KYPO: A TOOL FOR COLLABORATIVE STUDY OF CYBERATTACKS IN SAFE CLOUD ENVIRONMENT ^ HCII'2015 Tuesday 7th July, 2015 Radek Ošlejšek Zdenek Eichler, Dalibor Toth oslejsek@fi.muni.cz KYPO BY CSIRT-MU KYPO Overview and Architecture KYPO Provides: ■ Isolated environment for building virtual computer networks, running experiments and analysing results safely. ■ Analytic tools to study various cyber attacks (forensic analysis). ■ Cyber security training programs, e.g. "capture the flag" games. KYPO Portal: Challenge Problem: Diversity of users and their objectives ■ Diversity of users: Security expert vs. students. ■ Diversity of objectives: Finding hidden data coherence vs. learning how some attack behaves. ■ Diversity of workflows (security scenarios): Forensic analysis vs. "capture the flag" game vs. concrete attack learning, etc. Requirements: ■ Intuitive web-based access without installing anything on client side. ■ Shneiderman's visualization mantra (overview first, zoom and filter, then details-on demand). ■ Variable GUI (pre-configured layouts, configurable interactions and visualizations, etc.). ■ Variable collaboration modes. KYPO - Cyber Exercise & Research Platform Page 3/13 KYPO Portal: Technologies Web Portal ■ Complies JSR standards for web portals. ■ LifeRay: Popular framework for corporate webs. ■ Portlets: "independent" windows (text, table, graph, ...) implemented in various languages (Java, Javascript, WebGL, ...). ■ Pages composed of portlets + inter-portlet communications. LifeRay = platform for building security-scenario-related GUI KYPO - Cyber Exercise & Research Platform Page 4/13 KYPO BY CSIRT-MU Visualization Portlets: Network topology VNC connection, physical/logical roles of nodes, links utilization, □r 'olf/10.19.1.2 I—|SBot4/10.19.4.8 Master network/10.19.1.0/24 i «SR! »V ■■ _s? ^•UBotnet network 1/10.19.4.0/24 f^fc . . .'. ■ i*m ■ ■«'. 'ft ...... 1 / ■ÖI3/10.19.4.7 TV ■! Internet/10.19.5.0/26 LBotnet network/10.19.3.0/24 Target network/10.19.2.0/24 Hj Sheep/10.19.2.4 0t2/10.19.3.7 Ot1/10.19.3.6 KYPO - Cyber Exercise & Research Platform Page 5/13 Visualization Portlets: 3D Chart ■ Special visualizations for educational purposes. ■ WebGL, fully interactive, supports gesture-based inetraction ,..,x- ,:.r >,.. i..,..-.,-.,.,.-.-.^.—-.-'.2Z 1CK4C 10:15:0 1D:1S:2Q 10:15:40 10:16:0 10:1fjSmber OfflOWS Workbenches (predefined layouts) ■ Predefined pages (tabs of web browsers) for user roles ■ Timeline portlet synchronizing other portlets. KYPO - Cyber Exercise & Research Platform Page 7/13 Collaboration Modes ■ Individual views on shared data. ■ Individual sandboxes. ■ Role-based collaboration. t t t tit ♦tt Evaluation: Online demos and exercises ■ Online tutorial at AIMS 2014: 20 participants, DDoS attack demonstration followed by hands-on training of compromising and abusing a server, 40 virtual machines in 6 sub-networks. ■ Online "capture the flag" game at TF/CSIRT Technical Colloquium in 2015, 25 participants. ■ Cyber Czech 2015: In preparation, with Czech National Security Authority, about 20 players (cyber security experts) in 6 teams will defend their network of 15 servers and desktops against known vulnerabilites, misconfigurations and attacks. KYPO - Cyber Exercise & Research Platform Page 9/13 Formal Evaluation Evaluation process: ■ 10 university students of the Faculty of Informatics MU. ■ Subjects were asked to evaluate their knowledge about hacking and DDoS attacks. ■ Subjects played level based game which led the students through the scenario. The goal was to compromise target server and then run DDoS attack. ■ Subjects were asked to evaluate their knowledge again. KYPO - Cyber Exercise & Research Platform Page 10 / 13 KYPO BY CSIRT-MU Formal Evaluation (cont.) Results: Knowledge about hacking and DDoS ■ 1 = 1 don't know nothing about that ■ 5 = I'm able to perform an attack before afler before afler Results: Evaluation of the course itself ■ 1 = Strongly disagree; 5 = Strongly agree ■ Most often appeared values: ■ I enjoyed the ability to perform real attack: 5 ■ I learned something new: 4 ■ I enjoyed the course: 4 KYPO - Cyber Exercise & Research Platform Page 11 / 13 Conclusion and Future Work ■ KYPO Lab: 4K projector, multitouch wall, videoconference, ... ■ Techniques for remote collaboration. ■ Complete support for visual analytics workflow. ■ KYPO as a service. QUESTIONS AND ANSWERS www.kypo.cz # Ocsirtmu Radek Oslejsek oslejsek@fi.muni.cz üvr @) CSIRT-MU