Largest Simulated Cyber Attack To Date

Orome1 noted that the government will be running simulated cyber attacks as part of the Department of Homeland Security's Cyber Storm III exercise. It says "The exercise will be controlled from the Secret Service headquarters, where organizers from various agencies will be sending out 'exercise injects,' information that a player will receive that indicates that a certain event has taken place as part of the narrative set up by the organizers. This goes a bit beyond a paper narrative, including fake log data, drives that may contain fake malware, and fake event history, and is dynamic, meaning that it can change dependent on the actions the players take." ...which makes me wonder how effective this test would actually be.

Obligatory

[Pojut]

The only winning move is not to play. Now get me a WOPR with cheese!

Re:Obligatory

[jimpop]

This sounds like the perfect oppty for Catering, Coffee, and Donuts. I wonder if that is their true motivation.

Re:Obligatory

[WrongSizeGlass]

If they had provided a URL I'm sure we could have /.'d them and helped with the 'simulation'. ;-)

Re:Obligatory

yeah there were simulated trade tower attacks prior to 9-11. That didn't work out too well for us serfs. I'll say no thankyou to simulated cyber attacks please.

Re:Obligatory

[mvojtko]

Well, how do you think they test nuclear weapons? You afraid that those won't work either? :) Mark http://recipesforbarbecuechicken.com/

Uh Oh

[AppleOSuX]

Should we expect a real attack at the same time?

Re:Uh Oh

[robot256]

Reminds me of Spaced Invaders...aliens landing on Halloween were not taken seriously by anyone, but luckily they weren't a threat anyways. Might not be true if someone launched a full-scale cyber attack at the same time as this exercise.

Re:Uh Oh

[RMH101]

...depends if someone tells /b/

Re:Uh Oh

[Even+on+Slashdot+FOE]

Don't give people ideas. They might use them.

Re:Uh Oh

Don't worry, anonymous already knows.

External & Internal attacks?

I hope they're not just testing over the wire attacks, that new janitor with the thumb drive could do some damage...

Re:External & Internal attacks?

[dragonhunter21]

From the summary, it appears as though they're using drives with fake malware on them to keep operators on their toes. This should be fun.

Re:External & Internal attacks?

[Iamthecheese]

what's fake malware? Is it a program that puts "you have been hacked" on windows desktops? Does it require similar permissions as regular malware? Will it trip virus scanners and automated lockdowns?

it's like a high tech game of D+D

are they playing in their mom's basement?

Re:it's like a high tech game of D+D

[_Sprocket_]

"I invoke... Internet Killswitch."

"Why are you invoking the Killswitch? There's nothing to stop here."

"I'm stopping the HACKERS."

[Situation Room laughter]

Re:it's like a high tech game of D+D

[HTH+NE1]

"Hey, uh, your intranet's DNS servers are under DDoS attack."
"How could they be attacking our servers? I had Mordenpyren's Magical Firewall installed!"

I wonder if it is possible to subvert this sim

[JonySuede]

I wonder if a real attacker could subvert this simulation to hide a real attack. The "exercise injects" canals seems like a good way to inject malicious payload.

Re:I wonder if it is possible to subvert this sim

[Tekfactory]

Um, shouldn't.

In the real world there is a helpdesk code for 'only an exercise' that was created years ago.

The only thing more dangerous about an exercise is distribution of security resources themselves, and it would be the same on exercise day as training day as Security Conference(Black Hat DC, FOSE) as $NationalHoliday.

Re:I wonder if it is possible to subvert this sim

[jpapon]

On that note, you have just been added to a government watchlist. You're not supposed to wonder these things out loud!

Re:I wonder if it is possible to subvert this sim

[_Sprocket_]

From the article:

However, the scenario won't use a virtual network. Instead, the exercise will be controlled from the Secret Service headquarters, where organizers from various agencies will be sending out "exercise injects," information that a player will receive that indicates that a certain event has taken place as part of the narrative set up by the organizers. This goes a bit beyond a paper narrative, including fake log data, drives that may contain fake malware, and fake event history, and is dynamic, meaning that it can change dependent on the actions the players take.

They're getting an exercise scenario storyline but the big difference is that now someone is creating props to go with it. And they create new props and storyline as the game progresses. I don't see how you expect this would provide a way to "inject malicious payload[s]."

Now's the time

Can anyone think of a good time to run a real cyber attack against DHS?

Let me guess the results in advance

[vlm]

I can guess the results in advance of this pointless "test".

We did well enough that none of us should be fired. Or we selected a fall guy months ago whom is not playing along, and I guess with "great shock" at the result its time for him to "spend more time with his family".

We did poorly enough that we all need more money. Conveniently I happen to have a brother-in-law in sales at a contractor that provides a magic bullet that claims to do everything we need...

There has never been a public "test" like this with any other result. Therefore its not even "news".

I have participated in things like this (not in this situation or field) and the primary reason they occur is someone wants to send cash to a buddy at a contractor, and everyone else wants a day off eating catered food and enjoying some business travel.

Re:Let me guess the results in advance

[HungryHobo]

best. summary. ever.

Anyone care to bet against this being the approximate result?

Re:Let me guess the results in advance

[whoever57]

You missed the part about: "we need more control of the Internet, cellphones, computers, etc."

Re:Let me guess the results in advance

[Jawnn]

True words, sir. It's almost as if the new "cyber warriors" are nothing more than contractors being provided from new divisions of traditional "brick and mortar", or should I say "bombs and bullets" defense contractors.
Oh..., wait.

Re:Let me guess the results in advance

[rokstar83]

These types of exercises are a lot of times done with oversight from the GAO. The GAO does not pull punches when it comes to letting people know how badly they screwed up or how screwed we all are.

Re:Let me guess the results in advance

[oodaloop]

Yes, I also predict it will either pass or fail! There has never been another result of a test.

Re:Let me guess the results in advance

[vlm]

Which is why these types of exercises are very carefully framed and preplanned to get the desired result.

Don't forget, carefully planned and orchestrated failure, resulting in a live-fire FUD attack against the general public with the aid of some friendly journalists, might be the goal. Especially if the "ideal solution" happens to be taking away our rights, more laws, more regulation, etc.

Re:Let me guess the results in advance

[rokstar83]

Some of these agencies can't 'carefully plan or orchestrate' their way through a revolving door. You are giving these people way more credit/malice than you should.

Re:Let me guess the results in advance

[ginbot462]

Tell that to that cat in the box! (He's getting hungry, please visit him! I can't take the wailing.)

Re:Let me guess the results in advance

[oodaloop]

If when I open the box, the cat will be either dead or alive. Thank you for proving my point.

Re:Let me guess the results in advance

[tibman]

The result of most army training exercises is OPFOR wrecking the home team. Then after lessons learned and experiences build up, the OPFOR can be beaten. I don't understand why a civilian organization would be different? It should really be a matter of reorganizing and retraining the assets they already have.. not purchasing new stuff. If their planning and expectations were so terrible that they need new equipment, then by all means they should buy it.

Nobody should be fired because of a test, what a waste of resources. Train them until they are better than the opposing force. They will be at work atleast 40 hours a week whether they are being tested or not, nobody gets paid more for just doing their damn job.

Re:Let me guess the results in advance

It's moments like this that remind me how worthless slashdot comments are.

I've spent most of my career in private industry or consulting, but have worked for the government for the last few years, and am just down the hall from where one of *many* teams convened for the 2nd simulation.

From casual conversations with them after the test, I can say that our facility's cybersecurity gets more money based on the higher visibility that this exercise generates in senior-management circles. The money always comes with strings attached ("Implement X", "Shift to Y", "Pilot project evaluating Z"). A director got a serious lesson when he overrode policy & procedure and summarily shut down our subnet's connection to HQ against his staff warnings -- the test was designed to trigger secondary damage if it sensed that countermeasure or others (malware that start recklessly self-destructing if detected, if you will).

But all the fluff you just whinged on about is nonsense. The exercise spanned multiple facilities across the nation, was written for realism and contemporary threats (admittedly not A.P.T., which is what scares me most), didn't have a fall-guy, wasn't by itself grounds for promotion or firing, didn't involve vendors or magic bullets by anyone but Gartner (we've got a c-level preoccupation with Gartner's buzzword bingo, but that's another problem altogether). The last simulation made *TINY* mentions in the news, but results weren't interesting enough or quick enough in coming to merit reporting. The debriefs and results were largely shared between national and local teams, or led to presentations at peer gatherings among the tech or managerial staff. All the tech presentations focused on what worked or didn't, not vendors or boondoggles or silver bullets.

For 99% of those involved, it took less than half a day and didn't involve catered anything or travel. Most involved people ended up merely having to go back to their desks afterward and work a bit harder to catch up on backlogs of accumulated work.

And yet every one involved thinks it was tough, valid training. It smelled like an incident, it let the incident response paperwork become a live and meaningful tool rather than binders of unread / unreadable pap, and it called attention to things that worked and things that didn't.

Exercises like these are like Red/Blue team or CTF exercises: anyone that thinks they're 'fun' either hasn't been through one, or has a sufficiently warped sense of fun and a high enough enthusiasm for security work that they're not doing this for the benjamins. And calling it pointless, a waste of time or any other slur is beneath reply.

tl;dr: bullshit; exercise is what any skilled professional knows they must do to improve. Short of inviting real trouble, these exercises are essential.

Re:Let me guess the results in advance

[ediron2]

Kudos. Wish you were modded 5 instead of parent. Per my too-long rant above, you're far more right about this stuff than parent is.

Incidentally, the stuff that bit us on the ass last year tended to be much smaller than in our first such exercises. The most notable was a panicked boss overruling his techs and causing minor damage. But all in all, team members come away calmer, surer, more familiar with procedure (and more engaged when asked to edit procedure), and with relationships with CERT and peers at other agencies/facilities that they're quick to use when they see phantoms.

One last take-away: Without training, every pattern or surge or shadow looks scary. After training, fewer false positives are declared, because staff resorts to a few simple self-checks before calling a much calmer, more specific "Hi, I'm sending you a pcap... does this look wrong to you, too?" sort of report.

Re:Let me guess the results in advance

[Thinboy00]

The prediction was not one or the other, but both.

The Government

[alta]

I'm going to go ahead and preempt all the non USians here...

What government is "The Government"? Eh? The government of Moldova? Argentina? Kajikisitkishtanz? Tatooine?

Why do you Imperialists pigs thing that only US people visit this site? How do you know that the government of Romulus doesn't have it's own Department of Homeland Security?

Ok, sorry, had to get that out.
Disclaimer, I'm not in the US. I live in Dixie.

Re:The Government

[chill]

Disclaimer, I'm not in the US. I live in Dixie.

Help me find that one on a map. Is that the place that got its ass kicked by the U.S. about 150 years ago? The place that has been totally pacified with NASCAR, pickled pigs feet, cheap alcohol and the SEC?

Re:The Government

[AndrewNeo]

http://slashdot.org/faq/editorial.shtml#ed850

Re:The Government

[alta]

See my UID, it's really small. I've been around here for a while. It was a joke to preempt the whiners.

As far as I'm concerned we can firewall off the rest of the world ;)

Ok, not really.

Re:The Government

[alta]

http://lmgtfy.com/?q=dixie

kicked by the U.S. about 150 years ago

See what I mean? Imperialists pigs. I'm still living under their oppressive regime.

Nascar... Never sat through a race.
Pickled Pigs feet... That stereo type may have worked 149 years ago.
SEC? Yeah, you got me, roll tide.

I do have a Gadsden flag on my SUV. This one was almost lost to history but Obama has renewed our interest in it.

Re:The Government

Eh Loco! acá en Argentina no tenemos cyber ataques... (casi casi que no tenemos internet) ;-)

Re:The Government

[chill]

Fine, pork rinds, then. :-)

Tide? TIDE?!

GO GATORS!

Re:The Government

[alta]

Gators? Isn't that one of the teams we rolled over last year? Oh yeah, I forgot... The one where Teebow cried. (http://www.youtube.com/watch?v=qBO1LHUqD_0)

I'll be watching for a replay (sans Teebow) this weekend in Mobile. Beautiful weather for the game this weekend. Think we may just move the big screen outside ;)

You're welcome to join us. We're in Mobile. We're planning on having a house full.

Re:The Government

[alta]

Translating from memory...

Eh, Crazy! Here in Argentina we don't have cyber attacks. (We almost have no internet)

Re:The Government

[chill]

Thanks, and have fun. Honestly, I'm one of those people who believe college is for education, not sports. I'll also be in Chicago this weekend, listening to people try and explain how it isn't the Bears' weak opening schedule, they're just good. :-)

Re:The Government

[Thinboy00]

Why do you Imperialists pigs [...]?

Why is it always "[whatever]ist pigs"? Incidentally, I don't think the US has actively sought to colonize existing small countries for a very long time (ostensibly Iraq/the entire Middle East doesn't count since it is supposed to eventually "stabilize" at which point it will be freed, or whatever).

Re:The Government

[chill]

Tide 31, Gators 6

I bow before your superior college football program!

Congrats.

Dynamic != Static?

[Tekfactory]

"This goes a bit beyond a paper narrative, including fake log data, drives that may contain fake malware, and fake event history, and is dynamic, meaning that it can change dependent on the actions the players take." which makes me wonder how effective this test would actually be."

Why shouldn't the test adapt to moves the player's make, do you think a hacker is going to keep running off the same script when he knows he's been noticed?

Some of the worst botnets move their Command and controls nodes around and the people behind them release new code to adapt to what security researchers are doing to stop them. Including DoSing the researchers.

What idiot thinks we can fight a changing landscape of threats with a static defense?

No Really I can't tell from the context if that's Taco or the submitter, but paper narrative tests that the author mentions basically are just there to make sure you know your job or have memorized your DR plan, but they don't make you think.

I'd be more worried if all facets of the scenario didn't get played out because nobody said "I image the hard drive" and so they skip that part of the test. In that case it would be up to the folks running the exercise to move the scenario along by saying someone at another agency imaged the drive, here is a copy, maybe you should look at it.

It's a lot like preparing for a D&D game and having the players ignore half the story/encounters you wrote up.

Re:Dynamic != Static?

I am sitting here posting this from EXCON in CS3, there are clued folks here :)

Re:Dynamic != Static?

[vlm]

It's a lot like preparing for a D&D game and having the players ignore half the story/encounters you wrote up.

Oh, there's several ways around that, for sure:

"Despite all agreeing not to open the trapdoor to the dungeon, you have an uncontrollable urge and open it anyway."

"As you step away from my favorite trapdoor, you spy a giant, angry, immortal dragon heading your way. Care to reconsider that trapdoor?"

etc etc. I suspect the whole thing has been scripted out. Basically "high school musical" for nerdy govt MBAs, probably with less dancing and music. I hope.

Re:Dynamic != Static?

I am sitting here posting this from EXCON in CS3, there are clued folks here :)

Good to know! There are clued folks out here as well.. enjoy!

Re:Dynamic != Static?

[DerekLyons]

No Really I can't tell from the context if that's Taco or the submitter, but paper narrative tests that the author mentions basically are just there to make sure you know your job or have memorized your DR plan, but they don't make you think.

I suspect you haven't ever taken part in a large scale simulation like this. I have. Short (and long) version: you're wrong.
 
Not that there's anything wrong with ensuring that the participants know their jobs and/or have memorized their disaster recovery plan.
 

It's a lot like preparing for a D&D game and having the players ignore half the story/encounters you wrote up.

Preparing for a D&D game is to a simulation like this as an Estes rocket launch is to a Saturn V launch.

Re:Dynamic != Static?

[Tekfactory]

Of Man's reach exceeding his grasp...

No big sims are multi-agency and have casts of thousands, even single agency drills can be enourmous and complicated. Just getting through the phone tree for a single angency is more complicated than running a "I call Iron Mountain to locate my backups" test or restoring the last good backup for real on one of the test boxes.

But for the submitter who fails to see the value of a dynamic exercise, should I talk to him about planning a mini-D-Day invasion of Normandy? Because as you put it a lot of us probably haven't had to do that.

No, you talk to a level everyone understands, like Kennedy said.

And yeah, maybe you could have said Planning your vacation is to planning the Normandy Invasion, yes?

Re:Dynamic != Static?

[lennier]

I cast Magic Missile on the Sharepoint server!

Cyber Attack = ?

[mvar]

I don't get it really, what exactly is considered a cyber attack from the government's point of view? A DDoS at some sensitive service? And why would this sensitive service be accessible to the public internet anyway? Of course someone could compromise a workstation inside the network and stage his attacks from there, but then you should be really worried for other stuff (password policies, web filtering, firewalls etc). This sounds like another scare-tactic to gradually make people feel that the internet needs control. http://yro.slashdot.org/story/10/09/27/1221213/Obama-Wants-Broader-Internet-Wiretap-Authority

Re:Cyber Attack = ?

what exactly is considered a cyber attack from the government's point of view?

A single port scan. Why? Because their IPS says so.

Cyber Alert ( +1, Extra Jalapeno Elevated )

  Facebook is down.

  Twitter is slowing down.

  Glenn Beck is entertainer supreme.

Yours In Ft. Lauderdale,
K. Trout

Ah oh not a simulated cyber attack...

Rather than wasting money on "exercises" why not provide tools to help the entire industry find and fix software problems? Make tools like the stanford checker or something like it free in the interests of "national security".

"Exercises" make for good political headlines and as awesome as hackers was there really is no "cookie" command to make the evil cookie monster go away. There is no point in putting on a nice show by holding an exercise in linear time because in "cyberwar" the damage could have been done years ago in the form of a time bomb where any human "reaction" is already too little too late.

More Info

[Necrotica]

The original article is not quite right. The U.S. Department of Homeland security is sponsoring Cyber Storm. The United States, Australia, New Zealand, Canada, and the UK are participating. The focus is on response procedures for a significant event.

What is really going on?

11 september 2001, on the exact time of the planes flying into twintowers, NORAD held a test. On the metro bombings in London on July 7th in 2005, emergency held a test on the exact moment of the bombings.

What kind of "terrorrist attack" is happening as we speak?

Dynamic as is in...

[bragr]

if(player.win())
{
player.loseAnyway();
scaryPressRelease(REALLY_SCARY);
Legislation* cyberRegulation = new Legislation;
cyberRegulation->ramThroughCongress();
Bureau bigBrother = cyberRegulation->biggerGovernment()
}

No longer the largest simulated exercise

[mynameismonkey]

Sorry to burst everyone's bubble, but I just simulated an attack of far greater proportions. First, I simulated having the resources to simulate an attack of far greater proportions, then I simulated executing my far greater attack. If anyone is interested, the results showed that while I was adequately prepared to defend against a simulation, I need to beef up some protocols and institute some new processes.

cast firewall spell, roll 3d10

[Thud457]

Lamest game of DND EVER .

Re:cast firewall spell, roll 3d10

[kmoser]

More like DoS.

Aw, dating.

[Fict]

The World's Largest Simulated Cyber Attack is really growing up.

Don't do anything that makes you feel uncomfortable.

Frankenstein Complex

[angiasaa]

Hmmm.... So exactly when does this stop being a simulation? :P

Wouldn't a better test be something like...

[maliqua]

Taking a dev or similar production network and actually hiring the same people that would likely be used to attack your equipment to attack your honey pot and see what they actually do? I dunno i'm probably just being ignorant

"it can change dependent on the actions the player

[dave562]

Am I the only one hoping that Obama exercises his "internet kill switch" option?

What happens then?

"Good job Mr. President. Now our game is over. Way to ruin it for EVERYONE!"

Re:"it can change dependent on the actions the pla

[TandooriC]

Hope they don't create a self-aware SkyNet

Oh Boy, Not Again!

Remember, 911 happened during "excercises" too. To protect the USA from hijacked aircraft being used as tr-weapons.
Cyber-911 ? Anyone? Hello ( Is this thing on? ). Hello?