Paraphrasing Sun Tzu: In order to win the battle you must know the enemy. Good advice, but in cyber-world, how does one learn about an enemy so nebulous? Forensics only gets you so far. And, testing on live networks is just asking for trouble. Enemy one, good guys nothing.

Good news. I found a group of researchers Sun Tzu would be proud of. Their project DETER (cyber-DEfense Technology Experimental Research) helps decipher cyber-criminal activity on the Internet:
"The DETERlab test bed is a general-purpose experimental infrastructure that supports research and development on next-generation cyber security technologies. The test bed allows repeatable medium-scale Internet emulation experiments for a broad range of network security projects, including experiments with malicious code."
The following schematic shows the basic setup of DETERlab:
I include the next slide to give you an idea as to the scope of the project:
The idea is brilliant. Scientists and researchers can muck around on a faithful representation of the Internet and not worry about messing things up.
All the effort to accurately replicate the Internet has allowed significant insight into the bad guy's world. Check out this webpage. The test bed played a role in every one of the publications, theses, and reports.
I needed to learn more. The gentleman at USC who answered my call caved under my barrage of questions (note to self: Work on phone skills). To my good fortune, he put me in touch with Ms. Terry Benzel, the energetic Deputy Director at USC's Information Sciences Institute and a DETERlab project lead. To start things off, Ms. Benzel provided a brief history of the project and overview of current activities.

Ms. Benzel: The DETER project was initially funded in 2003 by the National Science Foundation and the Department of Homeland Security. The initial objectives of the project were:
- Design, build, and operate a network test bed specifically to support security research.
- Catalog software tools to help create, monitor, and analyze complex security experiments.
- Facilitate the creation of a collaborative community of security researchers.
In conjunction with the DETER project, NSF funded a companion project, EMIST. That group provided the initial test frameworks and methodologies needed to represent network attacks and defense mechanisms.
The EMIST community also served as the initial users of the lab, working closely with the DETERlab developers to define and test early capabilities. The EMIST project ended in 2007.
Currently, the DETERlab has over 2000 participating researchers.
To the future
The deputy director, intent on uncovering additional cyber-crime secrets, started talking about next-generation test beds. She emphasized that the project cannot take baby steps. They have to leapfrog current cyber-security experimentation. Why? It's the only way to get ahead of the bad-guy curve. The goals for the next-generation test bed are:
- Support for larger and more complex experiments.
- Advance the quality and accuracy of experimental results.
- Build a knowledge base of experimental designs and results.
- Provide a user-friendly interface for both novice and experienced users.
- Support a significantly larger and more diverse research community.
Ambitious as this sounds, the deputy director was not finished. She went on to describe three initiatives DETERlab is undertaking to complement the above improvements:
Create an advanced scientific instrument:
As a scientific instrument, the DETERlab test bed needs to provide data that are repeatable, valid, and usable by researchers. Doing so will advance scientific enterprise by distinguishing valid results from artifacts. It also allows experimenters to build on each other's work.
Furthermore, it will provide a significant expansion of experiment scope beyond what is available today. For example, DETERlab will support worst-case experiments, multi-party experiments, and experiments that interact with the Internet.
A major hindrance today is the steep learning curve needed to set up and orchestrate experiments. One of our goals is to provide a friendly system, supporting all levels of expertise, from novice to sophisticate, and supporting all user needs, from classroom exercises to product testing and scientific research.
Create advanced test bed technology:
New test bed technology will be able to evaluate experiments of increased complexity, including:
- The use of concrete physical nodes having specific OSs and application software.
- The ability to implement abstract virtualized models.
It will allow the input of information associated with the experiment, such as goals and invariants, by using the following:
- A virtualization engine: To examine each element and determine the appropriate physical or virtual technology to achieve the asked-for parameters.
- An embedder: To allocate/configure test bed hardware and software resources needed to accomplish the experiment.
- A federator: To allocate the embedded containers to physical nodes, using remote as well as local resources.
Support new application domains:
The DETER Project remains as flexible as possible, conducting experiments related to ongoing research, and those related to new threats. We only require that researchers be interested and willing to collaborate with the DETER project. Two application domains we currently focus on are:

Botnet Support: Botnets are a fundamentally different type of malware. The attacker is actively engaged, manipulating the botnet, uploading new software modules, and monitoring the effectiveness of the botnet. We are implementing new scientific instrument and advanced test bed technologies so researchers can understand the inner workings of the bot code.

Critical Infrastructure Support: Critical infrastructure systems are vulnerable to attacks from cyber and physical realms separately, or more dangerously, in combination. Protecting such systems requires the ability to model the reaction of such cyber-physical systems to both kinds of attacks.
The intersection of cyber security with critical infrastructure lies in cyber-physical systems that can be modeled in DETER by:
- Representing physical entities using DETER nodes operating as cluster computers.
- Using additional DETER nodes to emulate the communication links.
- Configuring the ties between the nodes to represent the sensors and effectors present in such infrastructure.
In the longer term, we envision the ability to model individual application domains on separate test beds, allowing for more complex modeling of critical infrastructure. Also, utilities could participate in emulations without compromising sensitive information when they provide test responses.
I have written about some of my less-than stellar online experiences. That's why I'm all for gaining any advantage we can on cyber criminals. Knowing there are skilled people like the DETERlab crew dedicating their time to that end means a lot.
I would like to thank Ms. Benzel for helping me explain the inner workings of DETERlab. I also wanted to mention that the project has received a significant grant from the DHS, allowing scientists continued access to the test bed.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.