Understanding the Dark Web

Reading Time: 3 minutes

If you are familiar with recent news reports about security incidents and threats, you’ve probably heard of the ‘dark web’ or the ‘darknet.’ In fact, you don’t even need to pay attention to the news. TV shows, movies and even social networking sites will introduce the terms to you. The problem is, there often isn’t any explanation about what those terms mean. Likely, the people using them have no idea what they mean. Understanding what they mean can help you better protect yourself, as well as having an idea of what is going on in these news reports. To get there, though, we’re going to take a quick journey through history. 

A Brief History of the Internet 

In the beginning was the Advanced Research Projects Agency (ARPA), along with its companion organization Defense Advanced Research Projects Agency (DARPA). These organizations were federal agencies that used money from the federal budget (tax dollars) to distribute to companies to conduct research and advance our capabilities as a country, as well as a military power. In the 60s, several people and organizations discussed the idea of connecting computers together so they could communicate, including communicating over long distances. Keep in mind that at that time, “computers” were very large devices that cost millions of dollars. The idea was to make better use of those devices by letting researchers anywhere access resources where research was being done.   

In the late 1960s, two computers were connected together to create the start of the ARPANET. The ARPAnet was where TCP/IP was eventually developed. In the 1970s and then the 1980s, several other networks were developed by other organizations — CSNET, BITNET, THEORYNET, JANET and many others around the world. Eventually, the U.S. created the NSFnet, sponsored by the National Science Foundation. The NSFnet became a backbone network with very fast connections. As a side note, this is where the misquote of Al Gore originates. He didn’t say he invented the Internet. He said he took the initiative while in Congress to create the Internet. He’s correct, in that he was a driving force behind legislation creating the NSFnet, which became the Internet over time, as all other research networks were folded into the NSFnet. Additionally, Gore was involved in legislation allowing businesses to connect to the NSFnet, truly creating what we know today as the Internet. 

The Connected Internet 

The Internet isn’t a single network. It’s a large collection of networks, all interconnected. Every business and organization connect their own network to a service provider. The service provider connects to other service providers, sharing information about how to deliver information to businesses and organizations, where all the users live. The Web is an overlay on top of the Internet and refers to a specific service — servers that communicate using the Hypertext Transfer Protocol (HTTP).  

Search engines like Google, Bing and others, make navigating the Internet possible. Not everything is searchable, though. If Google doesn’t know anything about the site, Google’s robots that are used to index sites can’t look through the site and deliver it in search results.  

The Dark Web 

Any site that has no connections to other sites and no other sites have connections to it is completely isolated from the search engines. The collection of sites like this, which may be web sites but may also be systems that use other protocols to serve up content to users, is a subset of the overall Internet and is sometimes referred to as an overlay. This overlay is sometimes called the “darknet” or the “dark web,” because the systems and services are not searchable by traditional search engines and you’d have to know they are there to make use of them.  

More commonly, though, is another network overlay that was developed by the U.S. Navy. U.S. Naval Research Laboratory employees developed the concept of “onion routing” in the 1990s. Today, you may know this better as The Onion Router (TOR). TOR is a way of routing to sites through peer-to-peer connections, meaning system-to-system rather than site-or-network to site-or-network. When you hear about data being on the dark web or darknet, they are likely referring to TOR sites. They may, though, also be referring to other sites that are also connected to the Internet but can’t be found unless someone specifically knows about the site. 

The Implications for Cybersecurity 

It’s important to understand what the Dark Web is because it is intimately tied to the work conducted in cybersecurity. As hackers continue to evolve in their tactics and breach practices, stealing records including medical records and people’s personal data, that information is treated as currency, sold on the Dark Web. Beyond a profit motive, according to The Independent (a U.K. newspaper), “cyber criminals could exploit the healthcare records for other purposes like redirecting medication to different addresses, or request doctor appointments on other people’s health plans.”  

Healthcare is just an example of how the Dark Web informs cybersecurity efforts but as we continue to understand the intricacies of the Dark Web, its activity, and see the damaging repercussions of its mere existence, we need to take our cybersecurity efforts that much more seriously. The possibilities of exploitation are endless when hackers are motivated by financial gain, insinuating social chaos, and/or manipulating data for power and status.   

Game On: The Benefits of Active, Gamified Learning in Cyber Training

Reading Time: 3 minutes

What is gamified learning? Before we dive into that question, let’s discuss some of the ways we currently learn about cyber today. Traditional cyber training has been conducted in the same way for years, comprised of static, classroom-style settings complete with a teacher lecturing and passive listeners. This model causes people to forget 

  • 40% of what they’ve learned after 20 minutes 
  • Between 50-80% of what they’ve learned after one day   
  • 77% of what they’ve learned after six days
  • 90% of what they’ve learned after one month  

In addition to forgetting material learned, there’s minimal opportunity for the student to proactively solve problems, think critically, and analyze material. Instead, they superficially understand concepts without truly learning their application to real-world situations. This leaves the trainees disengaged, disempowered, bored, and unmotivated.  

We believe there’s a better way to deliver information security training—a way that engages teams in healthy competition and in critical thinking and problem-solving activity. Through active learning, studies show learners are more engaged, empowered, excited, and possess deep, conceptual understandings of topics learned. Active learning involves collaborating with teams and applying concepts to real-world exercises and scenarios, which improves retention rates to 75%, compared to 5% through traditional learning methods. 

So why is active learning so important for cybersecurity professionals?

Because the undeniable jobs shortage affecting the industry is prompting CISOs to take a closer look at ways in which they can close the skills gap. The first step involves leveling up existing cyber teams by equipping them with the tools and skills they need to do their jobs better. Without proper cyber training and skills development, professionals can’t keep pace with evolving cyber threats, causing teams, organizations, and companies to succumb to hacker attacks.  

How significant is this issue? According to a recent ESG/ISSA study, 70% of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage, with ramifications such as an increasing staff workload, hiring and training junior personnel rather than experienced professionals, and situations where teams spend most of their time dealing with the emergency du jour, leaving little time for training, planning, strategy, etc.  

So what can we do about this?  

Consider gamified cyber training 

Not only is hands-on, active learning important but we believe that gamification is the natural, logical step in training the next gen learner (born after 1980), who has never known a world without video games. Gamification is often defined as the process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. When we think about the benefits of gamification of cyber security training, it is a learning style best suited for today’s learner who grew up playing video games and being motivated by elements like leaderboards, competition, collaboration, and social proof/progression. 

Even academic institutions across cyber schools are exploring cyber security games for students to complement their classroom learning. Some institutions like CU Boulder have even crafted an entire class around gamified cyber training using Project Ares in their syllabus.

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. Further, it enables learners to apply what they know to simulated environments or “worlds,” creating a natural flow that keeps learners engaged and focused. Organizations that offer gamified exercises to teams report that 96% of workers see benefits including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times, and enhanced self-efficacy.   

In gamified environments, trainees are typically:  

  • rewarded for good behavior 
  • incentivized to maintain good behavior 
  • encouraged to dialogue about their lessons learned with peers 
  • reminded of what they don’t yet know and held accountable 
  • engaged in their progress thanks to leaderboards 
  • prepared to participate in simulated threat situations that further prepare them when real-world situations occur 

 

Active, gamified cyber training is only effective if employees apply their skills learned and acquired to real-world scenarios. For this reason, cybersecurity leaders are encouraged to measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of the organization.  

“Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organisations do not increase complexity in the already high-stakes game against cyber crime,” Grant Bourzikas, chief information security officer at McAfee. (ComputerWeekly) 

Great, there are clear benefits. Now what?

Now it’s time to reflect on how your organization can benefit from gamification in cybersecurity training. First, look at what training (if any) is currently occurring. Then, speak with teams about where they’d like to improve and draw clear parallels between the investment in training and desired business outcomes. And of course, when you’re ready to learn more, contact us to see how gamified training actually works through our Project Ares® platform.

Game of Titans Cyber Challenge Attracts Top Professionals, Raises Awareness of Gamified Training and Assessment Solutions

Reading Time: 1 minute

We hosted our first-ever “Game of Titans” Cybersecurity Challenge in Las Vegas recently, gathering security professionals together to compete on our Project Ares® cybersecurity platform for a chance to win several prizes.

The event did not disappoint! Between the amazing Esports Arena venue, which offered enticing views of the game play, combined with the presence and engagement from celebrity hacker Vinny Troia, who provided colorful commentary and judging, and enthusiastic YouTube sensation Zach Hill of TalkTechDaily, who graciously live streamed the event, it was a success!

Competitors had the opportunity to practice on the Project Ares platform for up to 11 days in July before entering the qualifiers and then attending the live final round in Vegas. For the CISOs and other tech leaders who wanted a more intimate view of the platform, we also hosted several private demonstrations of Project Ares in-suite at Mandalay Bay. We enjoyed conversations with leading cybersecurity influencers who were looking for a better way to solve their cybersecurity challenges in the face of staffing shortfalls and skills deficits.

The inaugural Game of Titans competition culminated with three winners including best defensive player, offensive player, and MVP (pictured here). Congrats to the night’s MVP Monique Moreno with Ellucian, to Tim Nary with Booz Allen Hamilton who was the Red Team winner and Jordan Scott with Boecore as the competition’s Blue Team winner.

We hope the event inspired these individuals and others to keep on strengthening the cybersecurity profession and gave interested cybersecurity professionals the opportunity to see how gamified cyber training and assessments can benefit their professional portfolio and organizational security position.

 

Recapping Jack Voltaic 2.0 Cyber Research Project: A Q&A with Laura Lee

Reading Time: 3 minutes

Late last week, Circadence® participated in the Jack Voltaic 2.0 Cyber Research Project held in Houston, Texas. The event was described as a “bottom-up approach to critical infrastructure resilience,” where the City of Houston, in partnership with AECOM and the Army Cyber Institute (ACI) gathered with critical infrastructure partners to study cybersecurity preparedness gaps.  

Developed by the ACI at West Point, Jack Voltaic 2.0 took place July 24–26 at the Houston Emergency Center and results from the activity will be published in a technical report from the Army Cyber Institute in November 2018.   

Our own Laura Lee, executive vice president of rapid prototyping, attended the exercise and shared her experience in a quick Q & A.  

What made this event special? 

LL: This truly was a first of its kind event where a major city brought together both public and private entities across many different critical infrastructure sectors to prepare for a cyber event. It involved energy, healthcare, transportation, water and government services all working together to resolve an attack. The City of Atlanta suffered a cyberattack in early 2018 that caused millions of dollars and interrupted services in the city for weeks. The goal of this event was to avoid that type of situation and prepare, just like Houston does for hurricanes or the Super Bowl. There are always risks but the key is getting ahead of an event and developing policies and procedures to handle it.  

What was the environment of the event like?  

LL: During service restoration and when determining what was happening during the simulation, technical experts were serious in their pursuits to remediate the issues. Each team chose a leader and immediately and got to work. Harris County (where Houston resides) were quietly discussing what they were seeing for web attacks in their network, while the Port of Houston Authority were dealing with ransomware. Each team reported up to the Houston Emergency Center, with some teams reporting live via an online conferencing system. The activity was taken very seriously, and it felt like a real-world response.  

What was one of the highlights of the event?   

LL: The team from Memorial Hermann Health was asked to brief what they saw in ransomware and how they handled it. It was a Webex broadcasted to the 150 people in the Houston Emergency Center. All the teams were listening carefully to the report, trying to understand if they were seeing similar things. At this point, the hospital had successfully handled the attack, and everyone was gaining confidence and excitement.  

Why did Circadence participate in this research exercise?  

LL: Circadence is in a unique position to support city and state-wide cyber exercises because the company’s cybersecurity training and assessment platform, Project Ares®, offers virtual worlds that represent businesses and agencies in the real world. We have a synthetic internet with simulated users performing normal day-to-day jobs all in a closed, safe environment. For the event, it allowed key users to see and test what happens with the latest malware or cyber tactic. By using the Project Ares platform, we can select multiple environments that make up a city and then bring in real people, as if it was the actual city under attack. This gives a new dimension and real-world feeling to traditional “table top” exercises that are typically used for disaster preparedness. It’s a way to bring all the people required (government, industry, academia) together and includes the technical and policy personnel so everyone learns how to work together. We are passionate about helping every critical industry sector, every state, and every city learn to successfully mitigate cyber risk.  

Circadence – Contributing to Critical Infrastructure Cybersecurity  

Circadence supported the 6-month event planning process for the Jack Voltaic 2.0 Cyber Research Project. “We met almost monthly and created a realistic scenario within Project Ares, which resulted in a coordinated attack on the city,” said Laura. “We worked together to create events that would challenge each participant and then during the event, we ran the Live Fire exercise portion for the technical team players. We also displayed the results and analysis in real time within the large Emergency Center area so the policy makers could understand what was happening technically.”   

Cyberattacks rarely affect a single target. Instead, unanticipated effects could ripple across interconnected infrastructure sectors, which is why infrastructure resilience is more critical than ever. Varying defensive capabilities and authorities complicate the response. If exploited by a determined adversary, these unidentified gaps leave our nation vulnerable. Circadence was proud to participate in this exercise and help close gaps in critical infrastructure cybersecurity through its Project Ares platform.  

Watch the full press briefing from the City of Houston here