Hit ‘em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness

Adam Doupé (Assistant Professor at Arizona State University)
Hit 'em Where it Hurts:
A Live Security Exercise on
Cyber Situational Awareness
  Adam Doupé, Manuel Egele, Benjamin Caillat,
   Gianluca Stringhini, Gorkem Yakin, Ali Zand,
     Ludovico Cavedon, and Giovanni Vigna

      University of California, Santa Barbara

             ACSAC 2011 – 7/12/11
What Are Live Security Competitions?
• AKA Hacking Competitions
• Useful educational tool for teaching computer
  security
• Born as a way to showcase security skills
  – DefCon's CTF
• Various forms
  – Challenge set (DefCon quals, iCTF challenges,
    CMU's competition, DIMVA competition, RuCTF)
  – Capture the flag (DefCon, iCTF 2003-2007, CIPHER)
  – Other designs
     • Attack-only (e.g., iCTF 2008)
     • Defense-only (e.g., Cyber Defense eXercise)
Why Live Security Competitions?
• Real-time factor enhances understanding
• Forces teams to:
  – Analyze unknown services/binaries
  – Defend systems from attack
  – Utilize different security skills
  – Work as a team
  – Create novel tools


                    Doupé - 7/12/11
Key Insight
• Security competitions can be designed to
  generate datasets for research
• In the 2010 international Capture The Flag
  (iCTF), we structured the competition to
  create a Cyber Situational Awareness
  dataset



Situational Awareness
• By putting perceived events into the context
  of the currently executing mission, one can
  improve decision making
• Mission
  – Series of tasks that an organization wishes to
    carry out
• Task
  – Discrete step that is carried out using a service
• Service
  – Provided to users to accomplish a task
Cyber Situational Awareness
• Situational awareness extended to the
  cyber domain
• Large organizations constantly under
  attack
  – Which attacks are important?
  – Which assets are important?
• “What if” scenarios


Overview
•   Live Security Competitions
•   Situational Awareness
•   Design of the 2010 iCTF
•   Cyber Situational Awareness Metrics
•   Lessons Learned
•   Conclusion



The 2010 iCTF: A Cyber SA Competition
• Introduced the concept of cyber-mission
• “Not all attacks are created equal”
• Participants must be aware of cyber-
  missions and cyber-assets
• Attackers must time their attacks to cause
  the maximum amount of damage
The Setting
• Teams are part of a coalition to bring down the
  rogue nation of Litya
• LityaLeaks site used to leak description of Litya's
  cyber-missions
• Litya's network protected by a firewall and an IDS
   – If an attack is detected, nation's access is shut off
   – Nations can bribe network administrator
• Litya has a botnet in each nation, stealing their
  money
   – If botnet is disabled, nation's access shut off
• Money made by solving side challenges.
CARGODSTR-TQ-1442
COMSAT-WK-1127
SEDAFER-GOT-BKT-8217
DRIVEBY-DEPLOY-QFK-9751
Petri-net Representation of Mission

[Figure: Petri net of a Litya cyber-mission. Nodes shown: Start, Blackhat SEO, Search Engine Result Analysis, Establish Drive-by, Deliver Attack, Detect Clean-up, Attack Failed, Failure Analysis, Reeval, End; transitions T1 through T13 connect them.]
[Figure, built up over several slides: the competition network. Each team hosts Service 1 through Service 10 and is connected through a VPN server; the organizers' Internal Network holds The Bank, the ScoreBot, the Botnet C&C, LityaLeaks, the Challenges, the ScoreBoard, Flag Submission, the Briber, and the Firewall/IDS.]
Competition Overview
•   December 3rd 2010 ~8 hours
•   72 teams
•   ~900 participants (largest at the time)
•   7 of 10 services compromised
•   39 teams submitted 872 flags
•   69 of 72 teams solved at least 1 challenge
•   37 GB of traffic

Analysis of iCTF Data
• Use the data to validate models and
  theories
• We introduce two Situational Awareness
  metrics:
  – Toxicity
     • Capture the amount of damage an attacker has
       caused
  – Effectiveness
     • Capture how effective the attacker was at causing
       damage

Analysis – CAD – Criticality
• C(s, t): service criticality [0,1]
   – Expresses the criticality of service s at time t
   – Function can have any shape
      • iCTF: 1 when service active, 0 otherwise




                  Service: MostWanted
Analysis – CAD – Attacker
• A(a, s, t): attacker activity [0, 1]
   – Represent the attacker's activity with respect
     to a service
   – Can have any shape
      • iCTF: 1 when team attacked a service, 0 if no attack




                   Team: PPP Service: MostWanted
Analysis – CAD – Damage
• D(s, t): Damage to the attacker [0, 1]
  – Represents the penalty for performing an
    attack against service s at time t
  – Can have any shape
     • iCTF: 1 when service is inactive, 0 when active




                         Service: MostWanted
Analysis – Toxicity

$$\mathrm{Toxicity}(a, s, t_1, t_2) = \int_{t_1}^{t_2} A(a, s, t)\,\bigl(C(s, t) - D(s, t)\bigr)\,dt$$

$$\mathrm{OptimalAttacker}(s, t) = \begin{cases} 1 & \text{if } C(s, t) - D(s, t) > 0 \\ 0 & \text{otherwise} \end{cases}$$
Analysis – Effectiveness

$$\mathrm{MaxToxicity}(s, t_1, t_2) = \int_{t_1}^{t_2} \mathrm{OptimalAttacker}(s, t)\,\bigl(C(s, t) - D(s, t)\bigr)\,dt$$

$$\mathrm{Effectiveness}(a, s, t_1, t_2) = \frac{\mathrm{Toxicity}(a, s, t_1, t_2)}{\mathrm{MaxToxicity}(s, t_1, t_2)}$$
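The C, A and D definitions and the Toxicity and Effectiveness formulas above are easy to evaluate exactly when every signal is a step function, as they are in the iCTF instantiation (C = 1 while the service is active, D = 1 while it is inactive, A = 1 while the team attacks). The following is an added example, not code from the paper or from the iCTF framework; the active windows and the two attackers' attack windows are constructed, not taken from the iCTF 2010 dataset. It integrates the piecewise-constant integrand between its breakpoints and compares a mission-aware attacker against one that attacks continuously.

```python
"""Toxicity and Effectiveness over step-function C, A, D signals.

Added example (not from the paper or the iCTF framework). All windows
below are constructed sample data.
"""
from typing import Callable, Iterable, List, Set, Tuple

Window = Tuple[float, float]          # half-open interval [start, end)
Signal = Callable[[float], float]     # function of time with values in [0, 1]


def indicator(windows: Iterable[Window]) -> Signal:
    """Step function: 1.0 inside any listed window, 0.0 elsewhere."""
    ws = list(windows)

    def f(t: float) -> float:
        return 1.0 if any(s <= t < e for s, e in ws) else 0.0

    return f


def edges(*window_lists: Iterable[Window]) -> Set[float]:
    """Every window boundary; the integrand is constant between consecutive edges."""
    return {t for ws in window_lists for w in ws for t in w}


def integrate(fn: Signal, t1: float, t2: float, breakpoints: Iterable[float]) -> float:
    """Exact integral of a piecewise-constant fn on [t1, t2]: sample each piece at its midpoint."""
    pts = sorted({t1, t2} | {b for b in breakpoints if t1 < b < t2})
    return sum(fn((a + b) / 2.0) * (b - a) for a, b in zip(pts, pts[1:]))


def ictf_signals(active: List[Window]) -> Tuple[Signal, Signal]:
    """iCTF instantiation: C(s,t)=1 while the service is active, D(s,t)=1 while it is inactive."""
    C = indicator(active)
    return C, (lambda t: 1.0 - C(t))


def toxicity(A: Signal, C: Signal, D: Signal, t1: float, t2: float,
             breakpoints: Iterable[float]) -> float:
    """Toxicity(a, s, t1, t2) = integral over [t1, t2] of A(a,s,t) * (C(s,t) - D(s,t)) dt."""
    return integrate(lambda t: A(t) * (C(t) - D(t)), t1, t2, set(breakpoints))


def optimal_attacker(C: Signal, D: Signal) -> Signal:
    """OptimalAttacker(s, t): attacks exactly when C - D > 0, i.e. when an attack nets damage."""
    return lambda t: 1.0 if C(t) - D(t) > 0 else 0.0


def max_toxicity(C: Signal, D: Signal, t1: float, t2: float,
                 breakpoints: Iterable[float]) -> float:
    return toxicity(optimal_attacker(C, D), C, D, t1, t2, set(breakpoints))


def effectiveness(A: Signal, C: Signal, D: Signal, t1: float, t2: float,
                  breakpoints: Iterable[float]) -> float:
    """Toxicity normalised by the best achievable toxicity; undefined if the service is never critical."""
    bp = set(breakpoints)
    m = max_toxicity(C, D, t1, t2, bp)
    if m == 0.0:
        raise ValueError("service never critical on [t1, t2]; effectiveness is undefined")
    return toxicity(A, C, D, t1, t2, bp) / m


def score_example() -> dict:
    """Two hypothetical attackers against one service over a 60-tick window (constructed data)."""
    T1, T2 = 0.0, 60.0
    active = [(10.0, 20.0), (40.0, 50.0)]   # the mission needs the service only here
    timed = [(15.0, 25.0), (45.0, 50.0)]    # attacks that overlap the active windows
    blind = [(0.0, 60.0)]                   # attacks continuously, unaware of the mission
    C, D = ictf_signals(active)
    bp = edges(active, timed, blind)
    out = {"max_toxicity": max_toxicity(C, D, T1, T2, bp)}
    for name, att in (("timed", timed), ("blind", blind)):
        A = indicator(att)
        out[name] = {
            "toxicity": toxicity(A, C, D, T1, T2, bp),
            "effectiveness": effectiveness(A, C, D, T1, T2, bp),
        }
    return out


if __name__ == "__main__":
    for key, value in score_example().items():
        print(key, value)
```

With these inputs the optimal attacker scores a MaxToxicity of 20 (the two active windows). The timed attacker earns 5 ticks of toxicity for hitting [15, 20) and [45, 50) but loses 5 for the attack on [20, 25) while the service was inactive, so its Toxicity is 5 and its Effectiveness 0.25. The blind attacker is penalised for the 40 inactive ticks and rewarded for only 20 active ones, giving a Toxicity of -20 and an Effectiveness of -1: attacking all the time is worse than not attacking at all, which is the "not all attacks are created equal" point the metrics are built to capture. Effectiveness is undefined when C - D is never positive, so the function raises rather than divide by zero.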
Analysis – Toxicity of PPP




     Team: PPP Service: OvertCovert
Analysis – Toxicity and Effectiveness
Overview
•   Live Security Competitions
•   Situational Awareness
•   Design of the 2010 iCTF
•   Cyber Situational Awareness Metrics
•   Lessons Learned
•   Conclusion



Lessons Learned
• The Good
  – Pre-competition information prepared teams who
    took advantage
  – Winning team automatically qualified for DefCon
• The Bad
  – Structure of the competition was complex and
    was understood by a subset of the teams
  – Services too hard
• The Ugly
  – Intentionally put a root backdoor into bot
  – Losing points sucks

Conclusions
• Live security exercises great for learning
  and security education
• They can be designed to create a
  research dataset
• Designed the 2010 iCTF to produce the
  first publicly available dataset on CSA
• Presented SA metrics: toxicity and
  effectiveness
Questions?



Data: http://ictf.cs.ucsb.edu/data/ictf2010/




Email:   adoupe@cs.ucsb.edu
Twitter: @adamdoupe
