7 Planning for a Controlled
TEAMING AND ATTACK STRUCTURE
No matter the structure of the attack, an operational protocol is crucial to the success of the test. As with any test, there must exist procedures outside the direct experiment to ensure the stability, safety, and accuracy of the results. There are risks that must be planned for to address the uncertainties that lie within the test itself.
TABLE 7.1
Pros and Cons of Multi-Phased Attacks (Parallel)

Parallel Shared and Isolated
Pros:
• Efficient use of time, given each group should be the same duration
• Leverages specific skill sets, given the use of different testers for each group
• Collects a plethora of security information about the target
Cons:
• Does not reflect atypical threats, given the exchange of information
• Places more reliance on the target’s management and White Team
Indicators for Use:
• Time is more important than tactics
• Focused on exploiting all (or as many as possible) forms of security vulnerabilities (e.g., people, process, and technology)
Challenges:
• Disruption of business-related activities, given the number of fronts being attacked

Parallel Shared Only
Pros:
• Can use a smaller number of consultants
Cons:
• Requires specific types of imposed limitations to control scope and impact
Indicators for Use:
• Desire for comprehensive testing without great concern for type of threats
Challenges:
• Ensuring data security, given the amount of information being collected and shared

Parallel Isolated Only
Pros:
• Provides for the opportunity for evaluating risk to specific elements
• Option to use different consulting firms
• Reflective of typical threats specific to each group
Cons:
• Requires greater effort for any post-engagement risk analysis
• Focused on specific groups without addressing potential relationships
Indicators for Use:
• Used to compare different departments with the same responsibilities (i.e., geography, business units, etc.)
Challenges:
• Ensuring data is not shared between the testers
The existence of a sound operational plan and controlled communication protocol between all parties helps a great deal to protect each organization and add value to the test. Following is a very simple teaming framework for establishing a project management protocol, which assists in dealing with unexpected events in the engagement—Red, White, and Blue—external, control, and internal, respectively.
RED TEAM
The Red Team performs the test. Based on the type of test and the level of knowledge their client is willing to provide, they may be involved in the establishment of the engagement with the White Team to make certain expectations, guidelines, and procedures are well communicated. The goal of the Red Team is relatively simple: to attack the target firm within the established scope of the engagement and communicate to the White Team any critical issues that may represent a risk to the target organization. For example, if during a test, a critical vulnerability is identified that could lead to an excessive impact on the target, the Red Team should communicate this to the White Team to express the volatility of the situation and gain permission before exploiting and possibly causing excessive damage or downtime of their customer’s network or systems.

TABLE 7.2
Pros and Cons of Multi-Phased Attacks (Serial)

Serial Shared and Isolated
Pros:
• Comprehensive testing process
• Leverages one (or limited number of) consultant(s)
• More attention on each phase (i.e., clear milestones in the engagement)
Cons:
• Potentially time consuming given each phase is performed one after another
• Requires a great deal of work by the White Team
Indicators for Use:
• Focus on tactics rather than time
• Target’s architecture’s complexity, geography, or organizational structure is diverse
• Desire more control over the evolution of the test’s threat model
• Concern over collaboration of threats
Challenges:
• Dealing with multiple sets of deliverables and perspectives
• Requires more upfront planning

Serial Shared Only
Pros:
• Focuses on the escalation of threats
• Gain the perspective of a single-minded individual
Cons:
• Skills of consultant may not apply to all groups of test (i.e., good at Internet, not good at physical sec.)
Indicators for Use:
• Concern for specific threats, specifically Über hackers
Challenges:
• Target sharing the information with the Red Team that is in alignment with established goals

Serial Isolated Only
Pros:
• Effective for executive management overseeing diverse environments
• Assumes different threats
Cons:
• Cannot use the same consultant
• Assumes no collaboration of threats
Indicators for Use:
• Want greater control over each phase and the injection of specific types of information
Challenges:
• Controlling the exchange of information between testers
In some cases, when faced with the alternatives, there are situations where the engagement is temporarily halted to assist the client in mitigating the vulnerability. This type of redirection can be complicated from a logistical perspective. For example, stopping and assisting in the correction of a critical vulnerability may be beyond the original scope and complicate billing and timing issues influencing the availability of resources or other nuances that may disrupt the engagement. However, the breadth of the vulnerability could render the rest of the test insignificant because the depth of the exposure is so encompassing. It is necessary for the Red Team to provide the following information: vulnerability explanation, testing focus, and mitigation.
• Vulnerability Explanation. Detail the vulnerability and the impact that could result from exploitation. This can include characteristics such as downtime, exposure of critical business systems such as billing or transaction systems, customer impact, partner exposure, or the inadvertent disclosure of private or proprietary information previously defined as beyond the scope of the engagement. In many cases, the vulnerability represents a threat the customer intentionally made clear was something he was not prepared to include in the overall test.
• Testing Focus. Beyond detailing the extent the proposed attack could have, it is necessary to explain what would be the disadvantages of not performing the test. Penetration testing is a layered approach founded on an initial vulnerability that usually leads to more opportunities to gain greater access. Without exploiting the identified vulnerability there may exist a cascade of other related exposures that cannot be tested. It is necessary for the customer to make a decision to accept the risk of the potential impact to obtain greater insight as to other weaknesses or forgo the test and accept the possibility of other unidentified exposures within the environment.
• Mitigation. Finally, for the client to fully weigh the options compared to risk and cost, the Red Team should provide a collection of high-level recommendations for repairing the hole. The details of the recommendations will be limited because it is simply the perspective based on the external representation of the vulnerability.
What may seem like a simple fix from the outside view could result in wide, costly modification to the customer’s environment. It is at this point where the two companies must address the issue of impact. If the test was being performed with zero knowledge and the client requests help in assessing the procedures required to eliminate the vulnerability, further insight into the customer’s network may be required by the Red Team to provide a comprehensive solution. Therefore, if the engagement is paused and the client wishes to address the vulnerability based on the potential risk, the information provided to the Red Team may render the entire engagement ineffectual based on the original intent and structure of the test. To avoid the situation of providing information to the Red Team and influencing the scope of the engagement, the White Team has the opportunity to identify other security resources outside the Red Team to collect the information and work directly with the company to address the vulnerability. In some cases, this allows the Red Team to continue other avenues of attack, for example, on a completely different location, to maintain continuity of the project.
WHITE TEAM
The White Team is a mixture of customer representatives and the managing staff of the consulting firm. The White Team is the liaison between the attackers and the target providing control over the attack and monitoring the reaction of internal staff to the test. Essentially, the White Team is the field commander managing the test to ensure it remains within the established guidelines. Additionally, the team provides an opportunity to deal with unexpected results. Following are some examples of specific issues where the White Team can become very helpful: piggyback attacks, reverse impact, and detection.
• Piggyback Attacks. Some organizations are constantly under attack from real hackers because of their size or what they represent. It is not uncommon for hackers to monitor a target’s network, waiting for the opportunity to gain access. For example, in the early days of firewalls, if the firewall was rebooted the system would be completely open to the Internet for a brief time until the firewall daemon was fully operational. Knowing this, many hackers would monitor or attempt to overload the firewall in hopes that it would force a reboot, allowing temporary access to internal systems. Whether intentional or by the grace of good timing, hackers can mask their attack in the malaise of a controlled test. From the perspective of the target organization, it could simply be part of the test. The White Team can monitor the activities of the Blue Team to take the opportunity to simply determine if a monitored event was in fact the act of the Red Team.
• Reverse Impact. Stated earlier, the Red Team should notify the White Team if a critical vulnerability is identified and report on the various risks associated with the weakness. The same holds true for the White Team. There are circumstances where the Red Team is unaware of the massive impacts they are having on the target’s systems and may continue the operation, potentially harming their customer in ways previously stated as undesirable during the planning of the test. In the event the target is experiencing unmanageable difficulty with the attack, the White Team acts as a conduit to the Red Team to throttle the attack in accordance with the measurable experiences of the Blue Team. In most scenarios, the attack is paused to determine what actually happened before attempting to continue the test.
• Detection. Although some tests are performed surreptitiously to avoid detection, there are cases where this is not critical to the success of the engagement. For example, a client may wish to test the ability of the technology and internal resources to measure the response to an attack. However, some want to gauge the granularity of the systems and people when presented with a very “quiet” attack technique. During engagements of this type the White Team can provide a signal to the Red Team to let them know when they have been detected and to use other methods. In some cases, the ability to perform the attack without detection is much more valued by the client than actually exploiting a vulnerability.
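The piggyback problem above comes down to one question the White Team must be able to answer quickly: is a given Blue Team alert attributable to logged Red Team activity, or is it something else? The following is an added example (not from this book or its author) of a small deconfliction check that answers it by comparing each alert’s source address and timestamp against the Red Team’s activity log. The log entries, alert records, addresses, times, and the five-minute slack are all constructed for illustration.

```python
"""Red/Blue deconfliction check: attribute Blue Team alerts to Red Team activity.

Added example, not from the original text. All addresses, times and events
below are constructed sample data.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Red Team activity log, as the White Team would require it to be
# kept: source range used, time window, and what was done.
RED_TEAM_LOG = [
    {"source": "203.0.113.0/24", "start": "2024-05-06T09:00:00",
     "end": "2024-05-06T12:00:00", "activity": "port scan of DMZ hosts"},
    {"source": "198.51.100.7/32", "start": "2024-05-06T13:30:00",
     "end": "2024-05-06T14:00:00", "activity": "password guessing on webmail"},
]

# Constructed Blue Team alerts forwarded to the White Team for deconfliction.
BLUE_ALERTS = [
    {"time": "2024-05-06T09:17:22", "src": "203.0.113.45", "event": "SYN scan of 10.0.0.0/24"},
    {"time": "2024-05-06T13:35:10", "src": "198.51.100.7", "event": "50 failed logins on webmail"},
    {"time": "2024-05-06T13:41:05", "src": "192.0.2.88",   "event": "failed logins on webmail"},
    {"time": "2024-05-06T16:05:00", "src": "203.0.113.45", "event": "SSH password guessing on bastion"},
]


def _ts(value):
    """Parse the ISO 8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def attribute(alert, red_log, slack=timedelta(minutes=5)):
    """Classify one Blue Team alert against the Red Team log.

    Returns (verdict, matched_activity), where verdict is one of:
      'red_team'     source and time both match a logged Red Team activity
      'review'       source matches a Red Team range but the time does not;
                     the Red Team must confirm before the alert is dismissed
      'unattributed' no Red Team source matches; treat as a possible real
                     intrusion and hand it to incident response
    The slack absorbs clock skew and loosely recorded start/end times.
    """
    when = _ts(alert["time"])
    src = ip_address(alert["src"])
    source_hit = None
    for entry in red_log:
        if src not in ip_network(entry["source"]):
            continue
        source_hit = entry
        if _ts(entry["start"]) - slack <= when <= _ts(entry["end"]) + slack:
            return "red_team", entry["activity"]
    if source_hit is not None:
        return "review", source_hit["activity"]
    return "unattributed", None


def deconflict(alerts, red_log):
    """Annotate every alert with its verdict and the matching Red Team activity."""
    results = []
    for alert in alerts:
        verdict, activity = attribute(alert, red_log)
        results.append({**alert, "verdict": verdict, "red_team_activity": activity})
    return results


def escalations(results):
    """Alerts the White Team must not dismiss as 'part of the test'."""
    return [r for r in results if r["verdict"] != "red_team"]


if __name__ == "__main__":
    for r in deconflict(BLUE_ALERTS, RED_TEAM_LOG):
        print(f'{r["time"]}  {r["src"]:<15} {r["verdict"]:<13} {r["event"]}')
```

On the constructed data the third alert (a source the Red Team never used) comes back unattributed, and the fourth (a Red Team range, but hours after the logged window) is marked for review rather than silently accepted; both are exactly the cases a White Team should route to incident response instead of assuming they belong to the test.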
While working as a security consultant for a large E-commerce firm, assisting with their policies and security program, the firm was brutally attacked. The hacker had effectively gained control of their credit card processing systems and was collecting historical information in addition to live data being entered by hundreds of customers on the Internet buying merchandise.
Although the attack was identified in a reasonable time period, the necessary steps required to stop the attack would have ceased all transactions and had the potential of remaining that way for several days. When faced with this potential loss in revenue the client decided to allow the hacker to continue until another method could be employed to stop the hacker and maintain continuity of customer transactions.
Ultimately, the vulnerability was closed on other systems and the transactions diverted to the more secure applications. However, this did not happen for nearly 24 hours and after the hacker had obtained several hundred credit card numbers along with private customer information.
Even though this event raised ethical questions about the commitment to securing the customer’s information, it pales in comparison to more publicized attacks and similar reactions of larger companies in recent years.
BLUE TEAM
The Blue Team is the internal employees who, traditionally, are not aware the test is taking place. If someone knows the test is being performed, it is best to make her part of the White Team. Given the possible vastness of internal resources who are unaware of the test being performed, the Blue Team usually represents a group of employees to be observed more closely who are typically associated with security or IT administration. There are three primary objectives for establishing a Blue Team: incident response, vulnerability impact, and counterattack.
1. Incident Response. Organizations have different methods for dealing with attacks and responding to incidents. In some cases, firms seeking penetration-testing services are more interested in measuring the ability of their security team to react to a threat than the actual attack itself. This perspective represents a divergence of thought behind ethical hacking not usually practiced except for the most security-conscious companies. Companies of this type see the value of internal security capabilities and culture beyond the technical representation of security for their firm.
A standard penetration test, one without focus on true value, will rarely, if at all, offer any visibility into a company’s true security posture. Taking into account the human element is a practice many in the security industry would agree is a considerable ingredient of a healthy security posture. Planning a test with an ample amount of attention paid to measuring the psychological impacts has proven to be one of the most valuable aspects of penetration testing.
Many organizations focus heavily on the technical characteristics of an attack, impose restrictions and limitations, and have expectations based on their understanding of security and an attack. Usually the limited understanding of security leads to a company not taking into consideration that technology has proven repeatedly that it cannot withstand a sophisticated attack alone. Culture, the human element of an attack, plays an enormous role in the ability to survive a direct attack by a determined hacker. Firms that seek a greater overall picture from the attack, specifically ones that wish to test the resistance to an attack of all layers of security—physical, technical, and psychological—will reap the most value and overall impact on their security when they focus on the unsuspecting employees.
NOTE 7: INCIDENT MANAGEMENT IS MORE THAN JUST TECHNOLOGY
A very large distributor of computers and networking technology had used internal resources and external security consultants to increase their security for the online ordering systems to begin to better leverage the Internet for purchasing and to cut operational costs. They implemented several layers of technical solutions, ranging from multiple different firewalls and managed IDS solutions, to encryption and auditing techniques. In early 2001, they discovered an enormous amount of goods was being sold to a student in Europe using the cost code of a reseller in North America. With the help of the FBI, they determined that the equipment was being reshipped to an Eastern European country formerly part of the Soviet Union, a country normally out of bounds for obtaining this type of equipment directly from the United States.
Although they had implemented several forms of traditionally accepted strong security technologies, they had no security policies or defined procedures for dealing with an attack. Once the technology failed to protect them they were powerless to stop the onslaught until finally asking for help from an outside source. The attack lasted for several weeks because they were unaware of how to thwart it. The technical solutions detected the attack and notified them of what was going on, but the attacker’s methods, and the ability to react proportionately to the attack, were well beyond their capability.
Once the vulnerability was addressed and the attack was no longer effective, the company contracted a consulting firm to test their exposures through a penetration test. Not realizing that technology was not the culprit in the massive failure of security, and that their inability to react appropriately was the ultimate weakness, they simply had the vulnerability of the Internet sites evaluated without considering the lack of human ability that ultimately led to the huge impact of the original attack.
2. Vulnerability Impact. As with the other two teams, the ability to determine how badly a vulnerability can affect the network’s operations falls within the role of the Blue Team. Although unaware of the actual test and forced into a reactionary state, it is up to the White Team to observe the reaction of the systems and people in charge of those systems to gauge the degree of a vulnerability being exploited. If the vulnerability represents a threat to the operations of the business or falls beyond the scope of the engagement, the White Team can notify the Red Team to stop or divert their energy. In contrast, the White Team can query the Red Team to see what type of progress has been made even when the Blue Team has not reacted in any way that would imply awareness of the attack.
3. Counterattack. A hugely debated concept is counterattacking. When under attack, a company can attempt to stop it by instituting updated controls, but, in the case of a counterattack, will attempt to inflict damage on the hacker. Usually, this consists of a DoS against the hacker to simply stop him from continuing and providing a window of opportunity to close the exploited hole. There are several issues relating to the counterattack:
Clear Identification. If a company is under the assumption it is prepared to assault an identified hacker, it must be absolutely certain it has correctly identified the source. Obviously, if it is incorrect, the inadvertent attack on an unwitting third party could lead to legal ramifications and poor publicity. Another deterrent is that every owner of systems and networks utilized by a hacker has the right to prosecute if the hacker is located and captured. Therefore, an established company practicing illicit vigilantism could be held accountable for its actions by the same entities.
Capability. Most companies do not have the necessary expertise to launch an attack, much less one aimed at a knowledgeable adversary. Not fully