FEATURES & COMMENTARY
Albuquerque, N.M. — Over the past two years, a group at Sandia National Laboratories known informally as the Red Team has, at customer invitation, either successfully invaded or devised successful mock attacks on 35 out of 35 information systems at various sites, along with their associated security technologies.
Their work – challenged only by a new style of defense, also developed at Sandia, called an “intelligent agent” – demonstrates that competent outsiders can hack into almost all networked computers as presently configured, no matter how well guarded, say spokespeople for the group, formally known as the Information Design Assurance Red Team or IDART.
Networked computers might include e-commerce, transmitted or Net-stored financial data (from credit cards, money-machine cards, and bank accounts), as well as medical data.
Sites investigated by Sandia’s self-described “bad guys” include information systems from two very large corporations and several key government agencies, says team leader Ruth Duggan from the Red Team lab in a restricted area of Sandia, a Department of Energy national security laboratory.
“We found specific weaknesses in every system,” Duggan says.
IDART was started in 1996 by Michael Skroch, now on assignment with DARPA (Defense Advanced Research Projects Agency). DARPA was one of the team’s principal sponsors before Skroch was asked to join that organization as a program manager.
The Red Team’s mode, says team member Ray Parks, is to “role-play the position of an adversary” – a point of view sometimes unexpectedly difficult for system designers to adopt.
In August, DARPA is sponsoring the Red Team to teach a short course to invited government agencies on how to design better information systems by understanding how to think like an attacker.
While the Sandia group’s actions are entirely legal, its adoption of an “outlaw” mindset combined with a willingness to do relatively deep analyses of ways an information system can be penetrated (whether through the Internet or by an insider) has helped test and develop concepts in security technology. Some of these concepts are so advanced they are not yet available in the marketplace.
The typical IDART group, which may consist of three to eight hackers, sometimes explains to clients in advance exactly how and when they will attack. System defenders have time to prepare specific, automatic, and even redundant defenses for their software, platforms, firewalls, and other system components. Yet results disconcert clients every time: their defenses are breached.
“Right now, information system defenders have a very difficult job,” says Duggan. “Our goal is to improve the security of information systems to make the attacker’s job difficult instead.” But the group has a long way to go. “Fortified positions do take us longer to break in,” she says, “but on the order of minutes, not hours.”
“In the past, I’ve been a system defender,” says longtime team member David Duggan. “It’s frankly nice to be on the winning team.” His guileless smile belies the chill of his words. “If I’m an intruder and I merge with background noise, how can you tell I’m there?”
The extraordinarily broad abilities of cyber attackers – from professional hackers to terrorists to state- and corporate-sponsored aggressors – to penetrate any system they desire can result in pilfered information, corrupted data, a change in the order of operations, or a flat denial of services. Any of these, to an individual, is an annoyance. To major corporations, they could result in billions of dollars misplaced or stolen, or in loss of reputation. In a medical or military emergency, an adversary who could intercept messages, corrupt data, and deny access to services could cause catastrophic damage.
To forestall such problems, the Red Team prefers to be called in on the design stage of a system, though it can attack a system already in place to ferret out weak points. “Our job is to understand how systems can be caused to fail, and then to help the customers improve the surety of their systems,” says Sam Varnado, Energy and Critical Infrastructure Center Director.
The group attacks from templates it creates of different types of hackers. The Red Team’s favorite adversary is the cyber terrorist, an adversary model principally developed by Brad Wood, who led the Red Team for two years. Says David Duggan, “We role-play cyberterrorists as people who go after low-hanging fruit in cyberspace, i.e., places people forget to defend. Why attack a firewall when a modem is wide open?” The group assumes cyberterrorists are risk-averse and don’t want to be caught. “The typical hacker, on the other hand, may not care about being caught after he’s done his deed, and maybe even wants the notoriety.”
The Red Team asks company executives about their “worst nightmares” to deduce the targets the company or agency most wants protected. The team assumes cyberterrorists can learn how the system is designed. The Red Team uses only “open-source” attacks – that is, attacks that are publicly available – announced in advance. It still breaks in. Then team members share data on their attack: places, times, and length of defense.
The point, say Red Team members, is not to keep score, but to keep good data. The group tries to demonstrate credibly how an adversary might attack, and then discuss with the customer what it did – a big difference between Sandia and “Red” teams from private companies that run the equivalent of simple computer programs used to test vehicles. Instead, “We find ways the systems can be used other than the way they were intended,” says David Duggan. “We may use their security against them,” says team member Julie Bouchard.
The problem in devising defenses is no one has adversaries sitting under a microscope with probes attached, waiting to be studied.
Another big problem, members of the group say, is that most software these days is written overseas or without validation. Trojan horses that go off when the adversary chooses to trigger them could be placed in it. Asked why such events haven’t already happened, group members speculate it may be better for adversaries to keep US systems up, in order to extract data from them.
The Red Team participates in attacks that might range from a week to five months. The nature of the work can still raise hackles among defenders, who may sometimes fail to appreciate a friendly attacker. One group member tells clients to say to themselves, “The Red Team is my friend,” and repeat it twice more when tempers grow short.
Sandia does not release the names of IDART’s clients, but describes the IDART process at its web site, http://www.sandia.gov/idart/. A paper on its work, “New Paradigms in Network Security: Using Red Teams as a measure of systems assurance,” will be presented in Cork, Ireland, at the New Security Paradigms Workshop 2000, sponsored by the Association of Computing Machinery (ACM), Sept. 19-21.