 2013 ACM 978-1-4503-2239-3/13/10…$15.00. http://dx.doi.org/10.1145/2512276.2512290

1. INTRODUCTION
Students attempting to enter the information security industry are often faced with position requirements such as "three years of work experience in the security industry required." As a result, students search for part-time security work or other experience to increase their security work experience. This is not always easy to come by on a part-time basis, as relationships allowing students to work with confidentiality, trust and expertise often require significant time to foster. At the same time, university organizations are inundated with attacks on information assets on a daily basis. As is the case in most organizations, university information technology personnel are spread thin. Even in organizations with dedicated information security teams, the requirements of maintaining existing security infrastructure, performing analysis of previous incidents, and monitoring the network for new intrusions can be burdensome. In a recent interview with a security analyst, it was revealed that it is typical for a university to experience attacks requiring a configuration change on average over two hundred and fifty times per day. Although automated tools can in many cases be used to detect and prevent network attacks, human intervention is still required when an attack results in a breach of information, disruption of services, or site defacement.

In addition to providing a short-term fix to address the problem at hand, an analysis is frequently undertaken to determine the attack vector used and what measures should be taken to prevent future exploitation of similar vulnerabilities. As many systems may be outside the administrative domain of the university information technology group, the actual work of securing information assets often falls to departmental system administrators and developers; in many situations these individuals are full-time students who may not have the requisite knowledge or skills to prevent attack recurrence.

While many consider this barrage of attacks a hindrance to smooth university operation, we propose that it can be leveraged as a learning tool. Information Technology students build a foundation of knowledge through classes in web application development, databases, networking, and system administration, the pillars upon which information systems are based. By organizing a team of security-minded Information Technology students to act as an incident response arm of a campus IT Security Team, or student "Blue Team," some of the duties of campus security can be offloaded. This helps address the first issue discussed, the need to increase students' relevant security experience.

A typical engagement begins with gathering sufficient information on the environment (including logs, packet captures, drive images, etc.); the Blue Team then analyzes the data, prepares a list of recommendations, customizes an implementation guide, and assists with the deployment of recommended security measures. The Blue Team can also provide training to inform system administrators and developers of common security risks and how to address them. Suggestions and implementation assistance for creating backups, monitoring, and an incident response plan are also made, ensuring that departmental IT staff are prepared to defend against, detect, and react to future problems.

By providing security assistance in a variety of deployment scenarios, Blue Team members not only provide a valuable service to the university, but also gain the following benefits:
- Authentic exposure to the same attack methods encountered in industry
- Proficiency with incident assessment and response
- Exposure to prevention controls
- Experience with monitoring tools and methodologies
- Situations in which theoretical knowledge can be put in context

These benefits, as well as others, increase their proficiency and marketability in a world that has a growing need for defensive cyber security professionals [5].

2. BACKGROUND
Academically, most Information Assurance oriented programs first expose students to security through a theoretical approach, by studying its history and vocabulary. Many IT Security programs have adopted lab approaches in which students build upon this theoretical knowledge. In such an approach students are provided with a task or problem, and are expected to apply a methodology to find or build a solution. Many institutions have found that security labs have special requirements such as "root" system privileges [6]. In a security scenario the subject matter may include live malware and tools that could be hazardous to information infrastructure, and may trigger mechanisms that prevent other legitimate users from accessing network resources [3]. Since security research can be volatile, and malware and infected hosts may react in unexpected ways, much security research takes place in isolated labs [2] or virtual environments [7]. This protects the surrounding network infrastructure, but also cuts out many of the variables that affect security in a large organization, such as network broadcasts, connectivity to remote command and control (C2) infrastructure, and normal user traffic. Some events are organized to place students in a situation which simulates these variables [1], but are time-limited to the duration of the event.

3. BLUE TEAM CREATION
After the creation of a student Red Team in 2011 [4], several penetration tests were carried out and the results presented to the parties that had requested the security assessment. As client organizations reviewed the penetration test results and the list of vulnerabilities, many of which had been successfully exploited, they found that, while now aware of the problems, they were unsure how to go about fixing these holes. To assist organizations with response to both incidents caused by malicious attackers and vulnerabilities discovered by the Red Team, the Blue Team was created.

4. BLUE TEAM ORGANIZATION
Prior to establishment of the Blue Team, a relationship was fostered between faculty, several students and members of the campus IT security team. The campus security team nominated a senior analyst to act as a communication point between campus-wide IT services and the Blue Team. This individual is a regular attendee of Blue Team meetings where possible and also provides briefs on recent campus security events, incident response protocols, and forensics procedures.

The team is operated and organized under the direction of a member of the IT faculty who invites students to the team, provides mentorship and advisement, and handles communication with campus organizations (in particular, the IT security analyst) as needed.

A senior or experienced student is assigned to act as Blue Team Lead. Their responsibilities include soliciting work from various departments and IT security services, working closely with the security-team analyst, overseeing projects, and planning activity logistics. To recruit students to the Blue Team, announcements were made in IT course lectures as well as at meetings of the IT Student Association and the Cyber Security Student Association. In these announcements students were made aware of the goals of the Blue Team, including:
- Stay abreast of current threats in information security.
- Provide clients with detailed and actionable security direction.
- Perform forensic analysis of security incidents.
- Represent the technical expertise and professionalism of the Information Technology program.

Application forms were provided to those interested, on which they supplied names, academic year, and relevant security experience. From these applicants, several individuals were selected from a range of class years and levels of experience. The intent of selecting both upper and lower classmen was to create senior and junior members who would roll over in future years, creating a persistent Blue Team and allowing more seasoned Blue Team members to pass on contacts and experience. We have found a team of 6 students to be an appropriate number in balancing management and capabilities, and use a 2-2-2 breakdown of skill levels, meaning two more experienced students, two junior members and two apprentices. The Blue Team Lead is responsible for planning and conducting regular training meetings, ensuring that client engagements are making regular progress, and maintaining communication with clients, in addition to regular member responsibilities. Training meetings include reviews of pen-test results and application logs, discussing hardening techniques, exploring forensics, and sharing useful security tools.

Blue Team members are responsible for researching security topics relevant to ongoing Blue Team engagements, training other members on the use of tools with which they are familiar, and writing portions of the recommendations report and implementation guide given to clients. Consideration was given to splitting the Blue Team into smaller specialty groups that can be assigned to focus on a particular technology or client, as has been done elsewhere [3], but given that the Blue Team is an ongoing commitment, it proved difficult to recruit and manage the large number of individuals required for such an organizational hierarchy.

In order to sufficiently assist client organizations in the hardening process, Blue Team members are often exposed to sensitive information such as passwords, infrastructure details, student information, etc. To ensure that each Blue Team member is aware of the ethical and professional responsibilities of their position, new Blue Team members are given a document detailing what constitutes appropriate and inappropriate use and disclosure of information, and are required to sign a non-disclosure agreement (NDA). Upon reading and signing this document, as well as obtaining a signed faculty endorsement, individuals are admitted to the Blue Team.
5. FINDING BLUE TEAM ENGAGEMENTS
For the Blue Team to be of use, departments need to be made aware of and offered its services. Blue Team-client engagements currently can start in one of four ways.

5.1 Office of Information Technology Relay
The BYU Office of Information Technology (OIT) Security Team logs traffic that comes in and out of the network, which is monitored and analyzed by an Intrusion Detection System (IDS) as well as by manual inspection. Many exploits are recognizable to the IDS via attack signatures and statistical analysis. When the IDS detects that an exploit has been performed, a security analyst confirms whether or not the host has been compromised. A confirmed intrusion is communicated to the departmental system administrators, and where deemed appropriate, Blue Team services are offered. If accepted, the Blue Team is put into communication with the affected department.

5.2 Campus Network Community
BYU has several resources available to web developers and system administrators, such as web community meetings, a campus-wide ticketing system, and email distribution lists. By connecting with the rest of the university as a whole via these methods, the Blue Team is kept aware of what issues are being confronted by different organizations. A brief notice and Blue Team contact information are also given to newly hired employees via the Campus Web Developer meeting held each month.

5.3 Response to a Security Assessment
When the BYU Red Team is commissioned by an organization to perform a penetration test, Blue Team services are offered at the scope-defining stage. If accepted, the Blue Team is put within the scope of "Trusted Parties" of the engagement agreement. This allows Blue Team members to be present for the duration of the penetration test, as well as to review the assessment results.

Access to pen-test results allows the Blue Team to ensure that the most glaring problems are addressed quickly, fitting with the end goal of locating and removing potentially exploitable vulnerabilities. Our experience has shown coupling both teams in this manner to be an excellent and very effective method for increasing security across campus departments.

5.4 Public Cyber Intel Gathering
While the Blue Team does not have direct access to network and IDS logs, it does have access to publicly available information, such as pages crawled by search engines, a practice colloquially referred to as "Google hacking." In a January report by the National Post, a student was expelled for using a vulnerability scanner. Because vulnerability scanners cross the line from public information gathering into active fingerprinting, which can cause service disruption, the Blue Team is prohibited from using them (unless requested in writing in an engagement proposal). By filtering search results for signs of defacement within the University domain, the Blue Team can locate defaced web servers and contact the appropriate departmental system administrator. Thus the Blue Team can also be effective in detecting previously undetected breaches.

6. BLUE TEAM APPROACH
Once the Blue Team enters into an engagement, a topology and all information related to the vulnerable systems within scope is collected. This includes:
- Service logs
- Running services
- List of web applications
- Open ports
- Database schema
- Firewall configuration
- Packet captures where available
- File system trees and timestamps
- Other situation-specific material

An intrusion report and service requirements are collected by interview. This data is analyzed to determine the attack vector that was used and where the security principles of Least Privilege and Segregation of Duties are being implemented or neglected, and recommendations to remediate these issues are organized and proposed. If the department elects to implement these recommendations, the Blue Team acts as an advisory group, not implementing the changes themselves, but training system administrators and developers to do so. This takes the form of providing implementation guides, being present or available during the deployment period, and providing guidance as issues arise. The result is system administrators and developers who are more aware of how their work affects the security of their information systems. In addition to addressing the problem at hand, the Blue Team also discusses with system administrators whether it may be appropriate to set up additional hardening, redundancy, or monitoring solutions such as Tripwire, Fail2Ban, backup procedures, and RAID configurations to further increase the confidentiality, integrity, and availability of their computer systems and data.

7. BLUE TEAM RESOURCES
As the Blue Team is often asked to assist with system hardening on platforms with which they have little previous experience, a private cloud solution has been established within which Blue Team members may deploy operating systems, test software configurations, and gain familiarity with security tools. For example, if a server suffers an intrusion and logs reveal that the exploit targeted an unsanitized input in a web application, a Blue Team member can start an instance, write a small application in the same language, and learn how to sanitize inputs in that language. The Blue Team operates as an organizational arm of the BYU Cyber Security Research Lab. This provides facilities such as an isolated private cloud, lab workspace and a conference room for research and team meetings. If an investigation requires the copying of running configurations to this environment, written permission must be sought due to the multi-purpose nature of this lab equipment and lab space. This allows an approximation of a client's environment where issues can more easily be identified and solutions demonstrated.
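As an added illustration of the section 6 workflow (collecting file system trees and timestamps, then recommending a Tripwire-style integrity monitor), and not code from the paper or from the BYU Blue Team: a minimal baseline-and-compare tool in Python. The directory layout and the tampered files built in demo() are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def build_baseline(root):
    """Walk a tree and record each regular file's SHA-256 digest, size and
    modification time, i.e. the file system tree and timestamps collected at
    the start of an engagement. Symlinks are neither recorded nor followed,
    so a file swapped for a link shows up as a removed file."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline

def compare_baselines(old, new):
    """Report added, removed and modified paths. A file whose content changed
    while its mtime stayed identical is listed separately, because putting the
    old timestamp back is a common way of hiding a replaced binary. Keep the
    reference baseline off the monitored host; an on-host copy can be edited."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": [], "mtime_unchanged": []}
    for rel in sorted(set(old) & set(new)):
        if old[rel]["sha256"] != new[rel]["sha256"]:
            report["modified"].append(rel)
            if old[rel]["mtime_ns"] == new[rel]["mtime_ns"]:
                report["mtime_unchanged"].append(rel)
    return report

def demo():
    """Constructed scenario: baseline a small tree, replace a binary and put
    its old mtime back, make an ordinary config edit, delete and add a file."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        conf, svc, key = root / "etc/app.conf", root / "bin/service", root / "etc/old.key"
        conf.write_text("debug=false\n")
        svc.write_bytes(b"\x7fELF v1")
        key.write_text("stale\n")
        before = build_baseline(root)
        t0 = svc.stat().st_mtime_ns
        svc.write_bytes(b"\x7fELF v2")                 # content replaced ...
        os.utime(svc, ns=(t0, t0))                      # ... and the original timestamp restored
        conf.write_text("debug=true\n")
        os.utime(conf, ns=(t0 + 60 * 10**9,) * 2)       # legitimate edit, a minute later
        key.unlink()
        (root / "etc/new.conf").write_text("x=1\n")
        return compare_baselines(before, build_baseline(root))
    finally:
        shutil.rmtree(root)
```

The "mtime_unchanged" list is the one to read first: a changed digest with an untouched timestamp is not what a routine edit looks like.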
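The section 7 scenario (an intrusion through an unsanitized web-application input, reproduced in a scratch instance to learn the fix) as an added example in Python; it is not taken from the paper, and the users table and both lookup functions are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for a departmental web application's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "staff"), ("carol", "student")])
    return db

def lookup_vulnerable(db, name):
    """The defect class behind the intrusion: the request parameter is spliced
    into the SQL text, so the database parses attacker-controlled characters
    as part of the query instead of as a value."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()

# Allow-list for usernames: lowercase letters, digits, underscore; 1 to 32 chars.
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def lookup_hardened(db, name):
    """Hardened form: validate against the allow-list first, then pass the value
    as a bound parameter so it can only ever be compared as data."""
    if not NAME_RE.match(name):
        raise ValueError("invalid username")
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def hardened_rejects(db, name):
    """True if the hardened lookup refuses the input outright."""
    try:
        lookup_hardened(db, name)
    except ValueError:
        return True
    return False
```

The bound parameter is the actual fix; the allow-list is defence in depth that also keeps malformed input out of the logs the Blue Team later has to read.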
8. LEARNING EFFECTIVENESS
The studies cited above have explored the use of short-term simulated environments to teach information assurance, and have shown that providing students with an environment for hands-on experience is effective. Increasing the authenticity of the situation by having Blue Team members react to actual security events in an existing information infrastructure gives them experience in an atmosphere that more accurately represents a situation in industry. In such an environment Blue Team members encounter the following issues that are unlikely to be present in a lab environment:
- Dealing with personnel issues that can arise from security-sensitive matters (for example, a developer who becomes defensive upon becoming aware of programming errors).
- Lack of documentation increasing the difficulty of administration (a frequent occurrence in a campus environment where many tasks are performed by part-time student employees).
- The justification of security policy, planning and equipment as part of a risk management exercise, to help organizations get the funding required to provide adequate security.
- Pressure to maintain application availability.
- Working under strict confidentiality and non-disclosure style environments where trust is paramount.

Through this process Blue Team members are exposed to a number of security incidents, for which they research forensics, countermeasures, and general hardening techniques. Working with non-simulated systems suffering from authentic attacks places knowledge gained in classroom and lab environments in context, and further prepares students for security work in real-world environments.

Blue Team members gain experience in network defense and are in a position to observe both positive and negative examples of security practices. By working with production systems, Blue Teams are pushed to understand the feel of an organization under the pressure of an information attack. By establishing the Blue Team in continuous operation and interfacing with several departments, the Blue Team creates a reputation of technical ability and professional behavior which Blue Team members will be expected to uphold. These factors result in more authentic learning that will be valuable to Blue Team members in industry.

9. CONCLUSION
Information Technology students have the foundation of knowledge that makes them a potentially valuable resource for university security teams. By organizing security-minded IT students into a Blue Team, students not only provide a valuable service to the university, offloading work from the university security team, but they also train campus developers and system administrators in concepts and practices that result in more secure computer systems.

10. REFERENCES
[1] Conklin, A. 2006. Cyber defense competitions and information security education: An active learning solution for a capstone course. System Sciences, 2006. HICSS'06. Proceedings of …. 00, C (2006), 1–6.
[2] Hill, J.M.D., Carver, C.A., Humphries, J.W. and Pooch, U.W. 2001. Using an isolated network laboratory to teach advanced networks and security. ACM SIGCSE Bulletin. 33, 1 (Mar. 2001), 36–40.
[3] Jr, R.D. 2003. Organization and training of a cyber security team. Systems, Man and …. (2003).
[4] Kercher, K. and Rowe, D. 2012. Risks, Rewards and Raising Awareness: Training a Cyber Workforce Using Student Red Teams. SIGITE. (2012).
[5] Rowe, D. 2012. Cyber-Security, IAS and the Cyber Warrior. The Colloquium for Information Systems Security …. (2012).
[6] Vigna, G. 2003. Teaching Hands-On Network Security: Testbeds and Live Exercises. Journal of Information Warfare. 2, 3 (2003), 8–24.
[7] Wang, X., Hembroff, G.C., Yedica, R., Ave, N.M. and Bay, G. 2008. Using VMware VCenter Lab Manager in Undergraduate Education for System Administration and Network Security. CISSE (2008), 43–51.