Lockheed Martin creates and provides realistic capture the flag events for your training requirements. This simulation will walk you through the thought process to use real world cyber attacks to disable an adversary’s operations. Can you successfully capture the flag?
In OPERATION GLEEFFUL PANTHER, CMT 321 successfully exfiltrated data on RSS DAVROS networks.
INTELLIGENCE BRIEFING
CMT 321 was able to implant a covert remote access payload on several enterprise clients.
You are authorized to use our TANGLED WEB capability to communicate with the payload on a client computer.
You must use these to pivot into the mission systems enclave and deliver effects against the landing light system.
Reconnaissance
Choose Reconnaissance Option:
Port Scan Unsuccessful!
Port Scan reports that only port 3389 (RDP) and port 80 (web) are reachable and no known vulnerabilities are discovered.
Credential Search discovers a text file in user lpalmer's documents titled “ids.txt” containing:
lpalmer !3fhts&46@@
net_ops Op#32FGS2^&!2
Pivot to the Lighting Control System
Choose Your Next Step:
Host Access Attempt Unsuccessful!
You try to RDP to the Lighting Control Station using both the lpalmer and net_ops credentials. The lpalmer credentials give you a remote session on the Lighting Control Station with user-level privileges. User-level privileges aren’t good enough.
Success! You Gained Access to the Router!
You try both the lpalmer and net_ops credentials. The net_ops credentials give you access to the router. You notice the port for RDP (3389) is open, and you open the SMB port (445) while you are there.
Continue Your Reconnaissance
No Vulnerability Found.
You discover the Lighting Control Station is NOT vulnerable to an RDP exploit.
Success! You Found a Vulnerability!
You discover the Lighting Control Station is vulnerable to an SMB exploit.
Success! You Gained System Level Access!
You try the SMB exploit several times and it eventually works. You install a remote command shell on the Lighting Control Station that is executing with system-level privileges.
Time to Disrupt the RSS DAVROS
Mission Failed! Your Actions Have Been Discovered!
You generate a high-rate stream of control packets that randomly change the lights on the panel. This causes confusion that temporarily disrupts flight operations. However, the effect is so obvious that the RSS SKARO landing crew quickly realizes the problem, shuts down the Lighting Controller, employs manual control of the landing lights, and returns to normal flight ops.
Success! You Gain Access to the Lighting Panel Control Application.
You run mimikatz, dump credentials, and discover the LPANEL application on the Desktop of the landing_crew user. You are also able to see the currently running LPANEL application in TaskMgr. You enable RDP on the server and gain a graphical session.
Success! You Capture Key Data.
You capture Modbus traffic that contains simple control messages that turn lights on/off (discrete) and provide the current status of the lights (periodic).
Time to Spoof the Lighting Control System.
Choose the Correct Order to Spoof the Systems:
Mission Failed! Your Exploit does not Trick the Adversary
The ground crew sees the lighting configuration change quickly and resets. When you try again they reset but lose confidence in the systems. They move to manual operations with little impact on flight operations.
Success! You ensure the Lighting Status Panel Always Shows Green Status!
You successfully spoof reports of “good lighting configuration” to the Light Control Station by sending the spoofed messages at 5x the rate of the legitimate status messages. Let’s now set the lights to an incorrect configuration.
Set the Carrier's Landing Lights in the Wrong Configuration
You have changed the lighting configuration to indicate the wrong landing zone, BUT the flight crew sees the correct status on their display. This causes confusion between the pilot and ground crew, creating a near collision and damaging the landing aircraft. Flight ops are shut down for 8 hours to investigate and recover.
Choose an Option to Disrupt the Lighting Control System
Choose an Option:
Mission Failed! Your Attempts Have no Impact on Flight Operations
You kill the app. The ground crew notices quickly and restarts it. You close it again and the ground crew reboots the computer. You had no impact on flight operations. You have FAILED the mission.
Mission Accomplished! You Successfully Halted Flight Operations!
You start your own copy of the lighting panel app. You send commands to indicate the wrong landing zone on final approach. The pilot is confused and performs an emergency break-off, but too late, and clips the deck. There is a minor crash. Flight ops are shut down for 8 hours to investigate and recover.
Lockheed Martin is available and interested in tailoring our existing catalog of capture the flag events or developing new ones to meet your cyber workforce development needs via courseware, guided training videos, and/or live events.
Navy, Army, Air Force and Marine cyber testers and combat mission force teams participate in our capture the flag events, which are championed by the OSD DT&E Cross Service Cyber T&E Working Group and cited as a positive cyber workforce development tool in the GAO-19-128 on Weapon Systems.
We continue to develop new scenarios and events to provide our cyber workforce with realistic cyber testing and operations challenges against representative US and adversary environments.
You completed a walkthrough of a simplified subset of an actual Capture the Flag exercise Lockheed Martin designed, developed and executed under the National Cyber Range Program.
WHAT DID I JUST DO?