Episode 75 - Red-teaming learning outcomes - it's about making it hard for an attacker, not making impossible

Summary: Karan Khosla, Director of Privasec provides case study insight into the Privasec’s red-teaming operations. Hosting a Cyber Risk Meetup round-table luncheon in Sydney, the cybersecurity specialists exposed a number of large enterprise executives to a broad range of red-teaming vulnerabilities, where physical and information security systems were readily breached or circumvented to achieve the ‘capture the flag’ goal. In this case, proof was shown by applying a Privasec sticker at the target location, be that access to senior staff offices, server rooms and including achieving full network administration level access. Despite four case studies being presented, we’re just going to focus on one - a critical infrastructure operator in the utilities sector. Calling in Privasec to assist determine what a local disrupter could do in terms of disrupting services or cause actual harm. The mission was to access ten (10) sites to identify and locate a SCADA based control room, how it can be accessed and then what could be done once there. Following 15 – 20 days reconnaissance and site surveys during the day and night, the team established daily or predictable patterns and how could they be manipulated. Drones were flown over the site to identify any other potential areas of access or activity. The red team then began the process of attacking, be that to blend in and appear to have a legitimate reason for being onsite. This may include appearing as maintenance personnel, with readily available apparel bought from a local hardware store. Other potential entry points include fire exits and using an ‘under the door’ tool, allowing doors to be readily opened. Access was gained in this manner. On entry, there were uniforms available, as well as access cards and the team was able to look exactly like an employee. The next mission was to find the control room – but rather than do it the hard way, once inside the red team simply ‘asked’ other staff where it was and they were directed and kindly escorted to the control room. A sneaky cover was that a security assessment was actually being conducted. Just no-one actually bothered to have this verified. Indeed, a security officer was finally alerted to these ‘sneaky auditors’ however, with the production of a fake letter on company letterhead, the security officer took this as verification and went further by escorting the team around, pointing out security issues he had observed but were not being fixed. The exercise is a clear learning outcome to alert staff to remain aware and to have confidence in challenging for correct credentials whilst in the workplace. There is a responsibility of safety on all staff to remain vigilant and aware. A culture of security compliance and ‘looking out for each other’ is a good standard to reach for. Complacency will allow or indeed, facilitate security breaches, should it be allowed to creep in. Some case studies involved red teams breaching security within 15 minutes and demonstrated a poor and 'unreasonable' security posture. Organisations should focus on making it hard for an attacker, not about making impossible. Having a holistic, protective security approach is the best way. For more information visit https://privasec.com.au/ For future Cyber Risk Meetup events in Sydney, Melbourne and Singapore visit www.cyberriskmeetup.com