CYBERCOG Test Bed Overview

The Experiment Setup 2 Screens per analyst A common projector screen Experimenter observing the interactions and taking notes

Resources for each cyber analyst Each participant takes the role of a cyber analyst. Each participant will have two computer screens. The first screen displays the events, alerts, attack patterns and messages from other analyst in the experiment The second screen displays the map of the network segment that the analyst is responsible for, and also the alerts and events of importance, identified by the team. The common projector screen displays the entire network map and a timer to indicate the time left to complete the task.

Information available to each cyber analyst

Overview of tasks performed during an exercise

Sample Network Map

Attack Scenario Example attack scenario [1]

Example Scenario Workstations of several employees in a company XYZ becomes non responsive. Work is majorly affected in the company. It is estimated that if the situation continues for more than 2 hours, the company could incur a net loss of over a million dollars.

Ground Truth available to each Cyber Analyst Cyber Analyst 1 Web Server: reachability (Internet, webService, TCP,80) Web server :networkServiceInfo(webServer, httpd,tcp,80,apache) Web server :VulExists(webServer,’CAN ’,httpd,remoteExploit, privEscalation Cyber Analyst 2 Fileserver: reachability(webserver,fileserver,rpc,100005) Fileserver: vulExists(fileserver,vulID,mountd,remoteExploit,privEscalation) Fileserver: networkServiceInfo(fileServer,mountd,rpc,100005,root) Fileserver: canAccessFile(fileServer,root,write,’/export’) Fileserver: nfsExportInfo(fileServer,’/export’,write,webServer) Fileserver: reachability(webserver,fileServer,nfsProtocol,nfsPort) Cyber Analyst 3 nfsMounted(workstation,’/usr/local/share’,fileServer,’/export’,read)

Event distribution – Cyber Analyst 1 Event 1:TCP probe on port 80 on web server fails. Event 2:Successful data transfer through port 80 on web server Event 3:TCP probe on port 80 on web server fails. Event 4:Successful data transfer through port 80 on web server Event 5:Successful data transfer through port 80 on web server. Event Successful data transfer through port 80 on web server. Event 7:Successful data transfer through port 80 on web server. Event 8:TCP probe on port 80 on web server succeeds Event 9:Successful remote login to FTP server. Event 10:Unauthorized access to FTP server blocked.

Event distribution – Cyber Analyst 2 Event 1:TCP probe to the RPC port of fileServer fails. Event 2:Successful data transfer to the RPC port of fileServer. Event 3:TCP probe to the rpc port of fileServer succeeds. Event 4:Successful data transfer to the RPC port of fileServer. Event 5:Successful data transfer to the RPC port of fileServer. Event 6:Binary file “config.temp” in directory “/export” is changed by “shanter”. Event 7:Binary file “config.temp” in directory “/export” is changed by “jhun”. Event 8:Binary file “config.temp” in directory “/export” is changed by “unknown” – malicious file override. Event 9:Binary file “source.temp” in directory “/export” is changed by “nfinch”. Event 10:File “world.xml” updated by admin.

Event distribution - Cyber Analyst 3 Event1:Bad File “config.temp” is downloaded by “rjay”. Event2:File “config.temp” is executed on “rjay” user computer Event3:Executable File “free.exe” downloaded by “jkay”. Event4:File “free.exe” is executed by “jkay”. Event5:Bad File “config.temp” is downloaded by “praj” Event6:File “config.temp” is executed on on “praj” user computer Event7:Executable File “free.exe” downloaded by “skay”. Event8:File “free.exe” is executed by “skay”. Event9:Bad File “config.temp” is downloaded by “skay”. Event10:Trojan Horse detected on “skay” user computer

Alert distribution- Cyber Analyst 1 AE1 against Event 1: The probing packet matches a signature compromising webServer. AE2 against Event 3: The probing packet matches a signature compromising webServer. AE3 against Event 8: The probing packet matches a signature compromising webServer. AE4 false positive: saying that webServer runs a malicious NSF shell.

Alert distribution- Cyber Analyst 2 FN1 False Negative against Event 3: the sensor did not raise any alert about probe to file server. AE1 against event 6: file “change.temp” in directory “/export” is changed. AE2 against event 7: file “change.temp” in directory “/export” is changed. AE3 against event 8: file “change.temp” in directory “/export” is changed. AE4 against event 8: file “change.temp” is a Trojan horse. AE3 against event 9: file “source.temp” in directory “/export” is changed. AE3 against event 10: file “change.temp” in directory “/export” is changed.

Alert distribution- Cyber Analyst 3 AE1 against event 2: Trojan horse is being executed on rjay user computer. AE2 against event 6: Trojan horse is being executed on praj user computer. AE2 against event 10: Trojan horse is being executed on skay user computer.

CyberCog Feedback System Feedback to the users of what they have accomplished so far. The severity level (high, medium or low) of attacks identified and mitigated in the current exercise. Dynamic factors to measure SA Increasing information(Events & alerts) and data overload. Introducing new attacks. Changing environment factors real time. A delay to provide an important alert. Change to possible assumptions. Increasing and decreasing the time to respond to an attack. Providing multiple solutions in defending an attack (choosing the most cost effective solution). Road blocks introduced while defending an attack eg:- tool crash. Flashing new attack information on to individual user’s screen. 16

CyberCog Measuring and logging Team interaction is logged real time Team performance measured through the number of attacks identified and mitigated. Dynamic nature of the environment is used to measure SA. Enhancements Planned Visual representation of events and alerts E.g. – attack graph. 17

Reference [1] – “Using Bayesian Networks for Cyber Security Analysis”, Peng Xie, Jason H Li, Xinming Ou, Peng Liu, Renato Levy