Open Cyber Challenge Platform
Cyber Challenges have been proven to be effective, realistic, up-to-date, hands-on training tools to teach cyber security at the high school, college, industry, and government levels. The most common type of cyber challenge is the Red Team v Blue Team exercise, that prepare participants for responding to different types of common cyber related incidents.
While there are a number of existing platforms available to run cyber challenges on, none of them are low-cost options suitable for high schools and colleges to use in their curriculum. Some current solutions are restricted to use by government agencies and employees only, others are created from scratch for single use events, and most are commercial packages that are too expensive for most high schools and colleges to purchase and maintain.
This research project proposes the development of an Open-source Cyber Challenge Platform (OCCP), that is composed of a low-cost platform, allows for community developed plug-and-play modules, and is freely distributed to high schools and universities. Currently, the OCCP research team at URI has designed and built the architecture framework, and developed and alpha-tested a basic network defense challenge scenario.
Gray Team — is normal traffic and service requests that must be maintained
Red Team — attacks network to steal data and deny services
Blue Team — defends network (patches vulnerabilities, etc)
White Team — officiates and scores challenge
Possible Uses in Teaching/Training/Challenges
Network Defense – Blue Team is students, Red Team is scripted attacks. Negative points assigned to Blue for data stolen and services denied.
Penetration Testing – Red Team is students, Blue Team is scripted. Positive points assigned for data stolen and services denied.
Secure Programming – Blue Team is student programmers, Red Team is scripted attacks (e.g. SQL injection). Negative points assigned for data stolen and services denied.
Digital Forensics – Read Team is scripted attack, Blue Team of students must find what data was stolen and who did it.
Virtual Target Network (VTN)
This is the basic VTN layout that is used in the current Network Defense scenario. Note that the white team is not shown.
- VMWare vSphere package of virtual machines on a virtual network
- Runs on one low-end/moderate physical computer/server
- Virtual internal network, external (Internet) network, private white team network
- Current network defense scenario uses “metasploitable”, which is a virtual web server with vulnerabilities as part of the metasploit project.
Red Blue Network Defense Scenario
Gray Team (simulates normal traffic and service requests)
- Ruby scripts generate traffic
- What protocols, timing/density of requests, and specific VTN services are specified in configuration file
- Use of standard protocol libraries (e.g. http library) to generate traffic under Ruby scripting
- Gray scripts report to White Team successful receipt of services for scoring purposes
Red Team (attacks)
- Scripted for network defense, secure programming and forensics
- Human for penetration testing
- For current network defense scenario:
- Exploits come from Metasploit (open source) library
- Configuration file specifies attacks and timing
- Ruby (scripting language) scripts execute exploit attempts
- Red scripts report success to White scripts for scoring
Red Team in Network Defense Scenario
- Attacks Run
- Brute force login
- Web application exploit
- tikiwiki php exec
- Exposed internal services
- Post Exploit
- Privilege escalation
- Backdoor accounts
- Stolen passwords
- Website defacement
- Erase logs
Blue Team (defends)
- Humans in Network Defense, Secure Programming, and Forensics
- Scripts in Penetration Testing
Blue Team in Network Defense Scenario
- Blue Team gets short “network administrator” document showing network architecture, passwords, etc.
- Blue Team is given pre-training on the specific tools and components used (e.g. pfSense firewall)
- Blue Team is provided a “network administrator” virtual desktop with all required tools (and possibly an Internet connection to get other tools and documentation). E.g.
- Blue Team has an email account on the network administrator desktop to which hints can be emailed
White Team (officiates and scores)
- Uses Nagios (open source network monitoring) to get status of services
- Uses Nagios messages to receive updates from the other teams
- Displays running score
- Provides monitoring of all parts of the system for White Team human administrators
White Team in Network Defense Scenario
- Red team reports successful exploits (negative points)
- Gray team report successful services (positive points) and denied/incorrect service (negative points)
- Provides “hint” communication for White Team humans to help Blue Team humans
This research is being supported by the U.S. National Science Foundation grants:
- Federal Cyber Service Scholarship For Service Program: Award 1241515
- Research Experience For Undergraduates: Award 1004409