Presentation Structure
• T.E.S.S.O.C
• A Multifaceted Attack
• Red Teaming – Physical
• Red Teaming – IT
• The Rise of Converged Vulnerabilities
• Worst fears?
• Limitations & Roadblocks
• A War Footing
Red Teaming: Be Prepared for Anything
Optimal Risk 2016 v3
Presented by:
Mike O’Neill, Managing Director
Dan Solomon, Director of Cyber Risk & Security Services
Be Prepared. For Anything
Red Teaming: Testing your Preparedness, Building your Resilience
T.E.S.S.O.C framework
• Threats not related to war are grouped into five categories:
Ø Terrorism
Ø Espionage
Ø Subversion
Ø Sabotage
Ø Organised Crime
• TESSOC typically reflected the hierarchy of defence priorities; this is now complicated by cyber.
• Cyber now cuts across all five domains and should top the hierarchy of priorities.
Threats to on-shore installations: Europe 2015 assessment

| Threat | Impact | Vulnerability | Short Term Trend |
|---|---|---|---|
| Terrorist attack on LNG terminal | High | High | Low | Increasing |
| Terrorist attack on port personnel | High | High | Low | Stable |
| Sabotage of POL tanks and pipelines | High | Medium | Low | Increasing |
| Sabotage of port authority buildings | Medium | Medium | Low | Increasing |
| Hostage taking | High | Medium | Low | Increasing |
| Nuclear device in container | High | High | Low | Increasing |
| Biological or chemical device in container | High | High | Medium | Increasing |
| Sinking of a vessel in port to block channels or locks | High | Low | Medium | Increasing |
| Vehicle-borne IED attack | Medium | Low | Low | Stable |
| Ship-borne IED attack | Medium | Low | Low | Stable |
| Destruction or sabotage of telecommunication systems | Medium | Low | Low | Stable |
| Destruction or compromise of cargo in port | Medium | Low | Medium | Increasing |
| Cyber attack against port control IT network & applications | High | Medium | High | Increasing |
| Cyber attack to destroy port management databases | Medium | Medium | High | Increasing |
| Cyber attack on port control network and theft of data | Medium | Medium | High | Stable |
| Infiltration by unauthorised persons to steal information | Medium | Medium | High | Stable |

Source: Optimal Risk. Note: the original slide lists four value columns per row (the first two are both rated on the Impact/Likelihood scale; the slide header names only Impact, Vulnerability and Short Term Trend), so the column values are reproduced exactly as extracted.

• Cyber threats are high probability in the short term and are a reality
• In many cases port authorities are unaware of sophisticated breaches and their impact
• Cyber defence is weak against converged threats
• Cyber resilience concepts are weak and untested
A Multifaceted Attack
IT factors can include:
• Spear phishing
• APT and custom malware insertion
• Attacks on:
– Infrastructure, including VPN
– Wi-Fi networks, including the executives’ homes
– Applications
– Mobile device vulnerabilities
– DDoS
Human factors can include:
• Gathering open-source intelligence on key employees and leveraging this knowledge to subvert them
• Compromise of employees, who may be coerced into obtaining further access into networks, or manipulated into disclosing sensitive data
• Physical infiltration of facilities to gain access to internal devices & networks
• Delivery of malware to employees on physical devices
• A ‘planted’ insider
A Multifaceted Cyber Attack
• A prolonged and persistent attack across multiple vectors, using different methods, in several phases over days or weeks
• Sophisticated ‘conditioned’ weapons [with the capacity to learn and adapt] that can act in coordination
• Complex scenarios, likely for espionage or sabotage purposes, with a converged back-story
• The attack is likely to mobilise the organisation’s full Blue Team capability through the phases of identification, defence, response and recovery against an attack in depth
• The attack escalates and challenges the organisation’s various responses, methods, teams and decision-makers
A Simulated Attack or ‘Red Teaming’
• Red teaming: a real-world approach to testing security, protocols & awareness; ultimately to address security requirements and evaluate the risk involved in their viability, modelling threats on all potential layers of attack
• Testing resilience to realistic incidents: how a port enacts & adapts business continuity plans, how appropriate contingency plans are, and under which conditions they are more likely to fail
• Identifying multiple points of failure, whether technical, human or procedural
• Identifying short-term tactical fixes for immediate remediation of any outstanding vulnerabilities within the tested environments
• Identifying long-term strategic measures that will proactively thwart any repetition of the vulnerabilities discovered
• Prompting engagement in a programme of remediation efforts and security posture reinforcement
Physical Infiltration
Findings: USB drive planted; security post left unattended; communications room penetrated.
Access was granted to limited-access areas, allowing our team to obtain photographs of facility internals and insert custom malware on internal devices.

Physical Infiltration
Findings: dummy ‘bug’ installed; silent alarm, 5-minute response time; network switchboard infiltrated.
During the exercise the team entered a restricted area and placed simulated electronic surveillance equipment.

Physical Infiltration
Findings: USB drive planted in terminal; two breaches; WiFi antenna installed.
Physical security was circumvented and breach incident response was ineffectual, allowing our team to exit without reprimand.
External Network Penetration
A vulnerable web application was exploited to disclose its entire backend database.
Hosts shown (addresses masked on the slide): x.x.126.27, x.x.162.10, x.x.169.30
Findings: exposed administration page; unencrypted FTP service; unencrypted SIP service.
Other Aspects
• Nearly all sensitive applications were found vulnerable in some way,
Ø from allowing data theft and data manipulation...
Ø ...to enabling attackers to lock out key users.
• A number of high-severity vulnerabilities within working applications included:
Ø A server which underpins a critical application was using outdated software, which allowed our team to compromise and take control of the server & application.
Top Issues
• Physical security neglects advanced threat preparedness in favour of simple physical security risk
• Insufficient employee awareness of advanced cyber attacks
• Insufficient protection of high-value employees against external threats
• Lacklustre adherence to system maintenance policies
“...We’re very pleased by your work; you’ve exceeded our expectations in every aspect” Source: Customer’s SVP Security
Converged Vulnerability
• Physical security systems undermined by poor procedures and processes
• Poor personnel vetting practices, and weak verification & control of movement between port areas
• Introduction of integrated security systems increased vulnerability, particularly through COTS solutions
• Sophistication of systems is still low compared to airports, in particular access control to critical areas
• Poor levels of integrated monitoring and control room resourcing
• Dynamic contingency planning is based on analysis of out-of-date scenarios
• Low levels of resilience in critical networked information systems
• Insufficient encryption and biometric protection, and poor counter-espionage countermeasures
• High vulnerability to BYOD threat
Worst Fears?
Permanent Denial-of-Service [PDoS]
Attacks in the future will range from rendering hardware useless by crashing hard drives and machine-level PLCs to increasing the voltage within CPUs.
Attacks aim to push hardware to its extreme performance, or to conduct actions for which it was not designed, as well as the more obvious corrupting of internal program and data structures.
Recovery will require replacement with new hardware, which exposes the vulnerability of not holding redundant capacity.
In many cases it is not practical to hold spare parts for major pieces of infrastructure. The resultant downtime could be catastrophic for some businesses without suitable redundancy and capacity.
PDoS attacks will include:
• Over-volting
• Over-clocking
• Over-usage
• Power cycling
• Phlashing
Let’s Imagine...
1. Systems go down while containers are in port and all work effectively stops until it is resolved?
2. A compromised system means that you cannot trust what is in a container from a particular carrier or country?
3. Other countries, in particular the US, are not prepared to accept shipments from this port?
4. The country has only one major deep-sea port and:
• Food and fuel are not being unloaded. Contemplate the impact over a 3-day period.
• If a PDoS takes down systems permanently, systems will need to be replaced, which could take days. If hardware is affected, the impact could be weeks.
• Overland distribution contingencies will need to be enacted.
• Other countries dependent on exports and onward distribution will be affected, and the problem becomes an international crisis with geopolitical implications.
What would happen if:
1. The port could not handle cargo for 8 hours
2. The port could not handle cargo for 2 days
3. The port could not handle cargo for 4 days
4. The port could not handle cargo for 2 weeks
Consequences
• What did the port gain from the red team?
Ø It created awareness
Ø Demonstration of reality: a game changer
Ø Hard lessons’ benefits without the pain
Ø Very quickly absorbed into organisational perceptions
Ø Demonstration of interdependencies
Ø Learning by doing: failings in response as well as security
Ø Immediate tactical priorities for remediation
Ø Priorities for re-evaluation of policy
Ø Priorities for physical security
Ø Priorities for security investment
• What happened next?
Ø Change of Approach
Ø Impact on Confidence
Ø Changes to Business Practices
Ø Security Investment & Focus
Ø Awareness of High-Impact Threats
Ø Review of Risk ‘Agenda’ [& recalibration of appetite]
Ø Revise Enterprise Risk Management
Limitations & Roadblocks
[Diagram: Dealing With Deception / Roadblocks / Symptoms of Delusion. Terms shown: Insurance; Compliance; Silver Bullets; Cultural Myopia; Accepting Mediocrity; Analytical Bias; Perspectives on ‘Cold War’; Ignorance; Leadership; Risk-Informed Intelligence; Reactive approach; Vulnerability Scanning; Analytical Failure; Formalised Policy & Planning; Board-level Consensus; Outdated methods; Budgets; Forewarning; Tackling Uncertainty; Effective Capability; Misaligned Strategy; Converged Threat Awareness; Complacency; Competing Priorities; Inertia; Silos; Cost; Assessing Probabilities; Risk; Outdated Assumptions; Information Assurance.]
A War Footing
✓ ‘Raise your gaze’ and seek better vision
✓ Anticipation of the unexpected
✓ Embrace the Plausible, not just the Probable
✓ Practice makes Perfect
✓ Develop a ‘Forensic’ approach to Causes of Security Failure
✓ Be Reluctant to Simplify Plans and Preparation
✓ Declare an Absolute Commitment to Proactivity

Contacts
Dan Solomon, Director, Cyber Risk & Security Services. Tel: +44 7850 761834. Email: [email protected]
Mike O’Neill, Managing Director. Tel: +44 7768 354009. Email: [email protected]
Crisis, Risk & Security Specialists
Thank You
[Closing slide: Physical Security / Cyber Security; Red Team / Blue Team. Services: Consultancy & Planning; Surveys & Audits; Response & Protection; Threat Modeling & Forensics; Advanced Cyber Defence; Risk Analysis. Reinforcing Your Security; Building Your Resilience; Testing Your Preparedness; Exercising Your Response.]