Climate Change Impacts International Security

International security, also known as global security, refers to the efforts of states and international organizations to secure the survival of humanity (Buzan & Hansen, 2009). This extends to the safety and security of individual people as well. Multiple kinds of environmental conflict already exist and will continue as climate change affects the Earth: conflict over the relationship between resources and the environment, conflict arising from scarcity or abundance, conflict within resolution and peacemaking, and the destruction of the environment by military establishments (Jordan, 2021).

There are two main perspectives from which to view environmental conflict: realist and institutionalist. A realist believes that the world exists in anarchy, so cooperation is largely overlooked. Realists also argue that environmental change contributes to internal conflict and interstate war (Jordan, 2021). From the institutionalist perspective, cooperation is possible by creating and adhering to rules and norms. Within this perspective, successful cooperation rests on norms that serve a mutual interest, and participants take steps to prevent cheating on the rules (Jordan, 2021). Beyond the hypothetical, there are real-world examples of both viewpoints.

Climate change has accelerated over the last few decades. Among the scientific community there is a consensus that warming must be limited to two degrees Celsius to avoid catastrophic damage to the environment (Busby, 2018). “As temperatures rise, the distribution of climate phenomena will shift. Floods that used to happen once in a 100 years will occur every 50 or every 20” (Busby, 2018). These changes in temperature will change the pattern of natural disasters. “Events such as droughts and coastal flooding, exacerbated by global warming, result in food and water shortages and mass human migrations that can destabilize governments and threaten U.S. national security interests” (Strawa, 2020).

As these disasters occur throughout the world, people will be forced to migrate to other areas and states will fight over resources. Busby argues that richer countries will most likely be able to absorb the costs of moving people and obtaining resources, while poorer countries will be the source of global problems once they can no longer afford the food and supplies necessary for their survival.

As resources dwindle, states will lay claim to them, and escalation will lead to climate wars as states try to obtain the resources their people need. In the United States, the Colorado River supplies water to the entire Southwest. In August 2021 a water shortage on the river was declared for the first time, beginning water cuts to certain areas (Sakas, 2021). Fortunately, this is a domestic issue and the federal government has the authority to enforce an agreement on water distribution. Any government can resolve internal conflict by setting rules, imposing taxes and punishing defectors if necessary (Jordan, 2021, Lecture 2). Developing rules and getting states to abide by them becomes much more difficult at the international level.

“India and Pakistan, for example, both draw a great deal of water from the Indus River, which crosses disputed territory” (Busby, 2018). This will escalate further than the Colorado River example because no regulating body oversees the two states. As needs increase, there will be more desperation to fight for the resource to improve the state’s chances of survival. These two examples concern water, but the same logic applies to all natural resources as scarcity worsens. To avoid dependence on other states’ resources, some states “will innovate to reduce their dependence on these minerals, such pressures will become more common as the clean energy transition progresses” (Busby, 2018). This only delays the inevitable, because some resources cannot be replaced by innovation. Escalation over resources necessary for survival will lead to climate wars as states try to provide for their people.

As climate change increases the frequency of natural disasters, some states lose access to resources altogether. “Declining agricultural productivity and other climate risks will compel people to move from the countryside to the cities or even across borders. Tens of thousands of people will have to be relocated” (Busby, 2018). These resources are necessary for a nation’s survival, and when a state can no longer take care of its citizens, those citizens will seek refuge elsewhere. Busby goes on to ask, “for those that cross borders, will they stay permanently, and will they become citizens of the countries that take them in?”

In response to this future, New Zealand has proposed a potential “new visa category for small numbers of climate refugees from Pacific island states” (Busby, 2018). These refugees would differ from those who currently seek shelter from war or poverty. Some states currently have closed borders and may not welcome refugees of the climate crisis. Additionally, a climate incident that drives migration will most likely affect a large area and therefore produce a large number of refugees. “The EU has been facing a record numbers of migrants, asylum-seekers and refugees in recent history that ignited stronger border control and several difficulties in the management of these flows, expressed through mass detention of new arrivals, lack of organization and resources in refugee camps, dual negotiations with transit countries, increasing human trafficking networks and the lack of solidarity and agreement about the European relocation scheme” (Estevens, 2018). The EU is already struggling with the number of refugees seeking asylum, and climate change will push humanity into denser populations as parts of the world become uninhabitable.

As refugees migrate, “even if they settle in, some reports indicate cases of illegal work, work exploitation, involvement in prostitution and human organ trafficking networks” (Burgess, 2011, p. 15). “According to the Greek White Paper, illegal immigration is one of the main threats undermining national and international security” (Estevens, 2018). These refugees will need to find a way to earn money and support themselves. If an influx occurs too rapidly, there will be political struggles over many aspects of it, including the legality of how refugees earn money and how they influence culture. Pushing this idea further, Busby asks whether, in the event of a large migration, “governments that acquire territory inside other countries gain sovereignty over that land?” Many political questions will arise as climate change drives migration, and national security concerns will shape how states interact at the international level.

There are four key issues in global governance in any arena: the number of actors, costs and benefits, non-state actors, and leadership (Jordan, 2021). It is possible to adopt the institutionalist mindset and create rules that reduce further damage to the Earth. However, cooperation is difficult to achieve because the number of actors is high when the entire planet is involved and everyone has different interests. Lecture discussed two examples, the Montreal and Kyoto Protocols. The Montreal Protocol succeeded because of the low number of actors, consensus on the science and a good benefit-to-cost ratio. The Kyoto Protocol failed because of the large number of actors, lack of consensus on the science and exemptions for developing countries. “Both Russia and Canada have proposed charging for passage through the arctic if it was to thaw enough” (Strawa, 2020). Both countries have a direct interest in not complying with climate regulation. With such a bleak forecast for cooperation, it is unlikely that regulation can serve as a preventive measure against climate change. Escalation over resources and climate-driven migration are therefore a foreseeable part of the Earth’s future.

References

Buzan, B., & Hansen, L. (2009). Defining International Security Studies. In The Evolution of International Security Studies (Chapter 1, pp. 8–20). Cambridge: Cambridge University Press.

Burgess, J. P. (2011). Introduction: Security, migration and integration. In J. P. Burgess, & S. Gutwirth (Eds.), A threat against Europe? Security, migration and integration, (pp. 13–15). Brussels: Institute for European Studies

Busby, J. (2018, July). Warming world. Foreign Affairs. 

Estevens, J. (2018). Migration crisis in the EU: Developing a framework for analysis of national security and defence strategies. Comparative Migration Studies, 6(1).  

Jordan, J. (2021) “Non-Traditional Security: The Environment.” INTA-6103. Georgia Institute of Technology. Online Lecture.

Sakas, M. (2021, August 17). The first-ever Colorado River water shortage has been declared. What does that mean for Colorado? Colorado Public Radio.

Strawa, A. W., Latshaw, G., Farkas, S., Russell, P., & Zornetzer, S. (2020). Arctic ice loss threatens national security: A path forward. Orbis, 64(4), 622–636.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Is Cyber Deterrence Possible?

Deterrence is the ability to dissuade an entity “from doing something by making them believe that the costs to them will exceed their expected benefit” (Nye, 2017). This is difficult to accomplish because the goal of deterrence is to change or prevent behavior (Valeriano, 2018). Deterrence is a form of coercion that depends on credibility and the threat of retaliation, but in the cyber realm efforts focus on changing behavior by attacking digital targets, information or networked installations (Valeriano, 2018). Deterrence is possible in cyberspace but very difficult to accomplish. The two main reasons it is difficult are secrecy and attribution.

Secrecy, in the context of deterrence, is the desire of states to keep their capabilities hidden from others. In the mindset of the security dilemma, states do not want adversaries to know how to defend against, or build countermeasures to, the weapons they have created. “Information is the equalizer for many states. In theory, increased information allows a rising power to catch up, leaping technology by generations through stealing intellectual property or military plans” (Valeriano, 2018). States that lack the money or time to build new weapons turn to stealing the necessary information, and stolen information can produce great leaps in weapon development. In the documentary The Perfect Weapon, the cybersecurity company CrowdStrike investigates a client that had been hacked. The client builds satellites and stores all of the intellectual property describing how they are built on its systems. During the investigation, CrowdStrike employees found direct links proving the intrusion was carried out by a Chinese military officer. This is a direct example of China trying to equalize itself by hacking a U.S. company to steal proprietary information. The stolen information could be used to build China’s own satellites, but it could also be used to develop exploits against the satellites themselves: with knowledge of their inner workings, the attackers could work out how to compromise the communication between the satellites in orbit and the ground stations that send and receive their data.

Secrecy in cyberspace allows states to keep weapons hidden until they are ready to launch an offensive. An example is Stuxnet, the first offensive cyber weapon deployed by a nation state that caused physical destruction (HBO, 2021). The development of the Iranian nuclear facility was supposed to be secret, but the attackers obtained its specifications and built a cyber weapon as a countermeasure to slow the program. Specifically, the weapon exploited multiple zero-day vulnerabilities (HBO, 2016). A zero-day vulnerability is a software flaw that has not been disclosed to the vendor; because the vendor does not know about it, no patch exists, and an attacker can develop an exploit that leverages it (Kaspersky, 2021). The developers of Stuxnet held multiple zero-day vulnerabilities at once, which is rare, and kept them in reserve for this operation. The Iranian facility was meant to be secret, but that secrecy failed. Thus the Iranians did not achieve deterrence, and the attackers were able to deploy a cyber attack that physically damaged their assets.

The other reason deterrence is difficult to achieve is attribution. Attribution is the ability to hold an entity accountable for its actions (Jordan, 2021). In cyberspace, because attackers route traffic through VPNs and other intermediaries, determining the true origin of an attack can be nearly impossible. “Credibility is critical for success in coercive operations. Holding true to commitments will enhance a state’s ability to coerce the opposition” (Valeriano, 2018). The need for credibility persists in cyberspace. There is a fine line: inferences about the culprit can be drawn from the political climate or a state’s actions outside cyberspace, but finding hard evidence is difficult. This line matters because states want the credibility of having pulled off an attack without being so overt that they invite retaliation. “Prompt, high-quality attribution is often difficult and costly, but not impossible” (Nye, 2017). When a cyber attack occurs, there is usually an investigation that works through the details, including the entry point into the system and the kind of attack used. However, a thorough investigation is not always possible; often the quick fix that gets the company or institution back up and running is chosen without looking further into the attack. States will need to prioritize attribution, and then response plans, to succeed in deterring future cyber attacks.

An instance of deterrence being possible is the Snowden leaks. These “revelations compromised tradecraft, but they also advertised that the NSA probably had more exploits and tradecraft” (Gartzke, 2017). This was not done willingly by a nation state, and it shows how hard it is to disclose secret information credibly: in this case the disclosure had to come from an insider threat.

Cross-domain deterrence (CDD) exists when different domains are used in conjunction to deter a threat. “The Pentagon now recognizes five operational environments or so-called domains (land, sea, air, space, and cyberspace)” (Schneider, 2019). Any combination of these five domains used for deterrence is cross-domain deterrence. “Cyber operations are generally covert and often difficult to attribute, they might not be perceptible enough for adversaries to factor into their action calculus” (Schneider, 2019). In land, sea, air and space, attribution is easier because an attack in those domains is a physical attack. A cyber attack is not necessarily physical: it may target information or cause a denial of service rather than destroying property through code. As discussed in lecture, states are more likely to achieve policy ends with a combination of cyber and a measure from another domain (Jordan, 2021). Deterrence depends on credibility, and cyberspace makes it hard to demonstrate credibility for attacks without disclosing capabilities. States looking to deter their adversaries therefore see cross-domain deterrence as their best option for engaging successfully. However, this can become a slippery slope and cause escalation when deterrence was the only goal.

The United States does not yet have much policy in place on using cyber capabilities for deterrence or retaliation, and is only starting to discuss how such policy would be implemented. Deterrence “policies would remain largely ambiguous, focus on investments in defense, and shy away from CDD options that might inadvertently escalate crises” (Schneider, 2019). There is an ongoing struggle over when cyber attacks become physical acts of war. Is it when the first cyber attack occurs? Is it when a physical retaliatory action takes place? How the United States responds to a cyber attack directly affects the credibility of its threat to follow through with retaliation. This also raises the distinction between an attack on a company and an attack on a nation state: if a company retaliated offensively, it might be seen as an act of war on behalf of the nation in which it resides. Additionally, retaliating against the wrong state could set off a spiral of escalation. This debate exists because if states cannot hold other states accountable for their attacks, deterrence is unlikely to succeed; adversaries are not deterred and know they can attack without facing retaliation.

There is much uncertainty in dealing with “cyber operations — a product of its secretive and virtual nature — [which] serves as a hindrance to the utilization of cyber operations for deterrence” (Schneider, 2019). Cross-domain deterrence raises the question of whether incidental escalation will occur. Because of the secrecy and attribution difficulties inherent in cyberspace, states struggle to use cyber operations as a form of deterrence against their adversaries.

References

Gartzke, E., Lindsay, J. (2017). Thermonuclear cyberwar, Journal of Cybersecurity, Volume 3, Issue 1, Pages 37–48. https://doi.org/10.1093/cybsec/tyw017

HBO. (2016). Zero Days. Retrieved 2021, from https://play.hbomax.com/page/urn:hbo:page:GYLfqGgrcO7GLCwEAAAZF:type:feature  

HBO. (2021). The Perfect Weapon . Retrieved 2021, from https://play.hbomax.com/page/urn:hbo:page:GX2pSUgq6241IugEAAACT:type:feature. 

Jordan, J. (2021) “Cybersecurity.” INTA-6103. Georgia Institute of Technology. Online Lecture.

Kaspersky. (2021) “What Is a Zero-Day Attack? – Definition and Explanation.” https://www.kaspersky.com/resource-center/definitions/zero-day-exploit. 

Nye, J. S. (2017). Deterrence and dissuasion in cyberspace. International Security, 41(3), 44–71. https://doi.org/10.1162/isec_a_00266 

Schneider, J. G. (2019). Deterrence in and through cyberspace. Cross-Domain Deterrence, 95–120.

Valeriano, B., Jensen, B., & Maness, R. C. (2018). How rival states employ cyber strategy. In Cyber strategy: The evolving character of power and coercion (Illustrated ed., pp. 22–52). Oxford University Press. https://ebookcentral.proquest.com/lib/gatech/detail.action?docID=5341461 


Example Security Incident Response Policy

Assumptions

These are the assumptions made for the <company name> in respect to how this incident response policy is developed.

  • Employees already exist who form an incident response team responsible for monitoring and response.
  • The Cyber Incident Response Team (CIRT) has a Security Information and Event Management (SIEM) tool that ingests networking traffic as well as successful/failed logins and has rules in place to create alerts.
  • There will also be an Intrusion Detection System/ Intrusion Protection System (IDS/IPS) and Endpoint Detection and Response tool (EDR) in place to help detect and prevent potential malicious activity from occurring on the network.
  • Web servers run on site and are controlled internally.

Incident Response Policy

The incident response policy involves multiple parties in finding and addressing incidents that occur within the <company name> network. This policy aligns with the SANS Institute Incident Handler’s Handbook.

The Cyber Incident Response Team will be in charge of monitoring network activity internally and at the connection points on the perimeter of the company’s network. There is also a network team responsible for fixing internal networking issues, which will be consulted if a networking issue is involved in an incident. Outside contractors and vendors may also be consulted.

The manager of the incident response team, the Chief Information Security Officer (CISO) and the CEO will be notified of an incident at different points in the investigation. The CIRT manager has the authority to declare an incident and to order minor remediation steps, such as isolating user devices from the internal network, but not to remove a production server from the network. The CISO has the authority to order any remediation step.

Team structure and necessary relationships

The Cybersecurity Incident Response Team will be composed of security operations analysts and engineers with varying levels of incident-handling experience. The team will operate 24/7 so that there is coverage at all times to respond to alerts.

The executive incident response team will include the incident response manager, the CISO, the networking team manager, and for some instances the CEO.

An outside vendor may be called in when the CIRT manager believes the vendor can give insight into the investigation or assist in the recovery stage. Additionally, in the aftermath, the CISO may need to contact the legal team and law enforcement to report the incident. To determine whether such contact is necessary, the CISO and CIRT manager should discuss legal obligations with the internal legal team.

Incident Response Procedures

This portion of the policy follows the SANS framework, highlighting steps 2 through 7, and outlines the response to a website compromise.

2. Preparation

This phase of the policy is meant to prepare the team for identifying and responding to an incident found in the company’s environment. 

  • This policy is meant to encompass procedures for the company to follow when addressing incidents.
  • The company will have periodic checks in place to scan its network and devices for potential compromises.
  • The Cyber Incident Response Team (CIRT) has a Security Information and Event Management (SIEM) tool that ingests networking traffic as well as successful/failed logins and has rules in place to create alerts.
  • There will also be an Intrusion Detection System/ Intrusion Protection System (IDS/IPS) and Endpoint Detection and Response tool (EDR) in place to help detect and prevent potential malicious activity from occurring on the network.
  • CIRT members will receive ongoing training in how to respond to detections and how to perform throughout an incident.
  • There should also be periodic vulnerability scans of servers to find known vulnerabilities.

3. Identification

Identifying an indicator of an attack requires knowing what is normal on the network so that the abnormal can be recognized and investigated further. The indicator may take many forms: an alert for many failed logins followed by a successful one, network traffic to a suspicious external IP address, or signs of a malware download. These indicators may come through the SIEM, the IDS or anti-virus software.

During identification, CIRT members should document indicators and evidence and research the indicators, such as file hashes and the origin of IP addresses. CIRT members should escalate to the CIRT manager once they believe there is an incident.
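The two indicators named above (a burst of failed logins followed by a success from the same source, and outbound traffic to a suspicious external IP) expressed as detection logic run over sample log lines. This is an added example, not part of the original policy or the company's SIEM rules: the sshd-style auth log format, the flow record format, the five-failures-in-five-minutes threshold and the IP watchlist are all assumptions, and the log lines are constructed for the example.

```python
"""Added example (not from the original policy): Identification-phase detections
over constructed log lines. Log formats, threshold, window and watchlist are
assumptions for illustration, not the company's real SIEM configuration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in an assumed sshd-style format (not real data).
# 203.0.113.45 fails six times in 22 seconds, then succeeds as svc_backup.
# Its 08:50 failure lies outside the five-minute window and must not count.
SAMPLE_AUTH_LOG = [
    "2021-11-02T08:50:00 web01 sshd[4100]: Failed password for svc_backup from 203.0.113.45 port 51400 ssh2",
    "2021-11-02T09:00:01 web01 sshd[4211]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2",
    "2021-11-02T09:00:04 web01 sshd[4211]: Failed password for invalid user admin from 203.0.113.45 port 51523 ssh2",
    "2021-11-02T09:00:07 web01 sshd[4211]: Failed password for root from 203.0.113.45 port 51524 ssh2",
    "2021-11-02T09:00:11 web01 sshd[4211]: Failed password for root from 203.0.113.45 port 51525 ssh2",
    "2021-11-02T09:00:15 web01 sshd[4211]: Failed password for svc_backup from 203.0.113.45 port 51526 ssh2",
    "2021-11-02T09:00:19 web01 sshd[4211]: Failed password for svc_backup from 203.0.113.45 port 51527 ssh2",
    "2021-11-02T09:00:23 web01 sshd[4211]: Accepted password for svc_backup from 203.0.113.45 port 51528 ssh2",
    "2021-11-02T09:01:02 web01 sshd[4230]: Failed password for jsmith from 10.0.5.9 port 40012 ssh2",
    "2021-11-02T09:01:09 web01 sshd[4230]: Accepted password for jsmith from 10.0.5.9 port 40013 ssh2",
]

# Constructed flow records in an assumed format, and an assumed watchlist of known-bad IPs.
SAMPLE_FLOWS = [
    "2021-11-02T09:02:10 FLOW 10.0.5.23 -> 198.51.100.7:443 bytes=52310",
    "2021-11-02T09:02:14 FLOW 10.0.5.23 -> 192.0.2.99:8443 bytes=1048576",
    "2021-11-02T09:02:20 FLOW 10.0.5.40 -> 198.51.100.7:443 bytes=2048",
]
WATCHLIST = {"192.0.2.99"}

AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
FLOW_RE = re.compile(
    r"^\S+ FLOW (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)"
)


def parse_auth_line(line):
    """Return (timestamp, result, user, ip), or None if the line is not an auth event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_failed_then_success(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP that logs in successfully after at least `threshold`
    failures within `window`. Returns [(ip, user, failures_in_window, success_ts)]."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    findings = []
    for line in lines:
        event = parse_auth_line(line)
        if event is None:
            continue  # ignore lines that are not auth events
        ts, result, user, ip = event
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # slide the window per source IP
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            findings.append((ip, user, len(recent), ts))
            recent.clear()  # one alert per burst, not one per later success
    return findings


def detect_suspicious_egress(flows, watchlist):
    """Flag outbound flows whose destination is on the watchlist.
    Returns [(src, dst, port, bytes)] so the analyst can see volume as well as peer."""
    hits = []
    for flow in flows:
        m = FLOW_RE.match(flow)
        if m and m["dst"] in watchlist:
            hits.append((m["src"], m["dst"], int(m["port"]), int(m["bytes"])))
    return hits


def collect_indicators(auth_findings, egress_hits):
    """Consolidate the indicators to document and research before escalating."""
    return {
        "source_ips": sorted({f[0] for f in auth_findings}),
        "accounts": sorted({f[1] for f in auth_findings}),
        "external_ips": sorted({h[1] for h in egress_hits}),
    }


if __name__ == "__main__":
    auth = detect_failed_then_success(SAMPLE_AUTH_LOG)
    egress = detect_suspicious_egress(SAMPLE_FLOWS, WATCHLIST)
    for ip, user, count, ts in auth:
        print(f"ALERT brute force then success: {ip} -> {user} after {count} failures at {ts}")
    for src, dst, port, nbytes in egress:
        print(f"ALERT egress to watchlisted IP: {src} -> {dst}:{port} ({nbytes} bytes)")
    print("indicators to document:", collect_indicators(auth, egress))
```

The sliding window is pruned per source IP before each event is counted, so an old failure from the same address does not inflate the count, and the buffer is cleared after an alert so that one brute-force burst produces one escalation rather than one per later login. The `collect_indicators` output is the list the analyst carries into documentation and research (IP origins, affected accounts) before escalating to the CIRT manager.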

4. Containment

Once an incident is identified, the next phase is containment. This phase is meant to prevent further damage or exposure from occurring. 

  • If a website has been compromised, the attacker may have gained access to the internal network and may have planted malware or command-and-control software.
  • If a laptop or device is known to be compromised, the CIRT manager will immediately authorize isolating the device.
  • If a production server is known to be compromised, the CIRT manager will escalate to the CISO, who will determine from the information provided whether the server can be taken offline and remediated.
  • If the intrusion into the network was made possible by a compromised account, the account shall be disabled or a password reset forced.

During containment, forensic images of the affected devices, including their logs, will be taken so that the systems are preserved as evidence.

5. Eradication

This phase removes or remediates the issue, for example by changing passwords, deleting malicious files or restoring systems to previous versions.

  • If an account was compromised, CIRT should force a password reset of the user’s account.
  • If malware was downloaded to a server or device, delete all associated files.
  • If any environment variables or registry keys were modified, reset or remove them.
  • If restoring environment variables or registry keys or removing the malware is not possible, the computer will need to be reimaged.

6. Recovery

This part of the process includes returning the functionality of the compromised system back to normal.

  • There should be a way to test the compromised device before returning it to the network, to confirm that remediation was correctly implemented and that no other compromise remains.
  • There should also be documentation that the testing occurred and was successful before the device is returned to the network.

7. Lessons Learned

This part of the process is about understanding what went right and what went wrong in the previous steps and devising ways to improve the process. It is not meant to place blame for missteps; it is meant to determine whether all the processes in place were followed and whether any should be changed. The CIRT manager should gather information from the team members who took part in the incident and consolidate it into an easily digestible document.

Communications Plan

This portion of the policy describes how effective communication will take place during the attack and afterwards.

3. Identification 

During this phase, CIRT members communicate with each other to determine whether the alert is an incident. The team member reports the identifying features of the alert to the manager. Once the alert is determined to be an incident, the CIRT manager reports it to the CISO, depending on the severity of its impact.

4. Containment

During this phase, CIRT members and the manager communicate to determine the spread of the attack and everything that is affected, as well as how the incident should be contained in line with best practice.

5. Eradication

During this phase, communication covers the steps being taken to remove the cause of the incident. There should also be discussion of how to collect logs or files left by the attacker as evidence. If the attack is specific to a vendor’s product, that vendor should be notified during this period so that it can perform its own analysis.

Also at this phase there should be discussion about bringing the incident to the attention of the internal legal team or law enforcement. The CISO is the role designated to reach out to these outside parties.

6. Recovery

During this phase, CIRT members and the manager communicate to make sure best practices are followed and to decide how to return the affected device to the network.

Additionally, at this phase, or within a reasonable time after the incident is identified, there should be discussion about notifying the media and any customers whose data may have been exposed. This may require email or phone communication, and potentially retraining call-center staff in preparation for a flood of concerned callers.

7. Lessons Learned

During this phase, CIRT members and the manager communicate to make sure all the events of the incident are documented with evidence. The manager will add sections on lessons learned and process improvements. This document may also be shared with the CISO and CEO.

References

Cichonski, Paul, et al. “Computer Security Incident Handling Guide.” National Institute of Standards and Technology, U.S. Department of Commerce, Aug. 2012, nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. 

Kral, Patrick. “Incident Handler’s Handbook.” SANS Institute Information Security Reading Room, 5 Dec. 2011, http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901.

“SAMPLE INFORMATION SECURITY INCIDENT RESPONSE PLAN.” ISBA Mutual, EPlace Solutions, Inc., 2015, http://www.isbamutual.com/wp-content/uploads/2018/08/Cyber-Incident-Response-Plan.pdf.


Understanding The Diamond Model with Target Breach Example

The Diamond Model is a framework for intrusion analysis. It has four main aspects: adversary, capability, infrastructure and victim. Every cybersecurity incident has at minimum these four features.

Background of the Target Breach

I will be examining the Target Corporation data breach of 2013. At the time, it was “estimated 70 million pieces of personally identifiable information” (Rowe) were stolen from Target. Target has often been made an example of how security can affect a corporation; however, only minor changes have followed to remedy cyber security threats. The following is an overview of what happened. A third-party vendor was working with Target on the refrigeration services needed to incorporate food into its sales. The vendor had poor password security, and an adversary was able to get into its systems. From there the adversary traversed Target’s network and installed malware on the cash registers that sent credit card data to the adversary before it was sent for payment processing. The malware was on the network during the busy season around Thanksgiving. The breach was reported in December 2013, and an investigation followed into which parts of the system were vulnerable and how to prevent a similar attack in the future.

Applying the Diamond Model

Within the Diamond Model there are four vertices: adversary, victim, infrastructure and capability. There are also two edges: the connection between adversary and victim, called the social-political meta-feature, and the connection between infrastructure and capability, called the technology meta-feature.

When the Target breach is mapped onto the Diamond Model, each of these terms can be given a value. The adversary is unknown; during the investigation, the concern was the root cause of the breach, the capability, rather than the adversary. The victim is Target and the customers who provided their credit card data during purchases. The social-political meta-feature was the adversary’s drive to sell the gathered information for money on the black market. The capability “stemmed from hijacked credentials stolen from Fazio Mechanical Services, a third party service provider” (Plachkinova). Once inside the network there was little network segmentation, so the adversary was able to move from the “point of sale terminals to mission critical back-end systems” (Plachkinova).

The adversary was able to install malware on the point of sale terminals and pull the credit card data as it passed through the system during a sale. The infrastructure is then the means of getting the data off the infected machines. Because the malware was installed on the point of sale machines, and whitelisting and malware detection were insufficient, the adversary had command and control over the systems and could send the credit card data out of the network to where they could retrieve it (Rowe).

Policy Assessment

This incident occurred at a time when not many cyber security attacks had occurred yet; it was basically the beginning. At this time, Target did not have a Chief Information Security Officer or anything similar. They had no one on staff making decisions on how to keep the information and network safe and secure from the possibility of cyber security attacks.

There could be many ways to try to regulate cyber security for organizations, but when looking at how to solve the problem we have to look at many different aspects. Many cyber security issues could be corrected through legislation at the international level; however, this is not feasible in many situations. It is unlikely that all nations could be made to work together when many may want to allow such attacks to occur.

I believe this type of incident that occurred against Target could be handled at the organizational, industry, or national level. The fastest way would be internal to the organization, which is how this was resolved in reality. An investigation occurred and Target made changes within their organization to improve their cyber security and try to prevent this from occurring again. This would allow them to make their own policy swiftly; however, that policy still may not be up to a certain standard the industry or nation would have. For part of this attack, the best option would be at the organizational level, specifically the ability to define password regulations. Since this aspect was how the adversary was able to get into the Target network, Target should create a password policy and phishing prevention techniques for their network and any third parties that connect into their network. Additionally, employees can be the company’s weakest link (Manworren). This can be addressed with an organizational policy and training developed to help prevent phishing attacks or recognize signs of an insider threat.

At the industry level, there can be more collaboration to define industry standards. At this level there is still no way to enforce these standards, but the corporations involved usually want to participate in what is decided. The other part of the attack, the adversary being able to install the malware and send data back out, was due to not having network segregation and not enforcing strict whitelists for their point of sale devices. This could be solved by including in industry standards when and how to use whitelists in certain situations, as well as how an organization should implement network segregation between different areas.

When analyzing a solution at the national level, this level would be well placed to enforce consequences if an organization wasn’t in compliance. However, the action needed at this level would take a lot of time and work to make happen. There is also the possibility of politicians being incompetent and not including experts when creating the legislation, which could create loopholes and workarounds.

References

diamond.pdf

https://landing.joinbrix.com/posts/target-security-breach-overview.html

https://cyware.com/educational-guides/cyber-threat-intelligence/what-is-the-diamond-model-of-intrusion-analysis-5f02/

https://jise.org/Volume29/n1/JISEv29n1p11.html

https://www.researchgate.net/publication/295394659_Why_you_should_care_about_the_Target_data_breach


This work is licensed under a Creative Commons Attribution 4.0 International License.

Getting Started with Capture the Flag (CTF) Events

Let’s start off with some background. Capture the Flags in the cybersecurity industry are usually put on by companies to help find talent and to allow hackers to practice their skills. These events usually have awards or prizes associated with completing the most tasks or finding the most “flags”. In my opinion, CTFs are more like scavenger hunts than the actual game of capture the flag: a player is given clues and must find the answers that lead to a hidden flag.

There are different styles of CTFs that can be played. One is Jeopardy, where the board looks like the show Jeopardy and teams try to solve the questions to get points. Another is Question and Answer, where there can be different sections with questions related to a topic; an example might be a reconnaissance section asking questions about certain organizations that can be answered from the internet or the company website. Another, rarer style is what I would call immersive game play: the people putting on the CTF have created a little world where you must travel around and interact with characters to solve different steps. Almost all CTFs have points associated with the different steps or answers, and when a player completes a task they get the points and can move up in the ranking.

Starting out with one of these Capture the Flags can be daunting, especially when you don’t know anyone else or really what to expect. However, these are usually really great ways to learn more about your skills and grow them. As you play more, you can enhance your knowledge and learn more tools. Anyone can sign up for these events, so joining is the first step! Many events are set up for college students and entry-level professionals, but some events are for high school students.

Some examples of the sections are, like I mentioned before, reconnaissance, which mainly includes being able to find information about a person or company that could be relevant to finding a weakness. There may also be topics on network scanning, which may include command line tools and their correct flags, like Nmap, or searching through Wireshark files. Another topic could be steganography, where you may get files (sound, picture, or video) and must find hidden messages. Finally, there may be converting messages from different encryption schemes or bases (base64).

Now this may sound overwhelming, but a lot of these tasks can be solved using publicly available tools that you can download. Wireshark can be downloaded, and there are tutorials on how to read the captured traffic. CyberChef is a tool that can decrypt or convert files.

Cybersecurity companies sponsor these events or put them on to find people who may have the skills they want to hire. Additionally, some cybersecurity conferences have CTF events for attendees to participate in. These are great ways to play in a CTF while also attending different talks and learning more about cybersecurity topics.

As you participate in these events, don’t forget to add them to your resume! These show that you take time outside of work and classes to continue education and active community participation in cybersecurity.

Many CTF events have an introduction video or talk to help newcomers understand how the game is set up. Additionally, depending on who is putting on the event, they may walk through a couple of the questions and answers to help you see how they solve the puzzle and get to the right answer. This can be great for those who have never been involved in one before.

References

https://blogs.cisco.com/perspectives/cyber-security-capture-the-flag-ctf-what-is-it

https://startacybercareer.com/what-is-a-cybersecurity-capture-the-flag

KringleCon 2020 Partial Write Up

KringleCon is a conference that has been held yearly since 2010. It is put on by the SANS Institute, which, if you don’t know, is a really great company that develops educational material for certification courses. They are usually very expensive, so most people try to have their companies sponsor their prep courses and exam fees.

This was my first year participating in this hack challenge, and two things stood out to me as really great and enjoyable. One is that they have a Discord channel with moderators. This allows participants to join and ask questions, as well as get hints and make progress when they get stuck. I am one of those people who, when I get stuck, likes encouragement after some research time. This feature gave me the desire to keep going through the different content. With that said, there is a lot of content, and I was not able to get through all of the challenges. The second feature is that they have their own music! It’s all on Spotify here. My favorite songs are “I Could Be Santa” and “I Saw Mommy Kissing Santa Claus”.

So follow along; I’m going to walk through some of the content that I was able to complete. All of the text in blue is the commands I entered into the different terminals in the challenges.

WARNING: SPOILERS AHEAD

[Image: openingpage.png]
https://2020.kringlecon.com/

First, make an account with a user name and create your character from the preset selection of different options. There is also an informational video for getting started with some helpful tips here. Then we can get started with some of the objectives and things found along the way.

Objective One: Uncover Santa’s Gift List

There is a photo of Santa’s Desk on that billboard with his personal gift list. What gift is Santa planning on getting Josh Wright for the holidays? Talk to Jingle Ringford at the bottom of the mountain for advice.

When you first appear in the KringleCon world, there is an elf that, when clicked, gives you some hints to download the billboard picture in the distance. This will pop open a new tab with the picture, and on the desk there is a list with swirled writing. There is also a hint I found indicating to use a tool called Photopea. With this tool you can choose the “lasso” function to draw a circle-ish shape around the spiraled writing and then use the “twirl” feature to make it readable.

We are looking for what Josh Wright wants for a present, and we learn that he wants a Proxmark3. We can then input this into objective one in the settings and pass on to the next objective.

Objective Two: Investigate S3 Bucket

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

This objective starts in the area outside of the castle talking with Shinny Upatree.

[Image: outsidecastle_2.png]

Starting with the Kringle Kiosk: it opens into a menu, and you can go through the options and see what exists. I liked being able to see where the different elves were located. Then there is a hint that option 4 is where the command line vulnerability exists and to use /bin/bash to find it.

It took me a couple of tries to realize that the ampersand operator is needed for the interpreter to continue to execute the command.

& /bin/bash

This completes the mini task, and we get a couple more hints from Shinny Upatree to complete the Investigate S3 Bucket objective.

For this one I needed a lot of help from the Discord channel. It took me a while to figure out how to even download the file needed. The gist of this objective is to use an already-created script, changing input values, to search for a hosted S3 bucket and automatically download a file, then work through all the extensions to unzip all the way down to the base txt file and read the note.

I added the word “wrapper3000”, as indicated in the notes, by using the vi interface tool. This is a command line tool that opens txt or other files in the terminal, and you can edit and save them if you need to make quick changes. I spent a lot of time trying different potential words because I didn’t realize that it was case sensitive. I had tried “Wrapper3000”, but not the same word with a lowercase ‘w’. Once the new word was added, I was able to run the script and auto download the file.

./bucket_finder.rb wordlist --download

From here I ran multiple built-in command line tools to completely unzip the file: package.txt.Z.xz.xxd.tar.bz2

base64 --decode package > newpackage

unzip newpackage

bzip2 -d package.txt.Z.xz.xxd.tar.bz2

tar xopf package.txt.Z.xz.xxd.tar

xxd -r package.txt.Z.xz.xxd package.txt.Z.xz

xz --decompress package.txt.Z.xz

uncompress package.txt.Z

All of these steps were found by searching for each extension and how to unzip it, and finding the command online. From here we can cat the file to read it.

cat package.txt

It prints to the terminal: “North Pole: The Frostiest Place on Earth”. Then we can input this as the answer to objective 2 in the settings.
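The unwrapping above is seven manual steps, one per extension. As an added example (not part of the write-up or of the challenge), here is a Python unwrapper that peels such a package by looking at the extension of each layer; it uses only the standard library, except that the .Z layer is handed to an external `uncompress` binary, which is assumed to be on PATH. The sample package it builds is constructed here and omits the .Z layer.

```python
# Added example (not from the write-up): peel a nested package layer by layer,
# dispatching on the file extension, as package.txt.Z.xz.xxd.tar.bz2 was above.
# Standard library only, except .Z (Unix compress), which calls `uncompress`.
import base64, bz2, io, lzma, re, subprocess, tarfile, zipfile

def xxd_dump(data: bytes) -> bytes:  # xxd-style dump, used only to build the sample
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return ("\n".join(lines) + "\n").encode()

def xxd_reverse(dump: bytes) -> bytes:
    """What `xxd -r` does: keep the hex between the offset colon and the ascii column."""
    out = bytearray()
    for line in dump.decode("ascii", "replace").splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1].split("  ", 1)[0].replace(" ", ""))
    return bytes(out)

def one_tar_member(data: bytes) -> tuple[str, bytes]:
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        files = [m for m in tf.getmembers() if m.isfile()]
        if len(files) != 1: raise ValueError("expected exactly one file in the tar layer")
        return files[0].name, tf.extractfile(files[0]).read()

def one_zip_member(data: bytes) -> tuple[str, bytes]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
        if len(files) != 1: raise ValueError("expected exactly one file in the zip layer")
        return files[0], zf.read(files[0])

def uncompress_z(data: bytes) -> bytes:
    # Assumption: an `uncompress` program (ncompress, or gzip's wrapper) is on PATH.
    return subprocess.run(["uncompress", "-c"], input=data, capture_output=True, check=True).stdout

def unwrap(name: str, data: bytes, max_layers: int = 16) -> tuple[str, bytes]:
    """Peel layers until no handler applies; the layer cap guards against bombs."""
    for _ in range(max_layers):
        stem, dot, ext = name.rpartition(".")
        if ext == "bz2": name, data = stem, bz2.decompress(data)
        elif ext == "xz": name, data = stem, lzma.decompress(data)
        elif ext == "xxd": name, data = stem, xxd_reverse(data)
        elif ext == "Z": name, data = stem, uncompress_z(data)
        elif ext == "tar": name, data = one_tar_member(data)
        elif data.startswith(b"PK\x03\x04"): name, data = one_zip_member(data)  # zip by magic
        elif not dot and re.fullmatch(rb"[A-Za-z0-9+/=\s]+", data):  # bare "package" was base64
            data = base64.b64decode(data)
        else:
            return name, data
    raise ValueError(f"more than {max_layers} layers; refusing to continue")

def build_sample() -> bytes:
    """Constructed sample: the write-up's nesting minus the .Z layer, base64 outermost."""
    inner = xxd_dump(lzma.compress(b"North Pole: The Frostiest Place on Earth\n"))
    tar_buf, zip_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("package.txt.xz.xxd")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("package.txt.xz.xxd.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.b64encode(zip_buf.getvalue())

if __name__ == "__main__":
    print(unwrap("package", build_sample()))
```

Capping the number of layers and insisting on a single archive member are the two checks worth keeping when running this on a package you did not build yourself.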

Objective Three: Point-of-Sale Password Recovery

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What’s the password?

The courtyard is in the back of the castle. Once back there, I started with the Linux Primer challenge. This challenge included finding munchkins and going through Linux command line tasks like removing files and traversing folders. I forgot to take notes on this part, but overall the steps were decently easy, and when I didn’t know a specific command, I looked it up.

Once done, Sugarplum Mary gives you a couple more hints to complete the objective.

[Image: courtyard_surgarplum.png]

Then we can download “santa-shop.exe”. With this, we want to be able to get the source code to see if there is a hard-coded password. To do this, we need to extract the files from the exe. I had read through some of the Discord, so I had a decent idea of what I needed to do. I searched online for the specifics of how to do this on macOS.

I needed the command line tool npm to install the asar tool; I only had brew, another command line package installer, installed for my command line.

brew update

brew install node

Install asar globally

npm install -g asar

Make a directory to put the source folder

mkdir obj3-sourcecode

I then traversed to where the “app.asar” file existed; for me it was in the “app-64/resources/” folder. In this directory, from the command line, I could run the given command.

asar extract app.asar [insert full path to obj3-sourcecode folder]

I could then open the “main.js” file and right in it was the password.

“const SANTA_PASSWORD = ‘santapass’;”

Then we can enter “santapass” for the answer for objective 3.

Objective Four: Operate the Santavator

Talk to Pepper Minstix in the entryway to get some hints about the Santavator.

This objective is completed by wandering around the castle and picking up random objects and light bulbs to power the elevator. Not everything is going to be found on the bottom level, so you have to collect what you find on the bottom floor and then get to the other levels and find more.

There are three different light bulbs (red, yellow, and green) and a key to access the back panel. Directing the energy to the different colors allows different buttons to become usable. This is what mine ended up looking like – not the prettiest, but functional.

[Image: elevator_hiddenpanel-1.png]

This allowed me to get to the different levels. However, I did not get far enough to get the fingerprint to access Santa’s office.

Completing Objectives 1-4 was as far as I got in the Objectives. There were a couple of other areas to play around in.

[Image: diningroom.png]

In the Dining Hall, there was an arcade game called The Elf Code, where you gather lollipops on each level and evade other objects. This was accomplished by using JavaScript to move your elf around the screen.

[Image: dininigroom_elfcode_1-1.png]
[Image: dininigroom_elfcode_0.png]

It gave you some hints about what it was expecting as input, and then you would write the JavaScript code at the bottom and run it. If successful, you could move on to the next round with increasing difficulty.

Another arcade game was on the Kringle Talks floor. To find it, you had to talk to Bushy Evergreen and open the UNprep door for the speakers. There was a hint to run the strings command against the binary file found in the terminal next to Bushy Evergreen.

strings door

Then when scrolling through the output there is wording identifying the plaintext password:

[Image: unprep_terminal_doorpassword.png]

So we run the door executable and enter the password when asked.

./door

Op3nTheD00r

And presto – the door is now open to enter the UNprep room. There were a couple of other tasks that I did not complete, like turning on the lights and getting the vending machine to work.

In here is the arcade game Snowball Fight.

[Image: snowballfight_battleship.png]

This was basically the game Battleship, which you could play against an AI at the difficulty level you chose. I played the old-fashioned way – not trying to hack the AI – and man, I was not good!

Verdict

Overall, I thoroughly enjoyed this hack challenge! I wish I had taken more time to get through even more objectives and side plots. There was so much content that even after spending many hours playing, there was still plenty more to keep me enthused. Additionally, there were many learning opportunities: I could search the internet for the concepts where I was stuck, or gain insight from the other players on Discord.

I will definitely be playing again next year to continue learning new skills and engage with new content!

About Me

Hey! I’m Courtney and I am a cyber security engineer. My previous passions growing up mainly included dancing. I lived and breathed it. I was dancing competitively for my high school and at my studio. I was so in love with dance, I knew I was going to continue dancing as my career. Then an injury struck; I was wrong. After attending a performing arts college for not even a semester, I was back at square one trying to figure out what my life would entail.

I changed colleges and after trying a couple different avenues, I ended up loving computer science! I received a Bachelor of Science in Computer Science from the University of Arizona in December 2017. Throughout my undergrad, I had two internships working for the Department of Defense where I helped develop two internal websites.

After completing my undergrad degree, I was picked up to work as a cyber security engineer for the Aerospace department within . My role within this team was to determine if the architecture and network security of aircraft met the necessary requirements for aircraft to become airborne while keeping their passengers safe. While working this job full-time, I pursued a Master of Cybersecurity from the Georgia Institute of Technology.

I plan to bring you relevant content about the cyber security field, as well as conferences and resources that I’ve found. As I found when starting out, finding the right resources can sometimes be hard, and there is a lot of content to dig through to find what is useful.