APCO North Central Conference
Table Top Exercise Program Guide (EPG)
Scenario: PUBLIC
Revision 1.2 – 15 April 2009
CONFIDENTIAL

Author: James P. Cavanagh, cyber exercises, jim@cyberexercises.com

Instructions to reviewers/editors: Add your name, agency or organizational affiliation and email address at the end of the list of contributors. With TRACK CHANGES on, make your edits and, when you are finished, email the final version to jim@911tips.org with "TTX: Public" in the subject line.

Contributors:

Table of Contents

Cyber Table Top Exercises ............ 1
Public Gathering Cyber Table Top ............ 1
Objectives ............ 2
Purpose ............ 2
Exercise Agenda ............ 2
Scenario Walkthrough ............ 3
Response ............ 5
Debrief ............ 5
Appendix A: Prep/Reading List
Appendix B: After Action Activities
Appendix C: Materials Checklist
Glossary

Cyber Table Top Exercises

On Sunday, April 26th, 2009 at 0900 in La Crosse, Wisconsin, three cyber table top exercises will be staged as a pre-conference exercise of the Association of Public-Safety Communications Officials' (APCO) North Central Conference. Like many table top exercises, these exercises will deal with an active shooter incident on campus with hostages, emergency response to an unprecedented natural disaster, and terrorist disruption of a public gathering. Unlike most table top exercises, however, these exercises will focus on the cyber aspects of the three scenarios. The objective of these exercises is to transfer knowledge about key aspects of the underlying technologies, how they are exploited and disrupted, and how the risks can be mitigated.

The overall program will be moderated and facilitated by Wisconsin Emergency Management's Terrorism Exercise Training Coordinator and La Crosse County's Emergency Management Coordinator, with each of the three individual exercises being conducted by Knowledge Transfer Agents (KTAs): practitioners with technology and cybersecurity credentials relevant to their respective scenarios. Additional knowledge transfer will come through cross-disciplinary participation from schools, cities, counties, hospitals and other interested and impacted parties, whose participation is being actively solicited.

In order to get the most impact from the program, each registered participant will have an opportunity to review and edit the Exercise Planning Guide (EPG) prior to the exercise. Their inputs will be noted through end notes in the guide with their name, agency or company affiliation and email address.
Public Gathering Cyber Table Top

Individuals who have entered the US fall into two categories: terrorists who have become neutralized because they like their new home and have become assimilated, and terrorists who are awaiting instructions. In this scenario the second group of terrorists, with some assistance from a member of the first group, execute a coordinated attack on a regional law enforcement and public safety conference and confound response efforts by exploiting wired and wireless systems. The terrorists' apparent objective: to confound and embarrass a wide range of public safety and law enforcement agencies in a public way, thereby terrifying and terrorizing the community. As usual, the terrorists are attempting to generate the most terror for the lowest cost. Among other technologies, the terrorists use prepaid cell phones and wireless IED-like devices to disrupt a regional public safety conference and kill a US government counter-terrorism official, as well as inexpensive improvised systems to mislead 911 with faked calls originated over VoIP and appearing to come from the dead general's home. This exercise will explore how such technologies can be used by terrorists and by law enforcement, and how they can be detected and overcome.

http://www.leaps.tv/apcottx/epg/epg-public.pdf   Page 1   APCO North Central Conference TTX: Public Gathering Scenario

Objectives

1. Offer opportunities for subject-matter experts to provide information regarding current and emerging technologies and the associated challenges (intentional or otherwise) to the effective use of those technologies.

2. Prepare and conduct three facilitated table-top exercises designed to explore various means that perpetrators could use to disrupt public safety communications. The exercises will be offered in a rotated schedule so that every workshop attendee may participate in all three exercises, or select those that offer topics specific to their needs and interests.

3. Provide exercise review presentations to the full workshop to allow participants to share thoughts and ideas regarding potential responses to the cyber-terrorism attacks, as well as feedback on overall exercise design and conduct.

Purpose

Pre-conference attendees from the thirteen states represented in the APCO North Central Region will be offered an opportunity to examine and share concerns and insights regarding the intentional criminal exploitation of new and emerging technologies in the public safety communications profession. A tabletop exercise will serve as the core component of a subject-matter-expert-facilitated workshop and will feature multiple scenarios in a break-out session format to allow for exposure to diverse concerns and potential solutions to common issues.

Exercise Agenda

This exercise will be divided into three phases, each of which will be 30 minutes in length.

The first thirty minutes of the exercise scenario will be a detailed, step-by-step walkthrough of the technical aspects of the attack, emphasizing the exploitation of wired and wireless technologies and the Internet in both the planning and execution phases of the attack. There will be a very minimum of emphasis on the terrorists' motivation, ideologies, etc., other than to answer basic questions as to why they have chosen to attack a gathering of law enforcement and public safety persons.

The second phase will be an interactive collaboration on the 911 and law enforcement response. Participants will be divided into groups based on their agency or organizational affiliations and will spend ten minutes determining their responses to the attack; in the final twenty minutes a representative of each group will briefly describe their responses. In the brief ten minutes allowed they will be encouraged to coordinate their activities with other groups.
No attempt will be made in the first or second phases to answer questions regarding countermeasures or solutions: those will be left for the Debrief section of the exercise.

In the Debrief phase of the table top exercise the facilitator will guide participants through the process of discovering countermeasures and additions to routines that could, at minimum, detect and identify risks and, at best, counteract and defuse the risk.

Scenario Walkthrough

TIME: EVENT

-484 days to -409 days: Nine el Kebeer Awee Jihad (KAJ)[1] cell members infiltrate the US via US-Canadian border crossings, at different times and in different places. They settle in the central US, taking low-paying industrial and agricultural jobs, and use public library computers every Saturday at 4:30 pm to look for the signal to move to action.[2]

-282 days: KAJ cell member Ahmad marries a "local girl", leaves the jihadist movement and is assimilated into American life. He never reveals his past.[3] This reduces the number of cell members to 8.[4]

-214 days: A US Government counter-terrorism agency disrupts the Tanzanian cell of KAJ. KAJ vows revenge in Internet posts to Arabic-language websites, on the ZarabTV and al Jazeera TV channels, and on YouTube.[5]

-213 days: Using the Internet, Skype[6] and freely available encryption and steganographic software tools, KAJ activates the cell but provides only very vague instructions. Cell members then, independently of central command and control, begin the planning phase.[7]

-209 days: By this point KAJ cell members, using Google, have identified the primary government agency person responsible for the Tanzanian cell disruption as General David Woods. KAJ has a complete resume from LinkedIn[8], as well as several articles and other references from military and civilian publications. They also have a complete listing of family members, a large volume of personal information on college student son Trevor (from Facebook, MySpace and other sources) and teen daughter Stephanie (from Facebook and MySpace), and detailed activities from Twitter.[9]

-209 days to -181 days: KAJ continues to monitor Internet information on General Woods and to consider many plan options.[10]

-181 days: KAJ finds a new Google entry for a public safety conference in La Salle, Wisconsin, at which General Woods is to deliver the keynote address.

-181 days: KAJ continues to gather information and to plan the precise attack they will execute.

-171 days: KAJ cell members do physical surveillance on the Big River Conference Center, where the conference will be held. They avoid taking pictures or being seen on surveillance video.

-170 days: KAJ members individually access the conference venue web site and get jobs which give them access to the conference site.

-182 days: Cell member Aadil[11] gets a job working directly for Big River Conference Center as a maintenance supervisor. In this role he has security clearance, physical access and a way of gaining knowledge of the physical infrastructure of the location.

-142 days: Cell members Iqbal and Ibrahim get jobs with contractors which provide services to Big River Conference Center. Iqbal is a full-time cleaning person who is in the facility for 6-8 hours every night when there is a concert, conference or other activity. Ibrahim's job is as a laborer with a contractor which sets up trade show booths.

-142 days to 0 day: Iqbal works at the Big River Conference Center.

-111 days: Ibrahim works the Gallactic Cheese Convention, giving him access to knowledge about access procedures, security and electrical power.

-89 days: Ibrahim works the Regional Tractor Show, giving him further information and a way to check the consistency of the security procedures. He finds them inconsistent.[12]

-80 days: KAJ decides to blow up the conference center at the beginning of the keynote address by General Woods. This will provide maximum impact and TV coverage because the room will be filled with 911, police and other law enforcement personnel, as well as their target.

-79 days: KAJ cell member Amin, the munitions expert, begins to assess available materials and to plan the type of bomb he will construct. One of his most useful tools in this process is the Internet: Google, YouTube and Usenet have hundreds of dead-ends, but Amin's prior bomb-making training allows him to winnow down a reasonable short list and to begin limited testing in remote areas.

-61 days: Anticipating the type of materials that will be required for bomb making, Amin gets a job at Radio Shack, KAJ cell member Iqbaal[13] gets a job at Home Depot and Ibrahim changes jobs to a farm supplier who sells fertilizer and other chemicals.

-42 days: Testing complete, Amin instructs Ibrahim to begin acquiring certain chemicals at the rate of one pound per day and instructs other cell members to begin making small purchases from a variety of sources.

-41 days: KAJ member Iqbal takes a car trip to an adjacent state and purchases disposable cell phones[14] for cash, one at each of several locations located miles apart.

-39 days: KAJ contacts Ahmad, who had left the cell 8½ months ago. Ahmad works as a delivery person in a flower shop. KAJ needs a favor. All they need is to borrow the delivery truck on a Sunday – a day the florist is closed – to "move apartments". Ahmad agrees to make the truck available.

-2 days: Using the borrowed delivery truck, KAJ members deliver eight large potted ficus trees, which are located in the main hall, three on each side and two on the stage. They are not detected amidst the deliveries and activity related to setting up the conference show floor and all of the vendors' equipment, booths and other equipment. The ficus trees will not be watered from the Friday delivery until the Sunday keynote address. The ficus trees have, in their base, bombs with detonators wired to disposable cell phones.

0 day: Fifteen minutes after the start time of the keynote address, each of the eight remaining Kebeer Awee Jihad cell members makes a call to a potted plant at the appointed time, from a different remote location. Boom.

1 day: KAJ claims credit for the blast in a 911 call to the 911 PSAP in LaSalle, Wisconsin from what appears to be General David Woods' home in Maryland. The message, recorded using a voice scrambler[15], says "This is Kebeer Awee Jihad. We killed General Woods because he is an enemy of Islam. Allah akbah. And we will do it again, insh'allah." The call is made using a special hacker version of VoIP software that masks call information, and is made through an intermediate server, known as a proxy server, in Finland, making the call very hard for law enforcement to trace.

Notes

[1] El Kebeer Awee Jihad is a fictional jihadist organization. Kebeer Awee Jihad in English literally means "Very Big Holy War".
[2] Use of cell phones – even pre-paid – personal email accounts – even free accounts – or other communications methods would leave a stronger electronic trail and create chatter that might be picked up by intelligence agencies. Checking for a specific personal listing on an Arabic dating site or the listing of a certain item on eBay might be the signal to begin more active communications.
[3] Even though one of the hallmarks of the jihad movement is patience, there is a risk in leaving cell members too open to the temptations available in the land of the Great Satan.
[4] These types of situations are allowed for – though not condoned – when considering cell staffing. Eight is still more than enough for cell activities to be effective.
[5] As of 5 March 2009 YouTube had over 100 million viewers who watch an average of 101 videos each.
[6] The free global Internet phone service Skype includes encryption.
[7] This portion of the table top exercise will be described with screen shots of web sites used by terrorists in this exercise.
[8] As of 2 April 2009 LinkedIn contained 103,964 persons who marked their industry as "military".
[9] Twitter users send out messages called Tweets to alert friends and contacts as to their whereabouts, activities, thoughts, etc.
[10] Fortunately for General Woods' family, this KAJ cell is located in the Midwest US and will only travel outside their geographic area under extreme circumstances (as they know it is possible that other cells are geographically closer and probably working in parallel), and this is not an organized crime table top exercise: in general, Islamic terrorists do not harm or kidnap family members of targets.
[11] A'adil in Arabic means "just". In A'adil's opinion he is living out the life for which his mother intended: delivering Allah's justice directly to the infidels.
[12] There is some disagreement within the security community whether it is better to have absolute discipline in procedures (which allows changes or abnormalities to be spotted more readily) or to change procedures periodically to avoid exploits of regular, standardized procedures. In this exercise we do not know if the inconsistencies were planned or a result of bad planning. In either case this may be a confounding element for KAJ.
[13] This is not a mis-spelling. This is a second cell member named Iqbaal. Iqbaal means "prosperity" in Arabic and is a fairly common name.
[14] Disposable cell phones present a particular problem for law enforcement because of the ease and low cost with which they can be purchased and the difficulty involved in tracing them.
[15] Voice scrambling technology is widely available at little or no cost for a variety of applications, from "just plain fun" to law enforcement, skip tracing and a variety of other applications.

Response

The second phase, the Response phase, will be an interactive collaboration on the 911 and law enforcement response. Participants will be divided into groups based on their agency or organizational affiliations and will spend ten minutes determining their responses to the attack; in the final twenty minutes a representative of each group will briefly describe their responses. In the brief ten minutes allowed they will be encouraged to coordinate their activities with other groups. No attempt will be made in the first or second phases to answer questions regarding countermeasures or solutions: those will be left for the Debrief section of the exercise.

Debrief

In the Debrief phase of the table top exercise the facilitator will guide participants through the process of discovering countermeasures and additions to routines that could, at minimum, detect and identify risks and, at best, counteract and defuse the risk.

Appendix A: Prep/Reading List

The following web sites and reading are highly recommended in order for the exercise participant to get the most from this exercise.

Expert: Skype calls nearly impossible for NSA to intercept, by Russell Shaw
http://blogs.zdnet.com/ip-telephony/index.php?p=919

Can They Hear You Now? How the FBI eavesdrops on Internet phone calls (and why it sometimes can't), by David S. Bennahum
http://www.slate.com/id/2095777

Introduction to Encryption (A 20 minute online tutorial), by James P.
Cavanagh
http://www.webtorials.com/abstracts/Introduction to Steganography.htm

Steganography Revealed, by Kristy Westphal
http://www.securityfocus.com/infocus/1684

Introduction to Steganography (A 20 minute online tutorial), by James P. Cavanagh
http://www.webtorials.com/abstracts/Introduction to Encryption.htm

Police warning on Facebook model stalker, The Daily Telegraph
http://www.news.com.au/technology/story/0,28348,25245503-5014239,00.html

Attempted MySpace kidnapping in Florida, by Trench Reynolds
http://www.mycrimespace.com/2007/02/19/attempted-myspace-kidnapping-in-florida/

Mom tries to have son kidnapped on MySpace, by Trench Reynolds
http://www.mycrimespace.com/2007/04/10/mom-tries-to-have-son-kidnapped-on-myspace/

Your Privacy is an Illusion: Twitter tracking takes work, fun out of stalking, by Mary Jane Irwin
http://gawker.com/tech/your-privacy-is-an-illusion/twitter-tracking-takes-work-fun-out-of-stalking-304933.php

Student Gets 15 Years for YouTube Bomb-Making Video, by Mark Hefflinger
http://www.dmwmedia.com/news/2008/12/19/student-gets-15-years-youtube-bomb-making-video

Bomb-Making Manuals: Explosive Content
http://www.adl.org/poisoning_web/bomb_making.asp

Learning Bomb-Making Secrets, by Joseph Straw
http://www.securitymanagement.com/article/learning-bomb-making-secrets

Surge in Sale of Disposable Cell Phones May Have Terror Link, by Brian Ross and Richard Esposito
http://abcnews.go.com/WNT/Investigation/story?id=1499905

Build a remote cell phone bomb detonator like MacGyver
http://digg.com/odd_stuff/Build_a_remote_cell_phone_bomb_detonator_like_MacGyver

Voice Scrambler Products – both hardware and software
http://www.google.com/search?hl=en&q=voice+scrambler

Caller ID Spoofing ANI Spoofing - VOIP Security
http://www.metacafe.com/watch/849275/caller_id_spoofing_ani_spoofing_voip_security/

911 service not prepared for new generation of pranksters, by David Chartier
http://arstechnica.com/telecom/news/2009/02/911-service-not-prepared-for-new-generation-of-pranksters.ars

Ringleaders in "Swatting/Spoofing" Conspiracy Sentenced
http://www.usdoj.gov/criminal/cybercrime/rosoffSent.htm

Appendix B: After Action Activities

The following activities are recommended to reinforce and add depth and perspective to the knowledge gained in this exercise.

1) Establish two free accounts on the global Skype (www.skype.com) voice service and communicate from different devices, including Internet cafes, kiosks and cell phones. Be sure to exercise the entire range of Skype capabilities, including Skype-out for making Skype-to-PSTN calls.

2) Download and install encryption software on two computers and send encrypted messages. One method would be to enable encryption within your word processor software. A good test is to enable similar encryption in two different word processing packages and exchange messages. Another way would be to use a simple program such as Pretty Good Privacy (PGP) (http://www.pgpi.org/) on two different machines.

3) Download and install steganographic software on two computers and send hidden messages. For an additional understanding of spy and terrorist craft, use public computers such as public library or Internet café or kiosk systems. Embed a "secret" message within a "container" message such as a digital photograph and post the photo to a large, anonymous web site. Why not put something on a dating site or eBay? There are a number of steganographic programs in the public domain. A variety of choices are available on http://www.topology.org/soft/crypto.html. If you use this site, please bear in mind that there is a general – though unsubstantiated – belief within the criminal and terrorist community that this web site is actually operated by the US government and that the cookie installed upon entry is a tracking cookie.

4) Post a video on YouTube (www.youtube.com). It can be anything you want and you can delete it after several people have viewed it. The point of this exercise is how easily and anonymously this can be done. Use fake credentials to sign up.

5) Sign up for LinkedIn (www.linkedin.com) and search for military and law enforcement personnel by name, title, rank, etc.

6) Go to YouTube (www.youtube.com) and search for videos on bomb making. Search Google for bomb making instructions. Look for bomb making instructions on USENET. Have your department expert verify whether the instructions provided would yield a working device.

Appendix C: Materials Checklist

o Screen shots for Internet activity
o E-size drawing of conference center
o Large format monitor to connect to facilitator's computer

Glossary

Encryption: Systematic scrambling of information such that it can be unscrambled later. Objectives are privacy and source validation.

Facebook: Social networking site and source of a lot of personal information including friends, activities, how to get in touch, etc. See also MySpace.

Google: The largest, though not the only, nongovernmental index of Internet content. Google software robots (bots) scour Internet sites constantly and index the information for easy access by Google users.

LinkedIn: LinkedIn (www.linkedin.com) is a very popular business networking web site and is used by civilian and military personnel to obtain and maintain professional contacts.

MySpace: Social networking site and source of a lot of personal information including friends, activities, how to get in touch, etc. See also Facebook.

PGP: Pretty Good Privacy. An open source encryption package developed by Phil Zimmermann and subject to a variety of legal challenges.

PSAP Bombing: PSAP "bombing" is a term describing making fictitious 9-1-1 calls with an intentionally inaccurate, or "spoofed", call-back number or other call-related information.

PSTN: Public Switched Telephone Network. The US term for the traditional telephone network.

Skype: Global phone service that is free of charge for Skype-to-Skype calls, includes encryption and is designed to traverse security firewalls.

Steganography: Hiding of information within other information or symbol(s).

Twitter: Twitter is a free social messaging utility for staying connected in real time. Twitter users send short update messages, called Tweets, to other users (tweeters) to keep them updated on current activities.

YouTube: A video hosting site that allows the posting of videos by subscribers. YouTube is only the most name-recognizable of several dozen of these types of sites on the Internet.
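The spoofed call-back information in the scenario's claim-of-responsibility call and in the PSAP Bombing glossary entry is something a PSAP can screen for mechanically, which is the kind of countermeasure the Debrief is meant to surface. The following is an added example and is not part of the exercise guide; the served area codes, the record fields and the sample calls are constructed assumptions, not data from any real PSAP.

```python
"""Screen incoming 9-1-1 call records for spoofed call-back information.

Added example, not part of the APCO exercise guide. It models the PSAP-side check
the Debrief is meant to surface: a VoIP-originated call whose call-back number and
ALI location both point far outside the PSAP's service area (the scenario's call
"from General Woods' home in Maryland" to a Wisconsin PSAP) is escalated rather
than trusted. Field names, area codes and call records here are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

SERVED_NPAS = {"608", "715"}   # area codes the hypothetical Wisconsin PSAP serves
PSAP_STATE = "WI"


@dataclass
class CallRecord:
    call_id: str
    trunk: str      # origination trunk group: "wireline", "wireless" or "voip"
    callback: str   # call-back number presented to the call-taker
    ali_state: str  # state from the ALI location lookup, "" if no record returned


def npa(number: str) -> str:
    """Return the 3-digit area code of a 10- or 11-digit US number, else ""."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:-7] if len(digits) in (10, 11) else ""


def screen_call(rec: CallRecord) -> list[str]:
    """Return the inconsistency flags for one call; an empty list means it looks normal."""
    flags: list[str] = []
    code = npa(rec.callback)
    if not code:
        flags.append("CALLBACK_UNPARSEABLE")
    elif code not in SERVED_NPAS:
        # Wireless and VoIP callers can legitimately roam, so this alone only prompts
        # the call-taker to confirm the number and location verbally.
        flags.append("CALLBACK_OUT_OF_AREA")
    if not rec.ali_state:
        flags.append("ALI_MISSING")
    elif rec.ali_state != PSAP_STATE:
        flags.append("ALI_OUT_OF_STATE")
    return flags


def disposition(rec: CallRecord) -> str:
    """Map the flags to an action for the call-taker."""
    flags = set(screen_call(rec))
    if not flags:
        return "ROUTE_NORMALLY"
    # The scenario pattern: VoIP origination, and both the presented call-back number
    # and the location record point outside the service area. Anything the caller ID
    # implies about identity or address must be confirmed through another channel.
    if rec.trunk == "voip" and {"CALLBACK_OUT_OF_AREA", "ALI_OUT_OF_STATE"} <= flags:
        return "ESCALATE_POSSIBLE_SPOOF"
    return "VERIFY_CALLBACK_BEFORE_DISPATCH"


def screen_batch(records: list[CallRecord]) -> dict[str, str]:
    """Disposition for every call, keyed by call id."""
    return {rec.call_id: disposition(rec) for rec in records}


# Constructed sample: two ordinary local calls, one roaming wireless caller and the
# scenario's claim-of-responsibility call presented as coming from Maryland.
SAMPLE_CALLS = [
    CallRecord("c1", "wireline", "608-555-0100", "WI"),
    CallRecord("c2", "wireless", "715-555-0133", "WI"),
    CallRecord("c3", "wireless", "612-555-0188", "WI"),   # Minnesota phone, located in WI
    CallRecord("c4", "voip", "301-555-0142", "MD"),       # the scenario's spoofed call
]

if __name__ == "__main__":
    for rec in SAMPLE_CALLS:
        print(rec.call_id, rec.trunk, rec.callback, screen_call(rec), disposition(rec))
```

The check only tells the call-taker what to confirm; it does not locate the caller, which is why the scenario's proxy in Finland is invisible to it and the verification has to happen over a separate channel.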