Normally, it’s the job of the New York City Cyber Command (NYC3) to defend the city from online threats. But yesterday, its members were actually the ones dishing out the punishment, lobbing a series of attacks at a group of 25-30 New York University cybersecurity graduate students.
These besieged “Cyber Fellows” were participating in a two-day red team/blue team exercise, marking the launch of the first sim training program at the newly launched Cyber STRIKE cyber range. The Brooklyn facility is a joint project of New York University's Tandon School of Engineering, NYC3 and corporate sponsors.
A group of 25-30 students clad in blue shirts worked vigorously to thwart a series of attacks lobbed their way. Some actually flew in specifically for the event in from other cities where they already hold jobs while taking NYU's coursework remotely.
The environment they were tasked to defend was designed to operate like an average mid-sized corporation -- the kind that is typically desperate for quality IT security help. Inside their war room, a large dashboard screen displayed logs detailing observed anomalies, confirmed threats and remedial actions taken, such as blocking an offending IP address. Looking over their shoulders were multiple news reporters, including one from SC Media. No pressure.
The purpose of this exercise, and the larger NYU cybersecurity program that supports it, is to help chip away at the growing cybersecurity skills gap. “…We face the threat of a lack of talent, of manpower, that can [help us] defend ourselves,” said Nasir Memon, a professor of computer science and engineering at NYU’s Tandon School, and the department head of NYU Tandon Online. “If we don’t have that, then we are in trouble, and we need initiatives where industry, government and academia come together to address this problem.”
To help the fellows hunt for threats and detect and mitigate attacks, the range’s cloud-based system provided a variety of open-source tools that offer much of the same functionality as the cybersecurity solutions that are commonly found deployed in workplace environments.
“Sometimes they go down an investigatory course and it reaches a dead end, sometimes they go down a course and there’s a lot to find,” said Geoff Brown, New York City’s chief information security officer, who leads NYC3. When they do find something, the team then must follow proper corporate protocols and request permission before taking a corrective action (assuming the problem is not a simulated major emergency).
“Our goal is not to just shut down [the hacker] right away. We wanted to see exactly what is the TTP tactic the most that the hacker is trying to do,” said Sarwar Azad, threat management specialist at NYC3 who served as a mentor for the blue team. So after finding a suspicious PowerShell code, “What we did is we grabbed the PowerShell and tried to decode to try to see exactly which IP they’re coming from and then we are trying to block it…”
It’s not just about prevention, Azad added: “We are trying to detect and mitigate it because sometimes when you shut it down, that means the normal users could be impacted too… It depends on the criticality. If we see that that machine is really compromised, that that account has been compromised, then we can request to contain that machine.”
Meanwhile, the NYC3’s considerably smaller red team was holed up in its own room, plotting its next strike. “There are capabilities and tactics that a small grouping of individuals on the offense can deploy that might take an entire effort like you see in the other room to react to. It tells you a little bit of the importance of taking an all-team approach to this incredibly critical industry of cybersecurity,” said Brown.
Brown listed phishing among the red team’s most prevalent attack techniques, but said the threats would arrive in various forms, just as they would in real life. “You may have individuals with all kinds of different intentions, with all kinds of different outcomes that they’re trying to achieve, who are taking upon themselves activities that hold at risk the infrastructure you’re defending,” Brown continued.
First-year NYU cybersecurity grad student Spencer Brown (no relation to Geoff Brown) traveled from the Detroit area, where we works for security company Qualys, to attend the exercise. Day One was a little rough, he acknowledged, as the fellows struggled to find their footing. But then “some of us spent some time doing some additional studying or research on what we wanted to do, and we had more of a game plan coming in on Day Two, and we were actually able to detect and respond to multiple attacks,” he said. “It feels good to be able to stop something. It makes it more exciting for us. So I guess in summary, we’re improving, we’re doing better, and our hearts are more lifted than yesterday.”