Page 1: Developing a Cyberwar Laboratory and Exercise: Issues and Lessons Learned

Paul J. Wagner
[email protected]

UW-Stout Information and Cyber Security Workshop

8/24/2006

Page 2: Main Messages

- Developing a good cyberwar laboratory and related exercise takes:
  - Planning
  - Thought
  - Resources
- Helps to think about goals and structure

Page 3: Main Messages (cont.)

- Many issues arise during the development and execution of a cyberwar exercise
- Consider and work through as many as possible up front
- A few more will arise in spite of your preparation...

Page 4: Laboratory History

- Submitted a grant proposal to National Science Foundation (NSF) in late 2002
  - Course, Curriculum and Laboratory Improvement (CCLI) program
  - Adaptation and Implementation (A&I) sub-program
- Grant awarded in June 2003
- Three parts
  - Develop computer security laboratory
  - Develop two security-related courses
    - Computer Security
    - Cryptography and Network Security
  - Develop course modules for introduction of security issues in other courses

Page 5: Laboratory Goals

- Mixed use laboratory
  - Not enough space to dedicate to security
  - Need to be able to connect/disconnect from campus network quickly
- Support both Windows and Linux
  - IUP only supported Linux; the real-world environment is heterogeneous
- Be able to emulate a real-world enterprise computing environment

Page 6: Laboratory – Spring 2004

[Network diagram: Campus Network & Internet connected through a switch/hub to a "Pseudo Internet" of hubs; zones labelled DMZ, Secure Zone, Secure Business Theatre and CLICS Lab Environment; Bait 1 through Bait 5 machines; each lab station has a Linux and a Win XP system]

Page 7: One Way to Lower the Cost

- Purchase one many-port switch to act as physical switch and all hubs
  - Can isolate groups of ports
  - Can bridge groups where needed
- Advantages
  - Significant cost savings
  - Reduced maintenance need
- Disadvantage
  - Initial setup difficult

Page 8: Spring 2005 (and 2006) Version

- Use of virtual machines within physical machines
- Products
  - Microsoft Virtual PC (used 2005)
    - Support discontinued for Mac environment in 8/2006
  - VMWare (used 2006)
  - Another possibility: Xen
    - Operating systems must be modified
    - Higher performance gained
- Layout similar to previous diagram, but only one physical machine needed per station
  - Bait machines are also virtual

Page 9: Virtual Machines – Pros/Cons

- Advantages
  - Easier to generate a heterogeneous network with a limited amount of hardware
  - Able to restore virtual machine on any physical machine in lab
  - Can give student root/administrator privilege on virtual machine
  - Flexibility in a dual-usage environment
  - Damage to a virtual machine has a reduced impact
- Disadvantages
  - Size of images (e.g. if saving state across semester)
  - Time to compress/save
  - Network bandwidth

Page 10: Ideas for Future

- VMWare Player and Server are now freely available
- Virtual network as well as virtual machines
  - Paper on this using UML (another virtualization product)
- Storing virtual machines on portable storage (e.g. USB drives, iPods)

Page 11: Laboratory – Physical Issues

- Want to provide some sense of physical security for each station
- Lab furniture is currently 8 cubicles with high walls
- Problem: not good for general usage; students tend to "hide" in lab and take over stations
- Future: a more open physical environment?

Page 12: Exercise Overview

- Based on exercises attempted and done elsewhere (IUP, US military academies)
- Reverse version of "capture the flag" => "plant the flag"
- Final exercise in Computer Security course

Page 13: Exercise Overview (2)

- Isolated network, consisting of:
  - Student systems
  - "Bait" systems (representing businesses)
- 8 student teams each given unsecured Windows and Linux systems
- 24 hours to secure their systems
- 24 hours to locate other systems and plant a flag on as many other systems as possible

Page 14: Student Preparation

- Course
  - Computer Security (CS 370)
  - Prerequisite – Data Structures (CS 265)
- Goals for course
  - Develop understanding and background in:
    - Concepts
    - Tools
    - Ethics
- Issue: ideally would like students to have some networking background
  - Currently we present this background in course

Page 15: Student Preparation (2)

- Approach from perspective of security professional
  - Learn as defenders of computer systems and networks
  - Look at what attackers do to understand their mindset and methods
  - Systems approach in an enterprise environment
- Students sign an agreement that stresses ethical issues and behavior, and limits their use of tools to the scope of the course

Page 16: Student Preparation (3)

- Weekly Laboratory Exercises
  - Policies
  - Ethics, Social Engineering
  - Information Gathering Tools
  - Packet Sniffing
  - Port Scanning
  - Password Security/Analysis
  - Vulnerability Assessment
  - System Hardening
  - Intrusion Detection

Page 17: The Cyberwar Exercise

- Goals
  - Real-World Project
  - Team-Based
  - Focus on Defense in a Realistic Environment
    - Defense – understand what needs to be done and how to accomplish it
    - Attack – to experience the mindset and techniques of the attacker

Page 18: Cyberwar Exercise (2)

- More Goals
  - Gain Experience in:
    - Technological security – with tools used in weekly labs
    - Physical security
    - Social security

Page 19: The Cyberwar Exercise (3)

- Exercise Structure
  - Pre-lab
    - Set up heterogeneous isolated network
    - Group students into teams
    - Teams work to prepare, schedule coverage
    - Teams discover exact environments (shortly before exercise starts)

Page 20: Cyberwar Exercise (4)

- Structure (cont.)
  - Defense Period
    - Teams secure systems within constraints of exercise
    - Must keep certain services available; e.g. ssh, mail server
      - Business is a balance between functionality and security
    - Students make entries in online log detailing what defensive techniques they've used

Page 21: The Cyberwar Exercise (5)

- Exercise Structure (cont.)
  - Attack period
    - Teams attempt to plant flag on as many systems on network as possible
    - Defense continues (adjustments, further work)
    - All activities must be added to online log
    - Instructor keeps score based on various criteria
    - Sysadmins attack all student machines at end of period with variety of canned attacks
  - Discussion
    - Whole class discussion after exercise completed

Page 22: Scoring Criteria

- Positive additions
  - Number of services up at certain checkpoints
  - Successful attacks against other machines
  - Resistance to sysadmin attacks
  - Quality of log entries
- Negative additions
  - Successful attacks against your machines
  - Rules violations

Page 23: Laboratory Setup for Exercise

- Goals
  - Heterogeneous and Isolated Network
  - Same system for each student team
    - Replicating tool (e.g. Norton Ghost) saves much time
    - Don't forget to give each machine its own identity

Page 24: Laboratory Setup (2)

- Structure of Isolated Network
  - One zone (all systems off one hub)
  - 8 Student Team Systems running older Windows Server and Linux systems
    - Non-current OSs with known security holes
    - All tools used in lab exercises
    - Added several realistic-looking accounts (e.g. backup, logwd, tomcat) with weak passwords

Page 25: Laboratory Setup (3)

- Structure of Isolated Network (continued)
  - Several Non-Student Systems
    - Other variants of Windows and Linux
    - 1 Monitoring system
- Additional Available Systems
  - Host systems can be used for internet access

Page 26: Laboratory Setup (4)

- Outside software transferred only by "sneaker net"
  - Reasoning – no automated updates/patches
  - Students had to understand issues and solutions

Page 27: Major Exercise Issues

- Which services to require?
  - Too few – not realistic
  - Too many – configuration more complex, difficult to monitor
- How much physical access?
  - Keyboard access allowed?
    - Problem with student rebooting another system, which hangs waiting for password on BIOS and/or boot loader

Page 28: Exercise Issues (2)

- Allow Denial of Service (DoS) attacks?
  - Realistic, but ...
  - Environment deteriorates
- Ethics
  - Keyboard issue above
  - Which resources can/should be used?

Page 29: Exercise Experiences

- Added accounts were a significant hole
  - Valid-sounding account names lower the expectation of risk
- Non-attended machines were broken into less than the student team machines
- Successful teams combined multiple exploits
  - Combining weak accounts/cracked passwords with buffer overflow exploit

Page 30: Exercise Experience (2)

- Social engineering attack showed the power of this method
  - One student team used spoofed email from instructor to request privileged account on each system with given username/password
  - Members of half of the teams set this account up
- Raised interesting ethical issue re: use of non-class resources

Page 31: Exercise Experience (3)

- Must be *very* precise with instructions
- Example
  - Told class could only attack within the laboratory environment
  - Sysadmin set up log system on regular campus network
  - Told all teams that log was private, they should report in detail
  - One team accomplished SQL injection attack on log, gained access to all notes, used this to attack other systems

Page 32: Student Problems / Lessons Learned

- Time periods too short for each phase
  - Suggest extending up to several days for each phase
- Exercise too late in semester
  - Suggested to move it earlier to allow more time on exercise
  - Students were busy with other final projects; some didn't participate well

Page 33: Student Problems / Lessons Learned (2)

- Not enough student system administration experience
  - Some had it, but others wanted more background on this
- Problems with software installation during exercise stemming from lack of knowledge of underlying hardware
  - Need to document this next time

Page 34: Instructor Problems / Lessons Learned

- Not requiring Networking course as a prerequisite meant time spent on networking basics during course, less background to apply to exercise
  - Tradeoff between wanting to provide an "overview" security course vs. having good background knowledge

Page 35: Instructor Problems / Lessons Learned (2)

- Needed to require more available services (e.g. web, db, sftp – now done)
- Monitoring exercise is difficult
  - Continuous physical presence is impossible
  - Ensuring that student system resources are always available takes forethought
    - Manual checks, automated checks
  - Monitoring all network activity during exercise is difficult
    - Large quantity of information generated, need to filter
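One form the "automated checks" above can take, and the input for the "number of services up at certain checkpoints" scoring criterion, as an added example (not from the presentation or the CLICS project): a checkpoint script that probes each team's required services and tallies results across checkpoints. The service/port table (ssh, mail, web, db), the team addresses and the fake probe used for the offline demo are assumptions.

```python
"""Automated checkpoint check of required exercise services, with a per-team tally.

Added example, not part of the original presentation. The required services and
their ports and the lab addresses are assumptions. Real runs use tcp_probe; the
demo substitutes a fake probe so it runs offline.
"""
import socket

# Services teams must keep available during the exercise; ports are assumed.
REQUIRED_SERVICES = {"ssh": 22, "mail": 25, "web": 80, "db": 3306}


def tcp_probe(host, port, timeout=2.0):
    """Real probe: True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checkpoint(teams, probe=tcp_probe):
    """Probe every required service on every team host.

    teams: {team name: host}. Returns {team: {service: up?}} for one checkpoint.
    """
    return {
        team: {svc: probe(host, port) for svc, port in REQUIRED_SERVICES.items()}
        for team, host in teams.items()
    }


def tally(checkpoints):
    """Sum 'services up' per team across checkpoints (a positive scoring input)."""
    totals = {}
    for result in checkpoints:
        for team, services in result.items():
            totals[team] = totals.get(team, 0) + sum(services.values())
    return totals


def outages(result):
    """(team, service) pairs that failed a checkpoint, for the monitor to follow up."""
    return [(team, svc) for team, services in result.items()
            for svc, up in services.items() if not up]


def make_fake_probe(down):
    """Probe reporting (host, port) pairs in `down` as unreachable; offline use only."""
    def probe(host, port, timeout=2.0):
        return (host, port) not in down
    return probe


# Constructed sample: two teams at assumed lab addresses, two checkpoints.
TEAMS = {"team1": "10.0.0.11", "team2": "10.0.0.12"}


def demo():
    """Two simulated checkpoints: team2's mail server is down throughout and
    team1's web server drops out at the second checkpoint."""
    cp1 = run_checkpoint(TEAMS, probe=make_fake_probe({("10.0.0.12", 25)}))
    cp2 = run_checkpoint(TEAMS, probe=make_fake_probe({("10.0.0.12", 25),
                                                       ("10.0.0.11", 80)}))
    return tally([cp1, cp2]), outages(cp2)


if __name__ == "__main__":
    totals, down = demo()
    print("services up per team:", totals)
    print("outages at last checkpoint:", down)
```

Scheduling run_checkpoint from cron with the real probe gives the unattended checks the slide calls for, and the outages list is what a monitor would act on between visits.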

Page 36: Benefits of Exercise

- Increased student appreciation of security as a process, not product or state
  - Issues arise; need to respond
  - Need to remain continuously vigilant
- Increased student appreciation of use of tools
  - How they can be used by hackers
  - How they can be used for vulnerability assessment
- High level of student enthusiasm!

Page 37: Acknowledgements

- Our systems and networking staff, led by Jason Wudi and Tom Paine
  - It's difficult to do this well without their support and their help!
- Dr. Mary Micco, IUP
- Dr. Andrew Phillips
  - Co-PI on our related NSF CCLI A&I Grant

Page 38: More Information

- CLICS – a Computational Laboratory for Information and Computer Security
  - Development of Physical Lab, Courses, and Modules
  - More information: http://clics.cs.uwec.edu
  - Supported by NSF Grant, DUE 0309818
- Paul Wagner, [email protected]