Event RPE: The Dangers in DreamValley
Date: March 24-26, 2020 | Location: DreamPort Facility in Columbia MD
SPECIAL NOTE: This event is only possible because of the extraordinary contributions of our partners at Dell, VMware and World Wide Technology (WWT).
In June of 2019 we ran the event "The Defense at Pemberton Mill" where we invited technology vendors to install their solutions into the ACME Corporation Factory at our DreamPort headquarters facility. During this event, our red team personnel attacked ACME repeatedly over the course of a week and the participating vendors issued reports on what attacks they detected after a short window of training time.
Ask yourself a question. On your drive to work, school or wherever you were headed this morning, how many microprocessors or controllers made your commute and morning possible? Say besides your cellphone with its Siri, Instagram, Facebook or Google search bar. Your alarm clock or radio? Your TV, thermostat, smoke detector or the wireless meters read by the power company technician driving by? Maybe the coffee maker? Front door camera? Maybe your computer checking email before you dash out? How about from your doorway to your destination?
When you stepped outside, don't forget the multiple systems under the hood in your car (anti-theft, anti-lock brakes, tire pressure monitor). But what about autopilot self-driving, Wi-Fi connectivity for the kids and passengers in the back seat, GPS connectivity, EZ-Pass or RFID-based toll payment, maybe even the app that ordered your rideshare, breakfast or even the overpriced coffee dessert beverage you told yourself you would stop buying.
Wait, we are not done. The traffic lights that held you up, the automated license plate recognition system, cameras monitoring traffic flow, pressure sensors counting cars, the monitoring system of the sewage lines you drove over, the subway and train control, monitoring and payment systems, the collection systems that gather demographic data for advertising purposes, the elevator controller and the badge access that got you into the building.
How many of these systems are Internet connected or even simply wireless enabled? Sadly, if it can be seen by an attacker, it's a target. While the smartphone apps for ordering food or rides delivered to your door are not essential to daily life or our personal and national security, the United States Department of Homeland Security (DHS) writes that:
"There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."
Well, today we are announcing that ACME Corporation has moved to a new 'city' we call DreamValley. For our upcoming event, we have constructed a scale model city called DreamValley. DreamValley is a bustling city full of citizens with daily routines just like those we describe above. Sadly, in DreamValley, attackers have targeted the city infrastructure with the hope of causing damage not only to DreamValley itself but to the ACME Corporation as well.
In this event we are studying solutions (software and hardware) to monitor critical infrastructure by deploying them in a scale model city. For the purposes of this event in DreamValley we have several elements we define as critical infrastructure. There is a beltway of 'self-driving vehicles', an electric grid providing light for all the buildings, traffic signals and street signs, a man-made lake, city-wide Wi-Fi and even a train system. With each passing week, new services may be provided in the hope of making life easier and safer for the citizens. All city services in DreamValley are monitored and controlled by the City Control Center network.
Thanks to tremendous collaboration, expertise and donations from our partners we have created a combined virtual and physical City Operations Center (OPS) for DreamValley where experts can monitor the critical services and respond if a service malfunctions or 'goes down'. Also in OPS is the network security team, who monitor the network security of OPS and respond to cyber threats if they are detected. At this time we can say that, at a minimum, the following PLC models are used in DreamValley (we will not be releasing exact model information):
- Siemens S7
- Mitsubishi FX
- Allen Bradley MicroLogix
- Schneider Electric M221
This is DreamPort; we aren't building a scale model toy. Each critical infrastructure service is controlled by a separate programmable logic controller (PLC) with unique logic that provides a basic service and may even use input from sensors to react as each day wears on.
We are going to attack DreamValley.
More specifically, we are going to hold an offense versus defense RPE where we invite information technology (IT) and operational technology (OT) vendors to install their solutions to monitor DreamValley infrastructure and enable OPS network security (BLUE TEAM) while we have a Red Team (RED TEAM) conduct a coordinated assault against the city. We will be observing BLUE TEAM personnel and technology solutions to determine if they are able to detect attacks perpetrated by RED TEAM.
We will support a maximum of 4 hardware/software solutions in the OPS network at a single time. This means there will be 4 network taps available for live capture, and participating vendors or teams may also install their software solution or provide network access for management and operation so long as they can agree to work alongside other vendor software on the same subnet. There will not be any ability to install a network tap outside of OPS for monitoring in-bound Internet traffic (this effect is achieved by one of the 4 taps we will provide). Critical infrastructure monitoring solutions may be physical or virtual, but in order to participate you must allow a third-party BLUE TEAM member to log in to, run or utilize your tool for monitoring and reporting purposes. No third party will be permitted access to source code, algorithms or intellectual property of your solution.
Please note, we may hold the actual event spread across multiple days depending on participant interest. The BLUE TEAM may be comprised of United States Government personnel that will work together with participating solutions for IT or OT security.
During the actual execution, you should be prepared to operate your solution (or develop and operate if you are up to the challenge of rapid development in the spirit of our RPE concept) and issue alerts when you detect attacks either as they occur or after the fact. Please note, there will be NTP time synchronization available even if no Internet is available the entire time.
We will say that Blue Team personnel will have at a minimum the following services available:
- Centralized Logging
- Intrusion Detection (not all subnets will be monitored)
- Netflow (not all subnets will be monitored)
Unlike in previous events, we will not be releasing a map of DreamValley operational and control networks in advance, but we will say that at a minimum the following subnets are present:
- Internet access (will be available for portions of the event, not all)
- Public access (for citizens in DreamValley)
- City OPS (A Microsoft Windows domain driven environment also hosting PLC systems)
- BLUE TEAM
What happened to ACME Factory?
The ACME factory will be running during this event. It will not be on the same subnet as OPS but will have its own PLC and HMI systems online and connected. Assets in the ACME Factory are considered valid targets for exploitation.
If you will be joining us for the first time, the ACME Factory is a predominantly Windows 7 based environment that runs at least the following services:
- 3D printing
- Automated conveyor belt
- Siemens HMI
- Siemens S7
Coming soon, we will announce availability for participants to install their solution into OPS for a finite time period to monitor traffic for the purposes of network baseline. You may perform network scanning of the environment but may not actively probe any PLC (we are working on standards and processes to permit this, we promise). You can keep the PCAP you gather during this period for any purposes you see fit but please note, no attacks will occur during the training period.
We have not yet determined how long you may monitor OPS but will guarantee a minimum of 5 days (given that we can support multiple SPAN ports at a time). During this time, OPS will operate as normal, PLCs executing logic as programmed and employees using their desktops to perform their duties which includes normal web browsing.
You must provide your own hardware and storage to perform this network monitoring, all you will be provided is a network cable and administrative access credentials.
There are 2 outcomes from this event. First, BLUE TEAM personnel will be judged on their ability to detect attacks using the following metrics:
- Did the team detect an attack scenario?
- If so, what technology (or technologies) were used for detection?
- Did the team properly characterize the attack?
- What was the time delay between scenario execution and detection?
- Was the team able to develop indicators of compromise (IoC) for the attack if it was to occur again?
- Did the team discover any configuration, software or hardware vulnerabilities before, or during the event?
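The training-period baseline and the time-to-detect metric above are the kind of thing a BLUE TEAM tool has to automate. The following is an added example (not code from DreamPort or from any participating vendor) that learns which hosts talk to PLC ports from Netflow-style records gathered during the baseline period, flags any new talker to a PLC port during the event, and computes the delay from a scenario's start to the first alert. The record format, addresses, timestamps and the choice of one well-known port per PLC family are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Ports to watch (assumption: one well-known port per PLC family named above; real sites may differ).
PLC_PORTS = {
    102: "S7comm",        # Siemens S7
    502: "Modbus/TCP",    # Schneider Electric M221
    44818: "EtherNet/IP", # Allen Bradley MicroLogix
    5007: "MELSEC",       # Mitsubishi FX
}

@dataclass(frozen=True)
class Flow:
    ts: datetime  # flow start time, taken from the NTP-synchronised sensor clock
    src: str
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format '<ISO-8601 time> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))

def build_baseline(lines):
    """(src, dst, dport) triples that talked to a PLC port during the training period."""
    return {(f.src, f.dst, f.dport) for f in map(parse_flow, lines) if f.dport in PLC_PORTS}

def detect(baseline, lines):
    """Alert on every PLC-port flow whose (src, dst, dport) triple is absent from the baseline."""
    return [(f.ts, f.src, f.dst, PLC_PORTS[f.dport]) for f in map(parse_flow, lines)
            if f.dport in PLC_PORTS and (f.src, f.dst, f.dport) not in baseline]

def detection_delay(scenario_start: datetime, alerts):
    """Seconds from the organisers' scenario start to the first alert, or None if never detected."""
    later = [a[0] for a in alerts if a[0] >= scenario_start]
    return (min(later) - scenario_start).total_seconds() if later else None

# Constructed sample data: every address, time and role below is invented for this example.
TRAINING = [
    "2020-03-16T09:00:00 10.10.1.20 10.10.2.10 102",    # HMI polling the S7
    "2020-03-16T09:00:05 10.10.1.20 10.10.2.11 502",    # HMI polling the M221
    "2020-03-16T09:00:07 10.10.1.21 10.10.2.12 44818",  # engineering station to the MicroLogix
    "2020-03-16T09:01:00 10.10.1.30 10.10.1.5 443",     # desktop web browsing, not a PLC port
]
EVENT = [
    "2020-03-24T10:00:00 10.10.1.20 10.10.2.10 102",    # normal HMI traffic, in baseline
    "2020-03-24T10:02:30 10.10.1.77 10.10.2.10 102",    # never-seen host talking S7comm
    "2020-03-24T10:02:31 10.10.1.77 10.10.2.12 44818",  # same host touching the MicroLogix
]
```

A triple-based baseline is deliberately simple: it will also alert when a legitimate new HMI is commissioned mid-event, so each alert still has to be characterised by an analyst before it is reported.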
There will not be any required format for reporting attacks; a free-form text file, email or form will be fine. We will provide specific instructions on the morning of the first day of our event specifying exactly how to report attacks you identify.
Additional criteria for IT or OT solutions include:
- Did the solution log a false positive event?
- Does the solution have an API that offers remote query of information (at a minimum this includes assets, version information and vulnerabilities discovered)?
RED TEAM personnel will be judged on their ability to successfully penetrate any DreamValley service. While we are keeping a few services under wraps until we get closer to the event, at a minimum the following attacks are possible:
- Did the attacker get an OPS employee to run malware?
- Did the attacker gain remote access to an OPS station?
- Did the attacker correctly profile all PLCs in OPS?
- Did the attacker cause a disruption in the electric grid (defined as a loss of light to houses or buildings)?
- Did the attacker cause a crash of vehicles on the beltway (defined as one or more cars leaving the beltway track or crashing into one another)?
- Did the attacker cause the man-made lake to overflow?
- Did the attacker modify digital signage within the city?
- Did the attacker alter the behavior of traffic lights within the city?
RED TEAM personnel will have restricted access to non-standard operational tools provided by a participating vendor but must agree to a usage agreement ensuring the tools remain onsite at DreamPort and never leave our facility.
Relevant RED TEAM skills and tools:
- PLC experience (see above for model information)
- Python requests
- Pypcap/Pyshark etc.
- AWS/Digital Ocean/Linode VPC setup and operation
- Metasploit, PowerShell Empire, Veil Framework (etc.)
- Network probing (Nmap, Masscan, SNMP)
- Vulnerability scanning
Relevant BLUE TEAM skills and tools:
- PLC experience (see above for model information)
- Elasticsearch, Logstash, Kibana
- Zeek (formerly Bro), Suricata
- Network monitoring, Netflow
- Vulnerability scanning
- SSH, PowerShell
There is no one single expected solution for this RPE. We are interested in BLUE TEAM participants' ability to discover attacks against both PLCs and PCs/switches/routers. We are interested in solutions for performing real-time network monitoring that must include support for operational technology (OT) in addition to more traditional information technology. We are also interested in RED TEAM participants' ability to develop tools that produce non-destructive events against PLC and critical infrastructure systems.