Cyber exercise aims to teach the good guys to think like the bad guys

The National Defense University's Cybersecurity Challenge wants to educate professionals on how hackers think so they can better understand how to spot and stop penetration attacks.

The National Defense University plans to hold its second cybersecurity contest in March as a way to teach federal information security professionals how hackers try to penetrate systems to cause damage, a skill overlooked in training but needed to be able to spot and block such attacks.

NDU's iCollege will host the Cybersecurity Challenge on March 12, which will pit government teams against one another to test their skills in launching cyberattacks and defending their applications and networks. The university's first cyber exercise was held in November 2009 and was only open to participants from the Defense Department, but NDU plans to invite technologists from civilian agencies to join in the second contest.

"Most government agencies don't understand the attackers, because they don't have much opportunity to [launch attacks] themselves," said Maj. Stephen Mancini, faculty member at the university who runs the exercise. "Most earn credentials geared toward defense, with only a handful that understand penetration testing. This challenge gives them opportunity to attack and defend simultaneously."

Multiple teams, each consisting of two participants, will compete against each other. Each team will be given two computers, one for launching attacks, which will be armed with hacking tools, and one to defend, which will be loaded with standard software including the Microsoft Windows operating system and e-mail. Each team earns points for successfully infiltrating other teams' computers and, for example, capturing files or defacing a web site. Teams are docked points for failure to defend against attacks.

"There are security officers that only understand what an attack will look like after their systems get broken into, and often it's not until months later," Mancini said. "Rarely do they see what's happening in real time. This provides them the opportunity to be the bad guy in a nice segmented network."

NDU offers 24 slots for the exercise, with half the positions already filled.

Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team, said cyber exercises like these focus on attacks that attempt to take down applications and networks, including denial-of-service attacks, which temporarily block access to an agency's network, or Web defacement, which alters online content.

But the attacks that are more damaging are those that keep the system up and running -- and therefore remain undetected -- so valuable information can be stolen without a trace. "The focus needs to be on integrity attacks, where I hack your box, but I don't knock it offline. I just change the integrity of the data that you rely upon and in doing so, make you deaf, blind and mute," he said. "I can control the way you behave. I make you my puppet. We're too focused on blitzkrieg, rather than the thousand grains of sand approach."

These are the kinds of attacks that hackers used to successfully infiltrate 2,500 companies and government agencies, as reported by The Wall Street Journal on Thursday. The penetrations exposed large amounts of sensitive data and trade secrets, according to NetWitness Corp., which provides computer security for agencies and is headed by Amit Yoran, a former director of the National Cybersecurity Division at the Homeland Security Department.