Red Teaming Approaches,
Rationales, Engagement Risks
and Methodologies
2012 Information Systems Security Organization (ISSA)
Information Security Forum
Dave and Buster's
180 E Waterfront Dr
Homestead, Pennsylvania
Presenters:
Mark Yanalitis CISSP, IT Infrastructure Architect, PNC Bank
Bill Johnson CPP, Director of Corporate Security and Employee Safety, Highmark Inc.
d/b/a Mark Yanalitis
CC Some Rights Reserved
Goals for today
• Define Red Teaming and its rationale
• Discuss the differences between commercial and full-spectrum Red Teaming
• Discuss the differences between commercial and full-spectrum methodologies
• Examine common engagement risks
• Application of Red Teaming methods
• A companion document exists as a supplemental reading resource for this presentation
Friday May 4th, 2012
Red Teaming Approaches, Rationales, Engagement Risks
and Methodologies
d/b/a Mark Yanalitis
CC Some Rights Reserved
2
Red Teaming Definitions
“An array of activity where the overall goal is to understand the adversary's perspective in order to identify one's own vulnerabilities and challenge one's own assumptions.” [1]
“Authorized, adversary-based assessment for defensive purposes.” [2]
“Review of control design and threat-based penetration testing to simulate actual attacks.” [3]
Commercial v. Full Spectrum
Let's explore the motivating factors for commercial and full-spectrum red teams.
Commercial engagements
• Threat-based modeling
• Compliance mandates
• IT Audit adjunct testing
• Goal is quick penetration
• Cost and time driven
• Automation dependency
• Survey the known
Full-Spectrum engagements
• Capabilities-based or hybrid modeling
• Simulations
• Goal is understanding
• Risk analysis driven
• Human in the loop
• Expand the knowable by parsing the unknown
Methodologies
Figure: the slide sets the commercial engagement flow beside the Sandia IDART full-spectrum flow. Stages shown (as extracted, in slide order): Client Engagement; Master Service Agreement; Statement of Work; Rules of Engagement; Bond of Indemnity; Identify Scope; Reconnaissance; Targeting; Scan & Attack; Reload; Compromise; Report.
Source: Sandia National Laboratories IDART, 2011
The Intelligence Process
Figure: Adversary (Full Spectrum Red Team) Time Expenditure, a pie chart with five segments: Intelligence and Logistics; Live System Discovery; Detailed Preparations; Testing and Practice; Attack Execution. Segment shares shown on the slide: 5%, 20%, 40%, 30%, 5%. [4]
[4] Schudel, G. and Wood, B. (RAND, SANDIA & GTE: 2000)
Intelligence Cycle
A full-spectrum red team will focus upon likely adversarial courses of action as well as current capabilities.
Internally to the team, a need exists to have a common doctrinal understanding of resource identification, intelligence collection, collection management, training, and leadership.
Intel Fusion Approach [5]
Figure (reconstructed from the slide): production phases of the intelligence fusion process.
• Phase 1: Conversion of paper documents to digital form
• Phase 2: Clustering and linking relational databases
• Phase 3: Interactive search and retrieval of data
• Phase 4: Note-taking and organization of ideas; word processing; collaborative works
• Phase 5: Desktop publishing and production of graphics, values, and on-line briefs
• Phase 6: Group review and real-time revision tracking; finished product
Supporting analysis and processing capabilities shown alongside the phases:
• Structural argument analysis
• Modeling and simulations
• Graphic and map-based visualization of data
• Statistical analysis to reveal changing trends
• Detection of anomalies
• Detecting an alert situation
• Automated foreign language translation
• Processing image, video, audio, and signal data
• Auto-extraction of data elements from text and images
• Standardizing and converting data formats
A red team collects and produces intelligence at variable rates and differing fidelities. The red team leader must be prepared for these eventualities.
[5] Adapted from Steele, Robert D. (New Craft of Intelligence: 2002)
Bias in the Intel process
Sources of cognitive error
Sources of cognitive error can be found in individual minds, the collective agreement of the team, team composition, and in the quality of support given to the effort. Each individual team member carries both a cognitive bias, as the known outsider pre-judged by their own past experiences, and the bias of their culture.
Organizational and environmental bias indicators [6]
• The assignment is not taken seriously
• The team or sponsor becomes too removed from the decision-making process
• A lack of interaction with the blue team
• Insufficient access to the details of the target
• Loss of team confidences
• The team fails to capture the details of the adversary, and instead mirrors itself
• The red team offers no challenge to the blue team
• Thin top cover: the lack of a robust channel to act on findings in a timely manner, or to consider findings with any seriousness
• Applied post-event, after many bodies have already been thrown at the problem
• The wrong team targeting the wrong problem (a threat-based team vs. a capabilities-based problem)
• A lack of clarity on the urgency of the issues at hand
• The red team approach is a one-time activity
[6] Defense Science Board. Task Force Report on The Role and Status of Red Teaming Activities (DoD: 2003)
Role play the Adversary
Let's explore the difference between a threat-based adversary model and a capabilities-based adversary model.
Threat – A threat represents a known quantity, a known effect singular in origin, essentially a Pathogen-Antigen model. A threat is an X-Y direct, or inverse, relationship.
Capability – Actors (or a confederation of multiple actors) capable of achieving a singular goal either due to access to resources, or to some form of institutional support. The force multiplier effects of capability-based actors behave like an algebraic expression where leading factors have orders of magnitude, possibly even having orders of operation.
Adversarial Modeling
In the full-spectrum Red Team context, the sponsor may need more than one type of red team to realistically model the capability. In the commercial world, modeling capability-based actors is the exception, not the norm.
Figure: The Universe of Actors and Actions. Red Team A and Red Team B are drawn against Adversary A, Adversary B and Adversary C, showing that no single red team covers every adversary.
Source: Sandia National Laboratories IDART, 2011
Sophistication
Adversarial Prototyping [7]
Figure: relative sophistication across adversaries. Axis labels as extracted, from most to least sophisticated: Foreign Intelligence; Organized Crime or Cyber-Terrorist; Professional Hacker; …; Advanced; Novice; Naive; Novice.
[7] Op. cit. Schudel, G. and Wood, B.: 2000
Threat Profiling [8]
Figure: generic threat matrix (image not reproduced in the transcript).
[8] Duggan, et al. SANDIA, 2007
Attack Trees [9]
Figure: attack tree (image not reproduced in the transcript).
[9] Schneier, Bruce. Modeling Security Threats (Dr. Dobb’s Journal: 1999)
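The threat profiling and attack tree slides give the concepts but no worked evaluation. The following Python example is added here and is not from the presentation, from Sandia or from Schneier's paper; the tree shape follows Schneier's classic "open safe" illustration, while every cost and sophistication level in it is constructed for the demo. It shows how a blue team scores an attack tree against a sophistication ladder like the deck's (an OR node takes the cheapest feasible branch, an AND node needs all branches, a leaf is infeasible for an adversary below its required level), and re-scores the tree after a countermeasure to see which adversary profile the change actually affects.

```python
"""Attack-tree evaluation gated by adversary sophistication (added example)."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sophistication ladder, least to most capable. Constructed; it only loosely
# mirrors the deck's Naive Novice ... Foreign Intelligence axis.
LEVELS = ["novice", "advanced", "professional", "organized_crime", "foreign_intelligence"]


@dataclass
class Node:
    name: str
    op: str = "LEAF"                  # "LEAF", "AND" or "OR"
    cost: float = 0.0                 # leaf cost in arbitrary constructed units
    level: str = "novice"             # minimum adversary level that can attempt a leaf
    children: List["Node"] = field(default_factory=list)


Result = Optional[Tuple[float, List[str]]]


def cheapest(node: Node, adversary_level: str) -> Result:
    """Cheapest feasible way for an adversary of `adversary_level` to reach `node`.

    Returns (total_cost, [leaf names]) or None when no feasible path exists.
    """
    rank = LEVELS.index(adversary_level)
    if node.op == "LEAF":
        if LEVELS.index(node.level) > rank:
            return None                       # leaf demands more sophistication
        return node.cost, [node.name]
    results = [cheapest(child, adversary_level) for child in node.children]
    if node.op == "AND":                      # every child must be achievable
        if any(r is None for r in results):
            return None
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    if node.op == "OR":                       # any one child suffices; take the cheapest
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    raise ValueError(f"unknown node op {node.op!r}")


def harden(tree: Node, leaf_name: str, new_cost: Optional[float] = None,
           new_level: Optional[str] = None) -> Node:
    """Return a copy of `tree` in which one leaf is made costlier and/or restricted
    to a higher sophistication level, i.e. a blue-team countermeasure applied
    to the model without touching the original tree."""
    hardened = copy.deepcopy(tree)
    stack = [hardened]
    while stack:
        n = stack.pop()
        if n.op == "LEAF" and n.name == leaf_name:
            if new_cost is not None:
                n.cost = new_cost
            if new_level is not None:
                n.level = new_level
            return hardened
        stack.extend(n.children)
    raise KeyError(leaf_name)


# Constructed tree in the shape of Schneier's "open safe" example; numbers are made up.
EAVESDROP = Node("Eavesdrop", "AND", children=[
    Node("Listen to conversation", cost=20.0, level="novice"),
    Node("Get holder to state combination", cost=40.0, level="advanced"),
])
SAFE = Node("Open safe", "OR", children=[
    Node("Pick lock", cost=30.0, level="professional"),
    Node("Learn combination", "OR", children=[
        Node("Find written combination", cost=75.0, level="novice"),
        Node("Obtain combination from holder", "OR", children=[
            Node("Bribe holder", cost=20.0, level="advanced"),
            EAVESDROP,
        ]),
    ]),
    Node("Cut open safe", cost=10.0, level="organized_crime"),
    Node("Install improperly at manufacture", cost=100.0, level="foreign_intelligence"),
])


def profile_report(tree: Node) -> Dict[str, Result]:
    """Cheapest feasible path for each adversary level on the ladder."""
    return {lvl: cheapest(tree, lvl) for lvl in LEVELS}


if __name__ == "__main__":
    for lvl, res in profile_report(SAFE).items():
        print(f"{lvl:>20}: {res}")
    # Countermeasure: site the safe so that cutting it open becomes impractical.
    for lvl, res in profile_report(harden(SAFE, "Cut open safe", new_cost=200.0)).items():
        print(f"{lvl:>20} (hardened): {res}")
```

Running the report before and after `harden` makes the capability point from the earlier slides concrete: raising the cost of one leaf changes the cheapest path only for the adversary profiles that could use that leaf in the first place, so the countermeasure should be justified against the profile the sponsor actually worries about, not against the tree as a whole.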
Smart Grid Attack Diagram [10]
Figure: network diagram (image not reproduced). Labels as extracted: Corporate Network; The Internet; DDR PSTN DID; 1-(724)-got-powr; 128K CSU/DSU; Link over carrier.
[10] Penn State University SIIS Laboratory. (Network and Security Research Center: 2010)
Smart Grid Attack Tree [11]
Figure: attack tree (image not reproduced).
[11] Ibid. Penn State University SIIS Laboratory: 2010
When to Use Red Teaming [12]
Don't use RT methods for:
• Simple systems or processes
• Undefined environments
• Low consequence systems
• Problems already identified
• Cases where compliance and certification suffice
• When unready to receive an extreme answer
Do use RT methods for:
• Complex systems or complex systems of systems
• Hostile and well-defined environments
• Systems with unknown consequences
• Adaptable adversaries
• Informing on security trade-offs
• Training and doctrine
[12] Atkins, William. Red Teaming – It's Good to be Bad. (Missouri S&T ACM SIG in Security: 2010)
OK, you try it now.
Target: A reciprocating high-speed gas compressor
Source: BPI Compression 2011
Case Study Client Situation
A new foreign multi-national corporation (OCONUS) enters Southwestern PA as a result of a purchase and repackage of a number of leases sold by Chesapeake Energy. Almost all of these functional wells remain capped, and lack the infrastructure to get the gas to market.
The corporation's local CONUS office has orders to open several fields and secure the infrastructure needed to handle gas compression and transfer. The local office issues an RFP, and engages a low-bid contractor solution. The preferred corporate contracted insurer does not feel the site protection solution adequately protects their underwriting investment of leased equipment. The insurer will not offer favorable rates until the site security concerns are resolved to their satisfaction.
Home office Corporate Security comes into the conversation late, and recommends that the site protection solution for the compressor be turned over to a Red Team/Blue Team for evaluation.
The red team simulation revealed complete destruction of the compressor and block house site plan in 10 minutes. What was the solution? Where are the vulnerabilities? Why did the solution work?
Site conditions and items shown on the slide:
• It frequently rains here
• Flood light and CCTV camera
• No buried fence
• ½ ton pickup
• A cinderblock
• Fender Jack
• Stump Remover
• Mentos
• Duct Tape
• Magnesium Ribbon
• 2 black Super Fan Suits
• Five 2L bottles of Cola
• One 2L bottle of Clorox
• 1 Large Sling Shot
Estimated 3 weeks of site observation and rehearsal
Case Study Red Team Solution
The full red team observed and collected intelligence on the target site for 3 weeks developing a number
of information collections and applying information analysis techniques. They chose their best scenario.
During the preparation phase, the pair melted down Stump Remover, which contains Potassium Nitrate,
the main ingredient in smoke bombs. By adding in some refined sugar, the two made 2 baseball size
smoke bombs on a kitchen stove. Magnesium ribbon, bought at an online camping store with a stolen
credit card, served as the wicks. The Cola was cut with 20% Clorox and the tops were taped over with
Mentos in the bottle necks then loosely capped. The two planned to tape the bottle bombs into the seats
and floors of the truck on site, and tie in place the steering wheel.
Two red team members drove a rental car and a stolen pickup to the nearby target site. The red team
members changed into black superfan suits (to prevent any hair, shoe, or clothing fibers from falling into
the truck). The pair drove lights-out, a sanitized 3/4 ton stolen pickup truck (interior scrub-down, second
stolen plate, and tire replaced with junk bald tires) to within 30 yards of the block house on a rainy
night.
On site, the truck rear was jacked up. While one threw/shot the lit smoke bombs at the base of the fence
near the camera, the other placed the cinder block on the accelerator and turned on the ignition, and put
the truck in drive. When enough smoke obscured the camera, the jack was kicked out and the truck sped
forward ramming the fence and crashing into the block house at high speed. The Mento/Cola/Clorox
bombs burst inside the cabin of the truck spoiling the interior environment defeating most physical
forensic analysis. The truck destroyed the compressor, and brought most of the block house down on the
target. The two fled on foot to the get-away car, and later burned their suits into black plastic
lumps and discarded them.
Case Study: Blue Team Counter-Measures
Case Study: Blue Team Counter-Measures (continued)
Thank you for listening,
are there any questions or
comments?
Use your powers for the
greater good, not evil.
Fight the Good Fight
References
[1] McGannon, Michael. Developing Red Team Tactics, Techniques, and Procedures. (Red Team Journal: April 2004). Internet. Found at http://redteamjournal.com/
[2] Sandia IDART Methodology. http://idart.sandia.gov/methodology/index.html
[3] Price Waterhouse Coopers. Is your critical infrastructure safe? (PWC LLP: 2010). Internet. Found at http://www.pwc.com/en_US/us/industry/utilities/assets/cyber-attacks.pdf
[4] Schudel, G. and Wood, B. Modeling the Behavior of a Cyber Terrorist. (RAND National Security Research Division, proceedings of workshop, Appendix C. Santa Monica, California: 2000), 49-59. Internet. Found at http://www.csl.sri.com/users/bjwood/cyber_terrorist_model_v4a.pdf
[5] Steele, Robert D. The New Craft of Intelligence: Achieving Asymmetric Advantage in the Face of Nontraditional Threats. (U.S. Army War College Strategic Studies Institute: 2002), 34-36.
[6] Department of Defense, Defense Science Board. Task Force Report on The Role and Status of Red Teaming Activities. (Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. Washington, D.C. 20301-3140: 2003). Internet. Found at www.au.af.mil/au/awc/awcgate/dod/dsb-redteam.pdf
[7] Op. cit. Schudel and Wood, 2000.
[8] Duggan, David P., Thomas, Sherry R., Veitch, Cynthia K. K., and Woodward, Laura. Categorizing Threat: Building and Using a Generic Threat Matrix. (Sandia National Laboratories, Albuquerque, NM. Report SAND2007-5791: September 2007). Internet. Found at http://idart.sandia.gov/methodology/materials/Adversary_Modeling/SAND2007-5791.pdf
[9] Schneier, Bruce. Modeling Security Threats: Attack Trees. (Reprint, Dr. Dobb’s Journal: 1999. Counterpane Internet Security: 1999). Internet. Found at http://www.schneier.com/paper-attacktrees-ddj-ft.html
[10] Penn State University SIIS Laboratory. Advanced Metering Infrastructure Security. (Penn State University Systems and Internet Infrastructure Security Laboratory, Computer Science and Engineering (CSE) Network and Security Research Center (NSRC): 2010). Internet. Found at http://siis.cse.psu.edu/smartgrid.html
[11] Ibid. Penn State University, 2010.
[12] Atkins, William. Red Teaming – It's Good to be Bad. (Missouri S&T ACM SIG in Security. Sandia Critical Infrastructure Systems Department, NM, 10 February 2010). Internet. Found at http://acm.device.mst.edu/security-files/2010-02-10-Red_Teaming.ppt
‡ See the supplemental paper that accompanies this presentation: Yanalitis, Mark. Red Teaming Approach, Rationale, and Engagement Risks (self-published: 2011).