Specialized Cyber Red Team Responsive Computer Network Operations
Total Page:16
File Type:pdf, Size:1020Kb
TALLINN UNIVERSITY OF TECHNOLOGY DOCTORAL THESIS 25/2019 Specialized Cyber Red Team Responsive Computer Network Operations BERNHARDS BLUMBERGS TALLINNUNIVERSITYOFTECHNOLOGY SchoolofInformationTechnologies DepartmentofSoftwareScience ThedissertationwasacceptedforthedefenceofthedegreeofDoctorofPhilosophy(cyber security)on2ndofApril,2019 Supervisor: Dr. Rain Ottis, Department of Software Science, School of Information Technologies, Tallinn University of Technology Tallinn, Estonia Co-supervisor: Dr. Risto Vaarandi Department of Software Science, School of Information Technologies, Tallinn University of Technology Tallinn, Estonia Opponents: Professor Dr. Hiroki Takakura, National Institute of Informatics, Tokyo, Japan Fregattenkapitän PD Dr. Dr. habil. Robert Koch, Bundeswehr University of Munich, Munich, Germany Defence of the thesis: 27th of May, 2019, Tallinn Declaration: Hereby I declare that this doctoral thesis, my original investigation and achievement, submitted for the doctoral degree at Tallinn University of Technology, has not been submittedforanyacademicdegreeelsewhere. Bernhards Blumbergs signature Copyright: Bernhards Blumbergs, 2019 ISSN 2585-6898 (publication) ISBN 978-9949-83-413-6 (publication) ISSN 2585-6901 (PDF) ISBN 978-9949-83-414-3 (PDF) TALLINNA TEHNIKAÜLIKOOL DOKTORITÖÖ 25/2019 Vastutegevusele orienteeritud punase meeskonna küberoperatsioonid BERNHARDS BLUMBERGS Contents LIST OF PUBLICATIONS 7 AUTHOR’S CONTRIBUTIONS TO THE PUBLICATIONS 8 LIST OF ACRONYMS 10 LIST OF FIGURES 11 LIST OF TABLES 12 1 INTRODUCTION 15 1.1 Problem Statement ............................. 16 1.2 Research Questions ............................. 18 1.3 Contribution ................................. 20 1.4 Thesis Structure ............................... 21 2 BACKGROUND AND RELATED WORK 22 2.1 Responsive Cyber Defence and Initial Attribution ............. 22 2.2 Computer Network Operations ....................... 25 2.3 Cyber Red Teaming ............................. 26 2.4 Cyber Attack Kill Chain ........................... 27 2.5 Cyber Red Team Technical Exercises .................... 29 2.6 Identified Gaps ............................... 30 3 DEFINING SPECIALIZED CYBER RED TEAM RESPONSIVE OPERATIONS 32 3.1 Responsive Cyber Defence Requirements ................. 32 3.2 Computer Network Operation Requirements ............... 35 3.3 Cyber Red Teaming Requirements ..................... 37 4 SPECIALIZED CYBER RED TEAM RESPONSIVE OPERATIONS 40 4.1 Operational Requirements ......................... 40 4.2 Techniques, Tools, Tactics and Procedures . ............... 41 4.2.1 Gaining Initial Access ........................ 42 4.2.2 Establishing Command and Control Channel ............ 45 4.2.3 Delivering the Impact ........................ 48 4.2.4 Countering the Cyber Attack Kill Chain ............... 50 4.3 Chapter Conclusions ............................ 53 5 ADVERSARY DETECTION AND RED TEAM ASSET PROTECTION 55 5.1 System Log File-Based Anomaly Detection . ................ 56 5.2 Cyber Deception-Based Detection ..................... 58 5.3 Cyber Red Team Operational Infrastructure Protection Considerations . 60 5.4 Chapter Conclusions ............................ 64 6 CYBER RED TEAM TRAINING 65 6.1 Cyber Red Team Exercise Design . ................... 65 6.2 Exercise Training and Mission Objectives . ................. 66 6.3 Cyber Red Team Structure and Chain-of-Command . .......... 68 6.4 Technical Environment, Exercise scenario and Legal Considerations .... 73 5 6.5 Training Assessment and Real-time Feedback ............... 78 6.6 Chapter Conclusions ............................ 80 7 CONCLUSIONS AND FUTURE WORK 81 7.1 Summary and conclusions ......................... 81 7.2 Answering the research questions ..................... 82 7.3 Future Work ................................. 85 REFERENCES 86 ACKNOWLEDGEMENTS 93 ABSTRACT 94 KOKKUVÕTE 96 Appendix 1 – Publication I 99 Appendix 2 – Publication II 117 Appendix 3 – Publication III 125 Appendix 4 – Publication IV 139 Appendix 5 – Publication V 147 Appendix 6 – Publication VI 155 Appendix 7 – Publication VII 165 Appendix 8 – Publication IX 173 Appendix 9 – Publication X 185 Appendix 10 – “Crossed Swords” Exercise Feedback Survey Results 197 Curriculum Vitae 210 Elulookirjeldus 214 6 LIST OF PUBLICATIONS The thesis is based on the following publications: Publication I: B. Blumbergs, M. Pihelgas, M. Kont, O. Maennel, and R. Vaarandi. Creat- ing and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels. In B. B. Brumley and J. Röning, editors, Secure IT Systems: 21st Nordic Con- ference, NordSec 2016, pages 85–100, Oulu, Finland, November 2016. Springer Inter- national Publishing Publication II: B. Blumbergs and R. Vaarandi. Bbuzz: A Bit-aware Fuzzing Framework for Network Protocol Systematic Reverse Engineering and Analysis. In Milcom 2017 Track 3 - Cyber Security and Trusted Computing, pages 707–712, Baltimore, USA, November 2017. IEEE Publication III: B. Blumbergs. Remote Exploit Development for Cyber Red Team Computer Network Operations Targeting Industrial Control Systems. In 5th International Confer- ence on Information Systems Security and Privacy, ICISSP 2019, pages 88–99, Prague, Czech Republic, February 2019. SCITEPRESS Publication IV: R. Vaarandi, B. Blumbergs, and E. Çalışkan. Simple event correlator - Best practices for creating scalable configurations. In 2015 IEEE International Multi- DisciplinaryConferenceonCognitiveMethodsinSituationAwarenessandDecision Support,pages96–100,Orlando,USA,March2015.IEEE Publication V: R. Vaarandi, B. Blumbergs, and M. Kont. An Unsupervised Framework for Detecting Anomalous Messages from Syslog Log Files. In IEEE/IFIP Network Opera- tions and Management Symposium, pages 1–6, Taipei, Taiwan, April 2018. IEEE Publication VI: A. Fárar, H. Bahsi, and B. Blumbergs. A Case Study About the Use and Eval- uation of Cyber Deceptive Methods Against Highly Targeted Attacks. In Proceedings of Cyber Incident 2017, pages 1–7, London, UK, June 2017. IEEE Publication VII: M. Kont, M. Pihelgas, K. Maennel, B. Blumbergs, and T. Lepik. Franken- stack: Toward Real-time Red Team Feedback. In Milcom 2017 Track 3 - Cyber Security andTrustedComputing,pages400–405,Baltimore,USA,November2017.IEEE PublicationVIII:M.Schmitt,L.Vihul,D.Akande,G.Brown,P.Ducheine,T.Gill, )ĺ ;in|schel von Heinegg, G. Hernandez, D. Housen-Couriel, Z. Huang, E. Talbot Jensen,K.Kittichaisaree,A.Kozik,C.Kreiss,T.McCormak,K.Nakatani,G.Rona,P. Spector,S.Watts,andB.Blumbergs. TallinnManual2.0ontheInternationalLaw ApplicabletoCyberOperations. CambridgeUniversityPress,Cambridge,UK,2017 (Thispublicationhasnotbeenincludedintheappendicesofthisthesisduetothe publishinghousecopyrightrestrictions.) Publication IX: D. Mucci and B. Blumbergs. TED: A Container Based Tool to Perform Secu- rity Risk Assessment for ELF Binaries. In 5th International Conference on Information Systems Security and Privacy, ICISSP 2019, pages 361–369, Prague, Czech Republic, February 2019. SCITEPRESS Publication X: B. Blumbergs, R. Ottis, and R. Vaarandi. Crossed Swords: A Cyber Red Team Oriented Technical Exercise. In 18th European Conference on Cyber Warfare and Se- curity, ECCWS 2019, Coimbra, Portugal, July 2019. ACPI. (Accepted paper) 7 AUTHOR’S CONTRIBUTIONS TO THE PUBLICATIONS Contributions to the publications in this thesis are: I In Publication I, as the main and leading author of this publication, the author pro- posed a problem that IPv6 based transition mechanisms can be abused for unde- tectable covert channel establishment. The author developed, described and proto- typed the IPv6 transition mechanism-based covert channels, created and published the nc64 and tun64 tools. The author designed the test network, implemented com- mon covert channel mechanisms for comparison, and provided the guidelines and requirements to the evasion detection team. Additionally, the author successfully applied the developed nc64 and tun64 tools in practice within the NATO CCD CoE executed cyber defence exercise “Locked Shields”. II In Publication II, as the main and leading author of this publication, the author identi- fied the problem of analysing and attacking the binary network protocols. The author developed, described and prototyped the bit-aware fuzzing framework Bbuzz for bi- nary network protocol reverse-engineering, which requires the minimum effort from the human expert to start the network protocol reverse-engineering or vulnerabil- ity identification. The author addressed the problem by introducing one bit as the smallest unit for fuzzing test-case creation, implemented automated network proto- col sample analysis and test-case creation. Additionally, the author used the devel- oped methodology and prototyped Bbuzz tool to successfully reverse engineer the NATO Link-1 binary protocol to inject fake aeroplane tracks on the radar screen. III In Publication III, as the main and the only author for this publication, the author dis- covered vulnerabilities in major industrial Ethernet protocols (PROFINET IO, IEC-104) and devices (Martem GW6e-TELEM). The author performs and describes the reverse- engineering of the industrial control system network protocols, discloses technical details on identified vulnerabilities, addresses their mitigation by reporting to the vendor and the security community, and proposes the methods for critical infor- mation infrastructure protection. Additionally, the author implemented the found vulnerabilities and designed the attacks into the NATO CCD CoE technical exercises “Locked