NCL: Facilitating Cybersecurity Experimentation as a Community - - PowerPoint PPT Presentation



SLIDE 1

NCL: Facilitating Cybersecurity Experimentation as a Community

Liang Zhenkai, National Cybersecurity R&D Lab (NCL)

SLIDE 2

National Cybersecurity R&D Lab

  • National Cybersecurity R&D Lab (NCL)
    – Shared national infrastructure of Singapore for cyber-security research & development
  • Objectives
    – Simplify research and experimentation effort
    – Provide realistic testing environment
    – Enrich users' testing and validation
  • Offered services
    – Infrastructure, Ready-to-use Environments, Data

SLIDE 3

Services of NCL

Infrastructure
  • 200 Servers
  • Software defined network
  • GPU Servers
  • Flexible network topology

Environments
  • Ready-to-Use vulnerability configuration
  • Malware runtime
  • Cyber Range components

Data
  • Data collection
  • Malware
  • Akamai
  • Data hosting and access control
  • IMPACT dataset

SLIDE 4

Life Cycle of Cyber Security Research

(Diagram of the life cycle with the stages Attack Description, Setup, Research, Analysis and Solution; annotation: Goal: Reuse existing configuration efforts.)

SLIDE 5

NCL Infra from User’s View

(Diagram: NCL Infrastructure and Data Repo, as seen by the user.)

SLIDE 6

Virtual Enterprise Network

SLIDE 7

Catalog of Vulnerabilities

SLIDE 8

The WannaCry Ransomware

  • Outbreak on May 12, 2017
    – Infected more than 300,000 computers over 150 countries
    – Encrypting user files
    – Asking for Bitcoin
  • Target vulnerability CVE-2017-0143 (MS17-010)
    – Vulnerability in SMB (port 445), originally exploited in ETERNALBLUE
    – Patch released on March 14, 2017 by Microsoft

SLIDE 9

Virtual Enterprise Network

SLIDE 10

WannaCry Network Behavior

  • Kill switch
    – www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • HTTPS request to a few IPs
    – 199.254.238.52
    – 154.35.175.225
    – 128.31.0.39
    – .......
  • Random probing of next target
    – Local network first, then external network
    – Different interval of probing, 10 – 25 per second
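A defender-side way to turn the two behaviours on this slide (the kill-switch lookup and the fast, local-first probing of port 445) into detection logic over host telemetry, written here as an added example rather than code from the NCL slides. The event format, timestamps and hosts are constructed, and "local network" is assumed to mean the RFC 1918 ranges.

```python
from ipaddress import ip_address, ip_network

# Indicator taken from the slide; threshold from its "10 - 25 per second".
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
PROBE_RATE_THRESHOLD = 10  # distinct port-445 targets within one second
# Assumption: "local network" on the slide means the RFC 1918 ranges.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample telemetry (not real capture data):
# (milliseconds, source_ip, kind, target); kind "dns" -> target is the name,
# kind "conn" -> target is "dst_ip:port".
SAMPLE_EVENTS = [(0, "10.0.0.5", "dns", KILL_SWITCH_DOMAIN)]
# 10.0.0.5: 15 SMB probes to local hosts within 0.7 s, then two external ones
SAMPLE_EVENTS += [(1000 + 50 * i, "10.0.0.5", "conn", f"10.0.0.{20 + i}:445")
                  for i in range(15)]
SAMPLE_EVENTS += [(2000, "10.0.0.5", "conn", "203.0.113.7:445"),
                  (2100, "10.0.0.5", "conn", "198.51.100.9:445")]
# 10.0.0.9: benign, one lookup and one connection to a file server
SAMPLE_EVENTS += [(5000, "10.0.0.9", "dns", "fileserver.corp.example"),
                  (5100, "10.0.0.9", "conn", "10.0.0.8:445")]

def kill_switch_lookups(events):
    """Sources that resolved the kill-switch domain (cheap, high-confidence)."""
    return sorted({src for _, src, kind, tgt in events
                   if kind == "dns" and tgt.lower() == KILL_SWITCH_DOMAIN})

def smb_probes(events, src):
    """Chronological (ts, dst_ip) list of port-445 attempts by one source."""
    return sorted((ts, tgt.rsplit(":", 1)[0]) for ts, s, kind, tgt in events
                  if s == src and kind == "conn" and tgt.endswith(":445"))

def peak_probe_rate(events, src):
    """Most distinct SMB targets hit by src inside any sliding 1-second window."""
    probes, peak, start = smb_probes(events, src), 0, 0
    for end in range(len(probes)):
        while probes[end][0] - probes[start][0] > 1000:  # window of 1 s
            start += 1
        peak = max(peak, len({dst for _, dst in probes[start:end + 1]}))
    return peak

def local_first(events, src):
    """True if every local SMB target of src comes before any external one,
    the probing order the slide describes."""
    local = [any(ip_address(d) in n for n in LOCAL_NETS) for _, d in smb_probes(events, src)]
    return bool(local) and local[0] and local == sorted(local, reverse=True)

def suspicious_hosts(events, threshold=PROBE_RATE_THRESHOLD):
    """Hosts that asked for the kill-switch domain or probe SMB at/above threshold."""
    lookups = set(kill_switch_lookups(events))
    return sorted(src for src in {e[1] for e in events}
                  if src in lookups or peak_probe_rate(events, src) >= threshold)
```

The kill-switch lookup is a near-zero-false-positive signal on its own, while the probe-rate check also catches variants that never query the domain, so the two are combined rather than used in isolation.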

SLIDE 11

More Network Behaviors

  • Propagate but never connect with TOR servers
    – DB349B97C37D22F5EA1D1841E3C89EB4
  • Never propagate but do connect with TOR servers
    – 509C41EC97BB81B0567B059AA2F50FE8
  • Query a domain first, and do nothing if no response
    – 8DD63ADB68EF053E044A5A2F46E0D2CD

SLIDE 12

WannaCry System Behaviors

  • Malware related files appear
  • Background of desktop changes
  • Encrypted files ‘*.WNCRY’ appear
  • Notification window appears
  • Original files disappear

SLIDE 13

Variants of System Behavior

  • Different order of events
  • Different filename extension of encrypted files
    – E.g. ‘*.wry’ of 8DD63ADB68EF053E044A5A2F46E0D2CD
  • Different notification windows and backgrounds of desktop

SLIDE 14

Life Cycle of Cyber Security Research

(Diagram of the life cycle with the stages Attack Description, Setup, Research, Analysis and Solution; annotations: Goal: Reuse existing configuration efforts; Goal: Share and reuse research knowledge.)

SLIDE 15

Facilitating Research

  • A community-maintained resource set on NCL to support research
    – E.g. network behavior modeling, binary analysis to identify vulnerability for zero-days.

SLIDE 16

NCL as a Knowledge Base

  • With automated vulnerability setup, we can gather knowledge of experiments
  • E.g., three levels of information
    – CVE description
    – Executable environment
    – Analysis results from research projects

SLIDE 17

The NCL Platform

  • Flexible Infrastructure
  • Ready-to-use Environments
  • Data and data management
  • Community Knowledge Base

NCL Platform: http://ncl.sg