kypo cyber range: design and use cases › repo › 1386573 › 2017-icsoft-kypo... · kypo cyber...
TRANSCRIPT
KYPO Cyber Range: Design and Use Cases
Jan Vykopal1, Radek Ošlejšek2, Pavel Celeda1, Martin Vizváry1, Daniel Tovarnák1
1Institute of Computer Science, Masaryk University, Brno, Czech Republic2Faculty of Informatics, Masaryk University, Brno, Czech Republic
{vykopal|celeda|vizvary|tovarnak}@ics.muni.cz, [email protected]
Keywords: KYPO, cyber range, cyber attack, system design, cloud computing, network virtualization
Abstract: The physical and cyber worlds are increasingly intertwined and exposed to cyber attacks. The KYPO cyberrange provides complex cyber systems and networks in a virtualized, fully controlled and monitored environ-ment. Time-efficient and cost-effective deployment is feasible using cloud resources instead of a dedicatedhardware infrastructure. This paper describes the design decisions made during it’s development. We pre-pared a set of use cases to evaluate the proposed design decisions and to demonstrate the key features of theKYPO cyber range. It was especially cyber training sessions and exercises with hundreds of participants whichprovided invaluable feedback for KYPO platform development.
1 Introduction
Operational cyber environments are not suitablefor building a systematic knowledge of new cyberthreats and to train responses to them. Therefore,cyber ranges or testbeds are usually built to providea realistic environment suitable for training securityand operations teams. A cyber range provides a placeto practice correct and timely responses to cyber at-tacks. The learners can practice skills such as networkdefence, attack detection and mitigation, penetrationtesting, and many others in a realistic environment.
Despite the increasing popularity of cyber exer-cises (Welch et al., 2002; NATO CCDCOE, 2017),there is very limited public information about plat-forms used. Due to the specific use of cyber ranges(government, military, industry), many technical de-tails are regarded as sensitive. This paper shall pro-vide an integrated view of the KYPO cyber range(KYPO, 2017), which has been in development since2013. KYPO was made for researching and develop-ing new security methods, tools and for training se-curity teams and students. It provides a virtualisedenvironment for performing complex cyber attacksagainst simulated cyber environments.
Apart from the technical aspects, the transdisci-plinary features of cyber exercises are equally im-portant. Preparing and carrying out cyber exerciserequires substantial time, effort and financial invest-ments (Childers et al., 2010). The major workloadis carried out by the organizers, particularly in the
exercise preparation phase. The ultimate goal of acyber range developers is to minimize this workloadand to support all phases of an exercise’s life cycle.We have designed and executed a cyber defence exer-cise to validate the KYPO cyber range prototype. Thetechnical part of the exercise relies on the built-in ca-pabilities of KYPO and was used in six runs of a cyberdefence exercise for 50 participants. Several lessonswere learned which provided important guidance forfurther KYPO research and development.
This paper is divided into six sections. Section 2shall provide background information about testbedsand cyber ranges. Section 3 will describe KYPO’sarchitecture design and list the main components ofthe proposed architecture. Section 4 shall describethe user interface and interactions in the KYPO cyberrange. Section 5 will show three selected use cases.Finally, Section 6 will conclude the paper and outlinefuture work on KYPO.
2 Related Work
In this section, we introduce generic testbedswhich can be used in cyber security. Then we fo-cus on environments which have been specially devel-oped for cyber security training. While some of theseevolved from generic testbeds, others were designedwith cyber security in mind. The environments arecostly, but versatile large-scale infrastructures withstate of the art parameters and features as well as
lightweight alternatives with limited scope, function-ality and resources.
The Australian Department of Defence publishedan extensive survey of state of the art cyber rangesand testbeds (Davis and Magrath, 2013). The surveylists more than 30 platforms which can be used forcyber security education worldwide. This number isbased on publicly available, non-classified informa-tion. Since the development and operation of somecyber ranges is funded by the military and govern-ments of various countries, there is likely to be otherclassified cyber ranges. To cover recent advances andinnovations, we have done a systematic literature re-view from 2013 to 2017.
2.1 Generic Testbeds
Emulab/Netbed (White et al., 2002) – this is a clus-ter testbed providing basic functionality for deploy-ing virtual appliances, configuring flexible networktopologies and the emulation of various network char-acteristics. The network topology must be describedin detail by an extension of NS language. Emulab al-locates computing resources for the specified networkand instantiates it in a dedicated HW infrastructure.
Emulab has been developed since 2000 and thereare currently about 30 of its instances or derivates inuse or under construction worldwide (Emulab, 2017).It can be considered to be a prototype of an emulationtestbed for research into networking and distributedsystems. It provides accurate repeatable results in ex-periments with moderate network load (Siaterlis et al.,2013).
CyberVAN (Cyber Virtual Ad hoc Network, 2017)– this is a cyber experimentation testbed funded bythe U.S. Army Research Laboratory and developedby Vencore Labs. CyberVAN enables arbitrary ap-plications to run on Xen-based virtual machines thatcan be interconnected by arbitrary networks topolo-gies. It employs network simulators such as OPNET,QualNet, ns-2, or ns-3, so the network traffic of emu-lated hosts travels through the simulated network. Asa result, this hybrid emulation enables the simulationof large strategic networks approximating a large ISPnetwork.
2.2 Cyber Ranges
DETER/DeterLab (Mirkovic et al., 2010) – the DE-TER project was started in 2004 with the goal of ad-vancing cyber security research and education. It isbased on Emulab software and has developed new ca-pabilities, namely i) an integrated experiment man-agement and control environment SEER (Schwab
et al., 2007) with a set of traffic generators and mon-itoring tools, ii) the ability to run a small set of riskyexperiments in a tightly controlled environment thatmaximizes research utility and minimizes risk (Wro-clawski et al., 2008), and iii) the ability to run large-scale experiments through a federation (Faber andWroclawski, 2009) with other testbeds that run Em-ulab software, and with facilities that utilize otherclasses of control software. Lessons learned throughthe first eight years of operating DETER and an out-line of futher work are summarized in (Benzel, 2011).
DETER operates DeterLab which is an open fa-cility funded by U.S. sponsors and hosted by theUniversity of Southern California and Universityof California, Berkeley. It provides hundreds ofgeneral-purpose computers and several specializedhosts (e. g., FPGA-based reconfigurable hardware el-ements) interconnected by a dynamically reconfig-urable network. The testbed can be accessed fromany machine that runs a web browser and has an SSHclient. Experimental nodes are accessed through asingle portal node via SSH. Under normal circum-stances, no traffic is allowed to leave or enter an ex-periment except via this SSH tunnel.
National Cyber Range (NCR) (NCR, 2017) –the NCR is a military facility to emulate militaryand adversary networks for the purposes of realisticcyberspace security testing, supporting training andmission rehearsal exercises (Ferguson et al., 2014).Its development and operation have been funded bythe U.S. Department of Defense since 2009 and thetarget user group are U.S. governmental organiza-tions. The NCR enables operational networks to berepresented, and interconnected with military com-mand and control systems, with the ability to restoreto a known checkpoint baseline to repeat the test withdifferent variables. The NCR is instrumented withtraffic generators and sensors collecting network traf-fic and data from local and distributed nodes. TheNCR has demonstrated the ability to rapidly configurea variety of complex network topologies and scale upto 40,000 nodes including high-fidelity realistic rep-resentations of public Internet infrastructure.
Michigan Cyber Range (MCR) (MCR, 2017) –this is an unclassified private cloud operated by Merit,a non-profit organization governed by Michigan’spublic universities in the USA. The MCR has offeredseveral services in cyber security education, testingand research since 2012.
The MCR Secure Sandbox simulates a real-worldnetworked environment with virtual machines that actas web servers, mail servers, and other types of hosts.Users can add preconfigured virtual machines or buildtheir own virtual machines. Access to the Sandbox is
provided through a web browser or VMware clientfrom any location.
Alphaville is MCR’s virtual training environmentspecifically designed to test teams’ cyber securityskills. Alphaville consists of information systemsand networks that are found in a typical informationecosystem. Learners can develop and exercise theirskills in various hands-on formats such as defence andoffense exercises.
SimSpace Cyber Range (Lee Rossey, 2015) – aU.S. private company runs this cyber range, whichenables the realistic presentation of networks, infras-tructure, tools and threats. It is offered as a servicehosted in public clouds (Amazon Web Services orGoogle), at the SimSpace datacenter, or deployed inthe customer’s infrastructure and premises.
The cyber range provides several types of pre-configured networks containing from 15 to 280 hostswhich emulate various environments (generic, mili-tary, financial). It is possible to generate traffic emu-lating enterprise users with host-based agents and runattack scenarios automatically by combining variousattacker tasks. All activities can be also monitoredat network and scenario level (network traffic, attack-ers’ and defenders’ actions, and activities of emulatedusers at end hosts). The platform is controlled viaa web portal that also provides access to the resultsof an analysis and assessment of monitored activitieswithin the cyber range.
EDURange (EDURange, 2017) – this is a cloud-based framework for designing and instantiating in-teractive cyber security exercises funded by the U.S.National Science Foundation and developed by Ev-ergreen State College, Olympia, Washington. EDU-Range is intended for teaching ethical hacking andcyber security analysis skills to undergraduate stu-dents. It is an open-source software with a web fron-tend based on Ruby and backend deploying virtualmachines and networks hosted at Amazon Web Ser-vices. The exercises are defined by a YAML-basedScenario Description Language and can be instanti-ated by the instructor for a selected group of students.EDURange supports Linux machines which can beaccessed via SSH. It also has built-in analytics forhost-based actions, namely a history of commands ex-ecuted by students during the exercise.
2.3 Lightweight Platforms
Avatao (Buttyán et al., 2016; Avatao, 2017) – thisis an e-learning platform offering IT security chal-lenges which are created by an open community ofsecurity experts and universities. Avatao is devel-oped by an eponymous spin-off company of CrySyS
Lab at Budapest University of Technology and Eco-nomics, Hungary. It is a cloud-based platform us-ing lightweight containers (such as Docker) insteadof a full virtualization. This enables it to start a newchallenge in its virtual environment very quickly incomparison with booting full-fledged emulated hosts.Learners and teachers access the challenges via webbrowser. Hosts and services within the virtual envi-ronment are accessed by common network tools andprotocols such as Telnet or SSH.
CTF365 (CTF365, 2017) – this is a Romaniancommercial security training platform with a focuson security professionals, system administrators andweb developers. It is an IaaS where users (organizedin teams) can build their own hosts and mimic thereal Internet. CTF365 provides a web interface forteam management, instantiating virtual machines us-ing predefined images and providing credential to ac-cess the machines using VPN and SSH. Each teamhas to defend and attack the virtual infrastructure atthe same time. As a defender, a team has to set upa host which runs common Internet services such asmail, web, DB in 24/7 mode. As an attacker, the teamhas to discover their competitor’s vulnerabilities andsubmit them to the scoring system of the CTF365 por-tal.
Hacking-Lab (Security Competence, 2017) – thisis an online platform for security training and com-petitions run by a Swiss private company. It pro-vides more than 300 security challenges and has about40,000 users. The platform consists of a web por-tal and a network with vulnerable servers emulatedusing virtual machines or Docker containers. Eachteam administers a set of vulnerable applications andhas to perform several tasks simultaneously, namelyattack the applications of their competitors, keep theirown applications secure, and up and running, find andpatch vulnerabilities, keep applications up and run-ning, and solve challenges. A Linux-based live CD isprovided to ease the use of Hacking-Lab. It containsmany hacking tools and is preconfigured for VPN ac-cess.
iCTF and InCTF iCTF framework (Vigna et al.,2014) was developed by the University of Califor-nia, Santa Barbara for hosting their iCTF, the largestcapture the flag competition in the world since 2002.The goal of this open-source framework is to providecustomizable competitions. The framework createsseveral virtual machines running vulnerable programsthat are accessible over the network. The players’ taskis to keep these programs functional at all times andpatch them so other teams cannot take advantage ofthe incorporated vulnerabilities. The availability andfunctionality of these services is constantly tested by a
scorebot. Each service contains a flag, a unique stringthat the competing teams have to steal so that theycan demonstrate the successful exploitation of a ser-vice. This flag is also updated from time to time bythe scorebot.
InCTF (Raj et al., 2016) is a modification ofiCTF that uses Docker containers instead of vir-tual machines. This enhances the overall game ex-perience and simplifies the organization of attack-defence competitions for a larger number of partici-pants. However, it is not possible to monitor networktraffic, capture exploits and reverse engineer them toidentify new vulnerabilities used in the competition.
3 KYPO Architecture Design
The KYPO cyber range is designed as a modu-lar distributed system. In order to achieve high flex-ibility, scalability, and cost-effectiveness, the KYPOplatform utilizes a cloud environment. Massive vir-tualization allows us to repeatedly create fully oper-ational virtualized networks with full-fledged operat-ing systems and network devices that closely mimicreal world systems. Thanks to its modular architec-ture, the KYPO is able to run on various cloud com-puting platforms, e. g., OpenNebula, or OpenStack.
A lot of development effort has been dedicated touser interactions within KYPO since it is planned tobe offered as Platform as a Service. It is accessedthrough web browser in every phase of the life cy-cle of a virtualized network: from the preparation andconfiguration artifacts to the resulting deployment, in-stantiation and operation. It allows the users to stayfocused on the desired task whilst not being distractedwith effort related to the infrastructure, virtualization,networking, measurement and other important partsof cyber research and cyber exercise activities.
3.1 Platform Requirements
At the beginning of the development of the KYPOplatform, many functional and non-functional re-quirements were defined both by the developmentteam and the project’s stakeholders. The requirementswere first prioritized using the MSCW method (Musthave, Should have, Could have, and Would like, butwill not have). After the prioritization process, weidentified the must have requirements that were themost likely to influence the high-level architectureof the KYPO platform as a whole. The followingselected requirements have strongly influenced ourhigh-level design choices.
Flexibility – the platform should support the in-stantiation of arbitrary network topologies, rangingfrom single node networks to multiple connected net-works. For the topology nodes, a wide range of op-erating systems should be supported (including arbi-trary software packages). The creation and config-uration of such topologies should be as dynamic aspossible.
Scalability – the platform should scale well interms of the number of topology nodes, processingpower and other available resources of the individualnodes, network size and bandwidth, the number ofsandboxes (isolated virtualized computer networks),and the number of users.
Isolation vs. Interoperability – if required, differ-ent topologies and platform users should be isolatedfrom the outside world and each other. On the otherhand, integration with (or connection to) external sys-tems should be achieved with reasonable effort.
Cost-Effectiveness – the platform should supportdeployment on commercial off-the-shelf hardwarewithout the need for a dedicated data center. The op-erational and maintenance costs should be kept as lowas possible.
Built-In Monitoring – the platform should nativelyprovide both real-time and post-mortem access to de-tailed monitoring data. These data should be relatedto individual topologies, including flow data and cap-tured packets from the network links, as well as nodemetrics and logs.
Easy Access – users with a wide range of expe-rience should be able to use the platform. For lessexperienced users, web-based access to its core func-tions should be available, e. g., a web-based terminal.Expert users, on the other hand, should be able to in-teract with the platform via advanced means, e. g., us-ing remote SSH access.
Service-Based Access – since the development ef-fort and maintenance costs of a similar platform arenon-trivial for a typical security team or a group ofprofessionals, our goal is to provide transparent ac-cess to the platform in the form of a service.
Open Source – the platform should reuse suitableopen source projects (if possible) and its release arti-facts should be distributed under open source licenses.
3.2 High-Level Architecture
It can be seen that many of the requirements were al-ready created with a cloud computing model in mind.This naturally influenced the KYPO platform highlevel architecture (Figure 1). The platform is com-posed of five main components – infrastructure man-agement driver, sandbox management, sandbox data
store, monitoring management, and the platform man-agement portal serving as the main user interactionpoint. These components interact together in orderto build and manage sandboxes residing in the un-derlying cloud computing infrastructure. In the fol-lowing paragraphs, we will individually describe eachcomponent. Since the user interface (platform man-agement portal) is very complex it is thoroughly de-scribed in Section 4.
Computing Infrastructure
Sandbox
Sandbox Management
Infrastructure Management
Driver
Sandbox Data Store
Monitoring Management
Platform Management Portal
Figure 1: KYPO platform high-level architecture overview.
3.2.1 Infrastructure Management Driver
The infrastructure management driver is used to con-trol the computing infrastructure. A computing in-frastructure consists, in general, of housing facilities,physical machines, network devices, and other hard-ware and related configuration artifacts. It forms theraw computing resources such as storage, operatingmemory, and processing power. KYPO is designed torun on public cloud computing infrastructure so thatsandboxes can be built without the need of dedicatedinfrastructure.
The infrastructure management driver is the onlycomponent of the architecture which directly accessthe low level computing infrastructure. Therefore, thesupport of multiple cloud providers is isolated to thissingle component. API provided by the driver offersservices which enable the management of virtual ma-chines and networks in a unified way. At present, theKYPO runs on OpenNebula cloud and the adaptationto OpenStack is under development.
3.2.2 Sandbox Management Component
The sandbox management component is used to cre-ate and control sandboxes in the underlying comput-ing infrastructure. During the deployment of a sand-box, it orchestrates the infrastructure via infrastruc-ture management driver in order to configure virtualmachines and networking.
Advanced networking is one of the most importantfeatures of the KYPO platform. KYPO uses cloudnetworking as an overlay infrastructure. The underly-ing cloud infrastructure uses IEEE 802.1Q, i.e. Vir-tual LAN tagging, using Q-in-Q tunneling. Q-in-Qtunneling allows KYPO to configure sandboxes net-working dynamically. It also does not depend on theL2 and L3 network addressing of the infrastructure,using a separate networking configuration. The sand-box networking allows users to configure their ownL2/L3 addressing scheme in each LAN.
The networking in the sandboxes is done usingone or more Lan Management Nodes (LMN). EachLAN network is managed by one LMN. LMN is astandard Debian system with an Open vSwitch (OvS)multilayer virtual switch (Linux Foundation, 2017).It combines standard Linux routing and OvS packetswitching. The intra-LAN communication is done onthe L2 layer using OvS as a learning switch. Theinter-LAN communication is forwarded from switchto standard Linux routing tables.
The notion of KYPO points is used to connect ex-ternal devices, systems and networks to the KYPO en-vironment. Since the KYPO platform is cloud-based,there is a need for the mechanism to be able to connectsystems and devices that do not have a virtualized op-erating system, i. e. they are hardware-dependent, orlocation dependent.
We have developed a device which connects suchsystems – based on a Raspberry Pi platform whichautomatically connects after its boot via Virtual Pri-vate Network (VPN) tunnel to the sandbox in KYPO.This makes the point very easy to use since it has verysmall proportions and it can be easily delivered andconnected anywhere. The connection is secured viathe properties of the VPN.
3.2.3 Sandbox Data Store
The sandbox data store manages information relatedto the topology of a sandbox and provides its genericabstraction. Since the KYPO is partially an overlayenvironment, it is necessary to bridge the configura-tion of nodes in the cloud infrastructure and the innerconfiguration of virtual machines.
Therefore, modules working with sandbox-relateddata, e. g., the platform management portal or themonitoring management component, do not retrieveinformation directly from the cloud but utilize thesandbox data store instead.
The store contains information about end nodes,IP addresses, networks, routes, and network proper-ties during the whole lifetime of the sandbox. Theyare updated by the sandbox management componentwhenever changes to the sandbox are made. For ex-
ample, when a user deploys a new node or deletes acurrent node.
3.2.4 Monitoring Management Component
The monitoring management component providesfine-grained control over the configuration of thebuilt-in monitoring and also provides an API that ex-poses the acquired monitoring data to external con-sumers (e. g., platform management portal). All thenecessary information about the sandbox’s topologyis read from the sandbox data store, i. e. informationabout existing network links and nodes. Currently,the platform supports simple network traffic metrics(e. g., packets, and error octets) and there is also sup-port for flow-based monitoring and full-packet cap-ture.
In order to cope with the largely heterogeneousmonitoring data that is inherently generated withinsandboxes and the KYPO platform itself, we use thenormalizer design pattern and the notion of a monitor-ing bus component implementing this pattern, as de-scribed in detail by (Tovarnák and Pitner, 2014). Thelong-term objective of such a deployment is to renderthe monitoring architecture within the platform fullyevent-driven. This is motivated by the growing needfor advanced monitoring data corelations both in theterms of real-time and post-mortem analysis.
During the development of the platform, we en-countered a problem as to how to differentiate be-tween the monitoring functionality that should bebuilt in, and the functionality that should be, concep-tually, a part of a cyber exercise scenario and the re-sulting sandbox topology. We have determined thata reasonable decisive factor is the intended consumerof the monitoring data and the desired intrusivenessof the monitoring components on the scenario.
For example, in the case of host-based monitor-ing, there is a need for various monitoring agents tobe installed and configured on the end-nodes. If theintended consumer is not part of the scenario, e. g., themonitoring data are used for the purposes of progresstracking or scoring in cyber-exercises, the monitoringagents must be protected from misconfiguration andother manipulation by the participants. This, how-ever, breaks the fourth-wall, so to say, since the partic-ipants need to be informed that such misconfigurationis prohibited, including network misconfiguration andso on. This can be sometimes seen as intrusive.
When the intended consumers are the partici-pants themselves, the monitoring components andtheir configuration should be a part of the scenario.This way it can be misconfigured or stopped alto-gether. Yet in this case, the monitoring data can be
rendered unusable for external consumers, e. g., forthe purposes of ex-post analysis.
3.2.5 Platform Management Portal
The Platform Management Portal (PM Portal) medi-ates access to the platform for the end users by pro-viding them with interactive visual tools. In particu-lar, the PM Portal is designed to cover the followingtypes of interactive services.
Management of cyber exercises – the preparationof cyber exercises is very complex process which re-quires us to define security scenarios, allocate hard-ware resources, manage participants, and so on. ThePM Portal supports the automation of these tasks byintroducing a system of user roles and correspondinginteractions.
Collaboration – many security scenarios are basedon mutual collaboration where multiple participantsshare a sandbox and jointly solve required tasks or,on the contrary, compete against each other. The PMPortal supports multiple flexible collaboration modescovering a wide range of scenarios.
Access to sandboxes – the PM Portal enables endusers to log into computers allocated in a sandboxvia remote desktop web client as an alternative user-friendly access point to the portal-independent com-mand line SSH access.
Interactive visualizations – regardless of whethera user is analyzing a new malware or is learning newdefence techniques against attackers, it is always cru-cial to understand and keep track of progress and cur-rent developments inside the sandbox. The PM Por-tal, therefore, provides specialized visualization andinteraction techniques which mediate data and eventsmeasured in sandboxes.
4 User Interface and Interactions
The variability of security issues that the KYPOinfrastructure is able to emulate places high demandson the realization of the Platform Management Portaland its interactive services. While traditional appli-cations are usually based on clearly defined require-ments and use cases that delimit software architectureas well as provided functionality, the design of the PMPortal has to deal with the dynamic character of its us-age. This is because the use cases are defined at theuser level as part of security scenarios and then userinterfaces have to also be either definable or at leasthighly configurable at the user level.
To assure high accessibility of the services for alltypes of end users, the PM Portal is designed as a web
application where users are not bothered by the needto install anything on their device (not even browserplugins or extensions such as Java or Flash).
To deal with the dynamic character of the KYPO’suse, the PM Portal complies with Java Enterprise WebPortal standards, as defined in JSR 168 and JSR 286.Web portals are designed to aggregate and personal-ize information through application-specific modules,so-called portlets. Portlets are unified cross-platformpluggable software components that visually appearas windows located on a web page. Once developed,a portlet can usually be reused in many security sce-narios. Another key feature of enterprise web por-tals is their support of inter-portlet communication,synchronization and deployment into web pages andsites. We utilized these features to create complexscenario-specific user interfaces as preconfigured webpages composed of mutually cooperating portlets.
4.1 Role-based Access Control
Preparation of a cyber exercise is very complextask comprising scenario definition, allocation of re-sources, user management, and so on. In order to au-tomatize these processes by means of user interaction,it is necessary to define user roles with clear accessrules and responsibilities.
Scenarist devises security scenarios with all nec-essary details including sandbox definition and the de-sign of web user interfaces for end users engaged inthe scenario. At this level, the interfaces are defined asgeneric templates used to generate per-user web pagesin further “scenario execution” phases. Besides thescenario and UI management, scenarists also autho-rize selected users to become organizers of exerciseswith adequate responsibilities.
An organizer is a well-instructed technicallyskilled person authorized by a scenarist to plan andprepare cyber exercises or experiments of a particularsecurity scenario. Organizational activities consist ofthe allocation of sandboxes in the cloud, adjusting in-formation pages, configuring a scoring subsystem andother scenario-specific services, inviting participants,etc. Organizers also delegate selected participants tobe supervisors of the exercise.
Participants represent end users engaged in a par-ticular cyber exercise or experiment. They utilizeweb UIs prepared by scenarists and perform tasksprescribed by the security scenario. If the users areinvolved in multiple experiments or exercises at thesame time, they have to choose a particular one at thebeginning of the interaction.
We distinguish between ordinary participants andthose having extended supervising privileges. Or-
dinary participants have just one scenario role as-signed. Scenario roles limit particular participants’access to particular hosts in the sandbox based sce-nario definition. For instance, an exercise scenariodefines the roles of an attacker and a defender. Theattacker then has no direct access to the hosts con-trolled by the defender and vice versa. In contrast,participants with supervisor privileges have access toall nodes in the network implicitly. Supervisors alsousually utilize specific web forms and visualizationsthat reflect their specific needs. Another differencecan be found in a multi-sandbox collaboration mode.While ordinary participants have access to only a sin-gle sandbox, supervisors can access all the sandboxesallocated for a given exercise.
Authentication of all users is based on federatedidentities. Credentials of users attempting to log intothe PM Portal are redirected to a central system foridentity management, which integrates many existingidentity providers and authenticates users against theirexternal electronic identities. Besides well-knownidentity providers (such as Facebook or Google) it iseasy to integrate other external accounts on demandvia a LDAP service. Participants of cyber exercisescan, therefore, use their Google or corporate user-names and passwords to access the KYPO infrastruc-ture.
Once authenticated, the authorization of a user ismanaged directly in the KYPO infrastructure. ThePM Portal checks the user against his or her as-signed roles and offers the appropriate web pages andportlets for further interaction. The more roles theuser has assigned, the broader the user interfaces ofthe PM Portal are available.
4.2 Collaboration Modes
The combination of flexible web UIs (supported bythe PM Portal) and the loose coupling of individualportlets (with sandboxes via remote access) enablesus to simulate various collaboration strategies (Eich-ler et al., 2015). Three basic collaboration modes aredepicted in Figure 2. The combination of these modeswith other traditional web-browser features (such asmultiple browser tabs opened at the same time ormulti-display views) provide a very flexible solutioncovering a wide range of security scenarios.
Individual sandboxes – every participant has theirown private sandbox and web user interface. The webUI is defined by a scenarist only once in the form of atemplate and then the participants have the same set ofinteractive tools available. Thanks to its cloud-basedinfrastructure, it is easy to allocate many identicalsandboxes for individual users on demand. Neverthe-
Figure 2: Collaboration modes: individual sandboxes, indi-vidual views on shared data and role-based collaboration.
less, sandboxes do not depend on each other. There-fore, participants can complete the same tasks via thesame user interface but the state of sandboxes maydiffer depending on their activities. This collabora-tion mode is useful mainly for individual training andcyber security experiments.
Individual views on shared data – the participants,each of them sitting at his or her own computer, sharea sandbox and the measured data are shared. Partici-pants have the same web UI at their disposal but theyuse them independently. They can focus on differ-ent parts of the network, explore different aspects ofthe security scenario, return back in time and so on,but they never affect the views of other participants.This collaboration mode is useful mainly for collec-tive learning about security threats or for collaborativeforensic analyses.
Role-based collaboration – in this mixed ap-proach, participants are divided into teams with pre-scribed roles, such as attackers or defenders. Teamshave predefined web user interfaces according to theirtasks. Teams can share a sandbox which plays therole of a battlefield. This collaboration mode is use-ful for exercises where multiple teams either coop-erate or compete against each other in a single sharedsandbox. However, this role-based approach extendedwith multiple sandboxes enables us to go even further.For example, we can create multiple defending teams,each having its own isolated sandbox, and a single at-tacking team fighting against them simultaneously.
4.3 Web Front-End and Visualization
The web portal technology used for the implementa-tion of the PM Portal enables us to develop special-ized interactive user interfaces, which are narrowlyfocused on specific goals, but also allow us to com-bine them easily into complex systems of mutually
synchronized views supporting complex workflows.There is no space to describe all the developed userinterfaces and interactive visualizations in detail, norto discuss their combinations leading to the support ofvarious security scenarios. Instead, we present only afew selected portlets that were used most often duringvarious cyber exercises organized by the KYPO teamso far.
4.3.1 Capture the Flag Games
The PM Portal offers complete support for design-ing and playing level-based games where users com-plete cyber security tasks. The administrators’ inter-face enables the game designer to define the networktopology, individual tasks, hints with penalties, timelimits and other necessary information. There is alsosupport for sandbox allocation and player enrollment.The players’ interface guides them through the gameand is usually supplemented with an interactive net-work topology view.
4.3.2 Network Topology
One key visualization of the PM Portal is a generaltopological view, as shown in Figure 3. Versatilitywas one of the key requirements for this visualizationsince the network topology is present in all scenarios.Routers, links, computers and servers are representedin the visualization.
Figure 3: A simple network topology with highlightedroles, network traffic and incoming emails.
The topology visualization shows multiple dy-namic data measured in the corresponding sandbox.The small icons close to the nodes represent logicalroles, e. g., attacker or victim. Unusual traffic on linksis visualized with colors and animations. Nodes canbe accompanied by the visualization of user-definedevents such as incoming emails. Clicking on a node, auser, if privileged, can access the node’s remote desk-top via VNC or SPICE client. In this case, a new tabis opened in the browser with the screen of the remotehost. This visualization is fully interactive, enablingusers to re-organize nodes, collapse, and reveal sub-networks, zoom in and out, and so on.
4.3.3 Time Manager
Data measured in sandboxes and provided by themonitoring management component have the form ofa time series. Therefore, many visualizations usedin the PM Portal have to cope with time-related dataqueries in order to show the sandbox’s state either ata particular point in time or within a given time span.It would be impractical to deal with time constraintsin every particular portlet independently. Instead, wedeveloped a Time Manager portlet (Figure 4) whichenable users to visually define time restrictions thatare propagated to other portlets on the page.
Figure 4: A generic timeline management visualization.
4.3.4 Analytic Graphs
KYPO provides several analytically oriented visu-alizations and interactions. For instance, measuredsandbox data can be transformed into 2D line chartsand radar charts or they can be visualized in 3D, asshown in Figure 5. These analytic graphs providealternative views on multivariate data measured inthe sandbox. To help users to identify anomalies,the visualizations are fully interactive, support the re-ordering of axises simply by their direct manipulationand can switch between two 3D views smoothly bymeans of animation so that the user keeps track of theinvestigated part of the graph and never loses context.
Figure 5: Interconnected analytic graphs.
4.4 Physical Facility
Although the KYPO cyber range is accessible re-motely via a web browser, many exercises are orga-nized in a physical KYPO laboratory. Its hardware
equipment offers a high variability of display tech-niques as well as a reconfigurability of inputs and out-puts so that it is possible to support variable collabo-ration strategies and to distribute relevant informationacross several teams and roles.
The room consists of a training area over which amultimedia control center and a visitors’ gallery arelocated, as shown in Figure 6.
Figure 6: The KYPO laboratory is a versatile room. Itssetting can be adjusted to best fit the needs of ongoing exer-cises.
The training area is equipped with six mobileaudio-video tables, each for 3-4 learners. The ta-bles integrate all-in-one touch computers providingaccess to the KYPO infrastructure. The room is fur-ther equipped with four mobile FullHD displays andtwo UHD/4K displays. These displays can be ei-ther connected to individual AV tables or used to dis-play shared information. Nevertheless, the informa-tion sharing is primarily managed by two wide centraldisplay surfaces; a projection screen and display wall.The projection screen is 5 meters wide and supportsFullHD 2D or 3D projection from up to 4 sources atthe same time, e. g., the supervisor’s screen and work-ing spaces of 3 teams. The display wall consists ofa matrix of 5x3 Full HD displays and a multi-touchframe supporting detection of up to 10 simultaneoustouches (i. e. true multi-touch).
The distribution of content into display outputs ismanaged centrally by the coordinator sitting in thecontrol center. Some basic tasks can be also manageddirectly by the supervisor, who has a table located to-gether with the AV tables in the training area.
5 Cyber Range Use Cases
KYPO can be used for various different applica-tions. During its design and development, we focusedon these three main use cases: i) cyber research, de-velopment, and testing, ii) digital forensic analysis,
and iii) cyber security education and training. Allthese use cases have a similar set of requirements onthe cyber range, but they differ in scenario-specifictools, the availability of pre-defined content, user in-teractions and expected knowledge, skills, and effortlevel of the users. However, the concept of sandboxesand the platform management portal helps us to copewith this fact, i. e. various types of sandboxes withvarious types of tools can be provided, from an emptysandbox for researchers to a fully populated and con-figured sandbox for a complex cyber security exer-cise. In the following text, we describe the differ-ences of the three use cases in a detail, and providereferences to research papers employing or benefitingfrom an application of the KYPO cyber range.
5.1 Cyber Research and Development
The first use case presented here supports research,development, and testing new methods or systems forthe detection and mitigation of cyber attacks in net-work infrastructures of various types.
In this case, KYPO provides a sandbox andoptional monitoring infrastructure for experiments.Users can provide their own virtual images for hoststo be instantiated. Alternatively, they can start withgeneric virtual hosts available in KYPO which runcommon operating systems, services and applications(e. g., Ubuntu Server, MS Windows Server 2013, De-bian Server with configured DNS server) and installapplications used in the experiment.
Network traffic and host based statistics can bemonitored and stored within KYPO’s infrastructure,where they are immediately available for analysis.Experiments can be evaluated via analytic tools thatresearchers deploy into the KYPO infrastructure andutilize according to their interests. Researchers canalso utilize interactive visualizations of the PM Por-tal. The network topology visualization (with an indi-cation of network traffic and event-based activities to-gether with 2D and 3D analytic graphs) is especiallyvaluable. The time manager helps to keep track ofreal-time developments in the sandbox.
This use case is intended for security researchersand experienced network administrators because it re-quires an advanced level of knowledge in network-ing, host configuration and some knowledge of virtu-alization technologies. Researchers need to be experi-enced in order to assemble or adjust their experiment-specific web UIs, to define their own topologies andother scenario properties, and to properly design mul-tiple sandboxes for comparison studies. Regardingthe KYPO user roles, researchers play the role of sce-narist, organizer and supervisor.
There are several public papers using KYPOfor cyber security research and development rang-ing from a simulation of a DDoS attack (Jirsík et al.,2014) through to an evaluation of a network defencestrategy (Medková et al., 2017) and an analysis ofsurveillance software (Špacek et al., 2017).
5.2 Digital Forensic Analysis
The second use case partially builds upon the previousone and covers basic forensic analysis, which can bepartly automated by tools deployed in the sandbox.In this use case, the users can deploy virtual imagesof unknown or malicious machines in the predefinedsandbox network and run a set of automated dynamicanalyses. The sandbox contains an analytic host thatprovides pre-configured tools and an environment forrudimentary forensic analysis.
This use case supports security incident handlersand forensic analysts in focusing on the subject mat-ter and removes the burden of spending their precioustime in the setup of an analytic environment. Sincethe digital forensic analysis extends the previous usecase, the required KYPO user roles are also similar.
5.3 Education and Training
The last use case covers a diverse type of edu-cational hands-on activities, such as security chal-lenges, competitions, capture the flag games, and at-tack/defence cyber exercises; all of which closely fol-low the learning-by-doing principle.
In our experience, the education and training usecase has proven to be the most challenging. On onehand, the KYPO platform needs to provide many ad-ditional features, mainly in the terms of user interac-tions, in order to support both the learners and edu-cators in their roles. On the other hand, there is aconsiderable amount of customized content that mustbe created in order to fit a particular educational ac-tivity, whilst remaining reusable (e. g., virtual hosts,exercise data stored at hosts).
Some activities, e. g., capture the flag games, aredesigned to be held without much direct input fromthe teacher. Instead, the assignments for the learn-ers are implanted into the platform where the gameis deployed, including additional instructions and anevaluation of the submitted solutions. The learnerstypically choose individual tasks or follow the prede-fined path of the game. Once they find a solution, theysubmit the requested data to the game platform whichimmediately provides a response whether the solutionis correct or not. If it is, they can proceed further.
In the other cases, it is desirable for the educatorsto be able to control the flow of the hands-on activ-ity based on automatically acquired status informa-tion about the simulated infrastructure in the sandboxand also manually trigger tasks for learners, and eval-uate their actions and reports.
Whatever the case, it is desirable to put mini-mal requirements on the learners’ knowledge of theKYPO infrastructure, virtualization technologies andother advanced concepts. As a result, the learners canfocus only on the subject of the exercise or training,such as a penetration testing tutorial or a cyber secu-rity game.
With regard to KYPO’s user roles, learners fol-low the scenario roles assigned to them, and interactwith predefined web user interfaces. Instructors havesupervisor privileges to keep track on learners’ activi-ties and to be able to interfere in their activities if nec-essary. In contrast, substantial preparation effort andtechnical skills are required from scenarists and or-ganizers who create the content of exercises, allocateresources and manage the preparation and executionphase.
This use case motivates further research in activelearning of cyber security. We evaluated the bene-fits of design enhancements in generic capture the flaggame scheme provided by KYPO platform (Vykopaland Barták, 2016). Next, we introduced methods ofdistributing learners into teams with respect to theirproficiency and the prerequisite skills required by acyber exercise (Vykopal and Cegan, 2017).
6 Conclusion
Today, KYPO is the largest academic cyber rangein the Czech Republic. The platform is fully cloud-based and supports multiple use cases (research, edu-cation and training). We organize national cyber exer-cises and training sessions to validate proposed cyberrange components and to continually improve them.We also use KYPO for hands-on security courses togive students realistic experience in cyber security.
Our current work focuses on research into toolsfor more realistic, economical, and time efficient sim-ulations of real cyber entities. We develop tools tofurther automate the preparation and execution of cy-ber experiments. We connect KYPO to other facilities(e. g., ICS and LTE networks) to create a more real-istic cyber-physical environment. We aim to executecurrent and sophisticated cyber attacks in the KYPOinfrastructure to provide a research environment forsimulation, detection, and mitigation of cyber threatsagainst critical infrastructure.
In addition to the technology based contributions,we would like to contribute to transdisciplinary learn-ing in cyber security to cope with the ever-evolvingthreat landscape. To make a desirable improvementin the skills of the learners, technical skills must becomplemented by communication, strategy and otherskills for effective attack detection and response.
Acknowledgements
This research was supported by the Security Re-search Programme of the Czech Republic 2015-2020(BV III/1 – VS) granted by the Ministry of the Interiorof the Czech Republic under No. VI20162019014 –Simulation, detection, and mitigation of cyber threatsendangering critical infrastructure.
Access to the CERIT-SC computing and stor-age facilities provided by the CERIT-SC Center,provided under the programme “Projects of LargeResearch, Development, and Innovations Infrastruc-tures” (CERIT Scientific Cloud LM2015085), isgreatly appreciated.
REFERENCES
Avatao (Last accessed on Mar 22, 2017).https://avatao.com/.
Benzel, T. (2011). The Science of Cyber Security Experi-mentation: The DETER Project. In Proceedings of the27th Annual Computer Security Applications Confer-ence, pages 137–148. ACM.
Buttyán, L., Félegyházi, M., and Pék, G. (2016). Mentoringtalent in IT security–A case study. In 2016 USENIXWorkshop on Advances in Security Education (ASE16).
Childers, N., Boe, B., Cavallaro, L., Cavedon, L., Cova,M., Egele, M., and Vigna, G. (2010). Organizinglarge scale hacking competitions. In Detection of In-trusions and Malware, and Vulnerability Assessment,pages 132–152. Springer.
CTF365 (Last accessed on Mar 22, 2017). Capture The Flag365. https://ctf365.com/.
Cyber Virtual Ad hoc Network (Lastaccessed on Mar 22, 2017).http://www.appcomsci.com/research/tools/cybervan.
Davis, J. and Magrath, S. (2013). A survey of cyber rangesand testbeds. Technical report, DTIC Document.
EDURange (Last accessed on Mar 22, 2017).http://www.edurange.org/.
Eichler, Z., Ošlejšek, R., and Toth, D. (2015). KYPO: A Toolfor Collaborative Study of Cyberattacks in Safe CloudEnvironment, pages 190–199. Springer InternationalPublishing, Cham.
Emulab (Last accessed on Mar 22,2017). A list of Emulab Testbeds.http://wiki.emulab.net/Emulab/wiki/OtherEmulabs.
Faber, T. and Wroclawski, J. (2009). A federated experi-ment environment for Emulab-based testbeds. In TRI-DENTCOM, pages 1–10.
Ferguson, B., Tall, A., and Olsen, D. (2014). National cyberrange overview. In 2014 IEEE Military Communica-tions Conference, pages 123–128.
Jirsík, T., Husák, M., Celeda, P., and Eichler, Z. (2014).Cloud-based security research testbed: A DDoS usecase. In 2014 IEEE Network Operations and Man-agement Symposium (NOMS).
KYPO (Last accessed on May 16, 2017). https://kypo.cz/.Lee Rossey (2015). SimSpace Cyber Range. ACSAC 2015
Panel: Cyber Experimentation of the Future (CEF):Catalyzing a New Generation of Experimental Cyber-security Research.
Linux Foundation (Last accessed on Mar 22, 2017). OpenvSwitch. http://openvswitch.org/.
MCR (Last accessed on Mar 22, 2017). The Michigan Cy-ber Range. https://www.merit.edu/cyberrange/.
Medková, J., Husák, M., Vizváry, M., and Celeda, P.(2017). Honeypot Testbed for Network Defence Strat-egy Evaluation. In Proceedings of the 2017 IFIP/IEEEInternational Symposium on Integrated Network Man-agement, pages 887–888. IEEE Computer Society.
Mirkovic, J., Benzel, T. V., Faber, T., Braden, R., Wro-clawski, J. T., and Schwab, S. (2010). The DETERProject. In 2010 IEEE International Conference onTechnologies for Homeland Security (HST ’10).
NATO CCDCOE (Last accessed on May 16, 2017).Locked Shields. http://ccdcoe.org/event/cyber-defence-exercises.html.
NCR (Last accessed on Mar 22, 2017). The Na-tional Cyber Range. http://www.acq.osd.mil/dte-trmc/docs/Docs/NCR/2015_NCR
Špacek, S., Celeda, P., Drašar, M., and Vizváry, M. (2017).Analyzing an Off-the-Shelf Surveillance Software:Hacking Team Case Study. Security and Protectionof Information, (IX).
Raj, A. S., Alangot, B., Prabhu, S., and Achuthan, K.(2016). Scalable and Lightweight CTF Infrastruc-tures Using Application Containers. In 2016 USENIXWorkshop on Advances in Security Education (ASE16), Austin, TX. USENIX Association.
Schwab, S., Wilson, B., Ko, C., and Hussain, A. (2007).SEER: A security experimentation environment forDETER. In Proceedings of the DETER Commu-nity Workshop on Cyber Security Experimentation andTest on DETER Community Workshop on Cyber Secu-rity Experimentation and Test 2007. USENIX Associ-ation.
Security Competence (Last accessed on Mar 22,2017). Hacking-Lab. http://www.hacking-lab-ctf.com/technical.html.
Siaterlis, C., Garcia, A. P., and Genge, B. (2013). On theUse of Emulab Testbeds for Scientifically RigorousExperiments. IEEE Communications Surveys Tutori-als, 15(2):929–942.
Tovarnák, D. and Pitner, T. (2014). Continuous queriesover distributed streams of heterogeneous monitor-ing data in cloud datacenters. In 2014 9th Interna-tional Conference on Software Engineering and Ap-plications (ICSOFT-EA), pages 470–481.
Vigna, G., Borgolte, K., Corbetta, J., Doupe, A., Fratanto-nio, Y., Invernizzi, L., Kirat, D., and Shoshitaishvili,Y. (2014). Ten Years of iCTF: The Good, The Bad,and The Ugly. In 2014 USENIX Summit on Gam-ing, Games, and Gamification in Security Education(3GSE 14).
Vykopal, J. and Barták, M. (2016). On the Design of Secu-rity Games: From Frustrating to Engaging Learning.In 2016 USENIX Workshop on Advances in SecurityEducation (ASE 16), Austin, TX. USENIX Associa-tion.
Vykopal, J. and Cegan, J. (2017). Finding Exercise Equi-librium: How to Support the Game Balance at theVery Beginning? In Proceedings of the 2017 ACMSIGCSE Technical Symposium on Computer ScienceEducation, SIGCSE ’17, pages 719–719, New York,NY, USA. ACM.
Welch, D., Ragsdale, D., and Schepens, W. (2002). Trainingfor information assurance. Computer, 35(4):30–37.
White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S.,Newbold, M., Hibler, M., Barb, C., and Joglekar, A.(2002). An Integrated Experimental Environment forDistributed Systems and Networks. pages 255–270,Boston, MA.
Wroclawski, J., Mirkovic, J., Faber, T., and Schwab, S.(2008). A two-constraint approach to risky cybersecu-rity experiment management. In Sarnoff Symposium.
Invited paper.