This September, the Cybersecurity Hands-On-Training (CyberHOT) Summer School was organized in Chania, Crete, under the auspices of the NATO Maritime Interdiction Operational Training Center (NMIOTC). The PHOENI2X project was one of the sponsors, and PhD students from its consortium partners participated in the event. Below is a summary of the presentations and activities that took place during CyberHOT 2022.
Day 1
After the morning welcome by the organizers, the first keynote speaker, Mr. Tejas Patel from DARPA, presented the Cyber Hunting at Scale (CHASE) program. The program seeks to develop automated tools that detect and characterize novel attack vectors, select the right data to collect and retain, and strengthen protective measures within and across enterprises. Building on a federated model in which enterprises share what they learn, the goal is to eliminate alert fatigue, a real problem for SOC analysts caused by the sheer volume of available data. CHASE prioritizes data according to anticipated malicious behavior and ultimately builds models that tell the story of an attack. Its detection indicators yield very promising results, even when compared against SOC reports. More information can be found here: https://www.darpa.mil/program/cyber-hunting-at-scale.
The next session focused on Defensive Strategies. A brief presentation by Dr. Nicholas Ayres and Prof. Leandros A. Maglaras highlighted sound incident response principles and the phases of incident response (Preparation, Detection, Eradication and Recovery). The presenters also discussed Advanced Persistent Threats (APTs), which can cause severe damage to critical infrastructure, and analyzed their main stages: reconnaissance, initial access, penetration and malware deployment, lateral movement, staging of the attack, exfiltration or damage infliction, and of course preparing the ground for possible follow-up attacks.
The core part of this session was an interactive training exercise based on a critical infrastructure protection scenario. For this activity, a tabletop gaming environment was combined with a tablet application called Simulated Critical Infrastructure Protective Scenarios (SCIPS). The attendees were split into teams of 5, with each team representing a power production company. Every member was given a specific role (CEO, Power Plant Director, Security Director, etc.) with its own responsibilities. As a team, the participants had to make strategic decisions in response to real-world cyberattack scenarios threatening their organization within an escalating geopolitical climate. Since the goal of the game was to stabilize the company's share price, a balance had to be struck between adequate security and efficient use of the available resources. The hard-learned takeaway of this game was how important it is for security analysts to be as efficient as possible: cover the most important vulnerabilities first, always be prepared to thwart attacks, and be in a position to recover from successful ones while taking the impact on business continuity into account.
In the afternoon session, hosted by Nuri Fattah, the participants were grouped into Blue Teams of 5-8 people each. A virtual infrastructure (cyber range) served as the basis for live, technical demonstrations of cyberattacks, including the latest types of attacks used by hacking groups. Once an attack was launched, every team had to use the available tools (e.g., Wireshark) to analyze the captured data and detect the malicious activity. It was immediately evident that team spirit and close cooperation across all members of a Blue Team are of paramount importance, as participants analyze, brainstorm, and ultimately decide on a course of action against an incoming attack. An open discussion at the end of the session between the trainers and the teams highlighted the optimal decisions to be taken in a high-pressure situation, while keeping the infrastructure running uninterrupted.
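To make the Blue Team task above concrete, here is an added example (not code from the CyberHOT trainers or from the page) of the kind of detection logic a defender can run over a Wireshark packet summary once the capture has been exported as CSV. It flags a source that opens connections to many distinct ports on one host within a short window, the classic signature of a port scan, and also shows the failure mode that a slow scan slips under a short window. The CSV rows, the 2-second window and the 8-port threshold are all constructed assumptions for illustration; the column layout mirrors Wireshark's default summary export.

```python
"""Port-scan detection over Wireshark-style packet summaries.

Added example, not code from the CyberHOT page or its trainers. It parses
rows shaped like a Wireshark/tshark summary export
("No.,Time,Source,Destination,Protocol,Length,Info") and reports every
(source, destination) pair whose SYN-only packets touch at least
`threshold` distinct destination ports inside any `window`-second interval.
All packet data below is constructed for illustration.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Wireshark renders TCP summaries as "<sport> > <dport> [FLAGS] ..."
# (newer versions draw a Unicode arrow instead of ">"); both are accepted.
TCP_INFO = re.compile(r"^(\d+)\s*(?:>|\u2192)\s*(\d+)\s*\[([A-Z, ]+)\]")

# Constructed capture: a benign HTTPS handshake from 10.0.0.5, a fast SYN
# scan of 10 ports from 10.0.0.7, and a slow scan of 8 ports from 10.0.0.9
# spread over 35 seconds. Info fields are quoted because they contain commas.
SAMPLE_CSV = """\
No.,Time,Source,Destination,Protocol,Length,Info
1,0.000,10.0.0.5,10.0.0.20,TCP,74,"51000 > 443 [SYN] Seq=0 Win=64240 Len=0"
2,0.001,10.0.0.20,10.0.0.5,TCP,74,"443 > 51000 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0"
3,0.002,10.0.0.5,10.0.0.20,TCP,66,"51000 > 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0"
4,0.300,10.0.0.5,10.0.0.1,DNS,85,"Standard query 0x1a2b A updates.example.org"
5,1.000,10.0.0.7,10.0.0.20,TCP,58,"40001 > 21 [SYN] Seq=0 Win=1024 Len=0"
6,1.001,10.0.0.20,10.0.0.7,TCP,54,"21 > 40001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"
7,1.050,10.0.0.7,10.0.0.20,TCP,58,"40002 > 22 [SYN] Seq=0 Win=1024 Len=0"
8,1.051,10.0.0.20,10.0.0.7,TCP,58,"22 > 40002 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0"
9,1.100,10.0.0.7,10.0.0.20,TCP,58,"40003 > 23 [SYN] Seq=0 Win=1024 Len=0"
10,1.150,10.0.0.7,10.0.0.20,TCP,58,"40004 > 25 [SYN] Seq=0 Win=1024 Len=0"
11,1.200,10.0.0.7,10.0.0.20,TCP,58,"40005 > 80 [SYN] Seq=0 Win=1024 Len=0"
12,1.250,10.0.0.7,10.0.0.20,TCP,58,"40006 > 110 [SYN] Seq=0 Win=1024 Len=0"
13,1.300,10.0.0.7,10.0.0.20,TCP,58,"40007 > 139 [SYN] Seq=0 Win=1024 Len=0"
14,1.350,10.0.0.7,10.0.0.20,TCP,58,"40008 > 143 [SYN] Seq=0 Win=1024 Len=0"
15,1.400,10.0.0.7,10.0.0.20,TCP,58,"40009 > 443 [SYN] Seq=0 Win=1024 Len=0"
16,1.450,10.0.0.7,10.0.0.20,TCP,58,"40010 > 445 [SYN] Seq=0 Win=1024 Len=0"
17,5.000,10.0.0.9,10.0.0.20,TCP,74,"52000 > 22 [SYN] Seq=0 Win=64240 Len=0"
18,10.000,10.0.0.9,10.0.0.20,TCP,74,"52001 > 80 [SYN] Seq=0 Win=64240 Len=0"
19,15.000,10.0.0.9,10.0.0.20,TCP,74,"52002 > 443 [SYN] Seq=0 Win=64240 Len=0"
20,20.000,10.0.0.9,10.0.0.20,TCP,74,"52003 > 8080 [SYN] Seq=0 Win=64240 Len=0"
21,25.000,10.0.0.9,10.0.0.20,TCP,74,"52004 > 3306 [SYN] Seq=0 Win=64240 Len=0"
22,30.000,10.0.0.9,10.0.0.20,TCP,74,"52005 > 5432 [SYN] Seq=0 Win=64240 Len=0"
23,35.000,10.0.0.9,10.0.0.20,TCP,74,"52006 > 6379 [SYN] Seq=0 Win=64240 Len=0"
24,40.000,10.0.0.9,10.0.0.20,TCP,74,"52007 > 9200 [SYN] Seq=0 Win=64240 Len=0"
"""


@dataclass(frozen=True)
class Packet:
    time: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class ScanAlert:
    src: str
    dst: str
    distinct_ports: int
    first_time: float
    last_time: float


def parse_packets(csv_text):
    """Return the TCP rows of a summary CSV as Packet records; other rows are skipped."""
    packets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = TCP_INFO.match(row["Info"])
        if row["Protocol"] != "TCP" or not m:
            continue
        flags = frozenset(f.strip() for f in m.group(3).split(","))
        packets.append(Packet(float(row["Time"]), row["Source"], row["Destination"],
                              int(m.group(1)), int(m.group(2)), flags))
    return packets


def detect_port_scans(packets, window=2.0, threshold=8):
    """Report each (src, dst) pair whose SYN-only packets reach `threshold`
    distinct destination ports within some `window`-second interval.
    Only the busiest window per pair is reported, to keep triage short."""
    syns = sorted((p for p in packets if p.flags == frozenset({"SYN"})),
                  key=lambda p: p.time)
    by_pair = defaultdict(list)
    for p in syns:
        by_pair[(p.src, p.dst)].append(p)

    alerts = []
    for (src, dst), seq in by_pair.items():
        in_window = Counter()  # dport -> number of SYNs inside the current window
        left = 0
        best = None
        for p in seq:
            in_window[p.dport] += 1
            # Slide the left edge forward until the window fits in `window` seconds.
            while p.time - seq[left].time > window:
                old = seq[left].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold and (
                    best is None or len(in_window) > best.distinct_ports):
                best = ScanAlert(src, dst, len(in_window), seq[left].time, p.time)
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_CSV)
    for a in detect_port_scans(pkts):
        print(f"fast window: {a.src} -> {a.dst} hit {a.distinct_ports} ports "
              f"between t={a.first_time}s and t={a.last_time}s")
    for a in detect_port_scans(pkts, window=60.0):
        print(f"60s window:  {a.src} -> {a.dst} hit {a.distinct_ports} ports")
```

With the default 2-second window only the fast scan from 10.0.0.7 is reported; the slow scan from 10.0.0.9 (one port every 5 seconds) is invisible until the window is widened to 60 seconds. That trade-off is the point of the exercise: a short window and high threshold keep false positives down during a live demonstration, while a patient attacker is only caught by correlating over a longer horizon, which is exactly the kind of decision a Blue Team has to make under time pressure.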
Day 2
During the second day, the focus of the courses shifted from defensive to offensive techniques, and the participants took on the role of the attacker. A series of attack scenarios was presented in a fully virtualized environment provided by the “Hack the Box” platform (https://www.hackthebox.com/). After splitting into teams of 4 to 5 people, the participants could spawn each scenario’s set of virtual machines and experiment freely. Each scenario was designed to demonstrate one type of attack, ranging from probing for open ports and password guessing to setting up a reverse shell on a target machine, with the ultimate goal of capturing the flag, which came in the form of a hexadecimal number.
For each exercise, the teams were given some time to experiment and freely try out potential solutions, with the instructors providing pointers when needed and answering questions. After a while, the solution was given and discussed step by step, so as to clearly demonstrate the methodology and thought process behind each scenario. Day two served as a very good introduction to the offensive side of cybersecurity, providing a solid basis for anyone interested in penetration testing and hunting for vulnerabilities in their own systems.
Authors:
Giorgos Georgakakos, PhD Candidate, University of Patras, Greece
Charis Dimopoulos, PhD Candidate, University of Patras, Greece