Red teaming for lifeline infrastructures

Published by Juan Mosso on

From supporting societies’ most basic human needs to enabling their most ambitious endeavors in commerce, science, and technology, lifeline services and critical infrastructures underpin modern civilization’s well-being and development. Without them, it would not be possible for governments to ensure people’s and businesses’ health, safety, and economic security [1]. Lifelines and critical infrastructures are so critical that the disruption or destruction of one of their core functions directly affects the security and resilience of many other sectors and components within and across modern civilizations.

Up to the 1990s, lifeline services and critical infrastructures were taken for granted. Governments as well as people were confident that the water, energy, communications, health, transport, banking, and defense sectors would always deliver products and services in line with demand and their mission. Then a set of isolated catastrophic events occurred in Japan in 1995 [2] and in the United States of America (U.S.) in 2001 [3] that suddenly changed things and triggered interest and a response from governments globally. In light of these events, and because nations’ lifelines and critical infrastructures cannot be separated from public well-being, it could be said that many populations around the globe are standing on a time bomb, especially those living in big cities.

In a context of many long-lasting states of conflict with no simple and unambiguous conditions that would lead to their conclusion, Cyber threat actors around the world will exploit the opportunities arising not only from the existing high levels of interconnection and interdependence between critical infrastructure components but also from the growing integration of information and communications technologies (ICT) between them in order to project power. Cyber offensive capabilities can be transformed into cyber weapons with the potential to disrupt lifeline services and critical infrastructure, creating Cyber and even kinetic effects that could harm entire populations without intervention from a nation-state defence establishment. The Japan 1995 and U.S. 2001 attacks on public transportation illustrate the capacity of Cyber threat actors to subvert nations’ critical infrastructures to achieve weapons of mass destruction (WMD) effects without actually using WMD. Targeting lifeline services and critical infrastructures is essential for threat actors seeking to limit countries’ ability to protect their people; that is why nations should protect them.

Cyberspace has a great impact on the Westphalian international state system by creating an anarchic and lawless virtual territory, undermining the current world order [4]. The use of Cyber power by nation-states, and by non-state actors too, correlates with Robert J. Art’s four functions of power, “defense, deterrence, compellence, and swagger” [5]. Cyber-diplomacy has become a core component of international relations in an effort to manage Cyber risk. It is at the heart of building a comprehensive and effective nation-state defense strategy for the times to come [6], one in which all players are carefully considered, whether they are nation-states, transnational corporations, or even individuals. States, just like non-state actors, are keen to employ cyber strategies and capabilities, as well as other forms of military force, economic power, or social influence, in trying to impose their interests. Cyberspace is now a domain of conflict and operations [7] where countries, as well as criminal organizations, develop their capabilities to operate. Therefore, as in other political and military domains, Cyberspace strategy is essential, and offensive capabilities and operations need to be discussed due to their relevance for defense. Cyberspace coercion and deterrence strategies are being developed by many actors to drive adversary action or to shift adversary behavior. The development and employment of Offensive Cyber Capabilities (OCC) [8] in trying to reach strategic goals and impose power superiority [9] is now a reality. Cyber deterrence capabilities can be implemented by nation-state government organizations, by the military, by private companies, or by any motivated threat actor with the required Cyber capabilities and resources.

Nations are challenged to defend the public’s health, safety, and welfare from attacks that may occur in cyberspace, launched by adversaries that seek to harm national interests not only during times of crisis or conflict but also in peacetime. To this end, government, military, and private-sector organizations should collaborate in developing Cyberspace capabilities and in integrating those capabilities into the full array of tools that governments use to defend national interests. Private owners and operators of lifeline and critical infrastructures are now involved in Cyberspace strategy and operations, so they are an integral part of different conflict hypotheses and scenarios. Nations are shifting their cyberspace strategies from purely reactive postures to postures of persistent, active Cyber engagement, integrating private-sector companies into the national defence instrument [10], under the umbrella of applicable law and public-private collaboration.

Advanced Red Teaming could play an essential role in supporting states’ Cyber defense and diplomacy approaches and efforts to protect lifeline and critical infrastructures. On one hand, Red Teams can strengthen deterrence-by-denial strategies by helping improve states’ Cyber defence capabilities, boosting resilience and increasing the cost of attacks, making them less viable. On the other hand, Red Teams can help in responding to Cyber threats in an effort to control the spread and limit the impact of attacks.

Because final responsibility for the security of lifelines and critical infrastructures lies in states’ hands, and because private-sector owners and operators play a paramount role, Red Teams should be thought of as mixed, public-private efforts with the mission of helping states enforce comprehensive national cyber defense strategies and capabilities. Based on that idea, advanced Red Teaming strategies and capabilities could then play a central role in:

  1. Preventing organizations, public or private, from becoming a weak link in Cyberspace, and
  2. Building cyber offensive capabilities to support active cyber defense.

However, the art and science of Red Teaming are immature. Current Cyber active defense capabilities are not keeping pace with the challenge posed by Cyberspace complexity and dynamics, especially in the context of lifeline services and critical infrastructures. In facing this challenge, Red Teams need to build advanced Cyber offensive capabilities to continuously challenge plans, operations, concepts, organizations, and defense capabilities, driven not only by adversaries’ motivations and capabilities but also by internal risk-driven thinking. A series of operational- and tactical-level considerations are presented in this work to bring these ideas down to earth, addressing how to imagine, design, plan, integrate, and conduct Cyber Offensive Operations (COO) so as to maximize strategic and operational success through the effective and timely preparation of the operational environment (OE) and the integration and synchronization of offensive Red Team capabilities and operations. Presence-based operations, characterized by constant contact and generally conducted remotely and clandestinely from remote networks and systems, are discussed in the context of key offensive processes such as adversary intelligence gathering, OE preparation for attack, and targeting to accomplish strategic-level objectives. Event-based operations are also analyzed to understand how short-term, tactical objectives are supported by means of almost instant and highly localized effects projected in and through Cyberspace [11].

While Red Team operational planning is far beyond the scope of this work, some important general considerations have been made to introduce the reader to relevant issues regarding the strategic concerns, namely:

  • The reality of conflict, a constant-contact phenomenon (-> constant planning),
  • Lifeline services and critical infrastructures as targets of APT,
  • The relevance of doctrinaire concepts such as the Center of Gravity (CoG), joint operations, mission intent, critical factors, among others.

Mosso’s “Offensive Reference Model” (ORM) [12] as well as the U.S DOD “Common Cyber Threat Framework” [13] are good references to better understand operational frameworks.

Finally, this work is a general analysis, an introduction to the subject. It is only the starting point of a series of future works aiming to deepen the study of the challenges linked to the development of Red Teams for lifeline services and critical infrastructures.

References

[1] Federal Emergency Management Agency (FEMA). “Community Lifelines Implementation Toolkit. Comprehensive information and resources for implementing lifelines during incident response”. November 2019. https://www.fema.gov/sites/default/files/2020-05/CommunityLifelinesToolkit2.0v2.pdf

[2] Robyn Pangi. “Consequence Management in the 1995 Sarin Attacks on the Japanese Subway System”. February 2002. https://www.belfercenter.org/sites/default/files/legacy/files/consequence_management_in_the_1995_sarin_attacks_on_the_japanese_subway_system.pdf

[3] U.S. Government. “The 9/11 Commission Report. Final Report of the National Commission on Terrorist Attacks Upon the United States”. ISBN 0-16-072304-3. https://www.govinfo.gov/content/pkg/GPO-911REPORT/pdf/GPO-911REPORT.pdf

[4] Jonathan F. Lancelot. “Cyber-diplomacy: cyberwarfare and the rules of engagement”. Journal of Cyber Security Technology. 2020. DOI: 10.1080/23742917.2020.1798155. https://doi.org/10.1080/23742917.2020.1798155

[5] Art RJ. “Understanding International Relations: the value of alternative lenses: the four functions of force” (5th ed.). Kaufman DJ, Parker JM, Howell PV, et al., Eds. New York, NY: McGraw-Hill Companies; 2004.

[6] André Barrinha & Thomas Renard. “Cyber-diplomacy: the making of an international society in the digital age”. Global Affairs, 3:4-5, 353-364. 2017. DOI: 10.1080/23340460.2017.1414924. https://doi.org/10.1080/23340460.2017.1414924

[7] The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). “NATO Recognises Cyberspace as a ‘Domain of Operations’ at Warsaw Summit”. 2016. https://ccdcoe.org/incyder-articles/nato-recognises-cyberspace-as-a-domain-of-operations-at-warsaw-summit/

[8] Matthias Schulze. “Cyber Deterrence is Overrated: Analysis of the Deterrent Potential of the New US Cyber Doctrine and Lessons for Germany’s Active Cyber Defence”. 2019. https://www.swp-berlin.org/10.18449/2019C34/

[9] USCYBERCOM. “How understanding cyberspace as a strategic environment should drive cyber capabilities and operations”. November 30, 2016. Unclassified. https://nsarchive.gwu.edu/document/19781-national-security-archive-2-uscybercom-how

[10] Dr. Sven Herpig, Robert Morgus, Dr. Amit Sheniak. “Active Cyber Defense: A comparative study on US, Israeli and German approaches. What is Active Cyber Defense?”. 2020. https://www.kas.de/documents/263458/263507/Active+Cyber+Defense+-+A+comparative+study+on+US,+Israeli+and+German+approaches.pdf

[11] Daniel Moore. “Targeting Technology: Mapping Military Offensive Network Operations”. Department of War Studies, King’s College London, London, United Kingdom. 10th International Conference on Cyber Conflict, CyCon X: Maximising Effects. T. Minárik, R. Jakschis, L. Lindström (Eds.). 2018 © NATO CCD COE Publications, Tallinn. https://ccdcoe.org/uploads/2018/10/Art-05-Targeting-Technology.-Mapping-Military-Offensive-Network-Operations.pdf

[12] Mosso Juan Manuel. “Intelligent Cyber Defense”. Bacchuss Cyberdefense. 2015. https://arxiv.org/pdf/1506.03830.pdf

[13] Office of the Director of National Intelligence (ODNI). “The Cyber Threat Framework (CCTF)”. 2021. https://www.dni.gov/index.php/cyber-threat-framework