Event RPE-005: The Chameleons and the Snakes

Events

RPE-005: The Chameleons and the Snakes

Date: May 21 - 23, 2019 | Location: DreamPort Facility in Columbia MD
Registration is now full.

---

Overview

In September 2018 we conducted RPE-001 titled 'The Chameleon and the Snake'. While we were very excited to put on this event, as our first RPE it only focused on Windows tools and techniques for signature measurement and diversity. The online world does not take place on Microsoft Windows alone. Defenders must integrate, support and protect other operating systems and hardware on today's networks and so will we. This time around, we are going to conduct a similar RPE where we pit offense versus defense but extend out the possible targets to include Linux and Android.

We reserve the right to include iOS and OS X samples with time permitting. This means that the malware samples to alter may include scripted code such as Python.

This RPE specifically targets malware signature diversity and signature measurement for Microsoft Windows (x86 and amd64), Linux (x86 and amd64) and Android (x86 and ARM) in a simulated operational environment at a realistic pace. We want to challenge participants to:

1. As an 'attacker', create (through integration, enhancement or from scratch) a single tool for altering the signature of an operational tool for the previously named platforms without altering existing functionality
2. As a 'defender', create (through integration, enhancement or from scratch) a single tool for the fully automated classification of an unknown executable as malware/benign, variant of known sample, attributed to known group (based on previously established knowledge)

For this RPE, we reserve the right to split up offense and defense teams to reduce the downtime for each side while the other is working. We are considering 2 days for each side. Please pay attention if you plan to participate in this RPE and we will publish dates as soon as they are chosen.

Machine Learning

For this iteration we will give strong consideration to any defensive team who can prove their use of machine learning (in a one on one interview) for the purposes of identification, classification or attribution of submitted samples. We will not require teams to reveal details about their algorithms or features just provide a demonstration. Just as in RPE-001, we will release a subset of samples that are 'fair game' for the offense to use during the competition for the purposes of machine learning.

Evaluation

Participants will be evaluated by the type of team they are bringing (or joining), offense or defense. There will be separate scores list maintained for each side. Offense teams must provide a single sample chosen from the list of available candidates (published in advance on dreamport.tech) that they have altered in an attempt to evade detection by Defense teams. Each offense sample will be combined with random artifacts (both good and bad) into a single 'security alert' and given to each defense team. Defenders must evaluate each file and determine:

• Is the sample benign or malware?
• Is the malware known?
• If so, can it be attributed to a known campaign?
• If so, can it be attributed to a specific author?

Similar to RPE-001, Defenders should submit an analysis report for each sample detailing answers to these questions. Offenders will be evaluated by:

• Does your sample get flagged as malware? Benign?
• Does your sample add an excessive amount of data to the original sample (defined as more than 1.5 times the size of the original sample)?
• Do you use a known technique for alteration? Did you invent your own?
• Tool requires separate process/approach to invoke
• Tool requires elevated privileges to invoke
• Tool runs without any additional steps (e.g. unpacking)
• Tool produces Unique Hash each run against an input
• Team catches modified sample product
• Team attributes modified product to specific offense team

As previously mentioned, we will give strong consideration to a defense team who can prove their use of machine learning with a demonstration.

Suggested Skills

This RPE requires participants have the at least intermediate the following skills:

• Python
• C/C++
• Java
• ELF, PE, DEX/ODEX file format knowledge
• Malware Analysis
  • Automated Analysis Systems
    • CRITs
    • Cuckoo
  • Yara
  • STIX/MAEC
  • Sandbox Execution
  • Reverse Engineering
    • IDA Pro
    • Binary Ninja
    • Radare

Like RPE-001, there are two distinct technology paths that we are searching for here. For the offense, we are interested in a single technology that can alter the signature of multiple executable formats (e.g. ELF, PE) while for defense we are interested in an extensible automated solution that can perform automated classification, at least triage analysis and even attribution for suspicious files or artifacts. There is no single solution for either problem space currently. We are especially interested defensive solutions which can extend their behavior with minimal design changes (e.g. plugins, scripts).