Lessons from a Simulated Breach on Critical Infrastructure: Part One
By: David Lorti
Justin Turner contributed to this article.
Justin Turner, one of Dell SecureWorks' Counter Threat Unit security researchers, leads a U.S. Army Reserve mobile support team focused on cyber forensic analysis. In that role, he recently completed a week-long training engagement on critical infrastructure security sponsored by the U.S. Department of Homeland Security (DHS).
Our CTO, Jon Ramsey, mentioned Justin's experience during a recent all-hands company meeting. Digging into the details, I could quickly understand why. Justin took part in a fascinating exercise whose lessons reach well beyond utility companies and cooperatives, energy producers, transmission companies, water treatment facilities and the like.
Justin's DHS-sponsored training took place at the Idaho National Labs, where training courses range from introductory classes to advanced sessions on critical infrastructure and security.
Justin participated in the five-day advanced course. During the first three days, the training focused on understanding the landscape of industrial control systems, types of equipment, and equipment and security configurations. The training included discussion on communications protocols, common security issues and vulnerabilities, what security professionals should look for, and evaluation of the various networks (external, internal or DMZ, and control system network) involved in critical infrastructure environments.
Setting the stage for the simulation
On the fourth day, the course ran an intense 12-hour Red Team/Blue Team simulation designed to mirror real-world conditions as closely as possible. Attendees were split into two teams, with 40 on the Blue Team and 10 on the Red Team. Justin was on the Red Team. The simulation was to start at 7 a.m. sharp. Both teams had been able to meet with their members the prior evening to plan their strategies and tactics.
At 7 a.m., the Blue Team was allowed to have their first touch on the network. The Red Team wouldn't be allowed to start their efforts until 30 minutes later. The Blue Team divided into multiple system administration and change management groups, and quickly began work similar to any network management team. They started with network enumeration, patch checking and configuration checking. Each action was consistent with how a utility operator might structure their operations, and the steps they would take to incorporate a new or unknown network segment into their existing environment.
A Few Ground Rules
The Red Team was given a few ground rules prior to the start of the exercise:
- The team could only conduct cyberattacks - no physical attacks.
- Even though the entire simulation was on a controlled, isolated network, the Red Team could not use any live malware. This rule effectively prevented Justin from using any of the malware he had brought with him.
Throughout the 12-hour simulation, each team had to accomplish certain goals. For instance, by 9:30 a.m., the Red Team had to have completed a mapping of the full external network. Other objectives included a steganography challenge, compromising the wireless network, enumerating the corporate network, SQL injection (SQLi), and "lost computer" machine forensics. According to Justin, the objectives served two purposes. First, they simulated activities a security professional might need to perform in the real world. Second, they added depth to the scoring for the "game" portion of the event.
However, the Holy Grail of the exercise for the Red Team was to breach the Control System Network and control or destroy critical infrastructure (safely, in the lab).