
Cross-Domain Red Teaming

Cross-domain red teaming, also called multidimensional or full-spectrum red teaming, portrays real adversaries better than single-domain red teaming does. "Cross-domain" here doesn't refer to Microsoft domains or to multilevel security domains. We're talking about how real adversaries take advantage of three major security domains (cyber, physical, and human) to attack systems. A small digression: here at Sandia, we define a system as a combination of people, processes, and technologies, not as a computer system alone. Thus, cross-domain red teaming attacks a system through its people, its processes, and its technology (cyber or physical) to achieve the effect that the portrayed adversary would want.
In 2003, Sandia's assessment community embarked on a research program to understand how to portray real adversaries who move freely between the physical security domain and the cyber security domain. The Critical Infrastructure System of Systems Assessment Methodology (CISOSAM, pronounced "Shazaam") research approached the problem through a number of existing tools and methodologies: fault-tree analysis, adversary sequence diagrams, red team attack diagrams, and red team attack trees. The result of the research, in 2006, was a prototype software application implementing a risk assessment methodology that explicitly accounts for both physical and cyber security while preserving the traditional security paradigm of detect, delay, and respond.
Since that work, Sandia has recognized that at least one additional domain needs to be considered: the human domain, the people in the system. We've debated adding a fourth domain, RF, to represent the radio frequency footprint of a system. For now, we consider RF to be contained within the physical domain because it is a physical process.
Red teams already use attack methods, drawn from real adversary intrusion sets, that are cross-domain. Two examples are spearphishing and war-driving. Spearphishing is the practice of crafting an email based on open-source intelligence (OSINT) about a particular person or class of persons in the target system. War-driving is the practice of using radio transceivers and computers to detect and attack technology that communicates over RF. The primary RF technology attacked in war-driving is the IEEE 802.11 family of wireless LAN protocols (WiFi); wireless MAN technology such as WiMax (IEEE 802.16) is also a target. Other targets of war-driving include the IEEE 802.15 family of personal-area-network protocols, which covers Bluetooth (802.15.1) and the 802.15.4 radios used by ZigBee. Even radio frequency identification (RFID) can be a target of war-driving.
In the case of spearphishing, the attacker starts in the cyber domain to obtain information about the human domain (OSINT), then moves back into the cyber domain to craft an exploit payload, which is delivered through the human domain as an email to the target. When the target opens the attachment and the payload executes, the attack moves back into the cyber domain. This happens quickly, and practitioners are so used to it that we don't think about the transitions, but they are there nonetheless.
Each of these transitions is a chance to cause problems with the customer we are red teaming. We could collect information that we have no authorization to collect, even though it is openly available. The customer may want the payload to be detectable, at least in theory, or may allow custom payloads that bypass rather than test defenses. The human target of the email may belong to a protected group (e.g., union-represented employees) that the customer wants exempted. The content of the email that entices the user into opening the attachment may cause the target to contact someone else when the attachment fails to open, pulling another person into the exercise and potentially triggering incident response, including law enforcement. All of these transitions and attack steps need to be considered in the rules of engagement and the operational plan.
In the case of war-driving, the attack starts in the physical domain, both in the RF sense and potentially in the sense of trespassing on the target's physical premises. In our experience war-driving, we have been confronted by security guards who thought we might be the vandals who had been damaging cars in the parking garage; fortunately, they and other guards have had no problem with antennae and laptops. Once a wireless network is detected, the attack shifts into the cyber domain as we analyze the type of RF transceiver (access point (AP) or ad-hoc), the security protocol (WEP or WPA), and the type of encryption. Cracking into a wireless network means physically (over RF) injecting cyber-domain packets onto the airwaves. At some point the attacker may gain access to the wireless network and launch cyber attacks against other computers on it. Each of these transitions and attack steps has implications for rules of engagement and operational plans.
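As an added example (not code from the original post or from Sandia's tools), the scope gate that war-driving rules of engagement call for before any packet is transmitted: it parses a constructed scan listing (the column layout, the `RulesOfEngagement` fields, and the ACME network names are all assumptions made for this example), classifies each detected network by transceiver mode and security protocol as the paragraph describes, and lets only customer-confirmed radios through. Networks that merely look like the customer's are held rather than touched, because a neighbor reusing the customer's SSID, or a rogue AP, is not covered by the authorization.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """One detected wireless network, as a war-driving scan would report it."""
    bssid: str     # radio MAC address, lower-cased
    essid: str     # advertised network name
    channel: int
    mode: str      # "AP" (infrastructure) or "ADHOC"
    security: str  # "OPN", "WEP", "WPA", or "WPA2"


# Constructed sample scan output for this example (not real survey data).
# The column layout is an assumption; adapt parse_scan() to your tool's export.
SAMPLE_SCAN = """\
BSSID,ESSID,channel,mode,security
00:11:22:33:44:55,ACME-CORP,6,AP,WPA2
00:11:22:33:44:66,ACME-GUEST,11,AP,OPN
00:11:22:33:44:77,ACME-LEGACY,1,AP,WEP
DE:AD:BE:EF:00:01,ACME-CORP,6,AP,WPA2
66:77:88:99:AA:BB,NEIGHBOR-NET,1,AP,WEP
02:AA:BB:CC:DD:EE,printer-adhoc,3,ADHOC,OPN
"""


def parse_scan(text: str) -> list[Network]:
    """Parse the header-driven CSV above into Network records."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    nets: list[Network] = []
    for line in lines[1:]:
        f = dict(zip(header, (v.strip() for v in line.split(","))))
        nets.append(Network(
            bssid=f["BSSID"].lower(),
            essid=f["ESSID"],
            channel=int(f["channel"]),
            mode=f["mode"].upper(),
            security=f["security"].upper(),
        ))
    return nets


@dataclass(frozen=True)
class RulesOfEngagement:
    """Scope facts a planner needs before any radio is touched (field names are this example's)."""
    authorized_bssids: frozenset[str]  # radios the customer has confirmed are theirs
    customer_essid_pattern: str        # regex for the customer's SSID naming convention
    allow_injection: bool              # may we transmit (deauth, replay)? False = listen only


def classify(net: Network, roe: RulesOfEngagement) -> dict[str, str]:
    """Decide what the team may do with one detected network under the ROE."""
    in_scope = net.bssid in roe.authorized_bssids
    looks_like_customer = re.fullmatch(roe.customer_essid_pattern, net.essid) is not None

    if in_scope:
        if net.security == "OPN":
            action, note = "associate", "open network: associate, then continue in the cyber domain"
        elif net.security == "WEP":
            # Passive IV collection is listen-only; replay attacks that speed it up transmit.
            action = "attack" if roe.allow_injection else "passive-capture"
            note = "WEP: IV collection; replay/injection needs transmit authorization"
        else:
            # Handshake capture can be passive; forcing it with a deauth is injection.
            action = "attack" if roe.allow_injection else "passive-capture"
            note = "WPA/WPA2: handshake capture; deauth to force it needs transmit authorization"
    elif looks_like_customer:
        # Customer-looking SSID on an unconfirmed radio: a neighbor reusing the name
        # or a rogue AP. Transmitting to it may be illegal; get confirmation first.
        action, note = "hold", "customer-style ESSID on unauthorized BSSID: confirm with customer before any traffic"
    else:
        action, note = "log-only", "third-party network: record for the report, never transmit to it"

    return {"essid": net.essid, "mode": net.mode, "security": net.security,
            "action": action, "note": note}


def plan(scan_text: str, roe: RulesOfEngagement) -> dict[str, dict[str, str]]:
    """Map every detected BSSID to its ROE-gated action."""
    return {n.bssid: classify(n, roe) for n in parse_scan(scan_text)}


def targets(scan_text: str, roe: RulesOfEngagement, action: str) -> list[str]:
    """BSSIDs assigned a given action; the input to the next attack step."""
    return [b for b, r in plan(scan_text, roe).items() if r["action"] == action]


if __name__ == "__main__":
    roe = RulesOfEngagement(
        authorized_bssids=frozenset({"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}),
        customer_essid_pattern=r"ACME-.*",
        allow_injection=False,
    )
    for bssid, r in plan(SAMPLE_SCAN, roe).items():
        print(f"{bssid}  {r['essid']:<14} {r['security']:<5} {r['action']:<16} {r['note']}")
```

With `allow_injection` false, nothing in the plan transmits: the in-scope WEP and WPA2 radios get passive capture only, and the second `ACME-CORP` radio, whose BSSID the customer never confirmed, is held for a phone call rather than attacked. Flipping the flag promotes only the authorized radios to `attack`; the neighbor's WEP network stays log-only no matter how tempting it looks.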
The cyber domain is the one with which most red teamers are familiar. Some red teamers are familiar with the physical domain, since they do close-access work. Finally, some red teamers are allowed to attack the human domain: the people and processes of the system.
Real adversaries use a full spectrum of attack techniques and take advantage of the overlap among the three domains to bypass defenses, jumping back and forth between them. Red teamers need to be able to do the same thing, and the customers of red teamers need to allow that.
If you would like to discuss these issues in depth, Sandia National Laboratories and The Johns Hopkins University Applied Physics Laboratory are sponsoring a workshop, RT2010: Planning for Cross-Domain Red Teaming, on 2-4 August 2010 at JHU/APL in Laurel, Maryland. This workshop is intended for red team planners, managers, and leads, and for the customers of red team services within the U.S. Government. If you do not feel you are the right person to participate, feel free to pass this invitation on to the right person in your organization. This will be a real, working event from which all participants will take away useful tools for planning red teaming that operates seamlessly in the cyber, human, and physical domains. The workshop will take place at the Secret level, and there will be a $50.00 fee to cover security and refreshments.
Sandia has an informational web-site that points to the registration web-site JHU/APL has set up for workshop participants to register, pay, and get information on sending clearances, getting directions, and finding a hotel. The intended audience for this workshop is not the shooters but the planners, managers, project leads, and customers of red teams. This is their chance to get templates for rules of engagement and operational plans that cover network, close-access, and social-engineering work. Even if you can't go yourself, please pass the information on to customers who have concerns about giving red teams full authorization for full-spectrum red teaming. They can help by suggesting possible limits and workarounds that let red teams portray real adversaries as realistically as possible while staying legal.

Raymond Parks is the point of contact for Sandia’s Information Design Assurance Red Team.