
Cyber Ranges

A design and implementation of a Virtual Honeypot

HARIS SALAM

Master’s Degree Project

Stockholm, Sweden November 11, 2013

XR-EE-LCN 2013:010


ABSTRACT

Traditionally, security has been concerned with devices such as firewalls, secured servers, computer networks, hosts and routers. But with rapid technological advancements, security for the virtual world also needed improvement. As they say, need is the mother of all inventions; such a need led to the creation of honeypots. Today, honeypots are gaining attention and the usage of these systems is increasing.

Honeypots are, essentially, traps set to detect, deflect, or in some manner counteract attempts to access and use information systems. They mostly consist of a network device that appears to be part of the network but is actually separated and continuously monitored by security researchers to review the activity.

This thesis covers the commercial design, implementation and future directions of these systems. An introduction to the topic is given, explaining basic security concepts and the vulnerabilities and flaws that lead to attacks.

We set up a set of vulnerable environments and virtual routers where learners can practice offensive and defensive security techniques for cyber warfare. A simulation was created in which several machines and routers were connected together. Each router is deliberately set up so that it has (security) vulnerabilities.

Practitioners will be required to penetrate those routers and systems. These ranges are specifically designed for the defense sector and cater to internet and network security.


ACKNOWLEDGEMENTS

This research work was carried out at TRANCHULAS Pvt Ltd Labs. I would like to express my gratitude to the following people for supporting this work with criticism, encouragement and helpful assistance. First of all, all my gratitude goes to Mr. Zubair Khan for interesting discussions and exchange of ideas.

I would like to thank my co-advisor Mr. Talib Osmani for giving me an opportunity to explore vulnerabilities and malware. I am grateful for his valuable advice, peer review and critical feedback that helped me stay focused on the important parts. I want to thank my parents; without their support I wouldn’t have been able to write this thesis.

I am also very grateful to my examiner Mr. Panagiotis Papadimitratos for his support, smart advice and comments on my work. I had tremendous growth in my knowledge of network security after working on this thesis. I believe that in the future the only security which will be required will be that of networks.


CONTENTS

1 Introduction

1.1 Problem Definition

1.2 Purpose

1.3 Scope

2 Related Work

2.1 Low Interaction Honeypot

2.2 High Interaction Honeypots

2.3 Hybrid Honeypots

3 Design and Simulation

3.1 Methodology

3.2 Honeypot Architecture

4 Using Cyber Ranges

4.1 Overall Description

4.2 Product Perspective

4.3 User Characteristics and Constraints

4.4 Functional Requirements

4.5 Patched Servers

4.6 Data Repository

4.7 Highly Critical Use Cases

4.7.1 Use Case UC03: Attack Machine

4.7.2 Use Case UC06: Access ScoreBoard

4.7.3 Use Case UC09: Test Pattern

4.7.4 Use Case UC11: Identify New Pattern

4.7.5 Use Case UC13: Identify Best Hacker

4.8 Conclusion

Bibliography


LIST OF FIGURES

3.1 VMware Architecture [20]

3.2 Networking Architecture [12]

3.3 Basic Cisco Router on a Virtual Machine

3.4 A Bridge Network [12]


1 INTRODUCTION

Basic security concepts helpful in grasping the approach are listed:

• Vulnerability: a functionality or component which leaves the system exposed to exploitation.

• Threat: a possible cause of a breach of security.

• Attack: the intended, actual violation or act of misbehaviour.

• Confidentiality: limits access to content and data.

• Integrity: ensures that unauthorized alteration of the data is prevented (alteration is allowed only to authorized entities).

• Freshness: ensures that data is in its original form and has not been seen previously.

• Authentication: corroborates the identity of an entity and the address of an access point to the network.

• Availability: ensures that the system remains operational, e.g., that network services are available to authorized end-users.

To carry out a cyber-attack, access to the target network or a network component is gained first. Local area networks (LANs) that are Ethernet based broadcast every packet; this is helpful for a cyber-attacker trying to perform a passive or an active attack within the LAN. An attacker could corrupt the contents of the forwarding tables at either bridges or routers. This way, packets can be forwarded to parts of the network that are inappropriate. Routers also have forwarding tables that are equally vulnerable to cyber-attacks [18]. Routers tend to be configured differently from switches and bridges: routers share the information they carry with neighbouring routers, hence a breach of one router’s table affects the neighbouring routers. Dial-in access is another facility that tends to give the attacker an opportunity to attack. There are also some places on a LAN that are vulnerable, e.g. connections to internal data and voice communication services. In this work, I am concerned with wire-line networks and their security, not self-organizing, infrastructure-less networks [17][16].


As technology has been revolutionized on a large scale over the last few decades, the larger the internet becomes the harder it becomes to protect. The idea of this work came from the basic concept of warriors. Warriors guard their borders from foreign attacks; similarly, cyber warriors guard the network from attackers. Cyber Ranges are the test beds for cyber games and simulations that further enhance cyber security.

For my thesis, I used Cyber Ranges and created different platforms for different skill sets, so that my set-up caters to all users according to their interests and fields of expertise. This thesis covers a comprehensive study of how to build an enterprise-level gigabit Ethernet network as it is deployed in an enterprise. A thorough study is then conducted on transforming a real network into a virtually simulated honeypot. This honeypot is then placed in front of the enterprise firewall or TMG (Threat Management Gateway), with the company’s public IP address.

A recent boom has been seen in the past few years in securing enterprise-level networks from the outside network. The good news is that a tremendous amount of research is currently being carried out on it. This thesis focuses on providing a proof of concept for the implementation of a virtual honeypot.

1.1 Problem Definition

Security has always been a major concern for large, medium and small scale corporate organizations. Network insecurity started a long time ago, when telephone conversations were tapped. With developments in the means of communication, the concepts and ways of network insecurity also evolved.

The main purpose of network security is the prevention of data loss and misuse. If security is not implemented efficiently, it can lead to breaches of confidentiality, data destruction and data manipulation.

Today’s world increasingly relies on networks, with internet use and complexity growing day by day. This results in a sharp rise in security problems.

New threats and vulnerabilities are found every day. During the first half of 2008, 3,534 vulnerabilities were disclosed by vendors, researchers and independents, and from 8% to 16% of these vulnerabilities were exploited when they were released [7].

To mitigate network threats and cyber-attacks, network operators and network security professionals have designed and developed many solutions.

Monitoring allows professionals to understand different threats. As described earlier, one goal of this thesis is to monitor threats and to reduce damage; this leads us to the design and implementation of a monitoring framework that can be integrated with an enterprise-level network.


Malicious activity on the network can be characterized by different approaches, e.g., monitoring production networks, that is, hosts or devices actually in use, or tracking unused IP address space. In the first approach, traffic is filtered out, while the second approach assumes that the traffic received by the unused IP address space generally falls into three categories: malicious activity, misconfiguration and backscatter from spoofed addresses [8].

The tools used to monitor production networks are intrusion detection systems or network traffic sniffers, such as TcpDump or NetFlow. Network sensors are used for monitoring the unused IP address space. There are two kinds of sensors: (i) passive sensors, which collect the data without any interaction with the source, and (ii) active sensors, which interact with the source and thereby collect additional data about it. The active approach to collecting data from unused IP address space is what is really needed and will be used here.

For honeypots to be deployed, their location, architecture and network configuration have to be considered. The data received by the honeypots depends on these three factors.

The location of the honeypot is the sub-network IP address used by the honeypot to receive and send traffic. Currently, there are more than 4.4 billion unique IP addresses. Denial of service attacks target specific locations. Honeypots should ideally be placed in front of the firewall, in the demilitarized zone, or behind the firewall. The location of the honeypot is a prime factor in its successful deployment.

One method for finding good locations for a given number of honeypots identifies as good positions those locations which take the minimum time to detect viruses.

Besides the location, the size of the honeypot is also an important factor in controlling attacks. When it comes to size, there is a classification of honeypots based on their size.

Interaction defines the level of activity a hacker will be allowed. Low interaction honeypots give hackers limited access, usually by emulating services and operating systems. High interaction honeypots tend to be more complex structures because they include real operating systems and applications. In high interaction honeypots, all the systems are real, i.e., there are no simulations.

A high interaction honeypot is a general network resource, for example a computer or router, with no users and no tasks allocated. This kind of honeypot is hard to differentiate from a production machine. The best example to explain high interaction honeypots is the Honeynet [4]. Honeynets are not software or a system; rather, a honeynet is an architecture which is ready to be attacked, in which all the activities are controlled and observed. In other words, honeynets act as fishing nets for the hackers. Attackers find and break into the honeypots without realizing that they are within a honeypot. All the actions of the hackers are captured, by inserting kernel modules; these modules are embedded in the victim machine and capture the actions of the attacker.

A low interaction honeypot has limited interaction with the attacker, emulating a set of services [6]. This type of honeypot captures information about the initial steps of an attack. Information about the further evolution of the attack is hard to capture and infer, as the level of interaction is low. Honeyd [1] is an example of a low interaction honeypot. It runs on UNIX and monitors the unused IP space. Whenever there is an attempt to create a connection to the unused IP space, Honeyd intercepts it and takes the role of the victim. The configuration of the honeypot determines the set of services offered to the attackers and hence the behavior of the honeypot.

Services include open ports and the software listening for network connections on the honeypot. Services can be virtual or real, for example a vulnerability used to perform research on some specific type of attack. For a large enterprise, there are many configurations available.

1.2 Purpose

As the world becomes a global village, cyber-crime has become a common practice, with criminal exploitation of data throughout the internet, desktops and data centers. At a national level, such crimes tend to jeopardize the national security and financial health of a country. Developed countries have also fallen prey to cybercrime, hence no nation is safe. Cyber terrorism has exploited many organizations. Many websites holding tremendous amounts of hidden data have been exposed by hackers. Big names like Google, Sony, Lockheed Martin, Scotland Yard, NAB, the Pentagon, etc. have been hacked despite having strong security [8]. This practice is not only for individual benefit; even nations penetrate the cyberspace of other nations for cyber espionage. Cyber warfare has become such a universal practice that it is considered the “Fifth Domain of Warfare” [8]. Hence, to secure the cyber margins, one really needs to work on protecting the cyberspace of one’s respective country.

Throughout the world hackers are penetrating systems and extracting all the information they need. To shield against these attacks, one should be prepared to examine these alarming activities. A framework which enhances one’s skills and assesses one’s strength in the field of cyber warfare should be created. This will give users a healthy environment in which to enhance their capabilities for the defense of cyberspace.


1.3 Scope

It is difficult to measure the value of security consultants and employees. With a good scoring system, Cyber Ranges can be used to accurately measure hackers’ skills. The main purpose of this project is to spread security techniques, measure security level and strengthen technical and management skills. It is a good way to convince hackers to demonstrate their skills in public. A set of vulnerable machines should be created where target organizations can practice offensive and defensive security techniques for cyber warfare. This product could act as a modern cyber range to make IT armed forces proficient in the field of cyber warfare. The cyber range will cater for both hackers and anti-hackers. It could prove to be a testing ground and a functional honeypot where several machines are connected together. Each machine will have applications or routers with security vulnerabilities in it. Users will be required to penetrate those applications and systems.

This product is specifically for the defense sector and provides benefits such as spreading security techniques, measuring security skills, strengthening technical and management skills, learning more from the competition than from testing, and team coordination.

The users performing the penetration testing will have to use particular types of exploits. An exploit is a chunk of data or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur in computer software, hardware, or other electronic equipment. I will be focusing on:

• Network exploits: network hijacking from telnet to SSL and SSH, man-in-the-middle attacks, passive sniffing.

• Cisco and Juniper exploits, including ARP spoofing, HTTP authentication bypass, HTTP server denial of service, etc.

• Auxiliaries, including Metasploit framework auxiliary modules.

• BackTrack, a free security audit toolkit including hundreds of open source security tools used by both security professionals and hackers.

• SQL injection, a technique used to attack a website by passing rogue SQL statements to the database.

• FTP service intrusion.

• Web server intrusion.

• File intrusion.


The machines in the entire framework will be updated from time to time with the latest techniques. Updates will be carried out because, as a cyber-warrior for a country’s defense, one should know about all the latest trends in the cyber world: the latest threats and viruses, new buggy products, vulnerabilities, tools which can help to gain control, etc.


2 RELATED WORK

This chapter gives a detailed view of relevant systems for collecting attack data using honeypots. The first idea was presented by the project called “Darknets”, which introduced passive monitoring of unused IP address space. It was based on the network telescope [5][21], which had a loophole for denial of service attacks [14]. The network telescope was based on the concept of observing traffic sent to a communication dead end, for example an unallocated IP address space. There was another project called Blackholes, which was able to study traffic from 16.8 million IP addresses to observe global trends in worm activity [15].

2.1 Low Interaction Honeypot

Project “Darknets” had the capability of monitoring networks at all scales, but only to a limited extent due to the lack of active responders [14]. Two research projects, “The Internet Motion Sensor” and “iSink” [11], implemented active responders for Darknets. These projects provided an important attribute by collecting traffic from the unused IP addresses to understand the differences in the traffic collected. This was the phase of transition from passive Darknets to active honeypots [7].

A widely used low interaction honeypot in the commercial sector is Honeyd [24]. It can create virtual network hosts using unassigned IP addresses. Every host can run a certain configuration and a specific operating system. This flexibility is what makes Honeyd a low interaction honeypot, as it emulates these services.

Another low interaction honeypot is Nepenthes [6]. It was designed to automatically capture malware as it flows from one host to another. It has a highly vulnerable framework that provides the mechanism to capture the malware infection.


2.2 High Interaction Honeypots

The Honeynet Project [6] was another related project; it was a high interaction honeypot. It has different tools to help professionals deploy their honeynet and analyze suspicious traffic. A tool called Honeywall [4] was specially designed to administer high interaction honeypots. A web interface is provided to monitor the victimized system, along with a mechanism to control any outgoing connections from compromised honeypots.

The most efficient and economical solution for hosting a honeypot is to use an entirely virtual environment. Compared to a real system, a virtual environment can be monitored easily, and can be saved and reset after a compromise.

Solutions for this kind of virtual environment have been provided by VMware, VirtualBox, UML (User Mode Linux), Xen, and Virtual PC by Microsoft [9][3].

2.3 Hybrid Honeypots

Security professionals and researchers invented a more efficient type of honeypot which is able to collect the detailed process of attacks on large IP address spaces. These honeypots are classified in the hybrid honeypot category.

Collapsar [2] is a tool to simplify the deployment of high interaction honeypots over a large IP address space, using tunnels to route traffic from networks into a centralized pool of honeypots. A limitation of Collapsar is that the collected traffic has to be filtered in order to prevent overloading the high interaction honeypots. Recently, new research was carried out at the University of Maryland [13] to develop an advanced architecture for quantifying network threats with honeypots. The research presents an adaptive model that increases the efficiency of previous honeypots and provides scalability and flexibility through a hybrid honeypot architecture based on a decision engine. A drawback of this advanced network is that the attacks are not filtered, which prevents efficient use of resources; therefore it took several months to analyze and extract important results from the collected data [13]. A similar idea and study has been presented by the University of Valencia in their project NetinVM [7], but this research was limited to securing the application servers on the networks; network security was not a part of the research.


3 DESIGN AND SIMULATION

3.1 Methodology

The first question which arose while preparing for this thesis was how to build an environment which can be used as a honeypot and for data collection. This question led to the different methods adopted for implementing the idea. The first step was to make a virtual environment comprising routers and application-specific servers. The second challenge was to create a network from these virtual systems which can act as a real network.

The third challenge was to log every activity on the honeypot and to collect the data after the honeypot is compromised. The fourth challenge was to find and develop a set of network-, router- and application/database-specific vulnerabilities, and then how to exploit them. The last challenge was how to address the issue of scalability and how to hide the features and identity of the honeypot, since at certain stages advanced hackers are able to find out whether they are on a honeypot or a real system.

Virtual Environment Architecture

To address the first challenge, implementing a virtual environment in which the honeypot framework can be used, research on virtualization proved very helpful. Virtualization is an abstraction layer that separates the physical hardware from the OS (operating system) to provide increased IT resource utilization, flexibility and scalability. It allows multiple machines with heterogeneous operating systems and applications to run side by side on the same physical hardware [19].

Many features had to be compared to choose an architecture for virtualization. VMware has a remarkable reputation in this field. On the other hand, there is a big name in level-1 (bare metal) hypervisors called Xen, which gives direct access to computational resources such as processor cores, memory and GPU via the hypervisor.

VMware developed proprietary device drivers to support a variety of networks. VMware virtualization uses binary translation, i.e. each OS request to the processor is intercepted and translated into virtualization instructions. For example, if an OS requests a halt of the processor, it will ensure that the specific VM is halted instead of halting the whole system [23]. See Figure 3.1 for the architecture [7].

VMware ESX Server runs the virtualization layer on the physical machines, which then abstracts the resources. A guest OS can use multiple processors simultaneously using SMP (symmetric multiprocessing, a multiprocessor computer architecture where two or more processors are connected to a single shared main memory and controlled by a single OS instance). The Virtual Infrastructure Client allows administrators and users to connect remotely, while the Distributed Resource Scheduler (DRS) intelligently allocates and balances computing power across the hardware resources for the VMs.

Figure 3.1: VMware Architecture [20]

Nowadays, most IT departments’ infrastructures are built on VMware ESX, with virtual data centers using industry-standard technology and hardware, so this also helps hide the honeypot from an attacker trying to distinguish it from the production environment.

Regarding the networking of the guest OS, VMware provides multiple gigabit Ethernet network interface cards, which can be assigned to virtual routers. When the routers are set up in the virtual environment, multiple Ethernet cards can be added so that they are functional and running.

Networking architecture

VMware is the only solution that provides such a rich set of virtual networking elements. Looking at the bigger picture, this whole virtual networking architecture appears to be a part of the physical network architecture. Figure 3.2 shows the basic network architecture of VMware [7].

Figure 3.2: Networking Architecture [12]

Figure 3.2 shows the basic architecture of the network inside and outside the virtual environment. The networking terms used in the virtual environment are: VIFs (virtual interfaces), VSwitches (virtual switches) and PIFs (physical interfaces).

In the same way as physical NICs (network interface cards) have a MAC address, a MAC address is also assigned to each VIF. The OS and applications talk to the VIFs as they would talk to physical NICs. VSwitches behave like layer-2 physical switches. Each server has its own VSwitches. Two physical NICs can be bonded together for a guest OS to use for better throughput; in that case the bond has a unique MAC address, distinct from the MAC addresses of the physical NICs.

Virtualization of network, storage and server platforms has been maturing over time, and virtual network devices are nowadays commonly deployed [10]. VMware provides a rich set of networking capabilities that integrate with enterprise networks. All the networking capabilities of VMware are provided by VMware ESX Server, and VMware VirtualCenter is used for monitoring them.

This allows us to integrate the virtual and physical machines in a consistent manner. The virtual switch is the main networking component in the VMware architecture; up to 248 simultaneous virtual switches are allowed on each ESX server [19]. It provides the core layer-2 forwarding engine, with a MAC address table and a port forwarding table. Whenever a frame arrives, it looks up the MAC table and forwards the frame to one or more ports for transmission, avoiding unnecessary deliveries.

A further explanation of the networking architecture is given in Figure 3.3 [23]. VMware provides five different virtual networking configurations for Windows or Linux hosted operating systems:


• Shared Folder for accessing any data.

• NAT (Network address translation) with LAN Switching.

• Bridged mode, with no internal LAN switching.

• Host only solution, a router with LAN switching.

• Internal Network, with VSwitch performing DHCP services (same as Host only with host disconnected).

A virtual Cisco router in a virtual environment is run on a Linux machine. The Cisco IOS has to be installed on the Linux machine. A standard Linux distribution (Ubuntu) was used because it supports more than one interface bridge, whereas in Windows XP, for example, only a single interface bridge can be used. Since a Cisco router has at least two interfaces, two interface bridges are needed. This is shown in figure 1-4 below (it is only one combination of the possible networks which can be defined inside the virtual environment).

The first step is to define the nodes. A virtual client (Virtual PC) can have Windows XP installed on it. The next task is to assign the network interfaces to the VM, so that the router has at least two Ethernet cards.

Figure 3.3: Basic Cisco Router on a Virtual Machine

A VSwitch should be present which is bound to the physical adapter. After this step comes the binding of VIFs to the Cisco router, which is done through the Linux Ethernet cloud settings. The Cisco router then has to be configured through the CLI, where IP addresses and routing protocols can be assigned.

The NAT configuration on VMware is the default one; it provides a NAT service, a DHCP server and upstream routing to the internet. In bridged mode the virtual machines can participate in the real physical network as peers of the host. In this project bridged mode is used for the honeypot architecture. The real network provides the DHCP service, upstream routing to the internet, NAT services, etc.

Figure 3.4: A Bridge Network [12]

3.2 Honeypot Architecture

This honeypot is based on a virtual architecture (because of low production cost and better reliability), which would classify it as a low interaction honeypot. But, on the other hand, the operating systems and the Cisco IOS use the hardware through VMware’s hardware translation (hypervisor), which makes it hybrid in nature.

The related work chapter mentions projects which are either low interaction or high interaction honeypots. None of them had a design based on the VMware architecture for use in real-world scenarios. The honeypot architecture presented in this thesis is like a real network comprising different systems, and all the activities are logged and analyzed. As the systems are not part of the production area, any activity on the honeypot is considered an attack. The honeypot architecture is flexible and can be created in any topology for existing network architectures, giving the attackers the feel of a real network. This also depends on the services that have been provided in the honeypots.

All the Cisco devices modeled here have a high level of vulnerability set by default. For example, some routers are set with default passwords, some with the web management interface enabled, etc.

Mechanism of Working

The honeypot is not a single product that can be installed; it is a whole architecture made up of multiple technologies and products. The deployment (placement) of the honeypot consists of data control, data capture and data collection.

Data control is the management or monitoring of the activities into and out of the honeypot. Data control is used to prevent attackers from attacking any other systems once they are in the honeypot. Mostly, attackers use compromised systems to discover other vulnerable systems. The honeypot environment has to be controlled so that the attacker is not given complete freedom.

There are three techniques used to control the data: connection control, intrusion prevention and bandwidth control. Connection control is used to limit the outgoing connections from the honeypot. Incoming connections to the honeypot are not controlled; the restriction on outgoing connections denies the intruder the chance to attack other systems. Bandwidth limitation is used to manage the outgoing and incoming traffic of the honeypot; for example, in a denial of service attack the attacker will not be given a chance to choke the whole system.

Data capture means logging the entire attack on the honeypot. The main purpose of this project is learning, so the captured data provides a valuable data set for analyzing the attacker’s activity. Data capture is a threefold activity, to provide redundancy. The activities used to capture the data are the firewall activity, network activity and system activity. Firewall logs represent the actively captured data, while the network logs represent the passively captured data. The firewall logs all the activities on incoming and outgoing connections and stores them in the form of a log at /var/log/messages. It provides the first indication that the system has been compromised. Network activity is logged using packet sniffers, for example TCPDump; the purpose is to capture every packet going into and out of the honeypot. System activity is logged on the honeypot itself, for which special kernel modules are installed, for example Sebek [22].


Data collection is the collection of data from the honeypots at a centralized location. It is not a requirement of the honeypot mechanism; its only purpose is to store the data captured from multiple honeypots in one central place in order to study the attacks and their implications.


4 using cyber ranges

This chapter provides an overview of using the Cyber Ranges, their architecture and functionality, followed by the set of exploits used and their description. The chapter also covers the use cases.

The main goal of this study is to develop and equip professionals with the latest cyber trends and to propose an efficient solution that overcomes the drawbacks of current honeypots. The study proposes a better way to determine and address the size and the location of the honeypots, giving better scalability and better configuration for the whole system.

Throughout the world there are many cyber attackers who keep penetrating systems and extracting the information they want. To shield against these attacks, security professionals must be competent enough to examine such alarming activities.

Audience

• People who are working as cyber warriors.

• Anyone who is concerned about cyber defense.

• Defense sectors.

Cyber Ranges has two core components:

• Score Board

• Routers and Servers (vulnerable machine as a VM).

Scoreboard (GAME): a server that keeps all the score records of the users doing this penetration testing. It keeps updating the scores of the users (hackers) who achieve the targets with suitable steps.

After a player hacks a machine, he approaches the scoreboard by adding his information. The scoreboard then looks up the pattern of attack in a table maintained in the database/log file at the back end of the scoreboard.

There are two possibilities:

If the pattern is present in the table, the scoreboard checks whether the player has completed all the steps of the attack and used accurate sources, and then raises his score.


If the pattern is not present in the table, the scoreboard directs the issue to the administrator. The administrator checks the pattern using his knowledge and information gathering. Since it is a new hacking pattern, the administrator checks its validity, upgrades the database/log file with it and also gives bonus scores to the hacker for coming up with this new idea. Careful event logging helps to measure:

• Effectiveness

• Responsiveness

Router/Server Having Vulnerable Machines: this server has different machines on which problem/vulnerable applications are activated on multiple operating systems. The users have to penetrate those applications using hacking techniques. Right now the focus is on 10 machines having:

• 8 router exploits

• 3 kernel-level exploits

• 2 service-level exploits

These services will be unpatched and will run on a non-persistent mode.

The platform of every machine will be different, which helps the user to work in every scenario. This is the minimum scope, but as Cyber Ranges is all about the latest trends and skills, new techniques will be merged in from time to time. It has to be made sure that the servers themselves are fully patched and secured, so that there is no chance to hack them.

4.1 overall description

This simulation provides a unique hands-on experience that teaches valuable lessons and concepts in computer and network security so that the skills of securing the cyber ranges will be improved and polished.

4.2 product perspective

Cyber security companies are facing losses in economic, physical and human infrastructure, which makes cyber security a national priority [22]. This challenge motivates creating our own range. This range can secure our digital data and national integrity. The service this thesis provides will help to recognize potential attacks and lets practitioners test their skills in a real-time environment.


User Interfaces

The user interface is where interaction between humans and machines occurs. In this project the user interacts with the system twice. At the start, the user enters his credentials to get registered for the simulation.

The second interaction occurs when the user interacts with the scoreboard, after the user has hacked some application running on server one. After hacking the application the user connects to server two and enters the following information: his ID, the service ID of the machine that was attacked and the IP address of that machine.

Hardware Interfaces

A hardware interface is an architecture used to interconnect two pieces of equipment. Cyber Ranges has two servers, interconnected as VMs, so that the first server can send results to the second. The first server hosts all the vulnerable machines that the users will hack. The results of a hacked machine are transferred to the scoreboard by the hacker; at this point both servers communicate. The second server hosts the scorecard application, whose job is to manage the scores of all users connected to server one; it is a standalone application that takes input from server one and ultimately returns output to server one in the form of scores. A minimum of 4 GB RAM and a 320 GB hard disk is required, plus a LAN connection on the host machine that runs the hypervisor and the VMs.

Communication Interface

Communication takes place over a LAN. Users connect to a single LAN to reach the server and access its services, and all data is exchanged between the servers on this LAN.

Memory Constraints

To run this product a minimum of 4 GB RAM and a 320 GB hard disk is required, plus a LAN connection on the host machine that runs the hypervisor and the VMs.

Operations

• User login

• Server generates an ID for the user


• User will try to hack the vulnerable machines

• User will send its information to the scoreboard

• Scoreboard will verify it

• Score board maintenance

• Hacking pattern analysis

4.3 user characteristics and constraints

User should have the following characteristics and constraints.

• For connection, one must have a LAN connected to one's computer; through that LAN one connects to the servers, and the penetration testing can start only if one is on the same LAN.

• Apart from this, user should have enough skills to hack the machines.

• User should be aware of the concept of cyber ranges.

• User cannot enter a wrong pattern more than 10 times.

• If a user hacks with a new and valid method, there will be a bonus point for him after the pattern verification.

4.4 functional requirements

Vulnerable Application

The server must have multiple operating systems running on it. On these operating systems there will be vulnerable applications; apart from that application there should be no other vulnerability in the machine (potential consideration).

Hacker ID

When a hacker enters the testing playground, the server provides him with an ID; that ID must be unique, as it represents that hacker throughout the testing time.


4.5 patched servers

Both servers will be patched: all security holes will be fixed and there will be no vulnerability in them (potential consideration). 100 % system security is difficult, but one can patch them to the maximum level.

4.6 data repository

There will be storage of data files in which one can keep the record of the hackers, the machines they are hacking, the number of attempts they have made, the patterns they have used, the vulnerability and the original exploits.

Score Board

When the hacker gains access to any machine, he approaches the scoreboard server to get his score status. The hacker has to enter his ID, the IP address of the machine he has hacked, and the exploit and its details that he used. After verification the scoreboard raises the score. If he has entered a different pattern, that pattern is checked by the administrator through research.

The score is then given upon the approval of the administrator.
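As an added example that is not the thesis' own scoreboard code, the following Python models the decision flow described above and in the scoreboard use cases: a known pattern is checked for completed attack steps and scored, an unknown pattern is queued for the administrator, who can add it to the lookup table and award a bonus, and the tenth wrong pattern signs the hacker out. The lookup-table shape and the bonus value are assumptions.

```python
from dataclasses import dataclass

MAX_WRONG_PATTERNS = 10   # thesis constraint: ten wrong patterns and the user is signed out
BONUS_POINTS = 5          # constructed value; the thesis only says a bonus is awarded


@dataclass(frozen=True)
class Submission:
    """What the hacker sends to the scoreboard server after a successful attack."""
    hacker_id: str
    machine_ip: str
    exploit: str
    steps: tuple          # attack steps the hacker reports having completed


class Scoreboard:
    """Scoreboard back end: lookup_table maps a machine IP to
    {"points": n, "patterns": {exploit_name: required_steps}} (assumed shape)."""

    def __init__(self, lookup_table):
        self.table = lookup_table
        self.scores = {}
        self.wrong = {}
        self.signed_out = set()
        self.pending = []      # submissions waiting for the administrator (UC11)

    def _raise_score(self, hacker_id, points):
        self.scores[hacker_id] = self.scores.get(hacker_id, 0) + points

    def _wrong_pattern(self, hacker_id):
        """Count a wrong pattern; the tenth one signs the hacker out (UC03)."""
        self.wrong[hacker_id] = self.wrong.get(hacker_id, 0) + 1
        if self.wrong[hacker_id] >= MAX_WRONG_PATTERNS:
            self.signed_out.add(hacker_id)
            return "signed_out"
        return "re-enter"

    def submit(self, sub):
        """UC06 + UC09: look the machine up, then match the exploit pattern."""
        if sub.hacker_id in self.signed_out:
            return "signed_out"
        entry = self.table.get(sub.machine_ip)
        if entry is None:
            return "re-enter"                  # unknown IP: hacker re-enters it
        required = entry["patterns"].get(sub.exploit)
        if required is None:
            self.pending.append(sub)           # new pattern: administrator decides
            return "pending_admin"
        if set(required) <= set(sub.steps):    # all steps of the attack completed?
            self._raise_score(sub.hacker_id, entry["points"])
            return "scored"
        return self._wrong_pattern(sub.hacker_id)

    def admin_review(self, sub, valid):
        """UC11: the administrator validates a new pattern and upgrades the table."""
        self.pending.remove(sub)
        if not valid:
            return self._wrong_pattern(sub.hacker_id)
        entry = self.table[sub.machine_ip]
        entry["patterns"][sub.exploit] = sub.steps
        self._raise_score(sub.hacker_id, entry["points"] + BONUS_POINTS)
        return "scored_with_bonus"

    def best_hacker(self):
        """UC13: the hacker with the highest score, or None before any score."""
        return max(self.scores, key=self.scores.get) if self.scores else None
```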

4.7 highly critical use cases

4.7.1 Use Case UC03: Attack Machine

use case: Attack Machine

scope: System under design CYBER RANGES

level: User Goal

actor(s): Hacker

pre condition:

• Hacker must be signed in (authentication).

• A unique hacker ID should be assigned to the hacker.

type: Primary and Essential

success guarantee (post condition):

• Hacker has penetrated into the machine.

• Hacker has got complete control of the machine (by checking whether the vulnerability was exploited or not).

main success scenario (basic flow):

• Hacker first checks the vulnerability of the machine he has selected to penetrate.

• User selects the best possible exploit for the application and starts attacking the machine.

• Server gives control of the machine to the hacker if he hacks it in time.

extensions (alternate flow):

• If the version of the exploit entered by the hacker is wrong, the system asks the hacker to re-enter it.

• If the hacker sends a wrong exploit to the server, the system asks the hacker to re-enter it.

• If the hacker sends a wrong exploit 10 times, he is signed out.

frequency of occurrence: Continuous in all phases

4.7.2 Use Case UC06: Access Scoreboard

use case: Access Scoreboard

scope: System under design CYBER RANGES

level: User Goal

actor(s): Hacker

pre condition:

• Hacker must be signed in (authentication).

• A unique hacker ID should be assigned to the hacker.

type: Primary and Essential

success guarantee (post condition):

• The details of the hacker and the hacking will be stored in the scoreboard's database.

main success scenario (basic flow):

• System asks the hacker to enter his hacker ID.

• Hacker sends the hacker ID to the server.

• System asks the hacker to enter the IP address of the machine he has penetrated.

• Hacker sends the IP address of the machine to the server.

• Hacker selects the exploit.

extensions (alternate flow):

• If the hacker ID entered by the hacker is wrong, the system asks the hacker to re-enter it.

• If the IP address of the penetrated machine is wrong, the hacker re-enters it.

frequency of occurrence: Continuous in all phases

4.7.3 Use Case UC09: Test Pattern

use case: Test Pattern

scope: System under design CYBER RANGES

level: User Goal

actor(s): Scoreboard

pre condition:

• Hacker must be signed in (authentication).

• A unique hacker ID should be assigned to the hacker.

• Hacker should have completed the penetration testing.

• Details of the hacker have been saved in the database.

type: Primary and Essential

success guarantee (post condition):

• The hacking pattern of the hacker will be verified.

main success scenario (basic flow):

• The scoreboard locates the IP address of the hacked machine in the lookup table.

• The scoreboard matches the pattern of the exploit.

extensions (alternate flow):

• If the pattern of the exploit/SQL injection entered by the hacker does not match the pattern in the table, the scoreboard forwards it to the administrator.

frequency of occurrence: Continuous in all phases


4.7.4 Use Case UC11: Identify New Pattern

use case: Test Pattern

scope: System under design CYBER RANGES

level: User Goal

actor(s): Scoreboard, Administrator

pre condition:

• Hacker must be signed in (authentication).

• A unique hacker ID should be assigned to the hacker.

• Hacker should have completed the penetration testing.

• Details of the hacker have been saved in the database.

• The pattern of the exploit/SQL injection entered by the hacker does not match the pattern in the lookup table.

type: Primary and Essential

success guarantee (post condition):

• The hacking pattern of the hacker will be verified.

• The scoreboard database will be updated.

main success scenario (basic flow):

• The scoreboard sends the exploit to the administrator to verify it.

• The administrator verifies the pattern.

• The administrator updates the scoreboard database and adds the new exploit to it.

• The administrator gives control back to the scoreboard for evaluating the hacker.

extensions (alternate flow):

• None

frequency of occurrence: Continuous in all phases


4.7.5 Use Case UC13: Identify Best Hacker

use case: Identify Best Hacker

scope: System under design CYBER RANGES

level: User Goal

actor(s): Scoreboard

pre condition:

• Hacker must be signed in (authentication).

• A unique hacker ID should be assigned to the hacker.

• Hacker should have completed the penetration testing.

• Details of the hacker have been saved in the database.

• The hacking pattern has been verified.

• The scores of the hackers have been calculated.

type: Primary and Essential

success guarantee (post condition):

• The best hacker/winner will be identified.

main success scenario (basic flow):

• The scoreboard groups the scores of all hackers.

• The scoreboard displays the scores to all the hackers.

• The hacker with the highest score is declared the winner.

extensions (alternate flow):

• None

frequency of occurrence: Continuous in all phases

4.8 conclusion

Because our dependence on computers and networks is increasing day by day, a fool-proof network security is of tremendous importance. The concept of the honeypot is to fulfil this task. In this thesis a complete architecture to compensate for the current drawbacks of honeypots is presented. It started by defining what honeypots are and how they capture the attack, followed by a study of the elements, including architecture, location, configuration and scalability, that security analysts would need to define when deploying honeypots in enterprise organizations.


bibliography

[1] Honeyd.org, 2007. URL: http://www.honeyd.org/.

[2] VirtualBox, 2008. URL: http://www.virtualbox.org.

[3] VMware, 2008. URL: http://www.vmware.com.

[4] Honeynet Project, 2012. URL: http://www.honeynet.org/tools/sebek/.

[5] J. W. Andres. Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. Syngress, 2009.

[6] Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, and Felix C. Freiling. The nepenthes platform: An efficient approach to collect malware. In Diego Zamboni and Christopher Krügel, editors, RAID, volume 4219 of Lecture Notes in Computer Science, pages 165–184. Springer, 2006. URL: http://dblp.uni-trier.de/db/conf/raid/raid2006.html#BaecherKHDF06.

[7] R. G. Berthier. Advanced honeypot architecture for network threats quantification. ProQuest, 2009.

[8] Lord Broers (Chairman), Lord Colwyn, Lord Haskel, and Baroness Finlay of Llandaff. Personal internet security. Technical Report 5, August 2007.

[9] George Chamales. The Honeywall CD-ROM. IEEE Security and Privacy, 2(2):77–79, 2004. URL: http://dblp.uni-trier.de/db/journals/ieeesp/ieeesp2.html#Chamales04.

[10] Citrix Systems. Technical and commercial comparison of Citrix XenServer and VMware, 2010.

[11] T. Cymru. The Darknet Project, June 2004. URL: http://www.cymru.com/Darknet.

[12] Frank Denneman. vSphere networking ESXi 5.0 and vCenter Server 5.0. Technical report, 2009.

[13] Xuxian Jiang and Dongyan Xu. Collapsar: A VM-based architecture for network attack detention center. In USENIX Security Symposium, pages 15–28. USENIX, 2004. URL: http://dblp.uni-trier.de/db/conf/uss/uss2004.html#JiangX04.

[14] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Network telescopes: Technical report. CAIDA, April 2004.

[15] D. Moore, G. M. Voelker, and S. Savage. Inferring internet denial-of-service activity. Technical report, DTIC Document, 2001.

[16] P. Papadimitratos. Secure ad hoc networking. In IEEE Consumer Communications and Networking Conference CCNC, Las Vegas, NV, USA, January 2006.

[17] P. Papadimitratos. On the road: reflections on the security of vehicular communication systems. In Proceedings of the IEEE International Conference on Vehicular Electronics and Safety ICVES, pages 359–363, Columbus, OH, USA, September 22–24 2008.

[18] P. Papadimitratos and Z. J. Haas. Securing the internet routing infrastructure. IEEE Communications Magazine, 40(10):60–68, October 2002.

[19] Carlos Perez. NETinVM project report. Technical report, 2012.

[20] Alan Renouf. VMware infrastructure architecture overview. Technical report, 2006.

[21] Dug Song, Rob Malan, and Robert Stone. A snapshot of global internet worm activity. Technical report, November 2001.

[22] Lance Spitzner. The Honeynet Project: Trapping the hackers. IEEE Security and Privacy, 1(2):15–23, 2003.

[23] VMware Systems Inc. VMware Infrastructure Architecture Overview, 2012.

[24] Vinod Yegneswaran, Paul Barford, and David Plonka. On the design and use of internet sinks for network abuse monitoring. In Erland Jonsson, Alfonso Valdes, and Magnus Almgren, editors, RAID, volume 3224 of Lecture Notes in Computer Science, pages 146–165. Springer, 2004. URL: http://dblp.uni-trier.de/db/conf/raid/raid2004.html#YegneswaranBP04.
