Son Of Sun Tzu

Tag - cyber

Friday 10 June 2016

How To Turn Wargamers Into Red Teamers, and Red Teamers Into The Actual Enemy

Earlier "today" ( Thursday 9th June ) I had the pleasure of listening to a free "Red Teaming 101 Webinar" by Mark Mateski of the Red Team Journal. ( The next event is on the 7th of July, and is listed here: http://redteamjournal.com/events/ ) This was an enjoyable high-level WebEx seminar about the idea of red teaming in general, very much on the "contrarian perspective" as a useful and under-used tool for organisations, with a quick run through of the overall concepts.

This inspired me to finally write down an idea that I've been ruminating on for a while. This piece is a drastically modified version of the article "Serious Wargames Needs Serious 'scout team' Wargamers" that appeared in issue 289 of The Nugget, "The Journal of Wargames Developments". Wargames Developments is a "loose association of like-minded wargamers dedicated to the continued development of wargames of any type whatsoever".

That original piece was in reply to Tim Price's piece in the previous issue, "Red Teaming, Black Games and Failure in our Wargames", which lamented that the lack of diversity in professional wargaming meant the play of the "red team" was unhelpful. However I was inspired to modify my article, and publish it in a wider context, by the Red Team Journal blog post "Operational Code Analysis for the Real-World Red Team, Part I" ( http://redteamjournal.com/2016/04/operational-code-analysis-for-the-real-world-red-team-part-i/ ). When announcing that piece via Twitter, the author Mark Mateski quoted from his article: "Know thy enemy? Good luck with that! ( Yes, I'm exaggerating, but only a bit. )".

In the article Mark enumerates a very useful list of 37 questions to ask yourself, or your on-hand experts, about the opponent you are modelling, in order to build a model of their "operational code": that opponent's way of working, of thinking, of fighting. That way you can simulate the operational code within your red team exercise, and effectively emulate the opposition.

Which brings us back to the original article by Tim Price. In it Tim highlighted the lack of an effective opposition within the serious games he'd been involved with: the people playing the opponent were clearly thinking and acting in the way that was usual for their own standing, culture and situation, which, since these were military simulations, was usually much the same way as the organisation they were attacking. While that approach might win the game, it isn't very useful when trying to understand the enemy, which is the point of playing the wargame or simulation in the first place. Tim Price pointed to the use of experienced amateur wargamers as a solution: players who've spent a great deal of time looking for winning strategies outside of the "rules", and who have little regard for any artificial constraints on victory.

However I put forward that Tim is correct only up to a point, and considering his experience this wasn't a position I took lightly. Serious wargamers are partly ideal for this situation: they are people used to adversarial situations and everything that goes with them, from the importance of a reserve force to the necessity and value of logistics. Those serious wargamers are who you want because, as Tim said, "they are programmed to seek winning strategies". However I think Tim omitted an equally valuable characteristic of the right kind of wargamer, one which the members of Wargames Developments bring to mind: the wargamers needed must be more interested in understanding the game, in solving the puzzle the game represents, than in winning the game. For the wargamers representing the opponent, those playing the red team, the overall aim needs to be to determine how to win this kind of game, rather than to win this particular instance of it. They need to be a true OPFOR: the aim is not to win this game but to win all games against this opponent, and ideally to understand how this particular type of game can be won.

Now I'm only on the periphery of serious gaming, it's one of the career options I'm currently considering, but I was initially astounded that imitating the opponent isn't seen as best practice, nor a diverse set of players and experts seen as the way to achieve it. To me it seems obviously nonsensical that putting forward imitation of the enemy as the main prerequisite is seen as some kind of underground or iconoclastic point of view. But then, taking a step back to consider the situation for a moment, there has been a similar discussion going on for some time in my own field, the world of Penetration Testing. Penetration Testers are hired to attack a company's systems to look for security vulnerabilities, with the aim of illustrating and describing those vulnerabilities before they're exploited by genuine attackers. However it's becoming increasingly clear that penetration testers tend to illustrate the security issues that penetration testers would exploit, those issues that are more intriguing to investigate or more exciting to describe, whereas a criminal hacker will pick on easy targets to make money; the opponents penetration testers are meant to be representing don't have time to play with puzzles, and they are not looking for stories to tell, they have a job to do and money to make.

( If you're interested, this slide deck from a recent presentation at the RSA Conference is a good summary of the arguments: http://www.rsaconference.com/writable/presentations/file_upload/asd-w02-intelligent-application-security-rsa.pdf )

So if Serious Gaming doesn't get this, and neither does Penetration Testing... neither industry being notably short of smart people... does anyone have what I believe is the right point of view? In my experience the best example comes from one of my other interests, American Football. To over-simplify, there are two sets of players on a team: Offense, who play when you have the ball, and Defense, who play when the opponents have the ball. Team rosters are huge, partly due to how common injuries are in the game, so there are definite "starters" on Offense and Defense, backed up by "second string" and "third string" players. Due to the wide variety of styles of play in the sport, the starters need to practice against the specific playing style of the opponent they'll face that week, and this is where the "scout team" comes in. The scout team consists of the second and third string players on your own team imitating the style and plays of that week's upcoming opponent, for the benefit of the starters. As well as their ability to play the sport overall, scout team players are graded on their ability to imitate opponents, and this is what serious gaming needs.

I should stress that this is where players willing to be a "scout team" are required, rather than players with knowledge of all possible opponents or combat environments. It is these "scout team" players that serious games need: open-minded wargamers who are more interested in winning the game than in winning the battle the game represents. Understanding the difference between the two is crucial.

Overall, it is those rare players capable of and willing to emulate an opponent that serious wargaming needs to make up a "scout team", which to me is taking the profession much more seriously than merely winning or losing whatever battle is being played. So while my angle was different to Tim Price's, my conclusion was the same... serious wargames need serious hobby wargamers.

Back to Mark Mateski's piece on operational code. As I say, there's a comprehensive set of questions in that article, but after that Mark appears to hit something of a block. He suggests a couple of techniques for helping the red team work under that operational code, but these are quite general and designed to suit every situation.

Sticking to the imagined scenario of my original piece, looking at serious games, expected to be an exercise of a few days, and military in nature and therefore directly confrontational, I see two useful ways to turn the answers from Mark's 37 questions directly into something a red team can use:

Firstly - "trait cards". Each of Mark Mateski's questions should elicit several statements on the operational code of the opponent that the red team is looking to emulate, anything from "use deception whenever possible" to "prefer indirect over direct fire" or "sacrifice soldiers rather than ground" and so on. Each answer to those 37 questions should be distilled into a trait and written on a card, and assigned a number of points by the red team in conjunction with the experts being used to provide information on the operational code of the opponent. Whenever the red team carries out an action during the engagement, and I'm thinking of a wargame with something of a turn-based structure, where actions are put forward by player teams and resolved by a combination of the wargame's system and its umpires, the red team can play the appropriate trait cards in order to score points. Therefore the more successfully the red team emulates the opponent by following the cards, the more points they'll score.

This is a version of the idea of "XP", or experience points, from roleplaying games, which I referred to in my original tweet displayed above. Experience points are awarded by the person running the game, usually a GamesMaster ( GM ), in return for completing objectives, but most importantly in this context they are also awarded for successful roleplaying, for a player acting in the same way that the character they are playing would act. These trait cards would formalise that role-play aspect, and enable the red teamers to judge what kind of action they should take to emulate the opponent.

Secondly - a CARVER matrix based on the perceived operational code of the opponent. A CARVER matrix, to quote directly from Wikipedia, "was developed by the United States special operations forces during the Vietnam War. CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability and is a system to identify and rank specific targets so that attack resources can be efficiently used. CARVER was developed in WWII by the OSS for the French field agents as a simple, uniformly and somewhat quantifiable means of selecting targets for possible interdiction. CARVER can be used from an offensive (what to attack) or defensive (what to protect) perspective." This matrix could show the value, to the red team, of destroying different assets being operated by the blue team. Therefore the red team can now prioritise goals through the CARVER matrix, and choose which actions to use to reach those goals through which trait cards they can play.

This method is relatively simple, and stops the red team trying to win the game... it's now intuitive for them to act with a single objective in mind: accumulating points. This gives the red team a method to turn the answers to Mateski's 37 questions into actions, and gives the blue team in the wargame a version of the opponent that is in some way following the real world opponent's operational code.
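To make the two mechanisms concrete, here is an added example, not from the original post, of the scoring loop they describe: trait cards with preconditions and point values, a CARVER matrix giving each blue team asset a total across the six criteria, and a red team turn that picks the candidate action maximising trait points plus target value. The card texts come from the post; their point values, the 1..5 scale per CARVER criterion, the targets, and the candidate actions are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed example: trait cards distilled from operational-code answers.
# Point values are illustrative assumptions, set with the subject-matter experts.
@dataclass(frozen=True)
class TraitCard:
    name: str
    points: int
    requires: frozenset  # action attributes that must all be present to play the card

CARVER_CRITERIA = ("criticality", "accessibility", "recuperability",
                   "vulnerability", "effect", "recognizability")

def carver_total(scores):
    """Sum a target's six CARVER criteria; each is assumed scored on a 1..5 scale."""
    missing = set(CARVER_CRITERIA) - set(scores)
    if missing:
        raise ValueError(f"missing CARVER criteria: {sorted(missing)}")
    for criterion, value in scores.items():
        if not 1 <= value <= 5:
            raise ValueError(f"{criterion}={value} is outside the 1..5 scale")
    return sum(scores[c] for c in CARVER_CRITERIA)

def rank_targets(matrix):
    """Return (target, total) pairs, highest CARVER total first: the red team's priorities."""
    return sorted(((t, carver_total(s)) for t, s in matrix.items()),
                  key=lambda pair: pair[1], reverse=True)

def playable_cards(action_attrs, cards):
    """Cards whose preconditions are all satisfied by the action's attributes."""
    attrs = frozenset(action_attrs)
    return [card for card in cards if card.requires <= attrs]

def score_action(action, cards, matrix):
    """Trait points for the cards the action lets the red team play, plus the
    CARVER value of the target the action is directed at."""
    trait_points = sum(card.points for card in playable_cards(action["attrs"], cards))
    return trait_points + carver_total(matrix[action["target"]])

def choose_action(actions, cards, matrix):
    """One red team turn: the candidate action that accumulates the most points."""
    return max(actions, key=lambda a: score_action(a, cards, matrix))

def recalibrate(cards, new_points):
    """Re-issue cards with adjusted values when the model drifts from the opponent's code."""
    return [TraitCard(c.name, new_points.get(c.name, c.points), c.requires) for c in cards]

# Constructed data. Card texts follow the post; everything else is assumed.
CARDS = [
    TraitCard("use deception whenever possible", 5, frozenset({"deception"})),
    TraitCard("prefer indirect over direct fire", 3, frozenset({"indirect_fire"})),
    TraitCard("sacrifice soldiers rather than ground", 4, frozenset({"hold_ground"})),
    TraitCard("strike logistics before combat units", 2, frozenset({"logistics_target"})),
]

MATRIX = {  # blue team assets scored by the red team with the experts (1..5 each)
    "fuel depot":   dict(criticality=5, accessibility=4, recuperability=4,
                         vulnerability=4, effect=4, recognizability=3),  # total 24
    "brigade HQ":   dict(criticality=5, accessibility=2, recuperability=3,
                         vulnerability=2, effect=5, recognizability=4),  # total 21
    "river bridge": dict(criticality=3, accessibility=5, recuperability=2,
                         vulnerability=5, effect=3, recognizability=5),  # total 23
}

ACTIONS = [  # candidate red team actions for this turn
    {"name": "feint at bridge, artillery on depot", "target": "fuel depot",
     "attrs": {"deception", "indirect_fire", "logistics_target"}},
    {"name": "direct assault on HQ", "target": "brigade HQ", "attrs": {"direct_fire"}},
    {"name": "hold the bridge under fire", "target": "river bridge", "attrs": {"hold_ground"}},
]

if __name__ == "__main__":
    for target, total in rank_targets(MATRIX):
        print(f"{target:14s} CARVER total {total}")
    for action in ACTIONS:
        print(f"{score_action(action, CARDS, MATRIX):3d} points: {action['name']}")
    print("chosen:", choose_action(ACTIONS, CARDS, MATRIX)["name"])
```

The "direct assault" option scores nothing from the cards, so even though the HQ is a high-value target the scoring steers the red team toward the deceptive, indirect, logistics-first action that the modelled opponent would favour. Changing a card's value with recalibrate is the adjustment described below: the mechanics stay the same, only the weights move.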

As with all attempts at gamifying a process in order to improve adherence to it, there will be a gap between the actual operational code of the opponent and how that is portrayed by the red team in the wargame. Turning a vague statement that the enemy will employ deception whenever possible depending on available time and resources into a card stating "employ deception in an attack, score five points" means assigning complex decisions a value on a linear scale, but I think what you would lose in complexity you gain in focus.

And if the trait card points or CARVER matrix turn out to be wildly incorrect, to the extent that the red team aren't emulating the opponent in the wargame, then just change the values. Red teamers, especially the leaders, and especially if they have ready access to experts on how the opponent being emulated thinks, should be able to spot when the numerical model has too great a gap from the perceived, or the actual, operational code of the opponent to be useful; and they can then modify the scoring on the cards and in the matrix.

Unfortunately I've yet to have an opportunity to practice this idea, but I see this as the way to turn the perception of an operational code into an actionable set of ideas that a red team can use during an exercise, and therefore this will effectively guide the red team into achieving their true aim: emulating the opponent. Also it gives wargamers, acting as a red team, a way to naturally and intuitively play a wargame in a way that is of use to the blue team, while naturally and intuitively using their desire to win.

And one last thought, considering the expected competitive nature of red teamers... have two red teams in play, neither knows the constituents or deliberations of the other team, just what actions they've taken and how many points they've scored.

Monday 2 May 2016

Why legal firms should consider moving to the Cloud.

A few days ago @munin highlighted a critical issue with Office365 and SAML assertions, and suggested that this is why high-stakes data shouldn't be in the Cloud. The tweets are here:

https://storify.com/SonOfSunTzu/no-it-doesn-t

Credit for discovery of the vulnerability goes to Ioannis Kakavas and Klemen Bratec, their write-up is cross-posted on their blogs:

http://www.economyofmechanism.com/office365-authbypass.html

https://bratec.si/security/2016/04/27/road-to-hell-paved-with-saml-assertions.html

In response to this issue being disclosed @munin asserted that this is why "high-stakes data" shouldn't be in the Cloud.
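The linked write-ups give the actual details of the issue; as an added example, which is neither the post's own code nor the researchers', here is the kind of check a multi-tenant SAML 2.0 service provider needs over and above signature, issuer, audience and expiry validation: the issuing IdP may only assert identities in the domains federated to it, otherwise any tenant's IdP can mint a validly signed assertion for a user of another tenant. The issuer URLs, the domain registry, the audience, and the HMAC used as a stand-in for an XML-DSig check against the IdP's certificate are all constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_AUDIENCE = "urn:example:sp"  # constructed entity ID for this service provider

# Constructed registry of federated IdPs. The "key" is an HMAC secret standing in
# for the IdP's X.509 signing certificate; "domains" are the domains it is federated for.
FEDERATED_IDPS = {
    "https://idp.tenant-a.example": {"key": b"tenant-a-secret", "domains": {"tenant-a.example"}},
    "https://idp.tenant-b.example": {"key": b"tenant-b-secret", "domains": {"tenant-b.example"}},
}

class AssertionRejected(Exception):
    pass

def sign(issuer, subject, audience, not_after, key):
    """Stand-in for XML-DSig: a MAC over the fields the SP relies on."""
    msg = "|".join([issuer, subject, audience, not_after]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_assertion(issuer, subject, audience, not_after, key):
    """Build a minimal SAML 2.0 assertion whose Signature element carries the stand-in MAC."""
    sig = sign(issuer, subject, audience, not_after, key)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{issuer}</saml:Issuer>
  <Signature>{sig}</Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "sig": root.findtext("Signature") or "",
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "",
        "not_after": root.find("saml:Conditions", NS).get("NotOnOrAfter"),
        "audience": root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS),
    }

def validate(xml_text, now, bind_subject_to_issuer=True):
    """Return the authenticated subject, or raise AssertionRejected."""
    a = parse(xml_text)
    idp = FEDERATED_IDPS.get(a["issuer"])
    if idp is None:
        raise AssertionRejected("unknown issuer")
    expected = sign(a["issuer"], a["subject"], a["audience"], a["not_after"], idp["key"])
    if not hmac.compare_digest(expected, a["sig"]):
        raise AssertionRejected("bad signature")
    if a["audience"] != SP_AUDIENCE:
        raise AssertionRejected("wrong audience")
    if now >= datetime.fromisoformat(a["not_after"]):
        raise AssertionRejected("expired")
    # The check a multi-tenant SP must not omit: the issuing IdP may only vouch
    # for identities in domains that are federated to it. Everything above passes
    # for a well-formed assertion signed by *some* federated IdP, which is not enough.
    if bind_subject_to_issuer:
        domain = a["subject"].rpartition("@")[2].lower()
        if domain not in idp["domains"]:
            raise AssertionRejected(f"issuer may not assert for {domain}")
    return a["subject"]

def outcome(xml_text, now, bind_subject_to_issuer=True):
    """'accepted:<subject>' or 'rejected:<reason>', for the demonstration below."""
    try:
        return "accepted:" + validate(xml_text, now, bind_subject_to_issuer)
    except AssertionRejected as e:
        return "rejected:" + str(e)

# Constructed scenario: tenant A's user, asserted by tenant A's IdP (legitimate)
# and by tenant B's IdP (cross-tenant, correctly signed with tenant B's own key).
NOW = datetime(2016, 5, 2, 12, 0, tzinfo=timezone.utc)
LATER = datetime(2016, 5, 2, 13, 0, tzinfo=timezone.utc)
EXPIRY = "2016-05-02T12:05:00+00:00"
OK_ASSERTION = make_assertion("https://idp.tenant-a.example", "alice@tenant-a.example",
                              SP_AUDIENCE, EXPIRY, b"tenant-a-secret")
ROGUE_ASSERTION = make_assertion("https://idp.tenant-b.example", "alice@tenant-a.example",
                                 SP_AUDIENCE, EXPIRY, b"tenant-b-secret")

if __name__ == "__main__":
    print("legitimate      :", outcome(OK_ASSERTION, NOW))
    print("rogue, unbound  :", outcome(ROGUE_ASSERTION, NOW, bind_subject_to_issuer=False))
    print("rogue, bound    :", outcome(ROGUE_ASSERTION, NOW))
```

With the binding check disabled the rogue assertion is accepted: its signature is genuine, its issuer is a registered federation partner, its audience and expiry are fine. Only the last check ties the asserted identity back to the tenant that the signing IdP actually controls. A production implementation would replace the HMAC stand-in with XML-DSig verification against the registered certificate, canonicalise before verifying, and make sure the signed element is the one whose contents are consumed, since signature-wrapping attacks exploit a gap between the two.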

Now I see where @munin is coming from. I was, and to some extent still am, a fan of on-premises data storage rather than having data out there on the Internet somewhere. However information security is so difficult, the required protective infrastructure is so expensive, and skilled people are so hard to find, that using Cloud services in order to obtain the required infrastructure and skills is the way to go. There are many, many reasons, but I think these are the big ones:

1 Law firms are notoriously reluctant to spend on information security, and arguably it's not economically viable for them to obtain security of the level used on Office 365. I state this from personal experience, not just from the fallout of the recent Mossack Fonseca breach. Thankfully this was recently discussed on the invaluable Risky Business podcast, episode 407 - http://risky.biz/RB407 - head 35 minutes in if you're short of time, but otherwise the whole podcast is worth listening to. Anyway, HD Moore stated:

"if you look into legal services ... any industry where you've got a lot of high paid professionals that are not IT, the IT aspects of the security side of the business generally gets neglected; they just don't value the IT people, the security people, as much as they should. So that's one of the reasons you see a lot of wide open law firms..." ( edited slightly for clarity )

2 Munin's statement that "Because diversity in setups prevents large-scale attacks from working" is wrong. In theory it's incorrect because diverse but equally poor or out-dated setups, given the prevalence of easy to use tools such as Metasploit and the almost universal success of repeatable tactics such as phishing, mean that diversity is of no use here. In practice I think the sheer number of successful attacks, and the results from published breach investigation reports, show that, whether through the large number of attackers, the low security of targets, or both, facing new infrastructure isn't slowing anyone down. This is mainly due to the right skills being hard to find. Again, the timing of Risky Business was fortunate, as Space Rogue ( Cris Thomas, Strategist for Tenable Network Security ) said later on in that episode: "it comes down to people ... security people are hard to come by, they cost a fortune, and if you want decent security you need someone who knows what they're doing".

3 This disclosure was rewarded because of Microsoft's bug bounty programme... I assert that it's far less likely for a law firm to run such a programme.

4 Using this specific issue as an example, it was fixed in seven hours, I can't imagine a Law Firm's IT department being capable of achieving anything near to that.

Overall, if putting high-stakes data in the Cloud isn't the "best way" it is the "least worst". Wanting to keep high-stakes data out of the Cloud is understandable, but particularly in the case of law firms it's a little like saying it's safer to keep your life savings under your mattress rather than in a bank: yes, you're not part of a big and attractive target, but your security is going to be much, much worse.

Footnote - of course, you need the right Cloud service... as pointed out on Risky Business 407, Mossack Fonseca are selling their own secure cloud document service: http://www.mossfon.com/service/evolusoft/