Updates on Dronegate

Since I wrote my fist post on the virus affecting the drone fleet at Creech Air Force base, information has begun to trickle in and some interesting commentary has emerged.

The Air Force has followed their official press release stating that the virus, which they say was a credential stealer, was merely a nuisance with a statement by General Robert Kehler, head of U.S. Strategic Command, which oversees Cyber Command. Gen. Kehler confirmed that the virus did not target Remote Pilotless Aircraft specifically, and instead said that “It was a virus that we believe at this point entered from the wild, if you will.” As I suspected and the other Air Force release implied, the virus has not yet been eradicate and it has not been determined how such a virus entered the drone systems in the first place.

While Kehler remains very confident in the Air Force’s defenses, he also set more realistic goals in line with a “plan to fail” paradigm. ”We see multiple deliberate attempts to try to get into our networks, almost daily,” he noted, but thankfully “ the systems that we have put in place to detect such viruses worked… Perfect defense is probably not something we can achieve, but the idea of mission assurance is something we must achieve.”

In this context, “mission assurance” likely refers to the Department of Defense Instruction Number 8500. Mission assurance means system design and risk management so that, despite attacks and failures, a system can always complete its primary mission. In Directive 85000, the DoD defines three Mission Assurance Categories depending on the importance of the information for operations. MAC 1 refers to systems providing information vital do deployed or contingency forces where failure is unacceptable and the most stringent protection is necessary, while loss of integrity on MAC II systems can be tolerated for only a short time and require additional protection beyond industry norms, and MAC III systems, which handle information necessary for day-to-day operations but not critical in the short-term to deployed or contingency forces, can be protected by commercial best practice alone. According to the Air Force, the systems affected were Ground Control Systems, which refers to the facility predators are flown from but not the flight system including the stick, rudder pedals, or throttle. While RPA in flight would not be directly affected, meaning that infected systems were not MAC I, they could have been MAC II or MAC III so according to the DoD directive, their security should match or exceed the best commercially available solutions.

Mission assurance is a good goal for the Air Force because Directive 8500 outlines more of a risk management and system architecture approach to security with information sharing between stakeholders as advocated by Bob Gourley and Andrzej Kawalec at the HP Protect 2011 Conference. Gen. Kehler also acknowledges that perfect defense is unrealistic, hinting at presumption of breach. Still, if current defenses worked as well as the Air Force claims, the virus would not have spread and become so hard to eradicate. The difficulties in cleaning infected computers and identifying the attack vector imply insufficient remediation and forensics tools, important elements of “plan to fail” and presumption of breach based security.

This brings into question whether the Ground Control Systems fulfilled Directive 8500. In an excellent article on “Embracing the ‘Presumption of Breach’ Doctrine With Rapid Detection and Response“, Jim Ivers of Triumphant explains the importance of remediation and forensic tools currently on the market which would represent commercial best practice. These tools, separate from network defenses so that they can pick up what the shields missed, provide rapid detection along with comprehensive discovery and analysis. Through this analysis, they can counteract the persistence mechanisms present in modern malware which resurrect the virus after the malicious executable has been deleted, as seemed to be the case with the lingering drone malware. Triumphant also does change monitoring, tracking all the changes a virus made to limit collateral damage and avoid the costly process of wiping whole systems clean as initial reports claimed the Air Force was doing. Lastly, commercial best practices would correlate attack and machine data generated by firewalls and other network defenders so that the source of the virus could be identified and security gaps filled. As the Air Force is still only speculating over the manner in which this virus got on their networks, it seems that they failed in this process. Thus, while the goal of mission assurance is admirable, it seems that the Air Force needs to do more planning to fail in order to catch up to industry best practice in detection, remediation, and forensics.