11 – Aftermath and Lessons Learned

A. DEFENDERS: Effectiveness

    The hospital network defenders actually had a good threat analysis completed that carefully considered real cyber threats, but then failed to use it in designing their security plan or in the controls that were actually implemented. Risk assessment is supposed to consider the attackers' viewpoint and weigh their possible gain against their cost in order to arrive at a determination of likelihood.

    It is an extremely “upstream” process that predicates and determines the general direction of all the other controls. If it is done incorrectly, it can influence every other element of the security plan. In this case, this upstream failure doomed all their other efforts by failing to realize the true nature of the threats they faced.

    The security plan appears to have been created in “boilerplate” fashion, copied from a template for all sites. This is okay as long as those parts are covering “common controls” that are specified by a central body, but not for any site specific parts. And if the common controls are done poorly, they will of course be done poorly for the entire enterprise. In this case, the security plans were in a shambles, representing paperwork only and full of errors even at that level. Most of the security plans showed little or no awareness of cyber attacks as a threat.

    Session limiting controls were in place, but had little effect on limiting exposure because the timeouts were too long (at 15 minutes) and the controls were not supported by other strong controls such as physical security and security awareness. This problem was exacerbated by the fact that public hospitals have computers in non-restricted spaces. Session limits and security awareness need to be raised to more stringent levels in areas with public accessibility, and/or other security measures, such as network segmentation and firewalls, should be used. Proximity cards could be used to force logoffs when a user leaves a system.

    Wireless controls were in place, but had little effect in slowing down the penetration of the attackers because the technical level of the controls was not as advanced as the technical level of the attackers. Many of the standard wireless security measures (such as SSID cloaking and MAC address filtering) are trivial to defeat when the attackers have the correct knowledge and tools. WEP encryption is not safe in any configuration and can now be cracked in a matter of minutes, instead of hours. WPA encryption in conjunction with enterprise level authentication was needed.

    Password strength settings were clearly defined in the security control, and well enforced by policy settings on the Windows systems, but they were not strong enough to prevent passwords from being cracked quickly and easily because of the LM hash format. The defenders knew about this weakness but had not taken action to update the plan, perhaps lulled to sleep by the false sense of security behind their strong perimeter defense.
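The LM weakness described above, as an added illustration that is not part of the original chapter: the script models LM's pre-processing (upper-casing and splitting into two independent 7-byte halves; the DES step itself is left out) and compares the resulting worst-case search space with that of an unsplit, case-sensitive hash under the same password policy. The alphabet, lengths and hash value used are constructed sample inputs, not values from the scenario.

```python
import math
import string

# Well-known LM hash of an empty 7-byte half (password of 7 characters or fewer).
LM_EMPTY_HALF = "AAD3B435B51404EE"
# Constructed sample policy alphabet: mixed-case letters plus digits.
POLICY_CHARSET = string.ascii_letters + string.digits


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Model the LM pre-processing: upper-case, cut/pad to 14 bytes, split in two.
    The real algorithm then uses each half as an independent DES key (omitted
    here), so neither half protects the other."""
    data = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return data[:7], data[7:]


def lm_charset_size(charset: str) -> int:
    """Alphabet size left after LM case folding (upper and lower case collapse)."""
    return len({c.upper() for c in charset})


def keyspace_ntlm(charset: str, length: int) -> int:
    """Worst-case guesses against a case-sensitive, unsplit hash of this length."""
    return len(charset) ** length


def keyspace_lm(charset: str, length: int) -> int:
    """Worst-case guesses against LM: each 7-byte half is searched on its own,
    so the cost is additive rather than multiplicative, and case is ignored."""
    n = lm_charset_size(charset)
    first = min(length, 7)
    second = max(0, min(length, 14) - 7)
    return n ** first + (n ** second if second else 0)


def lm_weakening_bits(charset: str, length: int) -> float:
    """How many bits of effective strength the LM format throws away."""
    return math.log2(keyspace_ntlm(charset, length)) - math.log2(keyspace_lm(charset, length))


def second_half_is_empty(lm_hash: str) -> bool:
    """Audit check on a stored LM hash: a second half equal to the empty-half
    constant means the account's password is 7 characters or fewer."""
    return lm_hash.strip().upper()[16:32] == LM_EMPTY_HALF


if __name__ == "__main__":
    for length in (8, 14):
        print(length, "chars:", keyspace_ntlm(POLICY_CHARSET, length), "vs LM",
              keyspace_lm(POLICY_CHARSET, length),
              f"({lm_weakening_bits(POLICY_CHARSET, length):.1f} bits lost)")
```

Run stand-alone it prints, for an 8- and a 14-character policy, how far the LM search space falls short of the unsplit hash; the audit helper can be applied to hashes exported from a domain's own password store.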

    This control was missing entirely and allowed rogue equipment to be plugged into live network ports and access the wired network with no intervention required.

    Physical protections were nearly 100% aimed at the main “computer room” and systems in publicly accessible areas were ignored. If the publicly accessible systems were handled differently, segmented from the rest of the network and treated with great concern, this might be okay. They were not.

    System updates were being done by an automated centralized tool, but not with a fast enough turnaround and many systems were apparently being missed by the tool and not tracked adequately. Even had they been done as fast as possible, with zero-day vulnerabilities becoming almost normal, this defensive component was becoming futile against professional attacks.

    Anti-Virus software was deployed well and used properly, but easily bypassed when the attackers used customized malware without known signatures.

    Intrusion detection was being done, but not very well. With all the other weaknesses in the defensive scheme, this element became critical for detecting the attackers’ presence inside the perimeter after successful penetrations. This was not well understood, and the concept of IDS was poorly implemented and underutilized.

SANS teaches a PICERL process for incident handling that includes the following:

  • Prepare
  • Identify
  • Contain
  • Eradicate
  • Recover
  • Lessons Learned

When the “Prepare” phase of this process is done poorly, the rest of the process suffers and it becomes more difficult to detect and respond to an incident. When the “Identify” phase fails, the rest of the process becomes irrelevant until the incident is actually identified. This can be catastrophic.

Federal law specifies that each government agency must follow the Certification and Accreditation process. In accordance with this, the defenders had spent much time and energy on developing an all-encompassing set of policies that governed their network security. Some of these policies were clearly defined and some were not. Some of them were correct solutions for security issues and some were not. Most of the time, whether the policy was clear and correct or not, the policies were not creating effective defenses against attacks. The end result was that the PHA spent millions of dollars and employed hundreds of “security specialists” to produce policy and procedure based paperwork, and to perform security inspections that mostly focused on making sure policy and paperwork were in place and failed miserably to actually remedy the real security weaknesses.

In the end, the defenders had been forced to completely shut down their entire network of computer systems at the worst possible moment, and it would take months to recover to a fully operational state. The cost of all this was immeasurable. The highest cost of all, of course, was in human lives lost by the hospitals that might have been saved had the hospitals been able to respond to the crisis in anything resembling a normal fashion. It is difficult to estimate how many lives were lost simply by the magnification effect of the cyber attack alone (ignoring any casualties that would have been sustained by the bio-weapons attack with no cyber attack), but numbers were suggested in the range from many hundreds to many thousands. The stunning success of the attacks created havoc and insecurity that had long term effects on the stock markets and overall economy. There was an overwhelming political response and general uproar as everybody tried to assign blame and attach their own agendas to the flood of public opinion. A military mobilization and strikes against various related targets followed. When the dust of the immediate crisis began to settle, there was a massive wave of firings and resignations within the PHA and a full-blown festival of lawsuits ensued. Victims and their families filed both criminal and civil suits against every figurehead in the government that could in any way be associated with the PHA. All of the PHA administrative staff and most of the senior network management and officials responsible for security were included. Class action lawsuits continued for years afterward and took many years to be completely settled.

C. DEFENDERS: Lessons Learned

While the policy and paperwork approach offers a complete and comprehensive methodology for performing network security, it is worthless without realistic application toward actual threat scenarios.

The risk assessment component can drive the entire process in either the right or wrong direction. In this case, the components of threat analysis that include the viewpoint of the attackers (penetration testing, studying hacker techniques, attackers’ psychology and motivation, war-gaming scenarios…) were entirely missing from the security planning process. A corrected threat analysis must then focus attention on the critical components of the defense to prevent successful attacks. In this case, most of the security controls discussed here are such critical points and must be reinforced as much as possible.

Even with the best possible defensive posture, the attackers might be able to penetrate a network, and great attention must be given to intrusion detection (and extrusion detection) processes that are capable of detecting an attacker’s presence on the network AFTER a successful penetration. Response teams need to be trained in handling incursions in progress, not just forensic analysis after the fact. A silent attacker presence scenario (where the attackers complete their penetration and decide to lie quietly in wait inside your network until the right moment arises to capitalize on their position or leverage it into an attack on another trusted network) may be even more dangerous than the outcome portrayed here. It has been suggested that current real cyber attackers are in fact doing just that.

D. ATTACKERS: Effectiveness

  • Perimeter Attack
    This attack vector was 100% successful, and while the decision to stop and wait for a zero-day vector was a good one, it may not have been needed. In all likelihood, considering the weakness of the defenders’ intrusion detection ability, direct attacks using old exploits that would have been seen immediately might have been successful too. This would have required using some other tactics, including disabling automated defenses such as HIPS and AV, but these techniques are possible. Detected intrusions would also require very quick pivot attacks to create entrenched positions on other systems before the defenders could react, but this also does not seem to be much of a problem. As long as the current situation with zero-day exploits stays in place, this will continue to be a viable attack vector.

  • Wireless Attack
    This attack vector was wildly successful because of the weaknesses in the WEP encryption protocol. As defenders continue to learn and adjust to WPA and strong authentication, this vector will diminish. Bluetooth and other wireless mechanisms are now growing rapidly and offer many new vectors, just as 802.11 did in its early stages. The future success of wireless attacks will depend on migrating to new tactics and tools as the landscape shifts.

  • Bypass Attack
    This vector was 100% successful and is likely to remain so for some time. Signature based defenses are simply too easy to defeat. The best alternative at the moment seems to be anomalous behavior recognition, and that too can be defeated by mimicking the appropriate behavior.

  • Walk-in Attack
    While this vector was also 100% effective, it might be the easiest to defend against. However, the defenders’ failure to adequately adjust security defenses between private systems and systems in publicly accessible spaces left them wide open. The strongest advantage this attack has is the wide variety of attack options and social engineering opportunities available. Once physical security is completely tightened down, this vector can always shift toward extortion and bribery efforts.

The penetration and disruption mission was a complete success. Everything the attackers tried worked well.

“What the ancients called a clever fighter is one who not only wins, but excels in winning with ease.” Sun Tzu

F. ATTACKERS: Lessons Learned

Using the multi-pronged attack was great for training the field operatives, but involved far higher risk of discovery than was necessary. Future attacks will be designed to be more focused on single weaknesses that have been identified by reconnaissance and perhaps even other missions (whether successful or failed).

Future attacks will be more stealthy in nature and will involve extrusion techniques that are nearly impossible to detect, used to export both enterprise data and command and control information for virtual botnets operating inside the defensive perimeter. Such a silent presence is likely to be far more valuable to a national security penetration team, unlike the terrorists who wanted to immediately use (and therefore eliminate) the inside position gained.
