Event RPE-004: The Needles in the Haystack
Date: February, 2019 | Location: DreamPort Facility in Columbia MD
How difficult is it to actually find a needle in a haystack? We are going to find out. DreamPort plans to execute an RPE competition in which participants design and implement a solution for automatically identifying the most important assets (needles) on the DreamPort HQ network (haystack) without any prior human knowledge. HQ is the network we have used, and will continue to use, in multiple RPEs. Our ideal candidate solution must be able to monitor a network via packet capture (PCAP) only and automatically identify critical computers or endpoints on that network. A critical endpoint is a computer, server or hardware device which, if powered down or destroyed, leaves users unable to do their jobs as effectively or possibly at all. When enough critical assets are disabled, the network serves no purpose. When a network is compromised or under investigation for potential compromise, responders may arrive with little to no knowledge of its design. Where are the user workstations? Where are the servers? What is the most important service on the network (by active user count, or by CPU/memory utilization on the systems that host it)? Responders may or may not be able to interview support personnel, and they may have very little time in which to perform their investigation.
DreamPort wants to find a solution that can not only 'map' the network in the traditional sense but provide inferences as to the most important servers, workstations or hardware devices. Once these assets are identified they could be isolated, replicated or studied closely via live forensics.
In this RPE, participants will connect their solution to a network tap or span port from a managed switch. They must gather and process network traffic (PCAP) and produce at a minimum the following items:
- A network map identifying as many assets as possible
- Assertions (including confidence ratings) of key assets by network-level protocol (DNS, DHCP)
- Assertions (including confidence ratings) of key assets by application level protocol (e.g. HTTP, FTP, SQL)
- Assertions (including confidence ratings) of important endpoints by user-class (e.g. Administrator)
There are no restrictions on the implementation of a candidate solution, but RPE participants must bring their own computer(s). Network access methods (e.g. SPAN port, network tap) will be provided by DreamPort. Solutions must support 10/100/1000 Mbit/s (1G) link speeds, but DreamPort guarantees that the network will not be saturated during the evaluation of a candidate solution.
DreamPort intends to evaluate multiple participants at the same time but reserves the right to limit the number of active solutions based on network congestion and estimated overhead any solutions may impose on the network (e.g. SPAN ports can affect switch performance).
Evaluation of candidate solutions will consist of connecting each solution to a DreamPort network set up for this RPE and measuring the time it takes the solution to identify assets from a pre-determined starting time, the proper and complete generation of the network map(s), and the number of accurate assertions the solution makes. DreamPort will employ actors to drive network assets during these evaluation periods to ensure realistic traffic generation.
DreamPort will publish explicitly limited PCAP files of the DreamPort network for this RPE in advance of the actual evaluation.
This RPE requires participants to have at least intermediate proficiency in the following skills:
- PCAP processing (libpcap)
The following skills are suggested:
- Machine Learning
The successful candidate(s) will develop a solution that can ingest packet capture (PCAP) either from a file or live off the wire, process the data and automatically categorize hosts by importance. It should provide simple output that a user with minimal training can interpret. The solution should attempt to identify hosts at each of the protocol layers listed above (network-level and application-level) and attempt to identify the endpoints of important users within the network. There is no fixed time limit for classification and reporting, although time to identification is one of the measures used during evaluation.