Guide for Designing Cyber Security Exercises



Similar documents
Train Like You Will Fight

Penetration Testing in Romania

CANVAS: a Regional Assessment Exercise for Teaching Security Concepts

About Effective Penetration Testing Methodology

Hackers are here. Where are you?

SETTING UP AND USING A CYBER SECURITY LAB FOR EDUCATION PURPOSES *

Information Security Services

Penetration Testing - a way for improving our cyber security

How To Test For Security On A Network Without Being Hacked

Cyber Defense Competitions and Information Security Education: An Active Learning Solution for a Capstone Course

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

ESKISP Manage security testing

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Hackers are here. Where are you?

SECURITY. Risk & Compliance Services

Incident Response Plan for PCI-DSS Compliance

The Open Cyber Challenge Platform *

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Defending Against Data Beaches: Internal Controls for Cybersecurity

Information Security and Risk Management

Small-Scale Cyber Security Competitions

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

A Biologically Inspired Approach to Network Vulnerability Identification

Bellevue University Cybersecurity Programs & Courses

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Exploring a National Cyber Security Exercise for Colleges and Universities

Protecting against cyber threats and security breaches

Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

Principles of Information Assurance Syllabus

Client logo placeholder XXX REPORT. Page 1 of 37

Introduction to Cyber Defense Competition. Module 16

EC-Council. Certified Ethical Hacker. Program Brochure

CyberNEXS Global Services

PENETRATION TESTING GUIDE. 1

EC-Council C E. Hacking Technology. v8 Certified Ethical Hacker

CONSULTING IMAGE PLACEHOLDER

Certification Programs

Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Certification Programs

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Targeted attacks: Tools and techniques

Jumpstarting Your Security Awareness Program

167 th Air Wing Fast Track Cyber Security Blue Ridge Community and Technical College

Developing Small Team-based Cyber Security Exercises

The Protection Mission a constant endeavor

CYBERTRON NETWORK SOLUTIONS

Contestant Requirements:

Cyber Incident Response

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Footprinting and Reconnaissance Tools

Incident Response 101: You ve been hacked, now what?

Practical Steps To Securing Process Control Networks

Penetration Testing Services. Demonstrate Real-World Risk

Analyze. Secure. Defend. Do you hold ECSA credential?

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

EC Council Certified Ethical Hacker V8

167 th Air Wing Fast Track Cyber Program Blue Ridge Community and Technical College

Network Security Administrator

Cyber/ Network Security. FINEX Global

EC-Council Certified Security Analyst (ECSA)

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Learn Ethical Hacking, Become a Pentester

Minnesota State Community and Technical College Detroit Lakes Campus

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

Cybersecurity: Protecting Your Business. March 11, 2015

Certified Ethical Hacker (CEH)

Cisco Security Optimization Service

Corporate Incident Response. Why You Can t Afford to Ignore It

Vinny Hoxha Vinny Hoxha 12/08/2009

CompTIA Security+ (Exam SY0-410)

Understanding Security Testing

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

SANS Top 20 Critical Controls for Effective Cyber Defense

Cyber Exercises, Small and Large

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

City University of Hong Kong. Information on a Course offered by Department of Computer Science with effect from Semester A in 2014 / 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Cyber Security Day: Creating a Mock Cyber Competition Event to Increase Student Interest in Cyber Security

Capabilities for Cybersecurity Resilience

Department of Homeland Security

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

Transcription:

Guide for Designing Cyber Security Exercises VICTOR-VALERIU PATRICIU Computer Science Department Military Technical Academy Bucharest, Bd. George Cosbuc, no. 81-83 ROMANIA victorpatriciu@yahoo.com ADRIAN CONSTANTIN FURTUNA Computer Science Department Military Technical Academy Bucharest, Bd. George Cosbuc, no. 81-83 ROMANIA adif2k8@gmail.com Abstract: - Cyber security exercises are a very effective way of learning the practical aspects of information security. But designing such exercises is not an easy task and requires the work of several people. This paper presents a number of steps and guidelines that should be followed when designing a new cyber security exercise. The steps include: defining the objectives, choosing an approach, designing network topology, creating a scenario, establishing a set of rules, choosing appropriate metrics and learning lessons. The intended audience of this paper is persons who are in charge with design and organization of a new cyber security exercise and do not have the experience of previous exercises. Key-Words: - cyber security exercise, cyber defense exercise, security education, design guide 1. Introduction Cyber security exercises have been for a long time the ultimate learning experience for many students in some universities, especially from United States [1]. Periodical competitions are organized between universities or inside one university where students play the roles of attackers or defenders in a controlled and well defined environment. The whole purpose of these exercises is educational, to ensure that students have an experiential training in information security a process described in Kolb s Experiential Learning Theory [2]. This paper is meant to be a guide that can be used by universities or other organizations to prepare a cyber security exercise. The steps needed to do that were synthesized from a series of academic papers written after various cyber security exercises. The guide describes seven steps that should be taken when organizing such an exercise. Each step is presented in detail and some options for implementation are also given. The contribution this paper brings is a general method to organize a cyber security exercise that can be customized to the organizer s needs and objectives. The previous work in this area consists in some efforts to document a framework for cyber security education [3] and a series of analysis, overview opinions and questions about generalization of cyber security exercises [1]. 2. The Need for a Uniform Structure There is a great diversity among the cyber security exercises organized until now regarding their structure, objectives and approach. For instance, the Cyber Defense Exercise (CDX) is an inter-academy competition [4] in which teams design, implement, manage and defend a network of computers. The attacker role is played by a team of security professionals from various government agencies. In this exercise students are focusing on defensive tasks in network security, and spend a lot ISSN: 1790-5117 172 ISBN: 978-960-474-143-4

of time conducting forensic analysis and making security configurations. An opposite approach is taken by the organizers of the International Capture The Flag (also known as the ictf) form University of California, Santa Barbara. The ictf contest is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants. It is held once a year and it is a multi-site, multi-team hacking contest in which a number of teams compete independently against each other. The exercises are based on the DEFCON Capture the Flag contest [6]. To address this diversity, this guide can be used as a starting point for any university that wishes to organize its own cyber security exercise / competition. In this case, the exercise would best fit as a capstone project for last year students, which already have an Information Assurance background. But the guide does not apply only to university environment; it can be used also by other organizations with the purpose of training their employees in Information Assurance field. 3. Design Steps Designing a cyber security exercise requires careful planning by multiple persons involved in this activity. As we can see from the papers written as feedback for various cyber security exercises, a cyber defense exercise can have many forms but all of them share some common characteristics that we use to build this template. We have identified seven steps necessary for building a cyber security exercise Figure 1. First of all, the exercise must have a set of objectives. Based on these objectives, we take a specific approach in designing the exercise. Also based on the objectives, we decide which specific hardware and software equipment shall be used in the exercise and what will be their overall topology. Based on the topology and the objectives we build the scenario of the exercise the story. The set of rules derive from the scenario and from the objectives. The metrics necessary for measuring the efficiency of the exercise shall be based also on the established objectives. Finally, the exercise should have a method of gathering the lessons learned by the participants and also by the organizers. All of these template steps will be described in the following paragraphs of this paper. Another important aspect of the exercise is to define the entities that will compose it. In a general cyber security exercise there are mainly two sides: the attacker side and the defender side. On each side there are computer systems that are managed by teams of participants. Each side must have at least one system to participate to the exercise and the maximum number of participating systems is theoretically infinite. The components of the exercise are represented in Figure 2. Figure 2 The Components of a Cyber Defense Exercise Figure 1 Design Steps for a Cyber Security Exercise As we can see, the cyber security exercise contains five main components that must be defined in the following steps of the guide: Defender team Target system Infrastructure Attacker team ISSN: 1790-5117 173 ISBN: 978-960-474-143-4

Attacker system 4. Define Exercise Objectives Defining the exercise objectives is the starting point for the design of the cyber security exercise. All of the following steps of the exercise design depend on the chosen objectives and are influenced by them. The objectives for a cyber security exercise can be split in two main categories, according to the type of security training desired offensive security or defensive security. The defensive security training prepares the participants for the generic job of security administrator. Their main goal is to be experts in configuring and managing various security equipments. The best example for this kind of practical training is the annual Cyber Defense Exercise organized by the US Military Academy at Westpoint [4]. On the other side, the offensive security training is also an effective way to learn information security, as discussed by Vigna [7] and Mink [8]. This type of training prepares the participants for the generic job of penetration tester and helps them think like the enemy, in a proactive manner. But these training directions should not be seen as completely separated from each other. In order to implement effective defense mechanisms, a very good knowledge of the attack methods is needed. So a security administrator needs to know what are the attacks a penetration tester could implement in order to prepare defense mechanisms against them and also a penetration tester must know what defense methods a security administrator might implement in order to prepare attacks that try to bypass them. In Table 1 there are some common learning objectives for a cyber security exercise according to the participants specialization: Learning objective - implement security configurations - monitor systems activity Participant specialization: Security administrator () or Penetration tester (PT) - test / harden the administered system - security configuration fine tuning / improvement - incident handling / response - analyze logs and do forensics - hands-on experience with PT various attack tools - perform reconnaissance and PT gather information - perform scanning and PT enumeration - gain access PT - perform DDoS PT - escalate privileges PT - maintain access PT - cover tracks and place PT backdoors - write and test new tools +PT - understand the defense +PT techniques according to the attack methods Table 1 Cyber Security Exercise Objectives 5. Choose the Approach The approach chosen for the exercise shall be directly derived from its objectives. Generally, a cyber defense exercise intended to train security administrators would adopt a defense oriented approach while an exercise for penetration testers would take an offense oriented approach. Comprehensive security training should adopt a mixed approach, as described below. 5.1. Defense Oriented Approach When using this approach, the goals of the exercise are to study and practice the defense methods that can be used during a cybernetic attack. These methods are more related to system administration and forensics tasks. The defenders should know that the defense is a continuous process that can be split into the following actions: Create a security policy Implement security measures Monitor the security state ISSN: 1790-5117 174 ISBN: 978-960-474-143-4

Test your own security state Improve the security These actions constitute the well known Security Wheel Figure 3 and should be used in order to secure the defended asset, monitor its activity in order to detect any attacks and mitigate them by improving the configurations. In a defense oriented approach, there are at least three ways of organizing the exercise. The participants receive the requirements and services they should provide and they must develop their own computer systems to provide them The participants receive default installations for specific systems and services to provide and they must configure them in order to be protected The participants receive already installed and configured systems and they must protect them In this approach, the attacker can be the instructor or an external party. gain access or perform DoS escalation of privileges maintain access cover tracks and place backdoors In an offence oriented approach, the target can be a system preconfigured with known vulnerabilities and most not necessarily be administered by someone during the attack. Figure 4 Attacker Actions 5.3. Mixed Approach The mixed approach combines the defensive approach with the offensive approach and is the most comprehensive method to perform a cyber defense exercise. In this case the participants to the exercise will be split in two parts, the ones who will play the defender role and the ones who will be the attackers Figure 5. Figure 3 Defender Actions 5.2. Offense Oriented Approach The participants need to learn also the offensive component of a cyber defense exercise because this helps them better understand how to defend against attacks. There is a need for deep understanding of the attack methodologies in order to know how to efficiently mitigate them. So an offence oriented approach would place the participants into the attacker s position. They will have to perform attacks against various targets. In order to simulate a real life attack, the participants should follow the next steps of a regular attack (Figure 4): perform reconnaissance scanning and enumeration Figure 5 Mixed Approach 6. Design Network Topology At this stage, the organizers should define the infrastructure, what systems will be used during the exercise and how they will be interconnected in order to support the exercise objectives. For instance, if one of the exercise objectives is to train the participants in defending a local area network with a Windows Active Directory infrastructure, the topology should reflect that. ISSN: 1790-5117 175 ISBN: 978-960-474-143-4

The topology should also be according to the number of participants to the exercise, to ensure no bottlenecks and best communication between systems. 7. Create Exercise Scenario Until now, we have established what we want to do from the technical point of view. Now it s the time to give the exercise a shape that can be presented to the participants. This is the scenario and it should put the participants in a realistic situation in which they must defend or attack a target system. The scenario describes the situation that the exercise is trying to simulate and the logical flow of events that will be happening. It should also contain an intriguing story in order to increase the participants degree of interest. As part of the scenario, the participants could be asked to perform business related tasks during the exercise, in order to simulate a real working environment. The realism of the scenario is also given by the attacker s goals. In general, the cybernetic attack goals fall into the following categories: access confidential data (read/write) disrupt services control machines These are the things that the defenders must not allow to happen. From the logical point of view, the targets of the attacks can be: public services computer networks humans trust relationships 8. Establish a Set of Rules The rules and guidelines for a cyber defense exercise should address the following topics: General rules These rules should express clearly how the exercise is supposed to run and how the participant should be organized. They should also address problems like: equity between team resources, what tools are allowed to use, team responsibilities, each team s role in the competition, communication between participants, competition timing, etc. Another thing that these rules should specify is what happens if one participant breaks one rule (e.g. disqualification, penalty). Scoring engine This set of rules must express the way the teams obtain points, what are the winning conditions, what are the actions for which teams lose points and which actions will not get them any points. The scoring method should be transparent to all participants to the exercise. Eligibility There should be well defined criteria for the participation at the exercise. For instance, if the exercise was organized by a university, the participants would be eligible if they were students at that university and if they had passed successfully all their information security related exams. Other criteria could be: age, study year, clean background, etc. Legal issues From the legal point of view, the set of rules must express the limitations imposed by the state law and local law from where the exercise will be organized. Exercise organizers should check law related aspects for: unauthorized intrusion, unauthorized access to data in transmission, unauthorized access to stored data, individual privacy rights, contractual obligations. For instance, the usage of some attack tools might be interdicted like in Germany [9]. Limitations The rules should also establish what are strategies and practices that are and the ones that are not allowed during the exercise. They should be divided in rules for defenders and rules for attackers (e.g. DoS attacks are not allowed). The persons who arbitrate the competition should also know what are their limitations (e.g. they must not influence any of the teams). 9. Choose Appropriate Metrics To measure the effectiveness of the cyber security exercise, a set of metrics is needed. The effectiveness of the exercise expresses how well the objectives have been achieved. So the chosen metrics should be tightly related to the objectives. On the other side, the objectives should be expressed in measurable terms. In Table 2 there are some examples of objectives for a cyber security exercise and the associated metrics: ISSN: 1790-5117 176 ISBN: 978-960-474-143-4

Learning objective - implement security configurations on a specific system - monitor systems security - incident handling / response - analyze logs and do forensics - perform scanning and enumeration Metric for effectiveness - number of successful attacks performed by the attacker teams on that system - number of detected attacks from the total number of attacks performed - the time taken to recover from a successful attack - the number of attacks correctly identified - the number of open ports/services detected compared to the total number of open ports (pre-configured) - perform DDoS - the downtime of the attacked service compared to attack duration - cover tracks and place - number of successful backdoors accesses to target systems kept until the end of the exercise Table 2: Sample Metrics for Exercise Effectiveness 10. Don t Forget the Lessons Learned This step is very important for the effectiveness of the cyber security exercise. The organizers should find an appropriate mechanism for gathering feedback from the participants (e.g. evaluation forms at the end of the exercise). A very useful information would be the techniques and tools that each party had used in order to accomplish the scenario objectives. After centralization and analysis, this information should be made public because it will help the participants realize what was really going on during the exercise and will help the organizers improve other editions of the exercise. 11. Conclusions Designing a cyber security exercise is not an easy task and requires the work of several people. When organizing such an exercise it is always best to learn from the past experience of the ones who already did it. This paper presented a number of steps and guidelines that should be followed when designing a new cyber security exercise. The guidelines have been crystallized from the analysis of a number of papers written after various cyber security exercises. The ideas presented in this paper can be used by anyone who wants to organize a cyber security exercise for an educational purpose (e.g. universities, companies, governmental institutions, etc). References: [1] Lance J. Hoffman, Daniel Ragsdale: Exploring a National Cyber Security Exercise for Colleges and Universities, IEEE Security and Privacy, Volume 3, Issue 5 (September 2005) [2] D.A. Kolb, Experiential Learning: Experience as the Source of Learning and Development. Prentice- Hall, Inc., Englewood Cliffs, N.J. 1984. [3] Thomas Augustine, Ronald C. Dodge, Cyber Defense Exercise:Meeting Learning Objectives thru Competition, IEEE Security and Privacy, Volume 5, Issue 5 (September 2007) [4] Wayne Schepens, Daniel Ragsdale, John Surdu, The Cyber Defence Exercise: An Evaluation of the Effectiveness of Information Assurance Education, The Journal of Information Security, Volume 1, Number 2. July, 2002 [5] The UCSB ictf contest, http://ictf.cs.ucsb.edu/index.php [6] Defcon hacking event, Las Vegas. http://www.defcon.org [7] G. Vigna, Teaching network security through live exercises. Security education and critical infrastructures, Pages: 3 18, 2003 [8] Martin Mink and Felix C. Freiling, Is Attack Better Than Defense?Teaching Information Security the Right Way, Proceedings of the 3rd annual conference on Information security curriculum development, Kennesaw, Georgia, 2006 [9] http://www.theregister.co.uk/2007/08/13/german_an ti-hacker_law/ ISSN: 1790-5117 177 ISBN: 978-960-474-143-4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information