User Guide

Who is this guide for? This guide is for every user of the OCCP, scenario contributors, and developers. It gives background about the platform, installation options, and its general usage.

The OCCP Documentation is in development. The Subscribe page is active so that you can sign up for notifications of releases. The Project Plan page shows the current development schedule.

General OCCP Concept

The OCCP concept is based on this design:

  • Virtual Scenario Network (VSN) – a network of virtual machines representing an organization's IT infrastructure (network, servers, workstations, data stores, IT tools, etc.)
  • Gray Team - scripts that generate “normal” use of the VSN services.
  • Red Team – people or scripts that attack the VSN to deny/corrupt services, steal data, etc.
  • Blue Team – people or scripts that represent the IT staff for the VSN.
  • White Team – people and scripts that monitor/support the system, and officiate/score the challenge instance.
The OCCP supports several challenge types. Current challenge types include:

  • Network Defense – Blue Team is students, Red Team is scripted attacks. Positive points are assigned to Blue for services kept active; negative points are assigned to Blue for data stolen and services denied.
  • Secure Programming – Blue Team is student programmers, Red Team is scripted attacks (e.g. SQL injection). Negative points are assigned for data stolen and services denied.
  • Penetration Testing – Red Team is students, Blue Team is scripted. Positive points are assigned for data stolen and services denied.
  • Incident Response – Red Team is a scripted attack; the Blue Team of students must find what data was stolen and who did it.
  • Digital Forensics – The Blue Team are students who search for evidence in the VSN. The Red Team is scripted but optional: there may be an ongoing malicious component, or the Red Team may be dormant.
  • Malware Analysis – The Blue Team are students who search for malware in the VSN and diagnose it. The Red Team is scripted but optional: there may be an ongoing malicious component, or the Red Team may be dormant.

A specific instance of a challenge is called a scenario. Here is a description of a proof-of-concept Network Defense scenario.

All OCCP scenarios require the installation of the Administrative VM, which does the work necessary to set up the rest of the scenario. The Administrative VM accepts a scenario package (described below), and then configures the Game Server, VSN, and other support machines as required.

Game Server: The Game Server is a VM for running the scenario. It:

  • Runs all Gray script actions (e.g. “normal” service requests to the VSN)
  • Runs all automated team scripts (e.g. Red scripts in a Network Defense challenge).
  • Interacts with the Gray scripts and Team scripts to track the score
  • Controls the Game Clock
  • Provides White Team services such as communication with the players
  • Exposes Web services for:
    • Moderator monitoring of the challenge scenario
    • Spectator monitoring of the challenge scenario
    • Player monitoring of the challenge scenario
  • Can be interacted with using the Game Server Web Application

Italics denote features to be implemented

Administrative VM: This VM is used by the administrators before a challenge instance to:

  • Start the Game Server & VSN VMs;
  • Automatically reconfigure the VMs of the scenario, if necessary;
  • Automatically set up VPN networking for remote VMs, if necessary.

Scenario Package: The download of an OCCP scenario is in the form of a scenario package with these components:

  • Documentation on the specific scenario for the Administrators (e.g. goals of the scenario, required skill sets of the participants, training materials for participants, network topology, etc.)
  • Templates for documentation to be provided to the players (goals, network topology, initial passwords, etc.)
  • Virtual Scenario Network Virtual Machines
  • Player Virtual Machines
  • A Scenario File – an XML file that is read by the Game Server and Administrative VM components of the OCCP at start-up to configure the scenario. The scenario file contains:
    • A description of the Gray actions for the Game Server to perform. This description includes the action to be performed, and when it is to be performed.
    • A description of the automated team actions for the Game Server to perform. This description includes the action to be performed, and when it is to be performed.
    • A description of scoring events and their weights. This is used by the White scripts to score the challenge scenario.
    • A description of the VSN, such as what servers it has and what the content of the servers is. This allows the Administrative VM to manage the other VMs.

The scenario file XML tags are described in Scenario File.

The VMs are packaged in the Open Virtualization Format (OVF) file format (see http://dmtf.org/standards/ovf), which is a widely-used text file format that specifies VM configurations. OVF can be used to specify VMs for most prominent hypervisors, including VMware and VirtualBox.

Installation Roadmap

This section aims to guide you in determining the installation requirements of the OCCP. Because the OCCP is designed to be flexible, you will need to make decisions based on the infrastructure available to you, your experience level, and your usage goals. This section outlines various options available to you, but is by no means exhaustive. Users with higher technical abilities may use other hypervisors or setups by performing additional configuration on their own.

Note: As development of OCCP continues, elements of this roadmap will change. We wish to automate various phases and to provide documentation of more advanced setups we are unable to automate for the user.

Quicker Start Guide: If you just want to demo OCCP without any commitments or design choices, the Quicker Start Guide may be for you. The assumptions that guide makes may leave you with a less than ideal setup for your particular infrastructure; it is only meant for trying OCCP quickly. If you intend to actually use OCCP, you should follow this section instead of the Quicker Start Guide.

Steps

Choosing a Hypervisor

  1. What hardware do you have available to you?
  2. What are the requirements of the scenarios you intend to run?

These two questions will go a long way in determining which hypervisor is right for you. No matter which hypervisor you choose, you must ensure that it can provide enough resources to accommodate the virtual machines in the scenarios you intend to run. Remember that the minimum requirements in the installation documentation for each HV do not take into consideration the additional resources the VMs will need.
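Before committing to a hypervisor, it helps to total what the scenario's VMs actually declare rather than relying on the HV's own minimums. The following is an added example, not OCCP or OccpAdmin code: it reads the processor and memory items from OVF descriptors of the kind the scenario packages use and checks them against a host's resources while keeping headroom for the hypervisor itself. The two-VM descriptor is constructed for illustration and the 2 GB reserve is an assumption.

```python
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
RASD_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
NS = {"ovf": OVF_NS, "rasd": RASD_NS}
RT_PROCESSOR, RT_MEMORY = "3", "4"  # CIM ResourceType codes used by OVF hardware items


def vm_requirements(ovf_xml):
    """Return {vm_name: (cpus, memory_mb)} for every VirtualSystem in an OVF descriptor."""
    result = {}
    # .// also finds systems nested inside a VirtualSystemCollection
    for vs in ET.fromstring(ovf_xml).findall(".//ovf:VirtualSystem", NS):
        cpus = mem_mb = 0
        for item in vs.findall("ovf:VirtualHardwareSection/ovf:Item", NS):
            rtype = item.findtext("rasd:ResourceType", None, NS)
            qty = int(item.findtext("rasd:VirtualQuantity", "0", NS))
            if rtype == RT_PROCESSOR:
                cpus += qty
            elif rtype == RT_MEMORY:
                # OVF states memory units as "byte * 2^20" (MB) or "byte * 2^30" (GB)
                units = item.findtext("rasd:AllocationUnits", "byte * 2^20", NS)
                mem_mb += qty * (1024 if units.strip() == "byte * 2^30" else 1)
        result[vs.get(f"{{{OVF_NS}}}id")] = (cpus, mem_mb)
    return result


def fits(host_cpus, host_mem_mb, requirements, reserve_mb=2048):
    """True if every VM fits while keeping reserve_mb of RAM for the hypervisor itself (assumed reserve)."""
    need_cpus = sum(c for c, _ in requirements.values())
    need_mem = sum(m for _, m in requirements.values())
    return need_cpus <= host_cpus and need_mem + reserve_mb <= host_mem_mb


# Constructed two-VM descriptor, trimmed to the hardware items the check reads.
SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}" xmlns:rasd="{RASD_NS}">
  <VirtualSystem ovf:id="gameserver">
    <VirtualHardwareSection>
      <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>2</rasd:VirtualQuantity></Item>
      <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits><rasd:VirtualQuantity>2048</rasd:VirtualQuantity></Item>
    </VirtualHardwareSection>
  </VirtualSystem>
  <VirtualSystem ovf:id="webserver">
    <VirtualHardwareSection>
      <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>1</rasd:VirtualQuantity></Item>
      <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:AllocationUnits>byte * 2^30</rasd:AllocationUnits><rasd:VirtualQuantity>1</rasd:VirtualQuantity></Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>"""
```

Run `vm_requirements` over each OVF in a scenario package and pass the merged dictionary to `fits` with the host's CPU count and RAM in MB.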

If you can afford to dedicate a machine to being your OCCP hypervisor then a type 1 hypervisor is a good choice. The machine should be fairly robust and be able to accommodate several virtual machines simultaneously. If you cannot afford to dedicate one machine to OCCP or do not have resource rich hardware, you may be able to make use of a type 2 hypervisor.

Type 1 Hypervisor Choices

These hypervisors will require you to install on a dedicated machine. They are bare-metal hypervisors and typically have certain hardware requirements to ensure a successful installation and usage. Installation of these hypervisors is generally well documented but does require more effort than a type 2 hypervisor.

Type 2 Hypervisor Choices

These hypervisors are installed on top of your operating system as a program. Though easier to install than a type 1 hypervisor, the virtual machines must share resources with the host operating system.

The OCCP depends on having at least one hypervisor to use but is capable of working with several hypervisors at once. More detail about possible configurations and licensing options for hypervisors can be found on the Deployment Methods page.

Configuring your Hypervisor(s)

TODO: As the OCCP is still under heavy development, best practices for configuring your hypervisors have not yet been established. However, the current OccpAdmin program is able to make some configuration changes for you if they are required. This of course relies on the program's ability to connect to the hypervisor's API and on having proper permissions to do so. The OccpAdmin program can also support the use of multiple hypervisors. If you wish to leverage multiple hypervisors, please see: Distributed Deployments.

Install the Administrative VM

Please refer to: The Installation Section

Install the SetupVPN

If you are using more than one hypervisor and any of your VSN machines will be on a different hypervisor than your Administrative VM, then you will need the SetupVPN installed. To do so, please refer to: The Installation Section

Installing a scenario

Each Scenario Package should be self-contained and have information on its download page about options, use, and description. After downloading and unpacking the scenario to the proper location for your Administrative VM, you should make any necessary edits to the Scenario File. For instance, you may wish to change the RAM or other variables for your needs. Finally, you can use the deploy mode of the OccpAdmin program to install the scenario. The OccpAdmin program will import the VSN, configure the networking, and take proper snapshots.

Running a Challenge

When it is time to run the challenge, simply run the OccpAdmin program in launch mode. Once the OccpAdmin program reports success you can shut down your Administrative VM and transition to your GameServer where you can launch the challenge.

Concluding a Challenge

The OccpAdmin program provides a "poweroff" mode that will shut down all VMs that it started for the challenge.

Advanced Setups

If you are able to, or need to, make use of multiple hypervisors for the OCCP, you'll need to be aware of some additional components. If you are only using one hypervisor, the Router VM will be deployed for you. However, once more than one hypervisor is involved, you must install the SetupVPN on every hypervisor you intend to use other than the one your Administrative VM is on. With that VM in place, the OccpAdmin program can also install the VPN System for you. When your VSN spans multiple hypervisors, the VPN will facilitate networking as if the VMs were on the same hypervisor. Such a setup will also require a map file, which dictates which VMs are on each hypervisor and where to put the router. More information about this can be found at: Distributed Deployments

Glossary

The definitions found here are used throughout the OCCP project. We attempt to define them in clear terms that can be used consistently in all documentation.

Base VM - a VM that has a specific configuration that allows the OccpAdmin program to perform additional configurations and create other VMs.

Challenge - a type of game play style. Examples include Network Defense, Capture the Flag, Insider Threat, among others.

Hypervisor - see Hypervisor Information. That article also defines Type 1 and Type 2 hypervisors in its Classification section.

Instance - a single run of a scenario.

Instance File - a slightly modified version of a Scenario File containing instance-specific parameters.

Scenario File - describes the general network setup, scoring and scripted events for a Scenario.

Scenario - a challenge that has been configured with content over a particular scenario network.

Commonly Used Acronyms & Abbreviations

HV - Hypervisor

IDE - Integrated Development Environment

ISO - [File Extension] Disk Image

OCCP - Open Cyber Challenge Platform

OS - Operating System

RDP - Remote Desktop Protocol

UAC - User Account Control

VDI - Virtual Desktop Infrastructure or [File Extension] Virtual Disk Image

VM - Virtual Machine

VPN - Virtual Private Network

VSN - Virtual Scenario Network