Red Teaming: Be Prepared for Anything€¦ · 1 A’War’Foo,ng’ Red Teaming: Be Prepared for Anything Optimal Risk 2016 v3 Presented(by((Mike%O’Neill% Managing’Director’

T.E.S.S.O.C

A Mul,faceted A3ack

Red Teaming – Physical

Red Teaming – IT

The Rise of Converged Vulnerabili,es

Worst fears?

Limita,ons & Roadblocks

Presentation Structure

1

A War Foo,ng

Red Teaming: Be Prepared for Anything

Optimal Risk 2016 v3

Presented by

Mike O’Neill Managing Director

Dan Solomon Director of Cyber Risk &

Security Services

Be Prepared. For Anything

Red Teaming: Testing your Preparedness, Building your Resilience

•  Threats not related to war are grouped five categories:

Ø  Terrorism,

Ø  Espionage,

Ø  Subversion,

Ø  Sabotage

Ø  Organised Crime

•  TESSOC typically reflected the hierarchy of defence priorities. Now complicated by Cyber.

•  Cyber now cuts across all five domains and now should top the hierarchy of priorities.

2


T.E.S.S.O.C framework


3


Threats to on-shore installations: Europe 2015 assessment

Threat Impact Vulnerability Short Term Trend

Terrorist attack on LNG terminal High High Low Increasing

Terrorist attack on port personnel High High Low Stable

Sabotage of POL tanks and pipelines High Medium Low Increasing

Sabotage of port authority buildings Medium Medium Low Increasing

Hostage taking High Medium Low Increasing

Nuclear device in container High High Low Increasing

Biological or chemical device in container High High Medium Increasing

Sinking of a vessel in port to clock channels or locks High Low Medium Increasing

Vehicle-‐borne IED attack Medium Low Low Stable

Ship-‐borne IED attack Medium Low Low Stable

Destruction or sabotage of Telecommunication systems Medium Low Low Stable

Destruction or compromise of cargo in port Medium Low Medium Increasing

Cyber attack against port control IT network & applications High Medium High Increasing

Cyber attack to destroy port management databases Medium Medium High Increasing

Cyber attack on port control network and theft of data Medium Medium High Stable

Infiltration by unauthorised persons to steal information Medium Medium High StableSource: Optimal Risk

•  Cyber threats are high probability in the short term and are a reality

•  In many cases ports authorities are unaware of sophisticated breaches and their impact

•  Cyber defence is weak against convergence threats

•  Cyber resilience concepts are weakening and untested


IT factors can include:

•  Spear Phishing

•  APT and Custom Malware Insertion

•  Attacks on:

–  Infrastructure including VPN

–  Wi-Fi networks including the executives’ homes

–  Applications

–  Mobile Device Vulnerabilities

–  DDoS

4


A Multifaceted Attack

Human factors can include:

•  Gathering open source intelligence on key employees and leveraging this knowledge to subvert employees

•  Compromise of employees which may be coerced to obtain further access into networks, or manipulated into disclosing sensitive data

•  Physical infiltration of facilities and gain access to internal devices & networks

•  Delivery of malware on physical devices to employees

•  A ‘planted’ Insider


•  A prolonged and persistent attack across multiple vectors, using different methods, and in several phases over days or weeks

•  Sophisticated ‘conditioned’ weapons [with the capacity to learn and adapt] that can act in coordination

•  Complex scenarios, likely for espionage or sabotage purposes with a converged back-story

•  The attack is likely to mobilize the organisation’s full Blue Team capability through phases of identification, defence, response, and recovery to an attack in depth

•  The attack escalates and challenges the organisation’s various responses, methods, teams and decision- makers

5


A Multifaceted Cyber Attack


•  Red teaming: A real-world approach to testing security, protocols, & awareness; ultimately to address security requirements and evaluate the risk involved in their viability, modelling threats on all potential layers of attack

•  Testing resilience to realistic incidents, how a port enacts & adapts business continuity plans, how appropriate contingency plans are, and under which conditions they are more likely to fail.

•  Identifying multiple points of failure whether technical, or human, or procedural.

•  Identify short-term tactical fixes for immediate remediation of any outstanding vulnerabilities within the tested environments

•  Identify long-term strategic measures that will proactively thwart any potential repetition of vulnerabilities discovered

•  Prompt engagement in program of remediation efforts and security posture reinforcement 6


A Simulated Attack or ‘Red Teaming’


USB drive Planted

Security Post Le< Una=ended Communica?ons

Room Penetrated

Physical Infiltration

Access was granted to limited access areas, allowing our team to obtain photographs of facility internals, and insert custom malware on internal devices.


Dummy ‘Bug’

Installed

Silent Alarm 5-‐minute Response Time

Network Switchboard Infiltrated


During the exercise the team entered a restricted area and placed simulated electronic surveillance equipment



USB drive Planted in Terminal

Two Breaches

WiFi Antenna Installed

Physical security was circumnavigated, breach incident response was ineffectual, allowing our team to exit without reprimand.


External Network Penetration

A vulnerable web applica,on was exploited to disclose its en,re backend database


x.x.126.27 x.x.162.10

x.x.169.30

Exposed Administra?on

Page

Unencrypted FTP

Service

Unencrypted SIP

Service


11


Other Aspects

•  Nearly all sensi,ve applica,ons were found vulnerable in some way,

Ø from allowing data theR and data manipula,on.....

Ø  ........to enabling a3ackers to lock out key users.

•  A number of high-‐severity vulnerabili,es within working applica,ons, included:

Ø A server which underpins a cri,cal applica,on was using outdated soRware which allowed our team to compromise and take control over the server & applica,on.

Top Issues •  Physical security neglects advanced

threat preparedness in favour of simple physical security risk

•  Insufficient employee awareness of advanced cyber a=acks

•  Insufficient protec?on of high-‐value employees against external threats

•  Lacklustre adherence to system maintenance policies

"...We’re very pleased by your work; you’ve exceeded our expecta8ons in every aspect” Source: Customer’ SVP Security


•  Physical security systems undermined by poor procedure and processes

•  Poor personnel vetting practices, and weak verification & control of movement between port areas

•  Introduction of integrated security systems increased vulnerability particularly through COTS solutions

•  Sophistication of systems is still low, compared to airports, in particular access control to critical areas

•  Poor levels of integrated monitoring, and control room resourcing

•  Dynamic contingency planning in based on analysis of out-of-date scenarios

•  Low levels of resilience in critical networked information systems

•  Insufficient encryption, biometric protection, and poor counter-espionage counter-measures

•  High vulnerability to BYOD threat

12


Converged Vulnerability


13


Worst Fears?

Permanent Denial-of-Service [PDoS]

A3acks in the future will range from rendering hardware useless by crashing hard drives, machine-‐level PLCs and by increasing the voltage within CPU’s.

A3acks aim to push hardware to its extreme performance, or conduct ac,ons for which it was not designed as well as the more obvious corrup,ng of internal program and data structures

Recovery will require replacement with new hardware, exposes the vulnerability of not holding redundant capacity.

In many cases it is not prac,cal to hold spare parts for major pieces of infrastructure. The resultant down,me could be catastrophic for some businesses, without suitable redundancy and capacity

PDoS attacks will include:

•  Over-‐vol,ng

•  Over-‐clocking

•  Over-‐usage

•  Power Cycling

•  Phlashing


14


Lets Imagine................

1.  Systems go down while containers are in port and all work stops effec,vely un,l it is resolved?

2.  A compromised system meant that you cannot trust what is in a container from a par,cular carrier or country?

3.  If other countries, in par,cular the US, were not prepared to accept shipments from this port.

4.  If the country had only one major deep-‐sea port and:

•  Food and fuel not being unloaded. Contemplate the impact over a 3 day period

•  If a PDoS takes down systems permanently, systems will need to be replaced which could take days. If hardware is affected then the impact could be weeks.

•  Overland distribu,on con,ngencies will need to be enacted.

•  Other countries dependant on exports and onward distribu,on will be affected, and the problem becomes an interna,onal crisis with geo-‐poli,cal implica,ons.

What would happen if:

1.  Port could not handle cargo for 8 hours

2.  Port could not handle cargo for 2 days

3.  Port could not handle cargo for 4 days

4.  Port could not handle cargo for 2 weeks


•  What did the port gain from the red team Ø  It created awareness

Ø  Demonstration of reality: a game changer

Ø  Hard Lessons benefits without the pain

Ø  Very quickly absorbed into organisational perceptions

Ø  Demonstration of interdependencies

Ø  Learning by doing: Failings in response as well as security

Ø  Immediate tactical priorities for remediation

Ø  Priorities for re evaluation of policy

Ø  Priorities for physical security

Ø  Priorities for security investment 15


Consequences

•  What happened next?: Ø  Change of Approach

Ø  Impact on Confidence

Ø  Changes to Business Practices

Ø  Security Investment & Focus

Ø  Awareness of High-Impact Threats

Ø  Review of Risk ‘Agenda’ [& recalibration of appetite]

Ø  Revise Enterprise Risk Management


Dealing With Decep,on

Roadblocks

Symptoms of Delusion

Insurance

Compliance

Silver Bullets

Cultural Myopia Accep,ng Mediocrity

Analy,cal Bias

Perspec,ves on ‘Cold War’

Ignorance

Leadership Risk-‐Informed

Intelligence

Reac,ve approach Vulnerability Scanning

Analy,cal Failure

Formalised Policy & Planning Board-‐level Consensus

Outdated methods Budgets

Forewarning

Tackling Uncertainty

Effec,ve Capability

Misaligned Strategy Converged Threat Awareness

Complacency

Compe,ng Priori,es

Iner?a

Silos

Cost

Assessing Probabili,es

Risk

Outdated Assump,ons

Informa,on Assurance


A War Footing

ü  ‘Raise your gaze’ and seek better vision

ü  Anticipation of the unexpected

ü  Embrace the Plausible, not just the Probable

ü  Practice makes Perfect

ü  Develop a ‘Forensic’ approach to Causes of Security Failure

ü  Be Reluctant to Simplify Plans and Preparation

ü  Declare an Absolute Commitment to Proactivity

17


Dan Solomon Director, Cyber Risk & Security Services Tel: +44 7850 761834 Email: [email protected] Crisis, Risk & Security Specialists


Mike O’Neill Managing Director Tel: +44 7768 354009 Email: [email protected] Crisis, Risk & Security Specialists

Thank You

PHYSICAL SECURITY

RED TEAM BLUE TEAM

CYBER SECURITY

Consultancy & Planning Surveys & Audits Response & Protec?on

Threat Modeling & Forensics Advanced Cyber Defence

Risk Analysis

Reinforcing Your Security

Building Your Resilience Tes?ng Your Preparedness

Exercising Your Response

Documents

Red Teaming: Be Prepared for Anything€¦ · 1 A’War’Foo,ng’ Red Teaming: Be Prepared for Anything Optimal Risk 2016 v3 Presented(by((Mike%O’Neill% Managing’Director’