By Gregory Moore
Mike Stanfield is a senior security analyst in the Center for Applied Cybersecurity Research (CACR). In the context of this post, Mike is also project liaison for the ResearchSOC. Mike oversees the technical integration with ResearchSOC partners and clients.
The DETER project (cyber DEfense Technology Experimental Research) helps address the critical strategic issue of cyber threats. DETERLab is an advanced testbed facility where leading researchers and academics conduct critical cybersecurity experimentation and educational exercises. — DETER website
We asked Mike to talk about how ResearchSOC is using DETERLab.
Recently, we started engaging with the National Radio Astronomy Observatory in New Mexico. This is a great example of the peculiar challenges facing ResearchSOC. They are obviously a little different than your standard enterprise setup like we have here at Indiana University or at any bank or other business. For them, off-the-shelf solutions don’t really work, and no one really knows what to do to secure a telescope. ResearchSOC is building customized solutions to help provide projects like this some baseline security for these large expensive instruments that the NSF is funding.
We’re using the DETERLab setup that allows us to essentially build a test network topology. We design it and load it into DETERLab’s system. It spins up a variety of machines for us to emulate to test different kinds of network configurations and see how our services will run in those networks. This is all new research—we’re building these things that have never been used in this kind of capacity before. We are using DETERLab as a proving ground that tests these things before we try to engage one of these big telescopes. We don’t want to just start sticking things on the networks that the telescopes use that haven’t been thoroughly tested.
DETERLab allows us to programmatically define a network. I can say ‘I need a network that has these 10 different hosts on it, I want them to be running this operating system, and I want them to be connected to each other through this local link, or I want everything to route to this one box.’ I just define that in a file and then I upload it into their system. Their system parses that file, figures out what I’m trying to say, and builds that for me automatically.
I can go get some coffee, come back, and now I have my test network up and running. I can remotely log into each of those machines, configure them to my liking, and do my testing. The other advantage is DETERLab was specifically designed for security research, so they provide some nice things for that. For example, they specifically provide some vulnerable hosts that we can use—like software stacks that we know are vulnerable to various kinds of attacks.
I don’t have to manually configure something as broken, and since they already had that in mind, they’ve taken some precautions. If something were to go wrong with my setup and something were to get compromised there, I’m not going to compromise the other experiments that are running in their testbed.
That potential risk was a problem as we were looking for ways to test vulnerabilities. It’s kind of hard to say to the Information Security Office here at IU, ‘I want to stand up a purposely vulnerable box and I want to connect to the internet. Are you guys OK with that?’ That’s what the DETER folks do. They were able to accommodate us to set up that sort of testing off site. The DETER folks have been super helpful. Being able to find a service like this designed for security research is just much easier.
Their biggest clients are probably professors who want to set up a simple lab for their students to test these more dangerous, risky things in a controlled environment. A lot of their documentation points to that use case. But since we’re doing something similar—just more of a larger research project instead of a course—we’re able to benefit from that.
The setup has its quirks, but those quirks really come from the fact that it is designed to do what it does in the way it does with this nice segregation protecting different users from each other, protecting them from the internet, and making sure a compromise wouldn’t impact everyone. Of course, that introduces some complexity. There are some things we’ve had to work around to do the things we want to do since what we’re trying as part of our research isn’t exactly just some students in a class. We’re testing running enterprise tools connecting to the internet, so the challenges are different. The DETER folks have been super supportive, super helpful, and it’s been easy to get support when we have problems.
Our goal is to get a firm understanding of how our project is going to work. The ResearchSOC is combining some things that already exist. We’re taking the OmniSOC here at IU to do 24/7 monitoring. We’re taking a project from Duke University called STINGAR which is like an automated honeypot system. We’re taking another project out of the Pittsburgh Supercomputing Center (PSC) that is a vulnerability identification service. It is the key thing that we’re testing on DETER. PSC is building infrastructure to do automated vulnerability scans, so they have some machine setups where they run this software. They can point it at a network, scan every host on that network looking for vulnerabilities, and aggregate those back into a report that they provide to ResearchSOC.
Those sorts of things have existed for a while. But not a lot of people have been deploying it, even at academic institutions and definitely not at research institutions. We’re working with PSC to figure out how to scan these kinds of novel networks—like a telescope—that have sensitive systems. We don’t want to accidentally damage them by scanning them when they were never intended to be scanned. Part of our testing is doing some basic calibration and making sure when scanning that everything works, that our data collection is functioning properly, and that we’re able to scan and generate data and ingest that data into other systems.
Having DETER set up a vulnerable system to allow access from our scanner has been helping PSC to tune their product and helping us tune how we’re going to collect that data and ingest it—coming up with reports, how are they going to look, and how we triage false positives. DETER is really helping us set up that whole workflow.
I think DETER is especially good for people wanting to do academic security research where finding the right hardware and the network space when you’re on a campus or in a lab is very difficult—especially for smaller universities or smaller research projects that don’t have access to some of the resources we have here at IU. I’m very happy that they are providing this service and I hope people become aware of it so they can take advantage of it.
Hopefully this post will help raise that awareness.
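To make the “define the network in a file and upload it” step concrete, here is an added example of the kind of experiment description DETERLab accepts; it is not taken from the ResearchSOC post or from the DETER project’s own documentation. DETERLab inherits the Emulab NS format, a small Tcl dialect in which each host is a node, links and LANs join nodes, and the testbed allocates and wires the machines when the file is submitted. The topology below mirrors the workflow Mike describes: one scanner host on its own link, a router, and a LAN of target hosts behind it, built with a loop so the host count can be changed in one place. The node names and the OS image identifier (UBUNTU-PLACEHOLDER) are assumptions; real image IDs come from the testbed’s own image list.

```tcl
# Added example, not code from the ResearchSOC post or the DETER project.
# Emulab/DETERLab NS-format experiment description: a scanner host, a router,
# and a LAN of target hosts that sit behind the router. The OS image ID
# UBUNTU-PLACEHOLDER and the node names are placeholders; substitute the
# image IDs listed by your testbed.
set ns [new Simulator]
source tb_compat.tcl

# Scanner host, standing in for the vulnerability-scanning machine.
set scanner [$ns node]
tb-set-node-os $scanner UBUNTU-PLACEHOLDER

# Router that all traffic between the scanner and the targets passes through.
set router [$ns node]
tb-set-node-os $router UBUNTU-PLACEHOLDER

# Target hosts that will be scanned; change the bound to resize the LAN.
set targets ""
for {set i 0} {$i < 4} {incr i} {
    set target($i) [$ns node]
    tb-set-node-os $target($i) UBUNTU-PLACEHOLDER
    lappend targets $target($i)
}

# Point-to-point link from the scanner to the router.
set scanlink [$ns duplex-link $scanner $router 100Mb 0ms DropTail]

# Shared LAN joining the router and every target host.
set targetlan [$ns make-lan "$router $targets" 100Mb 0ms]

# Let the testbed compute static routes so the scanner reaches the LAN
# only by way of the router, matching the "route everything through one box" case.
$ns rtproto Static
$ns run
```

Keeping the scanner on a separate link from the target LAN is what makes the calibration work described above measurable: every scan packet crosses the router, so the router node can capture or rate-limit traffic while the scanning service is tuned, and the target hosts can be swapped for images the testbed marks as vulnerable without changing the rest of the file.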
The work of the DETER team is supported by funding from the U.S. Department of Homeland Security Science and Technology through their support for the DETECT project. Additional support includes: DARPA funding for the SAFER project; National Science Foundation (NSF) funding via CISE and OCI grants and the GENI Project Office.
Since the 2003 inception of the original NSF/DHS-funded initial project, DETER has been supported by the NSF, DHS, DARPA, and DoD/AFOSR, in a series of grants for a variety of efforts including infrastructure expansion, testbed operations, community support, and research collaboration. Additional hardware resources have been contributed by Hewlett-Packard, Cisco, Juniper, and Sun. See https://deter-project.org/
The Research Security Operations Center (ResearchSOC) is a collaborative security response center that addresses the unique cybersecurity concerns of the research community. ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research. For more information on the ResearchSOC, visit our website or email firstname.lastname@example.org.