Wednesday, last week. In a dimly lit lounge-sized room on the 4th floor of the Information System Authority (RIA), the air is thick with tension. In the glow of the computer screens, 15 silhouettes are outlined around the table. I’m not supposed to see them. This is Estonia’s cyber unit. And they are at war.
Two days of NATO cyber shootout
Right now, the Estonians are defending the computer networks of a Spain-sized fictitious NATO state named Berylia. Located off the coast of Greenland, it is the alliance’s main drone producer, according to the exercise legend. A moment ago, an explosion went off in the drone control centre; intelligence data says the warhead was launched by the hostile neighbour Crimsonia.
What follows is an avalanche of cyber attacks aimed at seizing websites and drones in flight. Not stopping there, the enemy wants to switch off all e-services and bring Berylia to its knees.
«In everyday life, Estonians might experience this amount of cyber attacks over a three-year period. Now it all comes down in two days, full spectrum and against all systems: UNIX, Windows, networks, websites, mobile,» says the Estonian team’s chief Klaid Mägi, who in everyday life heads incident management at RIA.
The Blue vs the Red
What Mr Mägi doesn’t know is that, during the days ahead, 15 types of cyber attack will be tested on his team. Simultaneously with the Estonians, 15 other teams from NATO member or partner states are fighting for the information systems of Berylia, each from their home country. Put together, this is «Locked Shields 2015», a major cyber defence exercise for the alliance.
Whoever is tempted to think this is just some international championship for boys with ponytails is gravely mistaken. The teams are composed of computer network specialists. In Estonia’s case, they hail from various network operators, e-healthcare, the justice ministry, RIA and elsewhere in the public sector. In a crisis, they will have to defend these same systems on the job. While the Estonians are civilians, in other NATO states the cyber defence units are often composed of military personnel.
«The main aim is to be prepared if again something major happens – like in 2007,» says Mr Mägi.
Back then, the two weeks following the Bronze Night served as an alarm for NATO. One after another, cyber attacks took out the websites of Estonian ministries, media portals, the police and even the emergency phone number 112.
At that time, the attackers mainly used DDoS attacks – overloading, in plain language. Should an attacker employ the full arsenal available today, however, it would no longer be a matter of inconvenience to web users. Lives would be on the line.
Thus, the exercise organised by the Tallinn-based NATO cyber defence centre is more complex than one might ever imagine.
To begin with, the green team, i.e. the system engineers, builds the platform. Figuratively speaking, this is a cyber firing range which the red team attacks and every blue team defends. The yellow team sees to it that the game goes according to script; the white team is tasked with guiding the exercise. The blue will assess the results.
Two weeks before the attacks begin, the blue teams get 48 hours to check their systems, detect hidden faults and harden them.
«Some indeed make it stronger, others break it – like in real life. Once the exercise gets underway, the reds will attempt to attack them over the web, to find all the weaknesses and make use of them,» says Rahel Priisalu, the head of the greens.
The blue teams have to tough it out while continually sending reports on how they are doing, just as in a crisis they would report to the government. Key to success is wasting as little time and energy as possible on detecting faults and fending off attacks, and prioritising activities. To be true to life, communicating with the media and legal analysis are also part of the exercise.
«It’s been quite hard up to now, as the attack is so intense,» admits Mr Mägi when I ask how our guys are doing. «This means we must prioritise. They may take over a drone and use it to damage a power station. Therefore, there’s no question why the drones and the power station need to be defended to the very last.»
Though the blue teams are located in separate states, the nerve centre of the entire exercise is set up in the banquet hall of a hotel in central Tallinn. It is here that the activities of the blue teams converge, and from here that the 50-member-strong red team, i.e. the attackers, is orchestrated. In real time, a large screen receives vast amounts of data, including how much control each blue team has over its domains and what stress level it is currently under.
Hundreds of hours of attacks
The 50 cyber attackers, the reds, are an international bunch who share a peculiar kind of know-how: the ability to find the faults in systems.
«Attack skills do not develop overnight. The main source of reds is penetration testers – those who in practice deal with checking security,» says the reds’ chief Mehis Hakkaja, who in private life runs an information security company.
The fifty reds put the 400 participants and their close to 5,400 separate systems under considerable stress. All in all, each team is hit by about 800 hours of attacks. This provides an excellent overview of the weak spots.
«We did well with blindside-attacks, meaning the typical attacks against enterprises: breaking into intranet and stomping around. From the web’s side, however, we were blocked more easily,» describes Mr Hakkaja.
To those troubled about the security of their systems, he advises getting acquainted with the weaknesses of Internet Protocol version 6 and with advanced persistent threat (APT) attacks.
«In reality, as an attacker has more time, he actually does not need such a large team as I have here. In the cyber world, the proportions are badly out of whack. Even with little forces, lots of damage can be caused and this is why we need to be able to detect these attacks,» says Mr Hakkaja.
The winner of «Locked Shields 2015» was NATO’s cyber incident handling team, based in Mons, Belgium. Estonia came second, and the defenders from Poland placed third.
---------------------------
COMMENTS
Artur Suzik
Colonel, commander of NATO cyber defence centre
---------------------------
We are trying to place the participants in a real stress situation. The attackers, or the reds, employ the entire spectrum of cyber attacks in existence at the moment. The defenders, or the blue, must maintain the functions of everyday services such as e-mail and web servers while dealing with mass attacks. At the end of the exercise, a very thorough technical report is compiled, complete with advice. Though not public, it is available to all the blue teams, so they know what kinds of problems occur with certain attacks and how to fight them.
---------------------------
Mehis Hakkaja
cyber expert, chief of the attackers
---------------------------
In a single day, so broad a variety of attacks is probably seldom experienced. Rather, a wide range of attacks occurs either over a longer period of time, or else they would need to be detected in advance. At exercises, the selection and intensity of attacks is naturally higher, but the sample of attacks is largely based on everyday experience. The lion’s share of attacks have to do with entering intranets – usually, this is due to an error or inattention by a user. This is what typically happens to enterprises, and it is only noticed when the attackers have mapped the entire intranet and perhaps committed a theft.