  • 8/13/2019 12Sep Longoria

    1/85

NAVAL POSTGRADUATE SCHOOL
MONTEREY, CALIFORNIA

THESIS

Approved for public release; distribution is unlimited

SCALABILITY ASSESSMENTS FOR THE MALICIOUS ACTIVITY SIMULATION TOOL (MAST)

by

Ray Longoria Jr.

September 2012

Thesis Co-Advisors: Gurminder Singh
                    John H. Gibson


REPORT DOCUMENTATION PAGE (Form Approved OMB No. 0704-0188)

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503.

1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: September 2012
3. REPORT TYPE AND DATES COVERED: Master's Thesis
4. TITLE AND SUBTITLE: Scalability Assessments for the Malicious Activity Simulation Tool (MAST)
5. FUNDING NUMBERS
6. AUTHOR(S): Ray Longoria Jr.
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943-5000
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A
10. SPONSORING / MONITORING AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. IRB Protocol number: N/A.
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited
12b. DISTRIBUTION CODE: A

13. ABSTRACT (maximum 200 words)

MAST (Malicious Activity Simulation Tool) aims to support the conduct of network administrator security training on the very network that the administrator is supposed to manage. A key element of MAST is to use malware mimics to simulate malware behavior. Malware mimics look and behave like real malware except for the damage that real malware causes. MAST enhances training by providing realistic scenarios that are dynamic, repeatable, and provide relevant feedback.

This thesis is meant to test the scalability characteristics of MAST. Specifically, we show that an exponential increase in clients using the MAST software does not impact network and system resources significantly. Additionally, we demonstrate and discuss how MAST is installed on a new network, and delivers feedback to the organization being trained.

14. SUBJECT TERMS: Red Teams, Malware, Network Security, Training, Computer Network Defense, Simulation, Scalability
15. NUMBER OF PAGES: 85
16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: UU

NSN 7540-01-280-5500    Standard Form 298 (Rev. 2-89), Prescribed by ANSI Std. 239-18


Approved for public release; distribution is unlimited

SCALABILITY ASSESSMENTS FOR THE MALICIOUS ACTIVITY SIMULATION TOOL (MAST)

Ray Longoria Jr.
Captain, United States Marine Corps
B.A., The Citadel, Military College of South Carolina, 2006

Submitted in partial fulfillment of the requirements for the degree of

MASTER OF SCIENCE IN COMPUTER SCIENCE

from the

NAVAL POSTGRADUATE SCHOOL
September 2012

Author: Ray Longoria Jr.

Approved by: Gurminder Singh, Thesis Co-Advisor
             John H. Gibson, Thesis Co-Advisor
             Peter J. Denning, Chair, Department of Computer Science


ABSTRACT

MAST (Malicious Activity Simulation Tool) aims to support the conduct of network administrator security training on the very network that the administrator is supposed to manage. A key element of MAST is to use malware mimics to simulate malware behavior. Malware mimics look and behave like real malware except for the damage that real malware causes. MAST enhances training by providing realistic scenarios that are dynamic, repeatable, and provide relevant feedback.

This thesis is meant to test the scalability characteristics of MAST. Specifically, we show that an exponential increase in clients using the MAST software does not impact network and system resources significantly. Additionally, we demonstrate and discuss how MAST is installed on a new network, and delivers feedback to the organization being trained.


TABLE OF CONTENTS

I. INTRODUCTION ... 1
  A. NETWORK SECURITY AND INFORMATION ASSURANCE TRAINING ... 1
  B. SHORTFALLS WITH CURRENT TRAINING METHODS ... 2
  C. MALICIOUS ACTIVITY SIMULATION TOOL (MAST) ... 3
  D. OBJECTIVES ... 3
  E. ORGANIZATION ... 4

II. BACKGROUND ... 7
  A. TRAINING METHODS FOR DOD NETWORK ADMINISTRATORS ... 7
    1. Red Teams ... 7
      a. Contemporary Example of a Red Team Implementation ... 8
      b. Historical Example of a Red Team Implementation ... 9
      c. Red Team Implementation within a Cyber Domain ... 9
    2. Defense Information Systems Agency (DISA) Training Programs ... 10
    3. USMC Communication Training Centers (CTCs) ... 11
  B. MALWARE ... 12
    1. Worms ... 13
    2. Viruses ... 14
    3. Botnets ... 15
  C. PROOF OF CONCEPT FOR A MALICIOUS ACTIVITY SIMULATION TOOL ... 16
  D. SUMMARY ... 17

III. DESIGN CONSIDERATIONS AND TEST PLATFORM ... 19
  A. TRAINING ... 19
    1. Training Objectives and Environment ... 19
    2. Shortfalls of Current Training Methods ... 20
      a. Finite Resources ... 20
      b. Non-standardized Training Methods ... 20
      c. Inconsistent Feedback ... 21
      d. Different Training Platform ... 21
    3. Benefits of Implementing MAST ... 22
  B. MALICIOUS ACTIVITY SIMULATION TOOL (MAST) ... 22
    1. System Functionality ... 23
      a. Scenario Generation ... 24
      b. Scenario Distribution ... 24
      c. Scenario Execution ... 25
      d. Reporting and Archiving ... 25
    2. System Architecture ... 26
    3. Safety Features ... 27
      a. Client Check-in ... 27
      b. Kill Switch ... 28
      c. Roll-Back Module ... 28
    4. Modular Features ... 28
    5. A Scenario Example ... 29
  C. TESTING PLATFORM ... 31
    1. Hardware ... 31
    2. Software ... 32
    3. Common PC Operating System Environment (COMPOSE) CG-71 Virtual Machines ... 33
      a. Integrated Shipboard Network System (ISNS) Domain Controller One and Two ... 34
      b. Integrated Shipboard Network System (ISNS) Exchange Server ... 34
      c. Integrated Shipboard Network System (ISNS) System Management Server ... 34
      d. Computer Network Defense-Operating System Environment (CND-OSE) Host-Based Security System (HBSS) Server ... 35
      e. Computer Network Defense-Operating System Environment (CND-OSE) Microsoft Structured Query Language (MSSQL) Server ... 35
      f. CG-71 Common PC Operating System Environment (COMPOSE) Server ... 35
      g. CG-71 Common PC Operating System Environment (COMPOSE) Secure Configuration Compliance Validation Initiative (SCCVI) Host ... 35
      h. CG-71 Common PC Operating System Environment (COMPOSE) Workstation ... 36
  D. HOST-BASED SECURITY SYSTEM (HBSS) ... 36
    1. McAfee ePolicy Orchestrator (ePO) ... 37
    2. McAfee Agent ... 37
    3. McAfee Host Intrusion Prevention System (HIPS) ... 37
      a. Intrusion Prevention System (IPS) ... 37
      b. Host Intrusion Prevention System (HIPS) Firewall ... 37
      c. Host Intrusion Prevention System (HIPS) Application Blocking ... 38
    4. Device Control Module (DCM) ... 38
    5. McAfee Asset Baseline Module (ABM) ... 38
    6. McAfee Policy Auditor (PA) ... 38
    7. McAfee Virus Scan Enterprise (VSE) ... 38
    8. McAfee Rogue System Detection (RSD) ... 38
  E. SUMMARY ... 39

IV. SCALABILITY ASSESSMENT METHODOLOGY AND RESULTS ... 41
  A. MAST DEPLOYMENT AND INSTALLATION ... 41
    1. Over-The-Air (OTA) Deployment ... 41
    2. Local Distribution and Installation ... 42
  B. SCENARIO EXECUTION ... 43
    1. System Resources ... 43
    2. Network Resources ... 44
    3. Experiment Design ... 44
    4. Experiment Methodology ... 47
    5. Results ... 50
      a. System Resources ... 50
      b. Network Resources ... 52
  C. TRAINING FEEDBACK AND DISTRIBUTION ... 55
  D. SUMMARY ... 56

V. CONCLUSIONS AND FUTURE WORK ... 59
  A. CONCLUSIONS ... 59
  B. FUTURE WORK ... 60
    1. Continued Development of Module Library ... 60
    2. Graphical User Interface ... 61
    3. Test and Evaluation on Operational Network ... 61

LIST OF REFERENCES ... 63
INITIAL DISTRIBUTION LIST ... 65


LIST OF FIGURES

Figure 1.  The MAST Architecture Overview ... 23
Figure 2.  Logical View of MAST Architecture (From Greg Belli and Erik Lowney) ... 27
Figure 3.  Example of a MAST Scenario ... 30
Figure 4.  MAST Physical Equipment Setup (From Greg Belli and Erik Lowney) ... 32
Figure 5.  Architecture for MAST deployment and installation ... 42
Figure 6.  Virtual testbed configuration ... 45
Figure 7.  MAST Scenario selection window ... 46
Figure 8.  Breakdown of MAST clients for experimentation ... 48
Figure 9.  Experiment procedure ... 49
Figure 10. Percentage of CPU resources used for experiments ... 51
Figure 11. Percentage of CPU used compared to number of clients ... 52
Figure 12. Characteristics of network during experiments ... 53
Figure 13. Network traffic statistics captured by Wireshark ... 54
Figure 14. Percentage of network resources used ... 55


LIST OF ACRONYMS AND ABBREVIATIONS

AdWare      Advertising Software
CND         Computer Network Defense
CNSS        Committee on National Security Systems
COMPOSE     Common PC Operating System Environment
COTS        Commercial Off The Shelf
CPU         Central Processing Unit
CTC         Communication Training Center
DC          Domain Controller
DCM         Device Control Module
DDoS        Distributed Denial of Service
DHCP        Dynamic Host Configuration Protocol
DHS         Department of Homeland Security
DISA        Defense Information Systems Agency
DNS         Domain Name System
DoD         Department of Defense
ePO         ePolicy Orchestrator
ExComm      Executive Committee
FOC         Full Operating Capability
Gb          Gigabit
GB          Gigabyte
GHz         Gigahertz
GUI         Graphical User Interface
HBSS        Host Based Security System


HIPS        Host Intrusion Prevention System
IA          Information Assurance
ICMP        Internet Control Message Protocol
IDS         Intrusion Detection System
IIS         Internet Information Server
IIT         Infantry Immersion Trainer
IOC         Initial Operational Capability
IP          Internet Protocol
IPS         Intrusion Prevention System
ISNS        Integrated Shipboard Network System
Malware     Malicious Software
MAST        Malicious Activity Simulation Tool
MEF         Marine Expeditionary Force
NNTP        Network News Transfer Protocol
NSA         National Security Agency
OPFOR       Opposing Forces
OTA         Over The Air
RaD-X       Rapid Experience Builder
RAM         Random Access Memory
SMTP        Simple Mail Transfer Protocol
TB          Terabyte
TCP         Transmission Control Protocol
TTP         Tactics, Techniques and Procedures
UPS         Uninterruptible Power Supply
USCYBERCOM  United States Cyber Command


USMC        United States Marine Corps
VM          Virtual Machine


ACKNOWLEDGMENTS

First and foremost, I give thanks to my Heavenly Father, His Grace, and all the blessings I am so lucky to have.

This thesis would not have been possible without the guidance, patience, and support of my thesis advisor, Professor Gurminder Singh. Thank you for your time and the opportunity to work with you. My thesis co-advisor, Mr. John Gibson, provided guidance and mentorship not only for this thesis, but throughout my NPS career as well. Thank you.

I would be remiss if I did not offer my heartfelt thanks and appreciation to CDR Jim Hammond and LT Justin Neff. I cannot say enough about Jim's effort, hard work, and leadership while working on the MAST project. I thank Justin for his dedication and motivation to not only the MAST project, but to all our endeavors together. Also, I would like to thank Mr. Arijit Das, Mr. Erik Lowney, and Mr. Greg Belli. Their hard work and contributions advanced and elevated this project to levels we hadn't considered possible within our timeline. Thank you gentlemen.

Additionally, I want to thank Ms. Susan Hood from SPAWARSYSCEN-PACIFIC and Mr. Quincy Taitt from Man Tech Systems for providing the software and training that allowed us to test MAST in our shipboard simulated environment.

I would also like to acknowledge and thank all my professors and fellow cohort members over the last two years. Specifically, I would like to acknowledge CDR Al


Shaffer, J. D. Fulp, Scott Cote, Professor Rob Beverly, LT Joey Carter, and of course all my fellow Marines. Semper Fi brothers.

Finally, to my amazing wife Tara, I thank you from the bottom of my heart. I could not have done this without your love and support. I am forever grateful and thankful that God brought us together. I love you. To my beautiful children, Emeline, Everett, Elianna, and the twins, you all are my drive and motivation. Thank you for your love, support, sacrifices, and occasional drama. I wouldn't have it any other way.


I. INTRODUCTION

During the summer of 2009, then Secretary of Defense Robert Gates directed the establishment of United States Cyber Command (USCYBERCOM). The new command achieved Initial Operational Capability (IOC) the following summer, followed by Full Operating Capability (FOC) on October 31, 2010. USCYBERCOM is:

    Responsible for planning, coordinating, integrating, synchronizing, and directing activities to operate and defend the Department of Defense information networks and when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations) in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries. [1]

A key directive in USCYBERCOM's mission statement is to defend the DoD information network. While there are many methods and techniques used to execute this task, the underlying foundation for each of those methods is training. Training occurs at all levels and stages. It must be relevant, continuous, and above all effective.

A. NETWORK SECURITY AND INFORMATION ASSURANCE TRAINING

As the use of computing devices, Internet connectivity, and cloud-based services rises, the need for more personnel trained to install, maintain, and protect these services also rises. These developments are not isolated to business, government, or private communities. These same technological developments are also in demand


and in use by the U.S. military. However, a key difference between military use and all others is the critical need to protect those services and the network they propagate over, due to the military's national defense mission.

Training for U.S. service members and DoD personnel varies based on location, experience, level of expertise required, and mission. Options for training range from classroom-type training and computer-based training to red team training. Classroom training offers a lot of hands-on experience in a controlled setting, while red teams provide a more realistic experience, as their training is conducted on the actual network the administrators maintain.

B. SHORTFALLS WITH CURRENT TRAINING METHODS

While our current training methods are effective, there are a few key shortfalls we wish to address with this thesis. Red teams, for example, are finite resources that are in very high demand. As more commanders understand the threat in the cyber domain, they want to ensure their units' preparedness by providing relevant and effective training. While red teams are capable of providing this, the reality is there are not enough of them. Additionally, the training offered through the use of red teams is dynamic in nature, which in turn can lead to inconsistent training results and feedback for the unit or organization being trained or evaluated.

Classroom or laboratory training can also be effective and relevant. However, a potential shortfall is the operating environment in which a trainee will train. The computer systems and network to which they are connected


important we understand how MAST uses system and network resources while conducting training. MAST must be able to train hundreds of clients while utilizing minimal resources.

E. ORGANIZATION

Chapter I provides a brief description of current shortfalls in network security and IA training. Additionally, a general description of MAST and its functionality is detailed along with the objectives of this thesis.

Chapter II outlines previous research, current training methods, and the work of Taff, Salevski, and Neff. Additionally, we provide a detailed description of red teams and some historical examples of their use. We conclude the chapter with a discussion of varying types of malicious software (malware).

Chapter III discusses our design considerations with respect to MAST and the test platform. Specifically, we detail MAST's functionality and architecture, and provide an example of a training scenario. We provide details of the test platform's hardware and software features along with a detailed discussion of training and the aspects involved in conducting training. We conclude the chapter with an overview of the Host-Based Security System (HBSS) software suite.

Chapter IV provides a detailed description of the assessments required to determine MAST's scalability characteristics. We discuss the installation of the software from a remote location on a network that does not


have MAST. Additionally, we show how MAST uses system and network resources when executing a training scenario. We conclude the chapter with a discussion of MAST's feedback and reporting capabilities.

Chapter V provides conclusions and recommendations as a result of this experiment. We give our assessment of MAST's implementation on a large network and the utilization of resources by the tool. We conclude the chapter with a discussion of future work to be conducted to prepare MAST for implementation in an operational environment.


II. BACKGROUND

This chapter details some of the varying cyber security and Information Assurance (IA) training methods utilized by United States (U.S.) uniformed service members and Department of Defense (DoD) personnel. Specifically, we provide some insight into red teams, who they are, and how they operate, and other sources of training within the DoD. Additionally, we discuss some malicious threat signatures and behaviors, and the proof of concept for our system, called the Malicious Activity Simulation Tool (MAST).

A. TRAINING METHODS FOR DOD NETWORK ADMINISTRATORS

1. Red Teams

In a 2008 interview, Popular Mechanics was given unprecedented access to a National Security Agency (NSA) red team member. The interviewee revealed that the main task of the red teams was to provide adversarial network services to all units and personnel within the DoD while ensuring strict adherence to their first rule of operation: "do no harm" [4]. Within this context, and in general, a red team is made up of highly skilled and experienced personnel whose mission is to "anticipate and simulate the decision-making and behaviors of potential adversaries" [5]. Red teams allow units to "train as [they] fight" by conducting their actions in the actual operational environment, while utilizing the same tactics, techniques, and procedures (TTPs) of a real enemy.


According to the Committee on National Security Systems (CNSS), a red team is defined as:

    A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment. [6]

The use of red teams is not limited to the computer security or computer network domain. Red teams, who are sometimes referred to as an Opposing Force (OPFOR), are utilized for training, planning, and evaluating at the strategic level down to the tactical level.

a. Contemporary Example of a Red Team Implementation

One way in which U.S. Marine Corps infantry units prepare for operations in a hostile urban environment is to send their members through the Infantry Immersion Trainer (IIT) facility located on Marine Corps Base Camp Pendleton, California. IIT is a physical training environment that incorporates computer simulation technology to provide a vivid and realistic virtual environment to prepare warfighters for a range of possible scenarios [7]. The scenarios and simulations incorporated into the training program, known as TTPs, are integrated by a red-team-like entity.


are varying levels of competency and experience among the individual members of the team. The amount of red-teaming or depth of penetration a team can make on a respective network is unpredictable and not standardized due to variables associated with the particular red team, the network being probed, and the personnel administering that network. Additionally, feedback to the respective unit being tested or trained is critical to its security enhancements, operational security posture, and most importantly mission accomplishment, but it is often inconsistent and neglected.

2. Defense Information Systems Agency (DISA) Training Programs

Another resource for cyber security and IA training for network administrators is the training products offered by the Defense Information Systems Agency (DISA). DISA offers a variety of computer-based and web-based training programs; instructor-led training programs; and virtual training environments. One course in particular, the Rapid Experience Builder (RaD-X) course, is designed to expose students to malicious software (malware) and provide hands-on training with firewall log reviews, intrusion detection system (IDS) analysis and configuration, and anomaly detection using computer network defense (CND) tools [10]. Trainees in this course are able to observe and interact with a variety of real malware in a laboratory setting. The laboratory environment is air-gapped, or isolated from all other networks and the Internet. While there are many positive aspects to this hands-on, instructor-led training, there are a few shortfalls. First, the cost of


    t r anspor t i ng t he l abor at or y f or t r ai ni ng or sendi ng

    per sonnel t o be t r ai ned can be ver y hi gh. Second, t her e i s

    a very hi gh mai nt enance cost associ ated wi t h managi ng and

    mai nt ai ni ng t he syst ems. Af t er each cl ass, each syst em

    wi t hi n the RaD- X envi r onment must be wi ped, t hat i s,

    el ect r oni cal l y cl ear ed, and r e- i maged t o pr epar e f or t he

    next sessi on. Fi nal l y, f or t he t r ai nee, t her e i s no

    guarant ee that t he RaD- X comput er syst ems and net work

    t opol ogy mi r r or t he operat i onal net wor k wi t h whi ch t hey ar e

    f ami l i ar .

3. USMC Communication Training Centers (CTCs)

Within the Marine Corps there exist three Communication Training Centers (CTCs), located respectively within each Marine Expeditionary Force (MEF). The classes available through one of these CTCs range from tactical radios to Cisco routing protocols and concepts. The depth of instruction on cyber security and IA is limited due to the limited resources available at each location and the additional military commitments for all service members. Like the RaD-X architecture mentioned above, the configuration and system design used in training often does not mirror what the actual service member will administer during an exercise or while deployed.

All the training methods mentioned above are undoubtedly beneficial and critical to the continued security of our computer network infrastructure. We propose that the incorporation of MAST will enhance network administrator training by allowing units to train on their very own operational network in a safe and controlled environment. MAST will provide consistent training and, most importantly, provide consistent feedback to the users.

B. MALWARE

Malicious software, or malware, is a general term used to describe software that is specifically designed to cause a computer system, its network, or peripherals to perform actions not intended by the user, or deny the user a resource resident within the computer or network. In a 2005 case study describing attacks against critical infrastructure, the U.S. Department of Homeland Security (DHS) defined malware as:

    Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior. Examples include various forms of adware, dialers, hijackware, slag code (logic bombs), spyware, Trojan horses, viruses, web bugs, and worms. [11]

The impact of malware on a computer system can range from harmless and annoying to severely devastating and damaging. Advertising software (adware) or spam e-mails, while inconvenient, will have little to no impact on the system's resources and services. A Trojan horse, conversely, could give a hacker complete access to a system at the administrator level, thereby compromising the confidentiality, integrity, or accessibility of files and resources located within the system.

For the scope of this thesis, and MAST in general, the term malware will refer to those exploits and their behaviors that can cause catastrophic damages or deny the end user the ability to accomplish the mission. Specific types of malware behavior MAST will simulate include, but may not be limited to, worms, botnets, and viruses.

1. Worms

According to the Froehlich/Kent Encyclopedia of Telecommunications, a worm is defined as self-replicating programs that spread with no human intervention after they are started [9]. Gu et al. identify three characteristics common to most Internet worms [12]:

    The first characteristic deals with the volume and type of traffic generated by an Internet worm. A worm is more susceptible to identification based on its patterns and signatures. Since worms are self-replicating, they do not evolve or change as they propagate. A worm's uniform characteristics make it easier to detect with network traffic analysis software, such as Wireshark and TCPDump.

    A second characteristic deals with the worm's scanning behavior. Most Internet worms will use a pseudo-random search algorithm to discover open ports on a vulnerable system. A worm with this behavior will attempt to connect to numerous closed ports, which will result in the same number of failed connections. A brief analysis of these failed connections could reveal the presence of a worm.

    The final characteristic is a noticeable increase in system resource utilization. The host uses a lot of resources responding to the initial scanning done by a worm, followed by a further depletion of resources to find more vulnerable systems.

The scanning and propagation features of an Internet worm are normally only part of its behavior. Most malware carry or deliver some sort of malicious payload that can be used to capture sensitive information, report back to a base station, or in the worst case, corrupt or delete essential system files.
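The second characteristic above, a burst of failed connections spread over many closed ports, is the one a defender can check for directly in connection logs. The following is an added Python example written for this page, not code from the thesis or from MAST: it parses a handful of constructed connection records (the hosts, ports and thresholds are made-up values) and flags source hosts whose failures are both numerous and spread across many distinct ports, while a host with a couple of failures to one service is left alone.

```python
from collections import defaultdict

# Constructed sample connection records (not a capture from any real network):
# time, source host, destination host, destination port, outcome.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.20 21 failed
10:00:01 10.0.0.5 10.0.0.20 22 failed
10:00:01 10.0.0.5 10.0.0.20 23 failed
10:00:02 10.0.0.5 10.0.0.20 445 success
10:00:02 10.0.0.5 10.0.0.21 135 failed
10:00:02 10.0.0.5 10.0.0.21 139 failed
10:00:02 10.0.0.5 10.0.0.21 445 failed
10:00:03 10.0.0.5 10.0.0.22 80 failed
10:00:03 10.0.0.5 10.0.0.22 3389 failed
10:00:03 10.0.0.5 10.0.0.22 8080 failed
10:00:04 10.0.0.7 10.0.0.30 443 failed
10:00:05 10.0.0.7 10.0.0.30 443 failed
10:00:06 10.0.0.7 10.0.0.31 443 success
10:00:07 10.0.0.7 10.0.0.31 80 success
"""


def parse_log(text):
    """Turn the whitespace-separated records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        records.append({"src": parts[1], "dst": parts[2],
                        "port": int(parts[3]), "ok": parts[4] == "success"})
    return records


def find_scanners(records, min_failed=5, min_ports=4):
    """Return per-source statistics for hosts whose failed connections are
    numerous and spread over many distinct ports, the worm-like pattern the
    text describes. A few failures to a single service (a server that is
    simply down) do not meet both thresholds and are not reported."""
    failed = defaultdict(int)
    attempts = defaultdict(int)
    failed_ports = defaultdict(set)
    targets = defaultdict(set)
    for r in records:
        attempts[r["src"]] += 1
        if not r["ok"]:
            failed[r["src"]] += 1
            failed_ports[r["src"]].add(r["port"])
            targets[r["src"]].add(r["dst"])
    suspects = {}
    for src in attempts:
        if failed[src] >= min_failed and len(failed_ports[src]) >= min_ports:
            suspects[src] = {"failed": failed[src], "attempts": attempts[src],
                             "ports": len(failed_ports[src]),
                             "hosts": len(targets[src])}
    return suspects


if __name__ == "__main__":
    for host, stats in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(host, stats)  # 10.0.0.5 {'failed': 9, 'attempts': 10, 'ports': 9, 'hosts': 3}
```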

Cornell University student Robert Morris released the first known instance of an Internet worm in 1988. The Morris worm, which was initially designed to measure the size of the Internet's ancestor, ARPANET, had a self-replicating and self-propagating feature that caused 10% of all computers connected to the ARPANET to become ineffective due to the allocation of resources dedicated to the Morris worm [13].

2. Viruses

Like Internet worms, viruses are also self-replicating software that can carry a malicious payload. The distinguishing characteristic between worms and viruses is that viruses require some sort of action on the part of the end-user to initiate their behavior. Viruses propagate through e-mails or malicious attachments, not through system vulnerabilities as a worm does. Peter Szor, author of The Art of Virus Research and Defense, defines a computer virus as:

    Code that recursively replicates a possibly evolved copy of itself. Viruses infect a host file or system area, or they simply modify a reference to such objects to take control and then multiply again to form new generations. [14]

Viruses, like worms, have distinct characteristics and signatures that can be detected with an Intrusion Detection System (IDS). Unfortunately, these combative methods tend to be reactive in nature due to the virus's stealthy nature and various infection methods. Viruses can be programmed to attach themselves to other executable files, self-modify, and replicate. The signature database associated with the IDS must be updated constantly and reviewed to ensure maximum protection.

3. Botnets

Another form of malware that has become more widely used, due to the increase in computing systems connected to the Internet, is a botnet. A "bot" is a computer system that has been compromised with malicious software and the "net" is the network on which the infected host communicates. While there are many common characteristics among viruses, worms, and botnets, the distinguishing factor for botnets is their command and control architecture. In this command and control architecture there is normally one bot that acts as the master while the other bots execute the commands given by the master.

As stated earlier, the rise in computer usage and Internet connectivity has led to the increase in botnet attacks. The most common attack associated with botnets is the Distributed Denial of Service (DDoS) attack. A DDoS attack is designed to overwhelm the resources of a single entity by sending it more requests than it can handle. These requests normally come from multiple machines at the same time, which are all a part of a botnet. However, botnets can be used for more than just a DDoS attack. According to Ellen Messmer, who published an article on the growth of botnet usage:

    The tool is designed to allow users to "train as you fight" by executing the training on the user's operational network. All actions and behaviors are benign in nature, thereby causing no threats to the network or end-hosts. Also, the network traffic generated by the system does not overwhelm network resources and impact users not involved in the training.

    Finally, the tool is designed to capture all commands and actions so that a report could be generated to profile the training. This is an important characteristic that is fundamental to any training scenario.

Neff furthered Taff and Salevski's research by verifying and validating their proposed approach to network security training. Specifically, Neff defined various metrics that were used to compare the MAST training approach to other methods of training currently available. His research asserted that the MAST system is a viable approach and can improve network security and the IA posture of a unit when augmented to the other resources currently available [3].

The theses authored by Taff, Salevski, and Neff are the proof-of-concept and foundation upon which MAST has been built. It is their work that we intend to expand and further develop.

D. SUMMARY

In this chapter, we discussed varying methods used to train computer network administrators. Specifically, we detailed who and what red teams are, and examples of their implementation, along with other forms of DoD-sourced training. We also discussed the malware domain and some of the categories of malware that fall within that domain. Finally, we discussed the research and development of a software-based approach to training network administrators. In the following chapter we will expand on this software-based approach by detailing how this approach can augment current training methods. Additionally, we will provide an overview of MAST and describe the implementation platform for experimentation.

III. DESIGN CONSIDERATIONS AND TEST PLATFORM

In this chapter, we detail our assumptions about the training objectives and training environment for which the Malicious Activity Simulation Tool (MAST) is to be implemented. Along with these assumptions, we provide a detailed overview of MAST's functionality, architecture, benefits over current training methods, and an example training scenario MAST could implement. We conclude the chapter with a discussion on the Host-Based Security System (HBSS) and the virtual shipboard network we are using for testing and evaluating.

A. TRAINING

1. Training Objectives and Environment

As stated in the previous chapters, the foundation for this thesis lies in the previous work, research, and development by Taff, Salevski, and Neff [2] [3]. An important topic they helped define and scope for this project is the training paradigm. Specifically, they defined a training objective as "the skill or behavior that we wish to reinforce" [2]. This definition is a foundational principle of the MAST design. Since training objectives vary by unit, size, location, experience, and numerous other factors, MAST is designed to be modular in nature. MAST can be customized to fit varying training objectives.

The implementation of MAST assumes a training environment where there is a trainer, trainee, safety observer, and computer network that is inter-connected and accessible by all these individuals. The person(s) or organization responsible for developing training objectives and overseeing the training is the trainer. The individual or organization receiving the training and trying to meet the objectives is the trainee. The person or organization responsible for the safety of the training and the adherence to any constraints or restraints is the safety observer. Finally, the platform upon which the training is conducted is an inter-connected network of computers on an approved DoD computer network. The computer systems attached to this network have a baseline computer image approved by their respective service or agency, and include the installation of HBSS.

2. Shortfalls of Current Training Methods

As stated in the previous chapter, there are varying training methods available to network administrators for network security and IA. We believe there are four major shortfalls with these methods that the MAST addresses:

a. Finite Resources

Taff and Salevski stated that the use of red teams for training is the pinnacle of a unit's training [13]. But unfortunately, red teams are a finite resource that is over-taxed and in high demand. If a unit is lucky, it may have an opportunity to train with a red team just prior to a deployment or commencement of an exercise.

b. Non-standardized Training Methods

As stated in the previous chapter, the attack methods and probing techniques used by red teams vary due to factors such as experience, time available, complexity of the network, discovered vulnerabilities, and many more. These variables make standardized training with respect to red teams virtually impossible.

c. Inconsistent Feedback

The dynamic training approach and non-standardized training methods offered by red teams can lead to inconsistent feedback for the unit being trained. The task of capturing all events and actions is very manpower intensive and time-consuming. Time and manpower are two resources of which the red teams do not have enough. If detailed feedback is desired, then the amount and quality of training provided by the red team will be diminished.

d. Different Training Platform

While laboratory or schoolhouse type training can mitigate some of the issues with standardization and feedback, there are two other issues with this type of training:

    First, the cost of sending personnel to be trained or transporting the laboratory to the training location can be very high. Additionally, the costs for managing and maintaining the laboratories can be very expensive.

    Second, there is no guarantee that the system and network settings and configuration will mirror that of the actual network the trainees will use for their exercise or deployment.

In the following sections we will discuss the benefits and details of the MAST and its role in the training domain.

3. Benefits of Implementing MAST

MAST is designed to address the shortfalls mentioned in the previous section by providing a software-based solution that is realistic, repeatable, modular and dynamic. MAST is designed to simulate and automate some of the training methods conducted by red teams. MAST's training methods, which would be available to all DoD personnel, can be repeated an unlimited number of times to ensure the training objectives are met. One of MAST's key functions is to provide reports on the events surrounding a training scenario. The reports will help a unit identify its strengths and weaknesses, which in turn will allow it to better focus its training resources. MAST is also designed to be used on the same network the trainees use for their day-to-day operations. The command and control design of MAST allows the trainer to scale the training only to those desired hosts and, most importantly, the training can be ceased expeditiously to allow trainees the ability to resume their operational commitments. Finally, MAST is designed to do no harm to the network or the hosts attached to the network.

B. MALICIOUS ACTIVITY SIMULATION TOOL (MAST)

During Taff and Salevski's initial research and prototype development of MAST, formerly known as Malware Mimics, it was determined that MAST be implemented according to a client-server paradigm [2]. As shown in Figure 1, the client-server paradigm allows for the trainer to conduct the training from a local or remote location using a command-and-control architecture. Additionally,

a. Scenario Generation

Scenario generation is an important function that allows for dynamic and relevant training. As new threats develop, or existing threats remain persistent, it is critical that trainers have the ability to create unique situations that enforce a certain training objective. A scenario is made up of commands, which are executed by the MAST client, and modules, which are pre-programmed behaviors the client will execute. A library of modules will exist at all levels of the MAST and can be combined or used interchangeably to create unique scenarios.

For example, if the signature of a certain piece of malware is to perform a network scan followed by an Internet Control Message Protocol (ICMP) echo-request (ping) out of a specific network port to a specific Internet Protocol (IP) address, this action can be recreated into multiple modules for re-use in other scenarios. The scanning behavior is one module while the ping request is another module.

Ideally, the creation of new modules and scenarios is done by the remote trainer whose experience and skills are equivalent to that of an ethical hacker or a member of a red team.

b. Scenario Distribution

The next important system function is scenario distribution. This function is accomplished using a top-down approach. The trainer, from a remote location, pushes new scenarios, modules, or updates from the remote server, known as the Scenario Generation Server (SG Server), to the MAST server located locally where the training is to be conducted. The local server, known as the Scenario Execution Server (SE Server), then pushes the updates to the clients as needed.

The distribution of new scenarios or updates can be pulled or pushed from the respective server. The SG Server can push the updates down to the SE Server, or the SE Server can check in with the SG Server and determine if any update needs to be pulled. The same process applies to the SE Server and the clients it serves.

c. Scenario Execution

Scenario execution occurs at all levels of the MAST system. A remote trainer can execute a scenario from the SG Server via the SE Server co-located with the training unit. For localized training, a scenario can be executed directly by utilizing only the SE Server. Upon receipt of an execution command, the MAST Client executes the specified scenario.

d. Reporting and Archiving

Following a bottom-up approach, reporting begins when a MAST Client completes a given module or scenario and reports its actions and events to the SE Server. The SE Server, with a limited database capability, archives the information in order to generate reports for the local or remote trainers. The remote trainer, who can leverage the SG Server to manage multiple SE Servers, determines the level of granularity desired from the SE servers. These reports give the trainers and leaders of the unit being trained a snapshot of how the trainees performed, which in turn can be used to create a profile of strengths and weaknesses. This will allow for a better and more efficient use of training resources.

The SE Server and the SG Server have access to a database for data archiving. The database is used to store scenarios, modules, and reports from all clients and servers in the system.

2. System Architecture

The MAST system functions mentioned above are implemented with the use of three main components:

    Scenario Generation Server (SG Server)
    Scenario Execution Server (SE Server)
    MAST Client(s)

All three components are Java-based software programs consisting of multiple classes or files designed to run on a variety of Microsoft Windows-based operating systems. Figure 2 provides a notional implementation view of the system design.

Figure 2. Logical View of MAST Architecture (From Greg Belli and Erik Lowney)

3. Safety Features

Like any military training exercise, safety is always a priority. MAST provides numerous safety features to ensure the integrity of the network and hosts connected to the network.

a. Client Check-in

Prior to the commencement of training, each client or end-host participating in the training must check in with the SE Server. When the execution of a scenario begins, the SE Server communicates only with those clients on its checked-in list. This ensures non-training users and end-host systems are not affected by the ongoing training and can perform their duties as normal.

b. Kill Switch

The kill switch is a simple mechanism or command located at both the SG Server and SE Server. This command, if executed, will cease all training and begin the roll-back module. The kill switch ensures immediate and full access to the network and end-hosts in the event the users that are participating in the training need to immediately resume their operational duties.

c. Roll-Back Module

The roll-back module is similar in design to other training modules in that it is designed to run on the MAST Clients. The main purpose is to ensure the end-host system being used as a MAST Client is returned to the state in which it was prior to the commencement of training.

For example, if a training scenario called for the creation of a text file on the user's desktop, the roll-back module, which is executed after the SE Server receives its reports, will remove the text file and any other files created during the training, and will revert any files modified during the training to their original construct.

4. Modular Features

A final characteristic about the MAST that makes it an extensible training tool is its modularity. As stated earlier, scenarios are a combination of computer commands and modules. The modules are designed to execute a single behavior and interact effectively with other modules. For example, if a piece of malware performs multiple behaviors, then those individual behaviors are broken down into individual modules. The scenario created to simulate this malicious behavior would consist of multiple modules.

5. A Scenario Example

Now that we have discussed the characteristics and components of MAST, we can view an example of a scenario that can be used for training. Figure 3 overviews the actions that occur when the Drive-by Download scenario is executed.

In this scenario, a pop-up window appears on the user's desktop. The window is a simple image that performs no action other than recording the user's response. The pop-up window asks the user if they would like to execute or download a specific file. The user's actions are recorded in the SE Server's database.

The objectives of this scenario are to see how the users respond to the download question and if any users report the events to a system or network administrator. Such events may be characteristic of a phishing attack. The results of the training can let a unit know where to focus future training resources.

Figure 3. Example of a MAST Scenario
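The control flow described in the sections above (a scenario assembled from single-behavior modules, executed only on clients that checked in with the SE Server, reported bottom-up, and undone by the roll-back module when the kill switch fires) can be modelled end to end in a few dozen lines. The following is an added Python example written for this page, not MAST's own Java code: the client names, file names and the pop-up answer are constructed, each client's "end-host" is a temporary directory, and the Drive-by Download pop-up is reduced to a module that records the user's response.

```python
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Client:                      # stand-in for a MAST Client on one end-host
    name: str
    workdir: str                                  # constructed: the host's file system
    events: list = field(default_factory=list)    # actions the client will report
    undo: list = field(default_factory=list)      # how to reverse each action


# Modules: each executes a single behaviour and records how to undo it.
def create_file_module(client, path, content):
    """Create or overwrite a file on the end-host (the roll-back example above)."""
    full = os.path.join(client.workdir, path)
    if os.path.exists(full):
        with open(full) as f:
            client.undo.append(("restore", full, f.read()))  # modified: revert later
    else:
        client.undo.append(("delete", full, None))            # created: remove later
    with open(full, "w") as f:
        f.write(content)
    client.events.append(f"wrote {path}")


def popup_module(client, answer):
    """Drive-by Download scenario: the pop-up only records the user's response."""
    client.events.append(f"download prompt answered '{answer}'")


def rollback_module(client):
    """Return the host to its pre-training state, undoing the newest action first."""
    while client.undo:
        action, full, original = client.undo.pop()
        if action == "delete":
            os.remove(full)
        else:
            with open(full, "w") as f:
                f.write(original)
    client.events.append("roll-back complete")


class SEServer:
    """Scenario Execution Server: checked-in list, execution, reports, kill switch."""

    def __init__(self):
        self.checked_in = {}      # name -> Client, filled by check_in()
        self.reports = {}         # the server's limited database of client reports
        self.halted = False

    def check_in(self, client):
        self.checked_in[client.name] = client

    def execute_scenario(self, scenario, hosts):
        """Run an ordered list of (module, parameters) on checked-in hosts only;
        hosts that never checked in are not touched, so their users keep working."""
        for client in hosts:
            if self.halted or client.name not in self.checked_in:
                continue
            for module, params in scenario:
                module(client, **params)
            self.reports[client.name] = list(client.events)   # bottom-up report

    def kill_switch(self):
        """Cease all training and run the roll-back module on every trainee host."""
        self.halted = True
        for client in self.checked_in.values():
            rollback_module(client)
            self.reports[client.name] = list(client.events)


def run_demo(answer="No"):
    """Three constructed hosts, of which ws3 never checks in. Returns what a
    trainer would inspect afterwards: the reports and the hosts' final state."""
    root = tempfile.mkdtemp()
    hosts = []
    for name in ("ws1", "ws2", "ws3"):
        os.makedirs(os.path.join(root, name))
        hosts.append(Client(name, os.path.join(root, name)))
    ws1, ws2, ws3 = hosts
    with open(os.path.join(ws1.workdir, "notes.txt"), "w") as f:
        f.write("original notes")                # file that existed before training
    server = SEServer()
    server.check_in(ws1)
    server.check_in(ws2)
    scenario = [
        (popup_module, {"answer": answer}),
        (create_file_module, {"path": "notes.txt", "content": "DRIVE-BY"}),
        (create_file_module, {"path": "dropped.txt", "content": "stand-in payload"}),
    ]
    server.execute_scenario(scenario, hosts)
    server.kill_switch()                         # trainees must resume their duties
    with open(os.path.join(ws1.workdir, "notes.txt")) as f:
        notes = f.read()
    return {"reports": server.reports, "ws1_notes": notes,
            "files": {h.name: sorted(os.listdir(h.workdir)) for h in hosts}}
```

After the kill switch, ws1 keeps only its original notes.txt with its original content, ws2 is empty again, ws3 was never touched and has no report.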

Figure 4. MAST Physical Equipment Setup (From Greg Belli and Erik Lowney)

Additionally, a Cisco 2811 router is used as an access point for remote hosts to connect to the VMs. Finally, all physical resources are connected to a Dell 1920 Uninterruptible Power Supply (UPS) to ensure protection of the hardware and software in the event of a power loss.

2. Software

The resources required to actually replicate a shipboard network are large and very expensive. A more efficient way to validate MAST's capabilities is to test the system on a virtualized network. By using virtualization, we were able to reduce the amount of physical resources required to mock the shipboard network. ESXi 5.0 is a specialized operating system developed by VMware to manage the physical resources available on a server. In our setup, we use VMware software to manage and create virtual machines for testing. A virtual machine (VM), according to VMware, is "a tightly isolated software container that can run its own operating system and applications as if it were a physical computer" [17].

A key element in creating and managing VMs is to ensure you have the appropriate amount of resources available for that virtual machine. For example, if you create a Windows XP VM and allocate 2GB of RAM and 50GB of storage, then those resources will be reserved for that machine on the physical server itself. There is a one-to-one mapping with respect to a VM's allocated memory and storage and the actual memory and storage on the server on which the VM resides.

In the following section we discuss the actual VMs used for testing. These VMs are managed by the VMware software and reside on the three physical servers mentioned above.

3. Common PC Operating System Environment (COMPOSE) CG-71 Virtual Machines

The virtual machines used to test and develop MAST are a replica of the U.S. Navy cruiser, U.S.S. Cape St. George, also known as CG-71. The VMs, which were developed by Space and Naval Warfare System Center (SPAWARSYSCEN) Pacific contractor, ManTech, are unclassified and have the Common PC Operating System Environment (COMPOSE) installed. COMPOSE is a standardized load for all computers to ensure


    Internet Information Server (IIS) for Simple Mail Transfer Protocol (SMTP)

    Network News Transfer Protocol (NNTP)

    d. Computer Network Defense-Operating System Environment (CND-OSE) Host-Based Security System (HBSS) Server

    The virtualized HBSS Server has Microsoft Windows Server 2003 Standard Edition installed. The following services are installed as well:

    Host-Based Security System (HBSS) Server, which includes the ePolicy Orchestrator (ePO)

    e. Computer Network Defense-Operating System Environment (CND-OSE) Microsoft Structured Query Language (MSSQL) Server

    The virtualized MSSQL Server has Microsoft Windows Server 2003 Standard Edition installed. The server provides a database for HBSS and the Secure Configuration Compliance Validation Initiative (SCCVI).

    f. CG-71 Common PC Operating System Environment (COMPOSE) Server

    The virtualized COMPOSE Server has Microsoft Windows Server 2003 (32 bit) installed. The server manages the COMPOSE environment.

    g. CG-71 Common PC Operating System Environment (COMPOSE) Secure Configuration Compliance Validation Initiative (SCCVI) Host

    The virtualized SCCVI Host has Microsoft Windows XP Professional (32 bit) installed. The server ensures the COMPOSE workstations are in compliance with HBSS.


    h. CG-71 Common PC Operating System Environment (COMPOSE) Workstation

    The virtualized COMPOSE Workstation has Microsoft Windows XP Professional (32 bit) installed. The workstation is used by all users and interacts with HBSS through the McAfee Agent installed on the system.

    D. HOST-BASED SECURITY SYSTEM (HBSS)

    According to the Defense Information Systems Agency (DISA) HBSS website:

        The Host Based Security System (HBSS) baseline is a flexible, commercial-off-the-shelf (COTS) based application. It monitors, detects, and counters against known cyber-threats to Department of Defense (DoD) Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA PEO-MA is providing the program management and supporting the deployment of this solution. [16]

    HBSS is currently being deployed by the DoD to standardize the way DoD manages networks with respect to security and IA. Like the use of the COMPOSE CG-71 VMs mentioned in the previous section, it was important to implement HBSS into our testing and evaluation of the MAST. In his thesis, Verification and Validation of the Malicious Activity Simulation Tool (MAST) for Network Administrator Training and Evaluation, Neff provides a detailed description of HBSS and its interaction with the MAST [14].


    1. McAfee ePolicy Orchestrator (ePO)

    Serves as the central policy management point for all of the systems HBSS manages.

    2. McAfee Agent

    The agent is the distributed client-side software that communicates directly with the ePO server. It also enforces all HBSS policies on the respective workstation.

    3. McAfee Host Intrusion Prevention System (HIPS)

    The HIPS is the component of HBSS that provides several fundamental security features, such as application blocking or firewalls. The system's functionality is implemented using the following features:

    a. Intrusion Prevention System (IPS)

    The IPS monitors all system and Application Program Interface (API) calls. It blocks the execution of any program whose signature matches one of the malicious signatures in its database.

    b. Host Intrusion Prevention System (HIPS) Firewall

    The HIPS firewall protects managed hosts by analyzing network traffic for malicious content and preventing it from compromising any data, applications, or host operating systems.


    modules software, is less than 700KB. These packaged files are transmitted once to the SE server, or local server, which in turn handles the distribution to all clients associated with the training network.

    Future OTA transmissions will be limited to updates or feedback in the form of reports and statistics pertinent to the training conducted.

    Figure 5. Architecture for MAST deployment and installation.

    2. Local Distribution and Installation

    Once the local (SE) server receives the software from the remote location, it can distribute the client software to all hosts on the training network. The client software and training modules are less than 400KB in size. The SE server can easily deploy this software during any of the standard updates that occur with HBSS, Microsoft software, or any other DoD authorized updates.

    Installation of the software on local hosts is as simple as placing a file on the desktop. MAST client software is designed to run, or execute, only when the respective host is participating in training. The software is resident on all hosts, but takes up very little space and zero system resources when not in use. The following section discusses the impact on system resources when a scenario is executed and the software is utilized.

    B. SCENARIO EXECUTION

    The overall goal of this experiment was to determine how MAST uses and impacts system and network resources. Through a standardized set of inputs and procedures, we wish to show that MAST performs as expected when utilized in an environment simulating an operational network that consists of multiple clients in a remote location.

    1. System Resources

    For this objective, our goal was to monitor and report the processing resources utilized by the SE server. It was critical that we understood how much of the server's central processing unit (CPU) was used to serve as few as five clients and as many as 80 clients. These observations would help us estimate and plan for testing and evaluating on a non-virtual operational network consisting of hundreds of clients.


    more VMs would have been counter-productive to the experiment due to the workload on the physical server's CPU.

    Figure 6. Virtual test bed configuration

    In order to create 75 COMPOSE workstations, we created a template from the CG-71 COMPOSE workstation VM. That template was then deployed 75 times to create 75 individual machines. Once all 75 were created and deployed, we manually updated the Internet Protocol (IP) address and computer name for each workstation. This ensured there were no conflicts on the network and eased registration with the network's domain controllers. Connectivity among all the systems was confirmed with ping requests to neighboring systems and systems located on other sub-networks.

    The final step in completing the experiment setup was to test the pre-installed scenarios' functionality and correctness. A training scenario is executed by starting the SE server first, followed by all of the clients participating in the training. This order is critical, as the server must be operational in order for the clients to check in. Once all the clients participating in the training are logged onto the SE server, a training scenario is selected from the SE server menu. The scenario continues until the stop, halt, or quit command is issued.

    Figure 7. MAST scenario selection window


    4. Experiment Methodology

    In order to determine MAST's scalability characteristics, we conducted five different experiments using the same scenario for each evolution. Figure 8 shows how we divided the MAST clients.


    Figure 8. Breakdown of MAST clients for experimentation


    Each experiment followed the procedures shown in Figure 9. The only difference between each experiment was the number of clients involved in the training.

    Figure 9. Experiment procedure

    For CPU utilization analysis, we used the performance tab offered by the vSphere Client window. Additionally, this same tab was used to gather data on the network resources used during training. A final tool used for analysis was Wireshark. Wireshark captured all traffic traversing the network during all experiments. We then applied a filter to each capture to isolate and view only the traffic to and from the SE server.

    The final analysis used all the above resources to compare the amount of network traffic generated by each experiment along with the SE server's CPU utilization for each experiment.


    5. Results

    Overall, the experiment verified system performance with respect to scalability. An increase in the number of clients tested did not result in a similar proportional increase in utilization of processing resources. Additionally, an increase in the number of clients and the network traffic generated to control those clients resulted in very minimal use of network resources.

    a. System Resources

    The performance of the computer hosting MAST showed limited impact as the number of clients involved in the experiment grew exponentially.

    Figure 10 graphs CPU utilization for each experiment when a scenario was executed. Specifically, the rectangles labeled with numbers show the percentage of the CPU's resources used during that respective experiment. Experiment five, for example, which connected to 80 clients simultaneously, utilized just over 15% of the system's CPU resources.

    There were some spikes and lulls depicted in the graph that are not associated with the experiment (3:30 to 3:40 PM). Analysis of the network traffic during these periods shows administrative communication between the virtual machine and the vSphere client.


    Figure 10. Percentage of CPU resources used for experiments


    As Figure 11 depicts, an exponential increase in clients does not exponentially increase the amount of resources needed to conduct training. MAST's performance demonstrates the minimal impact on CPU resources and the capability to serve more clients with ease.

    Figure 11. Percentage of CPU used compared to number of clients.

    b. Network Resources

    The utilization of network resources during the execution of all scenarios was extremely minimal. Figure 12 details the statistics of the network traffic generated during all five experiments.


    Figure 12. Characteristics of network during experiments

    The exponential increase among these characteristics during all experiments was expected. Unlike the use of CPU resources, there is a direct correlation between the number of clients and the amount of traffic generated. An exponential increase in clients means a mirrored increase in network traffic to control those clients.

    Despite this increase in network traffic, the percentage of network resources used to support the training was very minimal. The experimental network was configured to support 1 Gbit/sec throughput between all systems.

    Figure 13 provides a summary of the network statistics captured by Wireshark for all experiments. The "captured" column details all packets captured during the experiment, while the "displayed" column shows the details of network traffic directly associated with the SE server and our experiments.

    Figure 13. Network traffic statistics captured by Wireshark


    Figure 14 details the percentage of network resources used during each experiment. The amount of traffic generated for all experiments was so low that it was not reported by the vSphere client. We used our Wireshark captures to determine the number and size of packets generated during all experiments.

    Figure 14. Percentage of network resources used

    As the analysis of the network traffic has shown, an exponential increase in clients does not significantly impact the network resources available. A correlation between the two does not exist. The demonstration of the MAST design and implementation and the scenarios utilized asserts its ability to have very minimal impact on a network.
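    The statistics described in this section (the "captured" versus "displayed" packet counts of Figure 13, the per-client growth of Figure 12, and the share of the 1 Gbit/sec link in Figure 14) can be recomputed from a packet list with a short script. The following is an added example, not the thesis author's code or tooling; the SE server address, the packet records and the per-experiment byte totals are constructed placeholders.

```python
"""Added example (not part of the thesis): recompute the Wireshark-style
"captured" vs "displayed" statistics and the link utilisation for one
MAST scenario capture.  The SE server address, the packet records and
the per-experiment numbers are constructed placeholders, not thesis data."""
from dataclasses import dataclass

SE_SERVER_IP = "10.0.0.10"          # assumed SE server address (placeholder)
LINK_BITS_PER_SEC = 1_000_000_000   # experimental network: 1 Gbit/sec links


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since the start of the capture
    src: str
    dst: str
    length: int     # frame length in bytes


# Constructed capture: client check-ins with the SE server plus unrelated
# background traffic (the vSphere/admin chatter the thesis also observed).
CAPTURE = [
    Packet(0.00, "10.0.0.21", "10.0.0.10", 120),
    Packet(0.01, "10.0.0.10", "10.0.0.21", 96),
    Packet(0.05, "10.0.0.22", "10.0.0.10", 120),
    Packet(0.06, "10.0.0.10", "10.0.0.22", 96),
    Packet(0.10, "10.0.0.5", "10.0.0.6", 1500),    # not SE-related
    Packet(0.11, "10.0.0.5", "10.0.0.6", 1500),    # not SE-related
    Packet(0.50, "10.0.0.21", "10.0.0.10", 200),
    Packet(2.00, "10.0.0.10", "10.0.0.22", 64),
]


def se_filter(pkt: Packet) -> bool:
    """Equivalent of the Wireshark display filter 'ip.addr == <SE server>'."""
    return SE_SERVER_IP in (pkt.src, pkt.dst)


def capture_stats(packets, keep=se_filter) -> dict:
    """Summarise a capture the way the Figure 13 columns do: 'captured'
    counts every packet, 'displayed' only those passing the filter; the
    byte total and average size refer to the displayed set.  Utilisation
    is displayed bits over the capture duration as a share of the link."""
    displayed = [p for p in packets if keep(p)]
    timestamps = [p.ts for p in packets]
    duration = (max(timestamps) - min(timestamps)) if timestamps else 0.0
    disp_bytes = sum(p.length for p in displayed)
    bits_per_sec = disp_bytes * 8 / duration if duration > 0 else 0.0
    return {
        "captured": len(packets),
        "displayed": len(displayed),
        "displayed_bytes": disp_bytes,
        "avg_packet_size": disp_bytes / len(displayed) if displayed else 0.0,
        "duration_s": duration,
        "link_utilisation_pct": bits_per_sec / LINK_BITS_PER_SEC * 100,
    }


def bytes_per_client(displayed_bytes_by_clients: dict) -> dict:
    """Given displayed SE-server bytes per experiment keyed by client count,
    return bytes per client.  A roughly constant value is the 'mirrored
    increase' the thesis describes: traffic grows with the client count
    while the share of the link stays negligible."""
    return {n: b / n for n, b in displayed_bytes_by_clients.items()}


if __name__ == "__main__":
    for key, value in capture_stats(CAPTURE).items():
        print(f"{key:>22}: {value}")
    # constructed experiment sizes and byte totals, not thesis data
    print(bytes_per_client({5: 3480, 10: 6960, 20: 13920, 40: 27840, 80: 55680}))
```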

    C. TRAINING FEEDBACK AND DISTRIBUTION

    The final scalability factor that we analyzed was the distribution of feedback and results to the SE server and the SG server. As stated in the previous chapter, one of MAST's key functionalities is its reporting capability.


    V. CONCLUSIONS AND FUTURE WORK

    A. CONCLUSIONS

    In this thesis, we showed that MAST's use of system and network resources is minimal and that the ability to scale up to train more clients will not impact other users and processes not participating in the training. We also discussed and analyzed the method in which MAST would be installed on a network and the process and procedures for providing reports on all events and actions.

    In Chapter III, we outlined our assumptions about training objectives and the training environment in which MAST would be implemented. We discussed the shortfalls of current network security and IA training methods and the benefits of implementing MAST to address those shortfalls. We detailed MAST's architecture and functionality along with an example training scenario using MAST. We described and defined the hardware and software configurations used to test MAST's scalability properties.

    In Chapter IV, we discussed three factors of MAST that are critical to scalability. First, we discussed how MAST would be installed on a new network and the impact of that installation from a remote location. We followed that analysis with a set of experiments of MAST on a simulated shipboard network. The results showed that an exponential increase in host systems being trained did not result in an exponential increase in utilization of processing resources. Additionally, we showed that the network traffic generated to control all the clients being trained was minimal in size and barely noticeable when monitoring all network traffic. We concluded the chapter with a demonstration of MAST's reporting capabilities.

    We demonstrated that MAST can scale up to train more clients while minimizing the use of system and network resources. Additionally, we demonstrated that MAST can be effectively and efficiently installed on a new network and provide reports and feedback as needed to meet projected training goals and objectives.

    B. FUTURE WORK

    1. Continued Development of Module Library

    A critical component of MAST is the modules used to create scenarios. Currently, there are a limited number of modules that can be used for creating scenarios. As discussed in Chapter II, modules are the actions or behaviors we program that simulate a real-world threat. Varying types of modules are needed to ensure the training provided is realistic and relevant. As malware is created or evolves, it is important to develop modules that simulate its behavior to ensure new and updated scenarios can be created and used. The development of such modules may be appropriate for small student projects in a network security course. A methodology for developing modules that could be exported to other organizations, such as red team units, is also needed. This methodology could also be used to capture lessons learned at Cyber Defense Exercises (CDX).


    2. Graphical User Interface

    As the reporting functionality of MAST improves, it is important to maximize this value by providing a graphical user interface (GUI) that is informative and user friendly. Currently, the GUI for interaction, feedback, and results is limited. Areas that will benefit from the implementation of a GUI include the scenario generation function and the reporting function.

    As the module library becomes more populated, the trainer will have the ability to create more scenarios that are unique or robust. The manner in which these scenarios are created and tested can be expedited with the use of a GUI. Additionally, the reporting functionality of MAST is critical to the feedback required for any training evolution. A report GUI would allow for immediate feedback, which in turn can help prioritize and utilize training resources for future evolutions.

    3. Test and Evaluation on Operational Network

    Finally, as MAST continues to evolve, develop, and perform as expected in a simulated training environment, it is important to begin some assessments on a physical network. Currently, all assessments are performed in a virtual environment. Utilizing a physical environment will help further test and evaluate MAST's system properties and scalability characteristics. Additionally, it will allow for assessments of the module library and the modules' performance on host systems with varying operating systems. Such assessments and demonstrations are critical to MAST's acceptance by the operational community and its subsequent porting to the target objective: operational networks.


    LIST OF REFERENCES

    [1] U.S. Department of Defense, "Cyber Command Fact Sheet." [Online]. Available: http://www.defense.gov/home/features/2010/0410_cybersec/docs/cyberfactsheet%20updated%20replaces%20may%2021%20fact%20sheet.pdf

    [2] W. R. Taff Jr. and P. M. Salevski, "Malware Mimics for Network Security Assessment," M.S. thesis, Dept. Comput. Sci., Naval Postgraduate School, Monterey, California, 2011.

    [3] J. M. Neff, "Verification and Validation of the Malicious Activity Simulation Tool (MAST) for Network Administrator Training and Evaluation," M.S. thesis, Dept. Comput. Sci., Naval Postgraduate School, Monterey, California, 2012.

    [4] G. Derene, "Inside NSA Red Team: Secret Ops With Government's Top Hackers," Popular Mechanics, 30-Jun-2008. [Online]. Available: http://www.popularmechanics.com/technology/how-to/computer-security/4270420. [Accessed: 02-Apr-2012].

    [5] J. F. Sandoz, Red Teaming: A Means to Mili

