CyberCog Test Bed Overview
The Experiment Setup
• 2 screens per analyst
• A common projector screen
• Experimenter observing the interactions and taking notes

Resources for each cyber analyst
• Each participant takes the role of a cyber analyst.
• Each participant has two computer screens.
• The first screen displays the events, alerts, attack patterns and messages from the other analysts in the experiment.
• The second screen displays the map of the network segment that the analyst is responsible for, together with the alerts and events of importance identified by the team.
• The common projector screen displays the entire network map and a timer indicating the time left to complete the task.
Attack Scenario
Example attack scenario [1]

Example Scenario
• Workstations of several employees in company XYZ become non-responsive. Work in the company is severely affected. It is estimated that if the situation continues for more than 2 hours, the company could incur a net loss of over a million dollars.
Ground Truth available to each Cyber Analyst
• Cyber Analyst 1
  • Web server: reachability(Internet, webService, TCP, 80)
  • Web server: networkServiceInfo(webServer, httpd, tcp, 80, apache)
  • Web server: vulExists(webServer, 'CAN-2002-0392', httpd, remoteExploit, privEscalation)
• Cyber Analyst 2
  • File server: reachability(webserver, fileserver, rpc, 100005)
  • File server: vulExists(fileserver, vulID, mountd, remoteExploit, privEscalation)
  • File server: networkServiceInfo(fileServer, mountd, rpc, 100005, root)
  • File server: canAccessFile(fileServer, root, write, '/export')
  • File server: nfsExportInfo(fileServer, '/export', write, webServer)
  • File server: reachability(webserver, fileServer, nfsProtocol, nfsPort)
• Cyber Analyst 3
  • Workstation: nfsMounted(workstation, '/usr/local/share', fileServer, '/export', read)
Event distribution – Cyber Analyst 1
• Event 1: TCP probe on port 80 on web server fails.
• Event 2: Successful data transfer through port 80 on web server.
• Event 3: TCP probe on port 80 on web server fails.
• Event 4: Successful data transfer through port 80 on web server.
• Event 5: Successful data transfer through port 80 on web server.
• Event 6: Successful data transfer through port 80 on web server.
• Event 7: Successful data transfer through port 80 on web server.
• Event 8: TCP probe on port 80 on web server succeeds.
• Event 9: Successful remote login to FTP server.
• Event 10: Unauthorized access to FTP server blocked.

Event distribution – Cyber Analyst 2
• Event 1: TCP probe to the RPC port of fileServer fails.
• Event 2: Successful data transfer to the RPC port of fileServer.
• Event 3: TCP probe to the RPC port of fileServer succeeds.
• Event 4: Successful data transfer to the RPC port of fileServer.
• Event 5: Successful data transfer to the RPC port of fileServer.
• Event 6: Binary file “config.temp” in directory “/export” is changed by “shanter”.
• Event 7: Binary file “config.temp” in directory “/export” is changed by “jhun”.
• Event 8: Binary file “config.temp” in directory “/export” is changed by “unknown” – malicious file override.
• Event 9: Binary file “source.temp” in directory “/export” is changed by “nfinch”.
• Event 10: File “world.xml” updated by admin.

Event distribution – Cyber Analyst 3
• Event 1: Bad file “config.temp” is downloaded by “rjay”.
• Event 2: File “config.temp” is executed on “rjay” user computer.
• Event 3: Executable file “free.exe” downloaded by “jkay”.
• Event 4: File “free.exe” is executed by “jkay”.
• Event 5: Bad file “config.temp” is downloaded by “praj”.
• Event 6: File “config.temp” is executed on “praj” user computer.
• Event 7: Executable file “free.exe” downloaded by “skay”.
• Event 8: File “free.exe” is executed by “skay”.
• Event 9: Bad file “config.temp” is downloaded by “skay”.
• Event 10: Trojan horse detected on “skay” user computer.
Alert distribution – Cyber Analyst 1
• AE1 against Event 1: The probing packet matches a signature compromising webServer.
• AE2 against Event 3: The probing packet matches a signature compromising webServer.
• AE3 against Event 8: The probing packet matches a signature compromising webServer.
• AE4 false positive: saying that webServer runs a malicious NSF shell.

Alert distribution – Cyber Analyst 2
• FN1 false negative against Event 3: the sensor did not raise any alert about the probe to the file server.
• AE1 against Event 6: file “change.temp” in directory “/export” is changed.
• AE2 against Event 7: file “change.temp” in directory “/export” is changed.
• AE3 against Event 8: file “change.temp” in directory “/export” is changed.
• AE4 against Event 8: file “change.temp” is a Trojan horse.
• AE3 against Event 9: file “source.temp” in directory “/export” is changed.
• AE3 against Event 10: file “change.temp” in directory “/export” is changed.

Alert distribution – Cyber Analyst 3
• AE1 against Event 2: Trojan horse is being executed on rjay user computer.
• AE2 against Event 6: Trojan horse is being executed on praj user computer.
• AE2 against Event 10: Trojan horse is being executed on skay user computer.
CyberCog
• Feedback System
  • Feedback to the users on what they have accomplished so far.
  • The severity level (high, medium or low) of attacks identified and mitigated in the current exercise.
• Dynamic factors to measure SA
  • Increasing information (events and alerts) and data overload.
  • Introducing new attacks.
  • Changing environment factors in real time.
  • A delay in providing an important alert.
  • Changes to possible assumptions.
  • Increasing and decreasing the time to respond to an attack.
  • Providing multiple solutions for defending against an attack (choosing the most cost-effective solution).
  • Road blocks introduced while defending against an attack, e.g. a tool crash.
  • Flashing new attack information onto an individual user's screen.

CyberCog
• Measuring and logging
  • Team interaction is logged in real time.
  • Team performance is measured through the number of attacks identified and mitigated.
  • The dynamic nature of the environment is used to measure SA.
• Enhancements Planned
  • Visual representation of events and alerts, e.g. an attack graph.
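The ground-truth predicates given to the three analysts are fragments of a single attack path, and the planned attack-graph view is what joins them. The following is an added example (not code from the CyberCog test bed or from [1]) that forward-chains four MulVAL-style rules over those predicates to recover that path; the attacker foothold on the Internet, the rule set, and the derived predicates execCode/accessFile are assumptions made here, and the "planted file executed" rule stands in for the Trojan-execution events of Cyber Analyst 3.

```python
from itertools import product
# Constructed from the ground truth on the slides; the attacker foothold is an assumption.
FACTS = {
    ("execCode", "internet", "attacker"),
    ("reachability", "internet", "webServer", "tcp", "80"),
    ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
    ("vulExists", "webServer", "CAN-2002-0392", "httpd", "remoteExploit", "privEscalation"),
    ("reachability", "webServer", "fileServer", "rpc", "100005"),
    ("networkServiceInfo", "fileServer", "mountd", "rpc", "100005", "root"),
    ("vulExists", "fileServer", "vulID", "mountd", "remoteExploit", "privEscalation"),
    ("nfsExportInfo", "fileServer", "/export", "write", "webServer"),
    ("nfsMounted", "workstation", "/usr/local/share", "fileServer", "/export", "read"),
}
def named(kb, name): return [f for f in kb if f[0] == name]

def derive(facts):
    """Forward-chain to a fixpoint; return {derived_fact: (rule_name, premise_facts)}."""
    kb, why, changed = set(facts), {}, True
    def add(fact, rule, premises):
        if fact in kb: return False
        kb.add(fact); why[fact] = (rule, premises); return True
    while changed:
        changed = False
        # Rule 1: remote exploit of a reachable vulnerable service runs code as the service user.
        for ex, r, s, v in product(named(kb, "execCode"), named(kb, "reachability"),
                                   named(kb, "networkServiceInfo"), named(kb, "vulExists")):
            if (ex[1] == r[1] and r[2] == s[1] == v[1] and r[3:5] == s[3:5] and s[2] == v[3]
                    and v[4] == "remoteExploit" and v[5] == "privEscalation"):
                changed |= add(("execCode", s[1], s[5]), "remote exploit", (ex, r, s, v))
        # Rule 2: code on a host allowed to write an NFS export gives write access to the export.
        for ex, n in product(named(kb, "execCode"), named(kb, "nfsExportInfo")):
            if ex[1] == n[4] and n[3] == "write":
                changed |= add(("accessFile", n[1], "write", n[2]), "NFS export", (ex, n))
        # Rule 3: a writable export mounted on a client lets the attacker plant files there.
        for a, m in product(named(kb, "accessFile"), named(kb, "nfsMounted")):
            if a[2] == "write" and a[1] == m[3] and a[3] == m[4]:
                changed |= add(("accessFile", m[1], "write", m[2]), "NFS mount", (a, m))
        # Rule 4 (assumed): a planted file on a mount client is run by a user (Analyst 3's events).
        clients = {m[1] for m in named(kb, "nfsMounted")}
        for a in named(kb, "accessFile"):
            if a[1] in clients and a[2] == "write":
                changed |= add(("execCode", a[1], "user"), "planted file executed", (a,))
    return why

def attack_chain(why, goal):
    """(rule, derived_fact) pairs from the foothold to goal, in derivation order."""
    if goal not in why:
        return []
    rule, premises = why[goal]
    return [step for p in premises for step in attack_chain(why, p)] + [(rule, goal)]
```

Calling attack_chain(derive(FACTS), ("execCode", "workstation", "user")) yields the four-step chain web server exploit, /export write, mounted share, execution on the workstation, i.e. the events seen by Analysts 1, 2 and 3 in order.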
Reference
[1] Peng Xie, Jason H. Li, Xinming Ou, Peng Liu, Renato Levy, “Using Bayesian Networks for Cyber Security Analysis”.