Hear why and how teachers deployed Project Ares in the classroom to elevate cyber learning and teaching and what students thought of the experience.
Every day we get more interconnected and that naturally widens the threat surface for cybercriminals. In order to protect vulnerabilities and keep pace with hacker methods, security – and non-security professionals must understand how to protect themselves (and their companies). And that involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, within cyber teams via persistent training, and in communication between the C-suite and the CISO. Check out our recommendations below and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.
Company-Wide Security Awareness Programs
Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputation damages.
Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to get information on a victim to exploit. Reports vary but a most recent article from ThreatPost notes that phishing attempts have doubled in 2018 with new scams on the rise every day.
But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?
We believe in the power of gamified learning to engage employees in cyber security best practices.
Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security from hacking methods to understanding cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other player’s assets for vulnerabilities to exploit. The back and forth game play teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.
By making the learning fun, it shifts the preconceived attitude of “have to do” to “want to do.” When an employee learns the fundamentals of cyber security not only are they empowering themselves to protect their own data, which translates into improved personal data cyber hygiene, but it also adds value for them as professionals. Companies are more confident when employees work with vigilance and security at the forefront.
Benefits of company-wide security awareness training
- Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
- Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
- Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.
For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.
Persistent (Not Periodic) Cyber Training
For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and ways to protect and defend, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has and continues to be the option of choice—but the financial costs and time away from the frontlines makes it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.
Further, periodic cyber security training classes are often dull, static, PowerPoint-driven or prescriptive, step-by-step instructor-driven—meaning the material is often too outdates to be relevant to today’s threats—and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!
What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?
We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should be able to scale as companies grow in security posture too. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Running on Microsoft Azure, enterprise, government and academic IT teams can persistently training on their own networks safely using their own tools to “train as they would fight.”
Browser-based, Project Ares also allows professionals to train on their terms – wherever they are. Artificial intelligence via natural language processing and machine learning support players on the platform by acting as both automated adversaries to challenge trainees in skill, and as an in-game advisor to support trainee progression through a cyber exercise.
The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.
Benefits of persistent cyber training
Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:
- Increased engagement, sense of control and self-efficacy
- Adoption of new initiatives
- Increased satisfaction with internal communication
- Development of personal and organizational capabilities and resources
- Increased personal satisfaction and employee retention
- Enhanced productivity, monitoring and decision making
For more information about gamified cyber training, read about our award-winning platform Project Ares.
CISO Involvement in C-Suite Decision-Making
Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.
Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.
C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.
A CISO is typically concerned about the security of the business as a whole and if a breach occurs at the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.
The CISO perspective is, if ever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are not security “add ons” brought in too late in the game. Also, actualizing the cost of a breach on the company in terms of dollar amounts can also capture the attention of the C-suite.
Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber. To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe from the employees it employs to the technologies it adopts to function.
Improving Cyber Security for the Future
Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.
If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.
Circadence’s inCyt security awareness platform was recognized as a Silver winner by the International Serious Play Awards Competition for its ingenuity and gamified learning approach to support enterprise companies in learning cyber practices.
Circadence’s Josh Davis shares what will transform cyber security for the better.
Which technologies are working to strengthen cybersecurity as we know it? This is an important question that will partially define the relative stability or chaos of our digital future. Circadence’s Josh Davis shares his perspectives.
Is your company doing through a digital transformation?
The age of digital transformation is prompting businesses to examine their increased threat surfaces and cyber risk. Circadence provides tips for how to ride the cyber security wave of digital transformation while keeping practices and preparedness efforts strong.
From unifying security architecture to automating routine security tasks to building a culture of continuous cyber training for professionals, Circadence helps businesses of all sizes upskill cyber security teams to fortify the vulnerable human element of cyber security.
We’ve made several new updates to our gamified cyber learning platform Project Ares. We are releasing new battle room and mission cyber security exercises for professionals to continue training and honing skills and competency and have optimized some aspects of performance to make the learning experience smoother.
New Missions and Battle Rooms
To ensure professionals have access to the latest threats to train against, we develop new missions and battle rooms for our users so they can continually learn new cyber security skills, both technical and professional. The following new missions are available to users of the Professional and Enterprise licenses of Project Ares; while the new battle rooms updates are available to users of the Academy, Professional, and Enterprise licenses of Project Ares.
Mission 5 – Operation Wounded Bear
Designed to feature cyber security protection for financial institutions, the learning objectives for this mission are to identify and remove malware responsible for identity theft and protect the network from further infections. Variability in play within the mission includes method of exfiltration, malicious DNS and IP addresses, infected machines, data collection with file share uploads that vary, method of payload and persistence, and a mix of Windows and Linux.
This mission provides practical application of the following skill sets:
- Computer languages
- Computer network defense
- Information systems
- Information security
- Command line interface
- Cyber defense analysis
- Network and O/S hardening techniques
- Signature development, implementation and impact
- Incident response
- Use IDS/IPS to alert on initial malware infection vectors
- Alert/prevent download of malicious executables
- Create alert for infections
- Kill malware processes and remove malware from the initially infected machine
- Kill other instances of malware processes and remove from machines
- Prevent further infection
Mission 6 – Operation Angry Tiger
Using threat vectors similar to the Saudi Arabia Aramco and Doha RasGas cyber attacks, this mission is about responding to phishing and exfiltration attacks. Cyber defenders conduct a risk assessment of a company’s existing network structure and its cyber risk posture for possible phishing attacks. Tasks include reviewing all detectable weaknesses to ensure no malicious activity is occurring on the network currently. Variability in play within the mission includes the method of phishing in email and payload injection, the alert generated, the persistence location and lateral movement specifics, and the malicious DNS and IP addresses.
Core competencies used in the mission:
- Incident response team processes
- Windows and *nix systems administration (Active Directory, Group Policy, Email)
- Network monitoring (Snort, Bro, Sguil)
- Verify network monitoring tools are functioning
- Examine current email policies for risk
- Examine domain group/user policies for risk
- Verify indicator of compromise (IOC)
- Find and kill malicious process
- Remove all artifacts of infection
- Stop exfiltration of corporate data
Mission 13 – Operation Black Dragon
Defending the power grid is a prevailing concern today and Mission 13 focuses on cyber security techniques for Industry Control Systems and Supervisory Control and Data Acquisition systems (ICS/SCADA). Players conduct a cyber defense assessment mission on a power distribution plant. The end state of the assessment will be a defensible power grid with local defender ability to detect attempts to compromise the grid as well as the ability to attribute any attacks and respond accordingly.
Core competencies used in the mission:
- Risk Management
- Incident Response Management
- Information Systems and Network Security
- Vulnerability Assessment
- Hacking Methodologies
- Evaluate risks to the plant
- Determine if there are any indicators of compromise to the network
- Improve monitoring of network behavior
- Mitigate an attack if necessary
Battle Room 8 – Network Analysis Using Packet Capture (PCAP)
Battle Room 8 delivers new exercises to teach network forensic investigation skills via analysis of a PCAP. Analyze the file to answer objectives related to topics such as origins of C2 traffic, identification of credentials in the clear, sensitive document exfiltration, and database activity using a Kali image with multiple network analysis tools installed.
Core competencies used in the mission:
- Intrusion Detection Basics
- Packet Capture Analysis
Battle Room 10 – Scripting Fundamentals
Scripting is a critical cyber security operator skillset for any team. Previously announced and now available, Battle Room 10 is the first Project Ares exercise focus on this key skill. The player conducts a series of regimented tasks using the Python language in order to become more familiar with fundamental programming concepts. This battle room is geared towards players looking to develop basic programming and scripting skills, such as:
- Classes and Objects
- File Manipulation
- Exception Handling
- User Input
- Data Structures
- Conditional Statements
- Numbers & Operators
- String Manipulation
Core competency used in the mission:
- Basic knowledge of programming concepts
Game client performance optimizations
We made several adjustments to improve the performance of Project Ares and ensure a smooth player experience throughout the platform.
- The application size has been reduced by optimizing the texture, font, and 3D assets. This will improve the load time for the game client application.
- 3D assets were optimized to minimize CPU and GPU loads to make the game client run smoother; especially on lower performance computers.
- The game client frame rate can now be capped to a lower rate (i.e. 15fps) to lower CPU utilization for very resource constrained client computers.
These features are part of the Project Ares version 3.6.4 on the Azure cloud which is available now. Similar updates in Project Ares version 3.6.5 for vCenter servers will be available shortly.
Targeted attacks against particular groups or entities are on the rise this year. Instead of a “spray and pray” approach, malicious hackers are getting particular about who and what they attack and how for maximum accuracy. Why? The right ransomware attack on the right data set to the right group of people can yield more monetary gain than an attack towards a general group of people at varying companies. To empower ourselves, we need to understand how cybercrime is “getting personal” and what we can do to prevent attacks like this.
Cybercriminals want to stay under the radar, so the more their attacks remain hidden from the public eye, the better chance they have to replicate that method on other vulnerable groups with lots to lose. Unauthorized adversaries target certain devices, computer systems, and groups of professionals most vulnerable to cybercrime.
Server hacking for faster monetary gain
Attacks on endpoint devices like computers and laptops are a thing of the past for evolving hackers who know that unsecured enterprise servers offer the best chances of staying undercover than device firewalls allow. Why get pennies and minimal personal information from a single laptop user when you can get millions from a few locked up servers that house incredibly sensitive data like billing information and credit cards?
The City of Baltimore experienced this firsthand with a ransomware attack that affected 14,000 customers with unverified sewer charges. Hackers demanded $76,000 in bitcoin to unlock city service computers, which impacted the delivery of water bills to local residents. While many residents might not mind skipping a payment, in the long run it’ll cause “surprise” bills when back-pay is requested.
Recently, Rivera Beach in Florida was one of the latest government entities to be crippled by a ransomware attack, and unfortunately, they paid almost $600,000 to hackers to regain access to their data.
But it’s more than a local city and state governments that are being attacked at this scale.
Multi-mass hacking for political disruption
Devices that are used by the masses are also at risk. Think about voting machines. Hacking into those machines has never been easier due to old devices and lack of security on them. To ensure the integrity of data, governments can consider using blockchain to maintain a more hardened security structure all the while, educating their election security professionals on the latest hacking methods so they can assess vulnerabilities on physical systems. The end result of voting machine hacking isn’t monetary per se—it’s much better—pure, unbridled political chaos and public distrust in election security and government operations.
Car-jacking to car hacking
Modern transportation system and vehicle attacks are on the rise too. Today’s cars are basically computers on wheels with the levels of code embedded within them. Hackers have been known to target cars to control key functions like brakes, steering and entertainment consoles to jeopardize the people in the car, as well as everyone around them on the road. In an interview with Ang Cui, CEO of Red Balloon Security, he notes “If you can disable a fleet of commercial trucks by infecting them with specialized vehicle ransomware or in some other way hijacking or crippling the key electronic control units in the vehicle, then the attacker could demand a hefty ransom.”
Cyber security professor Laura Lee notes, “The transportation sector is said to now be the third most vulnerable sector to cyber-attacks that may affect the seaport operations, air traffic control, and railways. The ubiquitous use of GPS information for positioning makes this sector especially concerned about resiliency.”
Preventing targeted cybercrime
In many of the incidences above and those not reported upon, humans are often the first and last line of defense for these companies and devices being attacked. Humans have the ability to detect vulnerabilities and gaps in security while also understanding what hackers are after when it comes to cybercrime tactics.
Our ability to handle both technical and analytical aspects of hacking means more can be done proactively to prevent targeted cybercrime like this. Specifically, in the field of training cyber security professionals, government and commercial entities should evaluate current training efforts to ensure their teams are 100% prepared for targeted attacks like these. How hackers attack changes every day so a persistent, enduring method of training would be critical to helping empower and enable defenders to anticipate, identify, and mitigate threats coming their way.
New cyber training approaches are using gamification to complement and enhance existing traditional, off-site courses. Currently, many traditional courses are passively taught with PowerPoint presentations and prescriptive video learning, often disengaging trainees who want to learn new cyber concepts and skill sets (in addition to staying “fresh” on the cyber fundamentals).
Government organizations and commercial enterprises would be smart to explore engaging ways to keep cyber team skills up to snuff while increasing skill retention rates during training.
InfoSecurity Magazine interviews CEO Michael Moniz on the future of cyber training — where it will go and how it will help us all stay safe online.
Teri Robinson interviews Circadence’s Keenan Skelly on the future of cyber security for women.