Awarded

Orchestrated Cyber Deception Demonstrator using Virtual Machine Introspection

Published

Supplier(s)

6point6

Value

277,128 GBP

Description

Summary of the work

The approach will develop and deliver VMI-based deception-oriented effects on virtualised hosts, as well as create an OpenC2 compliant Application Programming Interface (API) and Web user interface for the monitoring, administration and orchestration of these effects.

Expected Contract Length

6 Months

Latest start date

Monday 9 August 2021

Why the Work is Being Done

Current cyber deception approaches typically rely on deceiving adversaries either before they gain access to internal networks and/or during the lateral movement phases of an intrusion. When deception is utilised, it is typically at the network level – once a malicious actor gains access to an individual host, current deception measures are often limited. What measures are available often contaminate hosts with tell-tale signs of their presence (logs, suspicious processes, or inconsistent decoy data which stands out), or may be bypassed through modified Tools, Techniques and Procedures (TTPs).

Problem to Be Solved

Virtual Machine Introspection (VMI) allows for the monitoring of the runtime state of application-generated system-level instructions in virtual environments. As VMI allows for monitoring of low-level requests from applications and processes to the underlying system kernel, it should be possible to manipulate these in order to feed intentionally erroneous data back to the source, deceiving the adversary utilising it. If such activity could be coordinated with other Defensive Cyber (DC) tooling, this provides an opportunity to manipulate and gather threat intelligence on adversaries, as well as a means to hinder their further progression.

Who Are the Users

As a Cyber Security Researcher, I need to utilise VMI to deceive adversary activity within a virtualised Windows and/or Debian environment so that I can determine the viability of the approach.

I need to be able to coordinate these VMI implementations with other tooling via an OpenC2 compliant API, and observe the actuation of this activity in a web front end.

Existing Team

The supplier will be working with a dedicated technical partner from Dstl for day-to-day interaction. Alongside this will be a small team from the Authority who will contribute to and review work carried out under this task. This team will act as hosts if and when the need arises to work on or demonstrate the concepts on our site. This team operates out of their own laboratory space, which is equipped to support software development and deployment.

Current Phase

Alpha

Skills & Experience

• Demonstrate experience creating software using Python 3 and/or C to run on Debian-based Linux operating systems (>= Ubuntu 18.04 LTS) without reliance on closed-source, proprietary software dependencies.
• Demonstrate, with evidence, the ability to conduct agile software development in-house, without support from subcontractors.
• Demonstrate, with evidence, the ability to continue and evolve software development from complex inherited and/or Open Source codebases.
• Demonstrate, with evidence, the ability to deliver without authority-funded capability enhancements (for example, procurement of additional ICT to support development activities).
• Demonstrate experience developing cyber security or system management software (preferably for high threat and government organisations).
• Demonstrate, with evidence, the ability to produce appropriate levels of documentation, and conduct verification and validation of software.
• Demonstrate experience using Git Source Code Management (SCM) and broader collaborative development tool-suites. Provide examples of providing customers with access to developmental and release versions of software source code, and engaging them in the development process.

Nice to Haves

• Demonstrate, with evidence, experience utilising LibVMI and/or other VMI software libraries in the development of cyber security tooling.
• Demonstrate, with evidence, experience of working with, monitoring and/or manipulating system calls on Windows and/or Linux-based operating systems.
• Demonstrate, with evidence, working knowledge of x86 CPU instruction sets and manipulating system memory.
• Indicate, with evidence of prior work, the ability to adhere to appropriate coding standard(s) for the development of software (i.e. PEP 8).
• Indicate whether the proposed solution(s) are applicable to A: Windows, B: Debian-based Operating Systems, or C: both.

Work Location

We would expect the majority of the work to be conducted at the supplier's own address, but there may be times when both formal meetings and development work will take place at our Salisbury Site (COVID permitting).

Working Arrangements

To ensure that the demonstrator can be utilised alongside other Dstl tooling as the concept develops and evolves, the project will utilise an iterative and incremental approach to delivery. The supplier must adopt an Agile system engineering approach (e.g. Scrum) and work closely with the Authority throughout the development process to realise the project's aims. It is expected that this work will require significant dialogue between the Authority and the supplier throughout the contract period; the Authority will make staff available to support this.

No. of Suppliers to Evaluate

5

Proposal Criteria

• The proposed technical solution offered by the supplier (0.3)
• The proposed approach and methodology (0.2)
• The proposed deception concepts utilising VMI and targeted Operating System(s) (0.2)
• How the approach or solution meets user needs (0.1)
• Provide estimated timeframes for the work. (0.1)
• Detail and explain identified risks and dependencies. Provide details of offered approaches to manage these risks. (0.1)

Cultural Fit Criteria

• Demonstrate consistent cultural commitment to agile software development practices. (0.5)
• Demonstrate with evidence that they are able to respond to an evolving customer requirement. (0.2)
• Demonstrate with evidence being transparent and collaborative when making decisions. (0.1)
• Demonstrate with evidence of sharing knowledge and experience with other team members. (0.1)
• Demonstrate with evidence an ability to successfully deliver within the UK Defence landscape. (0.1)

Payment Approach

Fixed price

Evaluation Weighting

• Technical competence: 70%
• Cultural fit: 10%
• Price: 20%

Questions from Suppliers

1. Has there been prior work undertaken by industry which Dstl would like to see this future work build on?

We are not aware of any work carried out by industry utilising VMI explicitly for cyber deception that would be suitable to build upon. Any proposals requiring use of prior work should be restricted to material and/or software where the supplier can guarantee a perpetual, royalty-free, irrevocable, transferable worldwide licence to use, change and sub-license the material where it is needed to enable both: (a) receive and use of the Deliverables from the proposed work; and (b) make use of the deliverables provided by a Replacement Supplier

2. Will the authority retain all intellectual property from the engagement, or will the supplier be able to re-use any outcomes for their own future research needs and goals?

All generated IPR will be owned by the authority.

"9.2 Any New IPR created under a Contract is owned by the Buyer. The Buyer gives the Supplier a licence to use any Existing IPRs and New IPRs for the purpose of fulfilling its obligations during the Contract Period."

For use post contract, you'll require written permission from the authority as per section 9.4 of the T&Cs.

"9.4 Neither Party has the right to use the other Party's IPRs, including any use of the other Party's names, logos or trademarks, except as provided in Clause 9 or otherwise agreed in writing."

Timeline

Publish date

3 years ago

Award date

3 years ago

Buyer information

Explore contracts and tenders relating to Defence Science & Technology Laboratory
