2020 NSF Summit Training Sessions

Web Security and Automated Assessment Tools

Instructors: Barton P. Miller, Elisa Heymann

Description: As basic background, we will start by explaining web attacks and how they can be mitigated. We will then discuss how assessment tools work, so that the attendee can understand the capabilities and limitations of such tools. We then focus on a selection of both commercial and open source tools for C/C++ and Java, and demonstrate how to apply them to sample programs with known flaws. Next, the attendees will have the opportunity to do hands-on exercises with automated assessment tools. For the hands-on exercises, the students will perform web attacks (XSS and CSRF), use tools to locate the problem, and then mitigate it. The attendees will have access to a quick-to-install VirtualBox appliance with the applications and build environment pre-configured.

Using a Digital Forensics Tool to Analyze ENRON data

Instructor: Ebru Cankaya

Description: This session uses a digital forensics tool (Aid4Mail) to analyze the publicly available, infamous ENRON database emails in an effort to unearth select rogue clandestine plans in the ENRON company. We hope this will be good training for digital forensics students as well as professionals to gain hands-on experience with a digital forensics tool using real-life data.

Foundations of Secure CI

Instructors: Ciprian Popoviciu, Samir Tout, Lola Killey

Description: We are on the cusp of a technical revolution that is akin to that of the original Internet. IPv6 and the Internet of Things (IoT) are proving to be an integral part of this revolution. IPv6 overcomes the prominent constraint of IPv4’s limited address space, which can no longer accommodate today’s Internet. IPv6 is critical to the scalability of key IT infrastructures, notably IoT, which is proliferating into our lives across multiple industries through a plethora of “smart” technologies (e.g., smart grid, smart cities, intelligent transportation systems, etc.) that transform established staples of our lives such as our homes, vehicles, and modern workplaces. The current understanding and use of IPv6, cybersecurity operations, and IoT exist in separate silos. It is time to bring the three together into a holistic Cyber-Infrastructure (CI) view. Future researchers and the workforce at large need to understand these technologies, know how to properly leverage them for their own research or work, and know how to innovate on top of IPv6-based secure CI. The United States has a tremendous shortage of people with such knowledge and skills.

Both Sides Of the Looking Glass: how vulnerability scanning and honeypots can work together in proactive cybersecurity operations

Instructors: Richard Biever, Ken Goodwin

Description: The National Science Foundation has invested over $7B in scientific research projects, and those projects lead the world in providing opportunities for scientific discoveries. Yet this investment and leadership are at risk, threatened by cyberattacks from malicious technology actors, some foreign-sponsored and highly targeted, others rogue with no agenda other than maliciousness. Due to the collaborative, international, and open nature of scientific research and the highly specialized instruments and high performance computing resources we depend on in open science, we cannot rely on checkbox security. We must give ourselves every opportunity to learn about our assets, the threats and risks that are actually touching our environments, and then adapt to the things that we see rather than counting on a generic IT threat assessment to have all the answers we need. By pairing vulnerability scanning from outside the network perimeter with strategically placed honeypots inside the perimeter, we take powerful steps toward using the defender’s home court advantage to successfully defend NSF research against today’s evolving cyber threats.

Tackling Cybersecurity Regulations: DFARS, CMMC, HIPAA, FISMA, and GDPR

Instructors: Anurag Shankar, Erik Deumens, Gabriella Perez, Scott Russell

Description: Compliance is emerging as a major challenge for research organizations unfamiliar with cybersecurity rules and regulations. It arrives through terms in grants, contracts, and data use agreements, or a sudden discovery of regulated data in a project. Lacking compliance expertise and the means to afford commercial offerings to fill the gap, organizations often respond with fear, uncertainty, and doubt, or overreact. This training session is especially designed to help those who are new to the world of cybersecurity compliance or struggling with it. It will familiarize the attendee with DFARS, CMMC, HIPAA, FISMA, and GDPR, common compliance regimes affecting research in the US, and provide strategies to address them.

Leveraging AI/ML for SOC Threat Hunting and Incident Investigation

Instructors: Shanchieh (Jay) Yang, Ryan Kiser, Emily Adams, Scott Orr

Description: Cyber threat hunting and incident investigation often take hours if not days to complete. The long response time is often due to a combination of potentially sophisticated cyberattack tactics, diverse and evolving system and user settings, ever-increasing attack surfaces, and large volumes of heterogeneous intrusion alerts and threat intelligence. Recognizing such challenges, many AI/ML solutions have been developed in an attempt to assist SOC analysts in aggregating, correlating, or summarizing intrusion activities. Yet most practices in the field still focus on sorting through intrusion alerts using dashboards. This hands-on training will offer a perspective where SOC analysts leverage “attack models” to digest the ongoing and evolving attack behaviors on one’s network. Attack models are statistical summaries of the “what”, “how”, “when”, and “where” of intrusion activities, synthesized using ASSERT (Attack Strategy Synthesis for Enhanced Threat Recognition) [1,2]. Specifically, ASSERT provides “method intelligence” and “asset intelligence” by revealing the attack intent-stages [3], targeted services, IP maneuvers, and time-elapsed statistics in each unique attack model. ASSERT is being deployed as a test-case prototype to consume anonymized Suricata alerts from OmniSOC (omnisoc.iu.edu) at Indiana University in collaboration with the Center for Applied Cybersecurity Research (CACR – cacr.iu.edu).

Developing Cybersecurity Programs to Support NSF Science

Instructors: Craig Jackson, Bob Cowles

Description: This online training covers the foundational requirements for a competent cybersecurity program, and the application of those requirements to organizations and facilities that provide scientific cyberinfrastructure. It is based on the Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs) (currently in development). See https://www.trustedci.org/framework.

Security Log Analysis Workshop

Instructors: Mark Krenz, Ishan Abhinit

Description: This security log analysis workshop walks participants through the security log analysis lifecycle, providing considerations for centralized log collection and log management tools, phases of compromise, and examples from real-world attacks. We will be using logs from Zeek, a Network Security Monitor (NSM) used for general network traffic analysis. This includes Zeek logs such as mysql, http, irc, etc. We will also be using logs from the Apache web server. This tutorial also includes a hands-on exercise that will demonstrate techniques to analyze logs to detect security incidents. We have expanded our exercise this time to include both command-line and Elastic Stack based analysis. The hands-on exercise will provide an overview of investigation techniques for identifying the log evidence of some common attacks, such as SQL injection, filesystem traversal, brute force attacks, command-line injection, and more. This will be an interactive session allowing Q&A, and it will also feature interactive polls to enhance the audience’s learning experience.