Author: Circadence

Ever wondered about the people behind Project Ares’ development? How does Circadence identify and develop learning curriculum material to benefit today’s cyber professionals? The crux of the strategy stems from the talents within our own Circadence family and is the driving force behind this “Living our Mission” article. We are sharing the unique talents of Megan Daudelin, Team Lead of Curriculum Development for our flagship gamified learning platform, Project Ares. While one might expect that a cyber background is critical to any tech-focused role in a security company, Megan would argue that having a strong understanding of learning theories, experience teaching cyber subjects, and placing oneself in the customer’s shoes equally weigh in importance to successfully build rich cyber curriculum into our products.

Blending Forensics, Hospital Security, and Cyber Education

Megan has a rich history in the cybersecurity industry, which started after she graduated with her bachelor’s degree, and continued as she worked full time while completing her Master’s in Digital Forensics Management from Champlain College. Prior to Circadence, she served as a Digital Forensic Analyst at ManTech and Information Security Content Analyst at Tenable Network Security. She also worked as a Network Security Analyst at New London Hospital between her stints at ManTech and Tenable, monitoring networks and medical devices in accordance with HIPPA. Those experiences helped her learn the importance of understanding an end-user’s behavior to identify and investigate digital evidence.

Her career as a digital forensic analyst revolved around gathering and interpreting data. She recalls a previous job where she was responsible for writing up a narrative around a customer by referencing only the information available in a customer’s device. She would get a sense of the day-to-day digital life the user led to understand who and how that person was using the technology.

“That’s the part I liked, taking a vast amount of information and drawing the lines through the ‘dust cloud’ of data to figure out the connections between everything and turn the ‘cloud’ into a digestible amount of information.”

As Megan embraced new skill acquisition on the job, she grew to appreciate how problem-solving played a critical role in managing threats for her employers and their customers.

It was her passion for identifying the tools and techniques that best helped harden security posture that led her back to the classroom as an Adjunct Professor at her alma mater, Champlain College, to help groom the next generation of cyber professionals. Her professional experience across multiple disciplines in cyber, from digital forensics to network security to ethical hacking and incident response, allows her to teach courses on a variety of cybersecurity disciplines—a job she still does today.

Using Teaching to Inform Cyber Learning in Project Ares

Over the last two years, Megan has taken her love for teaching and applied it directly to the innovation within Project Ares. She is able to see how her students learn best whether through direct, hands-on experiences or learning from peers, and she applies those observations within a customer’s experience in the platform. All of this comes with the understanding that she must remember not to get “too deep” into one thought pattern, to maintain the “10,000 foot view” as she puts it, so that she can build cyber learning curriculum that is cross-disciplinary and cross-functional.

Megan put her cyber and teaching skills to the ultimate test at the Microsoft Ignite “Into the Breach”  cyber defense experience in November 2019. She helped design six custom-built Battle Rooms in Project Ares that were used in a competition-style activity among event registrants. The battle rooms provided a gamified learning approach to teach cyber professionals about Microsoft Security Tools. Megan used the Project Ares virtual environments to create a hands-on, experiential learning activity that focused on problem-solving using Microsoft tools. By adopting the end-user’s perspective, she was able to help the players through the maze from the home page of the Project Ares interface down to the data they were looking for to find the answers they needed.

“It was quite the adventure learning all these new security solutions and organizing them into a cohesive storyline. We weren’t asking independent questions to teach TTPs in a silo. Instead, we were walking the players through a single attack pattern. The narrative was knit together so that they could understand that the tasks in the Battle Rooms were related to the progressive arc of a full-scope attack and there were different points along the kill chain where the Microsoft tools could help to identify, analyze, and respond.”

Looking ahead…

As Megan works hard to build learning curriculum into Project Ares, she can’t help but think about what lies ahead for the cybersecurity industry.

“I hope the prioritization of training and education continues to increase; I hope the prioritization of security as a pillar of someone’s organization continues to get recognition. I think we’re coming out of a phase where organizations felt that they could just ignore the elephant that’s stomping around their data center.

I’m hopeful we’re moving into a time that people are becoming more aware of their organization’s digital activity online…. not just in a check-the-box periodic program kind of way, but in the sense that cybersecurity readiness and training has ongoing funding and cross-function collaboration. The industry is moving toward recognition that this is where priorities lie.”

It is this kind of forward-thinking mindset in employees that helps Circadence deliver state-of-the-art products and we are incredibly proud to have Megan within the Circadence family!

Circadence’s Curriculum Developer Tony Hammerling wasn’t always interested in a career in cyber—but he was certainly made for it. In fact, he initially wanted to be a musician! While his musical talents didn’t pan out for him early in his career, he quickly learned how to create unique harmonies using computers instead of instruments…After joining the Navy in 1995 as a Cryptologist and Morse Code operator, he transitioned to a Cryptologic Technician Networks professional where he performed network analysis and social network/persona analysis. It was there he learned more offensive and defensive strategies pertinent to cybersecurity and was introduced to network types and communication patterns. He moved to Maryland to do offensive analysis and then retired in Pensacola, Florida. The world of cyber grew on Tony and he enjoyed the digital accompaniment of the work it offered.

For the last few years, now settled in Pensacola, Florida, Tony is a critical part of Circadence’s Curriculum Team, working alongside colleagues to develop learning objectives and routes for players using platforms like Project Ares, and  inCyt. Currently, Tony and his team are focused on building out learning of network essentials in NexAgent, and “…are bridging the gap between what new IT professional’s learn in NexAgent and getting them onto more advanced learning pathways in Project Ares,” says Tony.

“We’re starting to introduce new content for [Project Ares] battle rooms so users coming out of NexAgent can have an understanding of the tools and techniques needed for more advanced learning of cyber defense—and actually apply those tools and techniques in realistic scenarios.”

As the technical subject matter expert for cyber curriculum, Tony digs into the details with his work—and that’s where he shines. Tony and his team ensure that user learning is reflective of today’s cyber attacks and vulnerabilities. From separating election polling servers to working with registration databases to designing networks to prevent election fraud, learning becomes much more interesting for the end-user.

The most exciting part about Tony’s job is the diversity of material he gets to work on every day. One day he could be helping end-users of Project Ares identify fraudulent IP addresses in a battle room and another day he could be working on a full-scale technical design of a SCADA system modeled after a cyber incident at a Ukrainian power plant.

By understanding corporate demands for new content, Tony and his team have more direction to build out cyber learning curriculum that aligns to customer’s needs. He believes the technical training he’s able to support with learning material in Circadence’s platforms complements traditional cyber learning paths like obtaining certifications and attending off-site classes. The variety of learning options for users of all cyber ability levels (both technical and non-technical), gives professionals the opportunity to be more thoughtful in their day-to-day lives, more critical and discerning of vulnerabilities and systems, and more creative in how they address threats.

“Knowing that people are able to come into a Circadence product and learn something that they didn’t know before or refine specific knowledge into an application/skill-based path is exciting. I don’t think too much of the greater impact my work provides—but perhaps 10 years down the line when we can say ‘we were the first to gamify and scale cyber training,’ it will mean so much more.”

We are grateful for the unique talents Tony brings to the Circadence family of products and how he’s able to craft learning “chords” that when orchestrated, provide a symphonic concerto of cyber learning activity—empowering cyber professionals across the globe with relevant, persistent, and scalable cyber training options to suit their security needs.

Photo by Marius Masalar on Unsplash

Photo by Alphacolor on Unsplash

Getting a job in cybersecurity doesn’t have to be an intimidating process. If you haven’t been taught the basics and/or are looking to change careers for something different, launching a cybersecurity career can start with basic learnings that lead to more formal training, certifications, and skills development. And there are several online resources for developing security competencies that are free or at a minimal cost. These resources can be complemented with cyber range training to expedite learning to land the cybersecurity job you want.”

To bring cybersecurity to the surface as a strong and lucrative career option for young professionals, we’ve taken the liberty to share some fast facts and fun things about the industry.

Fast Facts About the Cybersecurity Industry

• The market is expected to grow to over $300 billion by 2024 according to a report from Global Market Insights
• The demand to fill cyber jobs is great – over 504,000 cyber positions are available in the U.S alone
• There are 33 distinct areas of cybersecurity work according to NIST/NICE
• The national average career salary is $94,000-119,000 (on the low end) for security-related positions in the U.S. according to the Robert Half Technology’s 2020 Salary Guide
• Earning cyber certifications like CompTIA Security + Certification and Certified Information System Security Professional is highly regarded and respected amongst prospective employers (impress the hiring manager and prove your value)
• Information security jobs are expected to increase by 32% through 2028 according to the Bureau of Labor Statistics

Technical Abilities and Knowledge Needed for the Cybersecurity Industry

• IT fundamentals like system and web application administration
• Coding skills (C, C++, Java, Python, Ruby, Perl, PHP)
• Understanding network architecture, administration and operating system functionality, policies, performance, and features
• Database knowledge from permissions access to structure to storage security
• Understanding of how attackers operate and function
• Foundational understandings of things like risk management, networking basics, toolkit maintenance and situational awareness of what’s happening in the industry today

Professional Skills Needed for the Cybersecurity Industry

• Leadership – Call the shots alongside a team of cyber pros to build decision-making skills
• Communication – Articulate what and how threats need to be mitigated to teams
• Analytical thinking – Reflect and continuously learn the hacker mindset to grow your understanding of why and how attacks happen
• Passion for learning and developing skills – Learning never stops as long as technology keeps advancing. You’ll find new ways to secure assets and data with every keystroke and software update
• Determination – You’ll want to protect critical assets just as your own PII is at stake (imagine having your own bank account hacked and wanting to do something proactive about it)
• Collaborative – You’ll likely work alongside a crew of cyber enthusiasts, and will need to work in harmony in order to keep security posture hardened
• Writing – Developing reports to roll up to your security and business supervisor will require stellar writing skills so they can understand the technical jargon in laymen’s terms

The Benefits of a Cybersecurity Career

• You’re never bored—there’s always an attacker to stop or a vulnerability to assess
• You get to learn about and use cutting-edge technology
• There’s always a new challenge to tackle (and if you’re a problem-solver, this is fun!)
• You’ve likely got job security as positions like information security analysts and penetration testers are in demand in every industry
• You can advance in your expertise as a professional (there’s no limits to moving up the ladder or laterally across it to grow in knowledge and abilities)
• Remote work in cybersecurity is prevalent as cloud-based services and VPNs are expected parts of how companies operate today—you can live and work anywhere
• A cyber career straddles both public and private sectors, so you can have the benefits either division brings based on your professional preference
• Increasing your value in cyber is easy with persistent training platforms like Project Ares that can complement degree programs and virtual, online courses
• Recruiters will look for candidates on LinkedIn so if you think you’ll have a sweet gig out of college or your school training, just wait. Google might call. No, seriously.

To prepare yourself for a fruitful career in cybersecurity, consider training and building your skills in Project Ares . Project Ares is the premier gamified, hands-on learning tool that can support novice and aspiring cybersecurity and IT professionals in acquiring and maturing cybersecurity skills and competencies needed for on-the-job placement.

• Learn specific tools, tactics, and procedures in our foundational scenario exercises we call Battle Rooms and brush up on foundational cyber concepts and terms wit Cyber Learning Games (inspired by arcade-style games like Solitaire!).
• You also have the opportunity to build ‘soft skills’ via team-related exercises, communication skills, and problem-solving and critical thinking skills in our specialized scenario activities called Missions.
• Learning becomes engaging and fun–and relevant. Our activities are aligned to the NIST/NICE work role framework and the scenarios are based on real attacks.
• Learn using real tools and real virtual machines (nothing is simulated!).
• The best part? It’s all accessible via our CyberBridge portal online (browser-based).
• We have four subscription models to choose from (we recommend the Academy or Professional subscription model if you are just starting out).

Watch an on-demand demonstration of Project Ares

Happy cyber career searching!

Photo by Danial RiCaRoS on Unsplash 

Photo by Fabian Grohs on Unsplash

It might surprise you to know that the education industry is a prime target for malicious hackers. While threats in this sector are on the rise, many education institutions are not prepared for a cyber attack nor do they know how to recover from one. In fact, there were 122 cyber attacks last year at 119 K-12 public education institutions, averaging out to an attack every three days. A 2018 Education Cybersecurity Report published by SecurityScorecard also found that of 17 industries, the education sector ranked dead last in total cybersecurity safety. Schools are leaving themselves open to student and faculty identity theft, stolen intellectual property, and extremely high cost data breach reconciliation. In fact, a study done by the Ponemon Institute shows the average cost of a data breach in the education sector is $141 per record leaked.

This industry faces some unique cybersecurity challenges:

• Historically, this industry is based on the free exchange of information, i.e the philosophy that information should be readily available to all. The use of computers and internet in education has allowed information to be stored and accessed in many different ways, creating vulnerabilities in storage, network security, and user error which leaves systems susceptible to hacks.
• Students and staff may have limited technical skills and prowess to know how to stay safe online.
• Online education systems are highly distributed across multiple schools in a district or across state lines, making it easier to infect one system to gain access to all.
• Computer systems used by schools often lack a single application, or “source of truth” to safely manage student and employee identities.
• There’s a significant change in the user population every year due to students graduating and new students enrolling, making it difficult to track who is using certain resources and who has access to them.
• Remote access is often required, with students and parents accessing systems from home computers and smartphones. When you access an online resource repeatedly from potentially vulnerable or unsecure networks, it creates more opportunity for hacks.

So how can educational institutions better protect themselves against looming cyber threats?

• Shift the focus to prevention instead of mitigation – by making the focus on securing data before an attack happens rather than after, organizations will be better prepared to protect students and staff against a breach.
  • IT directors and security operators within educational institutions would be wise to consider persistent training solutions for their teams to optimize existing cyber skills so they don’t go “stale” after a period of time.
  • Likewise, perform a security audit and work across departments to understand all the digital systems in place (financial, teacher, student portals, etc.) and where vulnerabilities might exist.
  • HR departments of institutions should consider updating or adopting employee security awareness training to ensure every education-employed professional working on a computer understands the basics of cybersecurity and how to stay safe online.
• Minimize internal threats – Verizon’s 2019 Data Breach Investigations Report found that nearly 32% of breaches involved phishing and that human error was the causation in 21% of breaches. Proper and continued training and awareness around security issues is key in preventing possible attacks.
• Make cybersecurity a priority in IT budgeting – Schools and other educational institutions need to recognize the growing cyber threatscape and prioritize allocating funds to training tools, IT teams, and continued education for internal staff.

Circadence is here to help. Cybersecurity in the education sector is more important than ever, and our immersive, gamified cyber learning platform, Project Ares , can help ensure that your cyber team is ready to defend against malicious attacks. Our inCyt product (coming soon!) will keep everyone else in your organization up to snuff on cyber defense and offense. We pair gamification with prolonged learning methods to make learning and retaining cybersecurity tactics simple and fun for all. Don’t let your institution and students be next in line for a breach–think inCyt, and Project Ares when you think cybersecurity for the education sector!

If you’re still looking for more information on education and cybersecurity, check out this white paper:   handy references:  The Faces of Cyber Ranges: Tapping into Experiential Skill Building for Cybersecurity Teaching and Learning White Paper

Photo by Vasily Koloda  on Unsplash

We’re getting in the Halloween spirit (with a cybersecurity spin of course)! We started wondering about the mysterious (or not-so-mysterious) world of hacking. We wondered just how frightfully easy it might be to gather intel from social platforms with minimal prerequisite knowledge.

To that end, we did a little experiment in an attempt to understand the hacking process. We asked ourselves…

• What details can hackers find about us online?
• Are there enough details out there for a hacker to really manipulate us?

Are we “sharing too much” as a population committed to living our lives on social media?

To answer these questions and learn if we’re just asking to be tricked or if what hackers can find out about us is really their treat to exploit…[insert gloomy music here], we simulated an online “intel gathering” exercise.

Read the scarily simple steps we took to find personal details of someone online.

• Identify a known person you want to learn more about
• Go to the ol’ Google to dig up articles and social profiles about that person
  1. Easily obtain properties like their full name, interests, employer, etc.
• Search their social accounts in greater depth to find:
  1. Their interests and passions
  2. Their work history
  3. Education level
  4. Birthday
  5. Previous co-workers and friends
  6. Geographic residence
  7. Links to their Instagram profile (for visual data)
  8. Pet’s name
  9. Marital status
• Search through their friend list on Facebook, connections on LinkedIn, or followers on Twitter to isolate any missing social profiles or details on the person
  1. Find their hometown, family members, and political/religious views

So gosh. This turned out to be a frighteningly straightforward path to take to find intel on someone….even if some of their social accounts are private! And, you might be shocked to know that it took us less than an hour to discover enough information about a random person.

So what might a hacker do with the intel like what we just dug up? They use the information to manipulate us and make us vulnerable to an attack.

• A hacker might craft a Twitter message asking about this person’s pet or commenting on the weather in her place of residence to start a conversation.
• A hacker might name drop her former co-worker as a “friend” of ours and thereby “established a connection.”
• A hacker might have contacted the persons parents or a friend claiming we were associated with individual’s previous employer to get his/her phone number to call them.
• The TRICKS are endless!

And it can happen fairly quickly. Are you surprised?

There’s good news here though. While we did learn from this exercise that what we each choose to share online is, indeed, asking to be tricked by hacker, the fact is WE have some control of what information is “out there”. Hackers LOVE any data they can use about our interests and personal information to gain access to something they want (e.g. bank accounts, social security numbers, credit cards, etc.); but we can limit our personal information and lock down our profiles to minimize how much intel is out there to start with.

Photo by Ehud Neuhaus  on Unsplash

Happy National cybersecurity Awareness Month ! We all know that cybersecurity isn’t just a month-long focus area for businesses and individuals—but this month, we are grateful for the collaborative effort between government entity Department of Homeland Security and the National cybersecurity Alliance that together, place a lens on cyber (as an industry, strategy, and operation). It reminds us that the industry is ever-evolving and impacts each of us. It is not an isolated moment in time (despite the month-long focus), nor is it targeted to a specific industry or professional. Breaches continue to damage businesses and the discussion about the cyber talent “gap” forges on in conversations. As the world draws its attention around cyber in October and the industry evolves to better serve today’s professionals and businesses, we wanted to communicate the critical idea that cyber really IS for all as we strive to make cyber awareness learning accessible, intentional, and effective.

Making cyber learning accessible

We believe there are 3 ways to make cyber learning more accessible:

1. Provide a comprehensive learning curriculum
2. Make cyber training accessible via the Internet
3. Use gamification as a mechanism for ingesting and retaining new information

Before we dive into each of those areas, let’s get more context about the concept of cyber learning itself. For a long time, cybersecurity has been thought of as a technical career and while there is a great deal of technical prowess that goes into the day-to-day tasks of a cyber pro, the idea of cybersecurity being an “anyone can do it” profession hasn’t popularized – and rightly so.

With roots in the military and government (cyber range training ), learning cybersecurity has been a structured, systematic, and data-driven process typically executed in a passive learning setting where students watch or listen and then take a test at the end of the lesson. There is minimal opportunity for hands-on practice in safe and secure environments, making cybersecurity learning and awareness of its purpose, value, and function a little more ethereal than we in the industry would like.

Comprehensive Learning Curriculum

One way to ensure “cyber for all” (our rally cry year-round), is to make cyber training more readily available to reach today’s learner (the next generation of cyber pros) while injecting a touch of personal accountability to actualize this motto.

A cyber learning curriculum should address 3 things:

– General awareness topics: These are topics that are broadly applicable to all employees of an organization and ones they should know regardless of IT level or expertise. cybersecurity awareness topics at this level might include phishing, malware, social engineering, identity theft, removable media security, insider threats, social media vulnerabilities, etc.

– Industry-focused topics: Relevant cybersecurity issues segmented by industry where security is a priority, especially highly regulated sectors like healthcare, government and industry, finance, election security, manufacturing, electricity, etc.

– Executive-level topics: More functional/business topic areas where corporate leaders and other high-risk personnel and privileged users are impacted. cybersecurity awareness topics at this level might include support/maintenance, consulting, managed services, legislation, risk assessment, etc.

By offering pathways upon which interested cyber enthusiasts or seasoned pros can “walk along,” it gives learners an idea as to how to develop their knowledge and skills. Further, cyber learning and awareness becomes more accessible because there is a route—or cyber learning journey —for everyone to choose.

Browser-Based Access

The other component to ensure learning cyber awareness is accessible is by making the act of learning available to virtually anyone—via a browser. Online trainings today are quite popular for cyber enthusiasts and pros in training who want to hone their skills—and the idea of being able to access a cybersecurity course or activity online without having to leave the office or home is not only convenient but preferred these days. Some companies (like ours) are taking cyber training a step further by placing it in the cloud (Microsoft Azure) so learning can be scalable, more collaborative, and more customizable to learner needs.

Gamified Cyber Learning

Finally, cyber awareness learning can be attained by making learning fun. We do this with elements of gamification, which engage and inspire learners to train in environments that are not only realistic but also supported by a compelling narrative that invites players to progress through activities. Components like leaderboards, points, badges, and team-based collaboration allow learners to build a sense of “healthy competition” while learning and building skills and cyber competencies. Circadence offers learners of all skill levels various game-based activities from foundational concept learning in games like RegExile to application and analysis in Project Ares’ battle rooms and missions.

One student who played our RegExile cyber learning game in his cybersecurity course at CU Boulder said:

“I played the RegExile game today and I have to say I have hated regex till now, but when I learned it through the game, I actually liked it. It was really fun. I liked the concept of how a false sense of impending danger from the robots can make you think better and learn more. I was typing out my regex and actually thinking quite hard on how it could work and what I could do to make sure it was right as I did not want to lose the shield. I learned more through this game on regex than what I had in my undergrad class.” 

Make Cyber Learning Intentional

Cyber learning has to be intentional. In order for students and existing cyber pros to get the most out of their training, they need a curriculum path that is not only diverse (based on skill needs), but also one that addresses all phases of learning: knowledge, comprehension, application/analysis, and synthesis/evaluation.

After understanding what cyber concepts are and how they impact our professional and personal lives (knowledge and comprehension), a learner needs to be able to build their cyber literacy and knowledge “essentials” by developing baseline cyber skills (application/analysis). Then, they can apply those skills in objective-based activities that synthesize concepts (evaluation).

“I personally found Project Ares to be a great learning experience and thought the mission environment was seamless.” ~ Chris N. UNCW cybersecurity Operations Club

Making Cyber Learning Effective

For IT Security Specialists and professionals, cyber learners can advance their competencies via recurring role-based training combined with continuing education and real-world experience training. Cyber learning needs to be rooted in best practice, industry-defined frameworks and there’s no better model to follow than the framework set forth by the NIST/NICE organization.

By aligning learning curriculum against work roles, learning concepts and skills inherently becomes more effective because it is RELEVANT for people. They learn concepts, how to apply them and can draw connections to how those concepts apply to their own jobs or jobs they aspire to. Further, the learning permeates into individual’s personal lives as well, enhancing cybersecurity at home.

We have built-in five NIST/NICE work roles that are present in Project Ares for trainees to work toward including:

– Cyber Defense Infrastructure Support Specialist

– Information Systems Security Manager

– Threat Warning Analyst

– Systems Security Analyst

– Cyber Defense Analyst

Intentional cyber learning following this framework focuses on a particular technical topic, such as Incident and Event Management, Identification of Privilege Escalation Techniques, or Elections and Voting Security. This type of work role specification helps make learning cyber a reality.

Summing it up

While there’s no switch to turn on every part of this “cyber for all” plan, we hope it helps shed light on ways security leaders and HR directors can begin to cultivate an inclusive cyber culture in their own workplace, among their own teams. As we celebrate National cybersecurity Awareness Month (NCSAM 2020), it’s important to resurface conversations around what it means to actually be aware and how we can manifest that meaning into something that really makes an impact on business’ security posture. We hope this post is one inspiration to start initiating those conversations around shared responsibility to ensure everybody stays safe during these unprecedented times.

Are you looking for a more effective, cost-conscious cyber training tool that actually teaches competencies and cyber skills? We’ve been there. Let us share our perspective on the top cyber training alternatives to complement or supplement your organization’s current training efforts.

Cyber training has evolved over the years but not at pace with the rapid persistence of cybercrime. Cyberattacks impact businesses of all sizes and it’s only a matter of time before your business is next in line. Traditional cyber training has been comprised of individuals sitting in a classroom environment, off-site, reading static materials, listening to lectures, and if you’re lucky, performing step-by-step, prescriptive tasks to “upskill” and “learn.” Unfortunately, this model isn’t working anymore. Learners are not retaining concepts and are disengaged from the learning process. This means by the time they make it back to your company to defend your networks, they’ve likely forgotten most of the new concepts that you sent them to learn about in the first place. Read more on the disadvantages of passive cyber training here .

So, what cyber training alternatives are available for building competency and skill among professionals? More importantly, why do you need a better way to train professionals? We hope this blog helps answer these questions.

Cyber Range Training

Cyber ranges provide trainees with simulated (highly scalable, small number of servers) or emulated (high fidelity testing using real computers, OS, and application) environments to practice skills such as defending networks, hardening critical infrastructure (ICS/SCADA) and responding to attacks. They simulate realistic technical settings for professionals to practice network configurations and detect abnormalities and anomalies in computer systems. While simulated ranges are considered more affordable than emulated ranges, several academic papers question whether test results from a simulation reflect a cyber pro’s workplace reality .

Traditional Cybersecurity Training

Courses can be taken in a classroom setting from certified instructors (like a SANS course), self-paced over the Internet, or in mentored settings in cities around the world. Several organizations offer online classes too, for professionals looking to hone their skills in their specific work role (e.g. incident response analyst, ethical hacker). Online or in-classroom training environments are almost exclusively built to cater to offensive-type cybersecurity practices and are highly prescriptive when it comes to the learning and the process for submitting “answers”/ scoring.

However, as cybersecurity proves to be largely a “learn by doing” skillset, where outside-of-the-box thinking, real-world, high fidelity virtual environments, and on-going training are crucially important, attendees of traditional course trainings are often left searching for more cross-disciplined opportunities to hone their craft over the long term. Nevertheless, online trainings prove a good first step for professionals who want foundational learnings from which they can build upon with more sophisticated tools and technologies.

Gamified, Cyber Range, Cloud-Based Training

It wouldn’t be our blog if we didn’t mention Project Ares as a recommended, next generation alternative to traditional cyber training for professionals because it uses gamified backstories to engage learners in activities. And, it combines the benefits and convenience of online, cyber range training with the power of AI and machine learning to automate and augment trainee’s cyber competencies.

Our goal is to create a learning experience that is engaging, immersive, fun, and challenges trainee thinking in ways most authentic to cyber scenarios they’d experience in their actual jobs.

Project Ares was built with an active-learning approach to teaching, which studies show increase information retention among learners to 75% compared to passive-learning models .

Check out the comparison table below for details on the differences between traditional training models and what Project Ares delivers.

Traditional Training (classroom and online delivery of lectured based material) Project Ares (immersive environment for hands on, experiential learning) Curriculum Design

• Instructors are generally experts in their field and exceptional classroom facilitators.
• Often hired to develop a specific course.
• It can take up to a year to build a course and it might be used for as long as 5 years, with updates.
• Instructors are challenged to keep pace with evolving threats and to update course material frequently enough to reflect today’s attack surface in real time.
• It is taught the same way every time.

Curriculum Design

• Cyber subject matter experts partner with instructional design specialists to reengineer real-world threat scenarios into immersive, learning-based exercises.
• An in-game advisor serves as a resource for players to guide them through activities, minimizing the need for physical instructors and subsequent overhead.
• Project Ares is drawn from real-world threats and attacks, so content is always relevant and updated to meet user’s needs.

Learning Delivery

• Courses are often concept-specific going deep on a narrow subject. And it can take multiple courses to cover a whole subject area.
• Students take the whole course or watch the whole video – for example, if a student knows 70%, they sit through that to get to the 30% that is new to them.
• On Demand materials are available for reference (sometimes for an additional fee) and are helpful for review of complex concepts. But this does not help student put the concepts into practice.
• Most courses teach offensive concepts….from the viewpoint that it is easier to teach how to break the network and then assumes that students will figure out how to ‘re-engineer’ defense. This approach can build a deep foundational understanding of concepts but it is not tempered by practical ‘application’ until students are back home facing real defensive challenges.

Learning Delivery

• Wherever a user is in his/her cybersecurity career path, Project Ares meets them at their level and provides a curriculum pathway.
• From skills to strategy: Students / Players can use the Project Ares platform to refresh skills, learn new skills, test their capabilities on their own and, most critically, collaborate with teammates to combine techniques and critical thinking to successfully reach the end of a mission.
• It takes a village to defend a network, sensitive data, executive leaders, finances, and an enterprises reputation: This approach teaches and enables experience of the many and multiple skills and job roles that come together in the real-world to detect and respond to threats and attacks….

• Project Ares creates challenging environments that demand the kind of problem solving and strategic thinking necessary to create an effective and evolving defensive posture
• Project Ares Battle Rooms and Missions present real-world problems that need to be solved, not just answered. It is a higher-level learning approach.

Photo by Helloquence  on Unsplash

DeepFake is a term you may have heard lately. The term is a combination of “deep learning” and “fake news”. Deep learning is a class of machine learning algorithms that impact image processing, and fake news is just that – deliberate misinformation spread through news outlets or social media. Essentially, DeepFake is a process by which anyone can create audio and/or video of real people saying and doing things they never said or did. One can imagine immediately why this is a cause for concern from a security perspective.

DeepFake technology is still in its infancy and can be easily detected by the untrained eye. Things like glitches in the software, current technical limitations, and the need for a large collection of shots of other’s likeness from multiple angles in order to create fake facial models can make this a difficult space for hackers to master. While not a security threat now, given how easy it is to spot manipulations, the possibility of flawless DeepFakes is on the horizon and, as such, yields insidious implications far worse than any hack or breach.

The power to contort content in such a way yields a huge trust problem across multiple channels with varying types of individuals, communities, and organizations: politicians, media outlets, brands and consumers just to name a few. While the cyber industry focuses on the severity of unauthorized data access as the “problem,” hackers are shifting their attacks to now modify data while leaving it in place rather than holding it hostage or “stealing” it. One study from Sonatype, a provider of DevOps-native tools, predicts that, by 2020, 50% of organizations  will have suffered damage caused by fraudulent data and software, while another report by DeepTrace B.V, a company based in Amsterdam building technologies for fake video detection and analysis, states, “Expert opinion generally agrees that Deepfakes are likely to have a high profile, potentially catastrophic impact on key events or individuals in the period 2019-2020.”

What do hackers have to gain from manipulated data?

• Political motivation – From propaganda by foreign governments to reports coming from an event and being altered before they reach their destination, there are many ways this technology can impact public perception and politics across the globe. In fact, a quote from Katja Bego, Senior Researcher at Nesta says, “2019 will be the year that a malicious ‘deepfake’ video sparks a geopolitical incident. We predict that within the next 12 months, the world will see the release of a highly authentic looking malicious fake video which could cause substantial damage to diplomatic relations between countries.” Bego was right about Deepfake being introduced to the market this year, so we will see how it develops in the near future.
• Individual impacts –It’s frightening to think that someone who understands this technology enough could make a person do or say almost anything if convinced enough. These kinds of videos if persuasive enough, have far reaching impacts on individuals, such as relationships, jobs, or even personal finances. If anyone can essentially “be you” through audio or video, the possibilities of what a hacker could do are nearly limitless.
• Business tampering – While fraud and data breaches are by no means a new threat in the business and financial sectors, Deepfakes will provide an unprecedented means of impersonating individuals. This will contribute to fraud in traditionally “secure” contexts, such as video conferencing and phone calls. From a synthesized voice of a CEO requesting fund transfers, to a fake client video requesting sensitive details on a project, these kinds of video and audio clips open a whole new realm of fraud that businesses need to watch out for.

While the ramifications of these kinds of audio and video clips seem disturbing, DeepFake technology can be used for good. New forms of communication are cropping up, like smart speakers that can talk like our favorite artists , or having our own virtual selves representing us when we’re out of office. Most recently, the Dalí Museum in Florida leveraged this technology to create a lifelike version of the Spanish artist himself where visitors could interact with him. These instances show us that DeepFake is a crucial building block in creating humanlike AI characters, advancing, robotics, and widening communication channels around the world.

In order to see the benefits and stay safe from the threats, it is no longer going to be enough to ensure your security software is up to date or to create strong passwords. Companies must be able to continuously validate the authenticity of their data, and software developers must look more deeply into the systems and processes that store and exchange data. Humans continue to be the beginning and ending lines of defense in the cyber-scape, and while hackers create DeepFakes, the human element of cybersecurity reminds us that just as easily as we can use this technology for wrongdoing, we have the power to use it to create wonderful things as well.

Photo by vipul uthaiah  on Unsplash