Okay, my name is Linda Butler and I am the Blue Team Project Lead for the Open Source Cyber Challenge Platform Project, which is a bit of a mouthful. Basically, that means I'm the head scenario and game design architect for the project, and it's a pretty awesome job. I've been told that there is no Q&A session for the Track 4 Turbo Track, so I'm going to try to finish this up early, and then if you have more questions after that, I've got some business cards for the project. You're more than welcome to email me. I'm always excited to talk about what we're doing. The emails would also give you, you know, research papers for the project, source code, network maps, all the fun detail stuff, because with 20 minutes we're barely going to have enough time to get into, you know, the grand architecture.

So I'm going to begin by laying out the foundation of the project, how it all started, and why we think it's such a vitally important project to create. After that, I'm going to talk a little bit about the philosophy of our design, the methodologies we came up with. From there, we step out onto the architecture of the platform itself, and we talk about what it is, what our proof of concept ended up being, how that proof of concept performed in the alpha tests, and what we hope to add to it before releasing it. Finally, I want to talk a little bit about, like, our grand future plan for the project, what we hope to create with the University of Rhode Island and the open source community's help.

So the idea for the project started with Dr. Victor Fay-Wolfe, who is the head of the University of Rhode Island's Digital Forensics and Cyber Security Center. The University of Rhode Island is known for its digital forensics, but it's much newer to the cybersecurity side of the field. And everybody in this room knows that practical experience will teach what no amount of classroom theory will. More so, it teaches it in an exciting and lasting manner. So when Dr. Fay-Wolfe decided that he wanted to add a cybersecurity program, the first thing he did was go looking for a high quality, flexible, open source, or at the very least affordable, tool that would help his students get this practical experience. He didn't find it. The current commercial solutions, like, say, the CyberNEXS platform, cost upwards of $100,000, and that doesn't even count the very expensive annual maintenance contract. I've been told that SANS NetWars is very good. It's also about $2,000 per student. Governmental solutions like CERT's XNET or the National Cyber Range are available primarily to government or government contractors. Stepping away from the commercial or the governmental, we do have events like the capture the flag tournament that's going on down the hall, and they're good. They convey a lot of value. But you have to acknowledge that these are idiosyncratic labors of love. Each tournament is the fruit of months of dedicated effort by professors, students, ardent tournament organizers. It's amazing what they do, but the overall availability of institutions who can host or create such events is a relatively small percentage of the population. So he looked around and he couldn't find this tool that would do everything that he wanted it to do. And he has a research budget. I mean, University of Rhode Island, it's not huge, but it's not teeny. But he was thinking, okay, well, what about schools that don't have a research budget? What about high schools? What about community colleges? What about smaller universities that can't spend $100,000 on their computer science students?
If, in this era when computer security is more important than ever, in an era when Sony and Google and major companies have been penetrated, when Department of Defense and NATO networks have been compromised, in an era where the importance of trained, skilled cybersecurity professionals is higher than ever, in this era, if we don't have a high-quality, open-source, freely distributed tool that will help train us for the future, then could we make one? So that's the question he asked. That's how the OCCP project got started. And now that you know the question that we started with, I'll talk about how students from across the country, graduate students, and two URI staff advisors got together to try to answer it.

When we hammered out the philosophy and the constraints of our design methodology, we ended up with three guiding principles. The first was that we wanted it to be open source. We wanted as few barriers as possible to widespread distribution, adaptation, alteration. We want the project to grow. We need the project to grow. The University of Rhode Island can create the engine, but the U.S. government paid $40 million to create its equivalent for its employees. The only way we as private citizens can come up with anything close is if we can get the open-source community who would eventually use this training tool to invest in adapting and maintaining it.

The second design principle flowed directly from that awareness. If we were planning to leverage the open-source community's brilliance in order to continue the project, we had to make sure that we had a design methodology that facilitated that loosely cohesive, distributed design process. In a word, we wanted to focus on building a platform that increased modularity. The University of Rhode Island right now is, like I said, creating the game engine. We plan to release it with modules in at least four different topics: network defense, penetration testing, digital forensics, and secure programming.
But what we would like to see happen is to see more people look at this platform and say, okay, you know, this is a pretty good idea. But maybe it's a professor and he's thinking, well, you know, this isn't exactly what I want to teach my class. I want to teach with a focus on firewall rules. So I'm going to create this. And then hopefully after he creates it, he releases it back to the repository that's being maintained by the University of Rhode Island. I mean, imagine if you could go to a website, browse through numerous different scenarios with different levels of difficulty, different policy focus, different subject matter, click and have it download in the background, and then play through an entire challenge complete with educational component and scoring engine. That's what we want to create.

Finally, we decided, in that best and most traditional of open source rules, that whenever we could, we'd be using pre-existing open source tools. And we did this for two reasons. First was simple practicality. We had three months to throw together a proof of concept that included a game engine, a module to run it on, a scenario, a scoring engine, an educational component. We just didn't have time to do it all from scratch. But second, and even more importantly, we were hoping that by using pre-existing, well-known open source components, we would lower the barriers to entry when it comes to other people participating in the development. It's a little bit daunting to consider learning a whole new language or operating system, even if it's a project you really want to support. It's a whole lot less intimidating when you learn all you have to do is write more automated Metasploit code for the red team attacking scripts in the network defense scenario. So having talked about the background and the design philosophy, you guys have the who, the why, the where, the how. And I'm going to fill in the what.
What the OCCP is exactly, and what we accomplished in our proof of concept. So the first thing to cover is that all this gameplay takes place on a virtual platform. There's a variety of advantages conveyed by that, most prominently being that you can quickly and relatively easily alter the network topography. If you want to test your class as a class instead of just testing individuals, just clone off more blue workstations and you have simultaneous play. If you want to increase the complexity of the target network, add in a few firewalls, throw in some subnets, do a few configurations and you're good. And finally, if you're in the middle of your network defense exercise and you're kind of failing, your box has been compromised, your website's been defaced, the database has been stolen, and, you know, if it were real you'd be crying in a corner or homicidal, you hit the reset button, go back to the beginning, and you're back in business. So that's what it all is going to be played out on.

Now on top of the network, we have various units that are somewhat similar to the Department of Defense's CDX exercise. We have a red team, a white team, a gray team, and a blue team: red being offense, blue being defense, white being monitoring and scoring, and gray being simulated network traffic. Unlike the CDX and other tournaments, this is a training tool. So it's not deliberately designed as a player versus player environment. It's player versus environment. Everything except for the individual who's being tested or learning, or whatever your objective at the time is, is all going to be automated scripts. For white team, we decided to use Nagios as the basis for a scoring engine. If anyone doesn't know what that is, it's a powerful, flexible network monitoring tool. And we found that we could adapt it pretty easily as a central correlation and analysis engine for the white team.
It would be able to take the responses from the red team about which attacks were succeeding and failing, and information from the gray team about what network traffic was being responded to. And it took them, it scored them, and it presents a nice little moving scoreboard as you play through the game. The scoring algorithms are very customizable. Right now, like, by default, we have it set up so that maintaining the continuation of your network services is weighted about equally with preventing the destruction of confidentiality of your database. But you can change that. If, for example, you decided you wanted to create a scenario where instead of maintaining a small company, you were maintaining a top secret database, I don't know, you can alter the coefficients so that making sure that confidentiality is not breached is twice as important as making sure you have 100% uptime on services.

For the red team, we decided to start by using a tool that we all know and love. We started with Metasploit. It lends itself very well to automated scripting through Ruby. We set up a scenario with escalating attacks. There's a delay built in to give the system admins time to actually react to the attacks. And there's a randomizer built into the delay so that you don't know the attacks are coming every four minutes. They might come anywhere between two and seven minutes apart. This is also adjustable and customizable. Whenever we could, we added customization, because although the modularity will help in giving you beginning or intermediate or advanced options, we still wanted to give as much play room within that as possible. The red team also had a wide variety of IP addresses that they could choose from. And that matched well with the gray team. For the gray team, one of the big challenges was creating somewhat realistic simulated network traffic. And the way the gray team decided to do this was with a web crawler.
There were hundreds of websites, which gave a good approximation of the variety you might see in real life. And we would take an MD5 hash of the websites and compare it with the MD5 hash of what they received when they requested the website. If they matched, then it's sent to the white engine: okay, good. If there wasn't a match, we could assume that there was something wrong with the website. It had been defaced, something had happened. And that gets reported to the white scoring engine and points start getting deducted.

For blue team, the console itself wasn't so much, like, the emphasis, because it was a basic network administration console. You have SSH and Wireshark and all your basic network tools. For blue team, the main challenge was making sure that we created the educational component to match the pacing of the scenario. When we did our proof of concept scenario, we deliberately designed it for the beginning level student. They might know firewalls, they might know networking. That wouldn't necessarily mean they had any familiarity with the tools that were specifically being used in the project. At the beginning level, we weren't expecting them to. But that also means that we're kind of penalizing them for not being super knowledgeable about a system that they had never seen before. So we decided to fix this through a series of email alerts. I used Tenshi, which is a log watch analyzer. And knowing ahead of time what attacks were coming, I could configure specific triggers to ensure that at the right time they would get various emails, some vague, some more pointed, that would help guide students on the correct path to what they needed to accomplish to basically win at the scenario.

So overall, it's an ambitious program. It's an ambitious project. I think it's probably going to take maybe two years to get it to the point where we would really like to see it, where you can just click it and it will download itself and it will install itself.
And it might ask you a few questions, but take care of everything else in the background. But that's what we're aiming for. That's what we're working towards. And if any of you guys are interested in the project or would like to keep a watch out for what happens in the future, we'd always be more than interested and happy to hear from you guys, whether it's ideas or anything else. I said I was going to end it early, and I think I managed to accomplish that. So I'm going to ask if anybody has any questions about the project.

Yeah, he asked if there were currently plans to basically record the entire session and let you play back what the attacks did, what you did in response. And that is one of the features that we are planning on implementing. It's one of the great things about the virtual environment. I mean, since it's all being done in bits and bytes anyway, it's not as hard as it would be otherwise to keep moving snapshots of what's happening. Anyone else?

It doesn't, mainly because the University of Rhode Island is still designing it, but it should have one up fairly shortly. We don't want to put up the portal until we have something ready. Right now we're in alpha testing, but we would want to at least get to, like, beta before we started releasing source code. I mean, it depends on how professional we want it. If you want it, like, super professional, like I said, one click installation, we're probably talking at least a year.

He's asking where we're targeting it towards, and the answer I want to give is towards everybody. We're specifically looking at, like, high school students and college students. I would like to make sure there was something for the IT professionals, because these are the people I think will eventually need to help us continue the project. But I mean, I'm actually not at the level of an IT professional myself yet. So we'd have to bring in people at that level before I knew exactly what would help. Right now the hardware requirements are basically nothing.
Because it's virtual, if you want to do a complex simulation, you're going to need a server. It can be a pretty cheap server, but the ones we're running at the University of Rhode Island are about $75,000. That said, the proof of concept one we created, you could run on any desktop that had about eight gigabytes of RAM.

Are we having modules for programming applications? Yeah. I mean, that's the plan. Like I said, our proof of concept was network defense, but we're definitely looking at what we could do for programming defense, because secure programming is obviously one of the most important parts of securing a network.

Do we have a way of weighting the systems differently? We could. I mean, like I said, one of the main emphases is on customizability and modularity. And if we want to weight different parts of the network differently, then all we have to do is modify the existing scoring engine algorithms.

I'm not the legal team, but it's going to be whatever license helps emphasize distribution and free use, basically. I mean, we don't want people making money off it, but if you can take it, change it and get more people interested, then more power to you.

And that is definitely the sign for "I have to go." Thank you, everyone. And like I said, if you've got further questions, I have business cards with my email address up here.
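The gray-team integrity check and the weighted white-team scoring described in the talk, as an added Python sketch that is not the OCCP project's own code: a crawler baseline of page hashes, a per-visit report (OK, DEFACED or DOWN), a 0-100 score whose availability and confidentiality coefficients can be retuned, and the randomized attack delay. The URLs, page bodies and weights are constructed sample values, and the function names are my own.

```python
import hashlib
import random

# Constructed sample: what the gray-team crawler saw at scenario start.
# The platform crawls hundreds of sites; three are enough to show the mechanism.
GOLDEN_PAGES = {
    "http://intranet.example/": b"<html><body>Welcome to ACME intranet</body></html>",
    "http://shop.example/": b"<html><body>ACME store - open 9 to 5</body></html>",
    "http://wiki.example/": b"<html><body>ACME wiki</body></html>",
}


def page_hash(content: bytes) -> str:
    # MD5, as in the talk; for change detection against a stored baseline the
    # digest only needs to be cheap to compute and compare on every crawl.
    return hashlib.md5(content).hexdigest()


def build_baseline(pages: dict) -> dict:
    return {url: page_hash(body) for url, body in pages.items()}


def gray_team_check(url: str, fetched, baseline: dict) -> dict:
    """One crawler visit. fetched is None when the request failed (service down)."""
    if fetched is None:
        return {"url": url, "status": "DOWN"}
    status = "OK" if page_hash(fetched) == baseline[url] else "DEFACED"
    return {"url": url, "status": status}


def white_team_score(reports, db_confidential: bool,
                     w_availability: float = 1.0, w_confidentiality: float = 1.0) -> float:
    """Weighted 0-100 score: service continuity versus database confidentiality.
    The weights are the coefficients a scenario author retunes (default: equal)."""
    healthy = sum(1 for r in reports if r["status"] == "OK")
    availability = healthy / len(reports) if reports else 0.0
    confidentiality = 1.0 if db_confidential else 0.0
    total = w_availability * availability + w_confidentiality * confidentiality
    return round(100 * total / (w_availability + w_confidentiality), 1)


def next_attack_delay(rng: random.Random, low_s: int = 120, high_s: int = 420) -> int:
    """Red-team pacing: a random gap (default 2 to 7 minutes) so defenders cannot set a clock by it."""
    return rng.randint(low_s, high_s)


if __name__ == "__main__":
    baseline = build_baseline(GOLDEN_PAGES)
    # Constructed crawl results: one site defaced, one unreachable.
    fetched = {
        "http://intranet.example/": GOLDEN_PAGES["http://intranet.example/"],
        "http://shop.example/": b"<html><body>owned</body></html>",
        "http://wiki.example/": None,
    }
    reports = [gray_team_check(u, c, baseline) for u, c in fetched.items()]
    print(reports)
    print("equal weights:", white_team_score(reports, db_confidential=False))
    print("confidentiality x2:", white_team_score(reports, False, w_confidentiality=2.0))
    print("next attack in", next_attack_delay(random.Random(1)), "seconds")
```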