cyber warfare: an unorthodox view from the battlefield

Cyber warfare: an unorthodox view from the battlefield
18th September, 2015 – Gjøvik, Norway
(title slide photo: Picture-Alliance/dpa)

Upload: roberto-rigolin-ferreira-lopes

Post on 21-Mar-2017


TRANSCRIPT


In short

Presentation title

2

yyyy-mm-dd

Three things: Cyber warfare: an unorthodox view from the battlefield

Cyber Commands

Unorthodox

Battlefield

In Short


The agenda

Follow the white rabbit…

In Short


What is a tactical network?

The users

The devices:

Tactical Network


Figure: tactical network with four node types and their radio links

Node A <Dismounted>: UHF, WLAN
Node B <Relay>: SatCom, VHF
Node C <Mobile>: VHF, UHF, WLAN, SatCom
HQ Node D <Deployed>: SatCom, VHF, UHF, WLAN

Scenario: Tactical Ground Report System

Distributed Security Policies


Figure: services exchanged between Node A, Node B and Node C in the Tactical Ground Report System scenario: soldier localization, adversary localization, vehicle localization, live camera, aerial photos.

The architecture

Nodes

Tactical Network


Figure: the tactical network diagram from above (Nodes A–D with their UHF/VHF/WLAN/SatCom links), repeated.

Figure SV-1: TSI Node

«Software» components: TSI Node, made up of Controller, Service Mediator, Message Handler and Packet Handler

«Function» blocks: Session Management, Message Exchange, Message Adaption, Message Forwarding, Message Transport, Packet Forwarding, Packet Scheduling, QoS Handling, Routing, Security Handling, Service Registry, Contextual Monitoring, Policy Management, Metadata Handling

Interfaces: BS, IS, IF I001, IF I002, IF I003, IF I004, IF I005, IF E001, IF E002

Service-Oriented Architecture <Security>

Reference Architecture

Functionalities:


International Politics?

Reference Architecture

Simplifying this thing:


Figure: the TSI node reduced to four components, numbered 1 to 4: Packet Handler, Message Handler, Service Mediator, Controller. Cutting across all four: Policy management and Security handling.

Implementing the cross-layer message exchange

Reference Architecture


Figure: Packet Handler, Message Handler, Service Mediator and Controller placed over the prototype stack: Network Simulator, SOA Platform, Operating System (two crossing points marked 1 and 2).

The cross-layer call shown on the slide, Java on the SOA platform shelling out to the operating system:

// The slide's snippet: resolve A records for `domain` by running the OS `host` tool and waiting for it
Process p = Runtime.getRuntime().exec("host -t a " + domain); p.waitFor();
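The snippet above builds one command string out of data. Runtime.exec(String) does not start a shell; it splits the string on whitespace, so a `domain` value containing spaces cannot inject shell pipelines, but it can inject extra arguments into `host` (a second operand is taken as the name server to query, and `-W` sets the wait time). What follows is an added example, not code from the slides or from the TSI implementation. It assumes `domain` may arrive over the network (for instance inside a message from another node), validates it as a host name, passes argv as a list so the value can only ever be the single operand, and bounds the wait. `HostLookup`, `isValidHostname` and `lookupARecords` are illustrative names.

```java
import java.io.IOException;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/**
 * Added example (not from the slides or the TSI code base). The slide's call
 * Runtime.exec("host -t a " + domain) concatenates data into the command string.
 * Runtime.exec(String) tokenises on whitespace (no shell), so a value such as
 * "example.org 10.0.0.53" or "-W 30 example.org" becomes extra argv entries for `host`.
 * Validating the operand and passing argv as a list removes that possibility.
 */
public final class HostLookup {

    // RFC 1123 host name: dot-separated labels of letters, digits and hyphens, 253 chars max.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\\.)*"
        + "[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$");

    /** True only for a syntactically valid host name: the one thing `host` should receive as operand. */
    public static boolean isValidHostname(String domain) {
        return domain != null && HOSTNAME.matcher(domain).matches();
    }

    /**
     * Resolves A records for {@code domain} with the same external tool the slide uses, but
     * 1) rejects anything that is not a plain host name, 2) hands argv over as a list so the
     * value is always exactly one argument, 3) bounds the wait so a hung resolver cannot stall
     * the node. Returns the exit status of `host`.
     */
    public static int lookupARecords(String domain, long timeoutSeconds)
            throws IOException, InterruptedException {
        if (!isValidHostname(domain)) {
            throw new IllegalArgumentException("refusing malformed host name: " + domain);
        }
        ProcessBuilder pb = new ProcessBuilder(List.of("host", "-t", "a", domain));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("host lookup timed out after " + timeoutSeconds + "s");
        }
        return p.exitValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the first is a legitimate name; the other two would become extra
        // arguments to `host` if concatenated into a single command string as on the slide.
        String[] inputs = {"example.org", "example.org 10.0.0.53", "-W 30 example.org"};
        for (String in : inputs) {
            System.out.println("\"" + in + "\" valid host name: " + isValidHostname(in));
        }
        try {
            lookupARecords("example.org 10.0.0.53", 5);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before any process was started: " + e.getMessage());
        }
    }
}
```

The validation is the part that matters for the architecture: the Message Handler delivers whatever the radio carried, so a Controller that turns message fields into operating-system arguments is the place where a check must exist, regardless of how many guards sit at the network edge.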


TSI: Tactical Service Infrastructure

<Experiments>

<Design> <Prototyping>

<Services>

Figure SV-1: TSI Node (the component, function and interface diagram shown above), repeated.

The approach:

Security requirements


Protecting the Architecture

NISLab show starts now!

In Short


What if we X-Ray the architecture?

In Short


What if we X-Ray the architecture?

<Packets>

<Messages>

<Services>

<Controller>

<Attacker>

Hygiene: Flossing and brushing

In Short

Hygiene, hum?

… that thing you do again, again and again…

Extending the TSI Node to expose the SOA Platform and the Operating System

Security at the Reference Architecture


Figure: the TSI node stack (SOA Platform: Controller, Service Mediator, Message Handler, Packet Handler; below it the Operating System) with two functions pulled out: 1 <Policy Management>, 2 <Security Handling>.

Building blocks: Cryptography, Tactical Platform Guard, Tactical Support Guard, Policy Manager, Privilege Management Policy Manager, Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP)

<domains>: Detection, Diligence, Protection, Planning, Response, QoS

TSI Node with three enforcement points, PEP a, PEP b and PEP c, bound to the policy set <a,b,c>

Shall we claim to be protected?
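The slide names the policy triad but not how the pieces talk to each other. The following is an added example, not code from the slides or from the TSI implementation: a Policy Administration Point that authors and publishes the rule set <a,b,c>, a Policy Decision Point that evaluates it, and Policy Enforcement Points placed at two layers of a TSI node, each asking the PDP before letting an action through. Node roles and service names are taken from the tactical network and Tactical Ground Report System slides; the rules, the role identifiers (`relay`, `mobile`, `deployed-hq`, `dismounted`), the actions (`forward`, `read`) and all class names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

/**
 * Added example, not code from the slides or from the TSI implementation. PAP holds the rules,
 * PDP decides, PEPs enforce at their own layer. The PDP is default-deny with deny-overrides:
 * a request that no rule permits, or that any matching rule denies, is refused.
 */
public final class TsiPolicyExample {

    public enum Effect { PERMIT, DENY }

    /** A request as a PEP sees it: which kind of node, which service, which action. */
    public record Request(String nodeRole, String service, String action) {}

    /** One rule of the policy set; "*" matches anything in that position. */
    public record Rule(String nodeRole, String service, String action, Effect effect) {
        boolean matches(Request r) {
            return wild(nodeRole, r.nodeRole()) && wild(service, r.service()) && wild(action, r.action());
        }
        private static boolean wild(String pattern, String value) {
            return "*".equals(pattern) || Objects.equals(pattern, value);
        }
    }

    /** PAP: the one place where rules are written; publish() hands an immutable copy to the PDP. */
    public static final class PolicyAdministrationPoint {
        private final List<Rule> rules = new ArrayList<>();
        public PolicyAdministrationPoint add(Rule rule) { rules.add(rule); return this; }
        public List<Rule> publish() { return List.copyOf(rules); }
    }

    /** PDP: deny-overrides combining, default deny when no rule matches. */
    public static final class PolicyDecisionPoint {
        private final List<Rule> rules;
        public PolicyDecisionPoint(List<Rule> rules) { this.rules = rules; }
        public Effect decide(Request request) {
            boolean permitted = false;
            for (Rule rule : rules) {
                if (!rule.matches(request)) continue;
                if (rule.effect() == Effect.DENY) return Effect.DENY;
                permitted = true;
            }
            return permitted ? Effect.PERMIT : Effect.DENY;
        }
    }

    /**
     * PEP: guards one layer of the node. The layer fixes the action it decides on: the
     * Message Handler PEP decides whether a message may be forwarded, the Service Mediator PEP
     * decides whether the local node may read (consume) the service payload.
     */
    public static final class PolicyEnforcementPoint {
        private final String layer;
        private final String action;
        private final PolicyDecisionPoint pdp;
        public PolicyEnforcementPoint(String layer, String action, PolicyDecisionPoint pdp) {
            this.layer = layer; this.action = action; this.pdp = pdp;
        }
        /** True only if the PDP permits; the caller performs the action only on true. */
        public boolean enforce(String nodeRole, String service) {
            Effect effect = pdp.decide(new Request(nodeRole, service, action));
            System.out.printf("%-16s %-12s %-8s %-22s -> %s%n", layer, nodeRole, action, service, effect);
            return effect == Effect.PERMIT;
        }
    }

    /** Constructed rule set: any node may forward; reads of sensor feeds depend on node role. */
    public static PolicyDecisionPoint buildPdp() {
        PolicyAdministrationPoint pap = new PolicyAdministrationPoint()
            .add(new Rule("*",           "*",                    "forward", Effect.PERMIT))
            .add(new Rule("*",           "soldier-localization", "read",    Effect.PERMIT))
            .add(new Rule("deployed-hq", "*",                    "read",    Effect.PERMIT))
            .add(new Rule("mobile",      "live-camera",          "read",    Effect.PERMIT))
            .add(new Rule("relay",       "*",                    "read",    Effect.DENY));
        return new PolicyDecisionPoint(pap.publish());
    }

    public static void main(String[] args) {
        PolicyDecisionPoint pdp = buildPdp();
        PolicyEnforcementPoint pepA = new PolicyEnforcementPoint("message-handler",  "forward", pdp);
        PolicyEnforcementPoint pepB = new PolicyEnforcementPoint("service-mediator", "read",    pdp);
        pepA.enforce("relay",       "live-camera");          // PERMIT: any role may forward
        pepB.enforce("relay",       "live-camera");          // DENY: explicit deny on relay reads
        pepB.enforce("dismounted",  "soldier-localization"); // PERMIT: allowed for every role
        pepB.enforce("dismounted",  "aerial-photos");        // DENY: no rule permits it (default deny)
        pepB.enforce("deployed-hq", "aerial-photos");        // PERMIT: HQ may read every service
    }
}
```

Two design points carry over to the real node: the PDP never sees the network, only requests the PEPs construct, and the PAP publishes an immutable copy, so a compromised layer cannot rewrite the policy it is being judged against. Both are the kind of hygiene the earlier slide asks for rather than a claim of being protected.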

Security requirements


A bag of cyber-attacks

Cyber-attacks

Shall we claim to be protected?


The experts

Hey YOU, check out this cyber-attack!

Hey Marthe, what about a run?

Hey Messi, let's play some football?

Security requirements


What the hell, let's give it a try!

<You>

What just happened?


Figure: OODA loop (Observe → Orient → Decide → Act) around You

What just happened?


Figure: OODA loop (Observe → Orient → Decide → Act) around You

Basic abstraction for mission/operation

OODA-loop modelling battles


On the battlefield, against an equally capable adversary, whoever manages to get inside the adversary's decision loop WINS!

Figure: two OODA loops (Observe → Orient → Decide → Act), YOU against the Adversary

Faster tempo and rhythm will generate confusion and disorder …

<Faster tempo>

<Disorder>

OODA-loop


What if the battlefield is a football field? Same story…

Faster tempo and rhythm will generate confusion and disorder …

<Faster tempo>

<Disorder>

Tactical fractal


Figure: four nested OODA loops (Observe → Orient → Decide → Act)

Tactical fractal


Figure: OODA loops (Observe → Orient → Decide → Act) nested at every level of the network, labelled by device: Handheld <Dismounted>, Drone <Relay>, Laptop <Mobile>

Looks like a fractal, QUACKS like a fractal, but don't let it FOOL you: it is a TACTICAL FRACTAL!

Security requirements


Ok, time for a DDoS attack! (Distributed Denial of Service)

Security requirements


The cyber-attacks

Related tools:

Eavesdrop: adversary listening to data flows; SIGINT probing troop localization

Spyware: malicious software within the network

Jamming: SIGINT creating noise in the channels

Logic bombs: a piece of code defining a malicious function

Stuxnet and etc.: new techniques being created right now!

Cyber warfare


In Short


History of cyber conflict

1980s: Realization (1986: Cuckoo's Egg; 1988: Morris worm)

1998-2003: Take off (1998: Solar Sunrise; 1998: Moonlight Maze)

2003 to now: Militarization (2007: Israel invaded Syrian airspace; 2010: Stuxnet)

Today

Militarization at work

Figure: the 0-days market. Actors: Experts, Spy Companies, Governments. Flows: Investments one way; Tools + Infra + exploits the other.

Cyber Commands?

Digital arms race…

Stuxnet started this?

Security requirements


Motivation behind Stuxnet:

To bomb or to CYBER bomb, this is the question!

Stuxnet in short

Zero Day+

Figure: the Stuxnet pipeline in four steps: 1 Implement, 2 Sign it (with a <Stolen> private key, shown on the slide as a PEM private-key block), 3 Deploy it, 4 Running, across the Air gap, inside the Control System.

Code to break things silently: Main Thread, .LNK exploit, .dll injected code

Security requirements


Stuxnet is a different beast:

Passed the access control!

Can we use the OODA-loop to catch this?

Delivering the .dll

.dll running?

Attacking from within…

The future?

Authenticated and authorized…

In Short


Figure SV-1: TSI Node (the component, function and interface diagram shown above), repeated.

Remember our sexy architecture?

Disclaimer: hot stuff, prohibited for under 18

Let’s rethink how to protect it…

In Short


Let’s go to the future…

What would make you proud?


Let’s help the Avengers…

<MISSING>

<Processing power>

How to improve the overall security?

Remember


Figure: seven nested OODA loops (Observe → Orient → Decide → Act)

How to model nested loops?

Challenges


Figure: two OODA loops (Observe → Orient → Decide → Act): Team Stark (Protected) against Team Ultron (Hacked)

Faster tempo…

How? (1) How? (2) How? (3)

Just A Rather Very Intelligent System (JARVIS)


What if you have planted Stuxnet in your adversary's systems? How do you play it?

Three scenarios: you are attacked; you are attacking; both are playing…

What does it mean to lose a battle? What about winning? How intrusive is the whole thing?

JARVIS: Just A Rather Very Intelligent System

JARVIS 2016: same stuff but damn Secure!


The beginning.

Roberto Rigolin Ferreira [email protected]

“Forget it all. Don't be afraid. Do what you get the most pleasure from. Develop your talents wherever they may lead.

Damn the torpedoes - full speed ahead!” ― Richard Feynman