RPE: The Rotten Apple in the Bushel
Date: January, 2020 | Location: DreamPort Facility in Columbia MD
Although we commonly use phrases like "a few bad apples" in everyday English, one of the earliest occurrences of the phrase we can find is in Benjamin Franklin's Poor Richard's Almanack of 1736. In this pamphlet Ben Franklin wrote "The rotten Apple spoils his Companion". This describes the risk that a single compromised host or user poses to an entire network. The network is our bushel and the assets online are the apples. DreamPort plans to execute an RPE in which we identify or enhance existing solutions, or participants develop a new prototype solution, designed to monitor a network for the purpose of identifying a compromised account or host from network forensic artifacts and configuration details.
We want to find a product or team willing to demonstrate, build or enhance their offering so that it can detect compromised accounts from live or offline network packet capture (PCAP) and log files (Windows Event and Syslog) only and without external stimulus such as a security alert or human observation. We also want to identify a solution that can analyze hosts for intrusion without any Internet connection to a cloud computing service.
We are particularly interested in solutions that use machine learning or artificial intelligence techniques to analyze, classify and understand data rapidly. For this reason, the periods of performance for a participant this time through will be very short, such that only automated solutions can produce the desired results. If you understand machine learning and are willing to work, do not let a short window of time stop you. DreamPort is looking for extremely motivated people who understand machine learning or artificial intelligence almost as much as we want completed solutions!
During this RPE, we will infect hosts within the RodinCorp network we used in RPE-003 with malware and common attacks that steal user credentials. This network will operate as normally designed, with users and automated processes constantly logging in and out (of a Windows domain), administrators logging in and out of services such as the local firewall and SSH, and users logging in and out of applications on the local network. The desired solution will first identify as many login types as possible, and then determine the difference between a malicious or invalid login and a normal, valid login. At periodic drops, we will allow participants to parse log files and captured network activity for the express purpose of identifying which accounts and hosts are compromised. For the purposes of this RPE, not every host in this network will have Anti-Virus or personal security product protection enabled, and on some hosts Windows Defender will be explicitly disabled. This network will have network time protocol (NTP) synchronization enabled, allowing participants to rely on accurate time details in the PCAP and log files.
Participants will be given multiple PCAP samples just as in RPE-004, but they will have a very short window of time to analyze the evidence and determine whether an account was compromised and which hosts were compromised, using either the target account(s) or other known malicious tools, techniques or procedures (TTPs). Using the training data provided, they should attempt to determine whether:
- A compromised account was used during this time window and if so:
- What account was compromised?
- Where was the account used?
- What was the account used for?
- Were there any legitimate uses of the account during this time?
- Approximately when was the account compromised?
- A host on the network was compromised using some other means besides account compromise
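One way to start answering these questions from the two log sources the RPE provides is to normalise Windows Security logon events and sshd syslog lines into one timeline, build a per-account baseline of source addresses from the known-good training drop, and then flag the first successful logon from a source the account never used before. The code below is an added illustration, not DreamPort's or any participant's solution; the log lines, host names, addresses and the simplified event format are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not DreamPort data): simplified Windows Security events and
# Linux sshd syslog lines, UTC timestamps (NTP-synchronised). Only 4624 successes are parsed.
TRAINING = """\
2020-01-06T09:01:10Z 4624 RODINCORP\\jdoe WS-JDOE 10.0.1.21 LogonType=2
2020-01-06T09:05:42Z 4624 RODINCORP\\jdoe FS-01 10.0.1.21 LogonType=3
"""
EVIDENCE = """\
2020-01-14T09:02:15Z 4624 RODINCORP\\jdoe FS-01 10.0.1.21 LogonType=3
2020-01-14T13:22:03Z 4625 RODINCORP\\jdoe FS-01 10.0.1.77 LogonType=3
2020-01-14T13:22:09Z 4624 RODINCORP\\jdoe FS-01 10.0.1.77 LogonType=3
2020-01-14T13:30:51Z 4624 RODINCORP\\jdoe DC-01 10.0.1.77 LogonType=3
Jan 14 13:41:12 srv-ssh1 sshd[2210]: Accepted password for jdoe from 10.0.1.77 port 50122 ssh2
"""
WIN_RE = re.compile(r"^(\S+) 4624 (\S+) (\S+) (\S+) LogonType=\d+$")
SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def parse(text, year=2020):
    """Normalise both formats into sorted (time, account, target_host, src_ip) tuples."""
    events = []
    for line in text.splitlines():
        if m := WIN_RE.match(line):
            t = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            events.append((t, m[2].split("\\")[-1].lower(), m[3], m[4]))
        elif m := SSH_RE.match(line):
            t = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append((t, m[3].lower(), m[2], m[4]))
    return sorted(events)

def baseline(events):
    """Source IPs each account logged in from during the known-good training period."""
    normal = defaultdict(set)
    for _, acct, _, src in events:
        normal[acct].add(src)
    return normal

def find_compromised(events, normal):
    """Which account, when first misused, where used since, and which uses still look legitimate."""
    report = {}
    for t, acct, host, src in events:
        r = report.setdefault(acct, {"first_suspicious": None, "hosts": set(), "legit_hosts": set()})
        if src in normal.get(acct, set()):
            r["legit_hosts"].add(host)  # source seen in training: probable legitimate use
        else:
            r["first_suspicious"] = r["first_suspicious"] or t
            r["hosts"].add(host)
    return {a: r for a, r in report.items() if r["first_suspicious"]}
```

A source-address baseline is only one feature; a fuller solution would also score logon type, time of day and target host, and would feed such features to a classifier rather than a single rule.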
We will release training sample data on the DreamPort website at least 14 days in advance of this RPE in the form of registered user accounts, machine-readable network configuration details and known-good packet capture (PCAP) and log files. During our training period, the network will be operated continually with normal logins, normal server and file share traffic and normal web browsing. We will not elaborate any further on 'network configuration details' as we want participants to identify the structure and source of this data on their own. Depending on feedback, we may release additional information, but do not count on being given the answer key before the test.
Participants can make several assumptions regarding the types of account activity they will see at layers 2 and 3 on this network:
- Accounts (computer and user) authenticate to a central Windows 2016 domain controller
- Accounts will authenticate to 1 main network share, but each user may open their own shares on their machine
- There are at least 2 legitimate HTTP services on the local network that users will authenticate against
- Email is served externally by Office 365
- There are no more than 2 servers that offer SSH login
- There are 2 active administrative users
- There is at least 1 developer who is experimenting with Samba
We will update this list of assumptions if appropriate prior to the start of the RPE.
The evaluation process for this RPE will take place in a series of rounds, each lasting approximately 1 hour. At the start of a round, each participant will be given a drop of evidence (PCAP and log files). They should parse these files as rapidly as possible and attempt to answer the questions posed above. At the end of the first hour, the total possible evaluation score a participant can get will drop rapidly. Within one more hour the participant will not be able to receive any score for this round, illustrating the need for automated solutions for parsing and classification.
Outside of any completed solution a participant may bring, this RPE requires participants to have at least intermediate experience in the following skills:
- Visual Studio/mingw or GCC or clang
- Windows API
- Syslog & Windows Event log parsing (and understanding)
- libPCAP or WinPCAP or npcap
The following skills are STRONGLY suggested:
- Machine Learning
- Machine Learning APIs (for example)
Participants should be prepared to either bring their existing solutions for identifying compromised Microsoft Windows accounts and hosts or develop new approaches on the fly. We believe the best approaches to solving this problem use Machine Learning (ML) algorithms, and as such we are not looking for signature-based solutions like Anti-Virus or Intrusion Detection.
Participants in this RPE should prepare to parse multiple network packet capture (PCAP) files as fast as possible. Each file will be no more than five hundred megabytes (MB) in size. Participants should bring their own machines for this RPE, and there are no limits on the type of operating system, programming language(s) or number of machines used, except that a team present at DreamPort must not exceed 5 people.
Participants will be able to utilize external services for analysis and processing if they wish.