Aggregator

DEVCORE 2024 第六屆實習生計畫

DEVCORE 戴夫寇爾
3 months 2 weeks ago

DEVCORE 創立迄今已逾十年,持續專注於提供主動式資安服務,並致力尋找各種安全風險及漏洞,讓世界變得更安全。為了持續尋找更多擁有相同理念的資安新銳、協助學生建構正確資安意識及技能,我們成立了「戴夫寇爾全國資訊安全獎學金」,2022 年初開始舉辦首屆實習生計畫,目前為止成果頗豐、超乎預期,第五屆實習生計畫也將於今年 7 月底告一段落。我們很榮幸地宣佈,第六屆實習生計畫即將登場,若您期待加入我們、精進資安技能,煩請詳閱下列資訊後來信報名!

實習內容

本次實習分為 Research 及 Red Team 兩個組別,主要內容如下:

  • Research (Binary/Web) 以研究為主,在與導師確定研究標的後,分析目標架構、進行逆向工程或程式碼審查。藉由這個過程訓練自己的思路,找出可能的攻擊面與潛在的弱點。另外也會讓大家嘗試分析及撰寫過往漏洞的 Exploit,理解過去漏洞都出現在哪,體驗真實世界的漏洞都是如何利用。
    • 漏洞挖掘及研究 60 %
    • 1-day 開發 (Exploitation) 30 %
    • 成果報告與準備 10 %
  • Red Team 研究並深入學習紅隊常用技巧,熟悉實戰中會遇到的情境、語言與架構。了解常見漏洞的成因、實際利用方法、嚴苛條件下的利用策略、黑箱測試方式及各種奇技淫巧。學習後滲透時的常見限制、工具概念與原理。
    • 漏洞與技巧的研究及深入學習 70 %
    • Lab 建置或 Bug Bounty 或漏洞挖掘 30 %
公司地點

台北市松山區八德路三段 32 號 13 樓

實習時間
  • 2024 年 9 月開始到 2025 年 1 月底,共 5 個月。
  • 每週工作兩天,工作時間為 10:00 – 18:00
    • 每週固定一天下午 14:00 - 18:00 必須到公司討論進度
      • 如果居住雙北外可彈性調整(但須每個組別統一)
    • 其餘時間皆為遠端作業
招募對象
  • 具有一定程度資安背景的學生,且可每週工作兩天
  • 此外並無其他招募限制,歷屆實習生可重複應徵
  • 對資格有任何疑慮,歡迎來信詢問
預計招收名額
  • Research 組:2~3 人
  • Red Team 組:2~3 人
薪資待遇

每月新台幣 16,000 元

招募條件資格與流程 實習條件要求 Research (Binary/Web)
  • 基本漏洞利用及挖掘能力
  • 具備研究熱誠,習慣了解技術本質
  • 熟悉任一種 Scripting Language(如:Shell Script、Python、Ruby),並能使用腳本輔以研究
  • 具備除錯能力,能善用 Debugger 追蹤程式流程、能重現並收斂問題
  • 具備獨立分析開放原始碼專案的能力,能透過分析程式碼理解目標專案的架構
  • 熟悉並理解常見的漏洞成因
    • OWASP Web Top 10
    • Memory Corruption
    • Race Condition
  • 加分但非必要條件
    • CTF 比賽經驗
    • pwnable.tw 成績
    • 有公開的技術 blog/slide、write-ups 或是演講
    • 精通 IDA Pro 或 Ghidra
    • 熟悉任一種網頁程式語言或框架(如:PHP、ASP.NET、Express.js),具備可以建立完整網頁服務的能力
    • 理解 PortSwigger Web Security Academy 中的安全議題
    • 獨立挖掘過 0-day 漏洞,或分析過 1-day 的經驗
    • 具備下列其中之一經驗
      • Web Application Exploit
      • Kernel Exploit
      • Windows Exploit
      • Browser Exploit
      • Bug Bounty
Red Team
  • 熟悉 OWASP Web Top 10
  • 理解 PortSwigger Web Security Academy 中所有的安全議題或已完成所有 Lab
  • 理解計算機網路的基本概念
  • 熟悉任一種網頁程式開發方式(如:PHP、ASP.NET、JSP),具備可以建立完整網頁服務的能力
  • 熟悉任一種 Scripting Language(如:Shell Script、Python、Ruby),並能使用腳本輔以研究
  • 具備除錯能力,能善用 Debugger 追蹤程式流程、能重現並收斂問題
  • 具備可以建置、設定常見網頁伺服器(如:Nginx、Apache、Tomcat、IIS)及作業系統(如:Linux、Windows)的能力
  • 加分但非必要條件
    • 曾經獨立挖掘過 0-day 漏洞
    • 曾經獨立分析過已知漏洞並能撰寫 1-day Exploit
    • 曾經於 CTF 比賽中擔任出題者並建置過題目
    • 擁有 OSCP 證照或同等能力之證照
應徵流程

本次甄選一共分為二個階段:

第一階段:書面審查

第一階段為書面審查,會需要審查下列兩個項目

  • 履歷內容
  • 簡答題答案
    • 應徵 Research 實習生:
      • 題目一:漏洞重現與分析過程
        • 請提出一個,你印象最深刻或感到有趣、於西元 2022 ~ 2024 年間公開的真實漏洞或攻擊鏈案例,並依自己的理解詳述說明漏洞的成因、利用條件和可以造成的影響。同時,嘗試描述如何復現此漏洞或攻擊鏈,即使無法成功復現,也請記錄研究過程。報告撰寫請參考範本,盡可能詳細,中英不限。
      • 題目二:實習期間想要研究的主題
        • 請提出三個可能選擇的明確主題,並簡單說明提出的理由或想完成的內容,例如:
          • 研究◯◯開源軟體,找到可 RCE 的重大風險弱點。
          • 研究常見的路由器,目標包括:AA-123 路由器、BB-456 無線路由器。
          • 研究常見的筆記平台或軟體,目標包括:XX Note、YY Note。
    • 應徵 Red Team 實習生:
      • 請提出兩個於西元 2022 ~ 2024 年間公開的、與 Web 攻擊面、漏洞或攻擊鏈相關的演講。請說明為什麼挑選這些演講並解釋它們為什麼有趣。用你的話詳細解釋這些演講的細節,並提供任何你覺得可以輔助或證明你理解的附加資料。這些演講可以來自包含但不限於 Black Hat、DEF CON、OffensiveCon、POC、ZeroConf、Hexacon、HITCON、TROOPERS CONFERENCE 等會議。

本階段收件截止時間為 2024/08/09 23:59,我們會根據您的履歷及題目所回答的內容來決定是否有通過第一階段,我們會在 10 個工作天內回覆。

第二階段:面試

此階段為 30~120 分鐘(依照組別需求而定,會另行通知)的面試,會有 2~3 位資深夥伴參與,評估您是否具備本次實習所需的技術能力與人格特質。

時間軸
  • 2024/07/18 - 2024/08/09 公開招募
  • 2024/08/12 - 2024/08/22 面試
  • 2024/08/26 前回應結果
  • 2024/09/02 第六屆實習計畫於當週開始
報名方式
  • 請將您的履歷題目答案以 PDF 格式寄到 [email protected]
    • 履歷格式請參考範例示意(DOCXPAGESPDF)並轉成 PDF。若您有自信,也可以自由發揮最能呈現您能力的履歷。
    • 請於 2024/08/09 23:59 前寄出(如果名額已滿則視情況提早結束)
  • 信件標題格式:[應徵] 職位 您的姓名(範例:[應徵] Red Team 組實習生 王小美)
  • 履歷內容請務必控制在三頁以內,至少需包含以下內容:
    • 基本資料
    • 學歷
    • 實習經歷
    • 社群活動經歷
    • 特殊事蹟
    • 過去對於資安的相關研究
    • MBTI 職業性格測試結果(測試網頁

若有應徵相關問題,請一律使用 Email 聯繫,如造成您的不便請見諒,我們感謝您的來信,並期待您的加入!

DevSecOps实施关键:研发安全团队

我的安全视界观
3 months 2 weeks ago
本文是“深耕研发安全”系列的第四篇,正式步入DevSecOps实施前的准备阶段。文中首次提出“研发安全团队”及架构,既是理想中的完备团队,又是做好研发安全工作必备的最小能力集。

AI-Powered Learning: Your NIST NICE Prompt Library (Built with Google Gemini)

Mandiant Threat Intelligence
3 months 2 weeks ago

Written by: Jake Liefer

 

In the ever-evolving landscape of cybersecurity, staying ahead of threats demands continuous learning and skill development. The NIST NICE framework provides a roadmap, but mastering its extensive tasks, knowledge, and skills (TKSs) can be daunting. That's where the power of artificial intelligence (AI) comes in.

We've leveraged Google Gemini AI to create a revolutionary solution: a comprehensive library of over 6,000 prompts designed to guide you through the NICE framework. These AI-powered prompts offer a dynamic and personalized learning experience, accelerating your journey to cybersecurity expertise.

In this blog post, we'll explore the NIST NICE framework in detail, delve into the art of prompt engineering, and share how we harnessed the power of Google Gemini AI to build this valuable resource. Whether you're a seasoned cybersecurity veteran or just starting your journey, this guide will provide you with the tools and insights you need to engage with large language models (LLMs) for a dynamic learning experience.

The NIST NICE Framework: Your Blueprint for Cybersecurity Success

The National Initiative for Cybersecurity Education (NICE) framework, developed by the National Institute of Standards and Technology (NIST), serves as the cornerstone of cybersecurity education and workforce development. 

At its core, the NICE framework provides a common language and taxonomy for describing cybersecurity work. Each role is mapped to specific TKSs necessary for successful responsibilities. By mapping out these competencies, the NICE framework helps individuals identify career paths, employers define job requirements, and training providers develop targeted curricula.

But the NICE framework isn't just about job descriptions and training programs. It's about building a robust and adaptable cybersecurity workforce capable of meeting the dynamic challenges of the digital age. By aligning your skillset with the NICE framework, you're not only investing in your own career advancement but also contributing to the collective defense against cyber threats.

Whether you're aspiring to become a security analyst, penetration tester, incident responder, or any other cybersecurity role, understanding and embracing the NICE framework is essential. It provides a roadmap for your professional development, highlighting the knowledge and skills you need to acquire to succeed in your chosen path. In the following sections, we'll explore how AI-powered prompts can help you navigate this roadmap and accelerate your mastery of the essential competencies outlined in the NICE framework.

Prompt Engineering: Unleashing the Power of LLMs for Cybersecurity Learning

In the realm of artificial intelligence, LLMs like Google Gemini have emerged as powerful tools capable of understanding and generating human-like text. At the heart of harnessing this power lies the art of prompt engineering. But what exactly is a prompt, and why is it so crucial for cybersecurity learning?

In simple terms, a prompt is the input you provide to an LLM to guide its response. Think of it as a question, a scenario, or a task that you present to the AI. The quality and specificity of your prompt directly influence the quality and relevance of the LLM's output.

In the context of cybersecurity, well-crafted prompts are the key to unlocking the full potential of LLMs for learning and skill development, especially when aligned with the NIST NICE framework. They can:

  • Pinpoint Knowledge Gaps and Focus Areas: By reviewing the TKSs for your current role and desired role, you can identify areas where you need to upskill. Prompts can then be tailored to focus on those specific areas, ensuring efficient and targeted learning.
  • Develop Specific Skills and Knowledge: Prompts can be designed to address specific TKSs within the NICE framework, such as "risk analysis" or "incident response." This targeted approach allows for deep dives into the exact skills you need to develop.
  • Create Realistic Job Scenarios: Prompts can simulate the day-to-day tasks and challenges you'll face in your target role, providing a practical understanding of how the TKSs are applied in real-world situations. This can help you prepare for new responsibilities and advance your career.
  • Facilitate Personalized Learning Plans: Based on your individual needs and career goals, LLMs can generate personalized learning paths that focus on the most relevant TKSs. This ensures that you're not wasting time on irrelevant information and can progress efficiently towards your goals.

There are several types of prompts you can use to enhance your cybersecurity learning:

  • Conceptual prompts: These prompts challenge your understanding of fundamental cybersecurity concepts, such as encryption, authentication, or risk management, and how they relate to specific NICE TKSs.
  • Scenario-based prompts: These prompts put you in the shoes of a cybersecurity professional facing a real-world challenge aligned with a particular TKS, such as responding to a data breach or investigating suspicious network activity.
  • Knowledge-check prompts: These prompts test your knowledge of specific TKSs within the NICE framework, helping you gauge your progress and identify areas for further study.

By incorporating diverse prompts aligned with the NICE framework into your learning routine, you can create a focused and efficient learning experience that directly translates to career advancement. In the next section, we'll explore how we used Google Gemini AI to create a comprehensive library of prompts specifically designed to help you master the NICE framework.

Building Your Cybersecurity Arsenal with Google Gemini AI

Google Gemini, a state-of-the-art large language model, isn't just a tool for generating text; it's a powerful ally in your journey to cybersecurity mastery. With its advanced capabilities in natural language understanding and generation, Gemini is uniquely suited for crafting prompts that align perfectly with the NIST NICE framework and accelerate your skill development.

Our Methodology:

Creating a comprehensive library of over 6,000 prompts was made efficient and effective by leveraging the structured nature of the NICE framework and the power of Google Gemini within the AI Studio environment. Here's a detailed breakdown of our streamlined process:

  1. TKS Identification and Extraction: We began by extracting the unique Task, Knowledge, Skill (TKS) statement IDs and their corresponding descriptions directly from the NICE framework. These served as the foundational building blocks for our prompt generation process.
  2. Prompt Generation with Gemini in AI Studio: Within AI Studio, we harnessed Google Gemini's language generation prowess to create a wide variety of prompts based on the extracted TKS IDs and descriptions. Specifically, we crafted three distinct types of prompts for each TKS:
    • Conceptual prompts: These are designed to challenge your understanding of the core concepts embedded within the TKS.
    • Scenario-based prompts: These immerse you in realistic situations where the TKS is applied, bridging theory and practice.
    • Knowledge-check prompts: These test your grasp of the specific knowledge outlined in the TKS.

   By utilizing the TKS ID and description as direct input, we ensured that each generated prompt was
   precisely aligned with the corresponding competency within the NICE framework.

  1. Structured Organization and Output withinAI Studio: Leveraging the table formatting capabilities of Google AI Studio, we organized our prompts and their corresponding outputs in a structured table format. This format included columns for TKS ID, TKS Description, Conceptual Prompt, Scenario-Based Prompt, and Knowledge Check Prompt. This streamlined approach allowed for easy review, analysis, and direct export into Google Sheets for further management and refinement of our comprehensive prompt library.

Your AI-Powered Cybersecurity Toolkit: Unveiled!

We are thrilled to announce the release of our meticulously crafted library of NIST NICE-aligned prompts. In a groundbreaking move to democratize cybersecurity education, we're making this invaluable resource freely available to the entire cybersecurity community.

Here, you'll find a glimpse of the treasure trove of prompts that await you:

TKS ID

TKS Description

Conceptual Prompt

Scenario-Based Prompt

Knowledge Check Prompt

K0833

Knowledge of cyberattack actor characteristics

"Identify different types of cyberattack actors, such as nation-states, cyber criminals, and hacktivists.”

"A sophisticated cyberattack is attributed to a state-sponsored actor. Describe the typical characteristics and motivations of this type of attacker."

"Compare and contrast the motives and methods of hacktivists and cybercriminals.”

aside_block
<ListValue: [StructValue([('title', 'Google Gemini AI Prompts'), ('body', <wagtail.rich_text.RichText object at 0x3e1df929b220>), ('btn_text', 'Get the prompts!'), ('href', 'https://docs.google.com/spreadsheets/u/1/d/e/2PACX-1vQBzljgM47QnO9F8iE33DkvQ96Ow5jNG01y7mxkDgZl0NEMEwsDBhFErI1rMz3GaysLZb2hNXAO4k2y/pubhtml#'), ('image', None)])]>

By harnessing the power of this AI-driven resource, you can take control of your cybersecurity learning journey. Explore the prompts, challenge yourself, and discover new ways to strengthen your expertise.

Take Action: Elevate Your Cybersecurity Expertise with AI

Congratulations! You now have access to a treasure trove of AI-powered prompts designed to accelerate your mastery of the NIST NICE framework. But how can you effectively incorporate these prompts into your daily learning routine? Here are some practical tips and strategies:

  1. Identify Your Goals: Start by clearly defining your learning objectives. Are you aiming to strengthen your knowledge in a specific NICE category or specialty area? Are you preparing for a certification exam or a career transition? Once you know your goals, you can select the most relevant prompts to focus on.
  2. Integrate Prompts into Your Daily Routine: Set aside dedicated time each day to engage with the prompts. You can use them as a warm-up exercise before diving into other learning materials, as a way to test your knowledge after studying, or as a creative spark to brainstorm new ideas.
  3. Experiment with Different Learning Styles: The beauty of prompts is their versatility. You can use them for solo study, group discussions, or even as a basis for creating presentations or training materials. Don't be afraid to experiment and find what works best for you.
  4. Embrace the Interactive Nature of AI: Large language models like Google Gemini are designed to engage in dialogue. Ask follow-up questions, challenge the AI's responses, and use the prompts as a springboard for deeper exploration of the topics at hand.
  5. Track Your Progress: As you work through the prompts, keep track of your responses, insights, and any questions that arise. This will help you monitor your progress, identify areas for further improvement, and measure the impact of your AI-powered learning journey.
The NIST NICE Framework and Security-Specific LLMs

The NIST NICE framework, beyond serving as a guide for human professionals, is also a valuable tool in the development of security-specific LLM agents. The framework's structured knowledge and comprehensive categorization of tasks provide a rich resource for training and building tuned agents. By aligning LLMs to particular TKS statements within the NICE framework, developers focus the models' understanding of cybersecurity concepts, terminology, and real-world scenarios.

The granular nature of TKS statements within the NICE framework makes them ideal to focus AI agents for specific cybersecurity tasks. For example, TKS statements related to "risk analysis" or "incident response" can be used to focus agents that specialize in these areas. By tailoring prompts to specific TKSs, we can create AI agents that are highly proficient in performing their assigned tasks and capable of providing valuable insights and recommendations to human analysts.

Additionally, when paired with a tuned model, such as Google's SecLM, the outputs will be further aligned to the daily needs of cybersecurity practitioners. By training on a massive corpus of security-related data, including information aligned with the NICE framework, SecLM has developed a sophisticated understanding of security threats, vulnerabilities, and mitigation strategies. This enables SecLM to perform a wide range of tasks, from threat detection and analysis to code review and security policy generation.

The integration of the NICE framework into the development of security-specific LLMs like SecLM represents a significant step forward in the field of AI-driven cybersecurity. By harnessing the structured knowledge of the framework and the power of LLMs, we are creating tools that can augment human expertise, accelerate threat detection and response, and ultimately strengthen our defenses against an ever-evolving threat landscape.

A Special Thanks to Google Gemini

We would be remiss if we didn't acknowledge the incredible power and versatility of Google Gemini. This cutting-edge language model not only enabled us to rapidly generate and iterate on thousands of NIST NICE-aligned prompts, but it has also been an invaluable collaborator in the creation of this very blog post. The future of AI in cybersecurity is bright, and we're excited to continue exploring its limitless potential with Gemini at our side.

Expanding the Horizon of Cybersecurity with AI

The release of our NIST NICE-aligned prompt library is just the first step in our mission to empower cybersecurity professionals with the power of AI. We are committed to continually exploring innovative ways to leverage AI to enhance cybersecurity capabilities for both individuals and organizations.

Stay tuned for upcoming blog posts where we'll delve into advanced prompt engineering techniques, share real-world applications of AI in cybersecurity, and explore opportunities to utilize AI in your daily workflow. Our goal is to create a vibrant community of learners, practitioners, and innovators who are passionate about harnessing the transformative potential of AI to strengthen our collective defense against cyber threats.

Mandiant

Managed ad