Hit 'em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness
  Adam Doupé, Manuel Egele, Benjamin Caillat,
   Gianluca Stringhini, Gorkem Yakin, Ali Zand,
     Ludovico Cavedon, and Giovanni Vigna

      University of California, Santa Barbara

             ACSAC 2011 – 7/12/11
What Are Live Security Competitions?
• AKA Hacking Competitions
• Useful educational tool for teaching computer security
• Born as a way to showcase security skills
  – DefCon's CTF
• Various forms
  – Challenge set (DefCon quals, iCTF challenges, CMU's competition, DIMVA competition, RuCTF)
  – Capture the flag (DefCon, iCTF 2003-2007, CIPHER)
  – Other designs
     • Attack-only (e.g., iCTF 2008)
     • Defense-only (e.g., Cyber Defense eXercise)
Why Live Security Competitions?
• Real-time factor enhances understanding
• Forces teams to:
  – Analyze unknown services/binaries
  – Defend systems from attack
  – Utilize different security skills
  – Work as a team
  – Create novel tools


                    Doupé - 7/12/11
Key Insight
• Security competitions can be designed to
  generate datasets for research
• In the 2010 international Capture The Flag
  (iCTF), we structured the competition to
  create a Cyber Situational Awareness
  dataset



Situational Awareness
• By putting perceived events into the context
  of the currently executing mission, one can
  improve decision making
• Mission
  – Series of tasks that an organization wishes to
    carry out
• Task
  – Discrete step that is carried out using a service
• Service
  – Provided to users to accomplish a task
Cyber Situational Awareness
• Situational awareness extended to the
  cyber domain
• Large organizations constantly under
  attack
  – Which attacks are important?
  – Which assets are important?
• “What if” scenarios


Overview
•   Live Security Competitions
•   Situational Awareness
•   Design of the 2010 iCTF
•   Cyber Situational Awareness Metrics
•   Lessons Learned
•   Conclusion



The 2010 iCTF: A Cyber SA Competition
• Introduced the concept of cyber-mission
• “Not all attacks are created equal”
• Participants must be aware of cyber-missions and cyber-assets
• Attackers must time their attacks to cause
  the maximum amount of damage
The Setting
• Teams are part of a coalition to bring down the
  rogue nation of Litya
• LityaLeaks site used to leak descriptions of Litya's cyber-missions
• Litya's network protected by a firewall and an IDS
   – If an attack is detected, the nation's access is shut off
   – Nations can bribe the network administrator
• Litya has a botnet in each nation, stealing their money
   – If the botnet is disabled, the nation's access is shut off
• Money made by solving side challenges.
CARGODSTR-TQ-1442
COMSAT-WK-1127
SEDAFER-GOT-BKT-8217
DRIVEBY-DEPLOY-QFK-9751
Petri-net Representation of Mission

[Figure: Petri net of one cyber-mission. Place labels in the figure: Start, Blackhat SEO, Search Engine Result Analysis, Establish Drive-by, Deliver Attack, Detect Clean-up, Attack Failed, Failure Analysis, Reeval, End. Transitions T1 to T13 connect the places; the arcs are not recoverable from the extracted text.]
[Figure, built up over several slides: the competition network. Labels in the figure: Service 1, Service 2, … Service 10; The Bank; ScoreBot; Botnet C&C; Internal Network; VPN server; Firewall/IDS; Briber; Flag Submission; LityaLeaks; Challenges; ScoreBoard. The connections between these components are not recoverable from the extracted text.]
Competition Overview
•   December 3rd, 2010, ~8 hours
•   72 teams
•   ~900 participants (largest at the time)
•   7 of 10 services compromised
•   39 teams submitted 872 flags
•   69 of 72 teams solved at least 1 challenge
•   37 GB of traffic

Analysis of iCTF Data
• Use the data to validate models and
  theories
• We introduce two Situational Awareness
  metrics:
  – Toxicity
     • Capture the amount of damage an attacker has
       caused
  – Effectiveness
     • Capture how effective the attacker was at causing
       damage

Analysis – CAD - Criticality
• C(s, t): service criticality [0,1]
   – Expresses the criticality of service s at time t
   – Function can have any shape
      • iCTF: 1 when service active, 0 otherwise




                  Service: MostWanted
Analysis – CAD - Attacker
• A(a, s, t): attacker activity [0, 1]
   – Represents the attacker's activity with respect to a service
   – Can have any shape
      • iCTF: 1 when team attacked a service, 0 if no attack




                   Team: PPP Service: MostWanted
Analysis – CAD - Damage
• D(s, t): Damage to the attacker [0, 1]
  – Represents the penalty for performing an
    attack against service s at time t
  – Can have any shape
     • iCTF: 1 when service is inactive, 0 when active




                         Service: MostWanted
Analysis – Toxicity

$$\mathrm{Toxicity}(a, s, t_1, t_2) = \int_{t_1}^{t_2} A(a, s, t) \times \bigl(C(s, t) - D(s, t)\bigr)\, dt$$

$$\mathrm{OptimalAttacker}(s, t) = \begin{cases} 1 & \text{if } C(s, t) - D(s, t) > 0 \\ 0 & \text{otherwise} \end{cases}$$
Analysis – Effectiveness

$$\mathrm{MaxToxicity}(s, t_1, t_2) = \int_{t_1}^{t_2} \mathrm{OptimalAttacker}(s, t) \times \bigl(C(s, t) - D(s, t)\bigr)\, dt$$

$$\mathrm{Effectiveness}(a, s, t_1, t_2) = \frac{\mathrm{Toxicity}(a, s, t_1, t_2)}{\mathrm{MaxToxicity}(s, t_1, t_2)}$$
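As an added worked example (not the authors' code or the iCTF 2010 dataset), the two metrics computed over a constructed 12-tick window using the iCTF instantiation of C, A and D, with the integrals replaced by sums over ticks; the service schedule, the two attacker names and their attack schedules are assumptions. It shows why "not all attacks are created equal": a team that attacks constantly ends up with negative effectiveness, while the optimal attacker's activity coincides exactly with the service's active periods.

```python
"""Toxicity and Effectiveness on constructed sample data.

Added example (not the authors' code or the iCTF 2010 dataset). It uses the
iCTF instantiation of the three functions from the slides:
  C(s, t)    = 1 while the service is active (used by a mission), else 0
  D(s, t)    = 1 while the service is inactive, else 0
  A(a, s, t) = 1 in every tick in which attacker a attacks service s
and replaces the integrals over [t1, t2] with sums over discrete ticks.
"""
from typing import Iterable, Sequence

Series = list[float]


def criticality(active: Sequence[bool]) -> Series:
    """C(s, t) for the iCTF: 1 when the service is active, 0 otherwise."""
    return [1.0 if a else 0.0 for a in active]


def damage(active: Sequence[bool]) -> Series:
    """D(s, t) for the iCTF: 1 when the service is inactive, 0 when active."""
    return [0.0 if a else 1.0 for a in active]


def activity(attack_ticks: Iterable[int], length: int) -> Series:
    """A(a, s, t): 1 in the ticks in which the attacker hit the service."""
    ticks = set(attack_ticks)
    return [1.0 if t in ticks else 0.0 for t in range(length)]


def toxicity(A: Series, C: Series, D: Series, t1: int, t2: int) -> float:
    """Discrete Toxicity(a, s, t1, t2): sum of A(t) * (C(t) - D(t)) over [t1, t2)."""
    return sum(A[t] * (C[t] - D[t]) for t in range(t1, t2))


def optimal_attacker(C: Series, D: Series) -> Series:
    """OptimalAttacker(s, t): attack exactly in the ticks where C - D > 0."""
    return [1.0 if c - d > 0 else 0.0 for c, d in zip(C, D)]


def max_toxicity(C: Series, D: Series, t1: int, t2: int) -> float:
    """MaxToxicity(s, t1, t2): the toxicity the optimal attacker would reach."""
    return toxicity(optimal_attacker(C, D), C, D, t1, t2)


def effectiveness(A: Series, C: Series, D: Series, t1: int, t2: int) -> float:
    """Effectiveness = Toxicity / MaxToxicity; 0 when attacking never pays."""
    mx = max_toxicity(C, D, t1, t2)
    return toxicity(A, C, D, t1, t2) / mx if mx else 0.0


# Constructed sample: a 12-tick window in which the service is active
# (part of a running mission) only during ticks 3..7.
ACTIVE = [False] * 3 + [True] * 5 + [False] * 4
C = criticality(ACTIVE)
D = damage(ACTIVE)
WINDOW = (0, len(ACTIVE))

# Two constructed attackers (hypothetical teams) against the same service:
#  - SNIPER waits for the mission and attacks in ticks 2..5 (one tick early)
#  - SPRAYER attacks in every tick, ignoring the mission
SNIPER = activity(range(2, 6), len(ACTIVE))
SPRAYER = activity(range(len(ACTIVE)), len(ACTIVE))


def report(A: Series) -> dict[str, float]:
    """Return both metrics for one attacker over the sample window."""
    t1, t2 = WINDOW
    return {
        "toxicity": toxicity(A, C, D, t1, t2),
        "max_toxicity": max_toxicity(C, D, t1, t2),
        "effectiveness": effectiveness(A, C, D, t1, t2),
    }


if __name__ == "__main__":
    # SNIPER: 3 ticks on the active service, 1 penalised tick -> toxicity 2.0,
    #         max toxicity 5.0, effectiveness 0.4
    # SPRAYER: 5 paying ticks, 7 penalised -> toxicity -2.0, effectiveness -0.4
    for name, A in (("SNIPER", SNIPER), ("SPRAYER", SPRAYER)):
        print(name, report(A))
```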
Analysis – Toxicity of PPP




     Team: PPP Service: OvertCovert
Analysis – Toxicity and Effectiveness
Overview
•   Live Security Competitions
•   Situational Awareness
•   Design of the 2010 iCTF
•   Cyber Situational Awareness Metrics
•   Lessons Learned
•   Conclusion



Lessons Learned
• The Good
  – Pre-competition information prepared the teams who took advantage of it
  – Winning team automatically qualified for DefCon
• The Bad
  – Structure of the competition was complex and was understood by only a subset of the teams
  – Services too hard
• The Ugly
  – Intentionally put a root backdoor into the bot
  – Losing points sucks

Conclusions
• Live security exercises great for learning
  and security education
• They can be designed to create a
  research dataset
• Designed the 2010 iCTF to produce the first publicly available dataset on CSA
• Presented SA metrics: toxicity and
  effectiveness
Questions?



Data: http://ictf.cs.ucsb.edu/data/ictf2010/




Email:   adoupe@cs.ucsb.edu
Twitter: @adamdoupe

Service Exploitation
