8/13/2019 12Sep Longoria
1/85
NAVAL POSTGRADUATE SCHOOL
MONTEREY, CALIFORNIA
THESIS
Approved for public release; distribution is unlimited
SCALABILITY ASSESSMENTS FOR THE MALICIOUS
ACTIVITY SIMULATION TOOL (MAST)
by
Ray Longoria Jr.
September 2012
Thesis Co-Advisors: Gurminder Singh
John H. Gibson
i
REPORT DOCUMENTATION PAGE
Form Approved OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503.
1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: September 2012
3. REPORT TYPE AND DATES COVERED: Master's Thesis
4. TITLE AND SUBTITLE: Scalability Assessments for the Malicious Activity Simulation Tool (MAST)
5. FUNDING NUMBERS
6. AUTHOR(S): Ray Longoria Jr.
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943-5000
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A
10. SPONSORING / MONITORING AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. IRB Protocol number: N/A.
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited
12b. DISTRIBUTION CODE: A
13. ABSTRACT (maximum 200 words)
MAST (Malicious Activity Simulation Tool) aims to support the conduct of network administrator security training on the very network that the administrator is supposed to manage. A key element of MAST is to use malware mimics to simulate malware behavior. Malware mimics look and behave like real malware except for the damage that real malware causes. MAST enhances training by providing realistic scenarios that are dynamic, repeatable, and provide relevant feedback.
This thesis is meant to test the scalability characteristics of MAST. Specifically, we show that an exponential increase in clients using the MAST software does not impact network and system resources significantly. Additionally, we demonstrate and discuss how MAST is installed on a new network, and delivers feedback to the organization being trained.
14. SUBJECT TERMS: Red Teams, Malware, Network Security, Training, Computer Network Defense, Simulation, Scalability
15. NUMBER OF PAGES: 85
16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: UU
NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. 239-18
iii
Approved for public release; distribution is unlimited
SCALABILITY ASSESSMENTS FOR THE MALICIOUS ACTIVITY
SIMULATION TOOL (MAST)
Ray Longoria Jr.
Captain, United States Marine Corps
B.A., The Citadel, Military College of South Carolina, 2006
Submitted in partial fulfillment of the requirements for the degree of
MASTER OF SCIENCE IN COMPUTER SCIENCE
from the
NAVAL POSTGRADUATE SCHOOL
September 2012
Author: Ray Longoria Jr.
Approved by: Gurminder Singh, Thesis Co-Advisor
John H. Gibson, Thesis Co-Advisor
Peter J. Denning, Chair, Department of Computer Science
v
ABSTRACT
MAST (Malicious Activity Simulation Tool) aims to support the conduct of network administrator security training on the very network that the administrator is supposed to manage. A key element of MAST is to use malware mimics to simulate malware behavior. Malware mimics look and behave like real malware except for the damage that real malware causes. MAST enhances training by providing realistic scenarios that are dynamic, repeatable, and provide relevant feedback.

This thesis is meant to test the scalability characteristics of MAST. Specifically, we show that an exponential increase in clients using the MAST software does not impact network and system resources significantly. Additionally, we demonstrate and discuss how MAST is installed on a new network, and delivers feedback to the organization being trained.
vii
TABLE OF CONTENTS
I. INTRODUCTION .......... 1
  A. NETWORK SECURITY AND INFORMATION ASSURANCE TRAINING .......... 1
  B. SHORTFALLS WITH CURRENT TRAINING METHODS .......... 2
  C. MALICIOUS ACTIVITY SIMULATION TOOL (MAST) .......... 3
  D. OBJECTIVES .......... 3
  E. ORGANIZATION .......... 4
II. BACKGROUND .......... 7
  A. TRAINING METHODS FOR DOD NETWORK ADMINISTRATORS .......... 7
    1. Red Teams .......... 7
      a. Contemporary Example of a Red Team Implementation .......... 8
      b. Historical Example of a Red Team Implementation .......... 9
      c. Red Team Implementation within a Cyber Domain .......... 9
    2. Defense Information Systems Agency (DISA) Training Programs .......... 10
    3. USMC Communication Training Centers (CTCs) .......... 11
  B. MALWARE .......... 12
    1. Worms .......... 13
    2. Viruses .......... 14
    3. Botnets .......... 15
  C. PROOF OF CONCEPT FOR A MALICIOUS ACTIVITY SIMULATION TOOL .......... 16
  D. SUMMARY .......... 17
III. DESIGN CONSIDERATIONS AND TEST PLATFORM .......... 19
  A. TRAINING .......... 19
    1. Training Objectives and Environment .......... 19
    2. Shortfalls of Current Training Methods .......... 20
      a. Finite Resources .......... 20
      b. Non-standardized Training Methods .......... 20
      c. Inconsistent Feedback .......... 21
      d. Different Training Platform .......... 21
    3. Benefits of Implementing MAST .......... 22
  B. MALICIOUS ACTIVITY SIMULATION TOOL (MAST) .......... 22
    1. System Functionality .......... 23
      a. Scenario Generation .......... 24
      b. Scenario Distribution .......... 24
      c. Scenario Execution .......... 25
      d. Reporting and Archiving .......... 25
    2. System Architecture .......... 26
    3. Safety Features .......... 27
      a. Client Check-in .......... 27
      b. Kill Switch .......... 28
      c. Roll-Back Module .......... 28
    4. Modular Features .......... 28
    5. A Scenario Example .......... 29
  C. TESTING PLATFORM .......... 31
    1. Hardware .......... 31
    2. Software .......... 32
    3. Common PC Operating System Environment (COMPOSE) CG-71 Virtual Machines .......... 33
      a. Integrated Shipboard Network System (ISNS) Domain Controller One and Two .......... 34
      b. Integrated Shipboard Network System (ISNS) Exchange Server .......... 34
      c. Integrated Shipboard Network System (ISNS) System Management Server .......... 34
      d. Computer Network Defense-Operating System Environment (CND-OSE) Host-Based Security System (HBSS) Server .......... 35
      e. Computer Network Defense-Operating System Environment (CND-OSE) Microsoft Structured Query Language (MSSQL) Server .......... 35
      f. CG-71 Common PC Operating System Environment (COMPOSE) Server .......... 35
      g. CG-71 Common PC Operating System Environment (COMPOSE) Secure Configuration Compliance Validation Initiative (SCCVI) Host .......... 35
      h. CG-71 Common PC Operating System Environment (COMPOSE) Workstation .......... 36
  D. HOST-BASED SECURITY SYSTEM (HBSS) .......... 36
    1. McAfee ePolicy Orchestrator (ePO) .......... 37
    2. McAfee Agent .......... 37
    3. McAfee Host Intrusion Prevention System (HIPS) .......... 37
      a. Intrusion Prevention System (IPS) .......... 37
      b. Host Intrusion Prevention System (HIPS) Firewall .......... 37
      c. Host Intrusion Prevention System (HIPS) Application Blocking .......... 38
    4. Device Control Module (DCM) .......... 38
    5. McAfee Asset Baseline Module (ABM) .......... 38
    6. McAfee Policy Auditor (PA) .......... 38
    7. McAfee Virus Scan Enterprise (VSE) .......... 38
    8. McAfee Rogue System Detection (RSD) .......... 38
  E. SUMMARY .......... 39
IV. SCALABILITY ASSESSMENT METHODOLOGY AND RESULTS .......... 41
  A. MAST DEPLOYMENT AND INSTALLATION .......... 41
    1. Over-The-Air (OTA) Deployment .......... 41
    2. Local Distribution and Installation .......... 42
  B. SCENARIO EXECUTION .......... 43
    1. System Resources .......... 43
    2. Network Resources .......... 44
    3. Experiment Design .......... 44
    4. Experiment Methodology .......... 47
    5. Results .......... 50
      a. System Resources .......... 50
      b. Network Resources .......... 52
  C. TRAINING FEEDBACK AND DISTRIBUTION .......... 55
  D. SUMMARY .......... 56
V. CONCLUSIONS AND FUTURE WORK .......... 59
  A. CONCLUSIONS .......... 59
  B. FUTURE WORK .......... 60
    1. Continued Development of Module Library .......... 60
    2. Graphical User Interface .......... 61
    3. Test and Evaluation on Operational Network .......... 61
LIST OF REFERENCES .......... 63
INITIAL DISTRIBUTION LIST .......... 65
xi
LIST OF FIGURES
Figure 1. The MAST Architecture Overview .......... 23
Figure 2. Logical View of MAST Architecture (From Greg Belli and Erik Lowney) .......... 27
Figure 3. Example of a MAST Scenario .......... 30
Figure 4. MAST Physical Equipment Setup (From Greg Belli and Erik Lowney) .......... 32
Figure 5. Architecture for MAST deployment and installation .......... 42
Figure 6. Virtual test bed configuration .......... 45
Figure 7. MAST Scenario selection window .......... 46
Figure 8. Breakdown of MAST clients for experimentation .......... 48
Figure 9. Experiment procedure .......... 49
Figure 10. Percentage of CPU resources used for experiments .......... 51
Figure 11. Percentage of CPU used compared to number of clients .......... 52
Figure 12. Characteristics of network during experiments .......... 53
Figure 13. Network traffic statistics captured by Wireshark .......... 54
Figure 14. Percentage of network resources used .......... 55
xiii
LIST OF ACRONYMS AND ABBREVIATIONS
AdWare Advertising Software
CND Computer Network Defense
CNSS Committee on National Security Systems
COMPOSE Common PC Operating System Environment
COTS Commercial Off The Shelf
CPU Central Processing Unit
CTC Communication Training Center
DC Domain Controller
DCM Device Control Module
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DHS Department of Homeland Security
DISA Defense Information Systems Agency
DNS Domain Name System
DoD Department of Defense
ePO ePolicy Orchestrator
ExComm Executive Committee
FOC Full Operating Capability
Gb Gigabit
GB Gigabyte
GHz Gigahertz
GUI Graphical User Interface
HBSS Host Based Security System
HIPS Host Intrusion Prevention System
IA Information Assurance
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IIS Internet Information Server
IIT Infantry Immersion Trainer
IOC Initial Operational Capability
IP Internet Protocol
IPS Intrusion Prevention System
ISNS Integrated Shipboard Network System
Malware Malicious Software
MAST Malicious Activity Simulation Tool
MEF Marine Expeditionary Force
NNTP Network News Transfer Protocol
NSA National Security Agency
OPFOR Opposing Forces
OTA Over The Air
RaD-X Rapid Experience Builder
RAM Random Access Memory
SMTP Simple Mail Transfer Protocol
TB Terabyte
TCP Transmission Control Protocol
TTP Tactics, Techniques and Procedures
UPS Uninterruptible Power Supply
USCYBERCOM United States Cyber Command
USMC United States Marine Corps
VM Virtual Machine
xvii
ACKNOWLEDGMENTS
First and foremost, I give thanks to my Heavenly Father, His Grace, and all the blessings I am so lucky to have.

This thesis would not have been possible without the guidance, patience, and support of my thesis advisor, Professor Gurminder Singh. Thank you for your time and the opportunity to work with you. My thesis co-advisor, Mr. John Gibson, provided guidance and mentorship not only for this thesis, but throughout my NPS career as well. Thank you.

I would be remiss if I did not offer my heartfelt thanks and appreciation to CDR Jim Hammond and LT Justin Neff. I cannot say enough about Jim's effort, hard work, and leadership while working on the MAST project. I thank Justin for his dedication and motivation to not only the MAST project, but to all our endeavors together. Also, I would like to thank Mr. Arijit Das, Mr. Erik Lowney, and Mr. Greg Belli. Their hard work and contributions advanced and elevated this project to levels we hadn't considered possible within our timeline. Thank you gentlemen.

Additionally, I want to thank Ms. Susan Hood from SPAWARSYSCEN-PACIFIC and Mr. Quincy Taitt from ManTech Systems for providing the software and training that allowed us to test MAST in our shipboard simulated environment.

I would also like to acknowledge and thank all my professors and fellow cohort members over the last two years. Specifically, I would like to acknowledge CDR Al Shaffer, J. D. Fulp, Scott Cote, Professor Rob Beverly, LT Joey Carter, and of course all my fellow Marines. Semper Fi brothers.

Finally, to my amazing wife Tara, I thank you from the bottom of my heart. I could not have done this without your love and support. I am forever grateful and thankful that God brought us together. I love you. To my beautiful children, Emeline, Everett, Elianna, and the twins, you all are my drive and motivation. Thank you for your love, support, sacrifices, and occasional drama. I wouldn't have it any other way.
1
I. INTRODUCTION
During the summer of 2009, then Secretary of Defense Robert Gates directed the establishment of United States Cyber Command (USCYBERCOM). The new command achieved Initial Operational Capability (IOC) the following summer, followed by Full Operating Capability (FOC) on October 31, 2010. USCYBERCOM is:

Responsible for planning, coordinating, integrating, synchronizing, and directing activities to operate and defend the Department of Defense information networks and when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations) in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries. [1]

A key directive in USCYBERCOM's mission statement is to defend the DoD information network. While there are many methods and techniques used to execute this task, the underlying foundation for each of those methods is training. Training occurs at all levels and stages. It must be relevant, continuous, and above all effective.
A. NETWORK SECURITY AND INFORMATION ASSURANCE TRAINING
As the use of computing devices, Internet connectivity, and cloud-based services rises, the need for more personnel trained to install, maintain, and protect these services also rises. These developments are not isolated to business, government, or private communities. These same technological developments are also in demand and in use by the U.S. military. However, a key difference between military use and all others is the critical need to protect those services and the network they propagate over, due to the military's national defense mission.
Training for U.S. service members and DoD personnel varies based on location, experience, level of expertise required, and mission. Options for training range from classroom-type training and computer-based training to red team training. Classroom training offers a lot of hands-on experience in a controlled setting, while red teams provide a more realistic experience, as their training is conducted on the actual network the administrators maintain.
B. SHORTFALLS WITH CURRENT TRAINING METHODS
While our current training methods are effective, there are a few key shortfalls we wish to address with this thesis. Red teams, for example, are finite resources that are in very high demand. As more commanders understand the threat in the cyber domain, they want to ensure their units' preparedness by providing relevant and effective training. While red teams are capable of providing this, the reality is there are not enough of them. Additionally, the training offered through the use of red teams is dynamic in nature, which in turn can lead to inconsistent training results and feedback for the unit or organization being trained or evaluated.

Classroom or laboratory training can also be effective and relevant. However, a potential shortfall is the operating environment in which a trainee will train. The computer systems and network to which they are connected
4
important we understand how MAST uses system and network resources while conducting training. MAST must be able to train hundreds of clients while utilizing minimal resources.
E. ORGANIZATION
Chapter I provides a brief description of current shortfalls in network security and IA training. Additionally, a general description of MAST and its functionality is detailed along with the objectives of this thesis.

Chapter II outlines previous research, current training methods and the work of Taff, Salevski, and Neff. Additionally, we provide a detailed description of red teams and some historical examples of their use. We conclude the chapter with a discussion of varying types of malicious software (malware).

Chapter III discusses our design considerations with respect to MAST and the test platform. Specifically, we detail MAST's functionality and architecture, and provide an example of a training scenario. We provide details of the test platform's hardware and software features along with a detailed discussion of training and the aspects involved in conducting training. We conclude the chapter with an overview of the Host-Based Security System (HBSS) software suite.
Chapter IV provides a detailed description of the assessments required to determine MAST's scalability characteristics. We discuss the installation of the software from a remote location on a network that does not have MAST. Additionally, we show how MAST uses system and network resources when executing a training scenario. We conclude the chapter with a discussion of MAST's feedback and reporting capabilities.

Chapter V provides conclusions and recommendations as a result of this experiment. We give our assessment of MAST's implementation on a large network and the utilization of resources by the tool. We conclude the chapter with a discussion of future work to be conducted to prepare MAST for implementation in an operational environment.
7
II. BACKGROUND
This chapter details some of the varying cyber security and Information Assurance (IA) training methods utilized by the United States (U.S.) uniformed service members and Department of Defense (DoD) personnel. Specifically, we provide some insight into red teams, who they are, and how they operate, and other sources of training within the DoD. Additionally, we discuss some malicious threat signatures and behaviors, and the proof of concept for our system, called Malicious Activity Simulation Tool (MAST).
A. TRAINING METHODS FOR DOD NETWORK ADMINISTRATORS
1. Red Teams
In a 2008 interview, Popular Mechanics was given unprecedented access to a National Security Agency (NSA) red team member. The interviewee revealed that the main task of the red teams was to provide adversarial network services to all units and personnel within the DoD while ensuring strict adherence to their first rule of operation: "do no harm" [4]. Within this context, and in general, a red team is made up of highly skilled and experienced personnel whose mission is to anticipate and simulate the decision-making and behaviors of potential adversaries [5]. Red teams allow units to "train as [they] fight" by conducting their actions in the actual operational environment, while utilizing the same tactics, techniques, and procedures (TTPs) of a real enemy.
8
According to the Committee on National Security Systems (CNSS), a red team is defined as:

A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment. [6]

The use of red teams is not limited to the computer security or computer network domain. Red teams, who are sometimes referred to as an Opposing Force (OPFOR), are utilized for training, planning, and evaluating at the strategic level down to the tactical level.
a. Contemporary Example of a Red Team Implementation
One way in which U.S. Marine Corps infantry units prepare for operations in a hostile urban environment is to send their members through the Infantry Immersion Trainer (IIT) facility located on Marine Corps Base Camp Pendleton, California. IIT is a physical training environment that incorporates computer simulation technology to provide a vivid and realistic virtual environment to prepare warfighters for a range of possible scenarios [7]. The scenarios and simulations incorporated into the training program, known as TTPs, are integrated by a red-team-like entity.
10
are varying levels of competency and experience among the individual members of the team. The amount of red-teaming or depth of penetration a team can make on a respective network is unpredictable and not standardized due to variables associated with the particular red team, the network being probed, and the personnel administering that network. Additionally, feedback to the respective unit being tested or trained is critical to its security enhancements, operational security posture, and most importantly mission accomplishment, but it is often inconsistent and neglected.
2. Defense Information Systems Agency (DISA) Training Programs
Another resource for cyber security and IA training for network administrators is the training products offered by the Defense Information Systems Agency (DISA). DISA offers a variety of computer-based and web-based training programs; instructor-led training programs; and virtual training environments. One course in particular, the Rapid Experience Builder (RaD-X) course, is designed to expose students to malicious software (malware) and provide hands-on training with firewall log reviews, intrusion detection system (IDS) analysis and configuration, and anomaly detection using computer network defense (CND) tools [10]. Trainees in this course are able to observe and interact with a variety of real malware in a laboratory setting. The laboratory environment is air-gapped, or isolated from all other networks and the Internet. While there are many positive aspects to this hands-on, instructor-led training, there are a few shortfalls. First, the cost of transporting the laboratory for training or sending personnel to be trained can be very high. Second, there is a very high maintenance cost associated with managing and maintaining the systems. After each class, each system within the RaD-X environment must be wiped, that is, electronically cleared, and re-imaged to prepare for the next session. Finally, for the trainee, there is no guarantee that the RaD-X computer systems and network topology mirror the operational network with which they are familiar.
3. USMC Communication Training Centers (CTCs)
Within the Marine Corps there exist three Communication Training Centers (CTCs), located respectively within each Marine Expeditionary Force (MEF). The classes available through one of these CTCs range from tactical radios to Cisco routing protocols and concepts. The depth of instruction on cyber security and IA is limited due to the limited resources available at each location and the additional military commitments for all service members. Like the RaD-X architecture mentioned above, the configuration and system design used in training often does not mirror what the actual service member will administer during an exercise or while deployed.
All the training methods mentioned above are undoubtedly beneficial and critical to the continued security of our computer network infrastructure. We propose that the incorporation of MAST will enhance network administrator training by allowing units to train on their very own operational network in a safe and controlled environment. MAST will provide consistent training and, most importantly, provide consistent feedback to the users.
B. MALWARE
Malicious software, or malware, is a general term used to describe software that is specifically designed to cause a computer system, its network, or peripherals to perform actions not intended by the user, or deny the user a resource resident within the computer or network. In a 2005 case study describing attacks against critical infrastructure, the U.S. Department of Homeland Security (DHS) defined malware as:

Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior. Examples include various forms of adware, dialers, hijackware, slag code (logic bombs), spyware, Trojan horses, viruses, web bugs, and worms. [11]

The impact of malware on a computer system can range from harmless and annoying to severely devastating and damaging. Advertising software (adware) or spam e-mails, while inconvenient, will have little to no impact on the system's resources and services. A Trojan horse, conversely, could give a hacker complete access to a system at the administrator level, thereby compromising the confidentiality, integrity, or accessibility of files and resources located within the system.
For the scope of this thesis, and MAST in general, the term malware will refer to those exploits and their behaviors that can cause catastrophic damages or deny the end user the ability to accomplish the mission. Specific types of malware behavior MAST will simulate include, but may not be limited to, worms, botnets, and viruses.
1. Worms
According to the Froehlich/Kent Encyclopedia of Telecommunications, a worm is defined as self-replicating programs that spread with no human intervention after they are started [9]. Gu et al. identify three characteristics common to most Internet worms [12]:

The first characteristic deals with the volume and type of traffic generated by an Internet worm. A worm is more susceptible to identification based on its patterns and signatures. Since worms are self-replicating, they do not evolve or change as they propagate. A worm's uniform characteristics make it easier to detect with network traffic analysis software, such as Wireshark and TCPDump.

A second characteristic deals with the worm's scanning behavior. Most Internet worms will use a pseudo-random search algorithm to discover open ports on a vulnerable system. A worm with this behavior will attempt to connect to numerous closed ports, which will result in the same number of failed connections. A brief analysis of these failed connections could reveal the presence of a worm.

The final characteristic is a noticeable increase in system resource utilization. The host uses a lot of resources responding to the initial scanning done by a worm, followed by a further depletion of resources to find more vulnerable systems.

The scanning and propagation features of an Internet worm are normally only part of its behavior. Most malware carry or deliver some sort of malicious payload that can be used to capture sensitive information, report back to a base station, or in the worst case, corrupt or delete essential system files.
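The second characteristic above, a burst of failed connections to many closed ports from one host, is the one a defender can check directly in connection logs. The Python below is an added example written for this page, not code from the thesis or from MAST: the flow-log line format, the host addresses, the port sequence and the thresholds are all constructed for illustration, and the thresholds would be tuned to a real network's normal failure rate.

```python
"""Flag hosts whose connection pattern matches the worm scanning
characteristic: many connection attempts that fail, spread over many
distinct targets (closed ports).  Added example; the flow-log format,
addresses and thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical flow-log format: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) result=(?P<result>ok|fail)$"
)


@dataclass
class HostStats:
    attempts: int = 0
    failures: int = 0
    targets: set = field(default_factory=set)  # distinct (dst, dport) pairs


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate attempts, failures and distinct targets per source host."""
    stats = defaultdict(HostStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the analysis
        s = stats[rec["src"]]
        s.attempts += 1
        s.targets.add((rec["dst"], int(rec["dport"])))
        if rec["result"] == "fail":
            s.failures += 1
    return stats


def flag_scanners(lines, min_failures=20, min_fail_ratio=0.8, min_targets=10):
    """Sources with many failures, a high failure ratio and many distinct
    targets in one window look like worm scanning.  Thresholds are
    constructed defaults, not values from the thesis."""
    flagged = {}
    for src, s in summarize(lines).items():
        ratio = s.failures / s.attempts
        if (s.failures >= min_failures and ratio >= min_fail_ratio
                and len(s.targets) >= min_targets):
            flagged[src] = {
                "attempts": s.attempts,
                "failures": s.failures,
                "fail_ratio": round(ratio, 3),
                "distinct_targets": len(s.targets),
            }
    return flagged


# Constructed sample: one ordinary workstation, one malformed line, and one
# host probing 30 pseudo-random ports across ten neighbours (28 of them fail).
NORMAL_LINES = [
    "2012-09-10T08:00:01 src=10.1.1.20 dst=10.1.1.5 dport=80 result=ok",
    "2012-09-10T08:00:02 src=10.1.1.20 dst=10.1.1.5 dport=443 result=ok",
    "2012-09-10T08:00:03 src=10.1.1.20 dst=10.1.1.6 dport=445 result=ok",
    "2012-09-10T08:00:04 src=10.1.1.20 dst=10.1.1.7 dport=22 result=fail",
    "2012-09-10T08:00:05 src=10.1.1.20 dst=10.1.1.5 dport=80 result=ok",
    "this line is malformed and must be skipped",
]
SCAN_LINES = [
    f"2012-09-10T08:01:{i:02d} src=10.1.1.77 dst=10.1.1.{100 + i % 10} "
    f"dport={1024 + (i * 7919) % 40000} result={'ok' if i in (3, 17) else 'fail'}"
    for i in range(30)
]
SAMPLE_LOG = NORMAL_LINES + SCAN_LINES

if __name__ == "__main__":
    for src, info in flag_scanners(SAMPLE_LOG).items():
        print(f"possible worm scanning from {src}: {info}")
```

The ordinary workstation has one failed connection among five and is not flagged; the probing host trips all three conditions. Looking at failures per source rather than per destination is what distinguishes this from a single dead service, where many hosts fail against one port.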
Cornell University student, Robert Morris, released the first known instance of an Internet worm in 1988. The Morris worm, which was initially designed to measure the size of the Internet's ancestor, ARPANET, had a self-replicating and self-propagating feature that caused 10% of all computers connected to the ARPANET to become ineffective due to the allocation of resources dedicated to the Morris worm [13].
2. Viruses
Like Internet worms, viruses are also self-replicating software that can carry a malicious payload. The distinguishing characteristic between worms and viruses is that viruses require some sort of action on the part of the end-user to initiate their behavior. Viruses propagate through e-mails or malicious attachments, not through system vulnerabilities as a worm does. Peter Szor, author of The Art of Virus Research and Defense, defines a computer virus as:

Code that recursively replicates a possibly evolved copy of itself. Viruses infect a host file or system area, or they simply modify a reference to such objects to take control and then multiply again to form new generations. [14]

Viruses, like worms, have distinct characteristics and signatures that can be detected with an Intrusion Detection System (IDS). Unfortunately, these combative methods tend to be reactive in nature due to the virus' stealth nature and various infection methods. Viruses can be programmed to attach themselves to other executable files, self-modify, and replicate. The signature database associated with the IDS must be updated constantly and reviewed to ensure maximum protection.
3. Botnets
Another form of malware that has become more widely used, due to the increase in computing systems connected to the Internet, is a botnet. A "bot" is a computer system that has been compromised with malicious software and the "net" is the network on which the infected host communicates. While there are many common characteristics among viruses, worms, and botnets, the distinguishing factor for botnets is its command and control architecture. In this command and control architecture there is normally one bot that acts as the master while the other bots execute the commands given by the master.

As stated earlier, the rise in computer usage and Internet connectivity has led to the increase in botnet attacks. The most common attack associated with botnets is the Distributed Denial of Service (DDoS) attack. A DDoS attack is designed to overwhelm the resources of a single entity by sending it more requests than it can handle. These requests normally come from multiple machines at the same time, which are all a part of a botnet. However, botnets can be used for more than just a DDoS attack. According to Ellen Messmer, who published an article on the growth of botnet usage:
The tool is designed to allow users to "train as you fight" by executing the training on the user's operational network. All actions and behaviors are benign in nature, thereby causing no threats to the network or end-hosts. Also, the network traffic generated by the system does not overwhelm network resources and impact users not involved in the training.

Finally, the tool is designed to capture all commands and actions so that a report could be generated to profile the training. This is an important characteristic that is fundamental to any training scenario.
Neff furthered Taff and Salevski's research by verifying and validating their proposed approach to network security training. Specifically, Neff defined various metrics that were used to compare MAST's training approach to other methods of training currently available. His research asserted that the MAST system is a viable approach and can improve network security and the IA posture of a unit when augmented to the other resources currently available [3].

The theses authored by Taff, Salevski, and Neff are the proof-of-concept and foundation upon which MAST has been built. It is their work that we intend to expand and further develop.
D. SUMMARY
In this chapter, we discussed varying methods used to train computer network administrators. Specifically, we detailed who and what red teams are, and examples of their implementation, along with other forms of DoD-sourced training. We also discussed the malware domain and some of the categories of malware that fall within that domain. Finally, we discussed the research and development of a software-based approach to training network administrators. In the following chapter we will expand on this software-based approach by detailing how this approach can augment current training methods. Additionally, we will provide an overview of MAST and describe the implementation platform for experimentation.
III. DESIGN CONSIDERATIONS AND TEST PLATFORM
In this chapter, we detail our assumptions about the training objectives and training environment for which the Malicious Activity Simulation Tool (MAST) is to be implemented. Along with these assumptions, we provide a detailed overview of MAST's functionality, architecture, benefits over current training methods, and an example training scenario MAST could implement. We conclude the chapter with a discussion on the Host-Based Security System (HBSS) and the virtual shipboard network we are using for testing and evaluating.
A. TRAINING
1. Training Objectives and Environment
As stated in the previous chapters, the foundation for this thesis lies in the previous work, research, and development by Taff, Salevski, and Neff [2][3]. An important topic they helped define and scope for this project is the training paradigm. Specifically, they defined a training objective as the skill or behavior that we wish to reinforce [2]. This definition is a foundational principle of the MAST design. Since training objectives vary by unit, size, location, experience, and numerous other factors, MAST is designed to be modular in nature. MAST can be customized to fit varying training objectives.
The implementation of MAST assumes a training environment where there is a trainer, trainee, safety observer, and computer network that is inter-connected and accessible by all these individuals. The person(s) or organization responsible for developing training objectives and overseeing the training is the trainer. The individual or organization receiving the training and trying to meet the objectives is the trainee. The person or organization responsible for the safety of the training and the adherence to any constraints or restraints is the safety observer. Finally, the platform upon which the training is conducted is an inter-connected network of computers on an approved DoD computer network. The computer systems attached to this network have a baseline computer image approved by its respective service or agency, which includes the installation of HBSS.
2. Shortfalls of Current Training Methods
As stated in the previous chapter, there are varying training methods available to network administrators for network security and IA. We believe there are four major shortfalls with these methods that the MAST addresses:
a. Finite Resources
Taff and Salevski stated that the use of red teams for training is the pinnacle of a unit's training [13]. But unfortunately, red teams are a finite resource that are over-taxed and in high demand. If a unit is lucky, they may have an opportunity to train with a red team just prior to a deployment or commencement of an exercise.
b. Non-standardized Training Methods
As stated in the previous chapter, the attack methods and probing techniques used by red teams vary due to factors such as experience, time available, complexity of the network, discovered vulnerabilities, and many more. These variables make standardized training with respect to red teams virtually impossible.
c. Inconsistent Feedback
The dynamic training approach and non-standardized training methods offered by red teams can lead to inconsistent feedback for the unit being trained. The task of capturing all events and actions is very manpower intensive and time-consuming. Time and manpower are two resources of which the red teams do not have enough. If detailed feedback is desired, then the amount and quality of training provided by the red team will be diminished.
d. Different Training Platform
While laboratory or schoolhouse type training can mitigate some of the issues with standardization and feedback, there are two other issues with this type of training:

First, the cost of sending personnel to be trained or transporting the laboratory to the training location can be very high. Additionally, the costs for managing and maintaining the laboratories can be very expensive.

Second, there is no guarantee that the system and network settings and configuration will mirror that of the actual network the trainees will use for their exercise or deployment.

In the following sections we will discuss the benefits and details of the MAST and its role in the training domain.
3. Benefits of Implementing MAST
MAST is designed to address the shortfalls mentioned in the previous section by providing a software-based solution that is realistic, repeatable, modular and dynamic. MAST is designed to simulate and automate some of the training methods conducted by red teams. MAST's training methods, which would be available to all DoD personnel, can be repeated an unlimited number of times to ensure the training objectives are met. One of MAST's key functions is to provide reports on the events surrounding a training scenario. The reports will help a unit identify its strengths and weaknesses, which in turn will allow it to better focus its training resources. MAST is also designed to be used on the same network the trainees use for their day-to-day operations. The command and control design of MAST allows the trainer to scale the training only to those desired hosts and, most importantly, the training can be ceased expeditiously to allow trainees the ability to resume their operational commitments. Finally, MAST is designed to do no harm to the network or the hosts attached to the network.
B. MALICIOUS ACTIVITY SIMULATION TOOL (MAST)
During Taff and Salevski's initial research and prototype development of MAST, formerly known as Malware Mimics, it was determined that MAST be implemented according to a client-server paradigm [2]. As shown in Figure 1, the client-server paradigm allows for the trainer to conduct the training from a local or remote location using a command-and-control architecture. Additionally,
a. Scenario Generation
Scenario generation is an important function that allows for dynamic and relevant training. As new threats develop, or existing threats remain persistent, it is critical that trainers have the ability to create unique situations that enforce a certain training objective. A scenario is made up of commands, which are executed by the MAST client, and modules, which are pre-programmed behaviors the client will execute. A library of modules will exist at all levels of the MAST and can be combined or used interchangeably to create unique scenarios.

For example, if the signature of a certain piece of malware is to perform a network scan followed by an Internet Control Message Protocol (ICMP) echo-request (ping) out of a specific network port to a specific Internet Protocol (IP) address, this action can be recreated into multiple modules for re-use in other scenarios. The scanning behavior is one module while the ping request is another module.

Ideally, the creation of new modules and scenarios is done by the remote trainer whose experience and skills are equivalent to that of an ethical hacker or a member of a red team.
b. Scenario Distribution
The next important system function is scenario distribution. This function is accomplished using a top-down approach. The trainer, from a remote location, pushes new scenarios, modules, or updates from the remote server, known as the Scenario Generation Server (SG Server), to the MAST server located locally where the training is to be conducted. The local server, known as the Scenario Execution Server (SE Server), then pushes the updates to the clients as needed.

The distribution of new scenarios or updates can be pulled or pushed from the respective server. The SG Server can push the updates down to the SE Server, or the SE Server can check in with the SG Server and determine if any update needs to be pulled. The same process applies to the SE Server and the clients it serves.
c. Scenario Execution
Scenario execution occurs at all levels of the MAST system. A remote trainer can execute a scenario from the SG Server via the SE Server co-located with the training unit. For localized training, a scenario can be executed directly by utilizing only the SE Server. Upon receipt of an execution command, the MAST Client executes the specified scenario.
d. Reporting and Archiving
Following a bottom-up approach, reporting begins when a MAST Client completes a given module or scenario and reports its actions and events to the SE Server. The SE Server, with a limited database capability, archives the information in order to generate reports for the local or remote trainers. The remote trainer, who can leverage the SG Server to manage multiple SE Servers, determines the level of granularity desired from the SE servers. These reports give the trainers and leaders of the unit being trained a snapshot of how the trainees performed, which in turn can be used to create a profile of strengths and weaknesses. This will allow for a better and more efficient use of training resources.

The SE Server and the SG Server have access to a database for data archiving. The database is used to store scenarios, modules, and reports from all clients and servers in the system.
2. System Architecture
The MAST system functions mentioned above are implemented with the use of three main components:

- Scenario Generation Server (SG Server)
- Scenario Execution Server (SE Server)
- MAST Client(s)

All three components are Java-based software programs consisting of multiple classes or files designed to run on a variety of Microsoft Windows-based operating systems. Figure 2 provides a notional implementation view of the system design.

Figure 2. Logical View of MAST Architecture (From Greg Belli and Erik Lowney)
3. Safety Features
Like any military training exercise, safety is always a priority. MAST provides numerous safety features to ensure the integrity of the network and hosts connected to the network.
a. Client Check-in
Prior to the commencement of training, each client or end-host participating in the training must check in with the SE Server. When the execution of a scenario begins, the SE Server communicates only with those clients on its checked-in list. This ensures non-training users and end-host systems are not affected by the ongoing training and can perform their duties as normal.
b. Kill Switch
The kill switch is a simple mechanism or command located at both the SG Server and SE Server. This command, if executed, will cease all training and begin the roll-back module. The kill switch ensures immediate and full access to the network and end-hosts in the event the users that are participating in the training need to immediately resume their operational duties.
c. Roll-Back Module
The roll-back module is similar in design to other training modules in that it is designed to run on the MAST Clients. The main purpose is to ensure the end-host system being used as a MAST Client is returned to the state in which it was prior to the commencement of training.

For example, if a training scenario called for the creation of a text file on the user's desktop, the roll-back module, which is executed after the SE Server receives its reports, will remove the text file, and will likewise remove or revert to their original form any other files created or modified, respectively, during the training.
4. Modular Features
A final characteristic about the MAST that makes it an extensible training tool is its modularity. As stated earlier, scenarios are a combination of computer commands and modules. The modules are designed to execute a single behavior and interact effectively with other modules. For example, if a piece of malware performs multiple behaviors, then those individual behaviors are broken down into individual modules. The scenario created to simulate this malicious behavior would consist of multiple modules.
5. A Scenario Example
Now that we have discussed the characteristics and components of MAST, we can view an example of a scenario that can be used for training. Figure 3 overviews the actions that occur when the Drive-by Download scenario is executed.

In this scenario, a pop-up window appears on the user's desktop. The window is a simple image that performs no action other than recording the user's response. The pop-up window asks the user if they would like to execute or download a specific file. The user's actions are recorded in the SE Server's database.

The objectives of this scenario are to see how the users respond to the download question and if any users report the events to a system or network administrator. Such events may be characteristic of a phishing attack. The results of the training can let a unit know where to focus future training resources.
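The mechanics laid out in the preceding sections fit together as one small model: a scenario is an ordered list of single-behavior modules, the SE Server dispatches only to hosts on its checked-in list, the kill switch stops execution and starts roll-back, and every client action is reported bottom-up to the SE Server's database. The Python below is an added example written for this page; it is not MAST's Java code. The class names, the in-memory stand-in for a desktop, the module names and the recorded pop-up answer are all constructed assumptions, and the scenario it runs is a toy version of the Drive-by Download example above.

```python
"""Toy model of the MAST concepts in this chapter: a scenario is an ordered list
of modules that each perform one benign behaviour and know how to undo it; the
SE server dispatches only to checked-in clients; the kill switch halts execution
and starts roll-back; clients report bottom-up to the SE server.
Added example: names and structure are assumptions, not MAST's own code."""
from collections import namedtuple

# One behaviour and its inverse; both act on the host state and return an event string.
Module = namedtuple("Module", "name execute rollback")

class Client:
    """MAST client stand-in; `state` is a constructed model of the end-host."""
    def __init__(self, host, files, report):
        self.host = host
        self.state = {"files": dict(files), "undo": {}}
        self.applied = []     # executed modules, undone in reverse order
        self.report = report  # bottom-up reporting channel to the SE server

    def run(self, modules, killed):
        for mod in modules:
            if killed():  # the kill switch is checked between modules
                self.report(f"{self.host}: halted before {mod.name}")
                return
            self.report(f"{self.host}: {mod.execute(self.state)}")
            self.applied.append(mod)

    def roll_back(self):
        while self.applied:
            mod = self.applied.pop()
            self.report(f"{self.host}: rollback {mod.rollback(self.state)}")

class SEServer:
    """Scenario Execution Server stand-in; `reports` is its limited database."""
    def __init__(self):
        self.checked_in = {}
        self.kill = False
        self.reports = []

    def check_in(self, host, files):
        client = self.checked_in[host] = Client(host, files, self.reports.append)
        return client

    def execute(self, modules, host):
        """Dispatch to one host; hosts not on the checked-in list are refused."""
        client = self.checked_in.get(host)
        if client is None:
            self.reports.append(f"refused {host}: not on checked-in list")
            return False
        client.run(modules, killed=lambda: self.kill)
        return True

    def kill_switch(self):
        self.kill = True
        for client in self.checked_in.values():
            client.roll_back()

def file_module(name, content):
    """Module that writes a desktop file; roll-back removes it if it was new,
    otherwise restores the previous content."""
    def execute(st):
        st["undo"][name] = st["files"].get(name)  # None records "did not exist"
        st["files"][name] = content
        return f"wrote {name}"
    def rollback(st):
        previous = st["undo"].pop(name)
        if previous is None:
            st["files"].pop(name, None)
            return f"removed {name}"
        st["files"][name] = previous
        return f"reverted {name}"
    return Module(f"write {name}", execute, rollback)

def popup_module():
    """Pop-up that only records the user's answer (constructed as 'declined')."""
    def execute(st):
        st["popup_response"] = "declined"
        return "pop-up shown, user declined download"
    def rollback(st):
        st.pop("popup_response", None)
        return "cleared pop-up record"
    return Module("popup", execute, rollback)

# Constructed drive-by download scenario: new file, modified file, pop-up.
DRIVE_BY = [file_module("readme.txt", "training"),
            file_module("notes.txt", "modified by training"),
            popup_module()]

def run_demo():
    """Two hosts check in, a third never does; the trainer pulls the kill
    switch after the first host finishes. Returns end states and the report."""
    server = SEServer()
    alpha = server.check_in("ws-alpha", {"notes.txt": "original"})
    bravo = server.check_in("ws-bravo", {"notes.txt": "original"})
    server.execute(DRIVE_BY, "ws-alpha")
    server.execute(DRIVE_BY, "ws-charlie")  # never checked in: refused
    server.kill_switch()                    # alpha rolled back, bravo untouched
    server.execute(DRIVE_BY, "ws-bravo")    # halts before its first module
    return {"alpha": alpha.state, "bravo": bravo.state, "report": server.reports}

if __name__ == "__main__":
    for line in run_demo()["report"]:
        print(line)
```

Roll-back undoes modules in the reverse of their execution order, which is what makes "return the host to its prior state" hold when one module's change depends on an earlier one, and the undo record distinguishes a file that was created (to be removed) from one that was modified (to be reverted).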
Figure 3. Example of a MAST Scenario

Figure 4. MAST Physical Equipment Setup (From Greg Belli and Erik Lowney)
Additionally, a Cisco 2811 router is used as an access point for remote hosts to connect to the VMs. Finally, all physical resources are connected to a Dell 1920 Uninterruptable Power Supply (UPS) to ensure protection of the hardware and software in the event of a power loss.
2. Software
The resources required to actually replicate a shipboard network are large and very expensive. A more efficient way to validate the MAST's capabilities is to test the system on a virtualized network. By using virtualization, we were able to reduce the amount of physical resources required to mock the shipboard network. ESXi 5.0 is a specialized operating system developed by VMware to manage the physical resources available on a server. In our setup, we use VMware software to manage and create virtual machines for testing. A virtual machine (VM), according to VMware, is a tightly isolated software container that can run its own operating system and applications as if it were a physical computer [17].

A key element in creating and managing VMs is to ensure you have the appropriate amount of resources available for that virtual machine. For example, if you create a Windows XP VM and allocate 2GB of RAM and 50GB of storage, then those resources will be reserved for that machine on the physical server itself. There is a one-to-one mapping with respect to a VM's allocated memory and storage and the actual memory and storage on the server on which the VM resides.

In the following section we discuss the actual VMs used for testing. These VMs are managed by the VMware software and reside on the three physical servers mentioned above.
3. Common PC Operating System Environment (COMPOSE) CG-71 Virtual Machines
The virtual machines used to test and develop MAST are a replica of the U.S. Navy cruiser, U.S.S. Cape St. George, also known as CG-71. The VMs, which were developed by Space and Naval Warfare System Center (SPAWARSYSCEN) Pacific contractor, ManTech, are unclassified and have the Common PC Operating System Environment (COMPOSE) installed. COMPOSE is a standardized load for all computers to ensure

- Internet Information Server (IIS) for Simple Mail Transfer Protocol (SMTP)
- Network News Transfer Protocol (NNTP)

d. Computer Network Defense-Operating System Environment (CND-OSE) Host-Based Security System (HBSS) Server
The virtualized HBSS Server has Microsoft Windows Server 2003 Standard Edition installed. The following services are installed as well:

- Host-Based Security System (HBSS) Server, which includes the ePolicy Orchestrator (ePO)
e. Computer Network Defense-Operating System Environment (CND-OSE) Microsoft Structured Query Language (MSSQL) Server
The virtualized MSSQL Server has Microsoft Windows Server 2003 Standard Edition installed. The server provides a database for HBSS and Secure Configuration Compliance Validation Initiative (SCCVI).
f. CG-71 Common PC Operating System Environment (COMPOSE) Server
The virtualized COMPOSE Server has Microsoft Windows Server 2003 (32 bit) installed. The server manages the COMPOSE environment.
g. CG-71 Common PC Operating System Environment (COMPOSE) Secure Configuration Compliance Validation Initiative (SCCVI) Host
The virtualized SCCVI Host has Microsoft Windows XP Professional (32 bit) installed. The server ensures the COMPOSE workstations are in compliance with HBSS.
h. CG-71 Common PC Operating System Environment (COMPOSE) Workstation
The virtualized COMPOSE Workstation has Microsoft Windows XP Professional (32 bit) installed. The workstation is used by all users and interacts with HBSS through the McAfee Agent installed on the system.
D. HOST-BASED SECURITY SYSTEM (HBSS)
According to the Defense Information Systems Agency (DISA) HBSS website:

The Host Based Security System (HBSS) baseline is a flexible, commercial-off-the-shelf (COTS) based application. It monitors, detects, and counters against known cyber-threats to Department of Defense (DoD) Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA PEO-MA is providing the program management and supporting the deployment of this solution. [16]

HBSS is currently being deployed by the DoD to standardize the way DoD manages networks with respect to security and IA. Like the use of the COMPOSE CG-71 VMs mentioned in the previous section, it was important to implement HBSS into our testing and evaluation of the MAST. In his thesis, Verification and Validation of the Malicious Activity Simulation Tool (MAST) for Network Administrator Training and Evaluation, Neff provides a detailed description of HBSS and its interaction with the MAST [14].
1. McAfee ePolicy Orchestrator (ePO)
Serves as the central policy management point for all of the systems HBSS manages.
2. McAfee Agent
The agent is the distributed client-side software that communicates directly with the ePO server. It also enforces all HBSS policies on the respective workstation.
3. McAfee Host Intrusion Prevention System (HIPS)
The HIPS is the component of HBSS that provides several fundamental security features, such as application blocking or firewalls. The system's functionality is implemented using the following features:
a. Intrusion Prevention System (IPS)
The IPS monitors all system and Application Program Interface (API) calls. It blocks the execution of any program whose signature matches one of the malicious signatures in its database.
b. Host Intrusion Prevention System (HIPS) Firewall
The HIPS firewall protects managed hosts by analyzing network traffic for malicious content and preventing it from compromising any data, applications, or host operating systems.
modules software, is less than 700KB. These packaged files are transmitted once to the SE server, or local server, which in turn handles the distribution to all clients associated with the training network.

Future OTA transmissions will be limited to updates or feedback in the form of reports and statistics pertinent to the training conducted.

Figure 5. Architecture for MAST deployment and installation.
2. Local Distribution and Installation
Once the local (SE) server receives the software from the remote location, it can distribute the client software to all hosts on the training network. The client software and training modules are less than 400KB in size. The SE server can easily deploy this software during any of the standard updates that occur with HBSS, Microsoft software, or any other DoD authorized updates.
Installation of the software on local hosts is as simple as placing a file on the desktop. MAST client software is designed to run, or execute, only when the respective host is participating in training. The software is resident on all hosts, but takes up very little space and zero system resources when not in use. The following section discusses the impact on system resources when a scenario is executed and the software is utilized.
B. SCENARIO EXECUTION
The overall goal of this experiment was to determine how MAST uses and impacts system and network resources. Through a standardized set of input and procedures, we wish to show that MAST performs as expected when utilized in an environment simulating an operational network that consists of multiple clients in a remote location.
1. System Resources
For this objective, our goal was to monitor and report the processing resources utilized by the SE server. It was critical that we understood how much of the server's central processing unit (CPU) was used to serve as few as five clients and as many as 80 clients. These observations would help us estimate and plan for testing and evaluating on a non-virtual operational network consisting of hundreds of clients.
more VMs would have been counter-productive to the experiment due to the workload on the physical server's CPU.
Figure 6. Virtual test bed configuration
In order to create 75 COMPOSE workstations, we created a template from the CG71 COMPOSE workstation VM. That template was then deployed 75 times to create 75 individual machines. Once all 75 were created and deployed, we manually updated the Internet Protocol (IP) address and computer name for each workstation. This ensured there were no conflicts on the network and ease of registration with the network's domain controllers. Connectivity among all the systems was confirmed with ping requests to neighboring systems and systems located on other sub-networks.
The final step in completing the experiment setup was to test the pre-installed scenarios' functionality and correctness. A training scenario is executed by starting the SE server first, followed by all of the clients participating in the training. This order is critical as the server must be operational in order for the clients to check in. Once all the clients participating in the training are logged onto the SE server, a training scenario is selected from the SE server menu. The scenario continues until the stop, halt, or quit command is issued.
Figure 7. MAST Scenario selection window
4. Experiment Methodology
In order to determine MAST's scalability characteristics, we conducted five different experiments using the same scenario for each evolution. Figure 8 shows how we divided the MAST clients.
Figure 8. Breakdown of MAST clients for experimentation
Each experiment followed the procedures shown in Figure 9. The only difference between each experiment was the number of clients involved in the training.
Figure 9. Experiment procedure
For CPU utilization analysis, we used the performance tab offered by the vSphere Client window. Additionally, this same tab was used to gather data on the network resources used during training. A final tool used for analysis was Wireshark. Wireshark captured all traffic traversing the network during all experiments. We then applied a filter to each capture to isolate and view only the traffic to and from the SE server.
The final analysis used all the above resources to compare the amount of network traffic generated by each experiment along with the SE server's CPU utilization for each experiment.
5. Results
Overall, the experiment verified system performance with respect to scalability. An increase in the number of clients tested did not result in a similar proportional increase in utilization of processing resources. Additionally, an increase in the number of clients and network traffic generated to control those clients resulted in very minimal use of network resources.
a. System Resources
The performance of the computer hosting MAST showed limited impact as the number of clients involved in the experiment grew exponentially.
Figure 10 graphs the CPU utilization for each experiment when a scenario was executed. Specifically, the rectangles labeled with numbers show the percentage of the CPU's resources used during that respective experiment. Experiment five, for example, which connected to 80 clients simultaneously, utilized just over 15% of the system's CPU resources.
There were some spikes and lulls depicted in the graph that are not associated with the experiment (3:30 to 3:40 PM). Analysis of the network traffic during these periods shows administrative communication between the virtual machine and the vSphere client.
Figure 10. Percentage of CPU resources used for experiments
As Figure 11 depicts, an exponential increase in clients does not exponentially increase the amount of resources needed to conduct training. MAST's performance demonstrates the minimal impact on CPU resources and the capability to serve more clients with ease.
Figure 11. Percentage of CPU used compared to number of clients.
b. Network Resources
The utilization of network resources during the execution of all scenarios was extremely minimal. Figure 12 details the statistics of the network traffic generated during all five experiments.
Figure 12. Characteristics of network during experiments
The exponential increase among these characteristics during all experiments was expected. Unlike the use of CPU resources, there is a direct correlation between the number of clients and the amount of traffic generated. An exponential increase in clients means a mirrored increase in network traffic to control those clients.
Despite this increase in network traffic, the percentage of network resources used to support the training was very minimal. The experimental network was configured to support a Gbit/sec throughput between all systems.
Figure 13 provides a summary of the network statistics captured by Wireshark for all experiments. The "captured" column details all packets captured during the experiment while the "displayed" column shows the details of network traffic directly associated with the SE server and our experiments.
Figure 13. Network traffic statistics captured by Wireshark
Figure 14 details the percentage of network resources used during each experiment. The amount of traffic generated for all experiments was so low that it was not reported by the vSphere client. We used our Wireshark captures to determine the amount and size of packets generated during all experiments.
Figure 14. Percentage of network resources used
As the analysis of the network traffic has shown, an exponential increase does not significantly impact the resources available. A correlation between the two does not exist. The demonstration of the MAST design and implementation and the scenarios utilized asserts its ability to have very minimal impact on a network.
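The capture analysis described in the methodology and network-resources passages above, as an added Python example that is not part of the thesis or of MAST: it keeps only packets to or from the SE server (the same effect as a Wireshark address filter), reports the "captured" and "displayed" counts, expresses the displayed bytes as a share of a 1 Gbit/s link, and computes how resource use grew relative to client count. The server address, packet records and usage figures are constructed placeholders, not data from the experiments.

```python
from dataclasses import dataclass

LINK_BPS = 1_000_000_000  # the experimental network: 1 Gbit/s between all systems


@dataclass(frozen=True)
class Packet:
    """One captured frame: time offset in seconds, endpoints, bytes on the wire."""
    ts: float
    src: str
    dst: str
    length: int


def se_server_filter(packets, server_ip):
    """Keep only packets to or from the SE server, the same selection a
    Wireshark display filter on the server's address makes on each capture."""
    return [p for p in packets if server_ip in (p.src, p.dst)]


def capture_summary(packets, server_ip, link_bps=LINK_BPS):
    """Reproduce the 'captured' vs 'displayed' view and the link share.
    Utilization is displayed bytes spread over the whole capture duration, as a
    percentage of the link bit rate (0.0 for an empty or instantaneous capture)."""
    displayed = se_server_filter(packets, server_ip)
    duration = (max(p.ts for p in packets) - min(p.ts for p in packets)) if packets else 0.0
    displayed_bytes = sum(p.length for p in displayed)
    util_pct = (displayed_bytes * 8 / duration) / link_bps * 100 if duration > 0 else 0.0
    return {
        "captured": len(packets),
        "displayed": len(displayed),
        "displayed_bytes": displayed_bytes,
        "utilization_pct": util_pct,
    }


def scaling_ratio(clients_a, usage_a, clients_b, usage_b):
    """Growth in resource use divided by growth in client count.
    1.0 means proportional scaling; below 1.0 means the resource grew more
    slowly than the client count (the sub-proportional CPU result reported above)."""
    return (usage_b / usage_a) / (clients_b / clients_a)


# Constructed sample capture (placeholder TEST-NET addresses, not thesis data).
SE_SERVER = "192.0.2.10"
SAMPLE_PACKETS = [
    Packet(0.0, "192.0.2.21", SE_SERVER, 100),     # client check-in
    Packet(0.5, SE_SERVER, "192.0.2.21", 200),     # server reply
    Packet(1.0, "192.0.2.21", "192.0.2.22", 1500), # client-to-client, filtered out
    Packet(2.0, SE_SERVER, "192.0.2.22", 300),     # scenario command to a client
]

if __name__ == "__main__":
    print(capture_summary(SAMPLE_PACKETS, SE_SERVER))
    # Constructed CPU figures: 5 clients at 3% versus 80 clients at 15%.
    print(scaling_ratio(5, 3.0, 80, 15.0))
```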
C. TRAINING FEEDBACK AND DISTRIBUTION
The final scalability factor that we analyzed was the distribution of feedback and results to the SE server and the SG server. As stated in the previous chapter, one of MAST's key functionalities is its reporting capability.
V. CONCLUSIONS AND FUTURE WORK
A. CONCLUSIONS
In this thesis, we showed that MAST's use of system and network resources is minimal and the ability to scale up to train more clients will not impact other users and processes not participating in the training. We also discussed and analyzed the method in which MAST would be installed on a network and the process and procedures for providing reports on all events and actions.
In Chapter III, we outlined our assumptions about training objectives and the training environment in which MAST would be implemented. We discussed the shortfalls with current network security and IA training methods and the benefits of implementing MAST to address those shortfalls. We detailed MAST's architecture and functionality along with an example training scenario using MAST. We described and defined the hardware and software configurations used to test MAST's scalability properties.
In Chapter IV, we discussed three factors of MAST that are critical to scalability. First, we discussed how MAST would be installed on a new network and the impact of that installation from a remote location. We followed that analysis with a set of experiments of MAST on a simulated shipboard network. The results showed that an exponential increase in host systems being trained did not result in an exponential increase in utilization of processing resources. Additionally, we showed that the network traffic generated to control all the clients being trained was minimal in size and barely noticeable when monitoring all network traffic. We concluded the chapter with a demonstration of MAST's reporting capabilities.
We demonstrated that MAST can scale up to train more clients while minimizing the use of system and network resources. Additionally, we demonstrated that MAST can be effectively and efficiently installed on a new network and provide reports and feedback as needed to meet projected training goals and objectives.
B. FUTURE WORK
1. Continued Development of Module Library
A critical component of MAST is the modules used to create scenarios. Currently, there are a limited number of modules that can be used for creating scenarios. As discussed in Chapter II, modules are the actions or behaviors we program that simulate a real world threat. Varying types of modules are needed to ensure the training provided is realistic and relevant. As malware is created or evolves, it is important to develop modules that simulate its behavior to ensure new and updated scenarios can be created and used. Such development may be appropriate for small student projects in a network security course. A methodology for developing the modules could also be exported to other organizations, such as red team units. This methodology could also be used to capture lessons learned at Cyber Defense Exercises (CDX).
2. Graphical User Interface
As the reporting functionality of MAST improves, it is important to maximize this value by providing a graphical user interface (GUI) that is informative and user friendly. Currently, the GUI for interaction, feedback, and results is limited. Areas that will benefit from the implementation of a GUI include the scenario generation function and the reporting function.
As the module library becomes more populated, the trainer will have the ability to create more scenarios that are unique or robust. The manner in which these scenarios are created and tested can be expedited with the use of a GUI. Additionally, the reporting functionality of MAST is critical to the feedback required for any training evolution. A report GUI would allow for immediate feedback, which in turn can help prioritize and utilize training resources for future evolutions.
3. Test and Evaluation on Operational Network
Finally, as MAST continues to evolve, develop, and perform as expected in a simulated training environment, it is important to begin some assessments on a physical network. Currently, all assessments are performed in a virtual environment. Utilizing a physical environment will help further test and evaluate MAST's system properties and scalability characteristics. Additionally, it will allow for assessments of the module library and their performance on host systems with varying operating systems. Such assessments and demonstrations are critical to its acceptance by the operational community and its subsequent porting to the target objective: operational networks.
LIST OF REFERENCES
[1] U.S. Department of Defense. Cyber Command Fact Sheet [Online]. Available: http://www.defense.gov/home/features/2010/0410_cybersec/docs/cyberfactsheet%20updated%20replaces%20may%2021%20fact%20sheet.pdf
[2] W. R. Taff Jr. and P. M. Salevski, "Malware Mimics for Network Security Assessment," M.S. thesis, Dept. Comput. Sci., Naval Postgraduate School, Monterey, California, 2011.
[3] J. M. Neff, "Verification and Validation of the Malicious Activity Simulation Tool (MAST) for Network Administrator Training and Evaluation," M.S. thesis, Dept. Comput. Sci., Naval Postgraduate School, Monterey, California, 2012.
[4] G. Derene, "Inside NSA Red Team Secret Ops With Government's Top Hackers," Popular Mechanics, 30-Jun-2008. [Online]. Available: http://www.popularmechanics.com/technology/how-to/computer-security/4270420. [Accessed: 02-Apr-2012].
[5] J. F. Sandoz, Red Teaming: A Means to Mili