
Cyber warfare: an unorthodox view from the battlefield


They say we are living the militarization of the cyber domain, meaning that you are connected to a warzone while reading this. Are you scared, buddy? Nope, right? I know you have been eating cyber-attacks for breakfast. That’s why I want to share some half-cooked ideas with you. The whole thing starts on the battlefield, that place where soldiers meet. Unfolding it, we may realize that someone needs to rewrite the security books out there.

Roberto Rigolin Ferreira Lopes

September 18, 2015



Transcript

  1. In short. Three things: Cyber Commands, Unorthodox, Battlefield.
  2. The devices: Tactical Network. Node A <Dismounted>: UHF, WLAN. Node C <Mobile>: VHF, UHF, WLAN, SatCom. Node B <Relay>: SatCom, VHF. HQ. Node D <Deployed>: SatCom, VHF, UHF, WLAN.
  3. Scenario: Tactical Ground Report System with Distributed Security Policies. Node C, Node A, Node B exchange: soldier localization, adversary localization, vehicle localization, live camera, aerial photos.
  4. The architecture: Nodes on the Tactical Network (Node A <Dismounted>: UHF, WLAN; Node C <Mobile>: VHF, UHF, WLAN, SatCom; Node B <Relay>: SatCom, VHF; HQ; Node D <Deployed>: SatCom, VHF, UHF, WLAN). SV-1 TSI Node: «Software» TSI Node, Controller, Service Mediator, Packet Handler, Message Handler; «Function» Session Management, Message Exchange, Message Adaption, Message Forwarding, Message Transport, Packet Forwarding, Packet Scheduling, QoS Handling, Routing, Security Handling, Service Registry, Contextual Monitoring, Policy Management, Metadata Handling; «ResourceArtifact» BS, IS; interfaces IF I001, I002, I003, I004, I005, E001, E002. Service-Oriented Architecture <Security>.
  5. Reference Architecture. Simplifying this thing: Packet Handler (1), Message Handler (2), Service Mediator (3), Controller (4); cross-cutting: Policy management, Security handling.
  6. Implementing the cross-layer message exchange. Reference Architecture: Packet Handler, Message Handler, Service Mediator, Controller (1, 2), layered over Network Simulator, SOA Platform, Operating System. The bridge from the SOA platform down to the operating system, as shown on the slide:

       // Call out from the Java SOA platform to the OS: resolve `domain` with the `host` tool and wait for it to finish.
       // Runtime.exec(String) splits the string on whitespace and runs no shell, so a `domain` value containing spaces turns into extra `host` arguments.
       Process p = Runtime.getRuntime().exec("host -t a " + domain);
       p.waitFor();
  7. TSI: Tactical Service Infrastructure. The approach: <Experiments>, <Design>, <Prototyping>, <Services>. (SV-1 TSI Node diagram, as on slide 4.)
  8. In short. What if we X-ray the architecture? <Packets> <Messages> <Services> <Controller> <Attacker>. Hygiene: flossing and brushing.
  9. Extending the TSI Node to expose the SOA Platform and the Operating System. Security at the Reference Architecture: SOA Platform, Controller, Service Mediator, Message Handler, Packet Handler, Operating System, with <Policy Management> (1) and <Security Handling> (2). Building blocks: Cryptography; Tactical Platform Guard; Tactical Support Guard; Policy Manager; Privilege Management; Policy Manager as Policy Enforcement Point, Policy Decision Point, Policy Administration Point; Detection, Diligence, Protection, Planning, Response; QoS. <domains>: one PEP per domain a, b, c on the TSI Node <a,b,c>. Shall we claim being protected?
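The slide splits the Policy Manager into a Policy Administration Point, a Policy Decision Point and one Policy Enforcement Point per domain (a, b, c). The following is an added illustration of that standard PAP/PDP/PEP split as a small policy engine; it is not TSI code, and the roles ("soldier", "relay"), actions ("read", "publish"), rules and domain assignments are constructed for the example.

```python
# Added example: PAP / PDP / PEP split with one PEP per domain (a, b, c).
# Not TSI code; all roles, actions and rules below are constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Literal

Decision = Literal["Permit", "Deny"]


@dataclass(frozen=True)
class Rule:
    role: str        # subject role the rule applies to (constructed: "soldier", "relay")
    action: str      # operation on the service (constructed: "read", "publish")
    domain: str      # security domain of the resource: "a", "b", "c", or "*" for any
    effect: Decision


@dataclass(frozen=True)
class Request:
    subject: str     # identity that already passed authentication
    role: str
    action: str
    domain: str


class PolicyAdministrationPoint:
    """PAP: where rules are authored and stored."""

    def __init__(self) -> None:
        self._rules: list[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self._rules.append(rule)

    def rules(self) -> list[Rule]:
        return list(self._rules)


class PolicyDecisionPoint:
    """PDP: evaluates a request against the PAP's rules.
    Default deny (no matching rule -> Deny) and deny-overrides
    (an explicit Deny beats any Permit, wildcard or not)."""

    def __init__(self, pap: PolicyAdministrationPoint) -> None:
        self._pap = pap

    def decide(self, req: Request) -> Decision:
        matching = [
            r for r in self._pap.rules()
            if r.role == req.role
            and r.action == req.action
            and r.domain in ("*", req.domain)
        ]
        if not matching or any(r.effect == "Deny" for r in matching):
            return "Deny"
        return "Permit"


@dataclass
class PolicyEnforcementPoint:
    """PEP: one per domain, like the slide's PEP a / b / c.
    It holds no policy logic of its own: it asks the PDP, enforces the
    answer, and records every decision so the Detection side can later
    observe what was allowed and what was refused."""

    domain: str
    pdp: PolicyDecisionPoint
    audit: list[tuple[str, str, str, Decision]] = field(default_factory=list)

    def enforce(self, req: Request) -> bool:
        if req.domain != self.domain:
            decision: Decision = "Deny"   # not this PEP's domain: refuse rather than forward
        else:
            decision = self.pdp.decide(req)
        self.audit.append((req.subject, req.action, req.domain, decision))
        return decision == "Permit"


def build_node() -> dict[str, PolicyEnforcementPoint]:
    """Constructed rule set for one node with domains a, b, c."""
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule("soldier", "read", "*", "Permit"))
    pap.add_rule(Rule("soldier", "publish", "a", "Permit"))
    pap.add_rule(Rule("soldier", "read", "c", "Deny"))   # c stays closed to soldiers despite the wildcard
    pap.add_rule(Rule("relay", "read", "b", "Permit"))
    pap.add_rule(Rule("relay", "read", "c", "Permit"))
    pdp = PolicyDecisionPoint(pap)
    return {d: PolicyEnforcementPoint(d, pdp) for d in ("a", "b", "c")}


def demo() -> list[bool]:
    peps = build_node()
    return [
        peps["a"].enforce(Request("alice", "soldier", "publish", "a")),  # Permit
        peps["b"].enforce(Request("alice", "soldier", "read", "b")),     # Permit via the wildcard rule
        peps["c"].enforce(Request("alice", "soldier", "read", "c")),     # explicit Deny overrides the wildcard
        peps["b"].enforce(Request("alice", "soldier", "read", "c")),     # wrong PEP for domain c
        peps["b"].enforce(Request("bob", "relay", "publish", "b")),      # no rule at all: default deny
    ]


if __name__ == "__main__":
    print(demo())
```

The design point is the separation the slide draws: the PEPs sit in the message path and only enforce, the PDP only decides, and the PAP is the one place where policy changes. The audit list each PEP keeps is the raw material for the Detection and Response blocks on the same slide.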
  10. The experts. “Hey YOU, check out this cyber-attack!” “Hey Marthe, what about a run?” “Hey Messi, let’s play some football?”
  11. What just happened? Observe, Orient, Decide, Act. You. The basic abstraction for a mission/operation.
  12. OODA-loop modelling battles. On the battlefield, against an equally capable adversary, whoever manages to get inside the adversary’s decision loop WINS! Observe-Orient-Decide-Act (YOU) against Observe-Orient-Decide-Act (Adversary). Faster tempo and rhythm will generate confusion and disorder … <Faster tempo> <Disorder>
  13. OODA-loop. What if the battlefield is a football field? Same story… Faster tempo and rhythm will generate confusion and disorder … <Faster tempo> <Disorder>
  14. Tactical fractal: four Observe-Orient-Decide-Act loops, one inside the other.
  15. Tactical fractal: five nested Observe-Orient-Decide-Act loops, running on Handheld <Dismounted>, Drone <Relay>, Laptop <Mobile>. Looks like a fractal, QUACKs like a fractal, but don’t let it FOOL you, it is a TACTICAL FRACTAL!
  16. Cyber warfare. Related tools: Eavesdrop (adversary listening to data flows; SIGINT probing troops’ localization); Spyware (malicious software within the network); Jamming (SIGINT creating noise in the channels); Logic bombs (a piece of code defining a malicious function); Stuxnet, etc.; new techniques being created right now!
  17. In short: history of cyber conflict. 1980s: Realization. 1998-2003: Take off. 2003 to now: Militarization. Milestones: 1986: Cuckoo’s Egg; 1988: Morris worm; 1998: Solar Sunrise; 1998: Moonlight Maze; 2007: Israel invaded Syrian airspace; 2010: Stuxnet; Today.
  18. Militarization at work: 0-days market, experts, spy companies, governments, investments. Tools + Infra + exploits. Cyber Commands? Digital arms race… Stuxnet started this?
  19. Stuxnet in short: Zero Day + 1, 2, 3, 4. Implement, sign it (with a <Stolen> key), deploy it, running. Air gap; control system; code to break things silently. Main thread, .dll, injected code, .LNK exploit. The key shown on the slide:

       -----BEGIN PRIVATE KEY-----
       MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALMm7bbrJurAWtEJ
       b9RfjRHMPP/XXjfmVXFc68no+I6jhZksPqKOshwv/pnGDdPOwO3B4k28EDX2YQK5
       j8zFgNF/yC4tmjKfirsy6hSC4G/LPZ3VHPFDUp9JefGUA0gskVHHjzKQp8LAJWQ0
       8cfyrNWWh6IK++WzC5C/bwh1XVTLAgMBAAECgYB1zJIgZe04DPVqYC8lURL8cfRm
       MeIlFZJ3MSdlo4fUmtddCYfB8dxRxok96cnrzRZ0/7jjblamdPQDC6rvdaqmfLFx
       nJ/RVhCj6HqDMrQnv/9tnl6UQmkaYSnYvTn2GgmpqvBf9RUQk4+kjwgRgdqKxaIz
       oH8j0ZxMh2DOZuzJMQJBAOJwEnbG085q2k1Qg8PQz0cpVG9QCE3sJUNs0hMPC7dk
       IzknFtidlpCf6NMboJ2Nt9dzmJmKLqWb3oauyQRQA6MCQQDKin0wElLV1268IbcF
       RXhkVlxcg5fDEazeNL9p1z5vmwaq0IcLtSPrIaect2hacCkfJoREhcA+f9YIpcod
       lby5AkEApyXla0ofpXqYxIOPkGc96qCmlDh2uNZ9N0VH2Qu9MVW47oJdSe8h6oYv
       /k2hhUvMjjzlQ0mOX28slyzEc+uAkwJAWlAsiE3zX+UjPIJwIMqcZ2lW3+3Rsyrj
       gWXV4HUZIxzmeS5ouWC5NnSYT7o8ru8KdxhurDtTwMqx/sMmf9CwCQJAIDbMwwIs
       XStw0y/M9+hdPUkccVoHyXKPTensyX/miAUwHZN/oadGUUOZO7XBKb1uNFv1uowU
       29bGgXa+mvb6aA==
       -----END PRIVATE KEY-----
  20. Security requirements. Stuxnet is a different beast: it passed the access control! Can we use the OODA-loop to catch this? Delivering the .dll; .dll running? Attacking from within… The future? Authenticated and authorized…
  21. In short. (SV-1 TSI Node diagram, as on slide 4.) Remember our sexy architecture? Disclaimer: hot stuff, prohibited for under 18. Let’s rethink how to protect it…
  22. Remember: seven Observe-Orient-Decide-Act loops, nested. How to model nested loops?
  23. Challenges. Observe-Orient-Decide-Act (Team Stark) against Observe-Orient-Decide-Act (Team Ultron): Protected or Hacked. Faster tempo… How? How? How? (1, 2, 3)
  24. Just A Rather Very Intelligent System (JARVIS). What if you have planted Stuxnet at your adversary? How to play with it? Three scenarios: you are attacked; you are attacking; both are playing… What does it mean to lose a battle? What about winning? How intrusive is the whole thing? JARVIS: Just A Rather Very Intelligent System. JARVIS 2016: same stuff but damn secure!
  25. The beginning. Roberto Rigolin Ferreira Lopes, [email protected]. “Forget it all. Don't be afraid. Do what you get the most pleasure from. Develop your talents wherever they may lead. Damn the torpedoes - full speed ahead!” ― Richard Feynman