Lessons from a Simulated Breach on Critical Infrastructure: Part Three
By: David Lorti
Justin Turner contributed to this article.
Learnings that go well beyond security of critical infrastructure
The final day of training featured a deep dive into what happened, how each team engaged the other, the strategies and tactics used and, most importantly, the lessons learned.
Given the focus on critical infrastructure security, one might expect learnings would only apply to this narrow but important area. However, the knowledge gained expanded well beyond and applies to any IT organization trying to protect its networks, systems and data.
Your own physical security practices can be used against you
Access to security cameras became a huge liability for the Blue Team.
IT must consider whether security cameras could be compromised by an actor with network access. Given the extensive use of cameras, this represents a potential issue that many security organizations have not fully considered. Security organizations will have to determine how these systems are connected to the network and ensure they cannot be manipulated. Whether this is accomplished by putting camera systems on an isolated network, changing passwords frequently or hardening their web services is an important matter for IT to discuss.
Basic password protection practices are not in use
Throughout the simulation, the Red Team discovered "unsalted" passwords. This is actually a very common problem across many organizations. In fact, LinkedIn partly attributed a recent, very public breach (LinkedIn data leak) to not salting passwords. Salting changes how passwords are stored: a random value (the salt) is combined with each password before it is hashed and is stored alongside the resulting hash. Two users with the same password then end up with different stored hashes, and the precomputed lookup tables attackers use against unsalted hashes become useless. This makes the stored passwords much harder for bad actors to crack.
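To make the difference concrete, here is an added example (not code from the original article) that stores passwords the way the paragraph recommends, using PBKDF2-HMAC-SHA256 from the Python standard library. The record format and the iteration count are assumptions made for this example; the contrast with a plain unsalted hash shows why two users sharing a password would otherwise be exposed together.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption for this
# example; tune it to current guidance for whichever KDF you deploy.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak scheme the Red Team found: one hash per password, no salt.
    Every user with the same password produces the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".

    A fresh random salt is drawn for each call unless one is supplied; passing
    a salt explicitly is only useful for tests that need a deterministic result.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so the check itself leaks nothing through timing."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_looks_identical(scheme: str, password: str) -> bool:
    """Constructed check: do two users who chose the same password end up with
    identical stored values under the given scheme?"""
    if scheme == "unsalted":
        return unsalted_hash(password) == unsalted_hash(password)
    if scheme == "salted":
        return hash_password(password) == hash_password(password)
    raise ValueError(scheme)


if __name__ == "__main__":
    # Constructed sample: two accounts that happened to pick the same password.
    pw = "Winter2016!"
    print("unsalted, identical stored values:", same_password_looks_identical("unsalted", pw))
    print("salted,   identical stored values:", same_password_looks_identical("salted", pw))
    record = hash_password(pw)
    print("verify correct password:", verify_password(pw, record))
    print("verify wrong password:  ", verify_password("Summer2016!", record))
```

The stored record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing records: old entries are simply re-hashed on the user's next successful login.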
Know thy network
The exercise showed that IT security professionals really need to understand the network they are trying to protect. The Red Team was able to exploit devices the Blue Team did not know about, raising the question of how IT can defend a network it does not fully know. IT security professionals must have a clear map of their network infrastructure, their systems and where data is housed, or they will not be able to defend it effectively.
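One routine way to surface the devices the Blue Team never knew about is to reconcile what the asset inventory says should be on a subnet against what the network actually shows. The following is an added example, not code from the original article: the inventory and the ARP table it parses are constructed samples, and the three-column table layout is an assumption about the export format.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: what the asset inventory claims lives on the OT subnet.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.20.1.10": {"mac": "00:1a:2b:3c:4d:01", "name": "hmi-01"},
    "10.20.1.11": {"mac": "00:1a:2b:3c:4d:02", "name": "plc-01"},
    "10.20.1.20": {"mac": "00:1a:2b:3c:4d:10", "name": "cam-lobby"},
}

# Constructed sample: an ARP table as exported from the subnet's gateway.
# plc-01 answers with an unexpected MAC, cam-lobby is silent, and two
# addresses appear that the inventory has never heard of.
ARP_TABLE = """\
Address          HWaddress          Iface
10.20.1.10       00:1a:2b:3c:4d:01  eth1
10.20.1.11       00:1a:2b:3c:4d:99  eth1
10.20.1.21       00:1a:2b:3c:4d:11  eth1
10.20.1.99       de:ad:be:ef:00:01  eth1
"""


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from a whitespace-separated table with a header row."""
    observed: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, mac = fields[0], fields[1].lower()
        ipaddress.ip_address(ip)  # raises on a malformed address
        observed[ip] = mac
    return observed


def reconcile(inventory: Dict[str, Dict[str, str]],
              observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the inventory with what was seen on the wire.

    unknown:      on the network but absent from the inventory
    missing:      in the inventory but not seen (offline, moved, or stale record)
    mac_mismatch: known address answering with a different hardware address
    """
    by_ip = lambda ips: sorted(ips, key=ipaddress.ip_address)
    unknown = [ip for ip in observed if ip not in inventory]
    missing = [ip for ip in inventory if ip not in observed]
    mac_mismatch = [
        ip for ip, mac in observed.items()
        if ip in inventory and inventory[ip]["mac"].lower() != mac
    ]
    return {
        "unknown": by_ip(unknown),
        "missing": by_ip(missing),
        "mac_mismatch": by_ip(mac_mismatch),
    }


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_arp_table(ARP_TABLE))
    for category, ips in result.items():
        print(f"{category:13s}", ", ".join(ips) or "-")
```

Each category calls for a different follow-up: an unknown address is a device to identify and either record or remove, a missing one is an inventory record to verify, and a MAC mismatch on a known address deserves immediate attention because it can mean the device was replaced or its address is being impersonated.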
The real threat is more patient and insidious
In this exercise, the Blue Team knew they were getting attacked. A real attacker would take a much more patient approach in order to gain and maintain access to your network infrastructure. And that same attacker might work to cover their tracks so they are never detected by your defenses. An attack is not likely to be a Blitzkrieg, but more a low-level stealth guerrilla war in which the adversary pokes your defenses and pulls back.
As well, the Red Team was not selected for its skill sets. In fact, only four or five members had any previous experience with exploitation or hands-on skills in this area. So, imagine a more sophisticated and better-resourced adversary and what they could do to your defenses, especially over time and with all the patience they desire.
You have less time than you think
An incredibly important lesson for both teams was the realization that they have much less time than they thought when dealing with an actor trying to access their systems. Neither team really grasped how quickly an attacker could get into the network, or how quickly firewall and other policy changes were needed whenever a threat was detected. Both teams realized that something as simple as a firewall change would have to be performed far quicker than they had ever imagined.
Encryption of data at rest
The "lost" laptop was a great example of the critical importance of encrypting data at rest combined with strong passwords. Even though the data was adequately encrypted, the user made a very poor (and all too common) choice when setting his password, and the encryption is only as strong as the password that unlocks it. IT organizations must implement encryption practices and password policies that reduce the likelihood of a security breach from a lost device.
The specialized training itself is not the real story: the lessons learned above apply to all industries.
These learnings illustrate sharp realities. Your security must have a solid grasp of the basics: what your network looks like, what password and authentication practices are being used, how your subnetworks are configured and secured from being used against you, and an understanding of the sophistication, resourcefulness and patience an adversary may employ against you. This last understanding cannot be based simply on seminars and light reading, but rather on battle-tested real-world simulation, continual retraining and a commitment to protecting your organization that always exceeds the commitment an adversary has to compromise it.
In your story, you are the Blue Team. And it is critical the Blue Team wins every time.