Fabian Monrose is a Kenan Distinguished Professor in the Computer Science department at the University of North Carolina (UNC) at Chapel Hill. Monrose and research engineer Jan Werner teach cybersecurity using a challenge-based game framework called Riposte, which they developed as part of the IEEE Cybersecurity Initiative’s Try-CybSI project.
In this interview, they discuss why cybersecurity education is changing and how they’re using Riposte in the classroom. (See a video demonstration of Riposte here.)
Question: When you look at all of the factors that affect cybersecurity, where would you rank the skills gap/talent shortage?
Monrose: Although cybersecurity is multidisciplinary, it requires a pretty solid foundation in computer science. You need a good grasp of operating systems, networking, compilers, and so on before you can start to specialize in security.
Jan and I have been co-teaching a class at UNC for the past few years. For the most part, the gap we’ve seen involves students not getting hands-on exposure to computer science basics. So, by the time they end up in a security class, we have to reteach them the fundamentals that they should have mastered in their foundational courses.
It’s not that those courses didn’t introduce them to the basics. Instead, it’s that within the confines of a semester, it’s very difficult for them to have gotten hands-on exercises involving those basics. The “active learning exercises” that we have been putting together are key for solidifying concepts that they learned from textbooks. Jan and I realized that unless we addressed this gap, it was very difficult to do the types of things we wanted to do, even in an introductory level systems security course.
Question: A challenge-based approach seems like an ideal way to learn and master cybersecurity skills. In fact, in your presentation at IEEE SecDev 2017, you quoted Manson and Pike: “Educating a cybersecurity professional is similar to training a pilot, an athlete, or a doctor. Time spent on the task for which the person is being prepared [for] is critical for success.” So why didn’t cybersecurity take that approach earlier when so many other professions have shown its benefits?
Monrose: The field has been moving so quickly. As a result, the learning curve is not only steep, but it’s a very long road. So you really have to spend time on the task if you want to succeed in this area.
I do believe there’s been a shift in how we teach cybersecurity, with more universities like ours trying to address this by giving students more exposure to these hands-on types of exercises. I’m not sure what the aha moment was that caused that shift about five years ago, but it’s pretty consistent across most tier-one universities now.
Werner: There are many different areas in cybersecurity, and it’s difficult to cover it all. The hands-on approach gives students an excellent idea of what is there, and it invites them to explore more on their own. Most importantly, it gives them the very solid foundation to actually get into that.
Monrose: At UNC, some students consider the computer security courses to be the pinnacle of the classes they take in their final year. That’s because there’s now a much greater appreciation that to excel as a cybersecurity professional, you really have to get the foundations right.
I think that mindset change might have come about because we saw more people focusing on operational security, particularly due to the large number of security breaches in the news. Students are often interested in understanding why the state of cybersecurity is so poor, and to understand that, they really need exposure to the practical aspects of computer security.
If we give students these types of experiences, then they’ll be far better off as practitioners regardless of whether they go on to specialize in computer security. We were very happy to see that Brian Kirk and Rob Cunningham had the IEEE Try-CybSI project trying to move the field in that direction. It became very natural for us to work on this problem together.
Question: Some hackers have a computer science background and have gone into hacking for reasons such as financial gain. Others are people who learned hacking on their own, such as the script kiddies. Is there anything we can glean from how they’re learning about the vulnerabilities that could be applied to the way the good guys are trained?
Werner: When I started my cybersecurity education quite some time ago, the amount of resources available was very limited: for the most part, magazines like Phrack were the only source of security information. Now there is a large body of literature on cybersecurity, but it still takes a lot of time and effort to deep-dive and figure out how the tools are working.
When people decide to get into computer security, there are many skills that don’t appear to be directly related. This is the script-kiddie phase, when one uses the tools found online without a good understanding of their inner workings. Hopefully, this phase would be short lived, and the learner would then seek a better understanding of the foundations and start building tools of their own. The drive to understand the software, diving deep to figure out how and why things are working the way they are, is a good quality for someone who wants to succeed in the field.
Question: Give us an overview of Riposte. For example, how does it work, and why is its approach particularly effective for learning cybersecurity fundamentals? How has Riposte evolved?
Monrose: Initially the course was structured around a small set of exercises that students would do at their own pace under a two- or three-week deadline. We were looking at how well they improved with each assignment. We noticed that once some of these assignments had a challenge around them, the students started to become more engaged and a lot more creative.
In Riposte V2, we started to incorporate more of an adversarial setting, where every assignment has an attacker and a defender. Sometimes the defender was other students in the class. Other times the students were adversaries, and the instructors were the defenders.
Also, sometimes students were competing not only with one another, but against automated clients we built that would perform some of the same tasks. This approach forced them to work together to fight a common adversary. Those automated clients were designed to cheat, which forced students to figure out how to defeat an adversary who doesn’t play by any rules and thus starts with the upper hand.
Question: How are people who have learned about cybersecurity in a challenge-based environment different from and better than those who haven’t?
Monrose: We’ve definitely seen a tremendous improvement in the students’ ability to solve unstructured tasks after they had done a hands-on exercise in that particular subject. Time and time again, we heard from students that the challenge-based exercises really forced them to understand their own technical limitations and find ways to effectively solve the challenges on their own.
For example, one learner noted “[t]his class was by far the best computer science class that I’ve ever taken. I’ve never had a class in which the projects are so practical and applicable, the results so rewarding … The assignments were an exciting and frustrating puzzle, and though they took an enormous amount of time to complete and sometimes had me on an emotional roller coaster for days, they challenged me in ways that really improved my programming skills and forced me to think outside of the box.”
Another stated “[t]he hands-on labs provided a unique opportunity to explore learned material rather than to simply read about it. The number of hours I spent outside of class was largely due to my fascination with some of the assignments. I spent ridiculously more time than I had to on them (mostly having fun with them).”