d/b/a mark yanalitis cc some rights reserved red teaming approaches, rationales, engagement risks...
TRANSCRIPT
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
2012 Information Systems Security Organization (ISSA) Information Security Forum
Dave and Buster's180 E Waterfront Dr
Homestead, Pennsylvania
Presenters: Mark Yanalitis CISSP, IT Infrastructure Architect, PNC Bank
Bill Johnson CPP, Director of Corporate Security and Employee Safety, Highmark Inc.
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
2
Goals for today• Define Red Teaming and its’ rationale • Discuss differences between commercial
and full-spectrum Red Teaming • Discuss differences between commercial
and full-spectrum methodologies• Examine common engagement risks• Application of Red Teaming methods • A companion document exists as
supplemental reading resource for this presentation
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
3
Red Teaming Definitions“An array of activity where the overall goal is to understand the adversaries perspective in order to identify one's own vulnerabilities and challenge one 's own assumptions.”1
“Authorized, adversary-based assessment for defensive purposes.“2
“Review of control design and threat-based penetration testing to simulate actual attacks.”3
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
4
Commercial v. Full Spectrum
Commercial engagements
• Threat-based modeling• Compliance mandates• IT Audit adjunct testing• Goal is quick penetration• Cost and time driven• Automation dependency• Survey the known
Full-Spectrum engagements
• Capabilities-based or hybrid modeling
• Simulations• Goal is understanding• Risk analysis driven• Human in the loop• Expand the knowable by
parsing the unknown
Friday May 4th, 2012
Lets explore the motivating factors for commercial and full-spectrum red
teams
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
5
Methodologies
Friday May 4th, 2012
Targeting
Client EngagementMaster Service
Agreement
Statement of WorkRules of
Engagement
Bond of IndemnityIdentify Scope
Compromise
Report
Reconnaissance
Scan & Attack
Reload
Commercial
Full Spectrum
Source: Sandia National Laboratories IDART, 2011
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
6
The Intelligence Process
Friday May 4th, 2012
40%
5%
30%
20%
5%
Adversary (Full Spectrum Red Team) Time Expenditure
Intelligence and Logistics
Live System Discovery
Detailed Prepa-rations
Testing and Practice
Attack Execution
4 Schudel, G. and Wood, B. (RAND, SANDIA & GTE: 2000)
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
7
Intelligence CycleA full-spectrum red team will focus upon likely adversarial courses of action as well as current capabilities.
Internally to the team, a need exists to have common doctrinal understanding of resource identification, intelligence collection, collection management, training, and leadership.
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
8
Finished Product
Phase 6
Revision Tracking and Real-Time Group Review
Phase 5
Desktop Publishing and Word Processing
Production of Graphics, Values, and On-line Briefs
Phase 4
Collaborative Works
Note-taking and Organization of Ideas
Structural Argument Analysis
Phase 3
Interactive Search and Retrieval of data
Graphic and Map-based visualization of data
Modeling and Simulations
Phase 2
Clustering and linking Relational databases
Statistical Analysis to reveal Anomalies
Detection of changing trends
Detecting of Alert Situation
Phase 1
Conversion of paper documents to digital form
Automated Foreign Language translation
Processing Image, Video, audio, signal data
Auto-extraction of data elements from text and images
Standardizing and converting data formats
Intel Fusion Approach
Friday May 4th, 2012
5 Adapted from Steele, Robert, D. (New Craft of Intelligence: 2002)
A red team collects and produces intelligence at variable rates and differing fidelities. The red team leader must be prepared for these eventualities.
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
9
Bias in the Intel processSources of cognitive error
Sources of cognitive error can be found in individual minds, the collective agreement of the team, team composition, and in the quality of support given to the effort. Each individual team member carries both a cognitive bias as the known outsider pre-judged by their own past experiences, as well as the bias of their culture.
Organizational and environmental bias indicatorsThe assignment is not taken seriouslyThe team or sponsor becomes too removed from the decision-making processA lack of interaction with the blue teamInsufficient access to the details of the targetLoss of team confidences The team fails to capture the details of the adversary, and instead mirrors itselfThe red team does offers no challenge to the blue teamThin top cover: the lack of a robust channel to act on findings in a timely manner, or consider findings with any seriousness.Applied post-event after many bodies already have been thrown at the problemThe wrong team targeting the wrong problem (Threat-based team vs. a capabilities based problem)A lack of clarity on the urgency of issues at handThe red team approach is a one-time activity
Friday May 4th, 2012
6 Defense Science Board. Task Force Report on The Role and Status of Red Teaming Activities: (DoD: 2003)
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
10
Role play the AdversaryLets explore the difference between a threat-based adversary model and capabilities-based
adversary model.
Threat – A threat represents a known quantity, a known effect singular in origin, essentially a Pathogen-Antigen model. A threat is an X-Y direct, or inverse relationship.
Capability – Actors (or a confederation of multiple actors) capable of achieving a singular goal either due to access to resources, or some form of institutional support. The force multiplier effects of capability-based actors behave like an algebraic expression where leading factors have orders of magnitude, possibly even having orders of operation.
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
11
Adversarial Modeling
Friday May 4th, 2012
Red Team A
Red Team B
Adversary A
AdversaryB
AdversaryC
The Universe of Actors and ActionsIn the full-spectrum Red Team context, the sponsor may need more than one type of red team to realistically model the capability. In the commercial world, modeling capability-based actors is the exception, not the norm.
Source: Sandia National Laboratories IDART, 2011
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
12
Adversarial Prototyping
Friday May 4th, 2012
Relative sophistication across adversaries
Sophis
tica
tion
Naive Novice
AdvancedNovice
Professional Hacker
OrganizedCrime or Cyber-
Terrorist
ForeignIntelligence
7 Op. Cit. Schudel, G. and Wood, B. : 2000
‥
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
13
Threat Profiling
Friday May 4th, 2012
8 Duggan, et. al. SANDIA, 2007
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
14
Attack Trees
Friday May 4th, 2012
9 Schneier, Bruce. Modeling Security Threats (Dr. Dobb’s Journal: 1999)
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
15
Smart Grid Attack Diagram
Friday May 4th, 2012
10 Penn State University SIIS Laboratory. (Network and Security Research Center: 2010)
CorporateNetwork The Internet
DDR PSTN DID1-(724)-got-powr
128K CSU/DSULink over carrier
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
16
Smart Grid Attack Tree
Friday May 4th, 2012
11 Ibid. Penn State University SIIS Laboratory: 2010
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
17
When to Use Red Teaming
Friday May 4th, 2012
Don't use RT methods for, Do use RT methods for,
Simple systems or processesComplex systems or complex system of systems
Undefined environmentsHostile and well-defined environments
Low consequence systemsSystem with unknown consequences
Problems already identified Adaptable adversaries
Compliance and certification suffices
Informing on security trade-offs
When unready to receive an extreme answer
Training and doctrine
12 Atkins, William. Read Teaming – It's Good to be Bad. (Missouri S&T ACM SIG in Security: 2010)
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
18Friday May 4th, 2012
Ok, you try it now. Target: A reciprocating high-speed gas compressor
Source: BPI Compression 2011
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
19
Case Study Client SituationA new foreign multi-national corporation (OCONUS) enters Southwestern PA as a result of a purchase and repackage of a number of leases sold by Chesapeake Energy. Almost all of these functional wells remain capped, and lack the infrastructure to get the gas to market.
The corporations‘ local CONUS office has orders to open several fields and secure the infrastructure needed to handle gas compression and transfer. The local office issues an RFP, and engages a low-bid contractor solution. The preferred corporate contracted insurer does not feel the site protection solution adequately protects their underwriting investment of leased equipment. The insurer will not offer favorable rates until the site security concerns resolve to their satisfaction.
Home office Corporate Security comes into the conversation late, and recommends that the site protection solution for the compressor be turned over to a Red Team/Blue Team for evaluation.
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
20Friday May 4th, 2012
The red team simulation revealed complete destruction of the compressor and block house site plan in 10 minutes. What was the solution? Where are the vulnerabilities? why did the solution work?
½ ton pickup
A cinderblock
Fender Jack
Stump Remover
Mentos
Duct Tape
Magnesium Ribbon
2 black Super Fan Suits
Five 2L bottles of Cola
One 2L bottle of Clorox
1 Large Sling Shot
Estimated 3 weeks of site observation and rehearsal
Flood light and CCTV camera
No buried fence
It frequently rains here
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
21
Case Study Red Team Solution
The full red team observed and collected intelligence on the target site for 3 weeks developing a number of information collections and applying information analysis techniques. They chose their best scenario.
During the preparation phase, the pair melted down Stump Remover, which contains Potassium Nitrate, the main ingredient in smoke bombs. By adding in some refined sugar, the two made 2 baseball size smoke bombs on a kitchen stove. Magnesium ribbon, bought at an online camping store with a stolen credit card, served as the wicks. The Cola was cut with 20% Clorox and the tops were taped over with Mentos in the bottle necks then loosely capped. The two planned to tape the bottle bombs into the seats and floors of the truck on site, and tie in place the steering wheel.
Two red team members drove a rental car and a stolen pickup to the nearby target site. The red team members changed into black superfan suits (to prevent any hair, shoe, or clothing fibers from falling into the truck). The pair drove lights-out, a sanitized 3/4 ton stolen pickup truck (interior scrub-down, second stolen plate, and tire replaced with junk bald tires) to within 30 yards of the block house on a rainy night.
On site, the truck rear was jacked up. While one threw/shot the lit smoke bombs at the base of the fence near the camera, the other placed the cinder block on the accelerator and turned on the ignition, and put the truck in drive. When enough smoke obscured the camera, the jack was kicked out and the truck sped forward ramming the fence and crashing into the block house at high speed. The Mento/Cola/Clorox bombs burst inside the cabin of the truck spoiling the interior environment defeating most physical forensic analysis. The truck destroyed the compressor, and brought most of the block house down on the target. The two fled on foot to the get-away car, and then later burned their suits in to black plastic lumps and discarded them.
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
22
Case Study: Blue Team Counter-Measures
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
23
Case Study: Blue Team Counter-Measures
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
24
Thank you for listening, are there any questions or comments?
Friday May 4th, 2012
d/b/a Mark Yanalitis CC Some Rights Reserved
25Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
Use your powers for the greater good, not evil.
Friday May 4th, 2012
Fight the Good Fight
d/b/a Mark Yanalitis CC Some Rights Reserved
Red Teaming Approaches, Rationales, Engagement Risks and Methodologies
26
References1 McGannon, Michael. Developing Red Team Tactics, Techniques, and Procedures. (Red Team Journal: APR 2004). Internet.
Found at http://redteamjournal.com/2 Sandia IDART Methodology. http://idart.sandia.gov/methodology/index.html3 Price Waterhouse Coopers. Is your critical infrastructure safe? (PWC LLP:2010) Internet. Found at
http://www.pwc.com/en_US/us/industry/utilities/assets/cyber-attacks.pdf 5.4 Schudel, G. and Wood, B. Modeling the Behavior of a Cyber Terrorist. (RAND National Security Research Division
proceeding of workshop. Appendix C: Santa Monica, California: 2000) 49-59. Internet. Found at http://www.csl.sri.com/users/bjwood/cyber_terrorist_model_v4a.pdf.
5 Steele, Robert, D. The New Craft of Intelligence: Achieving Asymmetric Advantage in the Face of Nontraditional Threats. (U.S. Army War College Strategic Studies Institute: 2002). 34-36.
6 Department of Defense Science Board. Task Force Report on The Role and Status of Red Teaming Activities (Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics. Washington, D.C. 20301-3140:2003). Internet. Found at www.au.af.mil/au/awc/awcgate/dod/dsb-redteam.pdf
7 Op. Cit. Schudel and Wood, 2000.8 Duggan, David, P., Thomas, Sherry R., and Veitch, Cynthia K.K., and Woodward, Laura. Categorizing Threat - Building and
Using a Generic Threat Matrix. (SANDIA National Laboratories, Albuquerque NM. REPORT SAND2007-5791: September 2007). Internet. Found at http://idart.sandia.gov/methodology/materials/Adversary_Modeling/SAND2007-5791.pdf
9 Schneier, Bruce. Modeling Security Threats - Attack Trees (Reprint Dr Dobb’s Journal: 1999. Counterpane Internet Security: 1999). Internet. Found at http://www.schneier.com/paper-attacktrees-ddj-ft.html
10 Penn State University SIIS Laboratory. Advanced Metering Infrastructure Security. (Penn State University Systems and Internet Infrastructure Security Laboratory, Computer Science and Engineering (CSE) Network and Security Research Center (NSRC): 2010). Internet. Found at http://siis.cse.psu.edu/smartgrid.html
11 Ibid. Penn State University, 201012 Atkins, William. Read Teaming – It's Good to be Bad. (Missouri S&T ACM SIG in Security. SANDIA Critical Infrastructure
Systems Department, NM, 10 FEB 2010). Internet. Found at. http://acm.device.mst.edu/security-files/2010-02-10-Red_Teaming.ppt
‡ See the supplemental paper that accompanies this presetation titled : Yanalitis, Mark. RED TEAMING APPROACH, RATIONALE, AND ENGAGEMENT RISKS (self-published: 2011).
Friday May 4th, 2012