KC7 – Intrusion Analysis

The SANS CTI Summit occurred earlier this week and even though I was not able to attend in person, I was able to join remotely. As always there were lots of great talks but the one that caught my attention was for in person attendees only. This talk was for a new Open-Source project called KC7. The name comes from the 7 stages of the Lockheed Martin Cyber Kill Chain. You can follow the project on twitter @KC7cyber.

The genius behind this game is Simeon Kakpovi and Greg Schloemer. They did an episode of SANS Threat Analysis Rundown with Katie Nickels.

The unique thing about this project is that it aims to use real threat data and the actual tools cybersecurity professional’s use to help anyone learn the art of Intrusion Analysis in a gamified format. Normally, this is the kind of data you cannot get access to without already having a job in the field. The KC7 Github page states the following.

KC7 allows you to learn the big picture of cybersecurity analysis and threat intelligence using realistic data. The game simulates an intrusion by multiple cyber threat actors against a fictitious company that spans the entire Cyber Kill Chain.

Players use Kust Query Language (KQL) queries to triage logs in Azure Data Explorer to:

• Investigate suspicious activity in the company’s environment.
• Pivot on known actor indicators to uncover additional selectors and find more intrusion activity.

Game players get experience triaging Web, Email, and Endpoint audit logs.

Getting Started

Pre-Built Data

The great thing about this is that you do not need any special hardware to participate, and it is easy to setup. All you need is a web browser and a free account for Azure Data Explorer. The GitHub page for this project has a getting started video and documentation. You can also download the KC7 – Cyber Challenge Training.pdf which introduces you to the scenario, key nomenclature and concepts, an introduction to the Kusto Query Language (KQL) and a series of questions to answer from the data.

How AWESOME is that?! But wait, there’s more!

Hosting your own game

What you need.

They also built a web-app in which you can dynamically generate a new dataset. This option is a bit more complex and requires some additional work which is what I am going to focus on in this next part. With this option you can host your own game for your career day event at your local high school or university. It can also be a great training exercise for professionals wanting to skill up.

What you will need:

• A computer on which to host the server.
• The code located at https://github.com/kkneomis/cyber-challenger.git
• An Azure account (free)
• Azure Data Explorer Cluster Service (Free but have to sign up and provide a credit card as proof of identity. The nice thing is that unlike most things the auto-renew is not turned on by default.)

• Some time. (~ an hour or so).

Setting up the host.

So, lets dig in and get started setting it up. The first thing we need is a machine to run the server. For this I created a virtual machine (either VirtualBox or VMWare) on my laptop with the Guest OS of Ubuntu Desktop 22.04 LTS. I am assuming you know how to do this. When setting up the guest I left it as 2 cores and 4GB of Memory. I also chose the bare bones version of the install.

Once the guest is up and running, I ran the following commands to install what was needed as well as a few preferential items.

Needed:

• git
• python3
• python3-virtualenv (while not required it is a good idea as it allows you to create a virtual environment in which to install the requirements of a project while keeping your host OS code environment clean.)

My preferences:

• vim (My preferred cli text editor)
• terminator (my preferred terminal as it is easy to split the screens)

The commands:

sudo apt update && sudo apt upgrade -y && sudo apt auto-remove

This command updates the apt repositories, downloads and installs the updates and then removes any packages that are no longer needed.

sudo apt install python3 python3-virtualenv git vim terminator

The above command installs the required items as well as the preferred items.

virtualenv cyber-challenger
mv cyber-challenger test
git clone https://github.com/kkneomis/cyber-challenger.git
cd test/ && mv * ../cyber-challenger && cd .. && rm -rf test/
cd cyber-challenger
source bin/activate
pip install -r requirements.txt
pip install tabluate

The above commands will create a virtual python environment, download the cyber-challenger repository from git and move it into the virtual environment. The environment will then be activated, the required python modules in requirements.txt will be installed as well as the required tabulate module. Tabulate is not in the requirements.txt file but is required to run the server.

You can now type the following command to start the server:

python app.py

You will then see the following output to your screen:

As you can see this is running on the localhost on port 8889. So, open up the browser on your VM and navigate to http://127.0.0.1:8889/login. You will then be presented with the following webpage.

Login with the default credentials of admin for both the username and password. Once you login you will see the following:

Over to the official documentation to setup Azure.

We could start the game now, but it would just log everything to a local database and not push anything to your Azure Data Explorer Cluster which is needed for you or others to play the game. So, head over to the official documentation on the KC7 Wiki about setting up your Azure Data Explorer cluster in the Azure Portal.

Follow the documentation to set everything up in azure, grant permissions and register your app as well as gather the needed environment variables. Please see below for the notes on these steps for some issues I ran into and how I worked around them.

NOTES:

1. Your subscription option from the drop-down will likely be different.

2. You will have to choose a unique cluster name. If you try to use “kc7round1” you will get an error as it is already in use.

1. You can leave this at its default so it likely will not be the same.
2. Once you click the Review and Create button it will take a while before you are able to move onto the next section (step 4 in the official documentation) and create your database. (~10 minutes or so).

Now it should be smooth sailing until we get to Register an application.

1. The default here prevented me from granting a game user with a personal email@outlook.com access to the cluster to pull down the information into their Azure Data Explorer instance. This is likely the option you would want if you are going to be hosting this as a training exercise at a single company.
2. This is the one I chose as it will allow me to grant a user with a work or personal account access to the cluster to pull down the information into their Azure Data Explorer instance.
3. This option would be what you would want to choose if you were going to run this for a high school or college event.

Back to the VM for the final steps.

Now that we have followed the official documentation and gathered our environment variables it is time to go back over to our VM to put them in the config.py file.

Open up your terminal and navigate to the cyber-challenger directory. Before we start making changes to the config.py file I recommend making a backup of it using the following command.

cp config.py config.py.bkp

Now open up config.py in your favorite text editor (mine will be VIM).

If you are following along with exactly what I am doing here is a brief intro to vim. When you open up a file you will be in command mode. You issue commands to vim by using a colon : (must press shift to use the colon) and then letters or words. The 3 command we will use will be w for write, q for quit and if you make unwanted changes and need to force quit the command will be q! In order to edit the document, you need only press the i to enter edit mode. In edit mode you use the arrow keys to navigate. The delete or backspace key to delete text. Anything you type will appear on the screen while you are in edit mode. To exit edit mode and enter back to command mode you need simply to press the Esc key. See the box below for how the command mode commands would appear in vim.

:
:w
:q
:q!
i

Now lets get to editing the config.py file. When you first open the file it will appear as:

When putting in your environment variables in the appropriate spot you will replace everything in between the { } including the curly braces themselves.

Don’t close this file just yet. We need to make one more change in order to allow the server to push the generated data into your Azure Data Explorer cluster.

Just below the CLIENT_SECRET variable is another section of code:

1. This ADX_DEBUT_MODE=TRUE will prevent the data from being uploaded to your cluster.

We simply need to change the True to False as seen below.

1. As you can see it now reads false.

Go ahead and save the file and exit the editor now.

Head back to the web browser.

1. Click on “Admin Central” to expose the drop-down menu.
2. This is where we start, stop or reset the game and can see the game state.
3. This is where we add new teams, delete existing teams and can see the member count, mitigations and score for each team.
4. This is where we can delete users.
5. This is where we give users permissions to access the data from our Azure Data Explorer cluster.

Start the game!

The first thing we are going to do is to start the game so click on “Manage the Game”.

1. We can see the state of the game is false which means it is not running.

Click start to start the game and then switch over to the terminal that is running your server. You should start to see the following.

1. You should see that the game is starting.
2. Once it generates the initial data for the company, employees you should see it start uploading data. This means that you set everything up correctly and data will now be available in the Azure Data Cluster.

1. Passive DNS data being added.
2. Cycle 1 of the game being generated with data.

1. Finally, the data generation has completed, and all the data should be available in the SecurityLogs database you set up. This process can take around 10 minutes or so.

Grant permissions to the database.

Click on “Mange ADX Perms” in Admin Central.

1. For users with personal emails use the msauser= prefix and then their email address.
2. For users using emails on Corporate (AAD) tenants use the aaduser= prefix and then their email address.
3. Click “Update ADX Permissions”. This should not take very long and the users should now appear in the “Existing Users” section just to the right. Once the user is here they will be able to follow the steps in the KC7-Cyber Challenge Training.pdf to add your cluster to their Azure Data Explorer (page 5 and 6) and begin the game.

NOTE: Unless the user signed up on the cyber challenge webapp with their email address their username for the game scoring will likely be different than the user you are adding here for them.

Congratulations!

You have now successfully set up the KC7 web-app and are ready to host your own games. In the next post I will show you how to customize the game a bit including changing the default admin name and password as well as the company name, threat actor names and others as well.

I hope you found this post helpful. Happy hunting and learning.

Addendum: The creators of KC7 also have a kc7_data repository on GitHub with some additional scenarios, their guides and instructions on how to ingest that data into your Azure Data Explorer.

Advertisement