RPE-021: Visualizing the Future

Events

RPE-021: Visualizing the Future

Date: : January 17-19, 2023 | Location: Virtual or DreamPort Facility in Columbia, MD

---

Description

No, we’re not talking about meditation techniques…

After recovering from recent cyberattacks, our fictitious city DreamValley is looking to improve their cybersecurity posture by sharpening their penetration testing tools. They wish to outfit their Red Teams with a web-based visualization tool that enables graphical planning of an upcoming pentest and then updates that visualization in real time during the pentest.

In this rapid prototyping event (RPE) we are seeking innovative visualizations to support penetration testing and offensive cyber operations, including the ability to plan resources prior to a pentest and to dynamically visualize changes during a pentest. We encourage participation from students at colleges and universities, small businesses, and other non-traditional participants.

This RPE directly addresses the following U.S. Cyber Command technical challenge problems:

• 2020 2.2 CHALLENGE PROBLEM: Information Environment Visualization
• 2020 2.3 CHALLENGE PROBLEM: Deep Network Knowledge and Awareness

Overview

Software like Microsoft Visio is frequently used to create static network diagrams. Tools such as ManageEngine OpManager and SolarWinds Network Performance Monitor can dynamically generate network diagrams based on network discovery results. For penetration testers, the now-deprecated Armitage offered basic network visualization of red space hosts. Cobalt Strike includes a derivative of this Armitage GUI and network visualization (shown below), which also supports visualization of network tunnels and exploitation paths.

In this RPE, we are challenging participants to produce a prototype browser-based graphical user interface that allows planners and operators to visualize blue space (e.g., operator workstations), gray space (e.g., redirectors), and red space (e.g., externally-facing WordPress server). We envision two phases of operation for solutions:

1. Planning for a penetration test
2. Live monitoring of an ongoing penetration test

The planning phase involves definition of the initial network elements prior to a pentest. These would be populated via a REST API and a provided JSON schema (see below) that defines elements with associated metadata such as display labels and coloration. Ideal solutions (bonus points!) would also allow interactive (i.e. drag and drop) definition of elements and manual repositioning.

The live monitoring phase involves dynamic updates to the visualization during a pentest based on calls to the REST API. For example, network elements might change color as they are compromised, newly-discovered red space hosts would be added to the visualization, and existing network connections (e.g., netstat) as well as operator-created network tunnels could be added and removed. Ideal solutions (bonus points!) would enable interactive features such as filtering (e.g., show network connections to/from one host) and manual repositioning of elements.

Solutions must allow the current visualization to be exported to JSON at any time, e.g., after planning or during a penetration test. Similarly, export to PNG, JPG, or BMP via the REST API must also be supported—we will leverage this for data collection during the event. Participants may use any desired programming language(s) for their solutions, but the visualization must work properly on current versions of Chromium-based browsers. Ideal solutions would be deployable as a Docker container, but this is not required for this prototype stage AND participants will use their own computing equipment for this event.

Several related challenges are explicitly out-of-scope for this RPE, as we wish to focus on innovation in visualization. These challenges could be part of a full solution:

• invoking the REST API based on monitoring of Metasploit, BeEF, or Cobalt Strike logs
• assigning meaning to element colors (e.g., red = compromised)
• authentication, user access control, or MFA (e.g., role-based visibility or action limits)
• adding workflow management (e.g., assign discovered host to a specific operator)
• adding tasking of compromised nodes a la Armitage / Cobalt Strike
• supporting multiple, unrelated penetration tests (scalability)

Prior to the event, MISI will provide sample JSON data to all registered participants. Participants are naturally encouraged to create their own data to verify their ability to generate and update corresponding network diagrams. Below is an example network diagram generated with Visio. Like the Cobalt Strike example above, this diagram is provided for context only and does not indicate a preference for a particular visual representation.

How It Will Work

During the event, each participant must provide the URL for their user interface and the URL (and if necessary, an API key) for their REST API. DreamPort staff will then display all competitors’ solutions on the same large screen, allowing side-by-side comparison of all visualizations. We will exercise the REST APIs of each participant to generate an initial network reflecting the plan for a penetration test. Then the real fun begins: we will feed updates to all solutions in real time and evaluate how each visualization performs with dynamic updates. Participants are encouraged to attend in person, but remote participation will also be possible.

Following the event, we will schedule individual evaluation sessions with each competitor to thoroughly interact with their prototypes during static and dynamic operation, including exercising “bonus” features such as interactive / drag-and-drop / WYSIWYG updates to elements. These evaluation sessions can be in-person or remote.

Schedule

We have chosen the following schedule of events:

• 22 November 2022: RPE Announced Publicly
• 6 January 2023: Registration Closes
• 9 January: Q&A Session (Hybrid)
• 17 January: Main Event (Hybrid)
• 18-19 January: Individual Evaluation Sessions (Hybrid)

Participants are welcome to attend the Q&A session, main event, and follow-on individual sessions in person at the DreamPort facility in Columbia, MD or virtually.

Please note that the Q&A session is mandatory – at least one person from each competing team must attend!

Evaluation

Participants will be evaluated based on:

Required features

• Correctly display all added networks and endpoints
• Correctly display—or make available for display—all connections
• Visualization updates dynamically—no manual refresh required—when elements are added, removed, or updated via the REST API
• Ability to export visualization to PNG, JPG, or BMP—format is your choice
• Ability to export visualization to JSON

Desired features

• Responsive to dynamic changes (low latency)
• Ease of navigation through complex networks
• Good aesthetics
• Innovative ways to highlight dynamic changes
• HTTPS support for browser and REST connections
• API key for REST API
• Support for interactive planning, e.g., drag and drop
• Support for manual repositioning
• Support for interactive filtering, e.g., show only connections from endpoint X

Suggested Skills

We recommend the following skills for RPE participants:

• Web front-end development, e.g., React, Angular, or Vue.js
• Web back-end REST API development
• Network mapping and diagrams, e.g., Visio, SolarWinds
• Existing pentest GUI solutions, e.g., Armitage, Cobalt Strike

REST API Definition

As noted above, no authentication is required for this REST API and it supports only a single pentest. A simple Python implementation is provided in our public RPE-021 GitHub repository. This example includes annotations to further describe the API inputs and outputs.

Endpoint	Method	Description
/elements	GET	Returns a list of all elements
/elements	POST	Adds or updates multiple elements
/elements	DELETE	Deletes all elements
/element/{id}	GET	Retrieve one element by ID
/element	POST	Add an element
/element/{id}	PUT	Update an existing element by ID
/element/{id}	DELETE	Delete an existing element by ID
/image	GET	Returns a PNG, JPG, or BMP of the current visualization

JSON Schema

The JSON Schema being used for this challenge can be found in our public RPE-021 GitHub repository. The schema defines top-level elements to represent a network (a group of endpoints), an endpoint (ranging from firewalls to servers to ICS/SCADA devices), or a connection between endpoint network interfaces. The README file provides further technical information, including resources for JSON Schema for those less familiar with it.

Here is an example definition of a network in this schema:

{
    "id": "dmz_1",
    "timestamp": "2022-11-10T15:14:00",
    "label": "DMZ",
    "color": "red",
    "data": "",
    "elem_type": "network",
    "cidr_block": "192.168.200.0/24"

}
          

Next, here is an example definition of an endpoint:

{
    "id": "wordpress_1",
    "timestamp": "2022-11-10T15:14:00",
    "label": "WordPress",
    "color": "red",
    "data": "",
    "elem_type": "endpoint",
    "endpoint_type": "server",
    "os_type": "linux",
    "network": "dmz_1",
    "interfaces": [
      {
        "label": "eth0",
        "interface_id": "wordpress_1_eth0",
        "ipv4": "192.168.200.10",
        "mac": "00:01:02:03:04:05"

      }
    ]
}
          
          

Finally, here is an example definition of a network connection:

{
   "id": "ssh_tunnel_1",
    "timestamp": "2022-11-10T15:14:00",
    "label": "SSH ",
    "color": "red",
    "data": "Operator: Natasha",
    "elem_type": "connection",
    "interface_from": "wordpress_1_eth0",
    "interface_to": "redirector_1_eth0",
    "line_type": "solid"
}
        
          

As explained above, a real solution would include a capability to parse logs from operational tools (e.g., Metasploit), generate these JSON elements, and send them to the REST API. For this event, DreamPort will create a simple tool that invokes all competitors' REST APIs in parallel using simulated pentest data, allowing us to compare the visualizations in real time.

Update as of 3 Jan 2023

The REST API was tweaked slightly on 22 Dec 2022 to allow POST /elements to update existing elements as well as to add new elements. We anticipate making heavy use of POST /elements during the RPE to send multiple updates (new / updated elements) with a single REST API call to eliminate the overhead of multiple PUT /element/ calls. The diagram below illustrates our planned architecture for this event.

Please note that DreamPort defines only the two interfaces for this RPE: the REST API (e.g., https://participant1.com/rpe21/rest) and the Chromium browser URL (e.g., https://participant1.com/rpe21/visualization). Participants are free to design whatever interface is suitable between their client-side front end and their back end – this interface is not shown in the diagram but would certainly exist in a dynamic web application. Registered participants will be informed of any limitations on outbound connections from the RPE network.

Why Not GraphQL?

A REST API was suggested early in the RPE planning process and momentum did the rest. We acknowledge that with this change, the published REST API is growing closer to a single-endpoint GraphQL interface. The main exception is that element deletion still requires individual REST calls (other than a “full reset” via DELETE /elements).

This REST API is only intended for DreamPort to feed data to the visualization and for DreamPort to capture the state of that visualization (whether JSON or JPEG). It is NOT intended to constrain the design of participant visualizations. It is also not intended to represent significant effort for participants – the example REST API was written in a few hours – to allow participants to focus their efforts on the visualization.

Register

Registration is now closed. Thank you!