So, first thing is what do we mean by operationalize? This is a big word for the principle of taking over the adversaries systems. As a key factor to conflict the desired state is to control the ability of the adversary to respond or have the ability to exact losses from the adversary. Since we are using the insurgency metaphor for much of our discussion the idea is to use the adversaries tools, resources, and capabilities against them. To do this command and control of the network is the most important aspect of continued operations in cyber warfare.
There are a few important tasks to gaining command and control. The first is knowing the features of the target network. How large is the network? Where and what are the systems of the network? Be careful and wary of falling into the trap of thinking that servers and personal computers are the only thing of interest. What is the subnet and network configuration? How many nodes per subnet and other metrics will allow you evaluate the strategies used by designers if any. Other interesting elements are is the network a single vendor or monoculture environment? Are all the routers, switches and hubs from Cisco? Are all the servers, clients and applications from Microsoft? In these monoculture environments especially where strict controls are in place the gaps of administrator knowledge can be opened into opportunities.
As a quick note if there is a hierarchical or operational pattern instantiated on a network it then becomes trivial to find the keystones or pattern of intersections necessary to compromise the network. More important than causing disruption or destruction (find the keystone and pull it) is the idea of finding the nodes of command and control and use the adversaries network to augment your efforts.
If this all is so easy why is it not seen more often? For one point it is seen fairly often as a form of espionage. The catastrophic and cataclysmic if fairly unknown in anything but SCADA networks. Dr. Joseph Weiss reported to congress that he has at least 250 deaths that can be attributed to large scale SCADA failures. Bruce Schneier once stated that we won’t see these kind of network attacks because they are non-trivial and serve no purpose. The reality is that if an intelligence-gathering tool is extremely successful it is doubtful that it would be exposed for one attack. As an example during World War 2 encryption secrets were not exposed and attacks that were known to be in the works not countered to keep the secrets. Cyber likely has may of these types of dark alleys.
Being in a position to take over a network completely is right up there with flapping your arms to fly to the moon. In sufficiently large-scale networks of the enterprise variety characterized by internal routing, bridging, and multiple subnets this is a large task. Thankfully the normal adversary is going to alleviate some of that burden by using simple network management protocols, applications like Uni Center, or Sun Remote Services. As such a key point starts to emerge. To exploit at one layer attack the next or lower layers. As an example if you were exploiting an application you might attack at the session or network layers using replay or man in the middle attacks. This like many other strategies are not hard and fast rules but guidelines. Using SNMP can allow for quick access but even slovenly administrators will turn off or secure SNMP. That leaves a couple of patterns that are interesting.
One pattern is that of the standard Microsoft Domain Controller network. This represents centralized command and control. Depending on the level of control exacted on the network the domain controller represents the primary authentication mechanism. As such if exploited other items can be exploited within the network using this primary device. Usually heavily considered in the security planning it must still expose itself for such mundane tasks as DHCP. Though in larger networks this can be distributed as a task.
The second pattern is the ad hoc network. Usually defined by a lack of definition it still has substantive characteristics. It can have short legs of connectivity to singular function machines. It will usually be laid out as a spider-web rather than a hierarchical network. The ad hoc network may use local resources such as predefined network addressing based on function. Within this type of network usually the naming convention is one way to figure the types of systems. As an example if the network is named after Star Trek characters start with Kirk or Spock but not “red shirt”.
The daring reader with technical aplomb may be saying, but “HOW” do you exploit a domain controller. The technical aficionado skipped right past that. To exploit the domain controller you must have access to an interface on the domain controller. That interface can be a production (everybody has access), a management interface (controlled), wireless (for disaster recovery) or some other type of network connection. An interesting connection point is the storage area network (SAN) interfaces which may be wide open in many ways to simply connecting. Since the SAN in many implementations has controllers and basically embedded computers it may be a juicy little highly privileged target. When thinking about cyber warfare it is sometimes more important to think sideways about a problem rather than head on.
1 comment for “How to wage cyber warfare: Operationalizing the network, Part 6”