News

CyberPoint Interns Learn Penetration Testing, Among Other Things

This post documents the actions taken by our summer interns at CyberPoint. We presented them with a series of questions and their answers are un-edited below (they were warned).


First, let's start with introductions. Who are you? First names are fine. What were the projects you executed this summer at CyberPoint International? Please give us descriptive answers, but in your own words for each project. You worked on three separate things, what were they?

Our names are Lucas, Davis, and Ehren, and we are rising seniors at Gilman School who interned at CyberPoint International this summer. We worked on three projects. The first project was using Yoda's Protector and UPX to pack various malware files. The second project was creating a cluster for the Bro Intrusion Detection System which would send alerts if it detected any suspicious traffic on the network. Our final project was to use CATO to do penetration testing on a customer's website.

For CATO, can you please describe it in your own terms? What does it do? Do not describe or reveal details of the target(s) you focused on, these are considered sensitive to you and your 'customer'. Instead, tell me what kinds of things you did to your targets?

CATO is an application created by CyberPoint that places all the tools that one would need to perform penetration testing on one website. CATO also organized the findings and placed them in a database where they could be reviewed by other members of the team and automatically assigned CVSS ratings (a scoring system for vulnerabilities related to how dangerous they were to the integrity, accessibility, and confidentiality of the information) to vulnerabilities. Using CATO, we performed different types of scans such as Nikto and OpenVAS. Additionally, we discovered more targets like other domain names and IP addresses associated with the one we originally found and performed more scans on those targets. Without such a simple interface like CATO, the process of scanning the website would have been much more difficult and tedious.
cluster

How much introduction did you get to CATO and how to use it? Did you find it difficult to use?

We did not get much introduction to CATO; however, we did not find it very difficult to use with the limited knowledge of it that we had.

Tell me something that you learned while working with CATO? Did you learn about a new tool? A way to analyze a target for vulnerabilities? The process of analyzing targets for vulnerabilities in the first place?

We came in knowing almost nothing about penetration testing, save for what it was. We learned about the methods and process of finding vulnerabilities and things like the kill chain attack approach. CATO definitely helped us put the knowledge we gained to action.

For your Bro Cluster, what was the goal of this effort? What did you understand you were trying to accomplish? What does Bro do?

The goal of creating the Bro Cluster was to learn about computer clusters, Intrusion Detection Systems, Linux, and different kinds of traffic. The goal for the Bro cluster started off by being able to recognize and send an alert for an Nmap scan, but gradually evolved to being able to recognize malware traffic. Bro is an intrusion detection system which sits on and monitors a network and creates notices for suspicious traffic and activities.
cluster

You switched operating systems on your Bro cluster node partway through, why was that?

We switched operations systems partway through building the cluster because we found that some of the software necessary was not completely compatible with the original operating system. We started using Raspbian Stretch, then switched to Arch Linux, and finally to Ubuntu Mate.

For your Bro Cluster, tell me what you learned about the individual hardware of your cluster platform? What was the name of the platform? Did you like working with it? Did you dislike it? What platform did you use and what did you learn about it?

We learned how to configure a Raspberry Pi with different distributions of Linux, the first single board computer any of us had worked with. We also made a stack structure for the boards, making the hardware and wires more organized. We used three different distributions of Linux: Raspbian, Arch Linux, and Ubuntu Mate. Raspbian, a platform based on Debian and probably the most well-known OS (Operating System) for Raspberry Pis, and Arch Linux, a Linux distribution without a desktop environment and that is relatively straightforward and easy to use, both were not working with PF_RING, an essential component to the operation of a Bro Cluster. Finally, we came upon Ubuntu Mate which did work with PF_RING, so this is the platform we finally decided to settle on using. Overall, it was not very hard to use because it worked very similarly to Ubuntu 16.0.4 LTS, a platform we were familiar with. With all of the distributions of Linux we worked with, we learned more about operating in the terminal.

If unanswered in your introduction, tell me what you did to try and get the Bro system to recognize and alert on your actions? You did at least 3 independent things on your two connected laptops.

We setup the Bro cluster to monitor traffic going between two laptops. From one of the laptops, we ran an Nmap port scan on the other, which triggered a notice on bro. The second thing we did on our laptop was using a pcap file (a file which captures packets that moved across a network) downloaded from the internet which acted like a piece of malware was running across the network. We used Tcprewrite to edit the file so that it appeared that it was coming from one laptop to the other originally, and then used Tcpreplay to send the packets across the network. This also registered an alert for bro. Finally, we set up one of the laptops to host a server which had the EICAR test file (a file universally agreed upon by antivirus software developers that registers as a piece of malware for the sake of testing) as a downloadable link on it. We connected to the server from the other laptop and downloaded the file over Ethernet, but this did not register an alert.
cluster

Do you believe you have successfully proven that work is being divided up amongst all nodes in your cluster?

We cannot conclusively say that work is being divided amongst all nodes in the cluster. Documentation for Bro suggests using a physical hardware device as a load balancer, but we instead used one of the raspberry pis as the frontend. We used Tcpdump on one of the worker nodes to see all the traffic that it was seeing and saw that the manager was communicating with it. Additionally, we found log files that suggest that work is divided, but when timing the difference between how long it takes to register a notice using only one node versus 12, we found that there was not a significant difference in the timing. We hypothesize that the nodes are indeed dividing the work, but there was not enough traffic for there to be a significant difference in timing. We think that the difference would become apparent if we had a significant increase in the amount of traffic.

Did you have fun?

Definitely.

About CyberPoint

At CyberPoint, we work to create a future where individuals and organizations from across the globe can operate safely and securely in cyberspace and benefit from the technological innovations that increasingly connect our world. A rapidly growing cyber security company, CyberPoint integrates and delivers innovative, leading-edge services, solutions, and products to protect what's invaluable to customers worldwide. We discover the threats and vulnerabilities that expose data, systems, and infrastructure to compromise, we quantify risks, and we design defenses that provide critical protection. Learn more at cyberpoint.com.

12.23.15
Vicki Gumtow Featured in "Powered By Women: Meet Maryland's female tech leaders" (Daily Record)

12.23.15
CyberPoint wants the Force to be with you when thinking about your firm's cyber security (Baltimore Business Journal)

12.21.15
CyberPoint CEO Karl Gumtow Honored for International Leadership

12.21.15
CyberPoint Patents Similarity Search and Malware Prioritization

12.21.15
This video shows why the Death Star needed a cybersecurity platform (Technical.ly Baltimore)

12.21.15
CyberPoint's 2015 Women in Cyber Security Reception

12.3.15
Patent Issued for Similarity Search and Malware Prioritization (USPTO 9197665) (Equities.com)

11.17.15
Baltimore Artists Anna and Caroline Zellhofer, Selected to Create New Work for Annual Women in Cyber Security Reception

11.6.15
CyberPoint Delivers Keynote and Technical Talk at RSA Abu Dhabi

11.5.15
Karl and Vicki Gumtow: Giving back is everybody's business (Daily Record)

10.19.15
CyberPoint International Commits $1,000,000 to New Charitable Endowed Fund at the Baltimore Community Foundation

10.19.15
CyberPoint pledges $1 million to Baltimore community fund (The Baltimore Sun)

10.19.15
CyberPoint hopes to inspire others to give by creating $1M charitable fund (Baltimore Business Journal)

10.7.15
David S. Clapp and Vicki Gumtow Elected to Baltimore Community Foundation Board of Trustees

8.28.15
"Not the Wild West." Squadron Leader Emma Lovett, Royal Australian Air Force, Talks Cyberspace and International Law at CyberPoint Speaker Series

8.25.15
When Opportunity Knocks, CyberPoint Answers

8.13.15
CyberPoint Recognized as One of Fastest Growing US Private Companies—Making 2015's Inc. 5000 List

8.12.15
Keith Mularski, FBI Cyber Expert, Describes Cyber Mob-Busting at CyberPoint Speaker Series

8.5.15
CyberPoint Interns Set Sail!

7.27.15
Cybersecurity firm commissions work of art (Technical.ly Baltimore)

7.23.15
CyberPoint's Karl Gumtow Named One of Maryland's "Most Admired CEOs" by Daily Record

6.29.15
EY Names CyberPoint CEO Karl Gumtow Maryland Entrepreneur of the Year in Technology Category

6.26.15
Planit, CyberPoint founders take home 'Entrepreneur of the Year' awards (Technical.ly Baltimore)

6.25.15
CyberPoint Welcomes Fourth Year of Summer Interns!

6.24.15
CyberPoint Announces Next Speaker Series Guest: Keith Mularski from the FBI Cyber Squad

6.24.15
Challenge Accepted: CyberPoint is Getting Fit

6.9.15
DARPA Awards CyberPoint New $6M Research Contract

5.7.15
CyberPoint Supports the Fund for Rebuilding Baltimore

5.5.15
CyberPoint at RSA 2015

3.28.15
CyberPoint Supports the 2015 Women in Cybersecurity Conference

1.22.15
University of Maryland Highlight's James Ulrich's Research

12.2.13
Innovative New Product from CyberPoint Offers Secure and Convenient Coverage for Consumers Operating in Public Spaces

11.20.13
Dawn C. Meyerriecks, the CIA's Deputy Director for Science and Technology, Speaks at CyberPoint on Empowering Intelligence Integration

11.6.13
CyberPoint International Acquiring High-End Engineering Firm Bitmonix

10.21.13
CyberPoint Wins $5.4M Advanced Cyber Research Contract for DARPA VET Program

9.6.13
CyberPoint Celebrates 4th Year Mentoring Cristo Rey Jesuit High School Students

8.26.13
Security Ledger Talks About Prescient's "Made Overseas, Secured in America" Approach

8.22.13
CyberPoint's Prescient T700S-FW VTC System Named as Finalist for 2013 Golden Bridge Hardware Security Innovation Award

8.20.13
Bloomberg Adds CyberPoint's Prescient to the Conversation about Securing Technology Products Made Overseas

8.12.13
CyberPoint among Daily Record's "Innovators of the Year"

7.31.13
CyberPoint's CTIC hosts Technical.ly Baltimore's Meetup on Growing Maryland's Cybersecurity Industry

7.24.13
CyberPoint CEO Karl Gumtow Discusses Future of Cyber Security Industry

7.17.13
CyberPoint's David Tohn to Discuss New Approaches to Cyber Security Staffing and Training

7.16.13
CyberPoint's Paul Kurtz to Discuss Cyber Security for the Aviation Industry

7.8.13
Congressman Ruppersberger's Tech Trek takes him to CyberPoint

5.23.13
Robert Vamosi, Security Analyst and Bestselling Author, Speaks at CyberPoint on the Security Cost of Digital Convenience

4.17.13
Cyber Security Leaders Gather at the CTIC to Discuss Business Growth

3.19.13
Sherri Ramsay, Former NTOC Director, Speaks at CyberPoint on Why Cyber Security is a Team Sport

2.26.13
The Cyber Security LifeJourney™ Premieres at RSA 2013

2.26.13
Technology from China, Made More Secure in the US

2.20.13
RSA Update: CyberPoint's Jerry Caponera Will Speak About How Prescient Enhanced the Security of a Chinese-made VTC System

1.25.13
CyberPoint Recognized by Baltimore Magazine as one of the 'Best Places to Work 2013'

1.14.13
CyberPoint Develops DarkPoint, a New Tool Applying Machine Learning to the Problem of Automating Malware Analysis

1.10.13
CyberPoint Helps Prepare First-of-Its-Kind Cyber Jobs Report for Maryland

1.9.13
CyberPoint's James Ulrich Tells FloCon How CyberVaR Assesses Value-at-risk