Building The Next Generation of Cyber Ranges with Targeted Chaos Engineering
In our last post, we discussed how to apply Chaos Engineering principles to cyber wargames and team simulation exercises in broad brush strokes. Using these principles, we are building out next-generation cyber ranges that encompass security concerns and business imperatives, mapped to likely scenarios. In a sense, it is chaos engineering with intent. We want to inject enough chaos and unexpected elements into the exercises to force teams to think on their feet and learn how to react to new threats.
We also want to ensure that scenarios encountered and exploits thrown at these teams are relevant in their domains, geographies and technology environments. A key element, too, is to include not just the infosec teams but also all other affected units - marketing and public relations, legal, finance, and even human resources. The goal is to leverage the best parts of chaos engineering to create an immersive and highly relevant experience that better prepares an organization for the jolting and uncomfortable experience of a successful cyberattack and resulting damage - the worst-case scenario. If they can handle the worst case, then all other cases are manageable.
So let’s consider a hypothetical case as an example. A large chain of hospitals faces a broad array of cyberthreats. What types of attacks may come? Ready, set, go.
In fact, this hypothetical example is rooted in unfortunate reality. On September 28, 2020, a large chain of 400+ U.S. hospitals suffered a devastating ransomware attack. The attack reportedly forced the postponement of patient procedures and, by some accounts, a total manual shut down of the organization’s IT functions. Early reports indicated that it was a Ryuk variant. So let's start from there.
We know that healthcare institutions are now squarely in the crosshairs of ransomware gangs, likely because they tend to pay quickly and pay a lot. So we can start our cyberrange wargame by mounting ransomware attacks against the infrastructure of a healthcare organization. To make this attack realistic, we will use the actual Ryuk ransomware. Ryuk tends to enter systems through spam emails or rogue attachments and is often ferried in by the Emotet malware.
The basic playbook is known but still hard to stop; Ryuk uses obfuscated PowerShell scripts to connect to remote IP addresses and download a reverse shell. Ryuk executes anti-logging scripts to hide its tracks. Once Ryuk is installed, the malicious operator uses it to scan the internal network and identify vulnerable hosts on the network that have the right level of privileges to execute an attack. Ryuk then shuts down backup services and launches the ransomware attack. This can happen in a matter of weeks or over the course of an hour.
That’s the technical details and we set up the attack tactics and techniques in SafeBreach to run the simulation against an infrastructure and application environment very close to what the client likely is running inside their own firewall. A key part here is that using modern cloud native technologies like containers and Kubernetes, we can generate and tear down virtual environments on our cyberrange more quickly and easily. This allows us to adapt the cyberrange to more closely fit the three key client parameters - industry, geography, and technology footprint.
All the attack information and system responses are then piped into a SIEM to aggregate and view the necessary log files and other telemetry that describes what happens as a Ryuk attack progresses. Participants also have access to a full suite of security tools for in-depth investigation, e.g. EDR, Forensics, etc. To make this realistic, we can factor in the ability of Ryuk to hide its tracks in logs and limit Indicators of Compromise (IOCs) to those that would most likely appear in a real attack. This also helps the security operations teams learn how to spot a Ryuk attack as it would actually happen in the wild. All of this lives in an integrated system that can be visualized, monitored, and analyzed after the attack to see what damage Ryuk had done.
During the first attack simulation, the health care team can then make adjustments to security controls and configurations in their simulated environment. Then, with SafeBreach, we continue to run the attack scenarios to see the impact of the changes. This provides a strong and rapid feedback loop to help security operations teams understand the impact of their actions - what works and what doesn’t.
Because SafeBreach is quite flexible, with tens of thousands of attacks in its Hacker’s Playbook compendium, we can develop and run attack scenarios in a short period and even focus the attacks on more recently released exploits that few security teams have experienced in the wild. This effectively compresses the learning curve compared to previous cyber range exercises, and allows teams to iteratively learn more by being exposed to more in an environment that is similar to their daily workspace and tooling.
To make our new cyber range realistic for non-technical participants, we include business-facing risks and scenarios. For example, we like to include public relations and marketing teams so they can experience and react to the attacks. These teams are crucial in helping an impacted organization communicate the attack to the outside world and to clients, and in responding to negative press coverage that will likely kick off after the attack is revealed. We even simulate a a positive or negative news cycle based upon participant actions, or inactions. The marketing and PR leads need to communicate closely with the CISO team and the CEO to plot an appropriate communications strategy.
For legal teams, the attack kicks off a discussion of legal compliance. This means planning out who to notify and how quickly and what to say in a notification. Many states and countries have strict notification regulations for breaches that compromise customer information. The notification rules do not always mandate public disclosure but often enterprising reporters check for mandated company breach notification filings with government agencies and use those as a source for story ideas. In addition, legal teams have to determine what is the best path forward to minimize legal risk. We include legal teams in this part of the exercise, as well and have game rules where a breach triggers adverse effects, such as threats of a lawsuit from angry customers. Legal teams need to think through the ramifications of their actions and come up with a plan.
Since this is a healthcare organization, we would need to include chief medical officers and other professional leads to craft a breach response strategy that can be quickly communicated to the organization. The crucial part here is that the people play a critical role in defending an organization. Something as simple as learning whether to immediately shut down your systems when a ransomware attack is underway can prevent mass infections in a matter of minutes. We witnessed IT security teams in the NotPetya attack on Maersk frantically notifying everyone they could turn off their laptops to avoid the attack. A very good internal response strategy may have been in place but drilling the necessary steps and identifying potential barriers of bottlenecks in advance can yield a better outcome.
There are other wrinkles for non-technical personnel and their roles and responsibilities are dependent on the type of organization. Creating these types of attack scenarios for non-technical players does not require a specialized technology stack: existing SOAR, email and collaboration tools are what teams would use in a crisis and are the best tools to use.
The ability to quickly modify and run these attack scenarios enables the type of directed Chaos Security Engineering we discussed above. Generating chaotic, unpredictable environments and scenarios requires variability and variance. Learning to deal with chaos requires chaos. That said, you need enough structure and rigor to allow teams to function and to learn from repeating simulations, improve their responses, and solidify systematic and practiced approaches to dealing with dangerous situations. The cyber range of the future will deliver that but, above all, be fun and engaging. It will stretch the minds and response muscles of participants and their organizations, preparing them for a world of cyber security that grows more chaotic by the month.