KYPO — A PLATFORM FOR CYBER DEFENCE EXERCISES
Symposium on "M&S Support to Operational Tasks Including War Gaming, Logistics, Cyber Defence" (MSG-133), Munich, Germany, 15th October 2015
Pavel ČELEDA, Jakub ČEGAN, Jan VYKOPAL, Daniel TOVARŇÁK
{celeda|cegan|jan.vykopal|danos}@mail.muni.cz

KYPO Vision & Goals
Vision
- Provide a unique environment for research and development of new methods to protect critical infrastructure in the Czech Republic against cyber attacks.
Goals
- Cloud infrastructure, threat detection & advanced visualization.
- Hands-on cyber security courses and exercises.
Contribution
- Increase the readiness of the Czech Republic in cyber research.
- Advance training methods for security teams (CERT/CSIRT).
KYPO — A Platform for Cyber Defence Exercises, Page 2 / 19

KYPO Architecture
[Architecture diagram: Users, User Interface, Cloud, Various Scenarios]

KYPO Use Cases

Cyber Research & Development
- The sandbox design makes experiments easily repeatable.
- Provides monitoring using NetFlow and packet capture (PCAP).
- Data is stored for further analysis or fast replay of the experiment.

Forensic Analysis & Network Simulations
- The sandbox is adjusted according to the malware's actions.
- Malware is kept in a safe, isolated environment.
- Various tools can be used during the analysis in the sandbox.

Security Training & Exercises
- Covers skills needed by both users and ICT administrators.
- Main advantages are a high rate of interactivity, built-in monitoring, and remote access to all computers for students.
The Design of a Cyber Defence Exercise

Cyber Exercise Design
Cyber Czech 2015 – October 6-7, 2015
Objectives
- Focused on defending critical information infrastructure.
- Participants are put into the role of CSIRT members sent into unknown organizations to recover compromised networks.
- They have to secure the simulated infrastructure, investigate attacks and cooperate with the media and organizers.
- Attackers are skilled and coordinated, with unclear motivations.

Roles
Blue Team - secure - monitor - defend
Red Team - attack - scan - penetrate
Green Team - maintain - repair - fix
White Team - rules - score - guide

Technical Implementation
[Network diagram: Blue Team 1 to Blue Team N, each with a DMZ (www, DNS), a Desktop Segment, a Server Segment and a Gateway to the Global Network / Internet; two unlabelled nodes marked "?"]

Monitoring Infrastructure
- Built-in network traffic monitoring (provided by the KYPO platform).
- Ad-hoc host-based monitoring (based on Syslog).
- Ad-hoc service monitoring based on Nagios (network- and host-based).
- Basis for the scoring system and post-mortem evaluation of the exercise.

Scoring Implementation
- Availability of requested services – based on Nagios monitoring.
- Resistance to prepared attacks – manually rated and entered by Red team members.
- Quality of reporting to the organizers and media – manually assessed by the White team.
- Penalty for 10 minutes of direct access to a particular host, simulating a physical visit to the server room – entered by the White team.
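As an added illustration of the scoring design above (example code, not KYPO's or the Cyber Czech organizers' own implementation), the following Python combines the four components: service availability parsed from Nagios "CURRENT SERVICE STATE" log lines, Red team resistance ratings, White team reporting assessments, and the penalty per 10-minute direct host access. The weights, the "blueN-" host naming scheme and the log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed Nagios-style log (not real exercise data): [epoch] CURRENT SERVICE STATE: host;service;state;type;attempt;output
NAGIOS_LOG = """\
[1444118400] CURRENT SERVICE STATE: blue1-www;HTTP;OK;HARD;1;HTTP OK: 200
[1444118400] CURRENT SERVICE STATE: blue1-dns;DNS;OK;HARD;1;DNS OK
[1444118700] CURRENT SERVICE STATE: blue1-www;HTTP;CRITICAL;HARD;3;Connection refused
[1444118700] CURRENT SERVICE STATE: blue1-dns;DNS;OK;HARD;1;DNS OK
"""
LINE_RE = re.compile(r"^\[(\d+)\] CURRENT SERVICE STATE: ([^;]+);([^;]+);(\w+);")

# Assumed weights: the slides name the four components but give no numbers.
W_AVAILABILITY, W_RESISTANCE, W_REPORTING = 100.0, 10.0, 5.0
PHYSICAL_ACCESS_PENALTY = 20.0  # per 10-minute direct access to a host (White team entry)

@dataclass
class ManualInputs:
    red_ratings: list = field(default_factory=list)     # Red team, 0..10 per prepared attack
    report_ratings: list = field(default_factory=list)  # White team, 0..10 per report
    physical_accesses: int = 0                          # White team, number of 10-minute visits

def parse_nagios(log: str):
    """Return (epoch, host, service, state) for each well-formed log line; other lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out

def availability(records, team_prefix: str) -> float:
    """Fraction of a team's service checks in state OK; WARNING and CRITICAL both count as unavailable."""
    mine = [r for r in records if r[1].startswith(team_prefix + "-")]
    return sum(1 for r in mine if r[3] == "OK") / len(mine) if mine else 0.0

def mean(xs):
    return sum(xs) / len(xs) if xs else 0.0

def team_score(records, team_prefix: str, manual: ManualInputs) -> dict:
    """Combine the four scoring components into per-component points and a total floored at zero."""
    parts = {
        "availability": availability(records, team_prefix) * W_AVAILABILITY,
        "resistance": mean(manual.red_ratings) * W_RESISTANCE,
        "reporting": mean(manual.report_ratings) * W_REPORTING,
        "penalty": -PHYSICAL_ACCESS_PENALTY * manual.physical_accesses,
    }
    parts["total"] = max(0.0, sum(parts.values()))
    return parts
```

With the sample log, team "blue1" has 3 of 4 checks OK, so `team_score(parse_nagios(NAGIOS_LOG), "blue1", ManualInputs([7, 4], [8], physical_accesses=1))` yields 75 + 55 + 40 - 20 = 150 points.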
Physical Facility – KYPO Laboratory

Physical Facility – Cyber Czech 2015
- All Blue team members (20 people) were invited to the KYPO Lab.
- 1 team = 4 people around a table with 3 desktops.

Conclusion

KYPO – Cyber Exercise & Research Platform
Summary
- Largest (academic) cyber range in the Czech Republic.
- First Czech national cyber exercise – Cyber Czech 2015.
- Looking for R&D partners and cyber security practitioners.

THANK YOU FOR YOUR ATTENTION.
www.kypo.cz
Pavel Čeleda et al.
@csirtmu
celeda@mail.muni.cz