Post by Atlantica » Fri Mar 13, 2015 5:11 am
On MT RP's, how should cyberattacks be RP-ed?
Just for funsies, I'm gonna go into a little more detail to give some examples and some counters...
Mainstream Media/Movie Cyberattack:
"We're hacking their systems to take them offline!" *Five Minutes Later...* "Looks like the hamsters are dead! Let's go!"
Real World Cyberattack:
Stuxnet (and a lot of this is supposition):
Four years ago, a worm was discovered inside Iranian industrial control systems that was designed to subtly destroy the uranium centrifuges they controlled, but the origins of the worm were likely much earlier, possibly as much as a decade. However many years it was, Israeli or American intelligence came across the idea of using cyberwarfare to delay or destroy the Iranian nuclear industry before it really got started. In order to go about this, they needed a lot of planning, and we'll start with that.
First they needed to know what industrial control units the Iranians were using. They would have tracked this down through purchase records, looking through garbage bins for sales receipts and manuals, or looking at what Iranian intelligence was trying to get their hands on. Then they would have gone out, bought said unit themselves, and torn it apart to figure out how it worked and what the vulnerabilities were. Then they could write the virus portion of the worm.
Next is a target/chump (AKA spear phishing). They need a way into the facility, because the first rule of IT security is that if it's Important (capital I) you do not connect it to the Internet. Again, you do not connect anything Important to the Internet. Period. Full stop. Don't listen to the managers, don't listen to the CEO, listen to the former Air Force penetration tester who taught my systems admin class: Do Not Connect Anything Important to the Internet. Otherwise it is considered to be hacked. Not "if"; it already has been. Interestingly, the Iranians knew this and thus didn't have these machines connected to the Internet. Thus the chump.
The target was likely a manager, probably somewhere in the middle of the organizational chart. You know the type: just smart enough to get the job, just dumb enough to be a pain in the ass every day. The kind of guy who will open the attachment on a carefully crafted email that purports to be pictures of his daughter at her birthday (and might just be, given American satellite imaging resolutions) but carries a secondary payload of the worm.
Now the worm is going to sit there on his and perhaps others' systems for who-knows-how-long, because one target isn't really enough. You need a shotgun for things like this. The more targets you potentially hit, the more chance that one of those stupid, willful, stubborn middle managers, who has been told better by IT but will do it anyway because it's convenient, will take his thumb drive with those pictures of his daughter's birthday party on it, load the spreadsheet or the movie or whatever onto it, and plug it into the supposedly isolated systems that are connected to those industrial controllers. Then, and only then, will it spread out and start the dirty deed.
For the next few months those centrifuges will spin and spin and spin too fast, or wobble, or spin too slow, or mysteriously fail in the middle of the night. And then they break. Because you need 20,000 of the buggers to make the uranium you need, every one destroyed puts you a little more behind.
That is a real cyberattack with real consequences. Forget what they show on TV; real attacks don't take minutes, they take months, years. Because even with precise knowledge of the computers, the human side of the attack is often the most difficult. You need to find out who the chump is (spear phishing), and why they are the chump.
How to RP it?
Well, if you're serious about it, you could spend a whole year doing the run-up to the attack itself (and it could still fail). The intelligence agent on the street going through the manager's garbage at 2 in the morning looking for an owner's manual, every day, for a year, until he finds it and the receipt for birthday supplies. The guys at the NRO (National Reconnaissance Office) who point a satellite at that guy's backyard and take some pretty pictures. The Director who pieces the whole thing together. The stupid chump who falls for it. The maintenance guy who complains about a lack of parts (which is how Stuxnet 'worked').