Friday 22nd June – ITS FASAN room 2
ROLE PLAY “Cyber crisis management”
The Role Play game “Cyber Crisis Management” is a tool designed to promote and stimulate attention to cyber security issues. The participants play the management of a small energy provider that runs a smart city in the city of Fribourg (Germany): this company will be the target of an IT attack perpetrated by a competitor in order to access company data and, in particular, to find confidential documents, including those of a large competition in which both companies are taking part.
Session 09.30–11.30
09.30 – Opening Remarks – Commander Carmelo ROMEO
09.40 – Chairman Introduction (TBD)
09.50 – STEP 1: Attack on the internet perimeter
Various activities are carried out to identify the company assets directly exposed to the internet, and these assets are searched for vulnerabilities that would allow access to the internal network. In this phase, however, no serious breach that allows access is found. The attack is not focused only on the systems of the energy producer, but also on the internet provider that offers connectivity; there, instead, a serious problem is found that allows access to the network devices that provide connectivity.
10.10 – STEP 2: MiTM Attack
Thanks to the breach found at the provider, the network configuration is changed and the traffic is duplicated so that it can be analysed by the attackers. During this analysis, the attackers discover that some production equipment communicates over channels not protected by encryption. This allows the attackers to discover the administrative passwords of these devices, thus gaining access to them.
10.30 – STEP 3: DDoS Attack
Since 9 AM this morning (21/05) our company has been receiving a very large number of TCP SYN packets that are filling our internet link. From what we could understand, there seems to be an attack distributed from various parts of the world that sends 10 gigabits per second of traffic to our main systems. We tried to contact our provider but unfortunately the attack is causing serious problems for them too and, even by applying firewalling rules, the IP addresses that are driving the attack change too fast and we cannot stop them. The main problem is that this attack is basically blocking our VPNs towards the energy production sites and therefore we cannot remotely control the equipment on site. In addition, our load forecasting systems cannot contact the market for the purchase / sale of energy and therefore it is possible that, until we can solve the problem, we will be substantially cut off from sales, because we cannot book the sales lots. We are moving to another provider so that we can activate secondary connectivity, trying to solve the problem within 48 hours.
10.45 – STEP 4: Malware
4 months after the DDoS attack, malware was detected on some company PCs. An in-depth analysis made it possible to identify how it was introduced and disseminated in the company. The secretary inadvertently opened a fake PDF invoice that exploited a client-side vulnerability to install the malware on the PC. The malware was subsequently replicated within the network thanks to some weak credentials that we had in the Active Directory, compromising numerous workstations and some servers. The reverse engineering carried out by a third-party malware company made it possible to identify that the malware was programmed to spread on 21/05, collecting some confidential documents and subsequently sending them through an encrypted UDP connection to a host residing in Russia. Unfortunately, due to the DDoS attack, the IDS / IPS systems did not detect the transfer of 10GB of documents to the internet. We hypothesize that the DDoS attack may have been used as a decoy attack to distract us from what the malware was actually doing on our internal network.
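As an added example (not part of the exercise material), a flow-volume check of the kind that would have flagged the Step 4 transfer regardless of the Step 3 flood: it sums outbound UDP bytes per source/destination pair and alerts above a threshold, using only direction and volume, so an encrypted payload does not hide it. The network ranges, addresses and NetFlow-style records below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records for illustration (documentation address
# ranges, not real hosts): timestamp src dst proto dst_port bytes
# The first three lines stand for the inbound SYN flood; the 10.20.0.15 lines
# stand for the two halves of the 10GB outbound transfer.
FLOWS = """\
2018-05-21T09:05:00 198.51.100.7  10.20.0.1     tcp 443 60
2018-05-21T09:05:00 198.51.100.8  10.20.0.1     tcp 443 60
2018-05-21T09:05:01 192.0.2.99    10.20.0.1     tcp 443 60
2018-05-21T09:06:10 10.20.0.15    203.0.113.80  udp 443 6000000000
2018-05-21T09:12:40 10.20.0.15    203.0.113.80  udp 443 4000000000
2018-05-21T09:13:00 10.20.0.21    203.0.113.53  udp 53  512
2018-05-21T09:14:00 10.20.0.15    10.20.0.2     udp 161 2000
"""

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed company range


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, port, nbytes = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "proto": proto,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip, nets=INTERNAL_NETS):
    return any(ip in net for net in nets)


def outbound_udp_volume(flows):
    """Total bytes of UDP flows leaving the internal network, per (src, dst).
    Inbound flood traffic is excluded by direction, so it cannot mask the sum."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return dict(totals)


def exfil_alerts(flows, threshold_bytes=1_000_000_000):
    """Return (src, dst, bytes) for outbound UDP pairs at or above the threshold."""
    return sorted((src, dst, total)
                  for (src, dst), total in outbound_udp_volume(flows).items()
                  if total >= threshold_bytes)


if __name__ == "__main__":
    for src, dst, total in exfil_alerts(parse_flows(FLOWS)):
        print(f"ALERT outbound UDP {src} -> {dst}: {total / 1e9:.1f} GB")
```

The threshold and the internal range are the two tuning points; in practice the sum would be kept per time window rather than over the whole record set.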