Podcast: Episode #16 - Duane Laflotte: Simulating Real-World Attacks on OT with Red Teaming

April 6, 2023

We had the pleasure of hosting Duane Laflotte on our podcast. Self-described as a "boogeyman" of the internet, he's often hired to test and break into systems for security purposes. With over 20 years of experience in the industry, he's worked with Fortune 500 companies and organizations within the U.S. military. During their episode, Duane and Aaron discussed offensive security in OT.

Duane talked about the roots of red teaming stemming from military training and physical security, where understanding how to defend a post was taught by first learning how to attack it. In the world of cybersecurity, this same approach is taken, but instead of being trained by West Point, he learned through his experiences navigating the internet in the 90s. His job is to dismantle the carefully constructed technological systems that businesses rely on, piece by piece, to find any vulnerabilities. This becomes even more complex as new devices are added to the internet, such as refrigerators and fish tanks, increasing the surface area for potential attacks.

During a recent red team engagement, Duane was tasked with attacking a company that knew they were being targeted. In this scenario, they conducted a full social engineering analysis, gathering information about the company's employees, including their addresses, car models, house values, and even their children's schools. Using this information, they crafted a spear-phishing email targeting the Human Resources department. However, when the company reviewed the email before it was sent, they were shocked by the level of personal information that had been obtained. Despite this reflecting what nation states do, the company asked the red team was asked to abort the social engineering approach due to the sensitivity.

Duane noted that one of the biggest challenges of cybersecurity in large organizations is the sheer number of moving parts involved. Unfortunately, security is often not considered a feature, and companies prioritize factors such as “How fast can we process transactions?” or “How many customers can we handle on the website?.” As a result, many companies fail to consider whether they would detect an attack like Kerberoasting on their internal domain. The prevailing attitude is often "it's making money, don't touch it, leave it be." This mindset can be challenging to overcome from a security standpoint.

It is important for businesses to adopt a defense-in-depth approach to cybersecurity. We see this strategy implemented in the physical world with the use of bollards, guards, cameras, and key cards to protect public buildings and large organizations. However, in the digital realm, this approach often falls apart, with many relying solely on a single firewall for protection. It’s crucial to recognize the value of security through obscurity as a layer of defense, much like how the military hides tanks to prevent detection. The challenge is shifting people away from this paradigm and encouraging them to use digital security measures.

When auditing schools and medical facilities, we often encounter bureaucracy that compromises password security. For instance, some school districts mandate that student passwords only be one character long, which is unacceptable in terms of security. In medical facilities, outdated computer systems can be a security risk. For example, a state-of-the-art MRI machine may be connected to a Windows 7 computer that is no longer supported by Microsoft. Although such systems were sanctioned by the companies that sold them, they can pose a significant threat to cybersecurity. Therefore, it is essential to mitigate these risks and ensure that all systems, regardless of their purpose, are up-to-date and secure.

The conversation also highlighted the need for security to be considered from the beginning of the design process and throughout the entire development lifecycle, not just as an afterthought. Unfortunately, security often takes a backseat to features in the design process. Duane reflected on a project where his red team made the recommendation to look at a particular platform for a certain vendor, but the client did not want them to touch it. Then a couple months later the client called back to say that platform had been infected with ransomware.

On the IoT side of things, Duane recounted a project that involved breaking into an organization's network via a TV. The organization was aware that their Wi-Fi network would be the first target of the red team, and they decided to change their Wi-Fi password every 24 hours to stay ahead. However, the red team was able to crack the password and gain access to the network on the first day. Once inside, they looked for ways to stay undetected, and they found an IoT device, a TV, which they used to their advantage.

The red team bought the same TV and tore it down to its parts, taking out all the circuit boards and firmware. They found an exploit that allowed them to connect to the Android Debug port, and they added a small piece of code that would reach out to them with the new Wi-Fi password every time it was changed. This way, they could stay on the network undetected.

The red team was diligent about putting the lobby TV back on the Wi-Fi every time the password was changed. At the end of the engagement, the organization was surprised to learn that the red team had been able to get back on the network every day. The red team's experience highlights the potential security risks posed by IoT devices. It can be challenging to know which devices are secure, what they are listening to, and how exploitable they are. Even personal devices can be a cause for concern, and it's essential to stay vigilant and up-to-date with patches and updates.

For business owners, every penny counts. Risk-based decisions need to be made at every corner, regardless of whether it's a small, medium-sized, or the largest business in the world. These business owners might know a little bit about technology, but they can’t be experts in all areas. They might want to think about cybersecurity like insurance, and it’s important to know how much is needed. It’s best to distill the information down to the basics and ask simple questions. For example, it's a good idea to ask a supply chain vendor or software provider if they do code reviews or if they have had a security review done on a particular device. If the answer is not satisfactory, it's best to reconsider the purchase. The field of cybersecurity moves so fast that it's impossible to be an expert in everything. The recommendation is to focus on what one does best and reach out to experts who understand other areas. For instance, a restaurant owner, pharma company, or military should focus on what they do best but engage security experts to understand the security aspects. Engaging security people upfront when developing or architecting new environments is better than bringing them in later to clean up a mess or secure a product or power grid.

Wrapping up Duane's interview, he was asked about his hopes and concerns for cybersecurity in the next five to ten years. Duane expressed hope that more intelligent systems would be developed to defend networks as humans cannot keep track of everything. He noted that most cybersecurity software vendors claim to use machine learning, but it is mostly not effective. However, he believes that systems like Chat GPT could be used to create quasi-intelligent systems that could help defend networks. Duane also expressed concerned about the potential for artificial intelligence to be used for attacks. He explained that even with current technology like Chat GPT, viruses can be rewritten in programming languages like Go and Rust, making it easier to bypass antivirus software. He fears that in the future, there will be intelligent attack systems that can spread strategically across networks and attack employees' homes simultaneously. Duane sees this as an ongoing arms race between defenders and attackers.

This summary only scratches the surface of the insightful and thought-provoking conversation between Duane and Aaron. To truly appreciate the depth and richness of their discussion, we highly recommend listening to the full episode here.