Sunday, March 16, 2014

Temple Mountain Moto

From time to time I get the craving to race around the desert at high speed. There is just something about putting on the body armor and helmet and racing for hundreds of miles around the desert at break-neck speed with my buddies. Temple Mountain is our most common destination.

Why do I like it so much? Because it is the exact opposite of my 'regular' life. Two days in the dirt and I am good for two months. Really, it is the perfect weekend. It relieves all the stresses of modern, monitored life.  It goes down like this.

Pick up friends. Drive South to Temple Mountain. Set up camp. Moto past dark. Build big fire. Sleep. Moto. Drive home.

Location and Routes
We base camp at Temple Mountain where there are good bathroom facilities and there is plenty of space to spread out. Temple Mountain has great trails immediately around the base of the mountain. The area has a very old, cool mine and related ruins and junk.  Temple Mountain was formerly the big supplier of uranium for Uncle Sam's nukes. Now it is BLM land loaded with old dirt roads and trails that lead to hundreds of the old mines. And no cell signals - bonus!

This is one of the larger abandoned mines in the area.

Temple Mountain to Muddy River / Caneville
This is a good ride. Straight from camp, you ride on the paved road about 14 miles to Little Wild Horse Canyon where you hit dirt and ride a really fun, fast sandy road through canyons and through super cool landscapes to the Muddy River. The only reason to cross the Muddy is to get to Caneville (made famous by Nitro Circus) where you can ride what is essentially God's skate park for dirt bikes. Think 200 foot-high hard sand half-pipes and you get the idea.

I *believe* off road vehicles are allowed on the highway between Temple Mtn and Little Wild Horse. At least that is what I keep telling myself…

Back of the Swell
This is a really fun ride. The first half is wide enough for Jeeps, but then it gets narrow and much more technical. Don't be intimidated by the first climb on the trail, which has a 100 foot drop on one side, is steep, and has lots of rocks. If you get through that you can easily enjoy at least the first half of the trail. Keep going and you'll enjoy a very technical, but doable ride. It ends up at Hidden Splendor Mine, which sports a gravel airstrip in the middle of nowhere. Really…an airstrip in the middle of nowhere! Surreal.

Information Security Explained in One Simple Diagram

Assets motivate adversaries. Adversaries exercise threats, which are realized through attack vectors against assets. Controls protect assets and reduce exposure to threats by counteracting attack vectors.

Monday, March 10, 2014

How to Construct a Threat Statement

Scientists begin experiments with a hypothesis. Researchers begin their papers with a thesis statement. It is similarly useful to begin a threat analysis with a threat statement. The threat statement establishes the scope of the threat and guides the analyst in his threat research. Consider this threat statement: “Unauthorized disclosure of sensitive data.” A partial map of the scope of this statement looks something like the diagram shown below.

This scope of analysis is a bit large. Consider how large it would be for an enterprise with sensitive information spread across hundreds of systems! However, it is not unapproachable. Every journey, however long, begins with a single step. In this case, that step is to decompose the threat into a series of narrower threat statements, such as this one: “Unauthorized disclosure of sensitive data through theft or loss of off-site stored data backup tape by outsider.” The map of this statement is much narrower.

This threat statement, unauthorized disclosure of sensitive data through theft or loss of off-site stored data backup tape by outsiders, is narrowly scoped. It identifies the threat agent (outsider); it specifies the assets in question (data backup tapes) and the method through which the threat may be realized (theft or loss). This narrowly scoped threat analysis can be completed quickly and compared with other related threat analyses for decision-making.

Analyzing narrowly defined threats does not preclude solving larger-scope threat questions such as the first one stated above, unauthorized disclosure of sensitive data. Solving them is necessary to protect sensitive information assets. However, the answer to these broad-scope threats is the sum of the solutions to the more narrowly scoped threat statements.

A well-bounded threat statement consists of four key elements: the asset category that is the focus of the threat agent’s objective, the end state condition the threat agent seeks to achieve within the context of the asset, the threat agent’s privilege level as it relates to the target, and the compromise approach the agent will use to realize the threat.

Target Asset / Asset Category
The target asset is the focus of the threat agent’s objective.  It is the system or category of systems the adversary seeks to compromise.  By restricting the threat statement to a specific asset or asset category, we establish boundaries for analysis of attack methods and related controls.  While the target may be a specific asset, modeling an asset category allows the analysis to be reused across multiple assets.

Other targets include an Internet connection, a core router, an internal web application, the Windows XP operating system, an Oracle 10g database, Windows Server 2003, a specific application such as Active Directory, or even USB flash drives.

End State
The end state is the condition the threat agent seeks to achieve within the context of the target asset. It is his goal as it relates to the system he is attacking. Including the end state in the threat statement narrows the analysis to the attack vectors used to achieve that end state.

Some other end states include application administrator access, network denial of service, unauthorized operating system access, remote system control, physical possession of storage media, and access to internal network communications.

Privilege Level
The threat statement should specify the threat agent’s privilege level as it relates to the target system. The types of attack methods available to a threat agent, and the complexity and risk exposure of executing those methods, are partially dependent on the agent and his privilege level as it relates to the target system. For example, physical compromise of a system within a secured data center is easier for an administrator with authorized access to the data center than for an outsider who has no data center access privileges.

Other privilege levels include an outsider with no access to non-public target resources, an insider who has access to the target system owner’s private network or physical facilities but no local area network or physical access to the target system, and a privileged insider who has direct physical or local network access to the target system.

Compromise Approach
The compromise approach specifies the category of methods the threat agent will use to realize the threat. The compromise approach in our example threat statement is theft of authentication credentials. This limits the scope of attack methods to those such as horizontal credential guessing, vertical credential guessing, keystroke logging, phishing, social engineering, and interception of network communications through CAM table flooding or ARP spoofing.
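The four elements above lend themselves to a structured record. The following is an added example (not from the post): it models a threat statement with the four elements, reports which elements a statement leaves open, and decomposes the post's broad statement into narrow ones by enumerating candidate values for the open elements. The candidate privilege levels and compromise approaches are constructed samples drawn from the post's own lists.

```python
"""Structured threat statements: check that a statement is well-bounded and
decompose a broad one into narrow ones. Added example; the four element
names follow the post, while the candidate values are constructed samples."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional

# The four elements of a well-bounded threat statement, in the order the
# post lists them. The order also fixes how decompose() enumerates them.
ELEMENTS = ("asset", "end_state", "privilege_level", "compromise_approach")


@dataclass(frozen=True)
class ThreatStatement:
    asset: Optional[str] = None
    end_state: Optional[str] = None
    privilege_level: Optional[str] = None
    compromise_approach: Optional[str] = None

    def missing_elements(self) -> List[str]:
        """Names of the elements this statement leaves unspecified."""
        return [name for name in ELEMENTS if not getattr(self, name)]

    def is_well_bounded(self) -> bool:
        return not self.missing_elements()

    def render(self) -> str:
        """Sentence in the post's form:
        '<end state> of <asset> through <approach> by <agent>'."""
        parts = [self.end_state or "compromise", "of",
                 self.asset or "an unspecified asset"]
        if self.compromise_approach:
            parts += ["through", self.compromise_approach]
        if self.privilege_level:
            parts += ["by", self.privilege_level]
        text = " ".join(parts)
        return text[0].upper() + text[1:]


def decompose(broad: ThreatStatement,
              candidates: Dict[str, List[str]]) -> List[ThreatStatement]:
    """Expand a broad statement into one narrow statement per combination of
    candidate values for the elements it leaves open. Elements the broad
    statement already fixes are kept as they are."""
    unknown = set(candidates) - set(ELEMENTS)
    if unknown:
        raise ValueError(f"not a threat-statement element: {sorted(unknown)}")
    missing = broad.missing_elements()
    uncovered = [name for name in missing if not candidates.get(name)]
    if uncovered:
        raise ValueError(f"no candidate values for {uncovered}")
    narrow = []
    for combo in product(*(candidates[name] for name in missing)):
        values = {name: getattr(broad, name) for name in ELEMENTS}
        values.update(zip(missing, combo))
        narrow.append(ThreatStatement(**values))
    return narrow


# The post's broad statement: asset category and end state only.
BROAD = ThreatStatement(asset="sensitive data", end_state="unauthorized disclosure")

# Constructed candidate values for the two open elements.
CANDIDATES = {
    "privilege_level": ["outsider", "insider", "privileged insider"],
    "compromise_approach": ["theft or loss of off-site stored backup tape",
                            "theft of authentication credentials"],
}


def narrow_statements() -> List[str]:
    """Rendered narrow statements derived from BROAD."""
    return [s.render() for s in decompose(BROAD, CANDIDATES)]


if __name__ == "__main__":
    print("Broad statement:", BROAD.render(),
          "| missing:", BROAD.missing_elements())
    for line in narrow_statements():
        print(" -", line)
```

Each rendered line is one narrowly scoped analysis that can be completed on its own and compared with its siblings, and the union of the six is the answer to the broad statement, which is the decomposition the post describes.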

Threat Agent Profile: Government Cyber Warfare

Cyber warfare encompasses nation-state activities taken against enemy computer systems and networks with the intent of controlling, compromising, or disabling function through electronic methods. The potential impact of cyber warfare is perhaps best described by an unnamed Chinese general who stated in 1996, “We can make the enemy's command centers not work by changing their data system. We can cause the enemy's headquarters to make incorrect judgment(s) by sending disinformation. We can dominate the enemy's banking system and even its entire social order.”[1]

In 2007 a Gartner report stated that thirty nations were developing cyber warfare capabilities and predicted that 30% of all nations would have cyber warfare capabilities by 2012.[2] The United States is leading the world in investment in cyber warfare infrastructure. In 2006 the U.S. announced the creation of the Air Force Cyberspace Command. During the announcement of the division, Secretary of the Air Force Michael Wynne said, “The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commander and the American people can rely on for preserving the freedom of access and commerce, in air, space, and now cyberspace.”[3]

Cyber Warheads – Stuxnet
Until early 2010, what a cyber weapon would actually look like, when it would first be used, and against whom and what it would be launched remained in the realm of conjecture. On June 17, 2010, the Belarus-based security firm VirusBlokAda Ltd discovered a new piece of malware resident on an Iranian-based client’s system that made cyber warfare manifest. Stuxnet isn’t just a one-off piece of malware. It is a framework for the development of future cyber-warheads.

In short, the function of Stuxnet is to damage the Iranian Natanz nuclear fuel enrichment plant and, possibly, the Iranian Bushehr nuclear power plant. Nuclear fuel enrichment plants use centrifuges to produce low enriched uranium. Stuxnet reprograms the Siemens industrial control system used at the Natanz enrichment facility to cause the IR-1 centrifuges to spin at rates and in patterns harmful to the centrifuges. Stuxnet also shut down the related warning and safety controls that would have alerted plant operators to the odd centrifuge behavior.

While Stuxnet infections did not remain isolated to Iran, data collected by Symantec through its monitoring infrastructure revealed that Iran hosted 58% of the total infected systems. Indonesia and India followed distantly with 18% and 10% of the total infected hosts.[4] And it seems to have achieved at least some of its intended effect. Between late 2009 and early 2010 Iran replaced about 1,000 IR-1 centrifuges at its Natanz facility. On November 23, 2010, the head of Iran’s Atomic Energy Organization, Ali Akbar Salehi, confirmed reports of cyber attacks against Iran’s nuclear facilities: “One year and several months ago, Westerners sent a virus to [our] country’s nuclear sites.” On November 29, 2010, Iranian President Mahmoud Ahmadinejad confirmed the reports in a news conference: “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts.”[5]

Natanz Hijacking Requirements and Stuxnet Solutions

Requirement: The location of the Natanz industrial control systems was not known, so the software had to crawl systems autonomously and detect on its own whether it was on one of the control systems.
Solution: Stuxnet contains exploits for four zero-day vulnerabilities, used for spreading through network communications and through USB drives and for escalating local privileges. Additionally, it copies itself to remote computers through network shares. Once on a system, Stuxnet examines its host to determine whether it is in fact a system used to control the IR-1 centrifuges known to be in use at Natanz.

Requirement: The industrial control systems (ICS) are not connected to any network that is connected to the Internet, so the malware had to jump the network air gap.
Solution: Stuxnet contains a zero-day exploit for infecting systems through USB media.

Requirement: The malware had to operate undetected for a long period of time, avoiding detection before achieving its objectives.
Solution: Stuxnet employs advanced rootkit techniques, and its malicious driver binaries are signed with stolen, valid digital certificates to avoid detection. It also contains features to bypass security products.

Requirement: The malware needed to be able to update without calling back to a command and control server.
Solution: Stuxnet-infected systems update each other using a peer-to-peer mechanism. Infected systems search for each other on their LAN. When one Stuxnet install detects another, they exchange version information; if the versions differ, the older instance is updated from the newer one.

Requirement: The IR-1 centrifuge attack code needed to work against the exact configuration of the programmable logic controllers used at Natanz.
Solution: Stuxnet contains the first-ever programmable logic controller rootkit, which hijacks the control system, disables alarms, and modifies alerting messages so that it remains undetected by plant operators.

Compromising the industrial control systems of the Natanz fuel enrichment processing facilities was no trivial task. Once released, the malware had to autonomously achieve some seriously daunting tasks. Ralph Langner, the pre-eminent Stuxnet expert, summed up Stuxnet best. “Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield. The technology is that much superior to anything ever seen before, and to what was assumed possible.”[6]

With Stuxnet out of the bag, governments around the world are scrambling to respond: assessing the exposure of their own critical infrastructure to Stuxnet-like malware and, no doubt, developing their own cyber warheads for use against all sorts of industrial control systems.

One of the prime targets of cyber weaponry is critical infrastructure controlled through electronic Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems allow remote monitoring and control of a broad deployment of physical-world infrastructure. In the hands of asset owners and operators, SCADA systems greatly increase operational efficiencies and capabilities. In the wrong hands, SCADA systems could disrupt or corrupt delivery of essential services. Consider how SCADA systems are used across a few industries:
Railroad – Automatic Train Control (ATC) systems provide remote computerized monitoring of train position, control of train speed, and rail switching.
Water – Water works organizations use SCADA systems to monitor water quality, flow, pressure, and operational status. They also use SCADA systems to control water production, distribution, and blending. Back in 2008, a California municipality published details of its SCADA water systems on its web site, going as far as showing a screenshot of its SCADA Human-Machine Interface (HMI). Probably not a great idea.
Nuclear Fuel Enrichment Processing – SCADA systems are used to control the complex nuclear fuel enrichment process.
Power Generation – Power generators use SCADA systems to monitor boiler temperatures, turbine performance, and environmental conditions and to control power generation equipment in real time.
Power Distribution – Power distributors use SCADA systems to manage power supply into their distribution network, manage flow, and monitor supply and demand.

As most SCADA systems are not directly Internet-accessible, the likely SCADA system compromise path is to compromise a system that has access to the network on which the SCADA system resides and use that system as a staging point for the attack against the SCADA system. With advanced malware kits that provide hackers persistent, stealthy remote control, this possibility is very real.
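The staging-point path described above can be checked against a site's own segmentation rules before an adversary does it for you. The following is an added example, not from the post or from any real site: it models network zones and the flows a firewall permits between them as a constructed graph, enumerates every indirect path from the Internet to the SCADA zone, lists the systems an adversary would have to control along the way (the staging points worth monitoring), and verifies that removing one permitted flow closes the path. The zone names and flow table are constructed assumptions.

```python
"""Find indirect paths into a SCADA network zone and the staging points on
them. Added example; the zones and permitted flows are constructed, not a
description of any real network."""
from typing import Dict, List, Set

# Directed graph: zone -> zones it is permitted to initiate connections to.
# Constructed sample: the SCADA LAN is not Internet-reachable directly, but an
# engineering workstation on the corporate LAN is dual-homed into it.
Flows = Dict[str, Set[str]]

ALLOWED_FLOWS: Flows = {
    "internet": {"dmz_web", "vpn_gw"},
    "dmz_web": {"corp_lan"},          # web tier may reach a corporate database
    "vpn_gw": {"corp_lan"},           # remote-access users land on the corporate LAN
    "corp_lan": {"engineering_ws"},
    "engineering_ws": {"scada_lan"},  # the dual-homed host bridging the gap
    "scada_lan": set(),
}


def attack_paths(flows: Flows, start: str, target: str) -> List[List[str]]:
    """All simple (loop-free) paths from start to target along permitted flows."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(flows.get(node, ())):   # sorted for deterministic output
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def staging_points(flows: Flows, start: str, target: str) -> Set[str]:
    """Systems an adversary must control on the way in: every zone that lies
    on some path but is neither the start nor the target. These are the
    places where detection and hardening effort pays off most."""
    return {zone for path in attack_paths(flows, start, target) for zone in path[1:-1]}


def without_flow(flows: Flows, src: str, dst: str) -> Flows:
    """Copy of the flow table with one permitted flow removed, i.e. the effect
    of a single segmentation fix, so the fix can be evaluated before rollout."""
    fixed = {zone: set(dests) for zone, dests in flows.items()}
    if src in fixed:
        fixed[src].discard(dst)
    return fixed


if __name__ == "__main__":
    for path in attack_paths(ALLOWED_FLOWS, "internet", "scada_lan"):
        print(" -> ".join(path))
    print("staging points:", sorted(staging_points(ALLOWED_FLOWS, "internet", "scada_lan")))
    fixed = without_flow(ALLOWED_FLOWS, "engineering_ws", "scada_lan")
    print("paths after removing engineering_ws -> scada_lan:",
          attack_paths(fixed, "internet", "scada_lan"))
```

On the constructed table there are two paths, both funnelling through the engineering workstation; that single dual-homed host is the choke point, so it is where host monitoring belongs and where the one flow removal below eliminates every path.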

[1] John A. Serabian, Jr., Information Operations Issue Manager, CIA, “Cyber Threats and the US Economy,” Statement for the Record before the Joint Economic Committee on Cyber Threats and the US Economy, February 23, 2000.
[2] Herbert Strauss, “Cyberwarrior: Re-examine the Risks as Cyberwarfare Evolves,” Gartner, June 5, 2007.
[5] “Iran says cyber foes caused centrifuge problems,” Reuters, November 29, 2010.