Red Teaming Approaches, Rationales, Engagement Risks and

Red Teaming Approaches,

Rationales, Engagement Risks and Methodologies

2012 Information Systems Security Organization (ISSA)

Information Security Forum

Dave and Buster's

180 E Waterfront Dr

Homestead, Pennsylvania

Presenters:

Mark Yanalitis CISSP, IT Infrastructure Architect, PNC Bank

Bill Johnson CPP, Director of Corporate Security and Employee Safety, Highmark Inc. d/b/a Mark Yanalitis

CC Some Rights Reserved

Goals for today

•

Define Red Teaming and its’ rationale

•

Discuss differences between commercial and full-spectrum Red Teaming

•

Discuss differences between commercial and full-spectrum methodologies

•

Examine common engagement risks

•

Application of Red Teaming methods

•

A companion document exists as supplemental reading resource for this presentation

Red Teaming Approaches, Rationales, Engagement Risks and Methodologies d/b/a Mark Yanalitis


2 Friday May 4 th , 2012

Red Teaming Definitions

“An array of activity where the overall goal is to understand the adversaries perspective in order to identify one's own vulnerabilities and challenge one 's own assumptions.” 1

“Authorized, adversary-based assessment for defensive purposes.“ 2

“Review of control design and threat-based penetration testing to simulate actual attacks.” 3




Commercial v. Full Spectrum

Lets explore the motivating factors for commercial and full-spectrum red teams

Commercial engagements

• Threat-based modeling

• Compliance mandates

• IT Audit adjunct testing

• Goal is quick penetration

• Cost and time driven

• Automation dependency

• Survey the known

Full-Spectrum engagements

• Capabilities-based or hybrid modeling

• Simulations

• Goal is understanding

• Risk analysis driven

• Human in the loop

• Expand the knowable by parsing the unknown

Friday May 4 th , 2012



4

Commercial

Methodologies

Full Spectrum

Client Engagement

Master Service

Agreement

Statement of Work

Rules of

Engagement

Bond of Indemnity

Identify Scope

Reconnaissance

Targeting

Scan & Attack

Reload

Compromise

Report

Source: Sandia National Laboratories IDART, 2011




5

The Intelligence Process


Adversary (Full Spectrum Red Team) Time Expenditure

5%

Intelligence and

Logistics

20%

30%

40%

Live System

Discovery

Detailed

Preparations

Testing and Practice

Attack Execution

5%

4 Schudel, G. and Wood, B. (RAND, SANDIA & GTE: 2000)



6

Intelligence Cycle

A full-spectrum red team will focus upon likely adversarial courses of action as well as current capabilities.

Internally to the team, a need exists to have common doctrinal understanding of resource identification, intelligence collection, collection management, training, and leadership.

Red Teaming Approaches, Rationales, Engagement Risks and Methodologies

Friday May 4 th , 2012 d/b/a Mark Yanalitis


7

Intel Fusion Approach

Finished Product

Phase

6

Revision Tracking and Real-Time

Group Review

Phase

5

Desktop

Publishing and

Word Processing

Phase

4

Collaborative

Works

Production of

Graphics, Values, and On-line Briefs

Note-taking and

Organization of

Ideas

Structural

Argument Analysis

A red team collects and produces intelligence at variable rates and differing fidelities.

The red team leader must be prepared for these eventualities.

Phase

3

Interactive Search and Retrieval of data

Graphic and Mapbased visualization of data

Modeling and

Simulations

Phase

2

Clustering and linking Relational databases

Statistical Analysis to reveal Anomalies

Detection of changing trends

Detecting of Alert

Situation

Phase

1

Conversion of paper documents to digital form

Automated Foreign

Language translation

Processing Image,

Video, audio, signal data

Auto-extraction of data elements from text and images

Standardizing and converting data formats

5 Adapted from Steele, Robert, D. (New Craft of Intelligence: 2002)




Bias in the Intel process

Sources of cognitive error

Sources of cognitive error can be found in individual minds, the collective agreement of the team, team composition, and in the quality of support given to the effort. Each individual team member carries both a cognitive bias as the known outsider pre-judged by their own past experiences, as well as the bias of their culture.

Organizational and environmental bias indicators

The assignment is not taken seriously

The team or sponsor becomes too removed from the decision-making process

A lack of interaction with the blue team

Insufficient access to the details of the target

Loss of team confidences

The team fails to capture the details of the adversary, and instead mirrors itself

The red team does offers no challenge to the blue team

Thin top cover: the lack of a robust channel to act on findings in a timely manner, or consider findings with any seriousness.

Applied post-event after many bodies already have been thrown at the problem

The wrong team targeting the wrong problem (Threatbased team vs. a capabilities based problem)

A lack of clarity on the urgency of issues at hand

The red team approach is a one-time activity

6 Defense Science Board. Task Force Report on The Role and Status of Red Teaming Activities: (DoD: 2003 )




Role play the Adversary

Lets explore the difference between a threatbased adversary model and capabilities-based adversary model.

Threat – A threat represents a known quantity, a known effect singular in origin, essentially a Pathogen-Antigen model. A threat is an X-Y direct, or inverse relationship.

Capability – Actors (or a confederation of multiple actors) capable of achieving a singular goal either due to access to resources, or some form of institutional support. The force multiplier effects of capability-based actors behave like an algebraic expression where leading factors have orders of magnitude, possibly even having orders of operation.




10

Adversarial Modeling

In the full-spectrum

Red Team context, the sponsor may need more than one type of red team to realistically model the capability. In the commercial world, modeling capabilitybased actors is the exception, not the norm.

The Universe of Actors and Actions

Red Team A

Red Team B

Adversary

B

Adversary

A

Adversary

C

Source: Sandia National Laboratories IDART, 2011




Adversarial Prototyping

‥

Naive

Novice

Advanced

Novice

Professional

Hacker

Organized

Crime or

Cyber-

Terrorist

Foreign

Intelligence


Relative sophistication across adversaries


7 Op. Cit. Schudel, G. and Wood, B. : 2000 d/b/a Mark Yanalitis


12

Threat Profiling



8 Duggan, et. al. SANDIA, 2007 d/b/a Mark Yanalitis


13

Attack Trees


9 Schneier, Bruce. Modeling Security Threats (Dr. Dobb’s Journal: 1999)



14

Corporate

Network

Smart Grid Attack Diagram

The Internet

DDR PSTN DID

1-(724)-got-powr

128K CSU/DSU

Link over carrier


10 Penn State University SIIS Laboratory. (Network and Security Research Center: 2010)



15

Smart Grid Attack Tree


11 Ibid. Penn State University SIIS Laboratory: 2010



16

When to Use Red Teaming

Don't use RT methods for, Do use RT methods for,

Complex systems or complex

Simple systems or processes system of systems

Hostile and well-defined

Undefined environments

Low consequence systems environments

System with unknown consequences

Problems already identified Adaptable adversaries

Compliance and certification suffices

When unready to receive an extreme answer

Informing on security trade-offs

Training and doctrine

12 Atkins, William. Read Teaming – It's Good to be Bad. (Missouri S&T ACM SIG in Security: 2010)




17

Ok, you try it now.

Target: A reciprocating high-speed gas compressor



Source: BPI Compression 2011 d/b/a Mark Yanalitis


18

Case Study Client Situation

A new foreign multi-national corporation (OCONUS) enters

Southwestern PA as a result of a purchase and repackage of a number of leases sold by Chesapeake Energy. Almost all of these functional wells remain capped, and lack the infrastructure to get the gas to market.

The corporations‘ local CONUS office has orders to open several fields and secure the infrastructure needed to handle gas compression and transfer. The local office issues an RFP, and engages a low-bid contractor solution. The preferred corporate contracted insurer does not feel the site protection solution adequately protects their underwriting investment of leased equipment. The insurer will not offer favorable rates until the site security concerns resolve to their satisfaction.

Home office Corporate Security comes into the conversation late, and recommends that the site protection solution for the compressor be turned over to a Red Team/Blue Team for evaluation.




19

The red team simulation revealed complete destruction of the compressor and block house site plan in 10 minutes. What was the solution? Where are the vulnerabilities? why did the solution work?

It frequently rains here

Flood light and

CCTV camera

No buried fence

½ ton pickup

A cinderblock

Fender Jack

Stump Remover

Mentos

Duct Tape

Magnesium Ribbon

2 black Super Fan Suits

Five 2L bottles of Cola

One 2L bottle of Clorox

1 Large Sling Shot

Estimated 3 weeks of site observation and rehearsal




20

Case Study Red Team Solution

The full red team observed and collected intelligence on the target site for 3 weeks developing a number of information collections and applying information analysis techniques. They chose their best scenario.

During the preparation phase, the pair melted down Stump Remover , which contains Potassium Nitrate, the main ingredient in smoke bombs. By adding in some refined sugar, the two made 2 baseball size smoke bombs on a kitchen stove. Magnesium ribbon , bought at an online camping store with a stolen credit card, served as the wicks. The Cola was cut with 20% Clorox and the tops were taped over with

Mentos in the bottle necks then loosely capped. The two planned to tape the bottle bombs into the seats and floors of the truck on site, and tie in place the steering wheel.

Two red team members drove a rental car and a stolen pickup to the nearby target site. The red team members changed into black superfan suits (to prevent any hair, shoe, or clothing fibers from falling into the truck). The pair drove lights-out, a sanitized 3/4 ton stolen pickup truck (interior scrub-down, second stolen plate, and tire replaced with junk bald tires) to within 30 yards of the block house on a rainy night.

On site, the truck rear was jacked up. While one threw/shot the lit smoke bombs at the base of the fence near the camera, the other placed the cinder block on the accelerator and turned on the ignition, and put the truck in drive. When enough smoke obscured the camera, the jack was kicked out and the truck sped forward ramming the fence and crashing into the block house at high speed. The Mento/Cola/Clorox bombs burst inside the cabin of the truck spoiling the interior environment defeating most physical forensic analysis. The truck destroyed the compressor, and brought most of the block house down on the target. The two fled on foot to the get-away car, and then later burned their suits in to black plastic lumps and discarded them.




21

Case Study: Blue Team Counter-Measures




22

Case Study: Blue Team Counter-Measures




23

Thank you for listening, are there any questions or comments?




24

Use your powers for the greater good, not evil.

Fight the Good Fight




25

References

1 McGannon, Michael. Developing Red Team Tactics, Techniques, and Procedures. (Red Team Journal: APR 2004). Internet. Found at http://redteamjournal.com/

2 Sandia IDART Methodology. http://idart.sandia.gov/methodology/index.html

3 Price Waterhouse Coopers. Is your critical infrastructure safe? (PWC LLP:2010) Internet. Found at http://www.pwc.com/en_US/us/industry/utilities/assets/cyber-attacks.pdf

5.

4 Schudel, G. and Wood, B. Modeling the Behavior of a Cyber Terrorist. (RAND National Security Research Division proceeding of workshop. Appendix C: Santa Monica, California: 2000) 49-59. Internet. Found at http://www.csl.sri.com/users/bjwood/cyber_terrorist_model_v4a.pdf

.

5 Steele, Robert, D. The New Craft of Intelligence: Achieving Asymmetric Advantage in the Face of Nontraditional Threats. (U.S. Army

War College Strategic Studies Institute: 2002). 34-36.

6 Department of Defense Science Board. Task Force Report on The Role and Status of Red Teaming Activities (Office of the Under

Secretary of Defense For Acquisition, Technology, and Logistics. Washington, D.C. 20301-3140:2003). Internet. Found at www.au.af.mil/au/awc/awcgate/dod/dsb-redteam.pdf

7 Op. Cit. Schudel and Wood, 2000.

8 Duggan, David, P., Thomas, Sherry R., and Veitch, Cynthia K.K., and Woodward, Laura. Categorizing Threat - Building and

Using a Generic Threat Matrix. (SANDIA National Laboratories, Albuquerque NM. REPORT SAND2007-5791: September 2007).

Internet. Found at http://idart.sandia.gov/methodology/materials/Adversary_Modeling/SAND2007-5791.pdf

9 Schneier, Bruce. Modeling Security Threats - Attack Trees (Reprint Dr Dobb’s Journal: 1999. Counterpane Internet Security:

1999). Internet. Found at http://www.schneier.com/paper-attacktrees-ddj-ft.html

10 Penn State University SIIS Laboratory. Advanced Metering Infrastructure Security. (Penn State University Systems and Internet

Infrastructure Security Laboratory, Computer Science and Engineering (CSE) Network and Security Research Center (NSRC):

2010). Internet. Found at http://siis.cse.psu.edu/smartgrid.html

11 Ibid. Penn State University, 2010

12 Atkins, William. Read Teaming – It's Good to be Bad. (Missouri S&T ACM SIG in Security. SANDIA Critical Infrastructure

Systems Department, NM, 10 FEB 2010). Internet. Found at. http://acm.device.mst.edu/security-files/2010-02-10-Red_Teaming.ppt

‡ See the supplemental paper that accompanies this presetation titled : Yanalitis, Mark. RED TEAMING APPROACH,

RATIONALE, AND ENGAGEMENT RISKS (self-published: 2011).




26

Red Teaming Approaches, Rationales, Engagement Risks and

Red Teaming Approaches,

Rationales, Engagement Risks and Methodologies

Goals for today

Define Red Teaming and its’ rationale

Discuss differences between commercial and full-spectrum Red Teaming

Discuss differences between commercial and full-spectrum methodologies

Examine common engagement risks

Application of Red Teaming methods

A companion document exists as supplemental reading resource for this presentation

Red Teaming Definitions

Commercial v. Full Spectrum

Lets explore the motivating factors for commercial and full-spectrum red teams

Methodologies

The Intelligence Process

Intelligence Cycle

Intel Fusion Approach

Bias in the Intel process

Role play the Adversary

Lets explore the difference between a threatbased adversary model and capabilities-based adversary model.

Adversarial Modeling

Adversarial Prototyping

Threat Profiling

Attack Trees

Smart Grid Attack Diagram

Smart Grid Attack Tree

When to Use Red Teaming

Ok, you try it now.

Case Study Client Situation

Thank you for listening, are there any questions or comments?

Use your powers for the greater good, not evil.

References

Related documents

Products

Support

Red Teaming Approaches, Rationales, Engagement Risks and