Perception and the Cyber Security Challenge
The Challenge itself is one of many events set up by Cyber Security Challenge UK (www.cybersecuritychallenge.org.uk/), a not-for-profit organisation with the aim of bolstering the national pool of cyber skills. As sponsors of the event, Roke agreed to host this particular event, testing 42 participants from around the UK. Challengers were selected from a larger group of applicants who had successfully completed some pre-event challenges, and none were currently working in the network security industry.
The Roke organisers of the Cyber Security Challenge Face to Face (F2F) event contacted the Perception team to discuss using Perception as the “all seeing eye” overseeing the challenge as it took place. With the high volume of hacking activity taking place on the day, it was vital for the assessors to have a tool that could quickly identify and home in on participants’ actions. The assessors were tasked with ensuring the rules of engagement were adhered to and that the claimed courses of action could be validated, and Perception was used to carry out this task.
The Perception team were keen to exercise Perception on a network with such a high volume of potentially malicious activity. They were also interested in better understanding which behaviours would be triggered where Internet of Things (IoT) devices were deployed. Based on the brief provided by the Cyber Security Challenge team, the Perception team’s main objective was to alert the assessors to any rule breaking as it happened, and thereby demonstrate Perception’s ability to detect proactively. In addition, the Perception team sought to provide detailed post-analysis of the events of the day, giving the assessors the evidence needed to back up claims made by the participants.
Differences from a Real-World Deployment
The Cyber Security Challenge was an unusual deployment for Perception, which is typically deployed within the networks of commercial organisations. Whereas normally Perception would be deployed at the core of a network with many ordinary users carrying out their day-to-day business, in this scenario it was deployed on a tiny network that hosted a large number of hackers, a number of IoT devices, no normal user traffic, and active malware. Although it is worth noting the differences between this scenario and a standard Perception deployment, there are salient commonalities and threat scenarios present both in Perception’s natural habitat, a commercial network, and in the Cyber Security Challenge F2F’s infected, hacker-dense, IoT-focussed network.
Firstly, the activity of a large number of hackers allowed Perception to prove that it could detect all of the activities of the attackers and active malware, rather than those of a single attacker or piece of malware. Although Perception is well suited to networks of all sizes, it is very seldom deployed on networks where multiple malicious actors are present simultaneously, and this gave it the opportunity to demonstrate that even in extreme circumstances it could still accurately detect multiple threat sources. In real networks there have been instances of an attacker infecting a high number of devices simultaneously in order to cause maximum damage or to hide their true intentions, and it is important to the Perception team, as designers of network security systems, to demonstrate they have a tool that can handle these types of scenario.
Secondly, IoT devices are usually thought of as being used in homes rather than businesses. This is only partly true: a huge number of businesses deploy network-attached devices such as smart TVs, IP cameras, and access control systems in their offices. The management of these devices is usually seen as the responsibility of a facilities department, which typically means they aren’t subject to the same security and software update controls that an IT team would enforce. Even amongst Perception’s current customers it has detected IoT devices running old software that could be vulnerable, and as IoT devices become more mainstream this is only going to become more of an issue. It is very common in today’s security landscape for an IoT device to be the first point of infection within a network, because of poor design, a relative lack of security updates, and the inability to install anti-virus software on the device. The Cyber Security Challenge F2F event was a perfect opportunity to show that Perception can identify these types of threat where other protections aren’t suitable.
The logistics of running a challenge of this type also introduced some minor differences; for example, the challenge networks themselves were not connected to the Internet, providing a safe environment for the event. Participants were only allowed to use the provided Internet laptop for research, on a separate Internet-connected network outside the challenge network.
About the Cyber Security Challenge Face to Face Event
The Cyber Security Challenge F2F event was a day-long event based around a smart home. A fictional IoT device manufacturer, EKOR, had heard reports that some of its devices were less secure than initially thought. During the course of the day an attacker would compromise a home network and use that access to physically break into the home by hacking the smart lock on the front door. The attacker would achieve this by exploiting a vulnerable server and then using a separate vulnerability in the update mechanism to deploy malware to the IoT devices in the victim’s home.
Seven teams of six participants were ‘hired’ by EKOR to try to find system vulnerabilities and give EKOR feedback on what it should do to solve the issues, preferably before the attacker gained access to the home. The participants were briefed that EKOR suspected there were vulnerabilities in its products, but had no information on what activity was to happen on the day. Their work would include examining the EKOR network and how the smart devices worked in order to understand what the vulnerabilities might be. The teams were working against the clock to get the information to EKOR, as there was a set time at which the attacker was going to break into the home.
Perception Deployment on the Cyber Security Challenge Network
Each of the seven teams had six laptops to work on (one per participant) and a scaled-down version of EKOR’s smart home products: a hub, a light, a door lock, and a camera. All of these devices were connected to a switch specific to that team. Finally, each team was given an internet-connected laptop, separate from its switch, so they could look up anything they needed to. The seven team switches then fed into an eighth ‘core’ switch.
Simulated EKOR internal servers and other simulated external servers were also connected to each team switch to give the illusion of a real-world network, as well as to facilitate the activity planned for the day. This gave the teams a realistic environment to work with while keeping all of the teams isolated from one another. Other than the separate internet-connected laptops, the challenge was conducted on a standalone network with no connection to the Internet. Any IP addresses, domain names and the like used for the ‘external’ devices are purely fictional.
The Perception sensor took a SPAN feed from the core switch, meaning it could monitor all activity on the network. The Perception sensor then used a virtual private network (VPN) to communicate with the Perception Central Correlation Server (CCS), which aggregated behaviours and displayed them in the UI for the Perception team to view. The CCS can be hosted locally or remotely, but in the interest of keeping the challenge network as simple as possible it was decided to deploy it remotely and communicate via a VPN in this instance.
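As an added example (not from the page, and not Roke's or Perception's own code), a small audit over flow records taken from a mirror port, matching the seven-team topology above: it reports which team segments appear on the SPAN feed, which expected segments show no traffic at all (so an operator can confirm the feed really reaches them), and any flow between two different team segments, which the per-team switch design is meant to prevent. The subnets and the flow records are constructed assumptions.

```python
import ipaddress

# Constructed topology for this example: seven team switches behind one core
# switch, one /24 per team. The subnets are assumptions, not from the event.
TEAM_SUBNETS = {f"team{n}": ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(1, 8)}


def segment_of(ip):
    """Return the team segment owning an address, or None if outside all teams."""
    addr = ipaddress.ip_address(ip)
    for name, net in TEAM_SUBNETS.items():
        if addr in net:
            return name
    return None


def audit_span_feed(flows, expected=TEAM_SUBNETS):
    """Audit (src_ip, dst_ip) pairs observed on the mirror port.

    Returns a dict with:
      seen        - team segments with at least one flow on the mirror
      unseen      - expected segments with no flow at all (a feed gap to confirm)
      cross_team  - flows between two different team segments (isolation break)
    """
    seen = set()
    cross_team = []
    for src, dst in flows:
        s, d = segment_of(src), segment_of(dst)
        seen.update(t for t in (s, d) if t is not None)
        if s is not None and d is not None and s != d:
            cross_team.append((src, dst))
    return {
        "seen": sorted(seen),
        "unseen": sorted(set(expected) - seen),
        "cross_team": cross_team,
    }


# Constructed sample of mirrored flows: laptop-to-hub traffic for six teams,
# one flow to a simulated 'external' server, and one flow from team2 to
# team5, which the isolation rule should flag. team7 sends nothing.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.1.2"),    # team1 laptop -> team1 hub
    ("10.0.2.10", "10.0.2.2"),
    ("10.0.2.10", "10.0.5.20"),   # team2 -> team5: crosses segments
    ("10.0.3.10", "192.0.2.50"),  # team3 -> simulated external server
    ("10.0.4.10", "10.0.4.2"),
    ("10.0.5.20", "10.0.5.2"),
    ("10.0.6.10", "10.0.6.2"),
]

if __name__ == "__main__":
    print(audit_span_feed(SAMPLE_FLOWS))
```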