SlideShare a Scribd company logo

Defcon 18-geers-baltic-cyber-shield

Mark Johnson
Mark Johnson
1 of 77
Download to read offline
Live-Fire Exercise: Baltic Cyber Shield 2010 Kenneth Geers Naval Criminal Investigative Service (NCIS) Cooperative Cyber Defence Centre of Excellence (CCD COE)
Overview • May 10-11, 2010 • International cyber defense exercise (CDX) • CCD CoE / Swedish National Defence College • Six Blue Teams – Northern European gov, mil, priv sec, acad • Red Team – 20 friendly hackers • Scenario – Cyber terrorists vs power generation companies
Baltic Sea Estonia Sweden
Tallinn, Estonia
2007: Street Disturbances
2007: Cyber Attack
CCD CoE
Introduction • Are cyber attacks a threat to national security? – Cyber terrorism, cyber warfare • Expert opinions • Dismissive to apocalyptic • What would the targets be? – Electricity, water, air traffic control, stock ex- change, national elections…
Trends • National critical infrastructures increasingly connected to the Net • Custom IT systems replaced with less expensive, off-the-shelf Windows and UNIX • Traditionally closed networks (eg SCADA) not designed for resiliency • OS familiarity may facilitate hacking
Nat’l Security Thinking • Cyber attacks: better understanding required – Some real-world case studies – Much information lies outside public domain – No wars yet between two Internet-enabled militaries • Must be able to simulate cyber attack and defense in a laboratory
Moving Target • Realistic CDXs are a challenge – Must simulate adversary, friendly forces, even the battlefield – Conclusions may be valid for a short time • IT, hacking are complex and dynamic – Rapid proliferation of computing devices, processing power, user-friendly hacker tools, practical encryption, Web-enabled intelligence collection
Half-Life • The military and computers… – Train tank drivers, pilots – Simulate battles, campaigns, complex geopolitical scenarios • How well can a sim model the real world? • Failure factors – Poor intelligence, miscalculations, incorrect assumptions, scoring system, political considerations – 2002: $250 million Millennium Challenge
Cyber Defense Exercise • Robust CDX requires team-oriented approach – Blue Team: friendly forces – Red Team: hostile forces – Green Team: technical infrastructure – White Team: game management
Blue Team • Real-life system administrators and computer security specialists – Primary targets for instruction • Goal – Defend network confidentiality, integrity, and availability (CIA) vs hostile RT – Scoring: automated and/or manual system
Red Team • The cyber attacker – BCS: “cyber terrorist” • Goal – Undermine CIA of BT networks • Tactics – On virtual battlefield, almost no limitations • “White box” vs “black box” testing – The question of prior knowledge
White Team • Manages and referees CDX – Writes game scenario, rules, scoring system – Makes in-game adjustments – Tries to prevent cheating • EX: firewall rule detrimental to game and/or unrealistic? – Declares the “winner”
Green Team • Designs, hosts network infrastructure • In-game ISP • Records traffic for post-game analysis • Manages automated scoring • Virtual machine technology • Possible with few resources, but… • Sim powerful adversary = many resources • EX: RT plan should indicate money, manpower • VPN technology • Teams can log in from anywhere
Scenario • Helps determine strategic significance • Estimate resources and cost – Lone hacker, org, nation-state? • Can a lone hacker be a nat’l sec threat? • Out-of-the-box thinking – Always helpful • Can only real-world attacks change threat perception?
Cyber War Philosophy • Cyber warfare is not traditional warfare • Tactical victories: reshuffling of bits • Any real-world effects? • Cyber attack • Not an end in itself • Extraordinary means to many ends • Espionage, DoS, identity theft, propaganda, infrastructure manipulation, ?
The Art of (Cyber) War Sun Tzu said: There are five ways of attacking with fire. The first is to burn soldiers in their camp; the second is to burn stores; the third is to burn baggage trains; the fourth is to burn arsenals and magazines; the fifth is to hurl dropping fire amongst the enemy.
www.hizbulla.org: October 25, 2000
Electronic Pearl Harbor?
July 19, 2010
Strategic Thinking 1. The Internet is vulnerable 2. High return on investment 3. Inadequacy of cyber defenses 4. Plausible deniability 5. Growing power of non-state actors 6. ?
CDX: Goals • RT vs BT • Credible simulation of net attack and defense • Acquisition / prevention of unauthorized access • Real-world impact • Political / military results? • Zip, minor annoyance, or national security crisis?
Nation-State Simulation • Mil / gov agencies are “full-scope” actors • Much more than computer hacking • Deep well of nat’l IT expertise • Crypto, prog, debug, vuln discovery, agent- based systems, etc • Supported in turn by experts in other disciplines • Natural sciences, physical security, supply chain, continuity of business, social engineering, etc
EX: Sandia Nat’l Labs • Robust RT • Kills: mil installations, oil companies, banks, electric utilities, e-commerce firms • Specialize in hidden vulns in complex environmts • Obscure infrastr interdep in specific domains • Former chief • “Our general method is to ask system owners: ‘What's your worst nightmare?’ and then we set about to make that happen”
CDX history • Every CDX is unique – Good and bad – IT evolves too quickly – Too many variables in cyberspace • Both lab-based and real-world • Cyber defenders may / may not be warned
Eligible Receiver (1997) • 35 NSA personnel • “North Korean” hackers • Target: U.S. Pacific Command • J. Adams in Foreign Affairs • “human command-and-control system” infected with “paralyzing level of mistrust” • “nobody in the chain of command, from the president on down, could believe anything” • Also revealed that many nat’l critical infrastr vulnerable to cyber attack
Water Security • 2006: Environmental Protection Agency • Could a hacker poison the water supply? • Sandia vuln assessm’t: distrib plants serving >100,000 • 350 such facilities = too many! • Thorough analysis: 5 sites • Risk Assessm’t Methodology for Water (RAM-W)
International CDXs • Internat’l architecture, internat’l responsibility • 2006 DHS Cyber Storm – Scen: non-state “hacktivists” – Gov collab w/ private sector • 2008 Cyber Storm II – Scen: Nation-state – Cy / phys attacks: coms, chem, RR, pipe infra • 2009 CDX: remote, mountainous Tajikistan – U.S., Taj, Kazakhstan, Kyrgyzstan, Afghanistan
Baltic Cyber Shield • 10-11 May 2010 – 7 northern European countries – 6 national BTs – 20-hacker internat’l RT • “Live-fire” CDX – Unscripted battle – Malicious code both authorized and encouraged • Within virtual battlefield
Insipiration • U.S. National Collegiate Cyber Defense Competition • International Cyber Defense Workshop (ICDW) • UCSB International Capture the Flag (iCTF) • Annual U.S. military CDXs • CCD COE-SWE CDX, Dec 2008
BCS 2010 Scenario • Exploration of “cyber terrorism” • Target: power supply company – CII / SCADA infrastructure • Blue Teams – SIT: sec insp failure / insider fears – Hired-gun, Rapid Response Team • Red Team – Attacks should intensify throughout CDX
BCS Goals 1. Hands-on BT training in CII defense – Cyber Defense Exercise 2. Highlight international nature of cyberspace – Technical, institutional, legal, political, etc 3. Improve future CDXs – “Lessons learned” – Survey
White Team • CCD CoE Tallinn, SNDC Stockholm • Scoring criteria • Based on network CIA • Office infrastructure , external services • + BT points • Thwarted attacks, “business requests,” innovative strategies and tactics • – BT points • Criticality of system, service, compromise • Admin/Root, SCADA PLC
Green Team • Swedish Defence Research Agency (FOI) • Linköping, Sweden • Hosted most CDX infrastructure • 9 racks, 20 physical servers each • BT nets designed by GT & WT • 12 miniature factories • Each:1 butane flame to “detonate” • RT / BTs accessed game via OpenVPN
Blue Teams • 6 BTs • 6-10 personnel each • Northern Euro gov, mil, priv sec, academia • Network: identical, pre-built, fairly insecure • 20 physical PC servers, 28 virtual machines • 4 VLAN segments: DMZ, INTERNAL, HMI, PLC • Many elements unpatched, vuln, misconfig, poor paswrds, keys, some pre-planted malware
Game Environment • 2x 2.2GHz Xeon processors • 2 GB RAM • 80 GB HDD • 2 10/100Mbit Ethernet interfaces • VMware Server 2.0.2 on Gentoo Linux • 2 segments: management / game
UNCLASSIFIED
BCS SCADA • Sim: power generation company – Production, management, distribution – GE PLCs – Cimplicity HMI terminals – Historian databases • 2 model factories per BT net
Model Factories
Model Steam Engine
GE PLC
Hardening the Network • BTs did not have prior access to CDX environment • Given somewhat outdated network docs • Could install / modify existing SW • Min #, type of apps & services required • Offensive BT cyber attacks prohibited • Vs RT or other BTs
Red Team • 20 volunteer angry environmntlst h4x0r5 – Attacks should begin slowly, intensify – No limit on hacker tools & techniques vs BTs – Could not attack CDX infrastructure – Attacks confined to CDX environment • Internally, four sub-teams – “Client-side,” “fuzzing,” “web app,” “remote” • Early CDX access, sim prior recon
Visualization • Network topography • Traffic flows • Chat channels • Team workspaces • Observer reports • Terrestrial map • Scoreboard
UNCLASSIFIED
RT Campaign • Four phases 1. Declaration of war 2. Breaching the castle wall 3. Owning the infrastructure 4. Wanton destruction
Declaration of War • Hacker ultimatum – RT must deface each BT website – “Cease operations & convert to green power…” • “…or face crippling cyber attack!” – Extremist environmental organization • “K3 c1b3r w4rf4r3 d1v1s10n” – RT defaced 5 of 6 sites w/in 30 minutes
Phase One • WT allowed RT to compromise only: – 1 server in each BT DMZ – 1 INTERNAL workstation • Still, RT created steady stream of incident reports • EX: in 1 hour, RT had live A/V feed from BT workspace • WT had trouble scoring all incidents
Phase Two • RT: compr as many DMZ / INTERNAL as possible – First day: 42 kills, incl web, email servers – MS-SQL SCADA rept server • Historical CDX challenge – Balanced, sustained RT pressure on all BTs – WT directive: for each vuln, all BT sys checked • For Red Team, was BCS config too easy? – Maybe not: 2 BTs kept RT out of INTERNAL nets
Phase Three • Steal BT “crown jewels” – Human Machine Interface (HMI) • Power managment • SCADA infrastructure • RT claimed only limited victories – Only 1 of 12 model factories set on fire • Intentional or accidental?
1300Z: Boom!
diff: RT vs State Actor • RT did not understand factory processes • How to blow them up? • Hypothesis • The one factory blown up was due to fuzzing attack vs Modbus protocol • More RT / GT communication, training could help
Phase Four • “Wanton destruction” • Attack / destroy any BT system • Desperate attempt to cause max taret dmg • Not a wise CDX decision • RT DoS’d previously conquered systems • EX: Custom-config Cisco router DoS • Prevented WT from accurately scoring game
Vulns and Exploits • RT compromised 80 BT computers • Publicly-known vulns • MS03-026, MS04-011, MS06-040, MS08-067, MS10- 025, flaws in VNC, Icecast, ClamAV, SQUID3 • Hacked web applications • Joomla and Wordpress • SQL injection, local / remote file inclusion, path traversal, XSS vs Linux / Apache / Mysql / PHP
Vulns and Exploits 2 • Account cracking, online brute-forcing, DoS with fuzzing tools, password hash dumps, “pass-the- hash,” Slowloris vs Apache, NTP daemon and Squid3 web proxy DoS, SYN flood • Backdoors: poison ivy, Zeus, Optix, netcat, custom- made code; Metasploit used to deploy reverse backdoors • Crontab changes: eg, drop firewall rules • One zero-day client-side exploit for most browsers
And the Winner is… • Essential services moved to custom-built, higher- security virtual machine – NTP, DNS, SMTP, WebMail • Domain Controller: IPsec filtering • “Out-of-band” communications – Did not trust in-game e-mail • Preexisting malware found and disabled • After initial MS-SQL loss, no Conf/Integ points lost
Successful BT Strategies • Linux – AppArmor, Samhain, custom short shell scripts • Windows – AD group policies, CIS SE46 Computer Integrity System, KernelGuard, central collection of logs • All OSs – White/blacklisting, IP blocking/black hole routing
Goals Met? 1 1. Successful “live fire” CDX – BTs tasted defense of CII / SCADA – “Cyber terrorist” scenario explored – Very little down-time reported 2. International composition of teams – >100 personnel, >7 countries – Numerous cross-border relationships strengthened
Lessons • More WT manpower – Coms, scoring, observation, adjudication – 1 WT per BT, 2 WT for RT (trust issues) • One pre-CDX “mechanics” day – Strength-test all connectivity, bandwidth – Make rules and scoring crystal clear • “Dumb users” req’d or no client-side attacks – Wasted browser 0-day (affected SCADA sim)
Lessons 2 • No VMWare Server Console – Too big, too slow, too particular • BTs should have some net admin rights • Authoritative team leaders from start – Big project = some clashing agendas, egos • Lawyer on WT • No “wanton destruction” phase
Final Thought • CDX challenges ≈ real world challenges • IT • Complicated, dynamic, polymorphic, evolving • Defenders may not see same attack twice • Intangible nature of cyberspace • Victory, defeat, battle damage can be highly subjective • Sub Rosa Cyber War
Estonian Cyber Defense League
References Adams, J. (2001). “Virtual Defense,” Foreign Affairs 80(3) 98-112. “Air Force Association; Utah's Team Doolittle Wins CyberPatriot II in Orlando.” (2010, Mar 10). De-fense & Aerospace Business, p. 42. Bliss, J. (2010, Feb 23) “U.S. Unprepared for ‘Cyber War’, Former Top Spy Official Says,” Bloomberg Businessweek, online. Caterinicchia, D. (2003, May 12) “Air Force wins cyber exercise.” Federal Computer Week, 17(14), p. 37. Chan, W. H. (2006, Sep 25). “Cyber exercise shows lack of interagency coordination.” Federal Com-puter Week, 20(33) p. 61. “Cyber War: Sabotaging the System.” (2009, Nov 8). 60 Minutes: CBS. Geers K. (2010). “The challenge of cyber attack deterrence.” Computer Law and Security Review 26(2) pp. 298-303. Geers, K. (2008, Aug 27). “Cyberspace and the Changing Nature of Warfare.” SC Magazine. Gibbs, W. W. (2000). “RT versus the Agents.” Scientific American, 283(6). Goble P. (1999, Oct 9). “Russia: analysis from Washington: a real battle on the virtual front.” Radio Free Europe/Radio Liberty. Gomes, L. (2003, Mar 31). “How high-tech games can fail to simulate what happens in war.” Wall Street Journal. Gorman, S. (2009, Aug 17) “Cyber Attacks on Georgia Used Facebook, Twitter, Stolen IDs.” Wall Street Journal. “International cyber exercise takes place in Tajikistan.” (2009, Aug 6). BBC Monitoring Central Asia. (Avesta website, Dushanbe)
References cont’d Keizer, G. (2009, Jan 28). “Russian ‘cyber militia’ knocks Kyrgyzstan offline.” Computerworld. Lam, F., Beekey, M., & Cayo, K. (2003). “Can you hack it?” Security Management, 47(2), p. 83. Lawlor, M. (2004). “Information Systems See Red.” Signal 58(6), p. 47. Lewis, J.A. (2010) “The Cyber War Has Not Begun.” Center for Strategic and International Studies. Libicki, M. (2009). “Sub Rosa Cyber War.“ The Virtual Battlefield: Perspectives on Cyber Warfare. Meserve, J. (2007, Sep 26). “Sources: Staged cyber attack reveals vulnerability in power grid.” CNN. Orr, R. (2007, Aug 2). “Computer voting machines on trial.” Knight Ridder Tribune Business News. Preimesberger, C. “Plugging Holes.” (2006). eWeek, 23(35), p. 22. “Remarks by the President on Securing our Nation's Cyber Infrastructure.” (2009). The White House: Office of the Press Secretary. “Tracking GhostNet: Investigating a Cyber Espionage Network.” (2009). Information Warfare Moni-tor. Verton, D. (2003) “Black ice.” Computerworld, 37(32), p. 35. Verton, D. (2002). The Hacker Diaries: Confessions of Teenage Hackers. New York: McGraw-Hill/Osborne. Wagner, D. (2010, May 9). “White House sees no cyber attack on Wall Street.” Associated Press. Waterman, S. (2008, Mar 10). “DHS stages cyberwar exercise.” UPI. “‘USA Today’ Website Hacked; Pranksters Mock Bush, Christianity.” (2002, JUL 11). Drudge Report.
Live-Fire Exercise: Baltic Cyber Shield 2010 Kenneth Geers Naval Criminal Investigative Service (NCIS) Cooperative Cyber Defence Centre of Excellence (CCD COE)

Recommended

Avila 3 b
Avila 3 bAvila 3 b
Avila 3 bMichael Chastain
 
Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management FailsRichard Stiennon
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is ImpossibleRichard Stiennon
 
Lecture5
Lecture5Lecture5
Lecture5Majid Taghiloo
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015Andrzej Bartosiewicz
 
Cyberterrorism
CyberterrorismCyberterrorism
CyberterrorismVarshil Patel
 
Exp w22 exp-w22
Exp w22 exp-w22Exp w22 exp-w22
Exp w22 exp-w22SelectedPresentations
 
Global Cyber Security on Earth + in Space
Global Cyber Security on Earth + in SpaceGlobal Cyber Security on Earth + in Space
Global Cyber Security on Earth + in SpaceDIGIJAKS
 

Recommended

Avila 3 b
Avila 3 bAvila 3 b
Avila 3 bMichael Chastain
 
Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management FailsRichard Stiennon
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is ImpossibleRichard Stiennon
 
Lecture5
Lecture5Lecture5
Lecture5Majid Taghiloo
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015Andrzej Bartosiewicz
 
Cyberterrorism
CyberterrorismCyberterrorism
CyberterrorismVarshil Patel
 
Exp w22 exp-w22
Exp w22 exp-w22Exp w22 exp-w22
Exp w22 exp-w22SelectedPresentations
 
Global Cyber Security on Earth + in Space
Global Cyber Security on Earth + in SpaceGlobal Cyber Security on Earth + in Space
Global Cyber Security on Earth + in SpaceDIGIJAKS
 
Global cybersecurity on earth + in space
Global cybersecurity on earth + in spaceGlobal cybersecurity on earth + in space
Global cybersecurity on earth + in spaceDIGIJAKS
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursMotherGuardians
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO CompliancePECB
 
Lect 07 computer security and privacy 1 4 q
Lect 07 computer security and privacy 1 4 qLect 07 computer security and privacy 1 4 q
Lect 07 computer security and privacy 1 4 qRamy Eltarras
 
Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Federation for Identity and Cross-Credentialing Systems (FiXs)
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreRadware
 
Cat Memes 2011-2012
Cat Memes 2011-2012Cat Memes 2011-2012
Cat Memes 2011-2012Traction
 
Yuferitsyn, anton information
Yuferitsyn, anton informationYuferitsyn, anton information
Yuferitsyn, anton informationMark Johnson
 
Yuferitsyn, anton complaint
Yuferitsyn, anton complaintYuferitsyn, anton complaint
Yuferitsyn, anton complaintMark Johnson
 
780 Online Documentaries
780 Online Documentaries780 Online Documentaries
780 Online DocumentariesMark Johnson
 
Sorokin, alexandr information 01
Sorokin, alexandr information 01Sorokin, alexandr information 01
Sorokin, alexandr information 01Mark Johnson
 
Svechinskaya, kristina and rastorguev, stanislav
Svechinskaya, kristina and rastorguev, stanislavSvechinskaya, kristina and rastorguev, stanislav
Svechinskaya, kristina and rastorguev, stanislavMark Johnson
 
Computers as weapons of war
Computers as weapons of warComputers as weapons of war
Computers as weapons of warMark Johnson
 
Parlementariers
ParlementariersParlementariers
ParlementariersMark Johnson
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationMark Johnson
 
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RTRT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RTOPAL-RT TECHNOLOGIES
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecuritysommerville-videos
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom PresentationEric Gallant
 

More Related Content

What's hot

Global cybersecurity on earth + in space
Global cybersecurity on earth + in spaceGlobal cybersecurity on earth + in space
Global cybersecurity on earth + in spaceDIGIJAKS
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursMotherGuardians
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO CompliancePECB
 
Lect 07 computer security and privacy 1 4 q
Lect 07 computer security and privacy 1 4 qLect 07 computer security and privacy 1 4 q
Lect 07 computer security and privacy 1 4 qRamy Eltarras
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreRadware
 

What's hot (6)

Global cybersecurity on earth + in space
Global cybersecurity on earth + in spaceGlobal cybersecurity on earth + in space
Global cybersecurity on earth + in space
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yours
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO Compliance
 
Lect 07 computer security and privacy 1 4 q
Lect 07 computer security and privacy 1 4 qLect 07 computer security and privacy 1 4 q
Lect 07 computer security and privacy 1 4 q
 
Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
 

Viewers also liked

Cat Memes 2011-2012
Cat Memes 2011-2012Cat Memes 2011-2012
Cat Memes 2011-2012Traction
 
Yuferitsyn, anton information
Yuferitsyn, anton informationYuferitsyn, anton information
Yuferitsyn, anton informationMark Johnson
 
Yuferitsyn, anton complaint
Yuferitsyn, anton complaintYuferitsyn, anton complaint
Yuferitsyn, anton complaintMark Johnson
 
780 Online Documentaries
780 Online Documentaries780 Online Documentaries
780 Online DocumentariesMark Johnson
 
Sorokin, alexandr information 01
Sorokin, alexandr information 01Sorokin, alexandr information 01
Sorokin, alexandr information 01Mark Johnson
 
Svechinskaya, kristina and rastorguev, stanislav
Svechinskaya, kristina and rastorguev, stanislavSvechinskaya, kristina and rastorguev, stanislav
Svechinskaya, kristina and rastorguev, stanislavMark Johnson
 
Computers as weapons of war
Computers as weapons of warComputers as weapons of war
Computers as weapons of warMark Johnson
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationMark Johnson
 
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RTRT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RTOPAL-RT TECHNOLOGIES
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecuritysommerville-videos
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 

Viewers also liked (15)

Cat Memes 2011-2012
Cat Memes 2011-2012Cat Memes 2011-2012
Cat Memes 2011-2012
 
Yuferitsyn, anton information
Yuferitsyn, anton informationYuferitsyn, anton information
Yuferitsyn, anton information
 
Yuferitsyn, anton complaint
Yuferitsyn, anton complaintYuferitsyn, anton complaint
Yuferitsyn, anton complaint
 
780 Online Documentaries
780 Online Documentaries780 Online Documentaries
780 Online Documentaries
 
Sorokin, alexandr information 01
Sorokin, alexandr information 01Sorokin, alexandr information 01
Sorokin, alexandr information 01
 
Svechinskaya, kristina and rastorguev, stanislav
Svechinskaya, kristina and rastorguev, stanislavSvechinskaya, kristina and rastorguev, stanislav
Svechinskaya, kristina and rastorguev, stanislav
 
Computers as weapons of war
Computers as weapons of warComputers as weapons of war
Computers as weapons of war
 
Parlementariers
ParlementariersParlementariers
Parlementariers
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through Cooperation
 
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RTRT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
RT15 Berkeley | Real-time simulation as a prime tool for Cybersecurity - OPAL-RT
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Similar to Defcon 18-geers-baltic-cyber-shield

2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom PresentationEric Gallant
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Peter ODell
 
2012 Reenergize the Americas 3B: Angel Avila
2012 Reenergize the Americas 3B: Angel Avila2012 Reenergize the Americas 3B: Angel Avila
2012 Reenergize the Americas 3B: Angel AvilaReenergize
 
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Security B-Sides
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Cyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoSCyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoSKenny Huang Ph.D.
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?
Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?
Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?Codero
 
SECURITY OPERATION CENTER CONTENT.pptx
SECURITY OPERATION CENTER CONTENT.pptxSECURITY OPERATION CENTER CONTENT.pptx
SECURITY OPERATION CENTER CONTENT.pptxFarzanMansoor1
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...Andrew Hammond
 
Iurii Garasym. The future crimes and predestination of cyber security. Though...
Iurii Garasym. The future crimes and predestination of cyber security. Though...Iurii Garasym. The future crimes and predestination of cyber security. Though...
Iurii Garasym. The future crimes and predestination of cyber security. Though...IT Arena
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillOllie Whitehouse
 

Similar to Defcon 18-geers-baltic-cyber-shield (20)

2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014
 
2012 Reenergize the Americas 3B: Angel Avila
2012 Reenergize the Americas 3B: Angel Avila2012 Reenergize the Americas 3B: Angel Avila
2012 Reenergize the Americas 3B: Angel Avila
 
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 
Cyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoSCyber Attack Analysis : Part I DDoS
Cyber Attack Analysis : Part I DDoS
 
Cyber Attack Analysis
Cyber Attack AnalysisCyber Attack Analysis
Cyber Attack Analysis
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?
Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?
Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?
 
What is Ethical hacking
What is Ethical hackingWhat is Ethical hacking
What is Ethical hacking
 
SECURITY OPERATION CENTER CONTENT.pptx
SECURITY OPERATION CENTER CONTENT.pptxSECURITY OPERATION CENTER CONTENT.pptx
SECURITY OPERATION CENTER CONTENT.pptx
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...
 
Quant & Crypto Gold
Quant & Crypto GoldQuant & Crypto Gold
Quant & Crypto Gold
 
Iurii Garasym. The future crimes and predestination of cyber security. Though...
Iurii Garasym. The future crimes and predestination of cyber security. Though...Iurii Garasym. The future crimes and predestination of cyber security. Though...
Iurii Garasym. The future crimes and predestination of cyber security. Though...
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
 

More from Mark Johnson

Sorokin, alexandr information
Sorokin, alexandr informationSorokin, alexandr information
Sorokin, alexandr informationMark Johnson
 
Sorokin, alexandr complaint
Sorokin, alexandr complaintSorokin, alexandr complaint
Sorokin, alexandr complaintMark Johnson
 
Pakhomova, margarita complaint
Pakhomova, margarita complaintPakhomova, margarita complaint
Pakhomova, margarita complaintMark Johnson
 
Semenov, artem et al complaint
Semenov, artem et al complaintSemenov, artem et al complaint
Semenov, artem et al complaintMark Johnson
 
Rafikova, sabina complaint
Rafikova, sabina complaintRafikova, sabina complaint
Rafikova, sabina complaintMark Johnson
 
Oprea, marina et al complaint
Oprea, marina et al complaintOprea, marina et al complaint
Oprea, marina et al complaintMark Johnson
 
Opinca, victoria and turuta, alina complaint
Opinca, victoria and turuta, alina complaintOpinca, victoria and turuta, alina complaint
Opinca, victoria and turuta, alina complaintMark Johnson
 
Miroshnichenko, maxim and sidorenko, julia
Miroshnichenko, maxim and sidorenko, juliaMiroshnichenko, maxim and sidorenko, julia
Miroshnichenko, maxim and sidorenko, juliaMark Johnson
 
Misyura, marina complaint
Misyura, marina complaintMisyura, marina complaint
Misyura, marina complaintMark Johnson
 
Klepikova, yulia and demina, natalia complaint
Klepikova, yulia and demina, natalia complaintKlepikova, yulia and demina, natalia complaint
Klepikova, yulia and demina, natalia complaintMark Johnson
 
Karasev, ilya complaint
Karasev, ilya complaintKarasev, ilya complaint
Karasev, ilya complaintMark Johnson
 
Kireev, alexander complaint
Kireev, alexander complaintKireev, alexander complaint
Kireev, alexander complaintMark Johnson
 
Gataullin, adel complaint
Gataullin, adel complaintGataullin, adel complaint
Gataullin, adel complaintMark Johnson
 
Garifulin, nikolai and saprunov, dmitry complaint
Garifulin, nikolai and saprunov, dmitry complaintGarifulin, nikolai and saprunov, dmitry complaint
Garifulin, nikolai and saprunov, dmitry complaintMark Johnson
 
Fedorov, alexander information
Fedorov, alexander informationFedorov, alexander information
Fedorov, alexander informationMark Johnson
 
Fedorov, alexander complaint
Fedorov, alexander complaintFedorov, alexander complaint
Fedorov, alexander complaintMark Johnson
 
Codreanu, dorin complaint
Codreanu, dorin complaintCodreanu, dorin complaint
Codreanu, dorin complaintMark Johnson
 
Akobirov, konstantin complaint
Akobirov, konstantin complaintAkobirov, konstantin complaint
Akobirov, konstantin complaintMark Johnson
 
Adigyuzelov, kasum complaint
Adigyuzelov, kasum complaintAdigyuzelov, kasum complaint
Adigyuzelov, kasum complaintMark Johnson
 
Beyrouti, jamal et al complaint
Beyrouti, jamal et al complaintBeyrouti, jamal et al complaint
Beyrouti, jamal et al complaintMark Johnson
 

More from Mark Johnson (20)

Sorokin, alexandr information
Sorokin, alexandr informationSorokin, alexandr information
Sorokin, alexandr information
 
Sorokin, alexandr complaint
Sorokin, alexandr complaintSorokin, alexandr complaint
Sorokin, alexandr complaint
 
Pakhomova, margarita complaint
Pakhomova, margarita complaintPakhomova, margarita complaint
Pakhomova, margarita complaint
 
Semenov, artem et al complaint
Semenov, artem et al complaintSemenov, artem et al complaint
Semenov, artem et al complaint
 
Rafikova, sabina complaint
Rafikova, sabina complaintRafikova, sabina complaint
Rafikova, sabina complaint
 
Oprea, marina et al complaint
Oprea, marina et al complaintOprea, marina et al complaint
Oprea, marina et al complaint
 
Opinca, victoria and turuta, alina complaint
Opinca, victoria and turuta, alina complaintOpinca, victoria and turuta, alina complaint
Opinca, victoria and turuta, alina complaint
 
Miroshnichenko, maxim and sidorenko, julia
Miroshnichenko, maxim and sidorenko, juliaMiroshnichenko, maxim and sidorenko, julia
Miroshnichenko, maxim and sidorenko, julia
 
Misyura, marina complaint
Misyura, marina complaintMisyura, marina complaint
Misyura, marina complaint
 
Klepikova, yulia and demina, natalia complaint
Klepikova, yulia and demina, natalia complaintKlepikova, yulia and demina, natalia complaint
Klepikova, yulia and demina, natalia complaint
 
Karasev, ilya complaint
Karasev, ilya complaintKarasev, ilya complaint
Karasev, ilya complaint
 
Kireev, alexander complaint
Kireev, alexander complaintKireev, alexander complaint
Kireev, alexander complaint
 
Gataullin, adel complaint
Gataullin, adel complaintGataullin, adel complaint
Gataullin, adel complaint
 
Garifulin, nikolai and saprunov, dmitry complaint
Garifulin, nikolai and saprunov, dmitry complaintGarifulin, nikolai and saprunov, dmitry complaint
Garifulin, nikolai and saprunov, dmitry complaint
 
Fedorov, alexander information
Fedorov, alexander informationFedorov, alexander information
Fedorov, alexander information
 
Fedorov, alexander complaint
Fedorov, alexander complaintFedorov, alexander complaint
Fedorov, alexander complaint
 
Codreanu, dorin complaint
Codreanu, dorin complaintCodreanu, dorin complaint
Codreanu, dorin complaint
 
Akobirov, konstantin complaint
Akobirov, konstantin complaintAkobirov, konstantin complaint
Akobirov, konstantin complaint
 
Adigyuzelov, kasum complaint
Adigyuzelov, kasum complaintAdigyuzelov, kasum complaint
Adigyuzelov, kasum complaint
 
Beyrouti, jamal et al complaint
Beyrouti, jamal et al complaintBeyrouti, jamal et al complaint
Beyrouti, jamal et al complaint
 

Defcon 18-geers-baltic-cyber-shield

  • 1. Live-Fire Exercise: Baltic Cyber Shield 2010 Kenneth Geers Naval Criminal Investigative Service (NCIS) Cooperative Cyber Defence Centre of Excellence (CCD COE)
  • 2. Overview • May 10-11, 2010 • International cyber defense exercise (CDX) • CCD CoE / Swedish National Defence College • Six Blue Teams – Northern European gov, mil, priv sec, acad • Red Team – 20 friendly hackers • Scenario – Cyber terrorists vs power generation companies
  • 3. Baltic Sea Estonia Sweden
  • 8. Introduction • Are cyber attacks a threat to national security? – Cyber terrorism, cyber warfare • Expert opinions • Dismissive to apocalyptic • What would the targets be? – Electricity, water, air traffic control, stock ex- change, national elections…
  • 9. Trends • National critical infrastructures increasingly connected to the Net • Custom IT systems replaced with less expensive, off-the-shelf Windows and UNIX • Traditionally closed networks (eg SCADA) not designed for resiliency • OS familiarity may facilitate hacking
  • 10. Nat’l Security Thinking • Cyber attacks: better understanding required – Some real-world case studies – Much information lies outside public domain – No wars yet between two Internet-enabled militaries • Must be able to simulate cyber attack and defense in a laboratory
  • 11. Moving Target • Realistic CDXs are a challenge – Must simulate adversary, friendly forces, even the battlefield – Conclusions may be valid for a short time • IT, hacking are complex and dynamic – Rapid proliferation of computing devices, processing power, user-friendly hacker tools, practical encryption, Web-enabled intelligence collection
  • 12. Half-Life • The military and computers… – Train tank drivers, pilots – Simulate battles, campaigns, complex geopolitical scenarios • How well can a sim model the real world? • Failure factors – Poor intelligence, miscalculations, incorrect assumptions, scoring system, political considerations – 2002: $250 million Millennium Challenge
  • 13. Cyber Defense Exercise • Robust CDX requires team-oriented approach – Blue Team: friendly forces – Red Team: hostile forces – Green Team: technical infrastructure – White Team: game management
  • 14. Blue Team • Real-life system administrators and computer security specialists – Primary targets for instruction • Goal – Defend network confidentiality, integrity, and availability (CIA) vs hostile RT – Scoring: automated and/or manual system
  • 15. Red Team • The cyber attacker – BCS: “cyber terrorist” • Goal – Undermine CIA of BT networks • Tactics – On virtual battlefield, almost no limitations • “White box” vs “black box” testing – The question of prior knowledge
  • 16. White Team • Manages and referees CDX – Writes game scenario, rules, scoring system – Makes in-game adjustments – Tries to prevent cheating • EX: firewall rule detrimental to game and/or unrealistic? – Declares the “winner”
  • 17. Green Team • Designs, hosts network infrastructure • In-game ISP • Records traffic for post-game analysis • Manages automated scoring • Virtual machine technology • Possible with few resources, but… • Sim powerful adversary = many resources • EX: RT plan should indicate money, manpower • VPN technology • Teams can log in from anywhere
  • 18. Scenario • Helps determine strategic significance • Estimate resources and cost – Lone hacker, org, nation-state? • Can a lone hacker be a nat’l sec threat? • Out-of-the-box thinking – Always helpful • Can only real-world attacks change threat perception?
  • 19. Cyber War Philosophy • Cyber warfare is not traditional warfare • Tactical victories: reshuffling of bits • Any real-world effects? • Cyber attack • Not an end in itself • Extraordinary means to many ends • Espionage, DoS, identity theft, propaganda, infrastructure manipulation, ?
  • 20. The Art of (Cyber) War Sun Tzu said: There are five ways of attacking with fire. The first is to burn soldiers in their camp; the second is to burn stores; the third is to burn baggage trains; the fourth is to burn arsenals and magazines; the fifth is to hurl dropping fire amongst the enemy.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 31. Strategic Thinking 1. The Internet is vulnerable 2. High return on investment 3. Inadequacy of cyber defenses 4. Plausible deniability 5. Growing power of non-state actors 6. ?
  • 32. CDX: Goals • RT vs BT • Credible simulation of net attack and defense • Acquisition / prevention of unauthorized access • Real-world impact • Political / military results? • Zip, minor annoyance, or national security crisis?
  • 33. Nation-State Simulation • Mil / gov agencies are “full-scope” actors • Much more than computer hacking • Deep well of nat’l IT expertise • Crypto, prog, debug, vuln discovery, agent- based systems, etc • Supported in turn by experts in other disciplines • Natural sciences, physical security, supply chain, continuity of business, social engineering, etc
  • 34. EX: Sandia Nat’l Labs • Robust RT • Kills: mil installations, oil companies, banks, electric utilities, e-commerce firms • Specialize in hidden vulns in complex environmts • Obscure infrastr interdep in specific domains • Former chief • “Our general method is to ask system owners: ‘What's your worst nightmare?’ and then we set about to make that happen”
  • 35. CDX history • Every CDX is unique – Good and bad – IT evolves too quickly – Too many variables in cyberspace • Both lab-based and real-world • Cyber defenders may / may not be warned
  • 36. Eligible Receiver (1997) • 35 NSA personnel • “North Korean” hackers • Target: U.S. Pacific Command • J. Adams in Foreign Affairs • “human command-and-control system” infected with “paralyzing level of mistrust” • “nobody in the chain of command, from the president on down, could believe anything” • Also revealed that many nat’l critical infrastr vulnerable to cyber attack
  • 37. Water Security • 2006: Environmental Protection Agency • Could a hacker poison the water supply? • Sandia vuln assessm’t: distrib plants serving >100,000 • 350 such facilities = too many! • Thorough analysis: 5 sites • Risk Assessm’t Methodology for Water (RAM-W)
  • 38. International CDXs • Internat’l architecture, internat’l responsibility • 2006 DHS Cyber Storm – Scen: non-state “hacktivists” – Gov collab w/ private sector • 2008 Cyber Storm II – Scen: Nation-state – Cy / phys attacks: coms, chem, RR, pipe infra • 2009 CDX: remote, mountainous Tajikistan – U.S., Taj, Kazakhstan, Kyrgyzstan, Afghanistan
  • 39. Baltic Cyber Shield • 10-11 May 2010 – 7 northern European countries – 6 national BTs – 20-hacker internat’l RT • “Live-fire” CDX – Unscripted battle – Malicious code both authorized and encouraged • Within virtual battlefield
  • 40. Insipiration • U.S. National Collegiate Cyber Defense Competition • International Cyber Defense Workshop (ICDW) • UCSB International Capture the Flag (iCTF) • Annual U.S. military CDXs • CCD COE-SWE CDX, Dec 2008
  • 41. BCS 2010 Scenario • Exploration of “cyber terrorism” • Target: power supply company – CII / SCADA infrastructure • Blue Teams – SIT: sec insp failure / insider fears – Hired-gun, Rapid Response Team • Red Team – Attacks should intensify throughout CDX
  • 42. BCS Goals 1. Hands-on BT training in CII defense – Cyber Defense Exercise 2. Highlight international nature of cyberspace – Technical, institutional, legal, political, etc 3. Improve future CDXs – “Lessons learned” – Survey
  • 43. White Team • CCD CoE Tallinn, SNDC Stockholm • Scoring criteria • Based on network CIA • Office infrastructure , external services • + BT points • Thwarted attacks, “business requests,” innovative strategies and tactics • – BT points • Criticality of system, service, compromise • Admin/Root, SCADA PLC
  • 44. Green Team • Swedish Defence Research Agency (FOI) • Linköping, Sweden • Hosted most CDX infrastructure • 9 racks, 20 physical servers each • BT nets designed by GT & WT • 12 miniature factories • Each:1 butane flame to “detonate” • RT / BTs accessed game via OpenVPN
  • 45. Blue Teams • 6 BTs • 6-10 personnel each • Northern Euro gov, mil, priv sec, academia • Network: identical, pre-built, fairly insecure • 20 physical PC servers, 28 virtual machines • 4 VLAN segments: DMZ, INTERNAL, HMI, PLC • Many elements unpatched, vuln, misconfig, poor paswrds, keys, some pre-planted malware
  • 46. Game Environment • 2x 2.2GHz Xeon processors • 2 GB RAM • 80 GB HDD • 2 10/100Mbit Ethernet interfaces • VMware Server 2.0.2 on Gentoo Linux • 2 segments: management / game
  • 48. BCS SCADA • Sim: power generation company – Production, management, distribution – GE PLCs – Cimplicity HMI terminals – Historian databases • 2 model factories per BT net
  • 52. Hardening the Network • BTs did not have prior access to CDX environment • Given somewhat outdated network docs • Could install / modify existing SW • Min #, type of apps & services required • Offensive BT cyber attacks prohibited • Vs RT or other BTs
  • 53. Red Team • 20 volunteer angry environmntlst h4x0r5 – Attacks should begin slowly, intensify – No limit on hacker tools & techniques vs BTs – Could not attack CDX infrastructure – Attacks confined to CDX environment • Internally, four sub-teams – “Client-side,” “fuzzing,” “web app,” “remote” • Early CDX access, sim prior recon
  • 54. Visualization • Network topography • Traffic flows • Chat channels • Team workspaces • Observer reports • Terrestrial map • Scoreboard
  • 55.
  • 57.
  • 58. RT Campaign • Four phases 1. Declaration of war 2. Breaching the castle wall 3. Owning the infrastructure 4. Wanton destruction
  • 59. Declaration of War • Hacker ultimatum – RT must deface each BT website – “Cease operations & convert to green power…” • “…or face crippling cyber attack!” – Extremist environmental organization • “K3 c1b3r w4rf4r3 d1v1s10n” – RT defaced 5 of 6 sites w/in 30 minutes
  • 60. Phase One • WT allowed RT to compromise only: – 1 server in each BT DMZ – 1 INTERNAL workstation • Still, RT created steady stream of incident reports • EX: in 1 hour, RT had live A/V feed from BT workspace • WT had trouble scoring all incidents
  • 61. Phase Two • RT: compr as many DMZ / INTERNAL as possible – First day: 42 kills, incl web, email servers – MS-SQL SCADA rept server • Historical CDX challenge – Balanced, sustained RT pressure on all BTs – WT directive: for each vuln, all BT sys checked • For Red Team, was BCS config too easy? – Maybe not: 2 BTs kept RT out of INTERNAL nets
  • 62. Phase Three • Steal BT “crown jewels” – Human Machine Interface (HMI) • Power managment • SCADA infrastructure • RT claimed only limited victories – Only 1 of 12 model factories set on fire • Intentional or accidental?
  • 64. diff: RT vs State Actor • RT did not understand factory processes • How to blow them up? • Hypothesis • The one factory blown up was due to fuzzing attack vs Modbus protocol • More RT / GT communication, training could help
  • 65. Phase Four • “Wanton destruction” • Attack / destroy any BT system • Desperate attempt to cause max taret dmg • Not a wise CDX decision • RT DoS’d previously conquered systems • EX: Custom-config Cisco router DoS • Prevented WT from accurately scoring game
  • 66. Vulns and Exploits • RT compromised 80 BT computers • Publicly-known vulns • MS03-026, MS04-011, MS06-040, MS08-067, MS10- 025, flaws in VNC, Icecast, ClamAV, SQUID3 • Hacked web applications • Joomla and Wordpress • SQL injection, local / remote file inclusion, path traversal, XSS vs Linux / Apache / Mysql / PHP
  • 67. Vulns and Exploits 2 • Account cracking, online brute-forcing, DoS with fuzzing tools, password hash dumps, “pass-the- hash,” Slowloris vs Apache, NTP daemon and Squid3 web proxy DoS, SYN flood • Backdoors: poison ivy, Zeus, Optix, netcat, custom- made code; Metasploit used to deploy reverse backdoors • Crontab changes: eg, drop firewall rules • One zero-day client-side exploit for most browsers
  • 68. And the Winner is… • Essential services moved to custom-built, higher- security virtual machine – NTP, DNS, SMTP, WebMail • Domain Controller: IPsec filtering • “Out-of-band” communications – Did not trust in-game e-mail • Preexisting malware found and disabled • After initial MS-SQL loss, no Conf/Integ points lost
  • 69. Successful BT Strategies • Linux – AppArmor, Samhain, custom short shell scripts • Windows – AD group policies, CIS SE46 Computer Integrity System, KernelGuard, central collection of logs • All OSs – White/blacklisting, IP blocking/black hole routing
  • 70. Goals Met? 1 1. Successful “live fire” CDX – BTs tasted defense of CII / SCADA – “Cyber terrorist” scenario explored – Very little down-time reported 2. International composition of teams – >100 personnel, >7 countries – Numerous cross-border relationships strengthened
  • 71. Lessons • More WT manpower – Coms, scoring, observation, adjudication – 1 WT per BT, 2 WT for RT (trust issues) • One pre-CDX “mechanics” day – Strength-test all connectivity, bandwidth – Make rules and scoring crystal clear • “Dumb users” req’d or no client-side attacks – Wasted browser 0-day (affected SCADA sim)
  • 72. Lessons 2 • No VMWare Server Console – Too big, too slow, too particular • BTs should have some net admin rights • Authoritative team leaders from start – Big project = some clashing agendas, egos • Lawyer on WT • No “wanton destruction” phase
  • 73. Final Thought • CDX challenges ≈ real world challenges • IT • Complicated, dynamic, polymorphic, evolving • Defenders may not see same attack twice • Intangible nature of cyberspace • Victory, defeat, battle damage can be highly subjective • Sub Rosa Cyber War
  • 75. References Adams, J. (2001). “Virtual Defense,” Foreign Affairs 80(3) 98-112. “Air Force Association; Utah's Team Doolittle Wins CyberPatriot II in Orlando.” (2010, Mar 10). De-fense & Aerospace Business, p. 42. Bliss, J. (2010, Feb 23) “U.S. Unprepared for ‘Cyber War’, Former Top Spy Official Says,” Bloomberg Businessweek, online. Caterinicchia, D. (2003, May 12) “Air Force wins cyber exercise.” Federal Computer Week, 17(14), p. 37. Chan, W. H. (2006, Sep 25). “Cyber exercise shows lack of interagency coordination.” Federal Com-puter Week, 20(33) p. 61. “Cyber War: Sabotaging the System.” (2009, Nov 8). 60 Minutes: CBS. Geers K. (2010). “The challenge of cyber attack deterrence.” Computer Law and Security Review 26(2) pp. 298-303. Geers, K. (2008, Aug 27). “Cyberspace and the Changing Nature of Warfare.” SC Magazine. Gibbs, W. W. (2000). “RT versus the Agents.” Scientific American, 283(6). Goble P. (1999, Oct 9). “Russia: analysis from Washington: a real battle on the virtual front.” Radio Free Europe/Radio Liberty. Gomes, L. (2003, Mar 31). “How high-tech games can fail to simulate what happens in war.” Wall Street Journal. Gorman, S. (2009, Aug 17) “Cyber Attacks on Georgia Used Facebook, Twitter, Stolen IDs.” Wall Street Journal. “International cyber exercise takes place in Tajikistan.” (2009, Aug 6). BBC Monitoring Central Asia. (Avesta website, Dushanbe)
  • 76. References cont’d Keizer, G. (2009, Jan 28). “Russian ‘cyber militia’ knocks Kyrgyzstan offline.” Computerworld. Lam, F., Beekey, M., & Cayo, K. (2003). “Can you hack it?” Security Management, 47(2), p. 83. Lawlor, M. (2004). “Information Systems See Red.” Signal 58(6), p. 47. Lewis, J.A. (2010) “The Cyber War Has Not Begun.” Center for Strategic and International Studies. Libicki, M. (2009). “Sub Rosa Cyber War.“ The Virtual Battlefield: Perspectives on Cyber Warfare. Meserve, J. (2007, Sep 26). “Sources: Staged cyber attack reveals vulnerability in power grid.” CNN. Orr, R. (2007, Aug 2). “Computer voting machines on trial.” Knight Ridder Tribune Business News. Preimesberger, C. “Plugging Holes.” (2006). eWeek, 23(35), p. 22. “Remarks by the President on Securing our Nation's Cyber Infrastructure.” (2009). The White House: Office of the Press Secretary. “Tracking GhostNet: Investigating a Cyber Espionage Network.” (2009). Information Warfare Moni-tor. Verton, D. (2003) “Black ice.” Computerworld, 37(32), p. 35. Verton, D. (2002). The Hacker Diaries: Confessions of Teenage Hackers. New York: McGraw-Hill/Osborne. Wagner, D. (2010, May 9). “White House sees no cyber attack on Wall Street.” Associated Press. Waterman, S. (2008, Mar 10). “DHS stages cyberwar exercise.” UPI. “‘USA Today’ Website Hacked; Pranksters Mock Bush, Christianity.” (2002, JUL 11). Drudge Report.
  • 77. Live-Fire Exercise: Baltic Cyber Shield 2010 Kenneth Geers Naval Criminal Investigative Service (NCIS) Cooperative Cyber Defence Centre of Excellence (CCD COE)