Developing a Cyberwar Laboratory and Exercise: Issues and Lessons Learned
Paul J. Wagner, [email protected]
UW-Stout Information and Cyber Security Workshop
8/24/2006
Main Messages
- Developing a good cyberwar laboratory and related exercise takes:
  - Planning
  - Thought
  - Resources
- It helps to think about goals and structure

Main Messages (cont.)
- Many issues arise during the development and execution of a cyberwar exercise
  - Consider and work through as many as possible up front
  - A few more will arise in spite of your preparation…
Laboratory History
- Submitted a grant proposal to the National Science Foundation (NSF) in late 2002
  - Course, Curriculum and Laboratory Improvement (CCLI) program
  - Adaptation and Implementation (A&I) sub-program
- Grant awarded in June 2003
- Three parts:
  - Develop computer security laboratory
  - Develop two security-related courses
    - Computer Security
    - Cryptography and Network Security
  - Develop course modules for introduction of security issues in other courses
Laboratory Goals
- Mixed-use laboratory
  - Not enough space to dedicate to security
  - Need to be able to connect/disconnect from campus network quickly
- Support both Windows and Linux
  - IUP only supported Linux; the real-world environment is heterogeneous
- Be able to emulate a real-world enterprise computing environment
Laboratory – Spring 2004
[Network diagram; only its labels survived extraction] CLICS Lab Environment: eight station pairs (Linux + Win XP, drawn as two rows of four), each row attached through a Hub to a central Switch/Hub; zones labelled Pseudo Internet, DMZ, Secure Zone and Secure Business Theatre; Bait 1 through Bait 5 systems; uplink to Campus Network & Internet.
One Way to Lower the Cost
- Purchase one many-port switch to act as the physical switch and all hubs
  - Can isolate groups of ports
  - Can bridge groups where needed
- Advantages
  - Significant cost savings
  - Reduced maintenance need
- Disadvantage
  - Initial setup difficult
Spring 2005 (and 2006) Version
- Use of virtual machines within physical machines
- Products
  - Microsoft Virtual PC (used 2005)
    - Support discontinued for Mac environment in 8/2006
  - VMware (used 2006)
  - Another possibility: Xen
    - Operating systems must be modified
    - Higher performance gained
- Layout similar to previous diagram, but only one physical machine needed per station
  - Bait machines are also virtual
Virtual Machines – Pros/Cons
- Advantages
  - Easier to generate a heterogeneous network with a limited amount of hardware
  - Able to restore a virtual machine on any physical machine in the lab
  - Can give students root/administrator privilege on a virtual machine
  - Flexibility in a dual-usage environment
  - Damage to a virtual machine has a reduced impact
- Disadvantages
  - Size of images (e.g. if saving state across a semester)
  - Time to compress/save
  - Network bandwidth
Ideas for Future
- VMware Player and Server are now freely available
- Virtual network as well as virtual machines
  - Paper on this using UML (another virtualization product)
- Storing virtual machines on portable storage (e.g. USB drives, iPods)
Laboratory – Physical Issues
- Want to provide some sense of physical security for each station
- Lab furniture is currently 8 cubicles with high walls
- Problem: not good for general usage; students tend to “hide” in the lab and take over stations
- Future: a more open physical environment?
Exercise Overview
- Based on exercises attempted and done elsewhere (IUP, US military academies)
- Reverse version of “capture the flag” => “plant the flag”
- Final exercise in Computer Security course
Exercise Overview (2)
- Isolated network, consisting of:
  - Student systems
  - “Bait” systems (representing businesses)
- 8 student teams, each given unsecured Windows and Linux systems
- 24 hours to secure their systems
- 24 hours to locate other systems and plant a flag on as many other systems as possible
Student Preparation
- Course: Computer Security (CS 370)
  - Prerequisite – Data Structures (CS 265)
- Goals for course: develop understanding and background in:
  - Concepts
  - Tools
  - Ethics
- Issue: ideally would like students to have some networking background
  - Currently we present this background in the course
Student Preparation (2)
- Approach from the perspective of a security professional
  - Learn as defenders of computer systems and networks
  - Look at what attackers do to understand their mindset and methods
  - Systems approach in an enterprise environment
- Students sign an agreement that stresses ethical issues and behavior and limits their use of tools to the scope of the course
Student Preparation (3)
- Weekly Laboratory Exercises
  - Policies
  - Ethics, Social Engineering
  - Information Gathering Tools
  - Packet Sniffing
  - Port Scanning
  - Password Security/Analysis
  - Vulnerability Assessment
  - System Hardening
  - Intrusion Detection
The Cyberwar Exercise
- Goals
  - Real-World Project
  - Team-Based
  - Focus on Defense in a Realistic Environment
    - Defense – understand what needs to be done and how to accomplish it
    - Attack – to experience the mindset and techniques of the attacker
Cyberwar Exercise (2)
- More Goals – gain experience in:
  - Technological security – with tools used in weekly labs
  - Physical security
  - Social security
The Cyberwar Exercise (3)
- Exercise Structure
  - Pre-lab
    - Set up heterogeneous isolated network
    - Group students into teams
    - Teams work to prepare, schedule coverage
    - Teams discover exact environments (shortly before exercise starts)
Cyberwar Exercise (4)
- Structure (cont.)
  - Defense Period
    - Teams secure systems within constraints of exercise
    - Must keep certain services available; e.g. ssh, mail server
      - Business is a balance between functionality and security
    - Students make entries in an online log detailing what defensive techniques they’ve used
The Cyberwar Exercise (5)
- Exercise Structure (cont.)
  - Attack period
    - Teams attempt to plant a flag on as many systems on the network as possible
    - Defense continues (adjustments, further work)
    - All activities must be added to the online log
    - Instructor keeps score based on various criteria
    - Sysadmins attack all student machines at end of period with a variety of canned attacks
  - Discussion
    - Whole-class discussion after exercise completed
Scoring Criteria
- Positive additions
  - Number of services up at certain checkpoints
  - Successful attacks against other machines
  - Resistance to sysadmin attacks
  - Quality of log entries
- Negative additions
  - Successful attacks against your machines
  - Rules violations
Laboratory Setup for Exercise
- Goals
  - Heterogeneous and Isolated Network
  - Same system for each student team
    - Replicating tool (e.g. Norton Ghost) saves much time
    - Don’t forget to give each machine its own identity
Laboratory Setup (2)
- Structure of Isolated Network
  - One zone (all systems off one hub)
  - 8 Student Team Systems running older Windows Server and Linux systems
    - Non-current OSs with known security holes
    - All tools used in lab exercises
    - Added several realistic-looking accounts (e.g. backup, logwd, tomcat) with weak passwords
Laboratory Setup (3)
- Structure of Isolated Network (continued)
  - Several Non-Student Systems
    - Other variants of Windows and Linux
    - 1 Monitoring system
  - Additional Available Systems
    - Host systems can be used for internet access
Laboratory Setup (4)
- Outside software transferred only by “sneaker net”
  - Reasoning – no automated updates/patches
  - Students had to understand issues and solutions
Major Exercise Issues
- Which services to require?
  - Too few – not realistic
  - Too many – configuration more complex, difficult to monitor
- How much physical access?
  - Keyboard access allowed?
  - Problem with a student rebooting another system, which then hangs waiting for a password on the BIOS and/or boot loader
Exercise Issues (2)
- Allow Denial of Service (DoS) attacks?
  - Realistic, but …
  - Environment deteriorates
- Ethics
  - Keyboard issue above
  - Which resources can/should be used?
Exercise Experiences
- Added accounts were a significant hole
  - Valid-sounding account names lower the expectation of risk
- Non-attended machines were broken into less than the student team machines
- Successful teams combined multiple exploits
  - Combining weak accounts/cracked passwords with a buffer overflow exploit
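The lesson above (the realistic-looking backup, logwd and tomcat accounts were the significant hole) suggests a pre-flight check an instructor can run on a master image before it is cloned to every station. The following is an added example written for this page, not code from the slides or from the CLICS project: it parses passwd/shadow-format text, lists every account that could actually log in (an interactive shell plus a password field that is not locked), and compares that list with the roster of accounts that are supposed to exist. The passwd and shadow content, the account names and the placeholder hash strings are all constructed for the example.

```python
"""Account audit for a cloned exercise image (added example, not from the slides).

Lists login-capable accounts (interactive shell + unlocked password) and flags
the ones that are not on the expected roster, plus empty passwords and extra
UID 0 accounts. All passwd/shadow content is constructed; hashes are placeholders.
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh"}

# Constructed /etc/passwd: root, a daemon, three service-style accounts, one human, one extra UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
logwd:x:1001:1001:Log Watchdog:/var/log:/bin/bash
tomcat:x:1002:1002:Tomcat:/opt/tomcat:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:alternate root:/root:/bin/bash
"""

# Constructed /etc/shadow: tomcat is locked ('!' prefix), daemon is disabled ('*'), the rest are live.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
backup:$1$PLACEHOLDERHASH:13000:0:99999:7:::
logwd:$1$PLACEHOLDERHASH:13000:0:99999:7:::
tomcat:!$1$PLACEHOLDERHASH:13000:0:99999:7:::
alice:$6$PLACEHOLDERHASH:13000:0:99999:7:::
toor:$6$PLACEHOLDERHASH:13000:0:99999:7:::
"""


def parse_passwd(text):
    """Return {name: (uid, shell)} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = (int(uid), shell)
    return users


def parse_shadow(text):
    """Return {name: password_field} from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def password_locked(field):
    """Locked or disabled entries start with '!' or are exactly '*'; an empty field means no password at all."""
    return field == "*" or field.startswith("!")


def login_capable_accounts(passwd_text, shadow_text):
    """Accounts with an interactive shell and a shadow entry that is not locked, sorted by name."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    capable = []
    for name, (_uid, shell) in users.items():
        field = hashes.get(name)
        if shell in INTERACTIVE_SHELLS and field is not None and not password_locked(field):
            capable.append(name)
    return sorted(capable)


def audit_accounts(passwd_text, shadow_text, expected_logins):
    """Findings to review before cloning, as a sorted list of (account, finding) pairs."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = set()
    for name in login_capable_accounts(passwd_text, shadow_text):
        if name not in expected_logins:
            findings.add((name, "login-capable account not on the expected roster"))
        if hashes.get(name) == "":
            findings.add((name, "empty password field"))
    for name, (uid, _shell) in users.items():
        if uid == 0 and name != "root":
            findings.add((name, "extra UID 0 account"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, {"root", "alice"}):
        print(f"{account}: {finding}")
```

Run against the constructed image, the audit reports backup and logwd as login-capable accounts nobody put on the roster and toor as an extra UID 0 account; tomcat is not reported because its shadow entry is locked, which is the state a planted service account should be in once the exercise designers no longer want it to be a deliberate hole.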
Exercise Experience (2)
- Social engineering attack showed the power of this method
  - One student team used spoofed email from the instructor to request a privileged account on each system with a given username/password
  - Members of half of the teams set this account up
- Raised interesting ethical issue re: use of non-class resources
Exercise Experience (3)
- Must be *very* precise with instructions
- Example
  - Told class they could only attack within the laboratory environment
  - Sysadmin set up the log system on the regular campus network
  - Told all teams that the log was private and that they should report in detail
  - One team accomplished a SQL injection attack on the log, gained access to all notes, and used this to attack other systems
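The log system incident above is the classic case of a per-team query built by string concatenation. The following is an added example written for this page, not the CLICS log application or any code from the slides: it builds a small in-memory SQLite table of log notes (constructed content), shows a lookup written the vulnerable way beside the parameterized form, and shows how a tautology in the team field makes the first return every team's notes while the second returns nothing. The table name, column names and note text are all assumptions made for the example.

```python
"""Per-team log lookup, vulnerable vs. parameterized (added example, not from the slides).

The exercise's online log let one team read every other team's entries through
SQL injection. The two functions below take the same 'team' string; only the
query construction differs. Table and notes are constructed for this example.
"""
import sqlite3

# Constructed sample notes, one per team, in the style of the exercise's defence log.
SAMPLE_NOTES = [
    ("team1", "disabled telnet; enabled host firewall"),
    ("team2", "changed passwords on backup and tomcat accounts"),
    ("team3", "ssh still on default port; patching after mail is up"),
]


def build_log_db(notes=SAMPLE_NOTES):
    """In-memory SQLite database standing in for the exercise log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log_entries (team TEXT NOT NULL, note TEXT NOT NULL)")
    conn.executemany("INSERT INTO log_entries (team, note) VALUES (?, ?)", notes)
    conn.commit()
    return conn


def notes_vulnerable(conn, team):
    """Deliberately vulnerable: the team name is spliced into the SQL text."""
    query = f"SELECT note FROM log_entries WHERE team = '{team}'"
    return [row[0] for row in conn.execute(query)]


def notes_parameterized(conn, team):
    """Hardened: the driver binds the value, so quotes in 'team' are data, not syntax."""
    rows = conn.execute("SELECT note FROM log_entries WHERE team = ?", (team,))
    return [row[0] for row in rows]


def notes_for_session(conn, session):
    """Stronger still: take the team from the authenticated session, never from the request."""
    return notes_parameterized(conn, session["team"])


def demo():
    """Compare both lookups on a normal team name and on a tautology input."""
    conn = build_log_db()
    tautology = "x' OR '1'='1"
    return {
        "normal_vulnerable": notes_vulnerable(conn, "team2"),
        "normal_parameterized": notes_parameterized(conn, "team2"),
        "tautology_vulnerable": notes_vulnerable(conn, tautology),
        "tautology_parameterized": notes_parameterized(conn, tautology),
        "session_bound": notes_for_session(conn, {"team": "team3"}),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The parameterized query is the fix for the injection itself; deriving the team from the server-side session rather than a request parameter closes the separate authorization gap of a client naming whichever team it wants to read. Neither changes the other lesson of the slide, that the log server itself belonged inside the isolated lab network rather than on the campus network.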
Student Problems / Lessons Learned
- Time periods too short for each phase
  - Suggest extending up to several days for each phase
- Exercise too late in semester
  - Suggested to move it earlier to allow more time on the exercise
  - Students were busy with other final projects; some didn’t participate well
Student Problems / Lessons Learned (2)
- Not enough student system administration experience
  - Some had it, but others wanted more background on this
- Problems with software installation during the exercise stemming from lack of knowledge of the underlying hardware
  - Need to document this next time
Instructor Problems / Lessons Learned
- Not requiring a Networking course as a prerequisite meant time spent on networking basics during the course, and less background to apply to the exercise
  - Tradeoff between wanting to provide an “overview” security course vs. having good background knowledge
Instructor Problems / Lessons Learned (2)
- Needed to require more available services (e.g. web, db, sftp – now done)
- Monitoring the exercise is difficult
  - Continuous physical presence is impossible
  - Ensuring that student system resources are always available takes forethought
    - Manual checks, automated checks
  - Monitoring all network activity during the exercise is difficult
    - Large quantity of information generated; need to filter
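The monitoring points above (continuous presence is impossible, availability needs automated checks, and the volume of monitoring data has to be filtered) together with the "number of services up at certain checkpoints" scoring criterion from the Scoring Criteria slide can be served by one small checkpoint script. The following is an added example written for this page, not the monitoring system or scoring sheet the slides describe: each required service gets a TCP connect probe, a checkpoint runs every probe for every team, a filter reports only services whose state changed since the previous checkpoint, and the per-team "services up" points are summed. Team names, service names, port numbers and the point value are constructed assumptions; the demo probes a throwaway listener on 127.0.0.1 instead of a real lab host.

```python
"""Automated service checkpoints and 'services up' scoring (added example, not from the slides).

A TCP connect probe per required service, a checkpoint over every team, a
state-change filter between checkpoints, and the positive scoring term.
Teams, services and ports are constructed; the demo uses a loopback listener.
"""
import socket
import threading
from contextlib import closing


def service_up(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout (minimal liveness probe)."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def run_checkpoint(required):
    """required: {team: {service: (host, port)}} -> {team: {service: up?}} for one checkpoint."""
    return {team: {svc: service_up(host, port) for svc, (host, port) in services.items()}
            for team, services in required.items()}


def state_changes(previous, current):
    """The filter: only services whose state differs from the last checkpoint, as sorted (team, service, 'up'|'down')."""
    changes = []
    for team, services in current.items():
        for svc, up in services.items():
            before = previous.get(team, {}).get(svc)
            if before is not None and before != up:
                changes.append((team, svc, "up" if up else "down"))
    return sorted(changes)


def services_up_score(checkpoints, points_per_service=1):
    """Positive scoring term: points per required service found up, summed over all checkpoints, per team."""
    totals = {}
    for result in checkpoints:
        for team, services in result.items():
            totals[team] = totals.get(team, 0) + points_per_service * sum(services.values())
    return totals


def start_demo_listener():
    """Constructed stand-in for a live service: accept-and-close listener on a free loopback port.
    Returns (stop_function, port); the listener thread closes the socket itself when stopped."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _addr = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop_listener():
        stop.set()
        worker.join()

    return stop_listener, srv.getsockname()[1]


def unused_port():
    """A loopback port with nothing listening (constructed 'down' service)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Two checkpoints for one team: 'ssh' is up then taken down, 'mail' is never up."""
    stop_listener, live_port = start_demo_listener()
    dead_port = unused_port()
    required = {"team1": {"ssh": ("127.0.0.1", live_port), "mail": ("127.0.0.1", dead_port)}}
    first = run_checkpoint(required)
    stop_listener()  # the 'ssh' stand-in goes away before the second checkpoint
    second = run_checkpoint(required)
    return first, second, state_changes(first, second), services_up_score([first, second])


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the lab the probe targets would be each team's required ssh and mail ports (and, per the later slide, web, db and sftp), the checkpoint would be run on a schedule from the monitoring system, and only the state-change list would be paged to whoever is on duty; the full per-checkpoint results stay in a file for scoring. A TCP connect only proves a listener is present, so a service that must answer correctly (a mail banner, an HTTP status) needs a protocol-level probe on top of this.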
Benefits of Exercise
- Increased student appreciation of security as a process, not a product or state
  - Issues arise; need to respond
  - Need to remain continuously vigilant
- Increased student appreciation of use of tools
  - How they can be used by hackers
  - How they can be used for vulnerability assessment
- High level of student enthusiasm!
Acknowledgements
- Our systems and networking staff, led by Jason Wudi and Tom Paine
  - It’s difficult to do this well without their support and their help!
- Dr. Mary Micco, IUP
- Dr. Andrew Phillips
  - Co-PI on our related NSF CCLI A&I Grant
More Information
- CLICS – a Computational Laboratory for Information and Computer Security
  - Development of Physical Lab, Courses, and Modules
  - More information: http://clics.cs.uwec.edu
  - Supported by NSF Grant, DUE 0309818
- Paul Wagner, [email protected]