CYBERCOG Test Bed Overview


The Experiment Setup
• 2 screens per analyst
• A common projector screen
• Experimenter observing the interactions and taking notes

Resources for each cyber analyst
• Each participant takes the role of a cyber analyst.
• Each participant will have two computer screens.
• The first screen displays the events, alerts, attack patterns and messages from the other analysts in the experiment.
• The second screen displays the map of the network segment that the analyst is responsible for, and also the alerts and events of importance identified by the team.
• The common projector screen displays the entire network map and a timer to indicate the time left to complete the task.

Information available to each cyber analyst

Overview of tasks performed during an exercise

Sample Network Map

Attack Scenario

Example attack scenario [1]

Example Scenario
• Workstations of several employees in a company XYZ become non-responsive. Work is majorly affected in the company. It is estimated that if the situation continues for more than 2 hours, the company could incur a net loss of over a million dollars.

Ground Truth available to each Cyber Analyst
• Cyber Analyst 1
  • Web server: reachability(Internet, webService, TCP, 80)
  • Web server: networkServiceInfo(webServer, httpd, tcp, 80, apache)
  • Web server: vulExists(webServer, 'CAN-2002-0392', httpd, remoteExploit, privEscalation)
• Cyber Analyst 2
  • File server: reachability(webServer, fileServer, rpc, 100005)
  • File server: vulExists(fileServer, vulID, mountd, remoteExploit, privEscalation)
  • File server: networkServiceInfo(fileServer, mountd, rpc, 100005, root)
  • File server: canAccessFile(fileServer, root, write, '/export')
  • File server: nfsExportInfo(fileServer, '/export', write, webServer)
  • File server: reachability(webServer, fileServer, nfsProtocol, nfsPort)
• Cyber Analyst 3
  • nfsMounted(workstation, '/usr/local/share', fileServer, '/export', read)
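The ground truth above is split across three analysts on purpose: no single analyst holds enough facts to see the whole chain from the Internet to the workstation. The following Python script is an added example, not code from the CyberCog slides or from the cited paper [1]. It encodes the slide's predicates as tuples and forward-chains four simplified MulVAL-style rules (the rule bodies are this example's own assumptions) to show what each analyst can infer alone versus what the team can infer once the facts are pooled. Two further assumptions: the slide's "webService" in Analyst 1's reachability fact is read as the webServer host, and "TCP" is normalised to "tcp" so it matches the networkServiceInfo fact; the placeholders vulID and nfsPort are kept as written.

```python
# Added example, not code from the CyberCog slides or from the cited paper [1].
# A minimal forward-chaining reasoner over the ground-truth predicates above.
# Predicate names follow the slides; the four rules are simplified
# MulVAL-style rules and are this example's own assumptions.

# Ground truth as distributed to the three analysts. Assumptions: the slide's
# "webService" is read as the webServer host, "TCP" is normalised to "tcp",
# and the placeholders vulID / nfsPort are kept as written.
GROUND_TRUTH = {
    "analyst1": [
        ("reachability", "Internet", "webServer", "tcp", "80"),
        ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
        ("vulExists", "webServer", "CAN-2002-0392", "httpd", "remoteExploit", "privEscalation"),
    ],
    "analyst2": [
        ("reachability", "webServer", "fileServer", "rpc", "100005"),
        ("vulExists", "fileServer", "vulID", "mountd", "remoteExploit", "privEscalation"),
        ("networkServiceInfo", "fileServer", "mountd", "rpc", "100005", "root"),
        ("canAccessFile", "fileServer", "root", "write", "/export"),
        ("nfsExportInfo", "fileServer", "/export", "write", "webServer"),
        ("reachability", "webServer", "fileServer", "nfsProtocol", "nfsPort"),
    ],
    "analyst3": [
        ("nfsMounted", "workstation", "/usr/local/share", "fileServer", "/export", "read"),
    ],
}


def _select(known, pred):
    """All facts in `known` whose predicate name is `pred`."""
    return [f for f in known if f[0] == pred]


def derive(facts):
    """Forward-chain the rules to a fixed point; returns all known + derived facts.
    Derived facts are execCode(host, privilege) and accessFile(host, mode, path)."""
    known = set(facts)
    known.add(("execCode", "Internet", "attacker"))  # attacker's starting position
    changed = True
    while changed:
        derived = set()
        for _, src, priv in _select(known, "execCode"):
            # Rule 1: a vulnerable network service reachable from a foothold
            # yields code execution with the service's privilege.
            for _, rsrc, host, proto, port in _select(known, "reachability"):
                if rsrc != src:
                    continue
                for _, h, prog, p, pt, user in _select(known, "networkServiceInfo"):
                    if (h, p, pt) != (host, proto, port):
                        continue
                    for _, vh, _vid, vprog, rng, cons in _select(known, "vulExists"):
                        if (vh, vprog, rng, cons) == (host, prog, "remoteExploit", "privEscalation"):
                            derived.add(("execCode", host, user))
            # Rule 2: code running as a user inherits that user's file access.
            for _, h, user, mode, path in _select(known, "canAccessFile"):
                if h == src and user == priv:
                    derived.add(("accessFile", h, mode, path))
            # Rule 3: an export writable by a compromised NFS client is attacker-writable.
            for _, fs, path, mode, client in _select(known, "nfsExportInfo"):
                nfs_reach = any(r[1:4] == (client, fs, "nfsProtocol")
                                for r in _select(known, "reachability"))
                if client == src and nfs_reach:
                    derived.add(("accessFile", fs, mode, path))
        # Rule 4: a writable export mounted by a workstation lets a planted
        # binary be executed there (the Trojan in Analyst 3's events).
        for _, fs, mode, path in _select(known, "accessFile"):
            if mode != "write":
                continue
            for _, client, _cpath, mfs, mpath, _acc in _select(known, "nfsMounted"):
                if (mfs, mpath) == (fs, path):
                    derived.add(("execCode", client, "user"))
        changed = not derived <= known
        known |= derived
    return known


def compromised_hosts(facts):
    """Hosts on which the attacker can execute code, given these facts."""
    return sorted({f[1] for f in derive(facts) if f[0] == "execCode"} - {"Internet"})


def coverage_report():
    """What each analyst can infer from their own ground truth vs. the team's union."""
    report = {name: compromised_hosts(facts) for name, facts in GROUND_TRUTH.items()}
    report["team"] = compromised_hosts([f for fs in GROUND_TRUTH.values() for f in fs])
    return report


if __name__ == "__main__":
    for who, hosts in coverage_report().items():
        print(f"{who:9s} can infer compromise of: {hosts or 'nothing'}")
```

Run stand-alone, the report shows Analyst 1 reaching only the web server, Analysts 2 and 3 reaching nothing on their own (their facts describe later links of the chain but no entry point), and the pooled team facts reaching the file server and the workstation. That gap between individual and team inference is what the test bed's shared screen and messaging are meant to close.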

Event distribution – Cyber Analyst 1
• Event 1: TCP probe on port 80 on web server fails.
• Event 2: Successful data transfer through port 80 on web server.
• Event 3: TCP probe on port 80 on web server fails.
• Event 4: Successful data transfer through port 80 on web server.
• Event 5: Successful data transfer through port 80 on web server.
• Event 6: Successful data transfer through port 80 on web server.
• Event 7: Successful data transfer through port 80 on web server.
• Event 8: TCP probe on port 80 on web server succeeds.
• Event 9: Successful remote login to FTP server.
• Event 10: Unauthorized access to FTP server blocked.

Event distribution – Cyber Analyst 2
• Event 1: TCP probe to the RPC port of fileServer fails.
• Event 2: Successful data transfer to the RPC port of fileServer.
• Event 3: TCP probe to the RPC port of fileServer succeeds.
• Event 4: Successful data transfer to the RPC port of fileServer.
• Event 5: Successful data transfer to the RPC port of fileServer.
• Event 6: Binary file “config.temp” in directory “/export” is changed by “shanter”.
• Event 7: Binary file “config.temp” in directory “/export” is changed by “jhun”.
• Event 8: Binary file “config.temp” in directory “/export” is changed by “unknown” – malicious file override.
• Event 9: Binary file “source.temp” in directory “/export” is changed by “nfinch”.
• Event 10: File “world.xml” updated by admin.

Event distribution – Cyber Analyst 3
• Event 1: Bad file “config.temp” is downloaded by “rjay”.
• Event 2: File “config.temp” is executed on “rjay” user computer.
• Event 3: Executable file “free.exe” downloaded by “jkay”.
• Event 4: File “free.exe” is executed by “jkay”.
• Event 5: Bad file “config.temp” is downloaded by “praj”.
• Event 6: File “config.temp” is executed on “praj” user computer.
• Event 7: Executable file “free.exe” downloaded by “skay”.
• Event 8: File “free.exe” is executed by “skay”.
• Event 9: Bad file “config.temp” is downloaded by “skay”.
• Event 10: Trojan horse detected on “skay” user computer.

Alert distribution – Cyber Analyst 1
• AE1 against Event 1: The probing packet matches a signature compromising webServer.
• AE2 against Event 3: The probing packet matches a signature compromising webServer.
• AE3 against Event 8: The probing packet matches a signature compromising webServer.
• AE4 false positive: saying that webServer runs a malicious NSF shell.

Alert distribution – Cyber Analyst 2
• FN1 false negative against Event 3: the sensor did not raise any alert about the probe to the file server.
• AE1 against Event 6: file “change.temp” in directory “/export” is changed.
• AE2 against Event 7: file “change.temp” in directory “/export” is changed.
• AE3 against Event 8: file “change.temp” in directory “/export” is changed.
• AE4 against Event 8: file “change.temp” is a Trojan horse.
• AE3 against Event 9: file “source.temp” in directory “/export” is changed.
• AE3 against Event 10: file “change.temp” in directory “/export” is changed.
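The Analyst 2 lists pair each alert with the raw event it was raised against, and reading them side by side reveals two things an analyst has to notice: five events (including the probe in Event 3, which the experimenter marks as false negative FN1) have no alert at all, and most alerts name a file (“change.temp”) that differs from the file in the underlying event (“config.temp” or “world.xml”). The Python script below is an added example, not code from the CyberCog slides; it parses the event and alert text constructed from the Analyst 2 slides (FN1 is left out of the alert feed because it is the experimenter's annotation, not something the sensor emitted) and cross-checks alerts against events to surface uncovered events, alerts whose details contradict the event, and alerts that point at a non-existent event. Regex patterns, quote handling and the output structure are this example's own choices.

```python
# Added example, not code from the CyberCog slides: correlate a sensor's
# alerts back to the raw events they claim to describe, the check an analyst
# (or the experimenter's feedback system) needs to spot uncovered events and
# alerts whose details contradict the event.
import re
from collections import defaultdict

# Constructed from the Cyber Analyst 2 event list on the slides (straight
# quotes instead of the slide's curly quotes; both are accepted below).
EVENTS = """
Event 1: TCP probe to the RPC port of fileServer fails.
Event 2: Successful data transfer to the RPC port of fileServer.
Event 3: TCP probe to the rpc port of fileServer succeeds.
Event 4: Successful data transfer to the RPC port of fileServer.
Event 5: Successful data transfer to the RPC port of fileServer.
Event 6: Binary file "config.temp" in directory "/export" is changed by "shanter".
Event 7: Binary file "config.temp" in directory "/export" is changed by "jhun".
Event 8: Binary file "config.temp" in directory "/export" is changed by "unknown" - malicious file override.
Event 9: Binary file "source.temp" in directory "/export" is changed by "nfinch".
Event 10: File "world.xml" updated by admin.
"""

# The AE lines the sensor actually raised for Analyst 2. FN1 is the
# experimenter's annotation, not an alert, so it is deliberately left out:
# the check below should rediscover Event 3 as an uncovered event.
ALERTS = """
AE1 against event 6: file "change.temp" in directory "/export" is changed.
AE2 against event 7: file "change.temp" in directory "/export" is changed.
AE3 against event 8: file "change.temp" in directory "/export" is changed.
AE4 against event 8: file "change.temp" is a Trojan horse.
AE3 against event 9: file "source.temp" in directory "/export" is changed.
AE3 against event 10: file "change.temp" in directory "/export" is changed.
"""

EVENT_RE = re.compile(r"^Event\s*(\d+):\s*(.*)$")
ALERT_RE = re.compile(r"^(AE\d+)\s+against\s+event\s+(\d+):\s*(.*)$", re.IGNORECASE)
QUOTED_RE = re.compile('["\u201c]([^"\u201d]+)["\u201d]')  # "x" or the curly-quoted form


def parse_events(text):
    """Map event number -> description."""
    events = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events[int(m.group(1))] = m.group(2)
    return events


def parse_alerts(text):
    """List of (alert label, referenced event number, description)."""
    alerts = []
    for line in text.strip().splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append((m.group(1), int(m.group(2)), m.group(3)))
    return alerts


def first_quoted(text):
    """The first quoted token in a description, used here as the file name."""
    m = QUOTED_RE.search(text)
    return m.group(1) if m else None


def triage(events, alerts):
    """Cross-check alerts against events.
    uncovered_events: events no alert refers to (candidate false negatives)
    mismatched: alerts whose quoted file name differs from the event's
    dangling: alerts referring to an event number that does not exist"""
    covered = defaultdict(list)
    mismatched, dangling = [], []
    for label, eid, desc in alerts:
        if eid not in events:
            dangling.append(label)
            continue
        covered[eid].append(label)
        event_file, alert_file = first_quoted(events[eid]), first_quoted(desc)
        if event_file and alert_file and event_file != alert_file:
            mismatched.append((label, eid, alert_file, event_file))
    uncovered = sorted(e for e in events if e not in covered)
    return {"uncovered_events": uncovered, "mismatched": mismatched, "dangling": dangling}


if __name__ == "__main__":
    result = triage(parse_events(EVENTS), parse_alerts(ALERTS))
    print("events with no alert:", result["uncovered_events"])
    for label, eid, alert_file, event_file in result["mismatched"]:
        print(f"{label} on event {eid}: alert says {alert_file!r}, event says {event_file!r}")
```

On this data the check reports Events 1 to 5 as uncovered and flags five of the six alerts as naming a different file than their event; only AE3 on Event 9 agrees with the event. Whether the “change.temp” discrepancy on the slides is a deliberate part of the exercise or a slip, it is exactly the kind of inconsistency a feedback system can score and an analyst must resolve before acting on an alert.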

Alert distribution – Cyber Analyst 3
• AE1 against Event 2: Trojan horse is being executed on rjay user computer.
• AE2 against Event 6: Trojan horse is being executed on praj user computer.
• AE2 against Event 10: Trojan horse is being executed on skay user computer.

CyberCog
• Feedback System
  • Feedback to the users on what they have accomplished so far.
  • The severity level (high, medium or low) of attacks identified and mitigated in the current exercise.
• Dynamic factors to measure SA
  • Increasing information (events and alerts) and data overload.
  • Introducing new attacks.
  • Changing environment factors in real time.
  • A delay in providing an important alert.
  • Changes to possible assumptions.
  • Increasing and decreasing the time to respond to an attack.
  • Providing multiple solutions for defending against an attack (choosing the most cost-effective solution).
  • Road blocks introduced while defending against an attack, e.g. a tool crash.
  • Flashing new attack information on to individual users' screens.


CyberCog
• Measuring and logging
  • Team interaction is logged in real time.
  • Team performance is measured through the number of attacks identified and mitigated.
  • The dynamic nature of the environment is used to measure SA.
• Enhancements planned
  • Visual representation of events and alerts, e.g. an attack graph.


Reference
[1] Peng Xie, Jason H. Li, Xinming Ou, Peng Liu, Renato Levy, “Using Bayesian Networks for Cyber Security Analysis”.