Blog
/
Cyber Resilience

How I Hacked a Space Shuttle Launch — and Got Caught

Paul Dant
Senior Systems Engineer
November 11, 2022
23 min. read

There's a universal truth that explains why we're still losing in cyber: Everything has changed, yet nothing has changed! I've spent decades hacking everything from games to tent-pole film productions to nuclear energy facilities — all quite successfully — and I'll talk about some of those attacks here.

The patterns you'll quickly identify are as follows:

  • Hackers are not magic.
  • These attacks are a lot easier than they look.
  • Attackers are living off the land: Once in the network, the operating system provides just about everything needed to really mess up your day.

The ransomware attack playbook is decades old.

A note on cyber resilience

Cyber resilience is more than surviving an attack.

If we look to the ubiquitous Zero Trust theology, it tells us we need to accept that an attacker will — at some point, if not already — infiltrate the network. "Assume breach" is the specific wording, and I strongly support that principle.

If an attack renders 80 percent of your critical servers locked, with operations coming to a grinding halt, but you recovered from backup forty-eight hours later? You survived, but that's hardly resilience. What did 48 hours of downtime cost?

If you're resilient, there's no downtime. When the inevitable network infiltration happens, it's so incredibly constrained to a single compromised system that the attacker will move on to an easier target with a more favorable risk/reward outcome. In other words, breach containment. Making sure that the first compromised system — the "initial compromise," if you will — is the last system compromised. Easier said than done, right?

If there's a tldr; for this article, it's this: The key to preventing successful ransomware attacks is visibility and control of unauthorized lateral movement. Everywhere.

You're not going to stop every infiltration attempt, but you can dramatically reduce your risk of making that "do we pay them?" decision by cutting off the attackers' ability to move further into your network.

Yes, let's try to keep them out of the network to begin with; that's a given and exactly what "defense in depth" is about. Perimeter defenses, endpoint defenses, network defenses - they all have their appropriate role in a layered defense that must include compensating controls in the event that any or all of those defenses fail.

I was Zero Cool-ish

With this being the inaugural post of the series, why not go all the way back to my first exploit in 1991 to see how attackers are still using the same old tricks I was using as a kid hacker?

Looking back to hacker lore, Zero Cool managed to take down 1,507 systems. While I only managed to take down about 47 in my first attack, it's still quite an achievement given I did this before we'd even heard of Zero Cool.

paul-dant-young
Anonymous Penetration Tester

Spoiler alert: I won. But I also got caught, highlighting a critical aspect of hacking that separates the so-called script kiddies from the awesomely called 1337 hax0rs: You can't brag about being a hacker if you get caught. Inversely, it also taught me that bragging about being a hacker will, in fact, get you caught.

Before we dissect this attack, let's set the proper context. The simulated space shuttle mission in question was a science project my seventh-grade class participated in, featuring an actual shuttle construction, a specially chosen student crew that would spend almost two full days manning the shuttle, and a volunteer ground crew in the makeshift mission control center (ordinarily the science classroom).

And what's powering all of this? Computers! Specifically, a few dozen IBM PS/2s running Novell NetWare clients over IPX/SPX on a token ring network. It was a brilliant, innovative event that I wanted to be a part of and applied as the crew's Computer Officer. Inexplicably, I wasn't selected!

Clearly, the selection committee's decision was unacceptable, and they would have to pay. My vengeance would be two-fold. First, ruining the shuttle mission for everyone else is going to be really satisfying for a twelve-year-old hacker with a grudge. As important, though, is for them to learn to never overlook Paul Dant again. What a silly mistake they made.

Before we dissect this attack, let's look at an important tool for understanding the "how" and "why" of attacker behaviors.

The MITRE ATT&CK framework

Critical to demonstrating the way an attack typically progresses is the ATT&CK Framework, developed and maintained by MITRE. If you're not familiar with it, I highly recommend checking it out as you'll see it used a lot in mapping out attack methodologies.

The figure below represents a clean depiction of the typical phases of a Conti ransomware attack. The Conti ransomware group is no more, but their methodology lives on in Conti off-shoot groups. In fact, you'll start to notice that most ransomware attacks, regardless of the group behind it, follow this general map.

mitre-att&ck-conti-ransomware
MITRE ATT&CK map for Conti Ransomware Attack

Here's how to read it:

  • The top-most row, from left to right, represent tactics. Think of each tactic as a progression of the attack toward the end objectives, meaning a failure (or lack) of controls allowed the attack to progress.
  • Within each tactic column, we have the techniques used to progress the attack to the next phase, or tactic. Techniques represent the specific attack mechanisms used and understanding them can help us formulate risk and determine appropriate controls - including how much those controls should cost!

Taking down the shuttle mission

While the plans I drew up for this attack didn't look quite as crisp as a MITRE ATT&CK map, I guarantee I had them and they looked something like this.

battle-plan
My battle plan looked something like this.

But here's the twist: If I were to map the tactics and techniques in my space shuttle attack to the ATT&CK framework, it'd likely look something like this:

mitre-att&ck-conti-ransomware

Yes, that's the right image - the one we just looked at. Why? Because these ransomware attack playbooks go back decades!

I was deep in these tactics and techniques before I'd even heard the term "hacking" because it's just intuitive, which is what makes the ATT&CK framework so valuable.

Call to action!

How good do you feel about an infiltrator's ability to move around your network, undetected? In so many cases, the very first indication of an intrusion is the new desktop wallpaper on your systems after ransomware has rendered it unusable.

So much has happened leading up to that moment, all undetected, and all completely preventable with Illumio Zero Trust Segmentation.

Illumio can help you avoid becoming the next cyber disaster victim on the news. Get in touch and learn how!

Related topics

No items found.

Related articles

3 Steps CISOs Must Take to Prove Cybersecurity Value
Cyber Resilience

3 Steps CISOs Must Take to Prove Cybersecurity Value

Learn the value-based approach to security that will succeed in the boardroom and protect your organization from evolving cyber threats.

Read more
Cyber Monday: Are Your Situational Crown Jewels Protected This Holiday Season?
Cyber Resilience

Cyber Monday: Are Your Situational Crown Jewels Protected This Holiday Season?

Proper protection is not fleeting like the Starbucks holiday product glossary. Good security should be baked in and accounted for all year round.

Read more
Resilient Critical Infrastructure Starts with Zero Trust
Cyber Resilience

Resilient Critical Infrastructure Starts with Zero Trust

From the Colonial Pipeline breach to the JBS ransomware attack, the past year has shown us that cyberattacks on U.S. critical infrastructure are more relentless, sophisticated, and impactful than ever before – and all too often threaten the economic stability and wellbeing of U.S. citizens.

Read more
No items found.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?

Learn more