IDART has three attack research centers where team members can set up mock systems to demonstrate concepts for customers.
Laboratory team goes on the offensive to improve defense.
With computer network defense calling for an integrated approach, one government organization is helping public and private enterprises improve their infrastructures by putting them to the test. Armed with research and insight about threats and vulnerabilities, its experts take aim at systems and attack the problem of information security. While playing the bad guy, their mission is to point out weaknesses with the objective of making organizations stronger.
Technologies that support connectivity are advancing at a mind-boggling rate, but work in the information systems security realm has not kept pace. As a result, the risk of cyberattacks continues to grow, and agencies as well as businesses must constantly and consistently assess their security plans to ensure protection. Security must be based on a system of systems that includes firewalls and virus detectors; well-trained, vigilant personnel; and secure facilities.
The Information Operations Red Team and Assessments program at Sandia National Laboratories, Albuquerque, New Mexico, helps organizations evaluate their information, communication and critical infrastructures. Program personnel provide insights about system design issues, vulnerabilities and threats so that government and industry information technology managers can make better decisions about development, security and system usage. The program focuses on the malevolent intent of adversaries then provides techniques, tools, research and training that can be employed to make systems more secure.
One of the primary elements of the program is the Information Design Assurance Red Team (IDART), a group that provides independent assessments of information systems. Reviews are performed from an adversary’s point of view and identify the consequences of an attack. IDART conducts evaluations at various stages of information system development, from initial concept through full operation. Types of systems evaluated include networks, process control systems and wireless systems, and assessments range from examining security policies and procedures to mapping infrastructure interdependencies.
Ruth Duggan, program manager, IDART, explains that the team models adversaries and comprises approximately 20 core members who are regularly involved in Red Team exercises. A subset within this group works on strategic planning for projects and research. IDART also draws on the expertise of more than 120 people within Sandia who are knowledgeable about specific topics.
As part of the national laboratories system, IDART does not compete for business with private companies that offer information security assessments. Evaluations are conducted at an organization’s request, not as part of a bidding process, Duggan explains.
IDART’s customers range from federal government agencies such as the U.S. departments of Defense, Interior, Treasury and State to the commercial sector, including information technology, e-commerce and manufacturing firms. Clients request assistance at various levels of information systems implementation, she says. In some cases, an agency is designing new systems and seeks assistance and testing prior to implementation. At other times, an organization already may have installed and secured a system and wants a sophisticated Red Team to test it. The team prefers to be involved in the system design phase because it is at this point that its members have the greatest opportunity to effect change, she says.
Analyses are conducted using a standard six-step engineering approach. Initially, IDART identifies the problem, examines the threats and determines the information systems’ missions in order to infer an adversary’s goals. During the data collection phase, the team works with the customer to analyze the system’s architecture. The system under scrutiny then is characterized from several points of view to find likely single points of failure or high-value targets that would allow adversaries to achieve their goals. Results of this analysis are provided to the customer and include details about the techniques an adversary would use. Finally, if requested, IDART demonstrates the attacks to the customer under controlled conditions. In addition, the team can develop experiments to test hypotheses about how systems perform while under attack.
The analyses generally take eight to 12 weeks; however, IDART has an ongoing relationship with some customers. Teams conduct three types of investigations. A targeted vulnerability analysis of information systems examines how information is used, stored and transmitted in operational, prototype, administrative, supervisory control and data acquisition systems, as well as in hybrid setups typically used in critical infrastructures. The design assurance analysis assists in planning information systems and information assurance technologies. It provides feedback about how adversaries might manipulate the system to affect performance. Finally, in its Red Team effort, IDART researches, develops and applies adversary models and methods that stress systems. A Red Team also can test systems’ defenses.
To conduct this last type of analysis and evaluation, Red Team members research threats in various ways. Some visit hackers’ Web sites to gather information. Primarily, however, the team examines case studies of attacks that happen “in the wild” to determine the required capabilities. Although individual hackers pose threats, the team principally focuses on the dangers that small nation-states pose given their superior resources. This could include hacker coalitions, Duggan says.
Red Teams are customized to meet the requests and requirements of each customer. Each team comprises IDART personnel and Sandia experts who specialize in areas such as cryptography, advanced network systems survivability and agent-based systems. To meet some customers’ needs, the team also may include specialists in physical security and operations support.
Duggan explains why experts in these other areas are necessary to the Red Team’s work. “As an adversary, I can’t learn everything, so what I’m going to do is, if you will, hire the expertise that I need. As an adversary, I have a goal, and I’m going to gather the expertise in order to accomplish my malicious goal. If we have an information system that has a particular operational context, we will go and get expertise in that operational context so that we better understand the ramifications of an attack and also what roadblocks we can expect,” she explains.
For example, if the Red Team were asked to assess the security of an energy production facility, the team would call upon Sandia experts who are involved in energy production and distribution systems design. These specialists provide information about the systems and terminology unique to that environment. Red Team members then brainstorm with them about attack strategies.
“An adversary will usually have a goal to take out the mission of a particular system. So for energy production and distribution, it would be to keep them from producing or distributing energy. While we could just look at it from, ‘Well, what do I know about that industry from the Internet,’ that’s not as deep as we like to go in our analysis,” Duggan says.
An IDART team may use social engineering techniques during an analysis to assess security. Team members may contact someone within an organization, pretend to be help desk personnel checking a network problem and ask for verification of a user name and password. This technique for gaining sensitive information can be especially effective if the caller cites impressive credentials. In large organizations this is a likely scenario because employees do not know the names of the entire staff, Duggan says.
The cost of launching an attack also is taken into consideration because it indicates what type of adversary may be able to mount it. For example, if a system break-in would cost $100,000, it is unlikely that an individual hacker would be the culprit, Duggan notes. If the hacking technique is available on the Internet and requires little or no funding, it may be employed by an individual.
Systems assessments go beyond examining network security such as passwords, virus detectors and firewalls. From a physical security standpoint, for example, Duggan points out that it is important to know where the wiring closets are located. “Sometimes we find that the data control center is tightly secured with access controls and tokens, but the customer has the wiring closet in a common access area,” she says.
IDART likes its customers to be part of the team during the assessment because they are the people who must implement a plan based on the results of the assessment. “If they understand exactly what we did and how we got there, then they’re better able to do that. They’re involved as much as they would like to be,” she says. While typically Red Teams comprise three to five IDART members and one to three customer representatives, the number varies depending on the scope of the work, she adds.
Analyses are conducted in three attack research centers. Within these facilities, Red Team members can set up mock systems or testbeds to demonstrate attack concepts without interfering with a customer’s operational systems. Team members also use these centers to conduct research about the targeted systems and types of threats. When necessary, IDART uses additional test environments at Sandia.
Duggan maintains that information system vulnerabilities have not changed significantly during the past several years. On the top of her list is the persistent and prevailing notion in many organizations that the work is complete once security processes, procedures and technologies have been put into place. Installing a firewall is not enough. Systems administrators must stay abreast of security patches. Awareness training programs must be offered regularly. “Security is a process. It requires continual investment, and it has to become an integral part of doing business,” she says.
Many organizations do not truly appreciate how dependent they have become on information technology systems, so they do not continually invest in security as they should, she adds. Although organizations in general are improving in this area, new challenges are on the horizon that make this even more important. Wireless technologies as well as the increased use of remote access capabilities are going to bring more challenges in the future, Duggan shares.
Industry is beginning to integrate security into the design of hardware and software. However, Duggan proposes that consumers can be the driving force in this area by demanding more secure products. It must be part of the purchase requirement, she says.
IDART’s support of the Defense Department has included helping information assurance program developers at the Defense Advanced Research Projects Agency to stress and improve their systems while in development. As a result, the products from that program should be stronger, Duggan relates.
Although many of the team’s clients are organizations that are seeking to ensure security prior to installation or that simply want an assessment of current systems, Duggan shares that some require solutions to ongoing security problems. For example, one client was being attacked weekly. After working with the Red Team, the customer has been able to address cyberattacks without security breaches. As a result, the team has an ongoing relationship with this customer, Duggan states.
The debate continues about whether people inside or outside of an organization pose the greater threat, but Duggan says the team’s experience shows that a malicious insider can do a lot more damage to an organization than a malicious outsider. “Insiders already have all the information that they need about the systems, and they know where the skeletons in the closet are,” she explains. Whether insiders are more likely to attack systems depends on the mission of the organization. If a breach could affect a large portion of the population—for example, through a power company—or create a lack of confidence in a particular business sector such as banking, the culprit is more likely to be an outsider, she adds.
Duggan points out that a third category also exists: the contractor or consultant who works for an organization for a time and can gather information about its systems. Such a person can attack from the outside with knowledge that only insiders would normally possess. This category also includes outsourcing situations where work is performed by vendors who deliver goods and services to a facility.
During the past several years, IDART has helped between 50 and 100 organizations. Many have been repeat customers that the team has worked with for years.
Additional information on the Information Design Assurance Red Team is available on the World Wide Web at http://www.sandia.gov/idart/index.html.