Event RPE: The Rotten Apple in the Bushel
RPE: The Rotten Apple in the Bushel
Date: TBD, 2019 | Location: DreamPort Facility in Columbia MD
Although we commonly phrase like "a few bad apples" in every day English, one of the earliest occurrences of the phrase we can find is from Benjamin Franklin's Poor Richard's Almanack in 1736. In this pamphlet Ben Franklin wrote "The rotten Apple spoils his Companion". This describes the risk that a single compromised host or user poses to an entire network. The network is our bushel and the assets online are the apples. DreamPort plans to execute an RPE where we identify or enhance existing solutions or participants develop a new prototype solution designed to monitor a network for the purposes of identifying a compromised account or host from network forensic artifacts and configuration details.
We want to find a product or team willing to demonstrate, build or enhance their offering so that it can detect compromised accounts from network packet capture (PCAP) only and without external stimulus such as a security alert or human observation. We also want to identify a solution that can analyze hosts for intrusion without any Internet connection to a cloud computing service.
We are particularly interested in solutions that use machine learning or artificial intelligence techniques to analyze, classify and understand data in a rapid fashion. For this reason, the periods of performance for a participant this time through will be very short such that only automated solutions could produce the desired results. If you understand machine learning and are willing to work do not let a short window of time stop you. DreamPort is looking for extremely motivated people who understand machine learning or artificial intelligence almost as much as we want completed solutions!
During this RPE, we will infect hosts within the RodinCorp network we used in RPE-003 with malware which will perpetrate the theft of user credentials. At periodic drops we will allowing participants to parse captured network activity for the express purpose of identifying which accounts and hosts that are compromised. For the purposes of this RPE, not every host in this network will have anti-virus or personal security product protection enabled including explicit disabling of Windows Defender. This network will have network time protocol (NTP) synchronization enabled allowing users to make assumptions based on accurate time details in the PCAP files.
Participants will be given multiple PCAP samples just as in RPE-004, but they will have a very short window of time to analyze the PCAP and determine if an account was compromised and which hosts were compromised using either the target account(s) or other known malicious tools, techniques or procedures (TTP). Using training data provided they should attempt to determine if:
- A compromised account was used during this time window and if so:
- What account was compromised?
- Where was the account used?
- What was the account used for?
- Were there any legitimate uses of the account during this time?
- Approximately when was the account compromised?
- A host on the network was compromised using some other means besides account compromise
We will release training sample data on the DreamPort website at least 14 days in advance of this RPE in the form of registered user accounts, machine-readable network configuration details and known good packet capture (PCAP) and an extremely limited amount of known bad traffic. The known bad traffic will include at most 1 compromised account and 2 infected hosts with 1 external malicious destination for communication. We will not elaborate any further on 'network configuration details', we want participants to identify the structure and source of this data on their own. Depending on feedback we may release additional information but do not count on being given the answer key before the test.
There will be multiple assumptions participants can make regarding the types of account activity they will see at layers 2 and 3 on this network:
- Accounts (computer and user) authenticate to a central Windows 2016 domain controller
- Accounts will authenticate to 1 main network share, but each user may open their own shares on their machine
- There are at least 2 legit HTTP services on the local network that users will authenticate against
- Email is served externally by Office 365
- There are no more than 2 servers that offer SSH login
- There are 2 active administrative users
- There is at least 1 developer who is experimenting with SAMBA
We will update this list of assumptions if appropriate prior to the start of the RPE.
The evaluation process for this RPE will take place in a series of rounds each lasting approximately 1 hour. At the start of a round, each participant will be given a drop of PCAP files. They should parse these files as rapidly as possible and attempt to provide answers to the questions we posed previously. At the end of the first hour, the total possible evaluation score a participant can get will drop rapidly. Within one more hour the participant will not be able to receive any score for this round illustrating the need for using automation solutions for parsing and classification.
Outside of any completed solution a participant may bring, this RPE requires participants have the at least intermediate the following skills:
- Visual Studio/mingw or GCC or clang
- Windows API
- libPCAP or WinPCAP
The following skills are STRONGLY suggested:
- Machine Learning
- Machine Learning APIs (for example)
Participants should be prepared to either bring their existing solutions for identifying compromised Microsoft Windows accounts and hosts or develop new approaches on the fly. We believe the best approaches to solving this problem is using Machine Learning (ML) algorithms and as such we are not looking for signature-based solutions like anti-virus or intrusion detection.
Participants in this RPE should prepare to parse multiple network packet capture (PCAP) files as fast as possible. Each file will not be more than five hundred megabytes (MB) in size. Participants should bring their own machines for this RPE and there are no limits on the type of operating system, programming language(s) or number of machines used.