Building Cyber Exercise Environments for AnsibleFest 2015

On GitHub: mattkaar / ansiblefest-2015

Building Cyber Exercise Environments

Matt Kaar, Cyber Workforce Development, AnsibleFest 2015

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under
Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the
Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect the views of the United States
Department of Defense.

References herein to any specific commercial product, process, or service by trade name,
trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by Carnegie Mellon University or its Software
Engineering Institute.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL
IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO,
WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED
FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY
KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution. Please
see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely
distributed in written or electronic form without requesting formal permission.
Permission is required for any other use. Requests for permission should be directed to
the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0003066

Cyber Intrusions

The Internet can be a dangerous place…

Sony Pictures

Response to the planned release of The Interview, starring Seth Rogen and James Franco.

Ashley Madison

PII for 33 million accounts released.

The "Full delete" option still retained the GPS coordinates of each account.

Penn State University, College of Engineering

Attack began in 2012. Discovered in 2014, attacker identity unknown. Cut connection to the Internet in mid-2015. 18,000 staff and students notified that PII was compromised.

U.S. Department of Defense, Joint Chiefs of Staff

(…) an unclassified email system (…) was taken down for 12 days after they received sophisticated "spear-phishing" emails (…)

The emails appeared to be from USAA, a bank that serves military members, and each sought to persuade the recipient to click a link that would implant spyware into the system.

www.latimes.com/nation/la-na-cyber-spy-20150831-story.html

United States Office of Personnel Management

Cyber Exercises

Defenders need practice.

Facebook

PhishMe

CERT Division, Software Engineering Institute, Carnegie Mellon University

Practice hands-on cyber offense and defense

Simulation, Training and Exercise Platform (STEP)

Diverse Virtual Machine Environments

Operating Systems/Cloud

Networking

Security

Web/Databases

Apps/Development

User simulation

It is impossible to fill an exercise with a realistic user population.

We need to create users that perform normal behaviors, which creates the 'noise' and keeps defenders honest.

Users 'complain' when things don't work.

Automated Assessment

Constructive feedback

Scoreboard and rankings

Gaming Elements

Exercise Construction

AKA, where Ansible fits into all of this…

Ansible's goals are foremost those of simplicity and maximum ease of use. It also has a strong focus on security and reliability, featuring a minimum of moving parts, usage of OpenSSH for transport (…), and a language that is designed around auditability by humans — even those not familiar with the program.

docs.ansible.com

First Contact—October 2012

On Sun, Oct 14, 2012 at 4:55 PM, Matt Kaar wrote:

Jason,

<snip>

In other news, I stumbled across this distributed SSH tool that will
hopefully make it easier to run jobs across our many sensors.

http://ansible.cc/

I know you've already got Python scripts cooked up for your backend
stuff, but figured I'd pass it along just in case.

-Matt

Old Construction Process

Build virtual machine from scratch or clone existing disk.

Make changes that add uniqueness to VM—add scripts to apply custom variables at deploy-time.

Save new disk image ready for future deploy.

Issues

Finished virtual machines became stale over time. No quick way to recreate them—lots of patch jobs.

Too much effort applied to keep opaque VMs up and running (domain controllers, Exchange servers, etc.)

Process revolved around logic stored in individual VMs—orchestration was difficult.

Project EMMET

The Master Builder

EMMET's Build Process

EMMET's Toolkit

Packer

ISOs go in, seed images come out.

A seed image is a minimal OS install ready for Ansible management (SSH or WinRM enabled).

Seed Image Pipeline

  • Windows (XP/7/8/10)
  • Windows Server (2003/2008/2012)
  • CentOS
  • Ubuntu
  • Security Onion
  • Kali Linux
  • Arch Linux
  • CoreOS
  • VyOS
  • pfSense
  • Solaris
  • VMware ESXi

Ansible

Takes a seed image and automates everything else.

  • Windows Domain Install
  • Adding Synthetic User Accounts
  • MS Exchange/Email Setup
  • Manage a Certificate Authority
  • Multi-network DHCP
  • Purposely inserting vulnerabilities into VMs
  • Inserting malware/bots in a simulated Internet
  • Deploying the STEP platform itself

Why we chose Ansible…

Readability

With many exercise developers on the team, we needed a tool that kept playbooks simple.

Also, 'dusting off' older playbooks to use down the road needed to be as painless as possible.

Windows Support

Many of our playbooks involve setting up Windows applications and services (Active Directory, Exchange, IIS, MSSQL, SharePoint)

Dear Red Hat: Please keep Windows support. :) #ansibleallthethings

Separation of Playbooks and Roles

Playbooks are focused at the project level—include specific implementation details.

Roles stay more generic (e.g. Active Directory install, deploy botnet, etc.)—this encourages reuse among teams.

$ tree -d emmet-ansible
emmet-ansible
├── group_vars -> playbooks/customerA/group_vars
├── library
├── playbooks
│   ├── customerA
│   │   └── group_vars
│   └── customerB
│       └── group_vars
└── roles
    ├── apache_web
    │   └── tasks
    ├── domain_controller_2008
    │   ├── files
    │   └── tasks

What's Next?

Domain Auth via Kerberos

Continuous Integration

First with seed images…

…then with Ansible roles.

Finally, playbooks for entire exercise environments.

Takeaways

Ansible allows us to move faster and with better repeatability.

Simple enough to get the entire team building playbooks.

Extensible to hardware and operating systems outside of supported Ansible modules.

The End

Matt Kaar @mattkaar
