For people entering offices in early morning, their desktop computer screens still dark, the world looks peaceful. The day hasn’t quite begun.
But it’s an illusion. According to a team of Sandia and Los Alamos technical experts and instructors, there’s a battle raging 24/7 over the “minds” of those computers, analogous to the silent struggle waged by interlocked tree roots fighting for water, though trees stand as peacefully as blank desktop screens.
The technobattle is about information.
Each year, according to some estimates, millions of sites are hacked, says Alex Quintana (9317), teaching at a first Sandia-led workshop meant to forge cooperative links among computer analysts at DOE labs and other relevant agencies.
“Our intent is to build an interlab community of skilled analysts so that we can cooperatively respond to network incidents,” says Kevin Nauer (9312), who led efforts to bring about the four-day cyber training session last week. “Attackers work in linked groups; we should respond the same way, notifying each other of incoming attacks and borrowing expertise from groups we know can best handle a particular problem.”
The interlab effort would use encrypted communication channels between partnering sites.
“To address technical issues collaboratively, we need relations of trust and personal contact so that there’s no hesitation in calling on the right analyst at another lab to help with an attempted cyberattack,” says Kevin.
The idea originated when other, smaller DOE sites were nearly compromised by external attacks, says John Abbot (9329). “We sent people to help, the other sites were happy, and [Chief Information Officer] Art Hale and [director of Computing and Network Services Center 9300] Rob Leland got interested in a more formal interlab arrangement. Kevin came up with the idea of cross-site training and an infrastructure to enable collaboration.”
Attack and defend
The training sessions, consisting of lectures and a game of attack-and-defend on simulated networks, took place in two isolated, windowless rooms in Tech Area 1. There, 40 computer analysts from DOE labs and other agencies were instructed on how to better recognize and deal with the complex world of computer threats and how to coordinate a response.
Different DOE sites have their own pockets of expertise, says Kevin, and labs under attack should be aware of and use all the joint resources available. One lab may excel at intruder detection and another, for example, reverse engineering — taking code and working backward to figure out the code’s intent.
Knowledge of Latin — helpful in reading some scientific literature — is useless in understanding the terms of cyberspace. There, hackers — kids, criminals, or sophisticated foreign teams — trying to break into lab computer systems use hopelessly distorted alphabets, words like “snortsnarf” and varied number groupings, along with truncated commands that require decoding to figure out.
“To counter this, we need seasoned analysts with different skills from various DOE/NNSA sites to work together to respond to these attacks” says Cyber Security Services Senior Manager Carol Jones (9310).
Yet, for all the incomprehensibility of code to ordinary computer users, attackers may follow a rule to “act openly and hide in what is normal,” Alex tells the students.
For example, if a password is secured so well that a hacker can’t find it, the interloper may lock the machine. To the user, this may seem just another small, inexplicable computer behavior not worth pondering. But it forces the user to reboot. Then the hacker, watching remotely, can see the credentials used to start up the computer.
Even opening a meeting request from an external source may open a computer to secret invasion.
In another trick, hackers may remotely turn on a computer’s video or voice recording capability and capture what’s being done or said in a room.
They may exploit trust relationships between users to pass malware from one computer to another.
“And they may implement countermeasures,” says Alex, “to detect our response to their attack, in order to modify their next assault.”
A USB thumb drive can not only record everything on a computer but implant malware as well.
Who are those guys?
So, who are the citizens standing at the gate to bar entry to these malefactors?
To judge from the trainees, they come from every age group, many ethnic groups, with dress and hairstyles one would have to say are not exactly corporate.
They are clean-shaven, sport beards, moustaches, van dykes, and mutton-chop whiskers; are shaven bald or maintain long hair tied in ponytails; wear restrained, checked sport shirts or brightly colored polo shirts and a variety of jewelry, and range from pale to sunburned.
The variety in responder dress, if similar to the variety in their approaches to code, may mean that these anti-cookie-cutter spirits will leave very few holes uncovered for adversary entrance. In other words, there is strength in diversity.
Each site paid its own way to Sandia, a testimony to the desirability of the training.
Because of the need to maintain a continuing cyberguard presence at each participating site, only some of each site’s analysts could attend the training session. But that’s fine with Sandia organizers, who envision a training session held every six months. “New problems and techniques arise all the time,” says John. “The next group of participants will bring back different knowledge from the current ones.”
Sandia would like to share the leadership and operation of TRACER FIRE cyber training with other DOE sites.
Says Kevin, “We’d like to have a training session every six months with rotating hosts, so every participating site gets a turn to lead and contribute to improving the strength of DOE/NNSA’s cyber security.”
This cyber exercise, says Rob, is one example of how Sandia is working to become a model laboratory for cyber security as defined in the Laboratory Strategy for Responding to the Nation’s Cyber Dilemma.