CyberCog


Page 1: CyberCog

CYBERCOG Test Bed Overview

Page 2: CyberCog

The Experiment Setup
• 2 Screens per analyst
• A common projector screen
• Experimenter observing the interactions and taking notes

Page 3: CyberCog

Resources for each cyber analyst
• Each participant takes the role of a cyber analyst.
• Each participant will have two computer screens.
• The first screen displays the events, alerts, attack patterns and messages from the other analysts in the experiment.
• The second screen displays the map of the network segment that the analyst is responsible for, and also the alerts and events of importance identified by the team.
• The common projector screen displays the entire network map and a timer to indicate the time left to complete the task.

Page 4: CyberCog

Information available to each cyber analyst

Page 5: CyberCog

Overview of tasks performed during an exercise

Page 6: CyberCog

Sample Network Map

Page 7: CyberCog

Attack Scenario

Example attack scenario [1]

Page 8: CyberCog

Example Scenario
• Workstations of several employees in a company XYZ become non-responsive. Work in the company is severely affected. It is estimated that if the situation continues for more than 2 hours, the company could incur a net loss of over a million dollars.

Page 9: CyberCog

Ground Truth available to each Cyber Analyst

• Cyber Analyst 1
  • Web server: reachability(Internet, webService, TCP, 80)
  • Web server: networkServiceInfo(webServer, httpd, tcp, 80, apache)
  • Web server: vulExists(webServer, 'CAN-2002-0392', httpd, remoteExploit, privEscalation)

• Cyber Analyst 2
  • File server: reachability(webserver, fileserver, rpc, 100005)
  • File server: vulExists(fileserver, vulID, mountd, remoteExploit, privEscalation)
  • File server: networkServiceInfo(fileServer, mountd, rpc, 100005, root)
  • File server: canAccessFile(fileServer, root, write, '/export')
  • File server: nfsExportInfo(fileServer, '/export', write, webServer)
  • File server: reachability(webserver, fileServer, nfsProtocol, nfsPort)

• Cyber Analyst 3
  • nfsMounted(workstation, '/usr/local/share', fileServer, '/export', read)
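Slide 9's ground truth is written as attack-graph predicates in the MulVAL/Datalog style used by reference [1]. As an added example (not from the CyberCog slides or the test bed's own code), the Python below forward-chains a handful of simplified MulVAL-style rules over exactly those facts to derive which hosts the scenario lets an attacker compromise, the kind of attack graph slide 17 plans to visualise for the analysts. The rules, the attackerLocated(internet) starting fact, and reading the slide's webService as webServer are assumptions.

```python
from collections import defaultdict

# Slide 9 ground truth; 'vulID'/'nfsPort' are the slide's placeholders; its 'webService' is read as webServer (assumed).
GROUND_TRUTH = [
    ("reachability", "internet", "webServer", "tcp", 80),
    ("networkServiceInfo", "webServer", "httpd", "tcp", 80, "apache"),
    ("vulExists", "webServer", "CAN-2002-0392", "httpd", "remoteExploit", "privEscalation"),
    ("reachability", "webServer", "fileServer", "rpc", 100005),
    ("vulExists", "fileServer", "vulID", "mountd", "remoteExploit", "privEscalation"),
    ("networkServiceInfo", "fileServer", "mountd", "rpc", 100005, "root"),
    ("canAccessFile", "fileServer", "root", "write", "/export"),
    ("nfsExportInfo", "fileServer", "/export", "write", "webServer"),
    ("reachability", "webServer", "fileServer", "nfsProtocol", "nfsPort"),
    ("nfsMounted", "workstation", "/usr/local/share", "fileServer", "/export", "read"),
    ("attackerLocated", "internet"),  # assumed: the attacker starts on the Internet
]

def derive(facts):
    """Forward-chain simplified MulVAL-style rules (assumed) to a fixpoint; returns predicate -> argument tuples."""
    kb = defaultdict(set)
    for p, *args in facts:
        kb[p].add(tuple(args))
    while True:
        new = set()
        # R1: hosts the attacker sits on or controls reach whatever the reachability facts allow.
        owned = {h for (h,) in kb["attackerLocated"]} | {h for h, _ in kb["execCode"]}
        new |= {("netAccess", d, pr, po) for s, d, pr, po in kb["reachability"] if s in owned}
        # R2: a reachable service with a remote privilege-escalation vuln yields code execution as its account.
        new |= {("execCode", h, perm)
                for h, _v, sw, rng, cons in kb["vulExists"] if (rng, cons) == ("remoteExploit", "privEscalation")
                for h2, sw2, pr, po, perm in kb["networkServiceInfo"]
                if (h2, sw2) == (h, sw) and (h, pr, po) in kb["netAccess"]}
        # R3: code execution as a user grants that user's file permissions.
        new |= {("accessFile", h, acc, path) for h, u in kb["execCode"]
                for h2, u2, acc, path in kb["canAccessFile"] if (h2, u2) == (h, u)}
        # R4: a compromised client that the NFS export trusts can write the exported directory.
        new |= {("accessFile", srv, acc, path) for srv, path, acc, cl in kb["nfsExportInfo"]
                if cl in owned and (cl, srv, "nfsProtocol", "nfsPort") in kb["reachability"]}
        # R5: a host mounting a writable export can have a trojaned binary planted and run (slide 12's config.temp).
        new |= {("execCode", cl, "user") for cl, _cp, srv, sp, _a in kb["nfsMounted"]
                if (srv, "write", sp) in kb["accessFile"]}
        fresh = [f for f in new if f[1:] not in kb[f[0]]]
        if not fresh:
            return kb
        for p, *args in fresh:
            kb[p].add(tuple(args))

def compromised_hosts(facts=GROUND_TRUTH):
    """Hosts on which the attacker can execute code: the path the three analysts must piece together."""
    return sorted({h for h, _ in derive(facts)["execCode"]})
```

Dropping the fileServer vulnerability and the NFS export trust from the fact list leaves only webServer compromised, which is how the derivation shows which ground-truth facts carry the attack from analyst 1's segment into analysts 2 and 3's.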

Page 10: CyberCog

Event distribution – Cyber Analyst 1
• Event 1: TCP probe on port 80 on web server fails.
• Event 2: Successful data transfer through port 80 on web server.
• Event 3: TCP probe on port 80 on web server fails.
• Event 4: Successful data transfer through port 80 on web server.
• Event 5: Successful data transfer through port 80 on web server.
• Event 6: Successful data transfer through port 80 on web server.
• Event 7: Successful data transfer through port 80 on web server.
• Event 8: TCP probe on port 80 on web server succeeds.
• Event 9: Successful remote login to FTP server.
• Event 10: Unauthorized access to FTP server blocked.

Page 11: CyberCog

Event distribution – Cyber Analyst 2
• Event 1: TCP probe to the RPC port of fileServer fails.
• Event 2: Successful data transfer to the RPC port of fileServer.
• Event 3: TCP probe to the RPC port of fileServer succeeds.
• Event 4: Successful data transfer to the RPC port of fileServer.
• Event 5: Successful data transfer to the RPC port of fileServer.
• Event 6: Binary file “config.temp” in directory “/export” is changed by “shanter”.
• Event 7: Binary file “config.temp” in directory “/export” is changed by “jhun”.
• Event 8: Binary file “config.temp” in directory “/export” is changed by “unknown” – malicious file override.
• Event 9: Binary file “source.temp” in directory “/export” is changed by “nfinch”.
• Event 10: File “world.xml” updated by admin.

Page 12: CyberCog

Event distribution – Cyber Analyst 3
• Event 1: Bad file “config.temp” is downloaded by “rjay”.
• Event 2: File “config.temp” is executed on “rjay” user computer.
• Event 3: Executable file “free.exe” downloaded by “jkay”.
• Event 4: File “free.exe” is executed by “jkay”.
• Event 5: Bad file “config.temp” is downloaded by “praj”.
• Event 6: File “config.temp” is executed on “praj” user computer.
• Event 7: Executable file “free.exe” downloaded by “skay”.
• Event 8: File “free.exe” is executed by “skay”.
• Event 9: Bad file “config.temp” is downloaded by “skay”.
• Event 10: Trojan horse detected on “skay” user computer.

Page 13: CyberCog

Alert distribution – Cyber Analyst 1
• AE1 against Event 1: The probing packet matches a signature compromising webServer.
• AE2 against Event 3: The probing packet matches a signature compromising webServer.
• AE3 against Event 8: The probing packet matches a signature compromising webServer.
• AE4 false positive: saying that webServer runs a malicious NSF shell.

Page 14: CyberCog

Alert distribution – Cyber Analyst 2
• FN1 False Negative against Event 3: the sensor did not raise any alert about the probe to the file server.
• AE1 against Event 6: file “change.temp” in directory “/export” is changed.
• AE2 against Event 7: file “change.temp” in directory “/export” is changed.
• AE3 against Event 8: file “change.temp” in directory “/export” is changed.
• AE4 against Event 8: file “change.temp” is a Trojan horse.
• AE3 against Event 9: file “source.temp” in directory “/export” is changed.
• AE3 against Event 10: file “change.temp” in directory “/export” is changed.

Page 15: CyberCog

Alert distribution – Cyber Analyst 3
• AE1 against Event 2: Trojan horse is being executed on rjay user computer.
• AE2 against Event 6: Trojan horse is being executed on praj user computer.
• AE2 against Event 10: Trojan horse is being executed on skay user computer.

Page 16: CyberCog

CyberCog

• Feedback System
  • Feedback to the users on what they have accomplished so far.
  • The severity level (high, medium or low) of attacks identified and mitigated in the current exercise.

• Dynamic factors to measure SA
  • Increasing information (events & alerts) and data overload.
  • Introducing new attacks.
  • Changing environment factors in real time.
  • A delay in providing an important alert.
  • Changes to possible assumptions.
  • Increasing and decreasing the time to respond to an attack.
  • Providing multiple solutions for defending against an attack (choosing the most cost-effective solution).
  • Road blocks introduced while defending against an attack, e.g. a tool crash.
  • Flashing new attack information onto an individual user's screen.


Page 17: CyberCog

CyberCog

• Measuring and logging
  • Team interaction is logged in real time.
  • Team performance is measured through the number of attacks identified and mitigated.
  • The dynamic nature of the environment is used to measure SA.

• Enhancements planned
  • Visual representation of events and alerts, e.g. an attack graph.


Page 18: CyberCog

Reference
• [1] Peng Xie, Jason H. Li, Xinming Ou, Peng Liu, Renato Levy, “Using Bayesian Networks for Cyber Security Analysis”.