Table of Contents

Table of Contents ... ii
Executive Summary ... 1
CleanSweep: Technical Details ... 2
  Introduction ... 2
  Objective ... 2
  Rules of Engagement ... 3
  Scope ... 4
  Red Team ... 4
  Analysis Environment ... 5
  Methodology ... 5
  Threat Model ... 15
  Nightmare Consequences ... 17
  Adversary ... 18
  Analysis ... 20
  Attack Graph ... 21
Summary ... 27
  Observations ... 32
  Recommendations ... 32
Attachment 1: Agenda ... 33
Attachment 2: Cost Estimates ... 35
August 2011
Page ii
Executive Summary
Over the course of the last four years, the DOL was approached by various regulatory authorities (e.g. OIG, SEC, and FBI) concerned that key economic data were potentially subject to unauthorized, premature release. The economic data in question are subject to an embargo process whereby DOL controls the timing of its release to reporters and the general public. The objective for CleanSweep was to identify potential vulnerabilities in the DOL Press Lockup room facility and associated data embargo and release procedures, provide mitigation options for vulnerabilities identified, and assist in mitigation verification should DOL decide to implement recommended mitigation options.

CleanSweep customers included stakeholders from several organizations within DOL: Operations, the Office of Public Affairs (OPA), and the Bureau of Labor Statistics (BLS). Each of these entities had its own unique perspective regarding the nature of the perceived threat and, consequently, differing ideas on potential solutions. The common concern amongst these stakeholders revolved around the unauthorized, premature release of embargoed data.

Likely adversaries in this scenario are profit driven, technically sophisticated individuals who may have considerable resources at their disposal. Their technical proficiency enables implementation of stealthy surveillance equipment. Though they are willing to bend and potentially violate rules and laws, violence is unlikely as an operational method.

Though DOL, BLS, and OPA personnel are doing due diligence in their efforts to monitor the press lockup facility, their efforts are complicated by the presence of non-DOL IT equipment and communications lines in this facility. The opaque nature of this equipment to DOL, BLS, and OPA stakeholders is a major impediment to ensuring that embargoed data is not released prior to authorization.

The presence of equipment owned by press organizations necessitates that access to areas housing DOL communications and data infrastructure is made available to contractors working for these press organizations to conduct maintenance. This access, though controlled by DOL personnel escorting such maintenance contractors, creates opportunities for adversaries to compromise critical DOL communications and data infrastructure.

The following actions would mitigate against risks identified during CleanSweep:

- Replace computers and other IT equipment in the Press lockup facility with DOL owned equipment and remove the private data lines currently in use. This would eliminate the need for the Black Boxes altogether.
- Prohibit anyone other than DOL personnel (or contractors working for DOL) from entering communications closets without a technically knowledgeable escort.
- Provide/train technically knowledgeable escorts.
- Modify existing policy to require personal items be kept in lockers outside of the Press Lockup room. Divestment should be a prerequisite for room entry.

Though not directly addressed in the SNL Red Team analysis, the apparent root cause for the issues driving this assessment is the presence of algorithmic traders in the press lockup facility. Modifying DOL policy on what criteria qualify applicants to attend release events would likely be of benefit.
Introduction
Over the course of the last four years, the DOL was approached by various regulatory authorities (e.g. OIG, SEC, and FBI) concerned that key economic data were potentially subject to unauthorized, premature release. The economic data in question are subject to an embargo process whereby DOL controls the timing of its release to reporters and the general public. The focus of DOL management concern is the physical, technical, and procedural controls which constitute this embargo process.
Objective
SNL IDART was tasked to identify potential vulnerabilities in DOL press lockup room facilities and associated data embargo and release procedures, provide mitigation options for vulnerabilities identified, and assist in mitigation verification should DOL decide to implement recommended mitigation options. Information sharing was performed via SNL external SharePoint (an SSL enabled collaboration application).

Sandia's IDART team executed the following assessment activities:

1) Document Review: Analysis of available security processes, procedures, rules, security equipment technical specifications, floor plans, and other artifacts relating to the embargo process. Conduct open source research on pertinent subjects.
2) Kickoff meeting: Face to face engagement with key stakeholders in the embargo process to set common expectations for the assessment outcome, and finalize scope and the rules of engagement for assessment activities.
3) Vulnerability Assessment: IDART Team members conducted an inspection and evaluation of the physical attributes of the press lockup facility and surrounding areas within the Frances Perkins Building, the information technology equipment contained within the Lockup Facility, associated communications infrastructure, and technical security equipment, and conducted interviews with DOL personnel tasked with implementing the embargo process.
4) Sandia National Laboratories technical specialists executed exterior and interior surveys of the radio frequency (RF) spectrum in the area of interest, and conducted another radio frequency spectrum analysis during an information embargo/release event. These personnel used a combination of proprietary and publicly available but controlled equipment and applications.
Rules of Engagement
SNL IDART actions were limited to observation and assessment during CleanSweep; no attempts were made to actively exploit potential vulnerabilities identified. DOL agreed to provide access and support to SNL IDART team members during assessment activities. These Rules of Engagement (ROE) were developed by SNL IDART personnel in concert with DOL officials, and were formulated to ensure that the Red Team assessment activities would not adversely impact DOL operations while concurrently providing results useful to DOL management for formulating risk based corrective measures, if needed.

Of particular note is that IT systems (e.g. computers, monitors, I/O devices, routers, switches) within the press lockup facility are not owned by DOL, with the exception of the AirPatrol console and LAN. Each press agency with access to the lockup facility owns and maintains its own equipment, including the communications lines to the outside world. The SNL IDART Red Team was therefore limited to visual examination (no physical contact) and observation (visual and passive RF) when the systems were used by press personnel during a press release.

Notification: Sandia presented proposed assessment activities for CleanSweep to DOL officials in the Statement of Work (SOW) created prior to commencement of this project. Approval of the CleanSweep SOW signified DOL approval for the assessment activities documented therein. SNL agreed to notify DOL officials prior to the start of any assessment activity and obtain DOL approval before beginning any such activity. Sandia will notify DOL at the conclusion of the assessment and verbally provide the results. SNL IDART and DOL personnel worked jointly to develop the assessment schedule of activities, providing concurrence on assessment dates, times, and processes.

DOL officials were made aware of and consented to the requirement that federal law enforcement be notified should SNL IDART personnel discover surveillance devices during their assessment.

Information Protection: Information collected during the course of CleanSweep will be retained by Sandia in electronic work papers. A final report that includes notifications of findings, recommendations that summarize preliminary findings based on these data, and possible remediation actions for information technology security weaknesses or deficiencies will be provided to DOL officials at a results briefing. Sandia will destroy all retained copies of logs and data at the request of DOL.

The Technical Details section of this Sandia assessment report contains Official Use Only information describing specific vulnerabilities and attack steps for potential exploits. No classified
Scope
Ideally, Red Teams would prefer to identify every weakness in a target system, explore and test all vulnerabilities, and produce a report providing a complete picture of the target environment's security posture. In reality, a project's budget and schedule place a limit on the scope of assessment activities.

The IDART process adds further limits to project scope by specifying the threat model and associated adversaries and constraints. These limits are used as "reality checks" on Red Team courses of action and recommendations. For DOL, the threat model originally specified an adversarial upper limit of moderate capability, characterized by individuals or organizations seeking to profit from premature access to embargoed economic data. As explained by officials representing the Department of Labor, the Office of Public Affairs (OPA), and Bureau of Labor Statistics (BLS), the scope of this assessment was limited to how such an adversary might exfiltrate embargoed economic data from the press lockup facility during a press release event.

The Red Team concentrated on the following:

- Physical attributes of the press lockup facility and surrounding areas within the Frances Perkins Building, 200 Constitution Avenue NW, Washington, DC.
- Business processes associated with press embargo and release procedures as documented by policy, and as observed during an actual press release event
- Radio Frequency (RF) environment for the area of interest
- Computer and communications equipment in the press lockup facility
- Communications infrastructure for the press lockup facility

The Red Team specifically did not consider the following:

- Threats and vulnerabilities associated with DOL insiders
- Threats and vulnerabilities associated with DOL Information Technology (IT) systems used in the acquisition of data and production of finished economic analysis
- Surveillance vulnerabilities at other locations associated with the data embargo and release process
- Parallel embargo/release facility and process for television journalists
Red Team
Sandia/IDART created a team whose members possess skills specifically chosen to address the various issues presented by this project, with Red Team members representing several Sandia organizations. The team consisted of five (5) members with
Analysis Environment
All CleanSweep activities occurred at the United States Department of Labor headquarters, located in the Frances Perkins Building at 200 Constitution Avenue, Washington, DC, as depicted in Figure 1. The six story steel and limestone building covers two square blocks near the base of Capitol Hill, and was completed in 1974.[1]
Methodology
For this assessment, the Red Team used the IDART methodology illustrated in Figure 2. The IDART methodology follows the standard activities shown on the left of the figure by performing the work and developing the products shown on the right of the figure.
placed on the analysis or on the Red Team. The results of this phase are based on customer requirements and are usually produced by a joint Red Team/customer team, although sometimes the Red Team develops recommendations that are submitted to the customer for approval.

DOL officials and SNL management team members conducted initial discussions on the issue of a potential information leak of sensitive economic data during the embargo and release process, resulting in a preliminary site visit by SNL personnel. Subsequently, SNL IDART Project Manager, Han Lin, and Project Lead, Scott Maruoka, worked with DOL officials to create a Statement of Work (SOW) capturing and documenting project details regarding perceived threat, nightmare scenarios, associated milestones and deliverables, and project scope and constraints to IDART activities.
Data Collection
The second phase of the IDART Methodology consists of data collection. In this phase, the Red Team reviews all available applicable documentation, collects open source material relevant to the target system, and visits an operational customer site if feasible and appropriate. This phase serves to provide the Red Team with the appropriate background information to model the adversaries identified in the Threat Model. The Red Team develops a detailed description along with the mission and objectives of the target system. The Red Team also identifies its critical success factors: a list of objectives that will serve as indicators of Red Team success. The subsequent system characterization and analysis phases are very dependent on the accuracy and completeness of the system description generated in this step. As noted previously, IDART activities were limited to observation and assessment during CleanSweep, so success indicators were not applicable as no penetration and exploit tests were conducted.

CleanSweep data collection activities consisted of document review, interviews of DOL Operations, OPA, and BLS personnel, physical inspection of the press lockup facility and adjoining areas, wiring closets and telecommunications hub rooms, and observation of a live press event involving data embargo and release.

DOL provided the following data:

1) DOL Lockup Room Wireless Device Detection User Guide: combined concept of operations (CONOP) covering the AirPatrol console, Mantis Handheld Bluetooth detector, and AirCheck WiFi tester equipment.
2) DOL Lockup Room Task Summary: step by step CONOP covering AirPatrol, AirCheck, and Mantis tools.
3) Press Room Activity logs 10 JAN 2011 to 12 APR 2011: chronologically ordered documentation of Press Lockup facility monitoring activities performed by BLS Information Assurance personnel; sample report form.
4) Black Box user's manual and technical specifications.
5) Equipment to Black Box Cabling guide.
6) Inventory of Black Boxes in use.
7) A Hall/Fillichio memo dated March 2, 2011 suggesting various changes to security policy and procedures for the Press Lockup facility.
8) Evacuation and shelter in place policy for the Press Lockup facility.
9) A draft copy of Lockup facility rules for press personnel and their employers.
10) A draft copy of Lockup facility responsibilities for DOL staff.
11) Numerous photographs of the Press Lockup facility work spaces.
12) Floor plans for the Frances Perkins building and the Press Lockup facility.
13) Findings from previous assessments conducted by BLS IA.
14) Timeline of security issues and associated mitigation measure implementation.
15) May 2008 letter from OPA to news organizations documenting security rules for the Press Lockup facility.
16) Meeting minutes from 2008 incident response.
Characterization
During system characterization, the Red Team combines all the inputs from the Planning and Data Collection phases with domain expertise to generate a variety of different viewpoints, such as those listed in the IDART Methodology diagram. Some viewpoints may be as simple as vendor supplied network maps or physical diagrams. Others may show complex timing interactions between system components and external input sources.

Temporal View

Based on interviews of OPA and BLS personnel and first hand observation, SNL IDART produced the temporal view illustrated in Figure 3, Data Embargo and Release timeline.
Figure 7. Cluttered press work area, showing what appear to be networking appliances to the left of the workstation and monitor. Note the two Black Boxes atop the network gear.
The interior of the press lockup facility is somewhat crowded, and some of the work spaces used by press personnel are cluttered with IT equipment, as illustrated by Figures 7 and 8. Members of the SNL Red Team were somewhat surprised to find what appeared to be network appliances (e.g. switches and routers) capable of supporting infrastructure well beyond the workstations to which they were connected. Since these devices are not DOL owned equipment, the Red Team was limited to visual-only inspection, and could not verify that computer and network appliance cases and chassis contained only standard equipment. As explained by OPA and BLS staff, the elaborate networking configurations are meant to give their owners an advantage over neighboring competitors in transmitting data when it is authorized for release.

During the live press release event, IDART personnel in the press lockup facility noted the ambient temperature became uncomfortably warm, likely due to the human occupants and the considerable amount of IT equipment present. Many of the work areas featured more than one Black Box, which are supplied by DOL.
Figure 8. Cluttered press work area, with Black Box under network appliance and obscured by telephone.
RF View

SNL technical personnel conducted external and in-conference inspections of the Radio Frequency (RF) environment both prior to and during a live press release, to detect the presence of clandestine surveillance devices in the area. No such devices were detected. A breakdown of these activities consisted of:

1) Search and analysis of the RF spectrum in the target area delineated as the press lockup facility. See Figure 9.
2) Technical and physical examination of fixtures, furnishings, and equipment located within the target area.
3) Technical and physical examination of electronic and electrical equipment, electrical wiring, and utility pathways.
4) Technical and physical inspection of the interior and exterior surfaces of the perimeter walls, floors, ceilings, and other structural objects within the target area.
5) Physical inspection of the exterior perimeter to include applicable spaces above and below the target area.
Analysis
The Analysis phase is highly variable, depending on the project's budget and schedule, the Threat Model, and any constraints identified during the Planning phase. This phase can range from a Quick Look overview (as was conducted for CleanSweep), which identifies potential vulnerabilities and attacks without verification testing, to a detailed analysis in which the system or portions of it are subjected to a deep analysis with full attack development, validation, and countermeasure generation.

The intentionally limited scope and rules of engagement for CleanSweep dictated that no penetration testing and exploitation of identified vulnerabilities occur. Based upon information derived from document review, interviews, and direct observation on site, the Red Team conducted a tabletop attack brainstorm exercise resulting in attack graphs depicting potential attacks that team members thought had viable potential for success.
Threat Model
The IDART methodology begins by developing a threat model to be used for Red Team operations. As the scope of operations for CleanSweep was limited to observation and analysis, no attack exercises were conducted. Instead, threat and adversary modeling provided the basis for attack scenario vetting: what was realistic in terms of perceived attacker goals and capability limitations. This model defines the adversaries along with their skills, resources, and motivations. Establishing an adversary model allows analysts to postulate more accurately on what types of attack tools or weapons will likely be brought to bear against defenders, and so instructs as to the most appropriate mitigation strategies to employ.
Threats
The first step in developing a threat model is to establish which threats exist to the target system's mission and which threats the target system is intended to mitigate. Figure 11 shows general system threats as they relate to operational environments.
Adversary
Sandia has developed detailed models that identify the skill, resources, motivations and threats of various adversaries. That said, these models can rarely be simply plugged into a project. Since every system that a red team assesses has unique characteristics, the adversary models must be customized for each project. Sandia's adversary models allow for that.

The Red Team's choice of adversary models is driven by three factors:

- The threats and nightmare consequences identified by the Red Team and customer: More complex nightmare consequences often, but not always, require more sophisticated adversaries.
- The maturity of the system: More mature systems can benefit from Red Team emulation of more sophisticated adversaries, as lower level threats have often already been addressed. Less mature systems profit more from less sophisticated adversarial attack. Since even trivial attacks are likely to succeed, there is little reason to show that high level attacks are successful.
- Project budget and schedule and information available to the Red Team: Highly sophisticated attacks such as those at the nation state level (Cyber terrorist organizations, Military Information Operations units, and Foreign Intelligence Services) usually require in depth knowledge of the target system. The Red Team can acquire such information in two ways: synthesize it, limited by project budget and schedule, or obtain it from the customer or system vendor. If these options are limited or not available, the Red Team will not be able to adequately emulate the higher threat levels and will choose to hold adversary capabilities to a lower limit.
Table 1: Generic Threat Matrix. Foregoing potentially loaded terms such as hacker or nation state actor, the Generic Threat Matrix provides a qualitative categorization of adversaries based upon attributes describing their capabilities in terms of technical and organizational capacity.
This matrix provides qualitative values to key adversary attributes, enabling the Red Team to gauge the capability level and attack tools, tactics, and processes such an adversary would bring to bear.[5]

Information provided by DOL officials and personnel and gleaned by the SNL team during their assessment activities indicates the following adversary threat profile for the press lockup facility and data embargo and release process:

Intensity: Medium. The threat is moderately determined to pursue its goal and is willing to accept some negative consequences resulting from that pursuit. Acceptable consequences may include imprisonment, but usually not the death of group members or innocent bystanders.

Stealth: Medium. The threat is moderately capable of maintaining a necessary level of secrecy in pursuit of its goal, but is not able to completely obscure details about the threat organization or its internal operations.
Time: Weeks to Months. The threat is capable of dedicating several months to planning, developing, and deploying methods to reach an objective.

Technical Personnel: Tens. The threat is capable of dedicating a small, independent group of individuals to provide the technical capability of building and deploying weapons. There is full communication between the members of the group.

Cyber Knowledge: High. The threat is capable of using expert proficiency, both theoretical and practical, in pursuit of its goal. The threat is able to participate in information sharing and is capable of maintaining a training program, as well as a research and development program.

Access: Medium. The threat is able to plan and place a group member with indirect or limited access within a restricted system.

The Kinetic Knowledge category was not used in this analysis, as such capability was not judged to be necessary to compromise the target environment.

The sum of these attributes falls between levels five (5) and six (6), both within the medium range of threat actor. The team assessed that the adversary here lacked the high level of intensity because it is unlikely they would employ violent means to meet their goal of exfiltrating embargoed data prior to the official release time. This adversary has a high rating for cyber knowledge capability because of the highly technical nature of algorithmic trading.

In summary, likely adversaries in this scenario are profit driven, technically sophisticated individuals who may have considerable resources at their disposal. Their technical proficiency enables implementation of stealthy surveillance equipment. Though they are willing to bend and potentially violate rules and laws, there are limits to what these adversaries are willing to do to achieve their goals; violence is unlikely as an operational method.
Analysis
In this section we discuss the attacks that were developed and run by Red Team personnel. Using the IDART methodology, the Red Team begins analysis of the target system and creates the various viewpoints discussed above in the Characterization section. Next, the team holds a brainstorming session, inviting Sandia employees that have expertise in the areas addressed by the target system. The Red Team lead describes the target system, presents and explains the viewpoints, and answers any questions before beginning the brainstorming.

During brainstorming, very little filtering is applied to submitted ideas. If an attack idea will obviously not work or violates the ROE, it may be filtered immediately. Otherwise, all ideas are added to the attack graphs and will be filtered later. This allows all ideas to inspire other ideas that may not be filtered.

The result of the brainstorming session is the project's attack graph: a diagram that suggests start states, end states, and attack paths connecting the two states. Many of the attack steps will be invalidated, and some will be filtered because they are beyond
Attacks are rated in severity from critical, denoting a near certain likelihood of occurrence, to low, denoting an unlikely event. Table 2, Attack Step Risk Ranking System, captures these metrics. None of the attack steps were identified as critical or important.

Rating      Definition
Critical    An attack step that has a near certain risk of occurring in the future if it has not already happened
Important   An attack step that is very likely to occur in the future and may already have taken place
Moderate    An attack step that is likely to occur in the future and could already have taken place
Low         An attack step that is unlikely to occur in the future and probably has not yet occurred
Table 2: Attack Step Risk Ranking System. For each attack step we provide a statement of what was or could be done by an attacker.
Attacks
Mitigation Options:

- Modify existing policy to require personal items be kept in lockers outside of the press lockup room. Divestment should be a prerequisite for room entry. Cost: Low.
- Metal detector at press lockup facility entry. Security checkpoints at building entrances are some distance away from the Lockup facility, and press personnel are not escorted between points. Cost: Medium.
- Remodel press lockup facility with RF shielding. Attenuating material blocks RF communications into or out of the facility. Cost: Medium/High.
- Replace computers and other IT equipment in the press lockup facility with DOL owned equipment and remove the private data lines currently in use. Cost: High.
- Retain status quo. Cost: Nil.
Attacks
Mitigation Options:

- Limit the number of Black Boxes each press organization may use. Cost: Nil.
- Mount Black Boxes to wall or on raised shelves so that the equipment is within plain view. Use uniform, color coded, DOL issued cables between Black Boxes and IT equipment. Cost: Low/Medium.
- Adopt tamper evident decals for inventory tags. Cost: Low.
- Replace computers and other IT equipment in the press lockup facility with DOL owned equipment and remove the private data lines currently in use. This would eliminate the need for the Black Boxes altogether. Cost: High.
- Retain status quo. Cost: Nil.
Summary
Though DOL, BLS, and OPA personnel are doing due diligence in their efforts to monitor and control the press lockup facility, SNL IDART observations indicate opportunities for security improvements, ranging from relatively low cost changes to existing policy up to investing in new IT infrastructure for the press lockup facility. Table 2, Comparison of Mitigation Alternatives, captures the criteria such as cost, risk, and performance for each option. Also included are scheduling requirements relative to SNL follow up activities to verify/validate effectiveness of implementation.

Policy Issues

The data embargo and release process is well established, and enjoys an advanced level of maturity. Requisite data security policies already exist, but may lack optimal implementation.

- Current policy requires press personnel to surrender cell phones in the press lockup facility prior to the distribution of embargoed data. An improvement to this prudent rule would be to collect cell phones and other personal items such as purses, briefcases, tote bags, etc. prior to granting entry to the facility, and securely store these items outside for the duration of the press release event.
  1. Cost: Low. Approximately $2,200.00 for hardware and shipping plus labor to install.
  2. Risk: Low. Potential pushback from press; potential liability for lost/damaged personal items.
  3. Performance: Medium value.
  4. Schedule priority: Medium. Follow up would consist of observing the new process in action.

- Another policy requires that non-DOL personnel be escorted while accessing wiring closets and communications hubs. Ensuring that only technically knowledgeable personnel are given escorting duties would be a significant enhancement to this practice, as would be documenting process and procedures, and training assigned escorts in security concepts (e.g. maintain visual contact on charges for the duration of each visit, limiting the number of visitors per escort, who to contact and what to do should an incident occur, what constitutes an incident).
  1. Cost: Medium. Personnel wages associated with assigning technical staff (vs. non-technical, who potentially have lower hourly cost) and development, documentation, and implementation of training.
  2. Risk: Medium. Pushback from DOL employees regarding additional assignments; lack of qualified personnel; prioritizing current assignments vs. escorting; cost of hiring new staff.
  3. Performance: High.
  4. Schedule priority: High. Multi-step solution requires early start; potential delays for contract negotiation pertaining to escort duties; policy and procedure development, documentation and implementation of training.

- Press organizations are currently allowed to use their own equipment in the press lockup facility, with some parties implementing complex configurations to include infrastructure grade networking appliances and utilizing multiple, DOL supplied Black Boxes. The resulting clutter, power consumption, heat generation, and government expense for supplying Black Boxes could be reduced by changing existing policy to limit each press work area to a standard equipment configuration (e.g. a single computer, monitor, keyboard & mouse).
  1. Cost: None.
  2. Risk: Medium. Pushback from press organizations.
  3. Performance: Medium. Reduces clutter, making Black Box status identification easier; reduces heat generation, power consumption.
  4. Schedule priority: Medium. Though minimal in implementation effort, SNL project period of performance (PoP) end is March 2012.

- Another policy option is to completely disallow non-DOL equipment. Cost, risk, performance and technical ramifications of this path are discussed in the next section.

Technical Issues

The presence of non-DOL IT equipment and communications lines in this facility is of concern to the Red Team. The opaque nature of this equipment to DOL, BLS, and OPA stakeholders is a major impediment to ensuring that embargoed data is not released prior to authorization, and the presence of outsider equipment opens attack vectors into the DOL environment. Because DOL may not conduct technical inspection of this equipment or monitor data traffic for unauthorized activity, there is no way to ascertain with certainty that DOL data is not being exfiltrated without DOL authorization.

- Allowing press organization owned equipment and communication lines in the press lockup facility creates a need for non-DOL maintenance personnel to access DOL communications and data infrastructure. Replacing press owned equipment and data lines with a DOL owned solution would remove opportunities for adversaries to compromise critical DOL communications and data infrastructure.
  1. Implementing a DOL owned IT solution for the press lockup facility would entail purchasing, configuring, and maintaining such equipment.
  2. An appropriate solution could be tailored to a bare bones configuration to save cost and reduce attack surface. Services limited to Internet access should provide adequate functionality for traditional journalists, while redirecting the burden of enhanced capability away from DOL and onto those who desire it. Applications (e.g. MS Word,
algorithmictradingapplications,etc.)wouldresideonpressorganization servers,andnotbetheresponsibilityofDOLtolicense,maintain,and patch. 3. Suchasolutionwouldlikelyreduceheatgenerationandenergycostsfor thepresslockupfacility. 4. DOLwouldhavecompletecontroloverpresslockupfacilityhardware andsoftwareandtheabilitytomonitoraswellasterminate/enabledata communications. 5. SuchasolutionwouldbesegregatedfromDOLEnterpriseenvironments. Cost:High.Approximately$66Kforhardwareandsoftware,$3.2K annuallyforlicenses,andbetween0.51.0FTEfor maintenance/administration(pleaseseeAttachment2:Cost Estimatesfordetails). Risk:High.Pushbackfrompress;futureincreasestolicensing costs;onusofdefendingnewenvironment;ensuringsegregation fromDOLenterpriseenvironment. Performance:High.EliminatesuncertaintiessurroundingnonDOL equipmentcapabilitiesandaccesstowiringclosets;reduces clutter,heatgeneration,powerconsumption;eliminatesBlack Boxcosts. Schedulepriority:High.Complex,multiphaseoptionrequires immediatestarttofacilitatecompletionpriortoendofSNLPoP. 1. Cost:High.Approximately$40K. 2. Risk:Medium.Aswithanytechnicalproject,unintentionalservice disruptionsmayoccur,withassociatedcoststoproductivityand equipmentreplacement;intheeventthatunauthorizedsurveillance devicesareidentified,lawenforcementmustbenotifiedimmediately. 3. Performance:High.WouldprovideDOLleadershipwithcleanbillof healthfortheircommunicationsinfrastructure(uptothatpointintime). 4. Schedulepriority:Medium.Shouldonlybedoneafterremovingpress ownedITequipmentandcommunicationlinesandimplementing qualified/trainedescorts. 
The Black Box devices currently employed to control the release of embargoed data in the press lockup facility are simple and fairly robust. However, the current concept of operations governing their use makes compromising or circumventing this control mechanism a plausible occurrence. The cluttered nature of the facility, plethora of non-DOL equipment, and multiple instances of Black Boxes for some press organizations, creates opportunities to mask activities designed to neutralize these control devices.
1. Seal Black Boxes with tamper-resistant/indicating inventory labels. Develop and implement policy to monitor labels for tampering.
   Cost: Low. From $9.00/250 basic seals or $1,200.00/20K for hologram seals; personnel time/wages for developing, documenting, and implementing process; auditing/checking for tamper indications.
   Risk: Low/Medium.
   Performance: Low for basic seals/Medium for hologram seals.
   Schedule priority: Low.
2. Mount Black Boxes to wall or on raised shelves so that the equipment is within plain view. Use uniform, color-coded, DOL-issued cables between Black Boxes and IT equipment.
   Cost: Low/Medium. Labor for installation; standardized cabling.
   Risk: Low.
   Performance: Medium.
   Schedule priority: Medium.

As noted previously, surreptitious use of transmitting devices was identified as a potential vulnerability. Installing RF shielding in the press lockup facility would mitigate against this vector by attenuating RF signal strength. Products such as foil-backed sheetrock are a relatively inexpensive implementation.
1. Cost: Medium. Materials + labor.
2. Risk: Low.
3. Performance: High. Correctly implemented shielding would greatly reduce the effectiveness of transmitter attacks from within the press lockup facility; this option would eliminate the need for in-room RF monitoring.
4. Schedule priority: High.
Observations
ROE Constraints of Note
The SNL IDART Red Team was limited to observation and assessment activities; no active exploitation exercises were performed during the course of CleanSweep. The scope of allowed activities was limited to the Press Lockup Room and associated data embargo and release processes.
1. Other areas associated with preparation of the target data were not subject to observation and assessment.
2. Operational IT systems associated with preparing/producing the target data were not subject to observation and assessment.
3. Adversary modeling specifically excluded DOL personnel insider threat.
Potential Avenues
The following activities were proposed to DOL but not sanctioned during this activity.¹
1. Technical evaluation and assessment of BLS IT environments.
2. Technical evaluation and assessment of RF environment at BLS.
Recommendations
There are areas for improvement in policy development and implementation, and for technical mitigation strategies to better secure the Press Lockup facility. Should DOL decide to pursue mitigation options specific to the Press Lockup facility, the Red Team suggests the following measures take priority status:
1. Disallow non-DOL owned IT equipment and communication lines from the Press Lockup facility or anywhere else on DOL premises.
2. Require technically cognizant escorts accompany non-DOL personnel into wiring closets and communications hubs.
3. Require non-DOL personnel to surrender personal items prior to entering the Press Lockup facility. External storage lockers could secure belongings for the duration of press events.
Current reporting from open and sensitive sources indicates computer targeted network exploitation (CNE) as the most prevalent method of unauthorized data exfiltration from a wide range of adversaries. It is the opinion of Red Team Cyber Security subject matter experts that the IT environments where the data are produced are more likely avenues for data loss than is the Press Lockup facility. CNE offers advantages such as anonymity to an adversary due to the difficulty of conclusively attributing malicious actions over the Internet to specific individuals vs. actions carried out in person in the Press Lockup facility. Compromise of IT systems provides an adversary long-term, unauthorized accesses to potentially valuable information with little chance of discovery.1
Attachment 1: Agenda
IDART Team
S-2203 Conference Room Will Atkins & Scott Maruoka
IDART Team
S-2203 Conference Room Michael Freund, Lyle Hansen Will Atkins Han Lin, Scott Maruoka S-2203 Office Han Lin, Scott Maruoka S-2203 Office
Interview with Rick Vaughn.         Han Lin, Scott Maruoka   S-2203 Office
Interview with Anthony Ferreira.    Han Lin, Scott Maruoka   S-2203 Office
Interviews with Carl Fillichio.     Han Lin, Scott Maruoka   S-2203 Office
SNL Team Members depart             All
Vanguard Metal QS
  Assembly: Assembled
  Color: Grey
  Cost: $1,279.92; shipping: $880.00; Total: $2,159.92

Lockers and Storage Catalog: http://lockerscatalog.com/items.asp?Cc=LLOCKQSW&iTpStatus=0
Hallowell Wall Mounted Premium Box Locker
  Product ID: L236-1095
  Weight: 50 LB
  Dimensions: 48 W x 18 D x 12 H
  Color: Grey
  Unassembled
  Cost: $1,440.00; shipping: $880.00; Total: $2,320.00

Lockers.com: http://www.lockersupply.com/
Penco Quick Ship: Vanguard Unit Packaged Lockers - Four-Wide Wall Mount - 68242
  SKU #: PN1122
  Dimensions: 13.625" H x 45" W x 18" D
  Weight: 43.0 lbs.
  Unassembled
  Cost: $1,463.92; shipping: $116.19; Total: $1,580.11
Tamper-evident Labels
Tamperco: http://www.tamperco.com/Tamper Void Tamper Evident Labels s/22.htm
  Tampervoid labels: $9.00/250
  Hologram labels: $1,200.00/20K
References
1. Eugene Register-Guard (no author attributed), "Labor building named for Madame Secretary," April 11, 1980, http://news.google.com/newspapers?id=jIMRAAAAIBAJ&sjid=3eEDAAAAIBAJ&pg=5679,2910817&dq=frances-perkins-building&hl=en
2. New York Times (no author attributed), "High Frequency Trading," August 9, 2011, http://topics.nytimes.com/topics/reference/timestopics/subjects/h/high frequency algorithmic trading/index.html?scp=1-spot&sq=High%20Frequency%20Trading&st=cse
3. Cisco, "Cisco 2010 Annual Security Report," http://www.cisco.com/en/US/prod/collateral/vpndevc/security annual report 2010.pdf
4. Alperovitch, D., "Revealed: Operation Shady RAT," McAfee Blog Central, http://home.mcafee.com/AdviceCenter/ExternalContent.aspx?id=cm malb
5. Dugan et al., Sandia National Laboratories, "Categorizing Threat: Building and Using a Generic Threat Matrix," September 2007.