Teaching penetration and malware analysis in a cloud-based environment.

Abstract

This paper outlines evaluation of running a private Cloud-based system over two semesters at Edinburgh Napier University for two modules: Security Testing and Advanced Network Forensics (BEng (Hons) level and focused on Penetration testing and Malware Analysis); and Penetration Testing (MSc level). Overall, over the two semesters, these modules supported over 100 students within an isolated Cloud-based environment for penetration testing and malware analysis. These were taught using two different Cloud-based environment, one (DFET) allowed for a wide range of server and desktop instances to be used in a wide variety of network configuration, and the other (Linux Zoo) which focused on guiding students using a Capture The Flag methodology. The DFET (Digital Forensics Evaluation and Training) Cloud creates new training methods/techniques to support judicial authorities, law enforcement agencies and associated stakeholders in the fight against cybercrime through the development of a virtual (cloud-based) cybercrime training environment to include real life simulation and scenario analysis. Currently it is partly funded by DG Home – Prevention Of and Fight against Crime, and aims to improve crime detection rates by providing scenario-based training in line with the dynamic nature of cybercrime. Overall DFET aims to create a training infrastructure which can share cyber training across Europe, and allow access to hands-on environments, no matter the physical location of trainer. Its core partners are Edinburgh Napier University, Joseph Stefan Institute (JSI), Stockholm University, Police Scotland, and Aconite Internet Solutions. The current DFET Cloud contains four main cluster nodes, where each cluster node runs VMware vSphere 5.1 with VMware vCenter used to manage the instances. This gives a total of 119 GHz CPU, 520 GB of physical memory, and 18 TB of disk space. The paper shows the main architecture, and shows that all of the management components, such as a domain controller, are run as virtual machines. The paper outlines the structure of modules, and in the coverage of the labs within the Cloud environments, including the usage of Metasploit, Metasploitable and Web assessment systems. For the evaluation, the paper focuses on the performance analysis of a large-scale penetration testing coursework. The results highlights a key breakpoint in the Cloud which occurred when over 80 students where completing their Penetration Testing coursework and working for a 12pm deadline, and where the resources within the infrastructure became stressed where there was a considerably lag in remotely accessing the DFET Cloud. Overall the system coped by increasing memory allocation for vCenter, and in stopping running instances which had been dormant for several weeks. The paper will showcase the best practice used for the creation and maintenance of the Cloud environment, and how subjects such as Malware Analysis and Penetration Testing can be achieved within a private cloud environment, and where students can learn new methods, without the danger of ethical and moral problems. It will also highlight the key pointers towards scaling up the environment to support and increasing number of remote and distance learning students, including the methods used to script the creation of instances, and in the returning them back to a pool, along with enhanced failover protection, and in isolating instances using VLAN technology. The results are also backed-up by a student survey on the usage of the Cloud environment, and in how this enhanced their learning.