Cyber security threats and preventive measures go hand-in-hand. Yet cybercrime continues to impose threats on the financial industry. Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack,” according to a report by the Boston Consulting Group. These threats can arise at any time and occur through various sources (external sources such as hackers, and internal sources such as staff members and contracted employees). Some financial companies have developed action plans with steps to take if a cyber-attack strikes, but cyber security best practices also includes establishing and initiating threat prevention methods. One example of a threat prevention method is person-centered cyber training.
Statistics show that cyber threat prevention is an immense pain point for many financial companies. In a survey of 400 security professionals in financial services, it was observed that financial institutions are better at detecting and containing cyber-attacks and less efficient at preventing them. Almost 56% of financial institutions are useful in detection, and only 31% are good at prevention.
Financial services institutions must understand how to prevent cyber threats, which may require a ground-up approach.
Financial institutions can take immediate measures to engage in threat prevention methods with person-centered training. This type of training allows an IT or cyber professional to practice and hone skills by learning specific cyber lessons pertinent to the financial sector and applicable to their job role. The more upskilled the professional, the more they will be able to protect the company and company assets. A current platform that offers specific job role training is Project Ares.
Person-Centered Training with Project Ares
Circadence’s Project Ares is a browser-based learning platform designed for teaching cyber security in an engaging and hands-on applied method. This platform offers gamification and AI to train employees on the latest cyber threats and attacks. Project Ares is made up of foundational and specialized scenarios in the form of battle rooms and missions that address current cyber threats in the financial sector. The lessons within Project Ares are developed with specific job roles in mind.
For example, various scenarios are developed with the theme of a financial service, so the trainee can learn the skills needed to prepare for a cyber threat. In these specific financial missions, the trainee will learn how to disable botnets, identify and remove suspicious malware, and protect the financial institution.
Mission 1 – Operation Goatherd “Disable Botnet” – Acting as a cyber mission force member, the trainee will access the command and control server of a group of hackers to disable a botnet network that is designed to execute a widespread financial scan triggering the collapse of a national bank.
Mission 4 – Operation Arctic Cobra “Stop Malicious Processes” – The cyber trainee will analyze network traffic and stop a malicious exfiltration process.
Mission 5 – Operation Wounded Bear “Protect Financial Institution” – The trainee identifies and removes malware responsible for identity theft and protects the financial network from further infections.
This individual or team-based mission training delivers collaborative skill-building experiences aligned to NIST/NICE work roles, ensuring the trainee meets specific cyber competencies. This kind of immersive, hands-on training gives learners the ability to practice various forms of threat prevention, which will benefit the company’s overall security posture in the long run.
The more trained cyber professionals are for their job roles, the more likely they will be able to safeguard against threats—and take proactive measures to better prevent cyber threats. If cyber professionals are prepared and well-informed with the right knowledge and skills in their toolbox, threat prevention will be more attainable and achievable for professionals on the frontlines of defense. Professionals will be able to spot a cyber threat, but also prevent cyber threats from breaking the bank.
Circadence announced in May 2020 the latest development of an automated network mapping tool for IT use, based on collaborative work with Mississippi State University engineers and researchers. Circadence has had a six-year partnership with the university and the Threat Systems Management Office of Redstone Arsenal (TSMO) and has worked on several projects over the years to solve challenges related to National Defense. We sat down with two of our Circadence personnel: Dwayne Cole, the JMN NOSC (Network Operation and Security Center) Operations Manager and Craig Greenwood, Project Manager with Opposition Force/Advanced Red Team Intrusion Capabilities to understand more about the tool and learn about the benefits it provides to the technology community at large.
The Netmapper/Cyber Range Automation Framework (N/CRAF) project started as two separate projects, Netmapper and CRAF. The projects were recently combined to form a new tool integrating two previously independent efforts:
Netmapper — Commissioned by TSMO, developed by Circadence in collaboration with Mississippi State University (MSU) Center for Cyber Innovation (CCI). Netmapper is a graphical tool for the scanning and configuration collection of network infrastructure and integration with NOSC automation.
Cyber Range Automation Framework (CRAF) — Developed by NOSC engineers to meet mission requirements for rapid and repeatable deployment and configuration of virtual environments. CRAF uses Ansible and other open source tools to instantiate virtual environments.
N/CRAF Netmapper/Cyber Range Automation Framework is the enabling mechanism for effecting physical resource provisioning and virtual environment instantiation in a rapid and repeatable fashion. It supports the full lifecycle of cyber range virtual environment events.
The Netmapper project was born out of the need to improve the accuracy of Cyber Range emulated network environments. Craig noted that before N/CRAF, range environments were built from a subject matter expert’s assumption/belief of what their network looked like but inevitably those assumptions were never 100% correct. The network mapping process previously required a network administrator or engineer to draw a picture/map of the network which became the basis of virtualize environment used in the exercise(s). One can understand how there was room for error in this manual process – at the least, a small level of concern as to whether a network drawing and virtualization of it was indeed as realistic and accurate as possible.
As a result, Craig says, professionals training in the cyber range environments weren’t actually training on networks that were as ‘close to the real thing’ as possible. There was room to improve.
When automation engineers have real-world scanned networks as a reference, they can more accurately emulate the customers environment. Simply put, as Craig notes, “we took the assumption out of network mapping” with N/CRAF. Now the training moves ever closer to real world environment.
“Imagine scanning a network to extract the DNA which can be used to clone and re-build it” Circadence’s Dwayne Cole describes.
Combining the two programs (Netmapper and CRAF) enabled an iterative approach to cyber range environment build out that also drastically improved the end product. The scanning technology helps the automation engineers verify what they have built; it adds a check for the automation framework. It also can be used by the customer to validate the environment. The customer can easily compare the original design or scan versus the final emulated environment hosted on the Cyber Range.
With N/CRAF, it becomes easier for engineers to share their network models with one another and build out high fidelity networks to facilitate technologies assessments. N/CRAF saves everything to a single XML file to include all the configuration data. The tool also supports merging and diff’ing the output files. The merge capability allows the engineer to take parts and pieces from other networks or events to add to the current event. This allows the engineers to build special purpose network sections, like synthetic internet or traffic generation, that can be reused/added to current event. N/CRAF is a force multiplier, it enables repeatable, tedious deployment and configuration tasks and improves the reuse of detailed environments for multiple users to train within.
The tool is currently undergoing an accreditation process and is being demoed within defense departments with the goal to deploy it as a standardized tool across various agencies. The potential for the tool to be used in more commercial applications is promising as well.
Cyber Risk means different things to different people in an organization. Deloitte distinguishes it well: A CEO might worry about the expected financial loss related to cyber risk exposure; while the CFO is challenged to show the value of security while managing the associated costs. The CMO might worry about the impact to the brand if a breach to the company occurs; while the CISO is thinking about which key initiatives to prioritize to maximize risk buy down. But one thing that savvy executives agree on is that cyber security is a business risk that should be included in corporate risk mitigation strategy and processes.
Cyber Risk Mitigation focuses on the inevitability of disasters and applies actions and controls to reduce threats and impact to an acceptable level.
Lisa Lee, Chief Security Advisor for Financial Services in Microsoft’s Cybersecurity Solution Group, partnered with Circadence in April 2020 to talk about this topic in a webinar. Originally broadcast for a financial risk mitigation audience, the practical advice Lisa offers in 6 areas of cyber risk mitigation is broadly applicable.
Cyber Risk Insurance
Insurance can help to reduce the financial impact of an incident, but it does NOT mitigate the likelihood of a cyber breach happening – in the same way that having car insurance helps with the financial consequences of an accident but cannot in anyway prevent an accident from occurring.
Identity and Access Management
Microsoft recommends making “Identity” the security control plane. Employees use multiple devices (including personal devices), networks, and systems throughout their lifecycle with a company. The explosion of devices and apps and users makes security built around the physical device perimeter increasingly complex. At the same time, access to on-premise systems and cloud systems are shifting to transform to meet business needs. Partners, vendor/consultants, and customers might also all require varying degrees of access. A strongly protected, single user identity at the center of business for each of these constituents can exponentially improve the efficiency and efficacy of the overall security posture of the company.
Configuration and Patch Management
This is IT or cyber security 101. Everyone should be doing it on a consistent basis. But 20% of all vulnerabilities from unpatched software are classified as High Risk or Critical. The Center for Internet Security is an excellent resource for more information on best practices.
Asset Protection (devices, workload, data)
There is a massive amount and diversity of signal data coming in from the network and there are many tools on the market to help assist in the collection, management, and assessment. Lisa advised not to spend too much time trying to evaluate and select the best of breed tool in each category. Rather, find a suite that works well together so that you don’t have to spend time on integration. Beyond devices, also consider your security policies and practices to ensure visibility for workloads across on-prem, cloud, and hybrid cloud environments. And finally, consider protecting the information directly so that wherever data elements go, even outside the company, they carry protection with them. The key to this is encryption.
Monitoring and Management
These two concepts are seemingly more about ‘risk management’ vs. ‘risk mitigation’. But monitoring helps you to ‘know what you don’t know’ in order to adapt and improve mitigation strategies. And today, many of the monitoring tools from Microsoft and other vendors have features that enable cyber analysts to take action, i.e analysts can use the same tool that helps identify a vulnerability to then resolve it.
Cyber Security Training
Security is an ever-changing situation because bad actors are always developing new attacks. Therefore, training and education is an ongoing requirement for cyber professionals. Circadence’s Project Ares is a cloud-based learning platform specifically designed for continuous cyber security training and upskilling. IT and cyber organizations that invest in on-going training for their people are making as strong an investment in mitigation as in the tool stack that the analysts use on-the-job.
With consideration in all 6 of these areas, you will be able to architect and compose a comprehensive cyber mitigation strategy.
Here’s a link to the full webinar. It’s only 45 minutes long and Lisa provides more detail in each of these categories.
The cyber security workforce gap continues to grow, and the availability of qualified cyber professionals is predicted to decrease in the coming years. In fact, a Cyber Security Workforce Study from the International Information System Security Certification Consortium predicts a shortfall of 1.8 million in the cyber workforce by 2022. Some resources even claim upwards of a 3.5 million worker shortfall within the next two years. While this can feel like impending doom and gloom for the industry, AI, or artificial intelligence, can help to quell the concerns while empowering existing cyber workers.
While many other industries have seen robotic systems replacing the need for human workers, this doesn’t appear to be the case in cyber security. Humans are able to accomplish more when supported by the right set of tools. Allowing AI to support and react to human behavior allows cyber professionals to focus on critical tasks, utilize their expertise to analyze potential threats, and to make informed decisions when rectifying a breach. Autonomous cyber security doesn’t mean cyber security without humans.
AI can do the legwork of processing and analyzing data in order to help inform human decision making. If we were to rely completely on AI to manage security risks, it could lead to more vulnerabilities because such systems have high risks for things like program biases, exploitation, and yielding false data. Nevertheless, if utilize and deployed correctly for cyber teams, AI has the ability to automate routine tasks for processionals and augment their responsibilities to lighten the workload.
So, is AI going to take over the jobs of seasoned cyber pros? The answer is no; however, AI will drastically change the kinds of work cyber engineers are doing. In order for IT teams to successfully implement AI technologies, they will need a new category of experts to train the AI technology, run it, and analyze the results. While AI may be great for processing large amounts of data or replacing autonomous manual tasks, it will never be able to replace a security analyst’s insights or understanding of the field. There are some data points that require a level of interpretation that even computers and algorithms can’t quite support yet.
AI can help to fill the workforce gap in the cyber security sector, although it may create a need for new skillsets to be learned by humans in the industry. AI and the human workforce are not in conflict with one another in this field, in fact, they complement each other. The future is bright for AI and humans to work in tandem at the front lines of cyber defense.
For more information, check out our white paper on AI and gamification!
Happy National Cyber Security Awareness Month! We all know that cyber security isn’t just a month-long focus area for businesses and individuals—but this month, we are grateful for the collaborative effort between government entity Department of Homeland Security and the National Cyber Security Alliance that together, place a lens on cyber (as an industry, strategy, and operation). It reminds us that the industry is persistent and impacts us all, and is not siloed into a single time span, or targeted to a specific industry or person. We know this because of data cyberattacks on businesses occurring every day, the continual discussion about the cyber talent “gap” and lack of holistically-trained workforce, and because of the ineffectiveness of passive-learning training models many professionals are exposed to today. Nevertheless, as the world draws its attention around cyber in October and the industry evolves to better serve today’s professionals and businesses, we wanted to communicate the critical idea that cyber really IS for all as we strive to make cyber awareness learning accessible, intentional, and effective.
Making cyber learning accessible
We believe there are three ways to make cyber learning more accessible: providing a comprehensive learning curriculum, making it available via a browser, and using gamification as a tool for ingesting and retaining new information.
Before we dive into each of those areas, let’s get more context about the concept of cyber learning itself. For a long time, cyber security has been thought of as a technical career and while there is a great deal of technical prowess that goes into the day-to-day tasks of a cyber pro, the idea of cyber security being an “anyone can do it” profession hasn’t popularized – and rightly so.
With roots in the military and government (cyber range training), learning cyber security has been a structured, systematic, and data-driven process typically executed in a passive learning setting where students watch or listen and then take a test at the end of the lesson. There is minimal opportunity for hands-on practice in safe and secure environments, making cyber security learning and awareness of its purpose, value, and function a little more ethereal than we in the industry would like.
Comprehensive Learning Curriculum
One way to ensure “cyber for all” (our rally cry this year), is to make cyber training more readily available to reach today’s learner (the next generation of cyber pros) while injecting a touch of personal accountability toward the concept. This should include a learning curriculum that addresses:
– General awareness topics: These are topics that are broadly applicable to all employees of an organization and ones they should know regardless of IT level or expertise. Cyber security awareness topics at this level might include phishing, malware, social engineering, identity theft, removable media security, insider threats, social media vulnerabilities, etc.
– Industry-focused topics: relevant cyber security issues segmented by industry where security is a priority, especially highly regulated sectors like healthcare, government and industry, finance, election security, manufacturing, electricity, etc.
– Executive level topics: more functional/business topic areas where corporate leaders and other high-risk personnel and privilege users are impacted. Cyber security awareness topics at this level might include support/maintenance, consulting, managed services, legislation, risk assessment, etc.
By offering pathways upon which interested cyber enthusiasts or seasoned pros can “walk along,” it gives learners an idea as to how to develop their knowledge and skills. Further, cyber learning and awareness becomes more accessible because there is a route—or cyber learning journey—for everyone to choose.
The other component to ensure learning cyber awareness is accessible is by making the act of learning available to virtually anyone—via a browser. Online trainings today are quite popular for cyber enthusiasts and pros in training who want to hone their skills—and the idea of being able to access a cyber security course or activity online without having to leave the office or home is not only convenient but preferred these days. Some companies (like ours) are taking cyber training a step further by placing it in the cloud (Microsoft Azure) so learning can be scalable, more collaborative, and more customizable to learner needs.
Gamified Cyber Learning
Finally, cyber awareness learning can be attained by making learning fun. We do this with elements of gamification, which engage and inspire learners to train in environments that are not only realistic but also supported by a compelling narrative that invites players to progress through activities. Components like leaderboards, points, badges, and team-based collaboration allow learners to build a sense of “healthy competition” while learning and building skills and cyber competencies. Circadence offers learners of all skill levels various game-based activities from foundational concept learning in games like RegExile to application and analysis in Project Ares’ battle rooms and missions.
One student who played our RegExile cyber learning game in his cyber security course at CU Boulder said:
“I played the RegExile game today and I have to say I have hated regex till now, but when I learned it through the game, I actually liked it. It was really fun. I liked the concept of how a false sense of impending danger from the robots can make you think better and learn more. I was typing out my regex and actually thinking quite hard on how it could work and what I could do to make sure it was right as I did not want to lose the shield. I learned more through this game on regex than what I had in my undergrad class.” ~ Student at CU Boulder Cyber Security Course
Make Cyber Learning Intentional
Cyber learning has to be intentional. In order for students and existing cyber pros to get the most out of their training, they need a curriculum path that is not only diverse (based on skill needs), but also one that addresses all phases of learning: knowledge, comprehension, application/analysis, and synthesis/evaluation.
Can we insert an image that illustrates the “learning phases” of knowledge, comprehension, application/analysis, and synthesis/evaluation?
After understanding what cyber concepts are and how they impact our professional and personal lives (knowledge and comprehension), a learner needs to be able to build their cyber literacy and knowledge “essentials” by developing baseline cyber skills (application/analysis). Then, they can apply those skills in objective-based activities that synthesize concepts (evaluation).
“I personally found Project Ares to be a great learning experience and thought the mission environment was seamless.” ~ Chris N. UNCW Cyber Security Operations Club
Making Cyber Learning Effective
For IT Security Specialists and professionals, cyber learners can advance their competencies via recurring role-based trainingcombined with continuing education and real-world experience trainings. Cyber learning needs to be rooted in best practice, industry-defined frameworks and there’s no better model to follow than the framework set forth by the NIST/NICE organization.
By aligning learning curriculum against work roles, learning concepts and skills inherently becomes more effective because it is RELEVANT for people. They learn concepts, how to apply them and can draw connections to how those concepts apply to their own jobs or jobs they aspire to. Further, the learning permeates into individual’s personal lives as well, enhancing cybersecurity at home.
We have built-in five NIST/NICE work roles that are present in Project Ares for trainees to work toward including:
– Cyber Defense Infrastructure Support Specialist
– Information Systems Security Manager
– Threat Warning Analyst
– Systems Security Analyst
– Cyber Defense Analyst
Intentional cyber learning following this framework focuses on a particular technical topic, such as Incident and Event Management, Identification of Privilege Escalation Techniques, or Elections and Voting Security. This type of work role specification helps make learning cyber a reality.
Summing it up
While there’s no switch to turn on every part of this “cyber for all” plan, we hope it helps shed light on ways security leaders and HR directors can begin to cultivate an inclusive cyber culture in their own workplace, among their own teams. As we celebrate National Cyber Security Awareness Month (NCSAM 2019), it’s important for us to resurface conversations around what it means to actually be aware and how we can manifest that meaning into something that really makes an impact on business’ security posture. We hope this post is one inspiration to start initiating those conversations around shared responsibility to ensure all Americans stay safe.
Are you looking for a more effective, cost-conscious cyber training tool that actually teaches competencies and cyber skills? We’ve been there. Let us share our perspective on the top cyber training alternatives to complement or supplement your organization’s current training efforts.
Cyber training has evolved over the years but not at pace with the rapid persistence of cybercrime. Cyberattacks impact businesses of all sizes and it’s only a matter of time before your business is next in line. Traditional cyber training has been comprised of individuals sitting in a classroom environment, off-site, reading static materials, listening to lectures, and if you’re lucky, performing step-by-step, prescriptive tasks to “upskill” and “learn.” Unfortunately, this model isn’t working anymore. Learners are not retaining concepts and are disengaged from the learning process. This means by the time they make it back to your company to defend your networks, they’ve likely forgotten most of the new concepts that you sent them to learn about in the first place. Read more on the disadvantages of passive cyber training here.
So, what cyber training alternatives are available for building competency and skill among professionals? More importantly, why do you need a better way to train professionals? We hope this blog helps answer these questions.
Cyber Range Training
Cyber ranges provide trainees with simulated (highly scalable, small number of servers) or emulated (high fidelity testing using real computers, OS, and application) environments to practice skills such as defending networks, hardening critical infrastructure (ICS/SCADA) and responding to attacks. They simulate realistic technical settings for professionals to practice network configurations and detect abnormalities and anomalies in computer systems. While simulated ranges are considered more affordable than emulated ranges, several academic papers question whether test results from a simulation reflect a cyber pro’s workplace reality.
Traditional Cyber Security Training
Courses can be taken in a classroom setting from certified instructors (like a SANS course), self-paced over the Internet, or in mentored settings in cities around the world. Several organizations offer online classes too, for professionals looking to hone their skills in their specific work role (e.g. incident response analyst, ethical hacker). Online or in-classroom training environments are almost exclusively built to cater to offensive-type cyber security practices and are highly prescriptive when it comes to the learning and the process for submitting “answers”/ scoring.
However, as cyber security proves to be largely a “learn by doing” skillset, where outside-of-the-box thinking, real-world, high fidelity virtual environments, and on-going training are crucially important, attendees of traditional course trainings are often left searching for more cross-disciplined opportunities to hone their craft over the long term. Nevertheless, online trainings prove a good first step for professionals who want foundational learnings from which they can build upon with more sophisticated tools and technologies.
Gamified, Cyber Range, Cloud-Based Training
It wouldn’t be our blog if we didn’t mention Project Ares as a recommended, next generation alternative to traditional cyber training for professionals because it uses gamified backstories to engage learners in activities. And, it combines the benefits and convenience of online, cyber range training with the power of AI and machine learning to automate and augment trainee’s cyber competencies.
Our goal is to create a learning experience that is engaging, immersive, fun, and challenges trainee thinking in ways most authentic to cyber scenarios they’d experience in their actual jobs.
Check out the comparison table below for details on the differences between traditional training models and what Project Ares delivers.
(classroom and online delivery of lectured based material)
(immersive environment for hands on, experiential learning)
Instructors are generally experts in their field and exceptional classroom facilitators.
Often hired to develop a specific course.
It can take up to a year to build a course and it might be used for as long as 5 years, with updates.
Instructors are challenged to keep pace with evolving threats and to update course material frequently enough to reflect today’s attack surface in real time.
It is taught the same way every time.
Cyber subject matter experts partner with instructional design specialists to reengineer real-world threat scenarios into immersive, learning-based exercises.
An in-game advisor serves as a resource for players to guide them through activities, minimizing the need for physical instructors and subsequent overhead.
Project Ares is drawn from real-world threats and attacks, so content is always relevant and updated to meet user’s needs.
Courses are often concept-specific going deep on a narrow subject. And it can take multiple courses to cover a whole subject area.
Students take the whole course or watch the whole video – for example, if a student knows 70%, they sit through that to get to the 30% that is new to them.
On Demand materials are available for reference (sometimes for an additional fee) and are helpful for review of complex concepts. But this does not help student put the concepts into practice.
Most courses teach offensive concepts….from the viewpoint that it is easier to teach how to break the network and then assumes that students will figure out how to ‘re-engineer’ defense. This approach can build a deep foundational understanding of concepts but it is not tempered by practical ‘application’ until students are back home facing real defensive challenges.
Wherever a user is in his/her cyber security career path, Project Ares meets them at their level and provides a curriculum pathway.
From skills to strategy: Students / Players can use the Project Ares platform to refresh skills, learn new skills, test their capabilities on their own and, most critically, collaborate with teammates to combine techniques and critical thinking to successfully reach the end of a mission.
It takes a village to defend a network, sensitive data, executive leaders, finances, and an enterprises reputation: This approach teaches and enables experience of the many and multiple skills and job roles that come together in the real-world to detect and respond to threats and attacks….
Project Ares creates challenging environments that demand the kind of problem solving and strategic thinking necessary to create an effective and evolving defensive posture
Project Ares Battle Rooms and Missions present real-world problems that need to be solved, not just answered. It is a higher-level learning approach.
If there’s anyone who truly embodies the art of gamification, Hector Robles name just might top that list. As a lead game designer at Circadence, Hector works closely with the company’s content and curriculum departments to take complex cyber concepts and learning paths and artistically weaving them into fun cyber games that make learning desirable.
Hector has more than nine years of professional experience in the game design and cyber security/tech space, but his career wasn’t always rooted in making games for companies. In fact, after graduating from high school, Hector proudly served in the U.S. Army, as a military police officer. It was there he gained an understanding of and appreciation for the importance of security as a whole. Hector saw firsthand how proliferating technology impacted both civilian security and military security operations. After his service, Hector followed his interest and passion for game design by attending the Miami International University of Art and Design and graduating with a degree in game design. Then, he began working with media conglomerates and startup companies as a designer, producer, and artist.
But something was missing. While Hector was accumulating an impressive portfolio of entertainment game design work, he sought something more meaningful—a way to apply his skills in game design to help others. It was then he learned about Circadence and joined the game development team alongside colleagues Kari Sershon, Ronaldo Periera and Jose Velazquez.
Hector has worked on Circadence’s flagship platform Project Ares, specifically the cyber learning games embedded within it. The cyber learning games that Hector has designed will also soon become a part of the CyberBridge Essentials learning hub for wider customer access. Hector’s work can be seen most poignantly in Circadence’s new 2019 game, RegExile, which teaches players how to do regular expression coding work. RegExile helps players learn the syntax of regular expressions so they can efficiently parse through the data in search of evidence of a breach. It is a fast-paced pattern-recognition game that teaches the concepts of regular expression while exercising player’s muscle memory and reaction time. The game challenges players to form the correct expression to select or exclude data while immersing them in a futuristic “save the world” scenario filled with human-destroying robots. Players must recognize patterns in the names and type proper RegEx techniques to eliminate robots before they destroy the colony.
For Hector, designing games like this is fulfilling. “It’s a completely different beast from entertainment game design. It’s meaningful to take complex cyber concepts and turn them into fun, interactive, easily-digestible material for players—whether it’s people just starting out in cyber security or seasoned professionals looking to brush up on skills,” Hector says.
Hector typically approaches new game development by first thinking about how to make a certain concept or task in cyber “fun.” He does a lot of game research to come up with ideas of new game play designs and layouts. The research, which may include playing a game of Dungeons and Dragons to get the cognitive juices flowing, playing an arcade style game to think of narrative storylines and actions, or even breaking out a board game with friends, sparks Hector’s imagination and creativity. Once he has an idea of what kind of game he wants to create to teach the cyber concept that the Circadence Curriculum team has outlined, he develops a one-page pitch for stakeholders that presents his ideas cohesively, including details on game objectives, purpose, and technical specifications. After approval, the fun begins! Hector and his team start prototyping features and components of the game to make the ideas on paper become reality. For RegExile, he planned out the movement of the robots in the game by moving game board pieces around to capture an authentic “in game” feeling for the player.
“I try to always think about what games are out there and how we can make our games truly unique,” says Hector. “We’re constantly thinking about things like accessibility, narrative, and pacing to ensure our games aren’t just entertaining, but that people are really learning from them,” he adds.
Hector is also working on augmented reality and virtual reality card games where players can learn cyber security concepts in industry-specific settings like oil rigs and power plants to further engage one’s understanding of different cyber threats and defense tactics in the cyber kill chain. Users will eventually be able to use physical playing cards to learn things like ports and protocols too. Stay tuned for more on that!
While some may view Hector’s work as all fun and games, it does have a meaningful component that many end-users don’t think about at first. When someone logs onto a game, they are presented with audio/visual and text-based cues to inspire their behavior or ignite an action. Those cues are what allow a player to understand how to engage and act in a game setting, so they are not confused as to what to do or how to do something. Hector’s work takes the guessing out of game play for Circadence’s products. Players who engage with a cyber learning game like RegExile know immediately how to play the game and what the objective is without having to jump through hurdles or be confused at where to start. Thank Hector and his team for that!
“When they get to the platform, they know what to do, the basics of the tool, and more of the narrative and understanding of how they’ll engage with it,” said Hector. “It’s the components we build into the game that allow them to feel empowered when they hit “play” to start,” he adds.
It’s Hector’s team’s expertise behind the coding work, gamification elements, and user interface that comes together to create the best user experience for the player. The art of gamification not only engages and entertains, but it inspires, teaches, and instills cyber knowledge in the minds of players who want to grow in cyber competency and skill.
“Seeing someone’s face light up when they play our games brings a smile to my face,” says Hector. “At first they’re hesitant but then they start playing and there is a moment of clarity that washes over their face that makes the time and energy put into our games all worth it.”
Hector believes the best way to learn is by playing games. That’s what ‘living our mission’ at Circadence is all about. The power of games can cement cyber concepts and we look forward to seeing what Hector and his team whip up next to keep professionals and first-time cyber learners coming back for more knowledge and skill building.
Bringing his Air Force and military security engineering background to use, Senior Mission Designer Todd Humes understands what it takes to defend networks from adversaries. Prior to Circadence, he served in various government security roles including as a Systems Security Engineer and Systems Administrator and on the commercial side as a Director of Network Defense Operations at a Managed Security Service Provider. He noticed a gap in commercial cyber training and readiness that eventually lead him to Circadence.
In his current role, Todd ensures that real-world training exercises developed meet critical training objectives and are authentic for the end-user. “We want to provide a safe place for trainees to learn cyber…so he/she doesn’t have to worry about causing damage on actual networks when trying to build skills,” he says.
It’s important trainees in Project Ares experience true-to-life cyber threat scenarios that they would in their actual workplace.
In “mimicking a controlled environment that they would see” in the workplace, trainees gain “an experience that is highly relatable and allows for professional development,” Todd says.
When developing new missions Todd and his team examine market verticals and threats associated with those industries to identify unique scenarios that can be built out in a Project Ares mission. “We do our own research and threat intelligence targeting verticals, brainstorm specific scenarios and begin designing what the network environment should look like,” he says. The automation and orchestration of how the mission will unfold require a great deal of programming. Between building the mission components, the layout, and the services that will be “affected” in the exercise, Todd and his team bring cyber threats to life in the most authentic way possible. Sometimes, he adds, “we have to reverse engineer the malware [for example] to get the capability we want,” adding layers of complexity and back-end work to produce the final product.
But the intricacies of building missions is anything but dull. “It’s never boring! We’re always learning day in and day out and the people who are successful in this field are the individuals who continue to learn themselves,” Todd says.
To ensure missions stay relevant against today’s threats, Todd is always keeping a pulse on the latest research and vulnerabilities by studying online reports and attending cyber conferences and industry-related events to network with like-minded leaders.
He believes by continuously learning about the industry, all professionals in this line of work and beyond can find new and better ways to address an exploit and stay one (or several) steps ahead of hackers. He considers cyber security one the few industries and specializations that requires persistent learning and skill building in order to “extend the life” of security across organizations and companies.
Ransomware is gaining traction among hackers; emboldened by financial success and anonymity using cryptocurrencies. In fact, ransomware is now considered a tried and true cyberattack technique, with attacks spreading among small and medium-sized businesses, cities and county governments. Coveware’s recent 2019 Q1 Ransomware Report notes:
Ransoms have increased by an average of 89% over Q1 in 2019 to $12,762 per ransom request
Average downtime after a ransomware attack has increased to 7.3 days, up from 6.2 days in Q4 of 2018, with estimated downtime costs averaging $65,645
Victim company size so far in 2019 is anywhere from 28 to 254 employees (small, medium, and large-sized businesses)
Let’s review how ransomware works and why it’s so effective. Ransomware is a type of cyberattack where an unauthorized user gains access to an organization’s files or systems and blocks user access, holding the company’s data hostage until the victim pays a ransom in exchange for a decryption key. As you can surmise, the goal of such an attack is to extort businesses for financial gain.
Ransomware can “get into” a system in different ways, one of the most common through phishing emails or social media where the human worker inadvertently opens a message, attachment, or link acting as a door to the network or system. Messages that are urgent and appear to come from a supervisor, accounts payable professional, or perceived “friends” on social media are all likely ransomware actors disguising themselves to manipulate or socially engineer the human.
Near and Far: Ransomware Has No Limits
Many types of ransomware have affected small and medium-sized businesses over the last two decades but it shows no limitations in geography, frequency, type, or company target size.
Norwegian aluminum manufacturing company Norsk Hydro, a significant provider of hydroelectric power in the Nordic region, was shut down because of a ransomware infection. The company’s aluminum plants were forced into manual operations and the costs are already projected to reach $40 million (and growing). The ransomware name: LockerGoga. It has crippled industrial firms across the globe from French engineering firm Altran, and manufacturing companies Momentive, and Hexion, according to a report from Wired.
What was perceived as an unplanned system reboot at Maersk, a Danish shipping conglomerate, turned out to be a corrupt attack that impacted one-fifth of the entire world’s shipping capacity. Deemed the “most devastating cyberattack in history,” NotPetya created More than $10 billion in damages. To add insult to injury, the cyber risk insurance company for Maersk denied their claim on the grounds that the NotPetya attack was a result of cyberwar (citing an act of war exclusionary clause). WannaCry was also released in 2017 and generated between $4 billion and $8 billion in damages but nothing (yet) has come close to NotPetya.
On Black Friday 2016, the San Francisco Municipal Transportation Agency fell victim to a ransomware attack. The attacker demanded $73,000 for services to be restored. Fortunately, speedy response and backup processes helped the company restore systems in 2 days—avoiding having to pay the ransom. In March 2018, the City of Atlanta experienced a ransomware attack that cost upwards of $17 million in damages. The Colorado Department of Transportation fell victim, too, left with a bill totaling almost $2 million.
These headlines are stories of a digital war that has no geographical borders or structured logic. No one is truly immune to ransomware, and any company that thinks that way is likely not as prepared as they think they are. Beazley Breach Response (BBR) Services found a 105% increase in the number of ransomware attack notifications against clients in Q1 2019 compared to Q1 of 2018, as well as noting that attackers are shifting focus to targeting larger organizations and demanding higher ransom payments than ever before.
Immersive cyber ranges – Protect Yourself, Your Business, Your People
If your own security efforts, staff practices, and business infrastructure are continuously hardened every time a new breach headline makes the news, the things that matter most to you and your company will be better protected. One of the ways to consistently harden security practices is via immersive and persistent training on gamified cyber ranges. Some benefits of using cyber ranges like this include:
Helping professionals of all skill levels learn and apply preventative measures such as: regular backups, multi-factor authentication, and incident response planning and analysis.
Understanding what ransomware looks like and how it would “work” if it infected their company’s network.
Cloud-based environments can scale to emulate any size digital system and help users “see” and respond to threats in safe spaces.
Providing user assistance and immediate feedback in terms of rewards, badges, and progress indicators, allowing organizational leaders who want to upskill their cyber teams to see the skills gaps and strengths in their teams and identify ways to harden their defenses.
When ransomware does come knocking at your business door, will you be ready to recover from the costly and reputational damages? If there is any shred of doubt in your mind, then it’s time to re-evaluate your cyber readiness strategy. As we’ve learned, even the smallest vulnerability or level of uncertainty is enough for a cybercriminal to take hold.
Critical infrastructure is a term used by the government to describe assets that are essential for the functioning of a society and economy (think oil and gas, water, electricity, telecommunication, etc.). According to the Department of Homeland Security, there are 16 sectors of critical infrastructure. In the past few years, we’ve seen attacks on departments of transportation, cities, and other network infrastructure that are prompting many cyber security leaders to pay closer attention to their readiness strategy and risk management. With the threat of cyberattacks against public and private sector infrastructure on the rise, it is important to understand the history of these attacks, as well as what critical infrastructure cyber security professionals can do to protect themselves against them. Today, we are going to focus on three sectors: oil and gas, energy and electricity, and transportation.
Oil & Gas Cyber Security
Much of how we live and work is dependent upon the energy produced from oil and gas production, including cooking, heating/cooling, driving, and use of electronic devices and appliances. There have been several successful attacks on this industry already:
One of the most famous noted attacks came in 2010 with Stuxnet, a malicious computer worm used to hijack industrial control systems (ICS) around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
In August 2012, an unauthorized user with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computer data and resulted in an immediate shutdown of the company’s internal network.
National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations was remotely accessed by online attackers, manipulated to cause alerts, and set to shut down the flow of fuel. Several gas-tank-monitoring systems suffered electronic attacks thought to be instigated by hacktivist groups.
While we may not think of the energy sector as being a large cyber vulnerability, it is not only of intrinsic importance to a functioning society but necessary for all other sectors that make up the nation’s critical infrastructure.
There are not many documented cases of a successful power grid attack but that doesn’t mean they don’t occur! The first known instance taking place on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in the Ukraine and temporarily disrupt electric supply to end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.
Although there may not be many examples of historical energy utility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.
Transportation Cyber Security
Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP (gross domestic product), which includes monetary value of all goods and services produced within the United States. Over the past couple of years, the industry has grown in operational complexity with logistical chains, production, facility and manufacturing partners and plant management. As a result of this growth, it has become an even more alluring and accessible hacking playground for cybercriminals. There have been a few noteworthy attacks on this silo of infrastructure in the last few years:
Maersk: Petyamalware variant infected the IT systems of the world’s largest shipping company with 600 container vessels handling 15% of the world’s seaborne trade in June 2017.
LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecieairport in June 2015.
Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.
You can see that attacks on these silos of industry have already begun (and show no signs of stopping) and we need to be prepared for what the future holds. To mitigate cyber attacks and protect critical infrastructure against looming threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.
Reducing Risk in Critical Infrastructure Cyber Security
Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own IT and OT networks to be most effective. In fact, there are exercises within the cyber range platform that have players detect threats on a water treatment plant and in an oil and gas refinery. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in any critical infrastructure sector. Further, targeted training can be achieved from the library of battle room scenarios to work on specific skill sets like digital forensics, scripting and Linux.
Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kinds of learning include:
Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
Opportunities to close gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
Risk mitigation and improved problem solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.
By placing the power of security in human hands, cyber security teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Humans are the last line of defense against today’s adversary, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cyber security across these critical infrastructure sectors.