[ISN] Sandia's Red Teams: On the Hunt for Security Holes

From: InfoSec News (alerts@private)
Date: Fri Sep 08 2006 - 01:02:54 PDT


Forwarded from: William Knowles <wk (at) c4i.org>

http://www.eweek.com/article2/0,1895,2011679,00.asp

By Chris Preimesberger
September 3, 2006

Is it possible for a cyber-terrorist to hack into a city's water
distribution system and poison thousands? Or disrupt air traffic
communications to cause two airplanes to collide? Or create a surge in
the power grid that would leave millions of people in the dark?

These are the types of questions pondered by the so-called Red Teams,
based at Sandia National Laboratories in Albuquerque, N.M.

On the fifth anniversary of the Sept. 11 terrorist attacks on New York
and Washington, these scenarios are front and center for Sandia, the
Department of Homeland Security and law enforcement agencies across
the United States.

The Red Teams' job is to anticipate cyber-terrorism, create
contingency plans that assume the worst and ultimately thwart a
pending attack by plugging existing holes.

Michael Skroch, leader of the Red Teams, said utilities and government
agencies are increasingly at risk as they replace custom IT systems
created in the 1950s and 1960s with less expensive, off-the-shelf
Windows and Unix systems that, incidentally, are easier marks for
hackers. The older systems were secure because they weren't well known
and had limited contact with other systems.

Thus, "It's clear that the threat and risk level has never been higher
for cyber-security," Skroch said.

Sandia is owned by the Department of Energy, is run by Lockheed Martin
and is located at Kirtland Air Force Base. Formed in 1945, Sandia's
overall mission is "to enhance the security, prosperity and well-being
of the nation."

The Red Teams are part of Sandia's Information Operations Red Team &
Assessments group. Each one comprises a small group (three to eight
people) of computer and systems experts who are the IT equivalent of
the Navy SEALs special-operations outfit.

The Red Teams provide independent assessments of information,
communication and critical infrastructure to identify vulnerabilities,
improve system design and help decision makers increase system
security.

Although often viewed as a singular entity, the IORTA group breaks
into several smaller groups to tackle individual Red Team projects.

In layman's terms, Sandia's Red Teams are hired by countries and
companies to anticipate and stop cyber-terrorism and other security
breaches before they happen.

The teams, which focus on the potential for attacks from adversaries,
apply a wide spectrum of methodologies, tools, research and training
to help achieve the customers' security goals.

The Information Design Assurance Red Team is part of the IORTA
program, which was begun in 1996.


Blind to cyber-threats?

To critics, groups like Sandia's Red Teams are pivotal because, they
say, the United States is asleep to the threat of cyber-terrorism,
just as it was to the Japanese threat in the months and years leading
up to the attack on Pearl Harbor in 1941.

Evan Kohlmann is one of the more vocal critics. Kohlmann, a terrorism
researcher at the University of Pennsylvania, is the author of
"Al-Qaida's Jihad in Europe: The Afghan-Bosnian Network," and he runs
the Globalterroralert.com Web site.

"The United States is gradually losing the online war against
terrorists," Kohlmann wrote in an article titled "The Real Online
Terrorist Threat" in the current issue of Foreign Affairs magazine.

"Rather than aggressively pursuing its enemies, the U.S. government
has adopted a largely defensive strategy, the centerpiece of which is
an electronic Maginot Line that supposedly protects critical
infrastructure (for example, the computer systems run by agencies such
as the Department of Defense and the Federal Aviation Administration)
against online attacks," he wrote.

"The U.S. government is mishandling the growing threat because it
misunderstands terrorists."

Meanwhile, the DHS has also struggled with cyber-security. It hasn't
had a cyber-czar for a year and has been panned by Congress for its
internal computer security practices.

However, Skroch, manager of IORTA's Red Teams, said the critics are
off base.

"My immediate reaction to [Kohlmann's] assertions is that he may have
limited information, not being on the inside," Skroch told eWEEK.

"Not being inside the [anti-cyber-terrorist] group, he wouldn't be
able to see exactly what they were seeing. There is a great deal of
sensitive information that is never made public."

Another critic, Gabriel Weimann of the U.S. Institute of Peace, wrote
in a December 2004 special report that "the potential threat, indeed,
is very alarming. And yet, despite all the gloomy predictions, no
single instance of real cyber-terrorism has been recorded.

"Psychological, political, and economic forces have combined to
promote the fear of cyber-terrorism. This raises the question: Just
how real is the threat?"


Finding IT's Achilles' Heels

Rest assured, Sandia - and several hundred clients - believes the
threat is real. Red Team members search for vulnerabilities in IT
infrastructures and find solutions or patches before a cyber-terrorist
abuses the weakness. This practice is referred to as "red teaming."

"Our experience has shown that one fixed methodology is insufficient
to properly assess a given system, component or scenario," Skroch
said.

"We have a spectrum of assessment methodologies and assessment types
that we apply as needed to most efficiently meet customer goals and
provide consistent, measurable and actionable results."

IORTA claims there are eight natural categories of red teaming that
are combined to drive all their assessments, from high-level
evaluation of risk through sophisticated analysis. The eight
categories are design assurance, hypothesis testing, benchmarking,
behavioral red teaming, gaming, operational red teaming, penetration
testing and analytic red teaming.

One type or a combination of types is selected to achieve optimum
results for a Red Team sponsor.

The IORTA process and its subprocesses were composed and refined from
those developed at Sandia and its 50-year history of design-assess
techniques.

The Red Teams also use external techniques such as fault trees and
event trees, processes such as the COBIT (Control Objectives for
Information and related Technology, a standard framework for
information security) governance framework, as well as tools such as
open-source computer and network security tools that are appropriate
for a given assessment.

They refine their own techniques through continued R&D activities,
Skroch said.

One recent example was a request from the Environmental Protection
Agency to assess IT system security at all water distribution plants
in the United States that serve more than 100,000 people.

Theoretically, a local or regional water system could be compromised
via a Trojan horse or another attack and be forced to add an incorrect
measurement of chemicals to untreated water—for example, an amount far
above the maximum safety zone. The resulting excess could poison the
water.
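The scenario above turns on a dosing setpoint being pushed past its safety limits. A standard mitigation is a safety-limit guard that sits below the HMI and operator interface and enforces hard, plant-fixed bounds on every dosing command regardless of who or what issued it. The following is an added illustration of that guard, not code from the article, from Sandia, or from the RAM-W methodology; the chemical names, limits and command sources are constructed for the example.

```python
"""Constructed example: an independent safety-limit guard for chemical
dosing setpoints. Hypothetical limits and commands; not from Sandia,
RAM-W or any real plant."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DoseLimits:
    """Hard bounds fixed in the guard itself, not configurable from the HMI."""
    chemical: str
    min_mg_l: float       # lowest permitted setpoint (mg/L)
    max_mg_l: float       # hard safety ceiling (mg/L)
    max_step_mg_l: float  # largest change allowed in a single command


@dataclass
class SetpointGuard:
    limits: dict                                   # chemical -> DoseLimits
    current: dict = field(default_factory=dict)    # chemical -> active setpoint
    audit: list = field(default_factory=list)      # (verdict, chemical, value, source, reason)

    def apply(self, chemical, requested, source):
        """Validate one setpoint command.

        Returns (accepted, effective_setpoint). A rejected command leaves
        the previous setpoint in force and is recorded for alarming.
        """
        lim = self.limits.get(chemical)
        if lim is None:
            return self._reject(chemical, requested, source, "unknown chemical")
        if not (lim.min_mg_l <= requested <= lim.max_mg_l):
            return self._reject(chemical, requested, source, "outside hard safety range")
        prev = self.current.get(chemical)
        if prev is not None and abs(requested - prev) > lim.max_step_mg_l:
            return self._reject(chemical, requested, source, "step exceeds rate limit")
        self.current[chemical] = requested
        self.audit.append(("ACCEPT", chemical, requested, source, ""))
        return True, requested

    def _reject(self, chemical, requested, source, reason):
        self.audit.append(("REJECT", chemical, requested, source, reason))
        return False, self.current.get(chemical)

    def alarms(self):
        """Rejected commands, the events an operator or SOC should see."""
        return [entry for entry in self.audit if entry[0] == "REJECT"]


def demo():
    # Constructed limits: free chlorine 0.2-4.0 mg/L, max 0.5 mg/L per step.
    guard = SetpointGuard(
        limits={"chlorine": DoseLimits("chlorine", 0.2, 4.0, 0.5)},
        current={"chlorine": 1.0},
    )
    results = [
        guard.apply("chlorine", 1.4, "hmi-operator"),   # small, in-range change
        guard.apply("chlorine", 40.0, "hmi-operator"),  # far above the ceiling
        guard.apply("chlorine", 2.5, "hmi-operator"),   # in range, but too large a jump
        guard.apply("fluoride", 1.0, "hmi-operator"),   # no limits defined
    ]
    return guard, results


if __name__ == "__main__":
    g, r = demo()
    for verdict in g.audit:
        print(verdict)
```

The guard deliberately keeps the ceiling and step size in its own code rather than in HMI-editable configuration, so that a compromised operator workstation cannot simply raise the limits before issuing the command; the audit list is what an alarm or detection pipeline would consume.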

But, "When we looked into this, we said, 'Whoa—we can't do that,'"
Skroch said. "There was no way we could visit and assess all 350 such
facilities.

"So we selected five key systems - including [the Washington Aqueduct]
- and produced our normal detailed assessments. From that, we
distilled our methodology into an audit-type assessment tool called
[Risk Assessment Methodology for Water, or RAM-W] that could be
performed by the infrastructure owners once they received basic
training on the process.

"We developed the core training and transferred that to [the] industry
so they could train the 350 sites."

For example, since 9/11, security procedures at the Washington
Aqueduct have been under new review and evaluation based on guidance
and directives from the DHS and the Sandia Red Teams.

"As a result, [the] aqueduct now has strengthened its guards against
intrusion [including computer hacking], and we have increased our
vigilance," an aqueduct spokesperson said.

"Our security program uses a systems approach with controls on
physical access, chemical storage and operational systems to safeguard
the water."

As a DHS-designated Critical Infrastructure Facility, the aqueduct is
provided with up-to-the-minute threat information and security
enhancements "that won't be visible to the casual observer," the
spokesperson said.

Sandia found many areas for improvement in these and about 30 other
Red Team engagements of critical infrastructure. Many of them can be
found in a paper, which Sandia delivered at multiple security
conferences and is available on the IORTA Web site, titled "Common
vulnerabilities in critical infrastructure control systems."

"From the RAM-W reports, [the EPA was] able to come up with a set of
Red Team research-based recommendations for those water districts, so
they could know how and where to invest their money in security tools
and policies," Skroch said.

Another ongoing project involves the detection of explosives, weapons
or other military contraband being shipped into the country through
U.S. ports.

"Security technologies are often brittle to threats," Skroch said.
"Those developing security solutions usually forget that their
technology or solution will itself become a target. For instance, when
you put a lock on a door, a criminal may give up, attack the lock or
find ways to go around the lock.

"Locksmiths know there are ways to pick a lock. It seems that many
security vendors forget that their systems may be attacked once placed
in the field."

Sandia also is contributing to systems that detect localized
biological and chemical attacks in military and civilian event
settings.

These projects utilize Red Teams to understand what types of threats
must be detected and also to ensure that each chemical or biological
system is hardened against possible attacks that might stop it from
working.

Skroch would not elaborate on what the Red Teams are doing on these
projects but said they are working on both the IT and the physical
natures of the problems.


Red Teams' Toolbox

IORTA utilizes both hardware and software tools in its efforts. "Some
tools are used for analysis, others for planning attacks, while other
tools are used to reach out and touch our target," Skroch said.

"Our team's preference for tool environments is Linux-based operating
systems for a number of reasons. However, we regularly use Windows
platforms as needed," he said.

"In one approach, we regularly operate with open-source tools
available on the Internet. There are a lot of great tools there and
the communities that surround each are doing great things.

"We are very careful to not apply these tools to operational or
sensitive networks, because there could be additional features in some
of the tools. We will rewrite functionality of certain tools from
scratch in-house to apply to such networks."

Skroch said the Red Teams also develop their own tools and scripts as
needed on the fly.

"Red Teams portray a dynamic threat - it's no surprise we encounter
unanticipated security barriers or situations," Skroch said.

"So, when we're in the field attacking a system, we have to develop
our own scripts, hardware or social engineering attacks to penetrate
information systems." Whether the Red Teams and their tools are
successful remains to be seen. Ultimately, it's unknown how a
cyber-attack would unfold.

Gregory Rattray, faculty member of the U.S. Air Force Academy, wrote
on the academy's Web site that cyber-terrorism is likely to become a
"more significant national security concern."

And although terrorists face multiple hurdles in launching a digital
attack, "U.S. efforts to mitigate cyber-terrorism will have to advance
incrementally."

In other words, the Sandia Red Teams have their work cut out for them.

-=-

Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.
