The Devil You Know
The new converged security threat may sound like a Hollywood movie, but it’s all about deception. Red Teaming, however, is the real thing.
Over the years I’ve come into contact with a lot of industries, and I have to say that shipping and maritime is a nice one. By and large those who work in it are—by comparison with others—polite, straightforward, friendly, not always particularly tech-savvy, but usually ready for a laugh. Hence, when it comes to the new security paradigm, we’re really in trouble.
On a cold, wet day in December I went to the Transport Security Expo in London and stayed until the bitter end, through all the endless presentations about how piracy is still very important even though it’s declined massively. I stayed because I wanted to hear the only presentation of the day that offered any insight at all into the most dangerous security threat of all in maritime—cyber attacks.
The man giving the presentation was Dan Solomon, Consulting Lead for Cisco’s Cyber Security Centre of Excellence and head of the Cyber Risk and Security Services division at Optimal Risk, and he didn’t disappoint. Dan advised the depleted audience to go onto a ‘war footing’ and proceeded to outline some of the types of attack that threaten the industry—including Permanent Denial of Service (PDOS), which can crash hard drives and render hardware useless.
You might have expected a roomful of maritime people given this kind of message to have been galvanised, and if so, it’s you who would have been disappointed. Discussion of how to respond to a declining physical threat that everyone understands, one which relates only to seafarers on ships in specific geographical areas, gets everyone really fired up. But talk about cyber and suddenly it’s all unlikely and incomprehensible.
According to FireEye, who provide automated threat forensics and dynamic malware protection against advanced cyber threats, it’s not just maritime people who react like this. “Many times we try to explain to customers in terms of what is happening in the real world,” said Stephanie Boo, FireEye’s regional director for Southeast Asia. Customers sometimes say “this sounds really very much like a Hollywood movie plot.”
And they’re right. Because in the new security paradigm we are facing what Solomon describes as ‘Converged Risk’, and this combination of the physical and the cyber is something that most people have never experienced outside the movie theatre.
The idea of converged cyber and physical attacks is actually a staple of Hollywood. As far back as 1969 The Italian Job was famous for those little red, white and blue Minis haring through the Turin gridlock loaded down with stolen gold. But how did they create the traffic jam in the first place? That required the assistance of Professor Peach changing the programme for the traffic control system. Getting Professor Peach in, though, required a physical diversion, a deception. And that’s at the heart of the threat, and why we find it so very hard to deal with. We may find IT hard to understand, but we find deception even harder.
There is an approach which can help though, and Dan Solomon is a strong proponent of it. Called Red Teaming, it is not security testing as it’s generally understood. Red Teaming is goal based and, crucially, the team doing it have an attacker’s perspective. “The Red Team approach is test it, prove it or learn why your perceptions are misaligned,” says Solomon. “Red Teaming takes you away from the idea that it’s all about IT and demonstrates that employees and processes are just as vulnerable. Once you’ve been a victim it forces you to recalibrate, because you don’t want to go through it again.”
It may sound extreme, but Solomon is clear that it’s essential in order to build resilience. “The state of industrial cyber security is shocking, there’s widespread ignorance and complacency, cultural myopia, analytical bias all leading to an assumption that the risk is low,” he says, “most people don’t understand deception, and it’s all about deception.”
Red Teaming is just one of the services that Solomon’s outfit Optimal Risk provides, and its work in shipping and maritime is growing. Whilst most of what Solomon’s team do for—and to—their clients is necessarily confidential, the basic approach is something he’s prepared to talk about. It’s the same approach that was used on a major port recently.
The goals of the Red Team will be agreed with the board of the company well in advance, after which Solomon’s team go to work. According to Solomon the easiest way to generate cyber intelligence is via the ‘cyber footprint’. That gives the team a framework of who to target, what systems there are and some of the details of vulnerabilities, both physical and human. “The intelligence gives us the basic information we need in order to conduct physical and cyber reconnaissance and surveillance on various people who we feel will be vulnerable, and allows us to begin building up a picture of the site,” Solomon explains. “That gives us a number of options and we can develop parallel plans in case one is less successful than another.”
As part of the reconnaissance Solomon’s team will have identified the layout of the site and what’s housed in which buildings—very often harder than it sounds, unless some of this information is carelessly made available and picked up in the cyber intelligence gathering. At the same time the patterns of movement and the procedures of certain guards on certain buildings will be ascertained. What the team is trying to do is to build up as full a picture as possible, fusing cyber intelligence with what’s happening on the ground—human eyeballs.
“We’ll also try and get someone recruited, we tried to get someone into the port as contract staff or as temporary staff. If that works then it’s really game over. If it doesn’t then it still gets people onto the port to go for interview and to meet people. They can then gather information about where they’re taken, where they meet in certain buildings and with whom. It all contributes to building the picture.”
The port Red Team had a variety of aspects to it, including gaining access to buildings in order to attack the network and exploit that breach. “It was very important that we got into the communications room, so once we’d identified which building that was in, we zeroed in on the guard there,” says Solomon. “We started looking at him specifically with the intention that he could be drawn away from his post for a period of time so that we could get in and out of the building without being recognised.”
The details of how the team achieved that aren’t something Solomon wants to go into, but they include what he describes as the ‘dark arts’ which, whether it’s honey-trapping or simply duping someone, can be humiliating for the victim. Sometimes the approach is micro-planned, but according to Solomon it can also be a lot more spontaneous once the team are on the site. “You have to be opportunist and be able to think on your feet, even though you might have prepared for certain scenarios. You’ll have equipment in your pockets that will help you to run a ruse.”
In the case of the port, distracting the guard involved manipulating the CCTV feeds, and once inside the team started inserting USB sticks into various terminals and cloning the WiFi. The physical and human side of the operation then gives way to the cyber expertise. “Once those USB sticks are inserted they have malware on their system which will allow us to take command and control of the systems we’ve identified. At that point we really don’t have to run a lot of complex phishing attacks, but because Red Teaming has to combine these things we usually do more than we need to.”
Sometimes the team will try four or five different approaches, phishing people at different levels; then there are very targeted attacks in which only two or three people, or even just one person who is key, are targeted. In other scenarios there may be phishing APT attacks that look for a broader audience, dozens, in a certain community, or even just to catch anyone in the organisation. “Some of these elements are necessary to achieve our goal and some are just steps we’ve agreed with the client so we can test these things to see how vulnerable they are, just to help their awareness campaign.”
Whether it’s a remote attack that has provided access to information or a physical intrusion, once inside the team then accelerates and develops its network access. “It doesn’t matter what order it comes in, it’s a fusion of physical, human and IT vulnerabilities that are all exploited, sometimes in parallel, sometimes in sequence.” Ultimately the team gets itself into a situation where it has command and control and eyes and ears on the system, and begins to escalate its privileges, taking over domain controllers or databases by getting right back to the shell command as an administrator. If successful the Red Team can then do just about anything they choose including locking people out of the system, and creating new administrative rights and identities that have access to certain types of information. That information can then be exfiltrated and changed.
“From there it’s very, very hard to go in—unless you’re a complex organisation with a lot of tools—and find out where the attackers have got to, where they’re sitting, how they got there and what was touched on the way,” warns Solomon. “You start reaching everyone’s computer, you’ve infected the email, everything that’s being shared in terms of information is being seen. A forensic job of cleaning up the systems at that point would in some cases be impossible.”
At this stage of the attack it’s possible for the team to reach the operating technology environment. Once there an attacker can begin malicious sabotage activity—switching things on and off. “We don’t do that,” says Solomon firmly. “But we do prove that we can get through to the control board of those kind of applications.”
Solomon gives an example of a team who demonstrated their access by opening and closing valves and altering pressure settings, which a genuine attacker could have used to cause a significant explosion. “If you can do that and the client doesn’t have advanced monitoring systems then they have no idea you’re there. They’re looking at the dashboard and wondering who’s authorising this and then suddenly they begin to think, ‘who’s got control of this?’”
But there’s another very sobering aspect to Solomon’s port Red Teaming which highlights why shipping and maritime companies’ unpreparedness for cyber attack could have far-reaching consequences. One of the most common ways to attack a target is by looking for vulnerabilities in its supply or customer base. In this case a major ship operator proved to be the weak point.
By looking at the digital footprint and gathering cyber intelligence about that organisation Solomon’s team identified what they thought could be a weakness.
“We looked at the points which were most likely to be less sophisticated in terms of security and those places are traditionally underdeveloped countries. So we started probing and found some common vulnerabilities in one of their portals.”
Solomon says that from there it was just step by step intrusion into the back end of that domain. “From there we could see all the databases that sit on that domain. We accessed information there which we used to follow the trail all the way to the central domain. One of those applications led us to the RFQ system. From there anything was possible.”
At least one of the possibilities is that attackers could amend documents like Bills of Lading, much like Solomon’s team did, and then see who notices. “Changing the paperwork to read ‘1 piece of machinery (thermonuclear device)’ could be something a hacker would do just to have a laugh at the expense of the operator or the port, but believe me, the USA will notice,” Solomon warns. “If a more serious attacker wanted to shut down trade between a port and the USA, they could alter the bills and alert US customs that they have control of the system and the proof is that what’s inside the container doesn’t correlate. The US are going to take that kind of threat extremely seriously.”
If that scenario is frightening then Solomon is doing his job, and the impact on organisations who fall victim—however willingly—is profound. “This gives you a critical new angle on the potential scenarios you are facing. It shows you that the bad guys don’t care about pain. Pain means their message has been heard. We take your worst fears, the sum of all fears that you perhaps haven’t even woken up to yet, and we will make them real enough for you to be hurt by them in a controlled way, and then build resilience against them.”
Solomon doesn’t believe that there is a particular profile of company that would benefit most from Red Teaming. In the current threat landscape the exercise will benefit any organisation, even those undertaking lots of different security testing in different ways. What Solomon’s team really does is expose you to the kind of calculated deception that the shipping and maritime industry doesn’t have in its DNA, but it does something else too, and that’s create what Solomon calls ‘guilty knowledge’.
“We make you a victim and that is not a pleasant experience, but once you’ve been a victim you are determined not to be one again. The Red Team experience aligns the organisation on the vulnerabilities and the work that has to be done and what has to be changed. When you’ve actually shown the board what is possible, that creates guilty knowledge. You have been shown, so there’s no excuse any longer.”
And Red Teaming gets results. Solomon says that after a Red Team exercise the immediate tactical remediation can be conducted in a matter of weeks in IT terms, so the benefits are almost immediately felt. Organisations can realise a mammoth 400 per cent improvement in security in a very short space of time, and though the longer term strategic aspects will take much longer, the buy-in from management that the Red Team exercise achieves is crucial to driving them through.
The consequences for senior management and boards around the world when their organisations are attacked are becoming harsher. Target CEO Gregg Steinhafel walked following its data breach, and now Sony is being sued by former employees on the basis that it had suffered other hacks in the past and failed to respond adequately to secure employee data.
As an essential link in so many supply chains, ship operators and maritime companies could be exposed on many different levels. The vulnerability of ships is a particular concern considering the volume of different crew, support staff from equipment manufacturers and even port and coastguard staff who regularly go aboard. A crew member placed aboard for a short voyage via a manning agency, someone posing as a satcom engineer, or even coastguard personnel are all possibilities. Red Teaming may be the only way to really understand how maliciously deceptive the attackers actually are.
Being a victim of Solomon’s Red Team is undoubtedly a difficult experience, but the organisations which come out the other side are several magnitudes more aware and more resilient for the experience. If—as many experts are warning—a successful cyber attack on shipping and maritime is just a matter of time, we need to become both of those things.
And as the old saying goes, better the devil you know.
Images credit © Paramount Pictures; Getty, Optimal Risk
This article appeared in the January 2015 issue of Futurenautics.