POSTER: Reflected attacks abusing honeypots

We present the observation of distributed denial-of-service attacks that use reflection of the flooding traffic off reflectors. This type of attack was used in massive attacks against internet infrastructure of Czech Republic in March, 2013. Apart from common hosts in the network, honeypots were abused as the reflectors. It caused the false positive incident detection and helped attackers. Honeypots, which are by default set to accept any incoming network connection, unintentionally amplified the effect of reflection. We present an analysis of the attack from the point of view of honeypots and show the risks of having honeypots respond to any incoming traffic. We also discuss the possibilities of attack detection and mitigation and present lessons learned from handling the attack. We point out a lack of communication and data sharing during the observed attack

Lessons Learned from KYPO – Cyber Exercise & Research Platform Project

Cyber attacks became significant threat for a critical information infrastructure of a state. In order to face them it is necessary to study them, understand them, and train personnel to recognize them. For this purpose we have developed a KYPO - Cyber Exercise & Research Platform for simulation of numerous cyber attacks. In this paper we present the KYPO platform and first experience gained from Capture the Flag game training.Cyber attacks became significant threat for a critical information infrastructure of a state. In order to face them it is necessary to study them, understand them, and train personnel to recognize them. For this purpose we have developed a KYPO - Cyber Exercise & Research Platform for simulation of numerous cyber attacks. In this paper we present the KYPO platform and first experience gained from Capture the Flag game training

Flow-based detection of RDP brute-force attacks

This paper describes a design and evaluation of a network-based detection of brute-force attacks on authentication of Microsoft Windows RDP. The network flow data provides sufficient information about communication of two nodes in network, even though the RDP communication is encrypted. An analysis was based on the network flow data collected in the Masaryk University network and host-based data from logs of a server with opened Remote Desktop Connection. These data helped us to improve the flow detection using the information gathered from the server event log. Despite the fact that RDP is encrypted, flow data gives us a sufficient amount of information to determine whether the connection is an authentication or regular remote desktop session. We implemented the attacks detection as a plugin for the widely used NfSen collector. The plugin is involved in the active defense of the network of Masaryk University

Lessons Learned From Complex Hands-on Defence Exercises in a Cyber Range

We need more skilled cybersecurity professionals because the number of cyber threats and ingenuity of attackers is ever growing. Knowledge and skills required for cyber defence can be developed and exercised by lectures and lab sessions, or by active learning, which is seen as a promising and attractive alternative. In this paper, we present experience gained from the preparation and execution of cyber defence exercises involving various participants in a cyber range. The exercises follow a Red vs. Blue team format, in which the Red team conducts malicious activities against emulated networks and systems that have to be defended by Blue teams of learners. Although this exercise format is popular and used worldwide by numerous organizers in practice, it has been sparsely researched. We contribute to the topic by describing the general exercise life cycle, covering the exercise's development, dry run, execution, evaluation, and repetition. Each phase brings several challenges that exercise organizers have to deal with. We present lessons learned that can help organizers to prepare, run and repeat successful events systematically, with lower effort and costs, and avoid a trial-and-error approach that is often used

KYPO Cyber Range: Design and Use Cases

The physical and cyber worlds are increasingly intertwined and exposed to cyber attacks. The KYPO cyber range provides complex cyber systems and networks in a virtualized, fully controlled and monitored environment. Time-efficient and cost-effective deployment is feasible using cloud resources instead of a dedicated hardware infrastructure. This paper describes the design decisions made during it’s development. We prepared a set of use cases to evaluate the proposed design decisions and to demonstrate the key features of the KYPO cyber range. It was especially cyber training sessions and exercises with hundreds of participants which provided invaluable feedback for KYPO platform development

Honeypot Testbed for Network Defence Strategy Evaluation

In this paper, we describe a network defence strategy testbed, which could be utilized for testing the strategy decision logic against simulated attacks or real attackers. The testbed relies on a network of honeypots and the high level of logging and monitoring the honeypots provide. Its main advantage is that only the decision logic implementation is needed in order to test the strategy. The testbed also evaluates the tested network defence strategy. We demonstrate an example of network defence strategy implementation, the test setup, progress, and results. The source code of the testbed is available on GitHub

Analyzing an Off-the-Shelf Surveillance Software: Hacking Team Case Study

In July 2015, a major distributor and developer of covert surveillance tools, Italian company Hacking Team, has been hacked. Due to the attack, nearly 400 GB of internal data leaked on sharing networks. The data contained the latest version of the surveillance software named Galileo, including full technical and user documentation. We use this opportunity to examine key features of surveillance software that was designed for governmental agencies and its specification was kept secret. In this paper, we deploy the system in an isolated virtual environment and test its behavior during a surveillance operation. We use collected information to classify the advancement level of Galileo among similar mass-spread malware and the advanced persistent threats tools. With the hindsight of nearly two years, it is also possible to evaluate the impact the data leak had.In July 2015, a major distributor and developer of covert surveillance tools, Italian company Hacking Team, has been hacked. Due to the attack, nearly 400 GB of internal data leaked on sharing networks. The data contained the latest version of the surveillance software named Galileo, including full technical and user documentation. We use this opportunity to examine key features of surveillance software that was designed for governmental agencies and its specification was kept secret. In this paper, we deploy the system in an isolated virtual environment and test its behavior during a surveillance operation. We use collected information to classify the advancement level of Galileo among similar mass-spread malware and the advanced persistent threats tools. With the hindsight of nearly two years, it is also possible to evaluate the impact the data leak had

Cloud-based Testbed for Simulation of Cyber Attacks

Cyber attacks have become ubiquitous and in order to face current threats it is important to understand them. Studying attacks in a real environment however, is not viable and therefore it is necessary to find other methods how to examine the nature of attacks. Gaining detailed knowledge about them facilitates designing of new detection methods as well as understanding their impact. In this paper we present a testbed framework to simulate attacks that enables to study a wide range of security scenarios. The framework provides a notion of real-world arrangements, yet it retains full control over all the activities performed within the simulated infrastructures. Utilizing the sandbox environment, it is possible to simulate various security attacks and evaluate their impacts on real infrastructures. The design of the framework benefits from IaaS clouds. Therefore its deployment does not require dedicated facilities and the testbed can be deployed over miscellaneous contemporary clouds. The viability of the testbed has been verified by a simulation of particular DDoS attack