
Ghosts in the Machine: Orchestrating a Realistic Cybersecurity Exercise Battlefield - Dustin Updyke

BSides Peru | 38:23 | 178 views | Published 2019-07
About this talk
DUSTIN UPDYKE As cybersecurity becomes increasingly demanding, leaders are challenged to provide optimal training and exercise in a growing number of scenarios. In order to be valuable, security operators must train as they fight. Since 2011, our team within CERT has delivered over 125 complex, large-scale cybersecurity exercises to over 8,000 participants from government and commercial clients. This presentation introduces the research and technology behind a platform for realistic cybersecurity exercises called GHOSTS. The talk also describes the challenges involved in creating authentic cyber exercises, our research into building realism into each aspect of the exercise for both blue and red teams, and presents a case study of an exercise where the framework was successfully employed. Dustin Updyke is a Cybersecurity Researcher at the Carnegie Mellon University’s CERT. Having previously served with multiple industries in an array of technology roles, Dustin transitioned into security, supporting cyber workforce development for multiple government and commercial contracts. His current interests are in Game Theory, Machine Learning and AI.
Transcript

okay we're gonna go ahead and get started so the next speaker is Dustin Updyke he'll be presenting on Ghosts in the Machine orchestrating a realistic cyber security exercise battlefield it's a little bit about Dustin Dustin Updyke is a cyber security researcher at the Carnegie Mellon University's CERT having previously served with multiple industries an array of technology roles Dustin transitioned into security supporting cyber workforce development for multiple government and commercial contracts his current interests are in game theory machine learning and AI without further ado let's welcome Dustin [Applause] hi is this thing on okay sorry I'm a stroller so I'm not gonna stand there at the podium thanks to BSides for having me thanks to all of you for coming out I'm Dustin

and originally this talk was going to be about developing a software system that would replicate human behavior on a computer the good guys the bad guys everything in between in a way that we could use it for training and exercise those people learning different things about the security industry but I realized what who my team is what we do and how we think are sort of critical to understanding why we developed this software and how we did it so you get both of those stories because I don't think one makes sense without the other and that's what we're going to go through today so of course everything I say today is not necessarily the opinions of my employer of the

University so my job is to be interested in workforce development particularly in the realm of cyber and security that landscape we'll walk through today how it's going to change how we anticipate it's a change in the next couple of years and what that might look like and what the implications are for that change now the TLDR of this talk is that everything that we do in terms of training should be rooted in some sort of realistic scenario right so to borrow a phrase from the military we want to train as we fight and so the the exercises and the training that we put together and I'll walk you through today the number one pillar that we try to always stay on

course for is to deliver something that people would see in their daily operations and for them to do the sorts of things that they do in their day job right and the thinking there is if you've done it enough times in training you'll know exactly what to do when that situation arises in real life correct if you don't do that then we find that's a great place to pick up lots of bad habits right if you're gaming your training you're probably not getting the most out of it so in terms of realism this is where we have to start does anybody recognize this yeah so this is the planet Eminiar VII it's from episode 23 of the first season

of Star Trek the original one and so the crew of the Enterprise goes there and finds that the planet has been locked in war for 500 years except there's no destruction there's no chaos there's not really any sign of armed conflict at all so it turns out that the entire war has been fought in a computer simulation for 500 years the the caveat is that if you're killed in the simulation you must submit yourself to a disintegrator and sort of kill yourself in real life right so that's a pretty realistic simulation right that's not what we aspire to do right we're not trying to build Skynet or something like this but I think it's a very interesting question how far

should we go in terms of building training that mimics what you're going to do in your day job it's probably short of this right but it's probably not the basic stuff that you can read out of a textbook either so yeah that's Eminiar VII and I got some cool suits so as part of our simulation we wrote a package that's that's a that's a little bit down the stack so assume we're doing some sort of network training we have a network and there's lots of tools to do that right on ESXi or some other hypervisor we have an internet and it's probably in a box right it probably isn't the actual Internet that's outside and again

there's tools for that so now we need activity on that wire right we need users quote unquote I don't like to use users not not for anything but because user sim isn't is not a new thing right there's lots of tools out there that does that but it's a range of things and we want to be a little bit more precise in what that is so there there's there specialized hardware that puts packets on a wire there they're highly realistic packets but they don't track back to any particular machine at the other end of the spectrum and the SEI has actually done some work in this area we can automate Windows or Linux or something

like that to do certain things so that it looks like a user is on that box right we took that model and we we went with it we added a bunch of things that we hadn't seen in the market before and again this is not a this is not a sales talk right but we we added a couple of features we added the network effect so that we could command and coordinate large number of VMs to do certain types of user behavior either as an enclave as a group of machines or as a single machine so at the end of the day we're able to model all different types of human behavior on a box and if it was

done really really well you wouldn't know whether it was me or a computer simulation of me sitting at the other end of the cable so does everybody have in mind that person back home on their network that's super annoying that clicks on everything that launches like everything you're not supposed to do right we could we could actually model those people with GHOSTS because you probably have those people that you have to deal with in your organization now you can model them and make fun of them and even give them names right because they have a user name on your network so they can have some fun with that as well so this is sort of the last group that I

need to poke a stick at and say you know you should be scared there's lots of scary things in the world the point I want to make is that the scary things are rapidly increasing right the number of attacks the sophistication of those attacks the things that we are seeing today are largely unseen in the past and the the thing that a lot of people forget is that training needs to keep pace with that right if we're seeing more sophisticated attacks that include larger sets of data that includes machine learning systems we need to figure out how to build that my team needs to figure out how to build that in training and make it affordable

and not super resource intensive and not custom for every single client that comes down the path right so that keep that in the back of your mind we do all different sorts of training events I'll call them training it for our purposes we'll be sort of a one-on-one thing I need to learn Python I need to learn the bash shell I'll eat I need to learn basic networking cloud architecture those are the things you normally go off and do on your own in whichever medium suits you best right you can you can get a book you can do the audio book you can heck you can go to youtube and probably learn it in an afternoon right from some 13

year old incur blackest tan we also do exercises which i think is super interesting because I don't know that they exist very often in the commercial non military world so an exercise is I guess the best analogy for it is if we were an elite soccer team and we had a game this weekend I think someone is playing right now right what's the score if we wanted to know how we were going to do the best predictor of how we were going to do is to play a scrimmage game against a team that is most like the team were actually going to play right use the same equipment the same rules and go out there and try to win and that

would give us some baseline of what we're good at at what we need to improve upon etc that's an exercise that can't be done in a drill right in a drill you can stop and tie your shoe in a scrimmage game and you don't want to lose you have to be prepared for those sorts of things so the military does exercises all the time right that proves that units are our combat ready cyber teams do that just the same and I don't see that in the in the consumer world too often but it's really interesting because the dichotomy there is everybody has a job to do but they also have to operate as some sort of

team right and guess what a lot of us operate as a team so how do you train and improve and even baseline where you're at in your organization if teams don't train together and then simulations are of course they're just automating the whole thing looking at the result data set to make some assumptions or some predictions about how it might be in the future now for all of these we we do a certain set of of things starting with the network right we build highly realistic or as realistic as possible networks that match what people are using in their production environments it might be the whole thing it might be a subset of what we want to train upon

but we use the same tools and products that they would use in production you know cost not being a factor sometimes that sort of changes the dynamic a little bit but but for most part we're using the actual tool tools that they're using in production then on top of that we layer different types of scenarios so it might be to try new some new hunt technique that DCO is is is interested in it might be to validate that their internal processes and communications are up to snuff maybe there are a couple of years old and they want to take a look at that maybe it's to assert that soldiers are meeting their METL which is that third line that's an interesting

term it's a military term it's a mission essential task list it's typically not tied to knowing the tool or knowing a process it's basically can you get this thing done under a high / high duress right and I always think that that's kind of interesting because that's not how we hire or how we fill out our resumes right we put I have 10 years of Python experience I know how to use Splunk and that's what we get hired for right the military says no we don't really care so much how you do it there's there's outcomes that we want to see and you need to be able to do it quickly obviously we have to work with

the stakeholders on that side to figure out how we can validate those assessments and time it and all that sort of thing some of the more fun things that we get to do is to actually roleplay the different characters that are in the exercise that might be some headquarters that is telling you what to do it might be some Intel Group either inside or outside of your organization providing you some direction it might be a super grumpy contractor from lock that's pissed off that his machine you turned his machine off somehow so we get really into character and we have a lot of fun with those the funnest of all of them is when we get to play Red Team

right in military terms that's OPFOR sometimes we get to do that sometimes another group does that when the other group does that that's just another set of requirements for us they are typically not the ones being evaluated in an exercise so they're part of assessing providing the tools for assessment of the actual blue team we work a lot with blue teams and then a point that I would like to make is that the exercise can be facilitated meaning we're there either virtually or face to face or it could be completely on demand where you sort of go into the system you pick this scenario and then everything is controlled by the computer and of course that is directly linked to

building GHOSTS and we'll get to that in a second so when we do the red teaming my my team always sort of scoffs at these are these on-demand exercise there's nothing you can do on a computer that's as good as we are we're making all sorts of gut decisions we're reading all these different data points that would be all that's impossible to replicate with with any kind of programming right that just can't be done I'm a software developer so that is a really juicy statement to launch in front of me I get excited about what I love when people say that's impossible right because I want to get started on that like tomorrow how can I was there a

charged string for that but over and over people have made this statement and it's kind of interesting because at the same time I was reading Ready Player One I haven't seen the movie and most people say that I shouldn't bother but the book is interesting because you you jack into the OASIS just like you go into these different scenarios and you you you take on some task right and at the other end of the task is some thinking adversary that you have to sort of battle it out with right I will admit that most on well not most all on-demand exercises for anyone of a certain skill set they start to get they feel very gaming right and you start to

take those shortcuts that we don't like because it's you know it's not realistic it's not using the right tools it's four VMs and we're calling that an enterprise network whatever the reason might be so so that you know that's a place for us to improve right there's a lot of opportunity to make those better and if I could make an exercise that my team would be challenged by like that would be something that would help not only more experienced cyber experts to improve and practice new things but that would allow our military to use it etc etc etc so that's not a new idea right a thinking adversary's been around for for a long time does anybody remember this

movie I'm not dating I'm dating myself but you know again this is not a new idea there's lots of reasons that it hasn't been done right the sheer complexity of being a network administrator the the amount of data that you would have to have on that exercise being able to make good decisions based on that data that's coming in etc etc etc so yeah so that's the challenge that was sort of the thing that got us thinking about automating our users and the good guys and the bad guys and everything in between and that's sort of the context for it now we we do these exercises right and and I want to veer off for a second and talk

about that team thing right to me cybersecurity is a team exercise there aren't very many people out there that are lone guns doing something without any other organization that they're interacting with and that's an interesting dichotomy because there's certain skills that you and I have to have right if we go back to the soccer analogy we've got to be in peak physical condition right to be able to run for 10 miles in a soccer game we need to be able to not only know our position but all the other positions around us on the team right where is everybody going to be when we have the ball where's everybody going to be when we don't have

the ball so we can get it back in and be back on the attack but then and so we we all do that right we all train we all learn new things we all or buying books and listening to podcasts and all that sort of thing but again back to that that team thing there's not a lot of opportunities for teams to train together and sort of focus on the dynamics of the team and less on what what each individual component is doing so if you think about it like how do you how can you say that your DCO is a great DCO and is effective in its job if you've never trained them if you have no baseline for it as an

aside I suspect that the commercial world does not do that because they might be very disappointed with the results and therefore somehow are liable for it I don't know right but but it's but it's an interesting thing that we don't see very often outside of our DoD partners now this is a say it's it's really it's actually not that hard right there are five areas that we typically concentrate on for even the most unsophisticated exercise that gives teams opportunities to baseline and say hey we're doing very good at this hey our SOP is is entirely adequate even though it's five years old so as long as we are clear about what roles people are playing and they're the same and the

exercise as they are in real life the tactics and the adversaries that we're dealing with are realistic to what our job is so if we do an exercise where we're defending webservers and I don't actually have that in in my in my daily operations back at company X that's not really helpful right communication is an interesting one because it's an easy way to practice like hey we've identified something how fast can we turn around and do something about this and mitigate some threat or some vulnerability that's just been announced and that environment is also an interesting one if a team sits together we train them together if they don't sit together we don't let them sit together right so that they get

used to how things are actually on the company floor on the technology side we again we install all the tools that they would expect to see and they use every day I assume at some point they're an expert on that tool so let's put it into training so that they can they can show that off a bit so if we're using Cisco routers we put them in in game as well I will admit that licensing is a huge pain in the neck right right in the middle the exercise it like never fails that the Cisco licensing goes down and everything slows to a crawl and and everybody sort of slaps their forehead but replacing it with some other router

severely handicaps those teams and we try to avoid it likewise for the red team we try to make it so that they're able to do all of the things that they want to do in that than that scenario sometimes that means before the exercise starts we have to have a conversation with blue teams about letting PowerShell execute or letting off on some GPO right but that's an understood game-ism and they're sort of okay with that the worst possible thing is when the cyber ghost comes in at some predetermined time puts some payload on a machine that nobody can explain how it got there or why it's there and then all of a sudden hell breaks loose and teams

are like wow I was really realistic that's great where did that come from right so we we really avoid that and and work hard to make it a more realistic hey this is how this got inside the wall and you can find that in the logs you can see that in the network traffic etc etc of course for a red team they have a host of different personas that they're going to use in that scenario might be a hostile nation state I saw someone with with the t-shirt with these three characters on such a cool t-shirt but right all these all these different personas have different motivations different strategies about how they're going to attack and death of course

that's different opportunities for teams to learn about what that's going to look like in the real world how to identify it how to mitigate it and for our software's purposes we would want to be able to recreate all of these different personas in our exercise right so let's get down to the to the software the software is called GHOSTS it's open source it's out on GitHub right now I do all the development out there all the bugs are are plain to see all the feature requests are as well we have used it for the last two years operationally that's our our test ground some of these bigger exercises are using multiples of thousands of characters in

game and we're able to support that with a with a pretty simple stack but it's out there check it out if you're interested in building your own sort of training environment we have a lot of tools to help you do that quickly and easily for for any kind of exercise or training typically we have interactions between humans that's us right and then these characters that are represented in game as NPCs to borrow a term from from D&D right that's any that's any character in the game that's controlled by the computer and again if GHOSTS is gonna do it really well you won't be able to tell which is which right they need to be behaviorally accurate that

means Todd in logistics needs to be doing logistics-y types of things browsing certain websites filling out certain types of documents sending emails to certain types of people versus someone over in marketing or communications or etc etc so that's really an infinite array of configurations that you'd that you'd want to have right you want to have that real enterprise-y level configuration mess that we try to avoid but in in no short order is sort of necessary and of course they need to be fully autonomous in a in a long-running exercises some of ours are are over nine months we're not gonna go in and tinker with them right we might reconfigure them or whatever but but we don't have to restart them or

do anything like that so if we were able to do that if we were able to replicate the the people that we're there to protect bless you and the people that are coming in from the outside scanning our networks looking for vulnerabilities right that would be kind of like real life and that would give our participants higher training value and of course we correlate that with hey if you're doing exactly what you're doing in operations in your training you're gonna know how to react that should be successive that should that should result in better chance of success in the real world than not so the technology behind ghosts is a simple client-server architecture the server

we've been working over and over again to make it as simple as possible to stand up right now it's three Docker containers so docker compose up and you're ready to roll and the clients are approaching that that level of ease as well they're a zip file they don't require any special permissions or any kind of install scripts put it in a folder run it as that user and it should be good to go there's a little bit of configuration to get the two to talk of course but other than that you should be good initially they will get their instructions from the command server including who am i representing right I'm Tony from from marketing and here is my list of

timeline events that I'm gonna do throughout a day I'm gonna browse these websites I'm gonna fill out these documents every so often I'll respond to email etc and I did and of course we can update that throughout the exercise for the entire exercise for groups of machines or one machine at a time in addition to that the agents are starting to learn about where they're sitting on the network as well so we call it the coffee counter effect if we took any one of us and put us in a new company on Monday right we start to figure some things out we even with the least permissions we'd be able to figure some things out like what's my upstream

Network look like what file shares are available what printers are out here what other machines are around me in addition we probably go get a drink at some point coffee water whatever right and we be like hey Chris where do you work what are you doing today right and we start to figure out who sits around us and what they do right so all of that information the agents use the agents clients use to reason about what to do next so you gave me these sort of guardrails of things to do throughout the day but I'm going to pick what is is is next for me on my list unless we specifically program it to do one two

three right which is which is not kind of real-world that we're looking for typical install for us is to put the control server out of game across the hypervisor we have a technology called V tunnel you install on ESXi and it tunnels all of the traffic from the clients so that players can't see it that's actually important because really good players will see that traffic and they'll start to take a look right they'll use any edge they can to win and I don't blame them right but we use this v tunnel to hide it so they don't see it at all so there's nothing on the clients that you can look at that would tell you oh this is this is a this is

something good and this is something bad right so let's watch over here that doesn't exist and we hide all the traffic back and forth that gives us the opportunity to do a lot of different things so blue team can set up however they want they can set up their firewalls there they can divide up their networks however they want they want to do that GHOSTS doesn't care about any of that it just stands up and starts running as long as it has permissions to run as the user it's good to go same thing for the red team they can organize by they could stand up boxes that do different parts of the kill chain right

I have these bunch of boxes over here doing recon and when they find something they're gonna send that over to the next phase which is going to look to exploit some vulnerability that's been found right and then of course we can do stuff in the middle so that the red team can either attack directly they can MIT can cover my Sun box in the middle and and do a jump or we can do insider threat right the SEI has done a ton of work in s in insider threat and we can represent the the malicious plant that would that's like a foreign nation spy is putting Responder and all sort of nasty stuff on the network or we can have you

know that person that we were talking about before that clicks on everything and just keeps clicking and just keeps getting themselves further down the hole we can do any one of those things so I'm going to do a demo and I apologize distributed systems are sort of hard to demo but we'll go through it so you get a flavor of what it looks like so this is the Windows client right it fires up as the user once it installs it's going to it installs itself and then it goes off and hides and starts to get to work on the configuration that we've given it so you can see it's firing up different office documents it's going to pull up

Word Word Excel PowerPoint and going to start sending and responding to emails now there's no browser so the configuration let's change that it's all JSON text files you can go in and and do it here you can do it on the server and send it down the browser is actually running in headless mode because for larger thousand VM enclaves that's pretty resource intensive so we run it headless so I changed that file I save it GHOSTS says oh I got new instructions to do and it's gonna restart and start to perform those new actions and there's the browser so you can for all these configurations that can be random right you can you can browse HTTP HTTPS sites at random

you can browse them go to this site go to this page download this payload unzip it do something nasty but here we just have a normal machine that's going to go throughout the day create different kinds of documents browse different web sites and you know that creates a lot of of realistic noise on the network that's just people doing their day jobs if I wanted to fire off something that's a one time I'm thoughtful I'm over here doing all these different timeline of events I can do that a couple different ways there's a drop box where I just paste in a script and it's gonna execute that script move it to the outbox as completed here you see it's just running

PowerShell and unzipping some file I can do that as many times as I want so now you have a machine that's doing its normal things of the day and then someone stops by and says hey can you take a look at the zip file you can do those sorts of scenarios as well and again you can do it here on the box but you probably do it up at the command server send that to an API and GHOSTS will deliver it to the machines that you indicate could be all of the machines could be some of the machines or it could be one machine all that information gets logged up at the command server I have this really

cranked up so you can see a new Enclave is coming online is checking in saying hey I'm here and reporting all of its activity so the top line is your macro numbers and that middle graph is well I ran 15 PowerPoint documents today I did 35 emails I clicked on a bunch of things and I ran these ten PowerShell commands so all of that gets logged if it's a command where there's an expected payload you get that payload as well and then you can do something with it so you can LS on a folder until something happens now if I show you one machine and the command server that's really not that exciting right what's exciting is when

you have a bajillion machines out there doing all these random things that kind of looks like a corporate network right actually the best GHOSTS installation I can't tell you what they're doing right just like I can't tell you what Joe Schmoe is doing on a corporate network on Tuesday morning at 10:15 that's pretty real so back to the back to the admin dashboard for a sec again the top line is the macro numbers this is a nine month exercise that we did where a team would exercise then they would go into a sandbox period to sort of respond to how they did adjust some of their configurations put new things in then we'd exercise again

then we sandbox we did that four times but you can see at the top we get a an overall picture of agents reporting in this is the timeline of events that I've done they also report in their health statistics so you can configure hey these clients need to be able to get out to these internet sites they need these permissions they need whatever and then when they can't do one of those things they'll report back as an alert right so sometimes we see teams block whole /24s or something like that which is a sort of a game violation and and this is a way that we get alerted and then they poll as well just to say

hey I'm here is there anything new for me to do the second line is just meant to show that we can tune the activity pretty precisely in terms of let's turn up the amount of stuff that our users are doing or let's turn it down at different points throughout the exercise and then the bottom line is just a slice of in this particular time period we had 111 machines browsing Firefox for them working on Excel documents clicking on things running commands etc so you have access to all that data row by row this is just a rollup it's nice to have at at the you know if you're facilitating an exercise that here's what's going on and

everything is sort of happening as you expect so as far as working on this software like I said it's about years old we've worked through that I don't know why we picked a three-phase approach maybe it sounded good or we saw it on some blog post but in the third year where we're sort of down there at phase three we can deploy really large networks we can have them do all sorts of random things on a machine that you and I would do and we can get all that information back that leaves us with this huge data set of everything that basically happens in that exercise and so what we're looking at this summer is

can we start to automate some of those things that my team said we couldn't automate? So can we have machines that are doing scans and then find something that we can actually do something with, and trip that off to another machine that's going to try to take advantage of it, right? That's where we're at this summer. We have a couple people working on it. I can't tell you that that's something we're gonna turn around next year and come back here and say, well, we have all these automated tools now to attack other nations with. Like, no, it's going to be a long process. But if we can start to make some progress with that, maybe in a few years we'll have

something that's worth talking about, because it would be totally awesome to have a simulation where experienced players could go in and have an experience where they say, hey, that was actually pretty challenging. Like, that thing was who's not cheating, right? We don't want to create something that knows everything about everything, but hey, this was pretty realistic and it was pretty challenging, it taught me some places I need to improve. And so that's sort of the lead-in to where we think some things are going, right? Training and exercise should always be rooted in that next-level thing, right? That's why we're working on this, so that we can have teams be able to train on things

that are happening right now in the world, or are about to happen, or expected to happen, right? So the best exercises for us are when we see something in the news and we're able to get it in there that week, and teams are like, wow, now I know what that's going to look like in the real world, I can identify it, and hopefully I can mitigate it before, you know, we even have to deal with it. But that's what training and exercise is about, right? It's not about training on things that are five years old and learning to deal with things that five-year-old way, right? That's fighting a new battle with old tools, and

I think we know how that turns out. So that's part of our problem. Part of our problem is the sophistication of the networks that everyone is managing and securing is sort of outpacing our ability to keep pace with it, right, or keep up with it. That could be cost, that could be resources. Training is always sort of the last thing that people want to pay for, right? So we have to look at new ways to recreate these hyper-realistic scenarios without breaking the bank and without having to use a hundred people to do every single one of them custom, right? And so some of the things that we're looking at is using machine learning, using shared resources to recreate that.

Now imagine if I know everything. With GHOSTS I essentially know everything in an exercise that my NPCs are doing. I know the results of everything they're doing, so I sort of know that whole one side of the exercise. Now maybe I can provide my players feedback and work like a custom experience for them based on how they're moving through that exercise. It's like a choose-your-own-adventure. If we were able to do that, maybe we could use that to bring higher fidelity to the types of scenarios that we see, right? Maybe there's a way that we can reuse some of the vulnerabilities and some of the malware that we're using in different ways without having to write

it from scratch. Maybe if we could add everything that the actual human players were using to, that are doing, to that data set, then we'd really have something, right? Now I know basically everything that's going on inside my exercise. Maybe I can really give you feedback about, well, this thing happened and you missed it, and now, you know, things are really going wrong inside your network. That real-time feedback would be sort of key to that jacking into the Oasis and taking on this thinking adversary in a way that actually helps you get better as an operator. And then the last step of that is, if we were doing exercises that were doing that,

then why couldn't we just add a layer of machine learning on top of the exercise to tell you which exercise you would get the most from, right? How do you pick which scenario to train on? Going back to the Vietnam slide, right, you shouldn't train on things you already know and things that you're already good at. Maybe you should train on this thing here, because we've detected some weakness in the force, right? That's scary, right? For this room that should be super scary, because what if we hooked production systems to our training environments? Like, what if the training was so good and so realistic and so Oasis-like that we just took the

results of training to improve our production systems? What if we took our production systems to build better training modules, because it would be then based on the things that are actually running in production? Now that's crazy, right? That's a whole new vector we are opening ourselves up to attack. How do you separate training data from real data? Well, what if the training data was actually valuable in some way that influenced what we do in production? These are not my words, these are what they're talking about inside the SEI. There are lots of agencies already thinking about, how can we do our training almost as a simulation to influence what we do in real production environments, and therefore how can we

use production data to create better training for our employees? So the takeaways I hope that you might get from that is, there's lots of different ways to train as individuals. How do you get better as a team, right? How do you learn new things versus get better at things, both individually and, like I said, as a team? And these last couple of slides, right, how do you build a training environment that's very, very realistic, and then how do you maximize that training to improve your daily operations, right? Hopefully, I hope you get something that might help you to improve your current organization today. We got tons of tools out there on

the table that might help you build that simulated environment. And that's all I have. I'm Dustin, I am a researcher up at CERT, but I snuck in here, I don't have a security background, it's like I'm a total Fausta, right? I'm a software developer, but I have been in security for the last two years, and I'm studying philosophy at CMU, which is all about game theory, making decisions and complex systems. It's pretty cool program. So that's my story, I'm sticking to it. Any questions? Thank you. [Applause]