Cyber Innovation Laboratory
The cyber innovation laboratory will allow businesses and academic researchers to test their cyber defenses against different attacks (malware, intrusion, denial-of-service and others) to support research, industry innovation, and training. The lab consists of data collection servers and its own self-contained, quarantined network that prevents malware from escaping into the University or global network. Sensors will be developed and placed throughout the network to collect data, and protocols exist to harmonize the data and aggregate it on the server in real time for analysis. Traffic will be generated on the network to replicate a real network and improve the fidelity of experiments. Exploit tools are continuously being tested for installation in the lab to simulate live attacks.
The reference architecture for the lab is presented in Figure 1. The current setup includes a 64-node Linux/Windows network, 32-node and 27-node Microsoft Windows networks, 4 small unmanaged switches, one large layer 3 switch, 1 network management server (to provide an Active Directory environment for the Windows machines), and 1 storage and compute server. The layer 3 switch is configured to mirror all traffic crossing it to a SPAN port that is connected to a Network Security Monitoring appliance. Host logs are aggregated on rsyslog servers that listen on each subnet. The three main elements of the lab are attack propagation, data collection, and integration of security devices; these are explained in more detail below:
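The data-collection side of this architecture is a pipeline of per-subnet rsyslog listeners feeding one harmonized store. The following added example (not the lab's own code) shows the harmonization step: raw syslog lines from Linux hosts and from Windows hosts are mapped onto one common record schema, tagged with the subnet they arrived from, and rolled up into per-subnet event counts. The subnet plan, the host names, the sample lines and the key=value body emitted by the Windows forwarding agent are all constructed assumptions; only the RFC 3164 line layout and Windows event ID 4625 (failed logon) are standard.

```python
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime

# Hypothetical subnet plan for the three lab segments; the real addressing is not published.
SUBNETS = {
    "linux-windows-64": ipaddress.ip_network("10.10.0.0/24"),
    "windows-32": ipaddress.ip_network("10.20.0.0/24"),
    "windows-27": ipaddress.ip_network("10.30.0.0/24"),
}

# RFC 3164 line as rsyslog relays it: <PRI>TIMESTAMP HOST TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Assumed key=value body produced by a Windows forwarding agent (not a real agent's format).
KV = re.compile(r"(\w+)=(\S+)")
# OpenSSH failed-password message as written to auth.log.
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Constructed sample input: (raw line, address of the relay it arrived from).
SAMPLE = [
    ("<38>Mar 12 10:15:01 lnx-web01 sshd[1234]: Failed password for invalid user admin from 10.30.0.7 port 51022 ssh2", "10.10.0.11"),
    ("<38>Mar 12 10:15:03 lnx-web01 sshd[1234]: Accepted publickey for deploy from 10.10.0.5 port 51030 ssh2", "10.10.0.11"),
    ("<86>Mar 12 10:15:04 win-dc01 MSWinEventLog: EventID=4625 Channel=Security TargetUser=admin IpAddress=10.30.0.7", "10.20.0.2"),
    ("this line is not syslog at all", "192.168.99.9"),
]


def subnet_for(ip: str) -> str:
    """Name the lab segment an address belongs to, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "unknown"


def harmonize(line: str, sender_ip: str, year: int = 2024) -> dict:
    """Map one raw line onto the common schema; never drop a line, mark it unparsed instead."""
    record = {"sender": sender_ip, "subnet": subnet_for(sender_ip), "raw": line,
              "event_class": "other", "user": None, "src_ip": None}
    m = RFC3164.match(line)
    if not m:
        record["event_class"] = "unparsed"
        return record
    # PRI encodes facility * 8 + severity; RFC 3164 timestamps carry no year, so supply one.
    facility, severity = divmod(int(m["pri"]), 8)
    record.update(
        host=m["host"], facility=facility, severity=severity, program=m["tag"], message=m["msg"],
        timestamp=datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").isoformat(),
    )
    if m["tag"] == "MSWinEventLog":
        fields = dict(KV.findall(m["msg"]))
        record["os"] = "windows"
        if fields.get("EventID") == "4625":          # Windows: an account failed to log on
            record["event_class"] = "auth_failure"
            record["user"] = fields.get("TargetUser")
            record["src_ip"] = fields.get("IpAddress")
    else:
        record["os"] = "linux"
        f = SSH_FAIL.search(m["msg"])
        if f:
            record["event_class"] = "auth_failure"
            record["user"] = f["user"]
            record["src_ip"] = f["src"]
    return record


def aggregate(records) -> Counter:
    """Roll-up the collection server keeps: events per (subnet, event_class)."""
    return Counter((r["subnet"], r["event_class"]) for r in records)


def run(lines_with_senders):
    records = [harmonize(line, ip) for line, ip in lines_with_senders]
    return records, aggregate(records)


if __name__ == "__main__":
    recs, counts = run(SAMPLE)
    for r in recs:
        print(json.dumps(r, sort_keys=True))
    for key, n in sorted(counts.items()):
        print(key, n)
```

The same failed-logon attempt from 10.30.0.7 shows up as one `auth_failure` record on the Linux segment and one on the Windows segment, which is the point of normalizing before aggregating: cross-OS correlation only works once both sources share a schema. Lines that do not parse are kept and counted rather than discarded, so a sensor that starts emitting an unexpected format is visible in the roll-up instead of silently vanishing.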
The lab is designed to accommodate network reconnaissance, penetration testing, launching attacks, and conducting post-penetration activities (e.g. lateral movement, data exfiltration). Several tools have been acquired for the attacks (open source, home grown, and commercial), and as attack vectors and the vulnerability landscape evolve, the portfolio of tools will evolve with them. The capabilities of the tools will include network mapping, network scanning and probing, reconnaissance, malware propagation, single-vector attacks (e.g. denial-of-service, session hijacking, spoofing), and password cracking. Post-exploitation activities will include reconnaissance, privilege escalation, installing key-loggers, and creating backdoors. Layered attacks will be facilitated through lily-padding, pivoting, proxying, SSH tunneling, and port forwarding.
The lab configuration is complete, with Windows and Linux operating systems and realistic applications that mimic an enterprise network topology. Different attack vectors have been identified, and live attacks are currently being launched and monitored in the system. A project is underway to develop the next generation of intrusion detection systems by correlating memory, network, and file system data. Use of the infrastructure has been on hold due to social distancing requirements. We are now opening it up for research collaboration with CHAaSM and starting data collection for research in the area.