7/31/2019 CleanSweep Technical 2
1/39
Version FINAL
Unclassified//Official Use Only
August 2011

Red Team Report
CleanSweep: Technical Details

Prepared for: United States Department of Labor
Mr. Ed Hugler
Deputy Assistant Secretary for Operations
United States Department of Labor
Frances Perkins Building
200 Constitution Avenue
Washington, DC

Prepared by: Scott Maruoka
RT Project Lead
Department 5627
Sandia National Laboratories
505-
P O Box 5800, MS 0620
Albuquerque NM 87185-0671

Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

For additional information, contact: Han Wei Lin, Project Manager
Phone: 505
Email: @sandia.gov

OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), Exemption 5, Privileged Information.
Department of Labor review required before public release.

William Atkins
Org. 05628
29 AUG 2011
OFFICIAL USE ONLY
CleanSweep Contents
August 2011 OFFICIAL USE ONLY Page ii
Table of Contents

Table of Contents ..... ii
Executive Summary ..... 1
CleanSweep: Technical Details ..... 2
  Introduction ..... 2
  Objective ..... 2
  Rules of Engagement ..... 3
  Scope ..... 4
  Red Team ..... 4
  Analysis Environment ..... 5
  Methodology ..... 5
  Threat Model ..... 15
  Nightmare Consequences ..... 17
  Adversary ..... 18
  Analysis ..... 20
  Attack Graph ..... 21
Summary ..... 27
  Observations ..... 32
  Recommendations ..... 32
Attachment 1: Agenda ..... 33
Attachment 2: Cost Estimates ..... 35
Executive Summary

Over the course of the last four years, the DOL was approached by various regulatory authorities (e.g. OIG, SEC, and FBI) concerned that key economic data were potentially subject to unauthorized, premature release. The economic data in question are subject to an embargo process whereby DOL controls the timing of its release to reporters and the general public. The objective for CleanSweep was to identify potential vulnerabilities in the DOL Press Lockup room facility and associated data embargo and release procedures, provide mitigation options for vulnerabilities identified, and assist in mitigation verification should DOL decide to implement recommended mitigation options.

CleanSweep customers included stakeholders from several organizations within DOL: Operations, the Office of Public Affairs (OPA), and the Bureau of Labor Statistics (BLS). Each of these entities had its own unique perspective regarding the nature of the perceived threat and consequently, differing ideas on potential solutions. The common concern amongst these stakeholders revolved around the unauthorized, premature release of embargoed data.

Likely adversaries in this scenario are profit-driven, technically sophisticated individuals who may have considerable resources at their disposal. Their technical proficiency enables implementation of stealthy surveillance equipment. Though they are willing to bend and potentially violate rules and laws, violence is unlikely as an operational method.

Though DOL, BLS, and OPA personnel are doing due diligence in their efforts to monitor the press lockup facility, their efforts are complicated by the presence of non-DOL IT equipment and communications lines in this facility. The opaque nature of this equipment to DOL, BLS, and OPA stakeholders is a major impediment to ensuring that embargoed data is not released prior to authorization.

The presence of equipment owned by press organizations necessitates that access to areas housing DOL communications and data infrastructure is made available to contractors working for these press organizations to conduct maintenance. This access, though controlled by DOL personnel escorting such maintenance contractors, creates opportunities for adversaries to compromise critical DOL communications and data infrastructure.

The following actions would mitigate against risks identified during CleanSweep:

- Replace computers and other IT equipment in the Press lockup facility with DOL-owned equipment and remove the private data lines currently in use. This would eliminate the need for the Black Boxes altogether.
- Prohibit anyone other than DOL personnel (or contractors working for DOL) from entering communications closets without a technically knowledgeable escort.
- Provide/train technically knowledgeable escorts.
- Modify existing policy to require personal items be kept in lockers outside of the Press Lockup room. Divestment should be a prerequisite for room entry.

Though not directly addressed in the SNL Red Team analysis, the apparent root cause for the issues driving this assessment is the presence of algorithmic traders in the press lockup facility. Modifying DOL policy on what criteria qualifies applicants to attend release events would likely be of benefit.
CleanSweep: Technical Details

This section of the report is intended for personnel interested in the details of the Sandia Red Team conclusions described in the Management Overview. Some of the information is repeated from previous sections to help establish context for those readers who have chosen to begin with this section. Where that information is repeated, additional detail is provided for the technical reader.

Introduction

Over the course of the last four years, the DOL was approached by various regulatory authorities (e.g. OIG, SEC, and FBI) concerned that key economic data were potentially subject to unauthorized, premature release. The economic data in question are subject to an embargo process whereby DOL controls the timing of its release to reporters and the general public. The focus of DOL management concern is the physical, technical, and procedural controls which constitute this embargo process.

Objective

SNL IDART was tasked to identify potential vulnerabilities in DOL press lockup room facilities and associated data embargo and release procedures, provide mitigation options for vulnerabilities identified, and assist in mitigation verification should DOL decide to implement recommended mitigation options.

Information sharing was performed via SNL external SharePoint (an SSL-enabled collaboration application).

Sandia's IDART team executed the following assessment activities:

1) Document Review: Analysis of available security processes, procedures, rules, security equipment technical specifications, floor plans, and other artifacts relating to the embargo process. Conduct open source research on pertinent subjects.

2) Kickoff meeting: Face-to-face engagement with key stakeholders in the embargo process to set common expectations for the assessment outcome, and finalize scope and the rules of engagement for assessment activities.

3) Vulnerability Assessment: IDART Team members conducted an inspection and evaluation of the physical attributes of the press lockup facility and surrounding areas within the Frances Perkins Building, the information technology equipment contained within the Lockup Facility, associated communications infrastructure, technical security equipment, and conducted interviews with DOL personnel tasked with implementing the embargo process.

4) Sandia National Laboratories technical specialists executed exterior and interior surveys of the radio frequency (RF) spectrum in the area of interest, and conducted another radio frequency spectrum analysis during an information embargo/release event. These personnel used a combination of proprietary and publicly available but controlled equipment and applications.
a. EstablishbaselineRFreadingsforthetargetarea.
b. ConductRFassessmentofthetargetareaduringapressevent.
c. Compareresults,identifyanomalies.
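The three-step RF procedure above (baseline sweep, sweep during the event, compare and flag anomalies) can be expressed as a simple per-bin comparison. The following Python is an added illustration for this page and is not code from the CleanSweep report or from Sandia. The sweep values, the 10 dB over-baseline threshold, the 6 dB margin above the event noise floor, and the heuristic that a contact seen stronger by a receiver outside the room is attributed to an exterior source (mirroring the report's later note that one contact was traced to a source outside the lockup facility) are all constructed assumptions.

```python
"""Baseline-vs-event RF sweep comparison (added example, not from the report).

Steps: a) baseline sweep of the target area, b) sweep during the event,
c) compare the two and report bins that rose above the baseline.
"""
from dataclasses import dataclass
from statistics import median

# Constructed sample sweeps: {frequency_MHz: power_dBm}, 1 MHz bins.
# BASELINE_SWEEP: the quiet room before the event.
# EVENT_SWEEP: the same bins during a release, with three constructed contacts.
# EXTERIOR_SWEEP: a constructed receiver placed outside the room at the same time.
BASELINE_SWEEP = {f: -95.0 for f in range(2400, 2410)}
EVENT_SWEEP = dict(BASELINE_SWEEP)
EVENT_SWEEP.update({2402: -62.0, 2403: -64.0, 2407: -80.0})
EXTERIOR_SWEEP = dict(BASELINE_SWEEP)
EXTERIOR_SWEEP.update({2402: -55.0, 2403: -57.0})


@dataclass(frozen=True)
class Contact:
    freq_mhz: int
    event_dbm: float
    delta_db: float          # rise over the baseline reading in the same bin
    likely_exterior: bool    # exterior receiver saw it stronger than the interior one


def noise_floor(sweep):
    """Median power of a sweep; robust to a handful of strong emitters."""
    return median(sweep.values())


def compare_sweeps(baseline, event, exterior=None, threshold_db=10.0, min_snr_db=6.0):
    """Return bins where the event sweep exceeds the baseline by threshold_db.

    Bins must be present in both sweeps to be comparable. A bin is also
    required to sit min_snr_db above the event's own noise floor so that a
    uniformly raised floor (e.g. more occupants, more equipment) does not
    produce a flood of false contacts. If an exterior sweep is supplied, a
    contact measured stronger outside than inside is tagged likely_exterior
    (assumed heuristic; a real survey would confirm by direction finding).
    """
    floor = noise_floor(event)
    contacts = []
    for freq in sorted(baseline):
        if freq not in event:
            continue
        delta = event[freq] - baseline[freq]
        if delta < threshold_db or event[freq] - floor < min_snr_db:
            continue
        exterior_stronger = exterior is not None and exterior.get(freq, -999.0) > event[freq]
        contacts.append(Contact(freq, event[freq], delta, exterior_stronger))
    return contacts


def interior_contacts(contacts):
    """Contacts that cannot be attributed to a source outside the target area."""
    return [c for c in contacts if not c.likely_exterior]


if __name__ == "__main__":
    found = compare_sweeps(BASELINE_SWEEP, EVENT_SWEEP, EXTERIOR_SWEEP)
    for c in found:
        tag = "exterior" if c.likely_exterior else "INTERIOR"
        print(f"{c.freq_mhz} MHz: {c.event_dbm:+.1f} dBm (+{c.delta_db:.1f} dB over baseline) {tag}")
    print(f"{len(interior_contacts(found))} contact(s) need follow-up inside the facility")
```

With the constructed data, the two 2402/2403 MHz contacts are reported as exterior and only the 2407 MHz contact remains for follow-up inside the room. In practice the dictionaries would be loaded from the analyzer's exported sweep files, and the baseline should be taken with the room in its normal pre-event state so that the press organizations' own equipment is already part of the baseline rather than flagged as new.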
Findings from these assessment activities were analyzed using the IDART methodology described throughout this document, and the results are recorded in this report.
Rules of Engagement

SNL IDART actions were limited to observation and assessment during CleanSweep; no attempts were made to actively exploit potential vulnerabilities identified. DOL agreed to provide access and support to SNL IDART team members during assessment activities. These Rules of Engagement (ROE) were developed by SNL IDART personnel in concert with DOL officials, and were formulated to ensure that the Red Team assessment activities would not adversely impact DOL operations while concurrently providing results useful to DOL management for formulating risk-based corrective measures, if needed.

Of particular note is that IT systems (e.g. computers, monitors, I/O devices, routers, switches) within the press lockup facility are not owned by DOL, with the exception of the AirPatrol console and LAN. Each press agency with access to the lockup facility owns and maintains their own equipment, including the communications lines to the outside world. The SNL IDART Red Team was therefore limited to visual examination (no physical contact) and observation (visual and passive RF) when the systems were used by press personnel during a press release.
Notification: Sandia presented proposed assessment activities for CleanSweep to DOL officials in the Statement of Work (SOW) created prior to commencement of this project. Approval of the CleanSweep SOW signified DOL approval for the assessment activities documented therein. SNL agreed to notify DOL officials prior to the start of any assessment activity and obtain DOL approval before beginning any such activity. Sandia will notify DOL at the conclusion of the assessment and verbally provide the results. SNL IDART and DOL personnel worked jointly to develop the assessment schedule of activities, providing concurrence on assessment dates, times, and processes.

DOL officials were made aware of and consented to the requirement that federal law enforcement be notified should SNL IDART personnel discover surveillance devices during their assessment.
Information Protection: Information collected during the course of CleanSweep will be retained by Sandia in electronic work papers. A final report that includes notifications of findings, recommendations that summarize preliminary findings based on these data, and possible remediation actions for information technology security weaknesses or deficiencies will be provided to DOL officials at a results briefing. Sandia will destroy all retained copies of logs and data at the request of DOL.
The Technical Details section of this Sandia assessment report contains Official Use Only information describing specific vulnerabilities and attack steps for potential exploits. No classified information was generated during the course of CleanSweep activities. Sandia will protect all copies of logs and data appropriate to the level of sensitivity. All SNL IDART personnel agreed to protect and hold in confidence any DOL proprietary information discovered during the course of CleanSweep, and provided written assent of this agreement to DOL officials.
Scope

Ideally, Red Teams would prefer to identify every weakness in a target system, explore and test all vulnerabilities, and produce a report providing a complete picture of the target environment's security posture. In reality, a project's budget and schedule place a limit on the scope of assessment activities.

The IDART process adds further limits to project scope by specifying the threat model and associated adversaries and constraints. These limits are used as "reality checks" on Red Team courses of action and recommendations. For DOL, the threat model originally specified an adversarial upper limit of moderate capability, characterized by individuals or organizations seeking to profit from premature access to embargoed economic data. As explained by officials representing the Department of Labor, the Office of Public Affairs (OPA), and Bureau of Labor Statistics (BLS), the scope of this assessment was limited to how such an adversary might exfiltrate embargoed economic data from the press lockup facility during a press release event.

The Red Team concentrated on the following:

- Physical attributes of the press lockup facility and surrounding areas within the Frances Perkins Building, 200 Constitution Avenue NW, Washington, DC.
- Business processes associated with press embargo and release procedures as documented by policy, and as observed during an actual press release event.
- Radio Frequency (RF) environment for the area of interest.
- Computer and communications equipment in the press lockup facility.
- Communications infrastructure for the press lockup facility.

The Red Team specifically did not consider the following:

- Threats and vulnerabilities associated with DOL insiders.
- Threats and vulnerabilities associated with DOL Information Technology (IT) systems used in the acquisition of data and production of finished economic analysis.
- Surveillance vulnerabilities at other locations associated with the data embargo and release process.
- Parallel embargo/release facility and process for television journalists.
Red Team

Sandia/IDART created a team whose members possess skills specifically chosen to address the various issues presented by this project, with Red Team members representing several Sandia organizations. The team consisted of five (5) members with technical specialties including cyber security and threat assessment, IT system penetration and exploitation, physical security design and threat assessment, electronic surveillance, and risk management.
Analysis Environment

All CleanSweep activities occurred at the United States Department of Labor headquarters, located in the Frances Perkins Building at 200 Constitution Avenue, Washington, DC as depicted in Figure 1. The six-story steel and limestone building covers two square blocks near the base of Capitol Hill, and was completed in 1974.¹

Figure 1. Frances Perkins Building exterior view from Constitution Avenue.

The IDART Red Team conducted preliminary analysis of information acquired during this assessment while on site, which was communicated to DOL stakeholders during an out-briefing at the conclusion of assessment activities. A copy of the CleanSweep agenda is provided as Attachment A.

Upon returning to the Sandia National Laboratories Albuquerque, NM facility, the Red Team and an IDART subject matter expert (who did not accompany the Red Team to DOL) conducted further analysis to identify and then refine potential attack scenarios and appropriate mitigation strategies.

Methodology

For this assessment, the Red Team used the IDART methodology illustrated in Figure 2. The IDART methodology follows the standard activities shown on the left of the figure by performing the work and developing the products shown on the right of the figure.
placed on the analysis or on the Red Team. The results of this phase are based on customer requirements and are usually produced by a joint Red Team/customer team, although sometimes the Red Team develops recommendations that are submitted to the customer for approval.

DOL officials and SNL management team members conducted initial discussions on the issue of a potential information leak of sensitive economic data during the embargo and release process, resulting in a preliminary site visit by SNL personnel. Subsequently, SNL IDART Project Manager, Han Lin, and Project Lead, Scott Maruoka, worked with DOL officials to create a Statement of Work (SOW) capturing and documenting project details regarding perceived threat, nightmare scenarios, associated milestones and deliverables, and project scope and constraints to IDART activities.
Data Collection

The second phase of the IDART Methodology consists of data collection. In this phase, the Red Team reviews all available applicable documentation, collects open source material relevant to the target system, and visits an operational customer site if feasible and appropriate. This phase serves to provide the Red Team with the appropriate background information to model the adversaries identified in the Threat Model. The Red Team develops a detailed description along with the mission and objectives of the target system. The Red Team also identifies its critical success factors, a list of objectives that will serve as indicators of Red Team success. The subsequent system characterization and analysis phases are very dependent on the accuracy and completeness of the system description generated in this step. As noted previously, IDART activities were limited to observation and assessment during CleanSweep, so success indicators were not applicable as no penetration and exploit tests were conducted.

CleanSweep data collection activities consisted of document review, interviews of DOL Operations, OPA, and BLS personnel, physical inspection of the press lockup facility and adjoining areas, wiring closets and telecommunications hub rooms, and observation of a live press event involving data embargo and release.
DOL provided the following data:

1) DOL Lockup Room Wireless Device Detection User Guide: combined concept of operations (CONOP) covering the AirPatrol console, Mantis Handheld Bluetooth detector, and AirCheck WiFi tester equipment.
2) DOL Lockup Room Task Summary: step-by-step CONOP covering AirPatrol, AirCheck, and Mantis tools.
3) Press Room Activity logs, 10 JAN 2011 to 12 APR 2011: chronologically ordered documentation of Press Lockup facility monitoring activities performed by BLS Information Assurance personnel; sample report form.
4) Black Box user's manual and technical specifications.
5) Equipment-to-Black Box cabling guide.
6) Inventory of Black Boxes in use.
7) A Hall/Fillichio memo dated March 2, 2011 suggesting various changes to security policy and procedures for the Press Lockup facility.
8) Evacuation and shelter-in-place policy for the Press Lockup facility.
9) A draft copy of Lockup facility rules for press personnel and their employers.
10) A draft copy of Lockup facility responsibilities for DOL staff.
11) Numerous photographs of the Press Lockup facility workspaces.
12) Floor plans for the Frances Perkins building and the Press Lockup facility.
13) Findings from previous assessments conducted by BLS IA.
14) Timeline of security issues and associated mitigation measure implementation.
15) May 2008 letter from OPA to news organizations documenting security rules for the Press Lockup facility.
16) Meeting minutes from 2008 incident response.
Characterization

During system characterization, the Red Team combines all the inputs from the Planning and Data Collection phases with domain expertise to generate a variety of different viewpoints, such as those listed in the IDART Methodology diagram. Some viewpoints may be as simple as vendor-supplied network maps or physical diagrams. Others may show complex timing interactions between system components and external input sources.

Temporal View

Based on interviews of OPA and BLS personnel and first-hand observation, SNL IDART produced the temporal view illustrated in Figure 3, Data Embargo and Release timeline.

Figure 3. Data Embargo and Release timeline.

SNL IDART personnel noted that press attendees queued up outside the press lockup facility waiting for the room to open. Once allowed in, these press personnel dispersed to their various work areas. Sign-in and surrender of cell phones occurred after they had been allowed entry, with some individuals needing to be reminded by OPA personnel to sign in and turn in cell phones. Requiring press to sign in and surrender cell phones prior
Figure 7. Cluttered press work area, showing what appear to be networking appliances to the left of the workstation and monitor. Note the two Black Boxes atop the network gear.

The interior of the press lockup facility is somewhat crowded, and some of the work spaces used by press personnel are cluttered with IT equipment, as illustrated by Figures 7 and 8. Members of the SNL Red Team were somewhat surprised to find what appeared to be network appliances (e.g. switches and routers) capable of supporting infrastructure well beyond the workstations to which they were connected. Since these devices are not DOL-owned equipment, the Red Team was limited to visual-only inspection, and could not verify that computer and network appliance cases and chassis contained only standard equipment. As explained by OPA and BLS staff, the elaborate networking configurations are meant to give their owners an advantage over neighboring competitors in transmitting data when it is authorized for release.

During the live press release event, IDART personnel in the press lockup facility noted the ambient temperature became uncomfortably warm, likely due to the human occupants and the considerable amount of IT equipment present. Many of the work areas featured more than one Black Box, which are supplied by DOL.
Figure 8. Cluttered press work area, with Black Box under network appliance and obscured by telephone.

RF View

SNL technical personnel conducted external and in-conference inspections of the Radio Frequency (RF) environment both prior to and during a live press release, to detect the presence of clandestine surveillance devices in the area. No such devices were detected. A breakdown of these activities consisted of:

1) Search and analysis of the RF spectrum in the target area delineated as the press lockup facility. See Figure 9.
2) Technical and physical examination of fixtures, furnishings, and equipment located within the target area.
3) Technical and physical examination of electronic and electrical equipment, electrical wiring, and utility pathways.
4) Technical and physical inspection of the interior and exterior surfaces of the perimeter walls, floors, ceilings, and other structural objects within the target area.
5) Physical inspection of the exterior perimeter to include applicable spaces above and below the target area.
For RF monitoring during the press release, SNL technical personnel set up equipment in an office adjacent to the target area, with a BLS IA representative observing. An RF contact observed during the press release event was determined to have been caused by a source outside the Lockup facility, and was also identified by BLS IA personnel on their equipment.

Analysis

The Analysis phase is highly variable, depending on the project's budget and schedule, the Threat Model, and any constraints identified during the Planning phase. This phase can range from a Quick Look overview (as was conducted for CleanSweep), which identifies potential vulnerabilities and attacks without verification testing, to a detailed analysis in which the system or portions of it are subjected to a deep analysis with full attack development, validation, and countermeasure generation.

The intentionally limited scope and rules of engagement for CleanSweep dictated that no penetration testing and exploitation of identified vulnerabilities occur. Based upon information derived from document review, interviews, and direct observation on site, the Red Team conducted a tabletop attack brainstorm exercise resulting in attack graphs depicting potential attacks that team members thought had viable potential for success.

Threat Model

The IDART methodology begins by developing a threat model to be used for Red Team operations. As the scope of operations for CleanSweep was limited to observation and analysis, no attack exercises were conducted. Instead, threat and adversary modeling provided the basis for attack scenario vetting: what was realistic in terms of perceived attacker goals and capability limitations. This model defines the adversaries along with their skills, resources, and motivations. Establishing an adversary model allows analysts to postulate more accurately on what types of attack tools or weapons will likely be brought to bear against defenders, and so instruct as to the most appropriate mitigation strategies to employ.

Threats

The first step in developing a threat model is to establish which threats exist to the target system's mission and which threats the target system is intended to mitigate. Figure 11 shows general system threats as they relate to operational environments.
Adversary

Sandia has developed detailed models that identify the skill, resources, motivations and threats of various adversaries. That said, these models can rarely be simply plugged into a project. Since every system that a red team assesses has unique characteristics, the adversary models must be customized for each project. Sandia's adversary models allow for that.

The Red Team's choice of adversary models is driven by three factors:

- The threats and nightmare consequences identified by the Red Team and customer: More complex nightmare consequences often, but not always, require more sophisticated adversaries.
- The maturity of the system: More mature systems can benefit from Red Team emulation of more sophisticated adversaries, as lower-level threats have often already been addressed. Less mature systems profit more from less sophisticated adversarial attack. Since even trivial attacks are likely to succeed, there is little reason to show that high-level attacks are successful.
- Project budget and schedule and information available to the Red Team: Highly sophisticated attacks such as those at the nation-state level (Cyber terrorist organizations, Military Information Operations units, and Foreign Intelligence Services) usually require in-depth knowledge of the target system. The Red Team can acquire such information in two ways: synthesize it, limited by project budget and schedule, or obtain it from the customer or system vendor. If these options are limited or not available, the Red Team will not be able to adequately emulate the higher threat levels and will choose to hold adversary capabilities to a lower limit.

DOL Adversary Model

As noted previously in the scope section, DOL management perceived that a potential threat exists from individuals or organizations wishing to profit from premature, unauthorized access to key economic data. Advance knowledge of such data would give its possessor a head-start advantage against other financial traders who transmitted the information later, during the official release.

According to DOL officials interviewed during this assessment, concern exists over which press organizations are allowed access to informational release events. At the heart of the debate is what criteria should define a press organization vs. a business primarily interested in supplying data for algorithmic trading. The line between such entities is blurred by organizations which provide both traditional journalistic content as well as algorithmic trading products to their customers. Interviews with DOL officials indicate this issue is relevant because organizations primarily concerned with algorithmic trading would have significant monetary incentive to circumvent the embargo imposed on key economic data prior to its official release. A New York Times article posted contemporaneously with the writing of this report stated that High Frequency Traders (a type of algorithmic trader) made $12.9 billion in profits in the last two years.²
With the assessment scope limited to the press lockup facility and associated data embargo and release processes, the SNL IDART Red Team focused only on adversaries with opportunity, motivation and willingness to subvert security controls specifically associated with this facility. This was an important limitation in that it effectively excluded common adversaries using the Internet as a preferred attack vector,³ ⁴ while DOL Internet-connected systems, where the key economic data of interest is produced and stored, are not within the defined scope of CleanSweep. The full spectrum of adversaries is illustrated in Table 1, the Generic Threat Matrix.

Table 1: Generic Threat Matrix. Foregoing potentially loaded terms such as hacker or nation state actor, the Generic Threat Matrix provides a qualitative categorization of adversaries based upon attributes describing their capabilities in terms of technical and organizational capacity.

This matrix provides qualitative values to key adversary attributes, enabling the Red Team to gauge the capability level and attack tools, tactics, and processes such an adversary would bring to bear.⁵

Information provided by DOL officials and personnel and gleaned by the SNL team during their assessment activities indicates the following adversary threat profile for the press lockup facility and data embargo and release process:
Intensity: Medium. The threat is moderately determined to pursue its goal and is willing to accept some negative consequences resulting from that pursuit. Acceptable consequences may include imprisonment, but usually not the death of group members or innocent bystanders.

Stealth: Medium. The threat is moderately capable of maintaining a necessary level of secrecy in pursuit of its goal, but is not able to completely obscure details about the threat organization or its internal operations.

Time: Weeks to Months. The threat is capable of dedicating several months to planning, developing, and deploying methods to reach an objective.

Technical Personnel: Tens. The threat is capable of dedicating a small, independent group of individuals to provide the technical capability of building and deploying weapons. There is full communication between the members of the group.

Cyber Knowledge: High. The threat is capable of using expert proficiency, both theoretical and practical, in pursuit of its goal. The threat is able to participate in information sharing and is capable of maintaining a training program, as well as a research and development program.

Access: Medium. The threat is able to plan and place a group member with indirect or limited access within a restricted system.

The Kinetic Knowledge category was not used in this analysis, as such capability was not judged to be necessary to compromise the target environment.
The sum of these attributes falls between levels five (5) and six (6), both within the medium range of threat actor. The team assessed that the adversary here lacked the high level of intensity because it is unlikely they would employ violent means to meet their goal of exfiltrating embargoed data prior to the official release time. This adversary has a high rating for cyber knowledge capability because of the highly technical nature of algorithmic trading.

In summary, likely adversaries in this scenario are profit-driven, technically sophisticated individuals who may have considerable resources at their disposal. Their technical proficiency enables implementation of stealthy surveillance equipment. Though they are willing to bend and potentially violate rules and laws, there are limits to what these adversaries are willing to do to achieve their goals; violence is unlikely as an operational method.
Analysis

In this section we discuss the attacks that were developed and run by Red Team personnel. Using the IDART methodology, the Red Team begins analysis of the target system and creates the various viewpoints discussed above. Next, the team holds a brainstorming session, inviting Sandia employees that have expertise in the areas addressed by the target system. The Red Team lead describes the target system, presents and explains the viewpoints, and answers any questions before beginning the brainstorming.
During brainstorming, very little filtering is applied to submitted ideas. If an attack idea will obviously not work or violates the ROE, it may be filtered immediately. Otherwise, all ideas are added to the attack graphs and will be filtered later. This allows all ideas to inspire other ideas that may not be filtered.

The result of the brainstorming session is the project's attack graph, a diagram that suggests start states, end states, and attack paths connecting the two states. Many of the attack steps will be invalidated, and some will be filtered because they are beyond
Attacks are rated in severity from critical, denoting a near-certain likelihood of occurrence, to low, denoting an unlikely event. Table 2, Attack Step Risk Ranking System, captures these metrics. None of the attack steps were identified as critical or important.

Rating     Definition
Critical   An attack step that has a near-certain risk of occurring in the future if it has not already happened.
Important  An attack step that is very likely to occur in the future and may already have taken place.
Moderate   An attack step that is likely to occur in the future and could already have taken place.
Low        An attack step that is unlikely to occur in the future and probably has not yet occurred.

Table 2: Attack Step Risk Ranking System.

For each attack step we provide a statement of what was or could be done by an attacker.
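As an added illustration of the attack graph and rating scheme described above (example code written for this page, not part of the Red Team's report or its tooling), the Python below builds a small IDART-style attack graph from start states, end states and rated attack steps, drops the steps that violate the ROE or were invalidated, enumerates the surviving start-to-end paths, and reports the residual rating once a set of mitigation options is applied. The states, steps, ratings and option names are constructed for the example and are not the report's actual attack graph or rankings; the rule that a path rates no higher than its least likely step is likewise an assumption of the example, not a rule the report states.

```python
"""Toy IDART-style attack graph: start states, end states and the rated attack
steps (edges) connecting them, with ROE filtering and mitigation coverage.
Everything below (states, steps, ratings, option names) is constructed for
this example; it is not the report's actual attack graph."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Ratings from Table 2, ordered from least to most likely to occur.
RATING_ORDER: Dict[str, int] = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class AttackStep:
    src: str                                    # state the step starts from
    dst: str                                    # state the step leads to
    rating: str                                 # Table 2 rating for this step
    violates_roe: bool = False                  # filtered immediately in brainstorming
    invalidated: bool = False                   # dropped during later analysis
    mitigated_by: FrozenSet[str] = frozenset()  # options that remove this step


class AttackGraph:
    def __init__(self, start_states, end_states, steps):
        self.start_states = set(start_states)
        self.end_states = set(end_states)
        self.steps: List[AttackStep] = list(steps)

    def live_steps(self, applied: FrozenSet[str] = frozenset()) -> List[AttackStep]:
        """Steps that survive ROE filtering, invalidation and the applied options."""
        return [s for s in self.steps
                if not s.violates_roe and not s.invalidated
                and not (s.mitigated_by & applied)]

    def paths(self, applied: FrozenSet[str] = frozenset()) -> List[Tuple[AttackStep, ...]]:
        """All simple start-to-end paths over the live steps (depth-first, no revisits)."""
        out_edges: Dict[str, List[AttackStep]] = {}
        for s in self.live_steps(applied):
            out_edges.setdefault(s.src, []).append(s)
        found: List[Tuple[AttackStep, ...]] = []

        def walk(state: str, visited: set, path: List[AttackStep]) -> None:
            if state in self.end_states and path:
                found.append(tuple(path))
                return
            for step in out_edges.get(state, []):
                if step.dst not in visited:
                    walk(step.dst, visited | {step.dst}, path + [step])

        for start in sorted(self.start_states):
            walk(start, {start}, [])
        return found

    @staticmethod
    def path_rating(path: Tuple[AttackStep, ...]) -> str:
        """Assumption of this example: a path rates no higher than its least likely step."""
        return min((s.rating for s in path), key=RATING_ORDER.__getitem__)

    def residual_risk(self, applied: FrozenSet[str] = frozenset()) -> Optional[str]:
        """Highest path rating left after applying the options, or None if no path survives."""
        ratings = [self.path_rating(p) for p in self.paths(applied)]
        return max(ratings, key=RATING_ORDER.__getitem__) if ratings else None


def compare_options(graph: AttackGraph, options: List[str]) -> Dict[str, Optional[str]]:
    """Residual risk after applying each option on its own."""
    return {opt: graph.residual_risk(frozenset({opt})) for opt in options}


# Constructed sample graph using, at a high level, the vectors the report discusses.
START = "press_member_inside_lockup"
END = "embargoed_data_released_early"
SAMPLE_GRAPH = AttackGraph(
    start_states=[START],
    end_states=[END],
    steps=[
        # Personal items carried into the room (lockers / metal detector / RF shielding options).
        AttackStep(START, "personal_items_in_room", "moderate",
                   mitigated_by=frozenset({"lockers_outside_room"})),
        AttackStep("personal_items_in_room", "transmitter_in_room", "low",
                   mitigated_by=frozenset({"metal_detector_at_entry"})),
        AttackStep("transmitter_in_room", END, "moderate",
                   mitigated_by=frozenset({"rf_shielding"})),
        # Non-DOL equipment and private data lines (DOL-owned equipment option).
        AttackStep(START, "non_dol_equipment_in_room", "moderate",
                   mitigated_by=frozenset({"dol_owned_equipment"})),
        AttackStep("non_dol_equipment_in_room", END, "moderate",
                   mitigated_by=frozenset({"dol_owned_equipment"})),
        # Brainstorm idea relying on DOL insider help: outside the ROE, filtered at once.
        AttackStep(START, END, "low", violates_roe=True),
    ],
)

if __name__ == "__main__":
    print("no options applied:", SAMPLE_GRAPH.residual_risk())
    for opt, risk in compare_options(SAMPLE_GRAPH, ["lockers_outside_room", "rf_shielding",
                                                    "dol_owned_equipment"]).items():
        print(f"{opt}: {risk}")
    print("lockers + DOL-owned equipment:",
          SAMPLE_GRAPH.residual_risk(frozenset({"lockers_outside_room", "dol_owned_equipment"})))
```

Running the block prints the residual rating with no options applied and with each option on its own, which is the kind of per-option comparison the mitigation tables later in this report make. The ROE-violating step never contributes a path, mirroring the immediate filtering described above, and an option that only cuts one branch (RF shielding alone) leaves the other branch's rating as the residual.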
Attacks
Mitigation Options:
- Modify existing policy to require personal items be kept in lockers outside of the press lockup room. Divestment should be a prerequisite for room entry. Cost: Low.
- Metal detector at press lockup facility entry. Security checkpoints at building entrances are some distance away from the Lockup facility, and press personnel are not escorted between points. Cost: Medium.
- Remodel press lockup facility with RF shielding. Attenuating material blocks RF communications into or out of the facility. Cost: Medium/High.
- Replace computers and other IT equipment in the press lockup facility with DOL-owned equipment and remove the private data lines currently in use. Cost: High.
- Retain status quo. Cost: Nil.
Attacks
Mitigation Options:
- Replace computers and other IT equipment in the press lockup facility with DOL-owned equipment and remove the private data lines currently in use. Cost: High.
- Prohibit anyone other than DOL personnel or contractors working for DOL from entering communications closets without a technically knowledgeable escort. Cost: Medium.
- Provide/train technically knowledgeable escorts. Cost: Medium.
- Retain status quo. Cost: Nil.
Mitigation Options:
- Limit the number of Black Boxes each press organization may use. Cost: Nil.
- Mount Black Boxes to wall or on raised shelves so that the equipment is within plain view. Use uniform, color-coded, DOL-issued cables between Black Boxes and IT equipment. Cost: Low/Medium.
- Adopt tamper-evident decals for inventory tags. Cost: Low.
- Replace computers and other IT equipment in the press lockup facility with DOL-owned equipment and remove the private data lines currently in use. This would eliminate the need for the Black Boxes altogether. Cost: High.
- Retain status quo. Cost: Nil.
Summary

Though DOL, BLS, and OPA personnel are doing due diligence in their efforts to monitor and control the press lockup facility, SNL IDART observations indicate opportunities for security improvements, ranging from relatively low-cost changes to existing policy up to investing in new IT infrastructure for the press lockup facility. Table 2, Comparison of Mitigation Alternatives, captures the criteria such as cost, risk, and performance for each option. Also included are scheduling requirements relative to SNL follow-up activities to verify/validate effectiveness of implementation.
Policy Issues

The data embargo and release process is well established, and enjoys an advanced level of maturity. Requisite data security policies already exist, but may lack optimal implementation.

Current policy requires press personnel to surrender cell phones in the press lockup facility prior to the distribution of embargoed data. An improvement to this prudent rule would be to collect cell phones and other personal items such as purses, briefcases, tote bags, etc. prior to granting entry to the facility, and securely storing these items outside for the duration of the press release event.
1. Cost: Low. Approximately $2,200.00 for hardware and shipping plus labor to install.
2. Risk: Low. Potential pushback from press; potential liability for lost/damaged personal items.
3. Performance: Medium value.
4. Schedule priority: Medium. Follow-up would consist of observing new process in action.
Another policy requires that non-DOL personnel be escorted while accessing wiring closets and communications hubs. Ensuring that only technically knowledgeable personnel are given escorting duties would be a significant enhancement to this practice, as would be documenting process and procedures, and training assigned escorts in security concepts (e.g. maintaining visual contact with charges for the duration of each visit, limiting the number of visitors per escort, whom to contact and what to do should an incident occur, what constitutes an incident).
1. Cost: Medium. Personnel wages associated with assigning technical staff (vs. non-technical, who potentially have lower hourly cost) and development, documentation, and implementation of training.
2. Risk: Medium. Pushback from DOL employees regarding additional assignments; lack of qualified personnel; prioritizing current assignments vs. escorting; cost of hiring new staff.
3. Performance: High.
4. Schedule priority: High. Multi-step solution requires early start; potential delays for contract negotiation pertaining to escort duties; policy and procedure development, documentation and implementation of training.
Press organizations are currently allowed to use their own equipment in the press lockup facility, with some parties implementing complex configurations to include infrastructure-grade networking appliances and utilizing multiple DOL-supplied Black Boxes. The resulting clutter, power consumption, heat generation, and government expense for supplying Black Boxes could be reduced by changing existing policy to limit each press work area to a standard equipment configuration (e.g. a single computer, monitor, keyboard & mouse).
1. Cost: None.
2. Risk: Medium. Pushback from press organizations.
3. Performance: Medium. Reduces clutter, making Black Box status identification easier; reduces heat generation, power consumption.
4. Schedule priority: Medium. Though minimal in implementation effort, SNL project period of performance (PoP) end is March 2012.

Another policy option is to completely disallow non-DOL equipment. Cost, risk, performance and technical ramifications of this path are discussed in the next section.
Technical Issues

The presence of non-DOL IT equipment and communications lines in this facility is of concern to the Red Team. The opaque nature of this equipment to DOL, BLS, and OPA stakeholders is a major impediment to ensuring that embargoed data is not released prior to authorization, and the presence of outsider equipment opens attack vectors into the DOL environment. Because DOL may not conduct technical inspection of this equipment or monitor data traffic for unauthorized activity, there is no way to ascertain with certainty that DOL data is not being exfiltrated without DOL authorization.

Allowing press organization-owned equipment and communication lines in the press lockup facility creates a need for non-DOL maintenance personnel to access DOL communications and data infrastructure. Replacing press-owned equipment and data lines with a DOL-owned solution would remove opportunities for adversaries to compromise critical DOL communications and data infrastructure.
1. Implementing a DOL-owned IT solution for the press lockup facility would entail the purchasing, configuring, and maintaining of such equipment.
2. An appropriate solution could be tailored to a bare-bones configuration to save cost and reduce attack surface. Services limited to Internet access should provide adequate functionality for traditional journalists, while redirecting the burden of enhanced capability away from DOL and onto those who desire it. Applications (e.g. MS Word, algorithmic trading applications, etc.) would reside on press organization servers, and not be the responsibility of DOL to license, maintain, and patch.
3. Such a solution would likely reduce heat generation and energy costs for the press lockup facility.
4. DOL would have complete control over press lockup facility hardware and software and the ability to monitor as well as terminate/enable data communications.
5. Such a solution would be segregated from DOL Enterprise environments.
Cost: High. Approximately $66K for hardware and software, $3.2K annually for licenses, and between 0.5 and 1.0 FTE for maintenance/administration (please see Attachment 2: Cost Estimates for details).
Risk: High. Pushback from press; future increases to licensing costs; onus of defending new environment; ensuring segregation from DOL enterprise environment.
Performance: High. Eliminates uncertainties surrounding non-DOL equipment capabilities and access to wiring closets; reduces clutter, heat generation, power consumption; eliminates Black Box costs.
Schedule priority: High. Complex, multi-phase option requires immediate start to facilitate completion prior to end of SNL PoP.
1. Cost: High. Approximately $40K.
2. Risk: Medium. As with any technical project, unintentional service disruptions may occur, with associated costs to productivity and equipment replacement; in the event that unauthorized surveillance devices are identified, law enforcement must be notified immediately.
3. Performance: High. Would provide DOL leadership with a clean bill of health for their communications infrastructure (up to that point in time).
4. Schedule priority: Medium. Should only be done after removing press-owned IT equipment and communication lines and implementing qualified/trained escorts.
The Black Box devices currently employed to control the release of embargoed data in the press lockup facility are simple and fairly robust. However, the current concept of operations governing their use makes compromising or circumventing this control mechanism a plausible occurrence. The cluttered nature of the facility, plethora of non-DOL equipment, and multiple instances of Black Boxes for some press organizations create opportunities to mask activities designed to neutralize these control devices.
1. Seal Black Boxes with tamper-resistant/indicating inventory labels. Develop and implement policy to monitor labels for tampering.
   Cost: Low. From $9.00/250 basic seals or $1,200.00/20K for hologram seals; personnel time/wages for developing, documenting, and implementing process; auditing/checking for tamper indications.
   Risk: Low/Medium.
   Performance: Low for basic seals/Medium for hologram seals.
   Schedule priority: Low.
2. Mount Black Boxes to wall or on raised shelves so that the equipment is within plain view. Use uniform, color-coded, DOL-issued cables between Black Boxes and IT equipment.
   Cost: Low/Medium. Labor for installation; standardized cabling.
   Risk: Low.
   Performance: Medium.
   Schedule priority: Medium.

As noted previously, surreptitious use of transmitting devices was identified as a potential vulnerability. Installing RF shielding in the press lockup facility would mitigate against this vector by attenuating RF signal strength. Products such as foil-backed sheetrock are a relatively inexpensive implementation.
1. Cost: Medium. Materials + labor.
2. Risk: Low.
3. Performance: High. Correctly implemented shielding would greatly reduce the effectiveness of transmitter attacks from within the press lockup facility; this option would eliminate the need for in-room RF monitoring.
4. Schedule priority: High.
Observations

ROE Constraints of Note

The SNL IDART Red Team was limited to observation and assessment activities; no active exploitation exercises were performed during the course of CleanSweep. The scope of allowed activities was limited to the press lockup room and associated data embargo and release processes.
1. Other areas associated with preparation of the target data were not subject to observation and assessment.
2. Operational IT systems associated with preparing/producing the target data were not subject to observation and assessment.
3. Adversary modeling specifically excluded DOL personnel insider threat.
Potential Avenues

The following activities were proposed to DOL but not sanctioned during this activity.[1]
1. Technical evaluation and assessment of BLS IT environments.
2. Technical evaluation and assessment of RF environment at BLS.

Recommendations

There are areas for improvement in policy development and implementation, and for technical mitigation strategies to better secure the Press Lockup facility.

Should DOL decide to pursue mitigation options specific to the Press Lockup facility, the Red Team suggests the following measures take priority status:
1. Disallow non-DOL-owned IT equipment and communication lines from the Press Lockup facility or anywhere else on DOL premises.
2. Require technically cognizant escorts accompany non-DOL personnel into wiring closets and communications hubs.
3. Require non-DOL personnel to surrender personal items prior to entering the Press Lockup facility. External storage lockers could secure belongings for the duration of press events.

[1] Current reporting from open and sensitive sources indicates computer targeted network exploitation (CNE) as the most prevalent method of unauthorized data exfiltration from a wide range of adversaries. It is the opinion of Red Team Cyber Security subject matter experts that the IT environments where the data are produced are more likely avenues for data loss than is the Press Lockup facility. CNE offers advantages such as anonymity to an adversary due to the difficulty of conclusively attributing malicious actions over the Internet to specific individuals vs. actions carried out in person in the Press Lockup facility. Compromise of IT systems provides an adversary long-term, unauthorized accesses to potentially valuable information with little chance of discovery.
Attachment 1: Agenda
Han Lin, Project Manager; Scott Maruoka, Technical
Lead; Will Atkins, Michael Freund, Lyle Hansen,
Technical Team.
7-8 July, 2011
8:30 am Introductions All
9:00 am DOL/BLS Mission & Goals Ed Hugler
Deputy Assistant Secretary for
Operations
Carl Fillichio
Senior Advisor for Communications
and Public Affairs
Michael Levi
Associate Commissioner, BLS Office of
Publications and Special Studies
9:30 am SNL IDART Agenda Han Lin, Michael Freund, Lyle Hansen
Manager, Networked Systems Survey &
Assurance; Technical Team
10:00 am Introduction to IDART Will Atkins & Scott Maruoka
IDART Team
11:00 am Break
11:15 am Introduction to IDART Will Atkins & Scott Maruoka
IDART Team
12:00 pm Lunch
1:00 pm Technical Team setup. Michael Freund, Lyle Hansen
1:00 pm Facility Wireless System Assessment Will Atkins
1:00 pm Interview with Jermaine Pegues. Han Lin, Scott Maruoka
1:30 pm Interview with Gary Steinberg. Han Lin, Scott Maruoka
2:00 pm Interview with Rick Vaughn. Han Lin, Scott Maruoka
2:30 pm Interview with Anthony Ferreira. Han Lin, Scott Maruoka
3:00 pm Interviews with Carl Fillichio. Han Lin, Scott Maruoka
4:00 pm SNL Team Members depart All
6:30 am Briefing Preparation SNL Technical Team
8:00 am Press Briefing SNL Technical Team
9:00 am Interview with Jennifer Kaplan Han Lin, Scott Maruoka
9:30 am SNL Team Discussion & Analysis SNL Technical Team
12:00 pm Lunch
1:00 pm Presentation of Initial Findings SNL Technical Team
3:00 pm SNL Team Members depart All
Vanguard Metal QS Assembly: Assembled
Vanguard Metal QS Color: Grey
Cost: $1,279.92; shipping: $880.00; Total: $2,159.92

Lockers and Storage Catalog: http://lockerscatalog.com/items.asp?Cc=LLOCK-QSW&iTpStatus=0
Hallowell Wall Mounted Premium Box Locker
Product ID: L236-1095
Weight: 50 LB
Dimensions: 48 W X 18 D X 12 H
Color: Grey
Unassembled
Cost: $1,440.00; shipping: $880; Total: $2,320.00

Lockers.com: http://www.lockersupply.com/
Penco Quick Ship: Vanguard Unit Packaged Lockers - Four-Wide Wall Mount - 68242
SKU #: PN1122
Dimensions: 13.625" H x 45" W x 18" D, 43.0 lbs.
Unassembled
Cost: $1,463.92; shipping: $116.19; Total: $1,580.11

Tamper-evident Labels
Tamperco: http://www.tamperco.com/Tamper Void Tamper Evident Labels s/22.htm
Tampervoid labels: $9.00/250
Hologram labels: $1,200.00/20K