From: redteam@all.net Reply-to: redteam@all.net Organization: Red Team Mailing List Subject: RedTeam Mailing List 980414
---------------------------------------------
From: Army Digitization Master Plan '96
	(http://www.ado.army.mil/admp/1996/09relatd.htm)

9.3.4.4 Red Teaming 

The fourth task is the operational Red Teaming of the system design. This
task is designed to determine system vulnerabilities through opposing
force-like actions (see Figure 9-4). Red Teaming of TF XXI information
systems will be incorporated into all digitization exercises leading to
Force XXI which appear to be potential Red Teaming opportunities. This task
will incorporate the results of the tasks assigned to SLAD and DISC4, as
described above, to make more global recommendations to the digitization
system design. 

Red Teaming will require a highly controlled process to ensure the effort is
complete and addresses all operational vulnerabilities (see Figure 9-5). The
C2 Protect Council of Colonels (C2PCOC) and the C2 Protect General Officer
Steering Committee (C2P GOSC), with membership from the ADO, DISC4, DCSOPS,
and DCSINT, provide guidance, priorities, and resolution decisions. A number
of working groups support the necessary analyses and provide
recommendations. The ADO and the supporting TF XXI Red Team Working Group
provide the supervision and coordination mechanism to manage the process. 

Red Teams will be task organized as necessary to accommodate specific
events. Operations will be conducted in conjunction with scheduled testing,
training, and experimentation. There are four primary Red Team opportunities
in the near-term during: 

      Planned system tests. 
      DIL certification of TF XXI systems. 
      EXFOR train-up exercises/events. 
      TF XXI NTC Rotation 97-05. 

                           Figure 9-4 Red Team (Working) Definition

The ADO will provide day-to-day direction to organizations assigned to
conduct the actual Red Teaming efforts, which for TF XXI are focused on six
assigned sub-tasks: 

      Position/navigation vulnerability assessments. The Electronic Proving
      Ground (EPG) will determine the ability of the network to react to
      loss of the GPS signal and develop initial offsetting operator TTP.

      Non-traditional threat vulnerability assessments. The DISA Center for
      Information System Security will determine the vulnerability of the TF
      XXI network to hackers, viruses, and other non-traditional network
      threats.

      Operational Security (OPSEC) assessment. The Land Information Warfare
      Activity (LIWA) will conduct a multi-discipline counter-intelligence
      (MDCI) OPSEC assessment to determine new/increased OPSEC
      vulnerabilities due to battlefield digitization/automation.

      Security policy assessment. DCSINT will assess the need for revised
      and/or additional security policy due to digitization implementation.

      Technical component analyses. ARL's SLAD will conduct technical
      experiments and analyses to determine unique vulnerabilities of the
      Tactical Internet's individual systems.

      SIGINT/MASINT (Measurement & Signal Intelligence) characterization
      assessment. LIWA will determine patterns and signatures unique to the
      digitized force that may have intelligence value to hostile forces.

                            Figure 9-5 Digitization Red Team Process

---------------------------------------------
And from: INFORMATION SYSTEMS RED TEAM ASSESSMENT PLAN
	(http://call.army.mil/call/exfor/ted/annexd.htm)

ANNEX D 

  INFORMATION SYSTEMS RED TEAM ASSESSMENT PLAN
                                         (August 1996)


1. PURPOSE. This Red Team Plan provides the basic tasks, responsibilities,
concepts, data collection requirements, and schedules for conducting
effective and focused Red Teaming efforts in support of Task Force XXI.
These efforts will be directed at specific objectives which are bounded,
well defined, useful, and achievable within timeframes and resources
available. A primary consideration of this plan is accomplishing these Red
Teaming objectives with minimum disruption of the broader digitization
objectives of Task Force XXI and minimum disruption to the Experimental
Force (EXFOR) which will undergo the Advanced Warfighting Experiment (AWE). 


2. DEFINITION. Red Teaming is an independent vulnerability assessment
activity which targets information or information-based systems and their
associated information support infrastructure for the purpose of assessing
system vulnerabilities, conducts risk management in analyzing those
vulnerabilities, implements appropriate fixes, and thereby increases the
Commander's ability to conduct combat operations. 


3. CONCEPT. During the Task Force XXI (TF XXI) AWE, the Army Digitization
Office (ADO) will direct and oversee Red Team activities conducted by five
Lead Agencies in support of six specified Red Team tasks during limited
timeframes at programmed equipment test sites, the DIL, EPG, Fort Hood, and
NTC to assess EXFOR information systems vulnerabilities and to develop
recommended fixes for these vulnerabilities. These vulnerability assessments
and recommended fixes are needed to guide necessary information systems
capability improvements for Force XXI. Due to the differences in technical
and operational focus of the assigned Red Team tasks, none of the six tasks
require action at every specified location or timeframe. As currently
planned, the POS/NAV Assessment Task and the Technical Component
Vulnerability Assessment Task (described below) require no actions at Fort
Hood or the NTC. However, they are included here for completeness and
general incorporation into the overall TF XXI AWE experimentation plan. The
six Red Team taskings are stated below in abbreviated form and are discussed
in more detail later in this document. 

      a. Task 1. Position/Navigation (POS/NAV) Vulnerability Assessment.
      (Lead Agency: EPG.)

      OBJECTIVE: Electronic Proving Ground (EPG) will determine the ability
of the network to react to the loss of the GPS signal and will then develop
initial offsetting operator TTP. 

      METHODOLOGY: Simulate jamming by physically disconnecting GPS from
applique during contractor tests and Tactical Internet assessment at Fort
Huachuca (March - Dec 1996). 

      PRODUCTS: Assessment report, recommended TTP, programmatic requirements. 

      b. Task 2. Hacker/Virus Vulnerability Assessment. (Lead Agency: DISA.) 

      OBJECTIVE: Defense Information Systems Agency (DISA) Center for
Information Systems Security (CISS) will determine the vulnerability of the
TF XXI Information Network (TFIN) to Hackers, Viruses and other
non-traditional threats. 

      METHODOLOGY: In the context of three operational scenarios (an insider
threat, an intruder, and an overrun EXFOR terminal on the network) and at
specified times during EXFOR company trainup at Fort Hood, battalion trainup
at Fort Hood, and NTC rotation, the DISA led team will conduct: 

            A network sweep to size the problem.
            A vulnerability sweep (or reconnaissance) of the network.
            A security sweep (not at the NTC) to exploit the network by
            inserting malicious code.
            A data sweep to obtain specific information from the network.

      PRODUCTS: A report on network weaknesses, needs for operator TTP, and
needs for system administrator TTP. An analysis and report on quick fixes. 

      c. Task 3. Operational Security (OPSEC) Assessment with a Computer
Security (COMPUSEC) Focus. (Lead Agency: LIWA.) 

      OBJECTIVE: Land Information Warfare Activity (LIWA) will conduct a
multidiscipline counter-intelligence (MDCI) OPSEC assessment to determine
new/increased OPSEC vulnerabilities due to digitization/automation of the
battlefield. 

      METHODOLOGY: During the EXFOR trainup at Fort Hood and the NTC
rotation, subject matter experts (SMEs) will observe and conduct surveys
of... 

            Operator procedures, 
            System administrator/integrator procedures, 
            Configuration controls, and 
            System access. 

      PRODUCTS: Recommended TTP requirements and recommended hardware/
software tools. 

      d. Task 4. Signals Intelligence (SIGINT) and Measurements & Signatures
Intelligence (MASINT) Characterization. (Lead Agency: LIWA.) 

      OBJECTIVE: LIWA will determine unique patterns & signatures of the
digitized Force that may have intelligence value to hostile forces. 

      METHODOLOGY: During the EXFOR trainup at Fort Hood and the NTC
rotation, a team of SMEs led by LIWA will conduct all source collection and
analysis on the digitization aspects of the EXFOR to develop intelligence
products (friendly order of battle, digitized unit pattern analysis, unit &
system associations, and unique signatures). 

      PRODUCTS: Recommended quick fixes and recommended TTP. 

      e. Task 5: Security Policy Evaluation. (Lead Agency: HQDA ODCSINT.) 

      OBJECTIVE: HQDA ODCSINT will assess the effectiveness of current
security policy and needs for revised and/or additional security policy due
to digitization implementation. 

      METHODOLOGY: During the EXFOR trainup at Fort Hood and the NTC
rotation, a team of SMEs will observe and conduct surveys of security
procedures and of network security policy implementation in the TFIN. At the
completion of Task Forces Lanes and NTC rotation HQDA SMEs will interview
selected members of the EXFOR to determine effectiveness of security policy
and its implementation. The team will also analyze the data collected during
Red Team tasks 2, 3, & 4. 

      PRODUCTS: A report on policies in place, their implementation,
successes, and shortfalls.  Recommendations for information system security
policy changes. 

      f. Task 6: Analysis of Tactical Internet Component Vulnerabilities.
(Lead Agency: ARL Survivability/Lethality Analysis Directorate.) 

      OBJECTIVE: Survivability/Lethality Analysis Directorate (SLAD) will
conduct technical experiments and analyses to determine unique
vulnerabilities of the individual systems of the Tactical Internet. 

      METHODOLOGY: Data will be collected by a team of SMEs during program
manager testing, during DIL certification, separate SLAD experiments in the
laboratory, and field experiments during train-up and NTC rotation. 

      PRODUCTS: System ECM/ECCM/IW performance characterization, analysis of
specific EW/IW vulnerabilities, and recommended fixes. 

4. BACKGROUND. 

      a. A recent Defense Science Board study pointed out the need for the
military to understand the vulnerabilities and limitations of their
supporting information systems. The concept of a "Red Team" to assess the
vulnerabilities of friendly systems was developed, and the Assistant
Secretary of Defense for Command, Control, Communications, and Intelligence
(ASD/C3I) stated the need for conducting Red Teaming in a memorandum to the
military departments and DoD agencies. The Army has wholeheartedly supported
the usefulness of Red Teaming from the standpoint of assessing
vulnerabilities and then taking corrective actions where vulnerabilities are
found. The primary body for overseeing the conduct of Red Teaming in the
Army is the Command and Control Protect (C2P) Council of Colonels (CoC) and
the recently established C2 Protect General Officer Steering Committee
co-chaired by the DCSINT and the DISC4. 

      b. Since the upcoming premiere event available for experimentation
with information systems is the Task Force XXI (TF XXI) Advanced Warfighting
Experiment (AWE), the C2 Protect Council of Colonels tasked the Army
Digitization Office (ADO) with coordinating a Red Team effort for the TF XXI
AWE. The Army Digitization Office is, by charter, responsible for overseeing
and coordinating the integration of all Army battlefield digitization
activities. Since April 1995, the ADO has been deeply involved in planning
for Red Teaming to be conducted in conjunction with the TF XXI AWE as well
as the experimentation, development, evaluations, fielding, and training
leading up to the primary AWE National Training Center (NTC) rotation in
March 1997. 

      c. The ADO Red Team Plan published in draft on 30 October 1995
provided the basic responsibilities, concepts, and schedules for conducting
Red Teaming efforts in support of Task Force XXI. The draft document was
used for initial tasking to the Lead Agencies to conduct the six assigned
tasks in an ADO memorandum of 8 November 1995. 

5. GENERAL ASSESSMENT PROCEDURES. 

      a. In general, the collection of data for the Red Team task
assessments will be accomplished by teams of subject matter experts (SMEs)
who will measure/document emissions from participating systems, will tap
onto the systems themselves to obtain specific data, will observe
operations/operators, and/or will conduct surveys of operators/managers.
SMEs will be augmented by non-SME general data collectors where possible.
Red Teaming activities will be conducted within the timeframes approved by
OPTEC for data collection unless specific activities are requested by and
coordinated with the EXFOR separately for training purposes. 

      b. Red Team operations will utilize existing testing and training
events that are part of or lead up to the Task Force XXI Advanced
Warfighting Experiment. There are four primary opportunities for conduct of
Red Teaming for Task Force XXI: planned system tests conducted in support of
the program managers by the associated contractors and/or government
activities before the equipment is fielded, the Digital Integration Lab
(DIL) certification tests at Fort Monmouth on candidate systems to determine
if they meet the interface/integration requirements of the digital
battlefield before they are allowed to participate in the EXFOR trainup and
experiments, the EXFOR trainup phase wherein the unit will undergo
familiarization and training with this newly fielded digital equipment, and
the NTC rotation phase which provides an opportunity for Red Teaming
activities in a highly controlled and structured operational evaluation
environment. 

      c. Red Teaming will be conducted only on a non-interference basis
during the actual NTC rotation by the EXFOR. Neither GPS nor the tactical
internet systems will be jammed during the NTC rotation. However, a number
of passive Red Teaming activities will still be conducted during the NTC
rotation, including OPSEC evaluation, security procedures evaluation, and
checking TTP compliance. Both active and passive Red Teaming measures can be
implemented during planned system testing, DIL certification, and train-up
of the EXFOR. At this time, the only plans for active Red Team activity that
might be on an interference basis during the trainup period are the security
and data sweeps of Red Team task 2. 

      d. To ensure that there is little chance of Red Team efforts (active
or passive) interfering with primary exercise objectives during trainup and
the NTC rotation, a "stop buzzer" methodology will be employed whereby any
of the leadership of the EXFOR, Red Teams, or observers/controllers can halt
Red Team activities immediately. This positive control will not only
preclude Red Team activities from accidentally being an obstacle to
important exercise flow, but it will also enable EXFOR or
observer/controller personnel to discern between network anomalies due to
Red Team actions and those due to other environmental or operational causes. 

      e. The Task Force XXI Battle Command Information Network (BCIN) will
be exercised (and therefore evaluated) as secret system high (although
limited to sensitive but unclassified data) in order to accommodate unit
operations most similar to those that would be used in an actual contingency
mission. Any other types of security experimentation (MLS, Fortezza, etc.)
will be handled as excursions. 

      f. Red Teaming in addition to that outlined in this plan will
obviously be required to support a complete vulnerability assessment of
digital information systems. This plan outlines only those Red Team
activities in support of the Task Force XXI objectives for which the ADO has
proponency. Additional Red Teaming will be conducted as the Army moves
toward Force XXI. 
---------------------------------------------
You might also want to look at: http://www.hokie.bs1.prc.com/ia/iamile.htm

prc.com is:
   Planning Research Corporation (PRC-DOM)
   1500 Planning Research Drive
   McLean, VA 22102

   Domain Name: PRC.COM

As well as: http://www.fas.org/irp/congress/1996_hr/s9606055.htm

---------------------------------------------
http://wwwcsif.cs.ucdavis.edu/~cs253/Ascii/0404n.txt

Lecture 3 Notes;  April 4, 1997; Notetaker: Joel Baumert

        PENETRATION TESTING

Announcements:
  Web page up:  http://wwwcsif.cs.ucdavis.edu/~cs253/index.html
  Homework will be given on mon.
  Handout on wed.


Penetration testing (aka Tiger Teaming, Red Teaming):
  test security for a system/installation

  usually after a system has been implemented, but could be 
  testing design.

  failure doesn't guarantee security.

  When testing a system primarily looking for technical flaws
    on a standalone machine or on a test network.

  When testing a site you could test operations/procedures, site
    physical/system security.

    Procedures operations include:  how passwords are assigned, 
      how systems are maintained.

  This class will primarily focus on system security.


  success measured based on predefined goal.
    Goal based on site policy (what are you testing? when is test
      successful?)

    could be measured in terms of the number of flaws found
      or number of design errors found.  It is important not only
      to find the flaws, but to give some indication of what the
      causes are and how to fix them.

    gaining privileges (getting root on UNIX system).
    gaining access     (getting a shell when you shouldn't be able to).

    test is usually bounded by constraints (time, money, physical access).

  ratings of security based on the level of resistance to penetration
    testing

    Orange Book (1985) - government specification for measuring security of
      system.

Three stages to penetration exercise:

1.  External attacker without access
      No physical access, don't know ip/phone

      Goal:  accumulate information about machine.

2.  External attacker with access
      Goal:  get on machine.

3.  Internal attacker
      know how the system works

      Goal:  acquire privileges... read disallowed files...

Process:

        Knowledge (learn environment, system itself)
          configuration, system, installation
          government usually uses the design team to evaluate Orange Book rating
          look at design
            examine design versus goal
            network protocols
            inconsistencies

          build list of design issues
          look at implementation
            do programs do the things that they are
              supposed to do
            read man pages looking for bounds problems
              do programs act like the man page says they do.

          figure out design should be and work from there

          look for implementation problems
            examine specs -> where are keys?

        Analyze and fix flaws
          classify flaws and develop fixes/workarounds for flaws

        Monitoring
          Some flaws cannot be fixed or are not worth fixing.  Develop
            monitoring to give indication of when site being attacked.

!! Record Everything !!

External Attacker
  Examine network protocols 
    TCP/IP, FTP/TFTP, telnet, r* protocols, SMTP, NNTP, HTTP, NFS/NIS, finger
    do they check for security?

Security problems:
  Backdoors:
    sendmail (1986) believed to be patched everywhere.
      flaw... connect to port, type "wiz" followed by "shell"... -> root shell

  TOCTTOU (time of check to time of use):
    exa.  program checks if the user should be able to access file... then 
          does stuff to the file if user does have access.  If between the
          check and the use an attacker changes the state of the system
          the attacker could access files that are disallowed.
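The check-then-use window described above, as an added example that is not part of the lecture notes: the classic access()/open() pattern beside an opener that validates the descriptor it actually holds. The temp-directory scenario, the attacker_swaps_path stand-in for a concurrent attacker, and the function names are constructed for this demo.

```c
/* TOCTTOU race from the notes: check-then-use beside a hardened opener.
 * Added example, not from the lecture. Assumes POSIX with a writable /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static char g_path[64], g_secret[64];   /* constructed scenario paths */

/* Vulnerable: access() judges the *name*; open() acts on the name later.
 * race_window stands in for the gap in which another process may run. */
static int open_check_then_use(const char *path, void (*race_window)(void))
{
    if (access(path, R_OK) != 0) return -1;
    if (race_window) race_window();
    return open(path, O_RDONLY);
}

/* Hardened: open first, refusing a symlink at the final component, then
 * validate the descriptor you actually hold. An fd is pinned to one inode,
 * so nothing can be swapped between fstat() and the reads that follow. */
static int open_then_validate(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;                  /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed attacker step: the checked name is repointed at a file the
 * check never examined, inside the check-to-use gap. */
static void attacker_swaps_path(void)
{
    unlink(g_path);
    symlink(g_secret, g_path);
}

/* Runs the scenario in a fresh temp dir. Returns 1 when the vulnerable opener
 * ends up holding the secret's inode and the hardened opener refuses the
 * swapped name; 0 otherwise. */
int demo_tocttou(void)
{
    char dir[] = "/tmp/tocttouXXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(g_path, sizeof g_path, "%s/checked", dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", dir);
    close(open(g_path, O_WRONLY | O_CREAT, 0644));    /* the name that gets checked */
    close(open(g_secret, O_WRONLY | O_CREAT, 0600));  /* file the check never saw */
    struct stat secret_st, got_st;
    int won = 0;
    int vuln = open_check_then_use(g_path, attacker_swaps_path);
    if (vuln >= 0 && stat(g_secret, &secret_st) == 0 && fstat(vuln, &got_st) == 0)
        won = got_st.st_ino == secret_st.st_ino;      /* opened the wrong file */
    int hard = open_then_validate(g_path, geteuid()); /* g_path is now a symlink */
    if (vuln >= 0) close(vuln);
    if (hard >= 0) close(hard);
    unlink(g_path); unlink(g_secret); rmdir(dir);
    return won && hard < 0;
}
```

O_NOFOLLOW only stops symlink swaps at the last path component; the fstat() owner and type check is what catches a hard link or a replaced directory, which is why the validation is done on the descriptor rather than the path.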

Firewall -

  |                |
  |----Firewall----|
  |                |
  |          Internal Network
  |
  |
Internet

  The firewall disallows connections from one network to another.
  Must be securely maintained.
  All traffic between networks must go through it.


Systems we will be using:
        Solaris
        Data General DG/UX (B2 security rating)
          resistant to penetration
          has access control (MAC)  
---------------------------------------------