Version 1.0.091523
https://misi.tech
Page 1 of 61
© MISI 2023
Who: Invitation Only. Key Skills: (Programming/CTF/penetration testing experience encouraged)
What: Hack the Building 2.0 Hospital Edition Live Exercise
Where: MISI DreamPort Headquarters (7000 Columbia Gateway Dr., Columbia, MD 21046)
When: 18 - 22 September 2023. Participants need to be ready to engage onsite at DreamPort by 18 September 2023.
Why: Increase knowledge, skills and awareness of vulnerabilities in healthcare facilities (e.g., hospitals) and vulnerability of electronic health records stored and processed by Healthcare Information Systems. Understand HIPAA and electronic protected health information and the risk of exposure of ePHI. Understand and demonstrate responsible coordinated vulnerability disclosure.
Introduction
Sometimes a story is complex with interwoven sub-plots requiring you to pay
attention to multiple character backstories and to recall subtle facts until the
very end, and sometimes a story is simple.
This story is about money pure and simple.
Read the online headlines. Politico mentions it on December 28, 2022. The New York Times talks about it on September 18th, 2020. PBS talked about it on October 24th, 2019.
The computer can be used to save lives, protect, and defend and
unfortunately, it can also be used to kill. There are thousands of headlines like
this and there will be more in the future.
We are trying to breathe real life into these headlines and tell a story about building cyber security and healthcare cyber security. On the surface it will seem that this is a story about defense and protection. It may seem like this is a story about what to look for, about what to do when you detect or suspect a cyber event is taking place. Remember, it’s really a story about money.
John Carpenter’s movie Assault on Precinct 13 (1976) tells the story of four people from the most unlikely of backgrounds who are forced to band together to save Anderson police precinct in California from a collection of individuals who swore revenge for earlier events.
Instead of a police precinct, this playbook focuses on our fictitious Nove Cerchi (pronounced ‘Nova Chair Key’) Medical facility. Just like in John Carpenter’s movie, our story requires two groups to play it out: one group to assault, and one group to defend. Just like past events from MISI, Nove Cerchi is a simulated real-life environment using several of the same systems you will find in the hospital closest to you at home.
Please be aware, we want to put on the best event possible. The actual scenarios we execute are subject to change. We will publish alerts if we change or substitute scenarios prior to the execution of this event.
We will assume you may not be familiar with healthcare information systems,
healthcare information system protocols and protected health information
(also referred to as PHI) records as you read this story. This is ok. When we
started, neither were we. We have conducted hundreds of hours of research
to create this story using real-life systems, expert opinions, and approvals, and
base our live environment on actual attacks that have taken place in the past.
If you take the time to read this story to the end, it is our hope that you will
learn at least one (1) thing about how much risk there is in a healthcare facility
and its computer networks. For us, it’s absolutely frightening (more so than
all other scenarios we have built to-date).
The Cybersecurity & Infrastructure Security Agency (CISA) designates healthcare and public health as one of the sixteen critical infrastructure sectors in the United States. This means (as CISA writes) healthcare is a sector whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof [CISA.gov]. The fictitious Nove Cerchi facility described in this playbook falls under this sector. The Sector Specific Plan for healthcare and public health can be found on the CISA Website here:
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-healthcare-public-health-2015-508.pdf
Prologue
** Beep, Beep, Beep **
The alarm clock shouted its incessant warning, startling Vanessa from her slumber. “God, what time is it?” she mumbled to herself, turning over in bed and slamming her fist on the large button, angry at being dragged from her slumber after only a few hours of sleep. It was only six AM and she lay still wondering to herself, “What would my life be like if I had three or four kids to wake me up in the morning?” She knew she had to get back to work after her late Sunday night at the hospital. “Oh god, I need to get back to the hospital,” she stated to herself as she recalled last night, and she jumped out of bed and headed immediately for the shower.
“Alexa how is traffic?” she asked her smart speaker as she stepped into the
shower. “There is a slow-down reported on Route 100 approaching Route 95”
the speaker responded. Vanessa hurried through her shower and got
dressed and jumped in her Camry. She thought about the night’s previous
events as she began her drive.
“Are we really going to get into trouble after John’s HIPAA violation?” she wondered. She knew that if the hospital voluntarily disclosed Joseph’s accidental social media post about their VIP patient, they should be able to avoid any penalties. She just hoped that HHS OCR investigators would be professional. “I am just glad John caught the issue, even after having to deal with Farinata’s repeated issues,” she thought.
As she approached the Interstate 95 interchange in her Camry and traffic slowed to a standstill, her iPhone 14 dinged the familiar Hello notification and she reached for it, knowing that she was disobeying the hands-free law. She saw Pierre’s name in the notification, and she immediately put the phone back down. “I don’t want to talk to him right now. I cannot believe he treated me like that,” she thought to herself.
The rest of the drive was uneventful, if aggravating due to the stop-and-go traffic at only six forty-five on a Monday morning. She wasn’t looking forward to reading the HIPAA risk assessment report that was released on Friday for the hospital networks.
As she pulled into her parking spot at Nove Cerchi Medical, she closed her eyes and said quietly, “It’s only the 18th of September, I still have two months to go until vacation”. She got out of her car and headed into the building. “Man, there are a lot of people in the waiting room today,” she thought to herself as she entered the facility. She turned to head for the nursery to stare at the new ‘visitor’ that arrived yesterday, hoping to congratulate the parents before her day really got started.
Meanwhile, John looked at himself in the mirror. He couldn’t remember the last time he had been this angry. He tried to piece together the series of events that occurred since Sunday morning that pulled him to where he stood currently. First, he got a text message from the chief of medicine early Sunday morning that alerted him to Joseph’s social media post about their ‘supposedly’ secret patient Stephen Austin. He thought back to their mandatory health training. This post meant a HIPAA violation, since HIPAA states that health information is “created or received by a health care provider” (us) and, since the post relates to “the past, present, or future physical or mental health or condition of an individual” (the patient), his post included “individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. If this wasn’t bad enough, the chief of medicine then called an emergency Sunday meeting between him, Vanessa, Pierre and Joseph, all of whom were supposed to have the day off.
The chief seemed to enjoy the argument John had with Vanessa which
annoyed John even more so than the argument itself. He replayed the last
exchange he had with Vanessa as he tried to keep his heart rate under
control:
“Vanessa, I don’t care about intent”, John shouted, “This post was a huge deal! Not only did Dr. Virgil violate Mr. Austin’s safety, but HIPAA is going to fine our asses over this! His own government is very angry at us. They will never send another dignitary to us, and I bet the State Department is probably angry too.”
“John, I know it’s a big deal”, Vanessa responded with increasing anger as she slammed her palm on the board room table. “Joseph is the best surgeon we have! I bet a thousand people are alive today because of him alone!”, she responded, angry at John’s narrow viewpoint.
“Vanessa, I am the HIPAA disclosure and compliance officer and now I must file this report just as CRISP is breathing down my neck that their VPN accounts don’t work. The upgraded water and HVAC systems were just turned on, on Friday, and this damn surgery is supposed to happen today or tomorrow. We don’t need this right now! The risk assessment was just completed, and it shows we have serious problems to fix.”, John shouted.
“Can we please fire him?”, John asked the chief of medicine.
John rapidly shook his head to clear his thoughts. He knew he couldn’t put off the CRISP or HIPAA problems any longer and had to get going. He turned to leave his office and walked quickly out the door towards the neo-natal unit.
At the exact same time as Vanessa’s alarm clock, Joseph sat at his kitchen table and wondered how much trouble he was in. He had been awake for hours by this point. “What the hell was I thinking posting that?” he wondered. “I can’t believe I ever thought it would be ok to post patient information on Instagram like that,” he continued thinking. He might have considered giving himself a break considering he was working on less than four hours of sleep after nearly back-to-back surgeries Friday into Saturday. Instead of sleeping he was browsing Instagram on his phone in the on-call lounge.
He stood and stepped out the door of his residence at the Harbor East Ritz Carlton and looked at the water of the Baltimore Inner Harbor below. He closed his eyes and just listened for a moment. The symphony of noise from the street and water below, combined with the gentle breeze, seemed, if only for a moment, to pull the negative thoughts out of his head.
He recalled words his father shouted at him so many years ago while
practicing their Kenpo out in the front yard, “Stand still and face me. Do not
back away from fear but do not face it unprepared. Fix your stance.” He
recalled turning his left shoulder towards his father and pulling his right foot
back into a fighting stance. “Good”, his father responded immediately, “I am
going to hit now, you should be able to block me easily now that you are
ready. I am going to put my full force behind it, you can do it”.
He knew that by texting the chief of medicine and then deleting the post he
had already taken steps to address the accidental violation, but he wondered
how much further this would go. He had hoped that John wasn’t going to be
too angry with him about the disclosure.
“I am honestly more afraid of Mr. Austin’s personal security than I am of John Smith or Vanessa,” he thought to himself. He knew that he had a transcervical thymectomy to perform at eleven o’clock today. He decided to focus on the Myasthenia Gravis his next patient was facing as a distraction from yesterday’s events.
He re-entered his condo and headed for the door to brave the President Street traffic to drive to the hospital. He paused for a moment and recalled, “Oh shoot, I need to change my password, don’t I?” He recalled Pierre had bugged him about this Friday afternoon after his last surgery of the day, but he didn’t want to deal with it at the time.
As he locked the door, he said out loud, “Here we go”.
Background
There are some concepts that are very important to understand prior to
participation in this exercise. The reader is encouraged to perform research
on these concepts on their own, but we will cover the most important
concepts in this section providing some background on each prior to moving
onto the story that sets up this competition.
The concepts you should understand prior to participation in this exercise are:
• Protected Health Information (PHI)/Electronic Protected Health Information (ePHI)
• Department of Health and Human Services (HHS)
• Healthcare Information Portability and Accountability Act (HIPAA)
PHI
Protected Health Information (PHI) is described in detail in HIPAA and other regulations, but at MISI, we find that there is substantial confusion about what PHI really means. The following hipaajournal.com article does a decent job attempting to explain PHI:
https://www.hipaajournal.com/what-is-protected-health-information/
The author writes:
“…it is necessary to review the definitions of ‘health information’ and ‘Individually identifiable health information’ as they appear in the General HIPAA Provisions (§160.103).” This is an effective approach: try to understand the concept of health information first. The author writes that Health Information is:
“Information, including genetic information, whether oral or recorded in any form or medium, that: is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
Let’s summarize:
Health information is the information that is captured by, created by or shared with your doctor/nurse/school/job that describes you, your pre-existing conditions, sickness(es) and even health care you may require in the future.
What then makes the health information (HI) protected? One final step before we can define protected health information is to ensure we understand what individually identifiable health information is. The author writes: “individually identifiable health information […] is a subset of health information, including demographic information collected from an individual [that] is created or received by a health care provider, health plan, employer, or health care clearinghouse […] and that identifies the individual or […] can be used to identify the individual.”
Finally, the author writes that protected health information (PHI) is: “Individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. One concept that the author writes about that we consider important is a designated record set. The author writes that:
The key to understanding what is included in Protected Health Information is designated record sets. A designated record set (as defined in §164.501) is any group of medical and/or billing records maintained by or for a Covered Entity used in whole or part to make decisions about an individual. The definition includes a footnote that a designated record set can consist of a single item. Therefore, any individually identifiable health information created or received by a Covered Entity or a Business Associate providing a service to or on behalf of a Covered Entity is a designated record set and qualifies for the protections of the Privacy and Security Rules. Additionally, any item of individually identifiable non-health information maintained in the same designated record set that identifies – or can be used to identify – the individual assumes the same protections.
Finally, what makes PHI, ePHI? TechTarget.com defines ePHI as:
Electronic protected health information (ePHI) is protected health information (PHI) that is produced, saved, transferred, or received in an electronic form.
HHS
The Department of Health and Human Services (HHS) is the agency responsible for enforcing HIPAA. The HHS website provides a timeline of significant events that have occurred throughout its history:
https://www.hhs.gov/about/historical-highlights/index.html
According to this timeline, the Department of Education Organization Act introduced by the 96th Congress on March 01 1979 was signed into law providing for a separate Department of Education. The Department of Health, Education, and Welfare (HEW) became the Department of Health and Human Services (HHS) on May 4, 1980. The HHS Office for Civil Rights or OCR is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. The website for HHS OCR is:
https://www.hhs.gov/ocr/index.html
On 09 February 2023, HHS released a retrospective titled: 2022 Healthcare Cybersecurity Year in Review, and a 2023 Look-Ahead. This presentation can be downloaded from the following URL:
https://www.hhs.gov/sites/default/files/2022-retrospective-and-2023-look-ahead.pdf
As we review this presentation, we find the same fact occurring over and over.
Money is a substantial driving force behind the attacks on healthcare
institutions.
HIPAA
The final concept to understand for this exercise is the Healthcare Information Portability and Accountability Act. This legislation was introduced 18 March 1996 and passed on 21 August 1996 as House Resolution 3103:
https://www.congress.gov/bill/104th-congress/house-bill/3103
What’s interesting to us is that multiple changes or improvements have been made to HIPAA since 1996. Sections 261 through 264 of HIPAA as originally written require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. The first important term to learn is that these provisions are referred to as the Administrative Simplification provisions.
The second important term to learn is Privacy Rule (Standards for Privacy of Individually Identifiable Health Information). The HHS website provides the following description of the Privacy Rule:
HIPAA required the [HHS] Secretary to issue privacy regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, the Privacy Rule, was published December 28, 2000.
The reader can review the entire description from the following URL:
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
This website writes: “The Privacy Rule, as well as all the Administrative
Simplification rules, apply to health plans, health care clearinghouses, and to
any health care provider who transmits health information in electronic form
in connection with transactions for which the Secretary of HHS has adopted
standards under HIPAA (the ‘covered entities’).”
This is our next important term, covered entities. The National Institutes of Health writes:
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health
care clearinghouses, and (3) health care providers who electronically transmit
any health information in connection with transactions for which HHS has
adopted standards. Generally, these transactions concern billing and
payment for services or insurance coverage. For example, hospitals, academic
medical centers, physicians, and other health care providers who
electronically transmit claims transaction information directly or through an
intermediary to a health plan are covered entities. Covered entities can be
institutions, organizations, or persons. In the context of our story, Nove Cerchi is a covered entity under HIPAA.
The reader can continue this article on the following NIH URL:
https://privacyruleandresearch.nih.gov/pr_06.asp
There are two (2) other HIPAA rules to understand, as summarized in the following table:
Rule: Security Rule
Description: HHS writes that The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information" (e-PHI). In the context of our exercise, the Security Rule describes how a facility such as Nove Cerchi should protect their network.
Rule: Breach Notification Rule
Description: HHS writes that The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. In the context of this exercise this means that Nove Cerchi would be obligated to report any breaches to their computer network(s) or disclosure(s) of ePHI.
The next term to understand comes from HipaaJournal.com:
The Healthcare Insurance Portability and Accountability Act requires that a person (or persons) within a Covered Entity or Business Associate is assigned the duties of a HIPAA Compliance Officer. This may be an existing employee, or a new position can be created to meet the requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a temporary or permanent basis. As you read in the prologue, John is the compliance officer for Nove Cerchi Medical.
The final concept to understand is a HIPAA Violation. Andrew Magnusson from StrongDM.com writes that HIPAA violations occur when an organization runs afoul of the standards defined by this 1996 U.S. Federal legislation. Many HIPAA violations are related to accessing or sharing patients’ protected health information (PHI). In the context of our story, you will find that employees stepping away from exposed computer screens or leaving paper records visible on a desk creates a greater chance of unauthorized third parties viewing PHI. It’s also common to leave physical charts in hospital rooms after a patient has moved.
The reader is encouraged to review the following websites for more information:
- https://www.hhs.gov/hipaa/for-professionals/index.html
- https://www.hipaaguide.net/history-of-hipaa/
- https://www.totalhipaa.com/history-hipaa-8-things-know/
- https://www.ncbi.nlm.nih.gov/books/NBK9576/
Nove Cerchi Medical
Nove Cerchi Medical is a 35-year-old medical facility in Columbia, Maryland. It occupies nine floors with intensive care, laboratories, patient exam, and operating rooms. Over its history, it has treated ten thousand patients, and their medical records are currently on file within the Nove Cerchi electronic health records system(s). The hospital has recently undergone a six-figure upgrade to information systems, medical gear and building automation to provide better services to their patients. Public records show that more than one hundred employees work for the Nove Cerchi Medical facility.
At admission, patients and visitors are greeted by nursing staff ready to respond to requests for help. Visitors can either request admittance or visit a family member or loved one previously admitted. Visitors to the hospital are required to display a visitor badge at all times. There are three triage (or ‘exam’) rooms available for seeing patients. A typical visit to the hospital takes no more than thirty minutes, during which time a patient may spend twenty-five minutes waiting to see a doctor. Admissions sits outside of the Information Technology server rooms, which are for all intents and purposes inaccessible to the public. The security office sits adjacent to admissions, where surveillance footage can be reviewed and security badges are issued to employees. In addition, employees who work in hospital security can monitor the air quality of the entire floor from the monitoring system that runs on the security workstations. There are believed to be at least two separate surveillance systems running that monitor hospital activities.
Just down from Admission is the newly completed neo-natal intensive care unit (NICU), boasting the most secure features of any hospital in the United States. New parents Thomas and Nichole welcomed a beautiful baby girl, Pearl, into the world not two months ago. Due to a case of bronchiolitis, the beautiful newborn girl had to spend the first six days of her life in the neonatal intensive care unit. Sadly, she was stricken with late-onset pneumonia on the sixth day in the neo-natal unit and had to stay for seven more weeks of intensive round-the-clock care. She is still currently in NICU care. Thankfully, the new security tracking system from Centrak has been installed to provide added security for newborn safety.
Patient exam or triage rooms are found next on the floor across from the NICU. This area of the hospital has three (3) rooms that can serve separate patients simultaneously. Each exam room has medical staff connectivity to the electronic medical records systems from the thin clients found on Rubbermaid carts. Medical personnel use these stations to look up and update care details in the electronic medical records systems used within Nove Cerchi. In addition to these processing stations, you will find network-connected systems such as sonograms, vital sign monitors and even network-connected infusion pumps and the newly upgraded Cisco IP Phone System courtesy of Cykor and Cisco Systems.
Down the hall past the EXIT sign, you will find the Operating Room (OR). There are multiple connected devices in this room such as the ventilator, additional vital sign monitors and even the medical safe. Admittance to the OR is strictly forbidden without a proper access badge. This rough floorplan is shown in the following map, developed sometime in the summer of 2023 for the ninth floor of the facility:
The newly upgraded water treatment system can be found on the floor but
access to this system is restricted as water is a vital resource for a hospital. This
system receives water from the street supply and pressurizes the system
before integrating a treatment processor and feeds into a hot water supply
system. The flow rate and temperature of the water is closely monitored to
ensure the supply stays in motion and the temperature does not lower to
create a breeding ground for legionella bacteria. Interested readers can watch
the following YouTube video for more real-life details:
https://www.youtube.com/watch?v=7RY5GXxiBTc
Next, the integrated HVAC system can be found near the OR on the ninth floor.
This integrated system can monitor the temperature of the entire floor and the
OR to activate the air conditioner and vent controls when the environment
reaches critical levels. Systems such as the portable x-ray machines must be
kept at specific temperatures or risk damage due to overheating.
Finally, the central nurse station is found between the third triage room and
the OR where nurses can be found monitoring vital signs from all patients on
the floor.
Visitors to Nove Cerchi are offered free, open WIFI to help pass the time while
waiting for loved ones. This WIFI is only accessible from the waiting areas and
the parking lots.
It was recently publicly disclosed that foreign dignitary Stephen Austin was admitted to Nove Cerchi Medical sometime in August of 2023 for undisclosed reasons. Social media accounts for one of the surgeons at Nove Cerchi recently but accidentally revealed that sometime early on the morning of September 19th, 2023, a critical surgery is scheduled for Stephen Austin to address a potentially life-threatening ailment. Mr. Austin is featured in this recently released press photo (shown on the left here) for his home country press corps.
Open-Source Intelligence (OSINT)
A typical initial task for a RED team member during a penetration test is to
learn about their target using publicly available information. This type of
information is commonly referred to as open-source intelligence or OSINT.
The MITRE ATT&CK framework will call this reconnaissance (TA0043). OSINT
can be leveraged to identify physical locations and assets to target, or even
employees that are possible targets for phishing or USB device drops. We are
certainly not going to tell the RED team what to look for, but we will reveal
that Nove Cerchi Medical will have several employees with valid email
addresses and will operate a website that may or may not reveal important
details for RED team members. We believe the Nove Cerchi Medical website
will be hosted in AWS and the employees may utilize cloud services for file
sharing and communication.
BLUE team be careful. You may want to consider reviewing the same public
resources to learn what the RED teams may know about!
MITRE ATT&CK
Throughout this playbook we will refer to the MITRE ATT&CK knowledge base as we did in the previous section. We consider this an extremely valuable resource for describing cyber-attacks, but the reader should note that we may be using ATT&CK to reveal a hint or two for our RED teams. If you are interested in participating in Hack the Building 2.0 and this event, you are urged to familiarize yourself with the ATT&CK Matrices found here:
- https://attack.mitre.org/
- https://collaborate.mitre.org/attackics/index.php/Main_Page
Website
Interested parties will find the Nove Cerchi Medical Facility at the following
URL:
https://novecerchimedical.com
As with all online content used in a MISI exercise, the content of a website
should not be a single-instance review. You should take care to review this
content at least once when you read this playbook and again when the
exercise is in-progress.
Participants should realize that review of this content will result in the implicit
execution of one of the sub-techniques of the following MITRE ATT&CK
Technique:
https://attack.mitre.org/techniques/T1589/
Employees
Regardless of your ‘team’ (attackers, or defenders), you should understand
that an attacker will (and should) conduct reconnaissance of employees or
members of their target prior to launching any initial access attempts. An
employee is usually the weakest link in any business when it comes to cyber
security. Let’s meet the following employees who work for Nove Cerchi Medical. This
information may or may not prove useful for the execution of this story:
The following images are randomly produced faces via Generative
Adversarial Network (GAN) technology. These are not real-life people.
Picture
Employee Biography
Vanessa Jahat is the hospital administrator for
Nove Cerchi. She is well respected for her
accomplishments earning the position of
administrator at only 36 years of age. She is
currently single, stating that she prefers to focus on
her career and not on any personal life. She believes
she may want one kid someday, but not today.
She attended Towson University and studied
Business Administration and was an intern at
Nove Cerchi for all six years of schooling. She is
credited with helping achieve a balanced budget
for the FY22 year after dealing with the burdens
of the COVID19 surge in patients. Vanessa is not a
cyber security expert but has fought hard for all
of the budget requests that the director of
information technology (IT) has requested.
John Smith is the director of information
technology for Nove Cerchi Medical. He has
twenty-five (25) years of experience in network
engineering and cyber security for healthcare
organizations. He follows extremely effective
cyber security practices and has repeatedly
needed to request resend emails from outside
parties since he will block many email messages
that are not from known senders. John is a strong
Microsoft Windows and Linux user and prefers to
use a Windows endpoint primarily. John
graduated locally from the University of Maryland
Baltimore County in 2000 with a degree in
Computer Science. He has worked at Nove Cerchi
Medical for only four (4) years. It is believed he is
looking for new employment, but he has not
advertised this to any of his colleagues. John is
believed to have two children.
Dr. Farinata Styx is a renowned urologist for Nove
Cerchi Medical. She emigrated to the United
States on an H1-B visa from Italy only five (5) years
ago and plans to apply for citizenship. She
attended medical school at the University of
Milan in Italy and performed her residency at
Ospedale Luigi Sac. Farinata is extremely nice but
has been cited on more than 1 occasion for lapses
in proper cyber security practices while at work at
the Nove Cerchi facility. Farinata is known to be
close friends with the nursing staff at Nove Cerchi
and is currently not married.
Dr. Joseph Virgil is the premier cardiothoracic
surgeon for Nove Cerchi Medical. He has
performed 1865 surgeries for Nove Cerchi with a
73% success rate of patients. Joseph is known to
be good friends with John Smith and attempts to
follow Joseph’s example of good cyber security
practices. Unfortunately, it is known that Joseph
is currently being sued for medical malpractice
for a recent surgery conducted in 2023. The
outcome of this surgery is not known. Joseph is
scheduled for a surgery of an extremely sensitive
patient on September 19th, 2023. Joseph is a
graduate of Harvard Medical School where he
graduated in the top 20% of his class. Attackers
should know that a social media account for Dr.
Virgil revealed that he is scheduled to perform a
surgery on a very important person, Stephen
Austin, sometime during the week of 18
September. This was an accidental reveal, as this
is a HIPAA violation.
Dr. Francesca Rimini is the head of obstetrics for
Nove Cerchi Medical. She has delivered five
hundred thirty-six babies during her tenure at
Nove Cerchi. Francesca attended Duke Med and
graduated in 1999. Francesca has repeatedly
posted on social media how proud she is of the
new highly secure Neo-Natal ward that Nove
Cerchi has opened on the newly upgraded ninth
floor of the facility. She is currently unmarried.
Pierre Bodo is the deputy director of Information
Technology for Nove Cerchi Medical. He has
worked in this position for one (1) year and two (2)
months since his last position at a maritime
facility. Pierre is a very talented worker with
experience in Windows, Virtualization, and
network defense platforms such as Cisco Cyber
Vision, Nozomi Guardian and is Elastic Security
certified. Pierre is the person who has set up
many of the upgraded systems within Nove
Cerchi network(s) but is frequently accused of
using and re-using poor passwords for his host-
side accounts of boxes that he has configured.
Pierre is the author of the recent plan of action
and milestones (POAM) report detailing the risks
identified within the Nove Cerchi facility during
the recent HIPAA-required Risk Assessment. John
Smith is upset at having to repeatedly ask Pierre
for the master copy of the POAM and Risk
Assessment results as they contain sensitive
information.
Scenario Difficulty
When we present a scenario in our playbooks, we provide an estimated level
of difficulty associated with it. This difficulty is meant for a Red Team
participant only. We use five (5) levels to describe the difficulty of each
scenario and we present a description of each level here for your review.
Remember, this is our interpretation of the difficulty required to be
successful. We have learned to encourage people with no pre-existing skills in
Industrial Control Systems and protocols if they are willing to learn on the fly.
This is one of the best marks of a successful red or blue team operator. If you
can adapt, you will be successful. The difficulties we use to describe our
scenarios are:
Difficulty
Description
None
A scenario rated as ‘None’ difficulty means that we consider
the answers or actions required as obvious. Usually only one
action is required to be successful. Enter a default password,
make a single HTTP POST/GET, sniff a value from the network.
Crack a key or password which is on a wordlist returning in
seconds. We don’t expect any coding for scenarios rated as
‘None’ in difficulty. Scenarios rated as ‘None’ in terms of
difficulty are considered trivial for a blue team defender to
identify including the source addresses of the attackers.
Trainee
A scenario rated as ‘Trainee’ means that someone with less
than 1 year of experience should be able to be successful. This
will require more than 1 action but examples or descriptions
of all the actions required are either provided or can be found
with simple Google Searches. These scenarios also will almost
never require you to infer a command line argument or
determine which tools to use but we may require single line
changes to code and scripts for these to be successful
(typically changing hard-coded arguments or values that
cannot be specified on the command line). We do give hints
for scenarios rated as ‘Trainee’ level of difficulty. Scenarios
rated as ‘Trainee’ in difficulty will be easier for a blue team
defender to spot but not as trivial as those rated as ‘None’.
Intermediate
A scenario rated as ‘Intermediate’ may require more than 1
year of experience to complete successfully. This will require
multiple steps to achieve success and very few of the follow-
on steps or actions will be described in advance. The key with
Intermediate Difficulty is the demonstration of applied
knowledge. If you are told to achieve an outcome on a target,
you first must solve the issue of access to the network, then
recon to identify the target followed by creation of payloads to
achieve your desired outcome. You will have to write code to
achieve your goals for a scenario rated ‘Intermediate’. This is
the first level of difficulty where we consider it equally difficult
for a Blue Team member to spot the attack as it is for the Red
Team to perpetrate.
Advanced
A scenario rated as ‘Advanced’ is considered a direct
extension of one rated as ‘Intermediate’. Here you will have to
write more code, work harder for initial access, even perform
reverse engineering or use of non-standard tools such
as software defined radios, programming embedded systems
and using programming languages such as C and C++. One
concrete example of the difference between an intermediate
and advanced scenario will be the injection of industrial
control traffic to perform basic functions such as turning off
power to an output versus specific traffic to turn off power to
some inputs while enabling power to others which means
you must understand the input and output states of your
target PLC or medical device.
Expert
The most difficult scenarios we will ever execute. A scenario
rated as ‘Expert’ will require assistance or input from
someone with multiple years of experience, more than 5 years
and usually more than 10. This will require performing 1 or
potentially more actions completely from scratch such as
reverse engineering a sample file or constructing your own
tool that executes multiple functions. An expert scenario will
require difficult work to remain undetected.
NOTE that there is an implicit assumption of existing skill you will bring to this and any MISI competition. The ideal participant in this event has some prior exposure to penetration testing, network security assessments, or vulnerability and reconnaissance scanning. On the opposite side, the ideal participant will have some degree of experience in running cyber security tools for network defense. If you come to this event understanding industrial protocols such as MODBUS, BACNet or EtherNet/IP and healthcare specific protocols such as HL7, you will have advantages over your competitors. While we want all interested parties to be involved, you will require some skills to compete. We will use a simple graphic gauge (like what is shown here) to indicate our assigned difficulty level for a scenario, where an arrow will indicate the difficulty level whose description can be found above in this section.
Training Scenarios
We are releasing our newly developed training scenarios for this event and
plan to make this a regular occurrence at future MISI exercises. These training
scenario(s) will be a requirement for student attacker (RED) teams and will be
optional for professional or government/military participants where you may
have already been required to take classroom training or have multiple years
of experience under your belt when you participate in this exercise.
A MISI training scenario is a fully functional, self-contained demonstration of a
small number of protocols or technology that are involved in the exercise
where the scenario is featured. The scenario will be physically disconnected
from the exercise environment and may or may not have Internet connectivity.
The purpose of a training scenario is to provide a practice point where a
participant can identify targets and potentially exploit devices using the same
type of packages and protocols that will be found in the exercise network. You
will be invited 1 team at a time to connect to the training scenario where a MISI
engineer will guide you in the following actions:
• Identify ALL required target devices on the network (including IP address/MAC address information)
• Identify the protocol(s) or technology being used in the process (including port numbers and protocol names)
• Interrupt the process under execution using custom crafted code or an existing tool (no physical interruption allowed)
The benefit of the ‘training’ is that a MISI engineer will work with each team to
achieve the previously stated goals. If a team requires assistance, we will
reserve the right to ask them to return to the training scenario after others
have had a chance to visit.
Participants should pay attention during initial briefings to determine what
type of connectivity is required for each training scenario. Your participation in
a scenario will be exclusive to your team only and it will take place away from
view of other participating teams.
We strongly urge you to bring Linux and Python 3 to a MISI trainer. If you
choose to use a Microsoft Windows environment, you are advised to have the
following items available:
• nMap 7.94 (with Zenmap)
• Wireshark
• Python 3.11.x
• Visual Studio Code
Trainer 1
We will be featuring the first MISI Trainer (we are calling Trainer 1) in this
exercise. This trainer will feature at least 1 cyber-physical process that can be
controlled and interrupted remotely. The participant should be aware that
there may or may not be Internet access available to this self-contained
environment. This is featured in the picture shown below:
A participating team will be invited to interact with this scenario and is expected to bring a laptop computer to connect to the switch on the lower-left corner of the display; ethernet cables will be provided. Once connected you are expected to answer the following questions:
1. What are the components of this process?
2. What are their addresses?
3. What protocol(s) are being used?
If you can answer all these questions, we require a participant to develop a
payload to interrupt the process over the network. This will be simple. The fact
that this is a trainer means we will guide the participant through this
construction.
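A passive way to work through the three Trainer 1 questions from a packet capture, written as an added example that is not part of the MISI playbook (the frames, MAC/IP addresses and port-to-protocol mapping are constructed assumptions): it inventories devices by MAC and IP, names the protocol by destination port, and, from the BLUE team's side, flags the Modbus/TCP write requests that can actually change a process.

```python
# Added example (not from the MISI playbook): passive inventory of devices and
# protocols from captured Ethernet frames, answering the Trainer 1 questions,
# plus BLUE-team alerts on Modbus/TCP write requests (the process-altering
# messages). All frames below are constructed inline, not a real capture.
import struct
from collections import defaultdict

# Assumption: standard ports for the protocols the playbook names; real
# deployments sometimes move them.
PORT_PROTOCOLS = {(6, 502): "Modbus/TCP", (17, 47808): "BACnet/IP",
                  (6, 44818): "EtherNet/IP explicit", (17, 2222): "EtherNet/IP I/O",
                  (6, 2575): "HL7 over MLLP"}
MODBUS_WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
                      15: "Write Multiple Coils", 16: "Write Multiple Registers"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP-or-UDP headers; None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
    if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    # TCP data offset lives in the high nibble of byte 12; UDP header is 8 bytes
    payload = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]
    return {"src_mac": mac_str(frame[6:12]), "dst_mac": mac_str(frame[0:6]),
            "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
            "proto": proto, "sport": sport, "dport": dport, "payload": payload}

def modbus_function(payload):
    """(unit_id, function_code) from a Modbus/TCP ADU; None if the MBAP header
    (transaction id, protocol id 0, length, unit) is malformed."""
    if len(payload) < 8:
        return None
    _tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def inventory(frames):
    """Map (MAC, IP) -> protocol roles seen, plus alerts for Modbus writes."""
    devices, alerts = defaultdict(set), []
    for f in filter(None, map(parse_frame, frames)):
        label = PORT_PROTOCOLS.get((f["proto"], f["dport"]))
        if label is None:
            continue
        devices[(f["src_mac"], f["src_ip"])].add(label + " client")
        if f["dst_mac"] != BROADCAST_MAC:  # a broadcast address is not a device
            devices[(f["dst_mac"], f["dst_ip"])].add(label + " server")
        if label == "Modbus/TCP":
            mb = modbus_function(f["payload"])
            if mb and mb[1] in MODBUS_WRITE_FUNCS:
                alerts.append(f"{f['src_ip']} -> {f['dst_ip']} unit {mb[0]}: "
                              f"{MODBUS_WRITE_FUNCS[mb[1]]}")
    return dict(devices), alerts

# --- constructed sample traffic ---------------------------------------------
def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, data):
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    if proto == 6:  # minimal TCP header: 5 words, PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:           # UDP header: length field covers header plus data
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    l4 += data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4

def modbus_adu(tid, unit, pdu):
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

LAPTOP = ("aa:bb:cc:00:00:01", "10.0.0.5")
PLC = ("aa:bb:cc:00:00:10", "10.0.0.20")
SAMPLE_FRAMES = [
    # laptop reads 10 holding registers from the PLC (function 3, read-only)
    build_frame(LAPTOP[0], PLC[0], LAPTOP[1], PLC[1], 6, 50000, 502,
                modbus_adu(1, 1, bytes([3, 0, 0, 0, 10]))),
    # laptop writes coil 0 = ON (function 5): this one alters the process
    build_frame(LAPTOP[0], PLC[0], LAPTOP[1], PLC[1], 6, 50001, 502,
                modbus_adu(2, 1, bytes([5, 0, 0, 0xFF, 0]))),
    # BACnet/IP Who-Is broadcast from a building controller
    build_frame("aa:bb:cc:00:00:02", BROADCAST_MAC, "10.0.0.6", "10.0.0.255",
                17, 47808, 47808, bytes.fromhex("810b000c0120ffff00ff1008")),
    # HL7 ADT message framed with MLLP, sent to the hospital interface engine
    build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:30", "10.0.0.7", "10.0.0.40",
                6, 50002, 2575, b"\x0bMSH|^~\\&|LAB|NOVE||||ADT^A01|1|P|2.5\r\x1c\r"),
]
```

Calling inventory(SAMPLE_FRAMES) returns the device map (five devices, the broadcast address excluded) and a single alert for the coil write.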
Registration
This event is ‘invite-only’ so there is no registration. As we plan to re-run this
story, this will change in the future, and we will release an updated story to
account for registration details at that time.
Execution
We are working on details for the actual execution of this event. We strongly
encourage you to check-back each week as we establish more details on how
the execution of the event will occur. What we can describe now is the
following:
- All on-site RED Teams will be positioned in the same physical space at separate tables.
- BLUE Teams will be in visual sight of RED Teams but out of earshot.
- The operating hours of each day of this exercise will be: 0800 – 1600.
- If a BLUE Team member catches a RED Team, they will be able to affect network access for increasing periods of time.
- BLUE Teams will always have visual sight of all stations of this event whereas RED Teams may not be able to see all stations.
Schedule
Currently this event is scheduled for execution on the following dates:
18 - 21 September 2023
We have identified an estimated end time of:
1400 EST, Thursday September 21, 2023.
We do plan to reserve a brief window of no more than two (2) hours
Friday September 22 for any participating party to re-attempt a
scenario without intervention so long as each team understands this
will NOT count towards any performance evaluations or final ‘place’ in
this exercise. Stay tuned to real-time chat for more information.
Controlling Team Access
We reserve the right to schedule each RED team to access specific scenarios
or systems that run within this competition space. When this occurs, each
competing team will receive the same amount of access time to the restricted
scenario or system(s) without negotiation.
We will communicate access restrictions during initial briefings for RED teams
as the event draws closer, but we reserve the right to adjust access during live
execution in response to adverse network or social conditions.
Exclusion List
We will use an exclusion list (also referred to as a blacklist) during execution of
this event to indicate assets which are expressly prohibited from attack or
interaction. An asset may represent an IP address, CIDR address, website or
even a specific URL on a target on the network. All participants must abide by
this list and will receive only 1 warning if they interact with an asset that has
been excluded from interaction. Repeated interaction with restricted or
excluded assets will result in removal from the event. Participants will need to
learn that they must exercise caution when interacting with a control system
(e.g., programmable logic controller) or the device may hang or become
corrupted.
Awards
We are planning to release a small trophy to the three top performing teams
during execution of this event. We will release further details about trophies
during the initial briefings for the RED and BLUE teams for this event prior to
exercise start.
Communication
We will utilize a Discord Server for this event. We will release an invitation link
to all registered participant email addresses as the event date comes closer. As
with previous events, each team will be separated into different channels. You
are strongly encouraged to monitor the Discord Server during normal business
hours in the event we need to reach you. If you do not respond to three (3)
attempts to contact you, your access will be immediately terminated until we
can discuss whatever issue caused us to reach out to you in the first place.
Video
We do plan on recording video during the execution of this event. This video
will be streamed to a companion conference taking place at the same time as this
event via Twitch and YouTube.
Due to the unique nature of this event, participants will be permitted to ‘enter’
the hospital facility section of the event space in person a limited number of
times. When this happens you will be on camera recorded by the surveillance
systems that are active on the network and the simulcast stream of the
proceedings to the conference taking place at the same time.
Exercise Updates
In the past we have needed to issue on-the-spot information to participants
such as temporary pauses due to equipment failure(s) or system resets. These
messages will be communicated to participants audibly and via the Discord
server. This may include re-releasing this playbook with updated information.
Because of this, we strongly encourage participants to join Discord to be
alerted to these updates.
Teams
We discuss the roles you can fill when you participate in the Hack-The-Building
2.0 challenge in this section. We need two (2) types of participants in our story:
RED, and BLUE. We will discuss each team type separately next.
Remote Participation
There will not be any remote access participation for RED teams during this
event. MISI is not responsible for how a RED team may choose to collaborate
with offsite personnel for research and prototyping, but we will not offer any
RED teams a VPN access account as we may have done in the past. Since there
are online resources involved in an exercise, they are typically only released
with strict firewall rules controlling who can access. We will make every
attempt possible to accommodate offsite personnel to allow access to these
online sites and resources but please be patient. You are required to
communicate such requests over Discord only. We will not be able to respond
to requests from email.
Coordinated Disclosure
This exercise is bound by the coordinated vulnerability disclosure process
adopted by MISI. Any information discovered during this event will be
disclosed in a responsible manner and this means you cannot publish details
on social media of any kind. Failure to abide by this rule will result in immediate
banning from any future MISI exercise.
The reader is encouraged to review the
CISA website discussing the coordinated vulnerability disclosure process:
https://www.cisa.gov/coordinated-vulnerability-disclosure-process
Team Rules
MISI has several rules you are expected to abide by to participate in this
event:
• On-site teams can be no larger than five (5) participants.
• Absolutely NO party may execute any action against Nove Cerchi Medical resources until they are given an official start via Discord.
• Each participating organization can field a team of five (5) on-site RED team participants.
• RED Teams must sign and submit an electronic rules of engagement (ROE) PDF prior to the cyber exercise. No ROE, no admittance.
• RED Teams agree that they will NOT publish any results of any discoveries made during this event PERIOD.
• RED and BLUE Teams agree to leave each other alone; no snooping or spying on screens will be permitted.
• Teams agree to NEVER perform any denial-of-service activities (WIFI actions will be permitted only after collaboration with MISI personnel via Discord).
• Teams agree to report all activities executed and to not engage in any dishonest, illegal or immoral actions up to and during execution of this event.
• Visiting Attackers must abide by the two-finger tap rule if they are asked to leave the hospital area(s).
• No BLUE team personnel may touch or interact with any physical resource of a RED team participant. The exception is any battery-powered computing device that lacks a keyboard and is not under the direct physical control of a RED team member. In this case, the BLUE team participant may handle said device(s) with care, ensuring not to drop them, and may either power them off or place them in RF shielded containers or pouches. (e.g., you cannot cut the Ethernet wire of an attacker with scissors; it has happened in the past)
• No participant shall change any password for any device without reporting to MISI exercise control (EXCON). Doing so will result in an immediate exercise stop which may require extended down-time.
• No participant shall modify protected accounts on any exercise system (this includes the ‘Ansible’ account on all assets). Modifying this account in any way will result in an immediate exercise stop.
• NO BLUE team personnel may attempt to connect to any network port(s) on ANY RED team participant laptop.
• No participant may utilize a WIFI pineapple (or the equivalent PineAP or EvilTwin open-source software) without consulting with MISI Exercise Control.
We cannot stress this enough, if you stray from the approved target
list, you will be removed from the competition.
RED
Offensive or RED teams are being asked to carry out a specific mission for each ‘scheme’ in this Hack the Building 2.0 Event. We strongly urge on-site teams to bring at least three (3) participants for this event, but you may have up to five (5) on a single RED Team. Each mission may require the creation of prototype code to inject, replay or alter traffic to achieve a specific effect. You should be ready to write code (e.g., Python, C or JavaScript), capture network traffic (PCAP), perform network reconnaissance, crack passwords, reverse engineer files and PCAP, and operate remote access programs such as Metasploit, PowerShell Empire, Veil, BEEF, Pupy, and others.
Hospital Visits
This is a unique exercise that tries to follow real-life practices. In a hospital,
people are admitted as visitors and patients every hour of every day and in
this exercise, RED team members can admit themselves for examination to
Nove Cerchi. We will be able to accommodate three (3) patients at a time and
RED teams must follow these rules for admittance:
• A single RED team member may not admit themselves more than 3 times in a single day of exercise.
• A RED team cannot admit the same person twice in a row.
• RED teams can only admit someone if an exam room is empty.
• An admitted patient must stop at reception first before accessing the hospital.
• An admitted person must display whatever badge or identifier they are given at reception.
• A patient may be asked to leave electronic devices in their car or back in the waiting room.
• An admitted patient may be left alone in an exam or ‘triage’ room for some period. They are not permitted to leave this room without displaying a security badge that will successfully scan on a badge reader at security.
• A patient may be asked to leave the facility by a BLUE team member. If asked or ‘two-finger tapped’ on shoulder or arm (only), they must leave immediately.
If you do not follow these rules, you will be removed immediately.
Rules of Engagement
RED Team members are required to submit a signed rules of engagement
(ROE) for all teams to be considered for participation. This is an important
document for several reasons:
1. As we wrote earlier, we are firm believers in responsible vulnerability discovery, or what CISA calls the ‘Coordinated Vulnerability Disclosure Process’. We are fortunate to have vendors work with us during exercises to demonstrate their technology, and publicly disclosing any vulnerability that you discover without letting the vendor address the problem first is irresponsible and potentially dangerous. Disrespecting this process will result in your immediate dismissal from all future MISI events and we will work with our customers to ensure you face additional consequences.
2. An ROE is a required legal document that should be signed by all participating parties before you conduct any type of offensive operation against a target, should you choose to make this your career (and we hope you do). It is important for you to learn this lesson early.
Here are some helpful articles that go into more detail:
• https://www.sans.org/posters/pen-test-rules-of-engagement-worksheet/
• https://www.cisa.gov/resources-tools/services/penetration-testing-0
Expected Skills
We suggest the following skills are required to be a successful RED Team:
- Python (requests, scapy, pymodbus, pyshark, BACpypes)
- Network Recon (nmap, masscan, snmp, BACNet)
- Wireless Surveys (Kismet, airodump-ng, hcitool)
- Payload Building (msfvenom, empire, veil)
- Host Exploitation (Metasploit Framework)
- PCAP Analysis (Wireshark, tcpdump)
- Vulnerability Scanning (OpenVAS, Nessus, nmap NSE Scripts, openscap, lynis)
What to bring
We provide suggestions on what tools a RED team should bring but be
forewarned: part of the execution of cyberspace operations is pre-planning.
You must think through what tools are required. At a minimum, you are
highly encouraged to bring the following items:
• Laptop(s) & Charger(s)
• External USB WIFI (802.11ac or 802.11ax support)
• External Bluetooth Radio
• Virtualization Software (we only support VMWare virtualization; you can get 30-day trials)
• Offensive Linux Distribution
• USB Flash Memory
• RFID Badge Scanning and Exploitation
• RJ-45 Ethernet Cord (3-6 feet)
Scoring
Remember, this is a story of money. Traditionally, MISI will use CTFd for tracking RED team performance and would normally release a specific site for scoring closer to the event date. If we choose to use CTFd for this event, RED Team personnel will be issued an invite to CTFd through the Discord Server. While we use a CTFd system to measure traditional performance, we will be adding an additional metric of performance to this event: money. As a RED team member, you should be carefully watching everything to see if there are flags you can supply to gain points or types of fictitious PHI you can gather to earn more money. Flags and PHI will be found almost anywhere inside the Nove Cerchi networks.
PHI and Cold Hard Cash
Since this is an exercise about money instead of executing scenarios, we are asking RED Teams to disrupt processes and gather PHI, both of which will earn you money. The first type of PHI you will find on the Nove Cerchi servers is a prescription record PDF. This is a record of a physician prescribing medicine to a past patient. An example of this is shown below on the left. The second type of PHI you will find is a diagnosis report from a past visit to a patient exam room at the Nove Cerchi facility. This is shown in the images below alongside a record of a drug prescription (remember, it's 'fake') issued to a past patient. For each record type you will see below, we assign a dollar value to the record that you will earn if you are able to ransom the data away from Nove Cerchi employees. You will earn this amount for each file you ransom, provided you are able to show proof of the ransom.
For the record, the 'money' discussed in this section is purely imaginary. You will not earn actual money from gathering PHI in this event.
In addition, the information contained in these files is 100% fictitious. No personal data is used at any time.
[Image captions on this page: Worth $50.00 USD; Worth $100.00 USD; Worth $10.00 USD]
In addition to these types of PHI files shown previously, as this is a teaching exercise, we will be using X-Ray imagery from the research website https://radiopedia.org and proper citation of images used will be available. An example image to be on the lookout for is shown next, including the corresponding citation. The citations for any x-ray imagery used will be found in the root directory of the primary location within our competition network where the imagery will be found. Any subsequent images used throughout the remainder of the network will be copies of those found in this root or top-level location. X-RAY image case courtesy of Ian Bickle, Radiopaedia.org, rID: 171278
Sample prescription record (fictitious), as shown in the image:
NOVE CERCHI MEDICAL
7000 Columbia Gateway Dr.
Columbia, MD 2104
Name: Dorothy Davis
DOB: 11/28/1947
Today's Date: 7-13-2007
Physician: Joseph Virgil MD
Refills: 0
Dosage: 16 mg
Medication: Nitroglycerin
Instructions: Take as needed for chest pain relief. Do not exceed three doses per day.
Physician's Signature: ____________________________________________________
www.novecerchimedical.com
Sample diagnosis report (fictitious), as shown in the image:
NOVE CERCHI MEDICAL
7000 Columbia Gateway Dr.
Columbia, MD 2104
Medical Diagnosis
Patient Name: Edward Lopez
SSN: 122-26-3423
Age: 81
Date of Diagnosis: August 27, 2023
Attending Physician: Filippo Argenti MD
Chief Complaint:
Complaining of leg pain after prolonged sitting or standing, along with symptoms of warmth and redness in the legs.
Medical Diagnosis:
Based on the presented symptoms and patient history, the medical diagnosis for Edward Lopez is as follows:
1. Peripheral Arterial Disease (PAD):
Peripheral Arterial Disease is a condition characterized by the narrowing or blockage of blood vessels that carry blood from the heart to the extremities, particularly the legs. The symptoms of warmth, redness, and leg pain after prolonged sitting or standing are commonly associated with PAD. These symptoms are typically experienced due to reduced blood flow and oxygen supply to the leg muscles.
Proposed Treatment Plan:
Upon diagnosing Edward Lopez with Peripheral Arterial Disease, the following treatment plan is recommended:
1. Lifestyle Modifications:
- Encourage regular exercise, such as walking, cycling, or swimming, to improve blood circulation.
- Promote a healthy diet low in saturated and trans fats, with an emphasis on fruits, vegetables, whole grains, and lean proteins.
- Encourage smoking cessation to improve vascular health.
2. Medications:
- Prescribe medications, such as antiplatelet agents (aspirin, clopidogrel), cholesterol-lowering drugs (statins), and medications for managing blood pressure and diabetes as per the patient's medical history.
3. Surgical Intervention (if necessary):
- In more severe cases, revascularization procedures such as angioplasty or bypass graft surgery may be recommended to restore blood flow to the affected leg(s).
4. Symptom Management:
The final type of file available on this network is a DICOM image result from a
sonogram. Readers may associate the sonogram to an expectant mother, but
the sonogram is used for a variety of purposes including blood flow, studying
newly discovered lumps in the body and even guiding needles for biopsy and
tumor treatments.
[Image caption: Worth $15.00 USD]
Participants should understand that the list of possible PHI data files and
numbers of each type that are available for this exercise is subject to change.
We will publish any changes or additions to this list on Discord during the
exercise.
Proof
We touch on the concept of proof in this section. As a RED team operator, we highly advise you to learn the value of collecting evidence of actions taken during an operation. This can help you diagnose what went wrong if something fails, and it can help prove your success at steps within your operational plan. In a MISI exercise, you are strongly advised to capture proof of your success. The most common form of proof is a screenshot showing the outputs of the tools you execute. You can enable timestamps in your shell history to ensure that timestamps are also captured, but screenshots are the simplest and most effective method of ensuring you can prove what you did.
The other type of proof we commonly encounter is source code that executes actions on objectives, such as injecting traffic targeting a PLC or server. This is perfectly acceptable, but as a secondary proof vector to a screenshot showing successful execution of your action(s). Ideally you should be capturing both types of proof of success.
Command and Control
We want to pause for a second and discuss usage of remote command and
control (C2) assets during this event. You can assume the Nove Cerchi Medical
network is connected to the Internet. If you successfully expand access off
initial access network(s) where you start, you may find the need to control Nove
Cerchi Medical assets via remote cloud-connected servers. We will not stand
up any cloud-connected asset for you during this event. You are responsible
for all cloud assets you require for successful operations during this event. You
will be required to report on IP addresses used for cloud assets during exploit
attempts.
BLUE
We are not only looking for RED teams for our Event. We want to find the group of participants who are eager to defend the facilities of Nove Cerchi Medical during our event operation. This is commonly referred to as a BLUE team. You will be granted administrator access to the networks and systems, and if you successfully spot an attacker, you will be granted permission to execute what we call defensive cyberspace operation response actions upon approval from MISI. The centerpiece of the BLUE team arsenal will be Elasticsearch. BLUE Teams will be granted access to a full Elastic Security Stack for this event that will include:
- Syslog
- Windows Log(s)
How will BLUE teams compete? A BLUE team member's job is to spot an attack in progress or that has completed and attempt to determine things such as:
- What was the source address of the attack?
- When did it start? When did it stop?
- What was attacked?
- Is it on-going?
- What is the potential impact of the attack?
- What are the TTPs that are being used in this attack?
- Are there any Indicators of Compromise (IoC) that we can capture and share?
- Can we mitigate this attack?
- Can we prevent it from happening again?
As we stated previously, we are using a Discord Server for communication and
your job as a BLUE team defender will be to publish a Significant Action or
SIGACT alert within the BLUE team channel if you discover an attack. You can
then request a DCO-RA to respond which we will discuss shortly.
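A worked example of answering those questions from log data, added here and not part of the MISI playbook: it parses constructed syslog sshd lines, groups failed logins by source address, and produces a SIGACT-style summary with start/stop times, targets, the candidate TTP and the impact. The host names, addresses, failure threshold and the year used for timestamp parsing are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from the event network).
SAMPLE_LOG = """\
Sep 19 10:02:11 medstaff-fs01 sshd[2211]: Failed password for invalid user admin from 10.50.1.77 port 51234 ssh2
Sep 19 10:02:13 medstaff-fs01 sshd[2211]: Failed password for invalid user admin from 10.50.1.77 port 51236 ssh2
Sep 19 10:02:15 medstaff-fs01 sshd[2214]: Failed password for root from 10.50.1.77 port 51240 ssh2
Sep 19 10:03:40 facilities-hmi sshd[881]: Failed password for operator from 10.50.1.77 port 51302 ssh2
Sep 19 10:03:41 facilities-hmi sshd[881]: Failed password for operator from 10.50.1.77 port 51303 ssh2
Sep 19 10:04:02 facilities-hmi sshd[884]: Accepted password for operator from 10.50.1.77 port 51310 ssh2
Sep 19 10:10:00 medstaff-fs01 sshd[2300]: Failed password for nurse1 from 10.50.2.15 port 40001 ssh2
Sep 19 10:10:05 medstaff-fs01 sshd[2301]: Accepted password for nurse1 from 10.50.2.15 port 40002 ssh2
Sep 19 10:11:00 medstaff-fs01 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)
"""

LOG_YEAR = 2023  # syslog timestamps carry no year; the exercise year is assumed

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text):
    """Turn raw syslog text into a time-ordered list of sshd auth events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth line; other parsers would handle it
        stamp = " ".join(m["ts"].split())  # collapse the padded day-of-month
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def build_sigacts(events, fail_threshold=5):
    """Group failures by source address and emit one SIGACT per source that
    crosses the threshold, answering the BLUE team questions listed above."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    sigacts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        if len(fails) < fail_threshold:
            continue
        # An Accepted login from the same source after the failures means the
        # guessing most likely succeeded: the impact is a compromised account.
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "Accepted" and e["ts"] > fails[-1]["ts"]})
        sigacts.append({
            "source": src,
            "start": fails[0]["ts"],
            "stop": fails[-1]["ts"],
            "targets": sorted({e["host"] for e in fails}),
            "usernames_tried": sorted({e["user"] for e in fails}),
            "failed_attempts": len(fails),
            "accounts_compromised": compromised,
            "ttp": "T1110 Brute Force (SSH password guessing)",
            "ioc": {"src_ip": src},
            "mitigation": "lock the listed accounts and request a DCO-RA block on the source",
        })
    return sigacts


def format_sigact(s):
    """Render a SIGACT as the one-line alert posted to the BLUE channel."""
    impact = ("account(s) compromised: " + ", ".join(s["accounts_compromised"])
              if s["accounts_compromised"] else "no successful login observed")
    return (f"SIGACT {s['source']} {s['start']:%H:%M:%S}-{s['stop']:%H:%M:%S} "
            f"targets={','.join(s['targets'])} failures={s['failed_attempts']} "
            f"ttp={s['ttp']} impact={impact}")


if __name__ == "__main__":
    for sig in build_sigacts(parse_events(SAMPLE_LOG)):
        print(format_sigact(sig))
```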
Expected Skills
The following skills are required to be a successful BLUE Team:
• Kibana Search/Query
• Kibana Visualization
• Syslog Log File Analysis
• PCAP Analysis
• Netflow Analysis
• Filesystem analysis
• Windows Registry Analysis
• PHP Vulnerability Analysis
• Intrusion Detection System Operation
• Windows Event Log Analysis
DCO-RA
A Blue Team can execute defensive cyber operation response actions, or DCO-RA, to defend a network. We are challenging BLUE Teams to plan to execute DCO-RA for this Event. While we have multiple DCO-RA actions planned, we will reveal now that BLUE team personnel will be permitted to request any of the following actions:
- Block MAC address from Nove Cerchi WIFI
- Kick MAC address from Nove Cerchi WIFI
- Change WIFI passwords on Nove Cerchi WIFI
- Change User Passwords
- Revert/Reboot Hosts
- Kill processes
- Lock user Accounts
- Disable Network Ports
- QoS Network Ports
Team members will be permitted to request these actions through Discord,
and we will rule on the action and assist in the execution if sufficient evidence
is provided. We will not inform RED teams of any DCO-RA actions that are
executed against them.
Ubiquiti Cloud-Key
Removing actors from the Nove Cerchi networks in this exercise will be
accomplished through the Ubiquiti Cloud Key web interface. MISI may offer
BLUE teams the ability to login to the Cloud Key to block a competitor from
the network. We will notify teams via Discord if we offer this option during
execution.
Mission Critical
The BLUE Teams should understand that a hospital network like Nove Cerchi
will contain systems that are essential to saving lives. As such, some actions
they may request will be denied as they may have adverse impact on other
systems functioning in the network. For example, in a past event a BLUE
team altered the security settings of a network switch on a remote subnet of
the competition network, and this resulted in the entire network no longer
being accessible from the rest of the environment. If this was done in a real-
life environment this could have extremely negative outcomes for patients in
the hospital.
Attack Reporting System
We have created a system for BLUE team personnel to report suspected
attacks. This will be a web-based form for capturing details about an attack in
progress. This link will be available only during the actual exercise and each
reported attack will automatically notify Discord channels. We can use this
detail to understand BLUE team performance and ability to identify attacker
TTP. The attack reporting form URL for this exercise can be found at:
https://ybztcgbr3j.execute-api.us-east-1.amazonaws.com/default/attackreporting
All participants should know the following fact. The attack reporting
system resource is ABSOLUTELY off limits to RED teams. This is owned
by Amazon. DO NOT Touch this form if you are an attacker.
We have summaries of the data gathered by this form that we can make
available to BLUE team personnel.
Vendor Interaction
One of the most interesting aspects of the BLUE team is that you will be able to interact with vendors of advanced cyber security technology who are donating their solutions for this event. We already have multiple vendor commitments, and you should leverage this opportunity as free training on some of the most advanced ICS and healthcare information security platforms in the marketplace.
We can confirm the following advanced technology for defensive cyber operations including control systems will be present at this event:
• Asimily Secure
• Cisco Cyber Vision
• Forescout Platform
• Elasticsearch with Kibana
• Keysight Packet Broker
• Nozomi Networks Guardian
• Ascom Healthcare
• SecureXperts
Initial Story
As this exercise starts, Nove Cerchi will be open for business just like any other normal day. This means that without customers, the hospital will not survive. The reader is strongly encouraged to read the prologue to ensure all the human and social details of our story are identified. As you read in the prologue, the Nove Cerchi Medical facility just recently completed their required Risk Analysis as stipulated by the HIPAA Security Rule. The RED team participants should be on the lookout for this internally produced report, as it can clearly identify the vulnerabilities that the hospital should be planning to fix in the short term.
RED team participants will be positioned in the waiting room area of the floor plan shown earlier and may remain 'all day'. During this time, RED teams are allowed to enter the hospital facility as customers or patients, but they must understand that there are a limited number of exam rooms that will be available during working hours. These teams will be found in the waiting room areas of the facility as described on the floor plan map shown previously. Any patient or visitor granted entrance to the facility will be required to display either an access sticker or a wristband. Anyone not in possession of either item will be assumed to be a hospital employee, but there will be consequences to this claim.
RED teams should be aware that the Nove Cerchi facility is protected by an access control system. In the photo on the right, you can see the access control reader found at admissions in addition to the access control panel itself. Each critical area in the rest of the hospital will have a badge reader, and any participant attempting to interact with a station may be questioned by hospital security, prompting you to show your badge.
There will be internet access available in the waiting room for any visitors, but a RED team will not be able to talk across the waiting room to any team member that has entered the facility as a patient. BLUE team members will be found in the access restricted area of the facility for security personnel but are permitted to roam anywhere on the floor including the waiting rooms.
RED teams must find a way to expand access beyond the initial starting point of the NOVECERCHI-PUBLIC WIFI network to those networks that will allow them to attempt to locate any potential flags and 'pull off' the money-making schemes described in the next section. The prologue mentions a specific HIPAA related item that may assist RED teams in determining how to expand access by describing cyber risks that the target healthcare facility currently suffers. They are encouraged to attempt to locate this item. There may be direct paths from public WIFI to the internal networks, and there very well could be 'longer' paths requiring multiple steps of persistence and pivoting. As always, should the story stall, the 'storyteller' may move it along unexpectedly, requiring both sides to react quickly to new threats.
Another unique aspect to this exercise is that, barring any scheduling of team access that may occur, there will be no set time windows for any activities during execution. Teams are encouraged to review the money-making schemes in the next section and determine their own order of execution. If you find you are having issues with one scheme, move on to the next while you still have time. All participants should be aware of the electronic medical records (EMR) system used by Nove Cerchi. Currently the Nove Cerchi Medical facility uses the OpenEMR platform for storage and processing of patient protected health information. Any patient who wishes to enter the Nove Cerchi facility during this exercise must self-register with this platform using the link shown in the following image:
The link above for those who cannot see it in the image is:
https://openemr.novecerchimedical.com/portal/
This link will only be accessible during the exercise operating hours and is not accessible remotely due to the risks of exploitation. Participants should remember that the OpenEMR platform does not respond to email addresses that end in non-standard Top-Level Domains (TLD) such as .tech, so make sure to use a suffix like .com, .net or .edu when supplying an email address for registration.
Participants are strongly advised to remember that they should not supply real personal information during registration. In short, your email address and your first name should be real; nothing else matters. All participant registered information is purged at the completion of this exercise.
We discuss the specific money-making schemes which will count towards overall scoring in this section. Each scheme will have a stated goal that you should attempt to achieve without detection by the blue team. Just a reminder, RED teams are not 'actually' making money during this event; you are simply trying to gain value over your teammates to claim success.
Scheme: Ransom Nove Cerchi PHI
Difficulty
Suggestions:
- PowerShell
- C#
- Python
Technologies Faced:
- Windows File Shares
- Web Application
- Active Directory
- PDF
- Adobe Acrobat PDF
- DICOM
- OpenEMR
- MySQL
Description
In this scheme, you must identify and ransom the electronic health records of past patients within the Nove Cerchi Medical facility. Do not delete records, just ransom them. You must gain access to the Nove Cerchi MEDSTAFF network and identify the files that contain this data. Once identified, you must maintain access and develop a payload that will prevent normal hospital employees from accessing the data. There are multiple sources of ePHI within the Nove Cerchi network. At least one of these should be a file share instead of an application.
If upon gaining access you discover that the records are already ransomed, you must wait until the previous attacker is paid and the records are unlocked to proceed. This means you must successfully open 1 record to check and see if the files are already ransomed. This means you won't have a chance to earn any money from this event until this is completed, and could result in your loss of access first, thus losing your chance to perform your own ransom.
Once you have identified access and developed your own ransom method, you must notify a Nove Cerchi employee either through Discord or an email to an employee. The technique must ensure that an employee cannot open the files you consider ransomed through normal means.
You won't have to write your own ransomware, and you are NOT permitted to use any samples that have been reported to VirusTotal or other sources to accomplish your feat. The following article describes the collection of MITRE ATT&CK techniques used in this approach by previous attackers:
https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
It is important for your payday that you record every file that you ransom, as this is the only way we can ensure that you are 'paid' properly for your efforts. No real exchange of money will take place, but MISI will track the number of files and their type to maintain a status of which team makes the most money during the exercise. It is also important to understand that the BLUE team can decide that you are not going to get paid, but there is a cost associated with this.
Participants should know that they will only get one opportunity to perform this feat; vectors used to gain access may be closed by the BLUE team as the exercise continues.
The values assigned to PHI found in files are described previously in the section titled PHI and Cold Hard Cash. If you believe you locate PHI data elsewhere on the network that has not already been mentioned, you are obliged to report this on Discord, in which case you could receive on-the-spot additional rewards. HOWEVER, the BLUE team members could also locate said data and request its removal, so you have been warned.
Scheme: Disrupt & Disable Nove Cerchi Water Supply
Difficulty: [scale image: None / Intermediate / Advanced / Expert / Trainee]
Suggestions:
- nMap
- Python3
Technologies Faced:
- Phoenix Contact
- VT SCADA Lite
- Windows 11
- IFM MODBUS
Description
In this scenario, RED team attackers should be attempting to disrupt or disable the Nove Cerchi Medical facility's water supply. This system was upgraded prior to the start of this exercise and can be completely controlled from the MEDSTAFF, FACILITIES, SECURITY and SERVICES networks.
There is at least one flag to identify during the process of expanding access across Nove Cerchi networks when hunting the water treatment systems, but there may be more. Be sure to review CTFd to determine which flags to look for in this money-making scheme.
Once you believe you have access to the appropriate subnet that contains the water treatment systems, you should attempt to understand this cyber physical system to set up potential destructive payloads you can launch.
We have come up with the following table that describes how much money your actions can make if you can successfully demonstrate them:
Step                                  Monetary Value
Shutoff initial water pump            $500.00
Shutoff water pressurization          $500.00
Activate Water treatment              $1000.00
De-activate water flow rate monitors  $1000.00
Demonstrate RFID badge access         $1000.00
Disable water heater                  $2000.00
The RED teams should understand that each time they attempt to earn this money, they raise their risk of being detected by the BLUE team. The BLUE team may eventually identify the vectors that teams are using, but as we wrote earlier, this system is considered mission critical and as such, they will not be able to close every path they request.
RED Teams should also understand that since the water treatment plant of Nove Cerchi is considered protected, they must possess a valid access control badge to physically interact with the station. There are a variety of ways to obtain an access badge, and if they are creative, they should be able to obtain blank or even programmed badges during the event. The access control system uses proximity access cards in the 26-bit Wiegand format. This format is described in detail on this link:
https://getsafeandsound.com/blog/26-bit-wiegand-format/
To qualify for the RFID ransom money, they must demonstrate successful badge access on the water station badge reader. No other reader will count towards this reward. There may be badges used throughout the hospital that are universal, which means they will be able to swipe at the HVAC reader successfully.
Scheme: Disrupt & Disable Nove Cerchi HVAC
Difficulty: [scale image: None / Intermediate / Advanced / Expert / Trainee]
Suggestions:
- Python
- YABE
- BACpypes
- nMap
Technologies Faced:
- Windows 11
- BACnet
- SNMP
- Niagara
Description
In this money-making scheme, RED team attackers should be attempting to identify the HVAC network subnet of the Nove Cerchi facility. Once they identify this subnet, they should attempt to disrupt the HVAC control system to show they maintain control. The system will be used throughout the exercise in a normal fashion. This system is the most complex in all of Nove Cerchi, and there are five (5) separate parts of this HVAC system.
During the process of identifying this subnet and expanding access to the appropriate subnets, there will be at least one flag that can be discovered. Teams should make sure to review CTFd to understand which challenges they should be locating flags to solve.
We have come up with the following table that describes how much money your actions can make if you can successfully demonstrate them:
Step                                     Monetary Value
Alteration of Temperature Display        $500.00
Direct deactivation of Air Conditioner   $1000.00
Demonstrate RFID badge access            $1000.00
BACnet deactivation of Air Conditioner   $2000.00
Closing cooling vent                     $2000.00
RED Teams should also understand that since the HVAC plant of Nove Cerchi is considered protected, they must possess a valid access control badge to physically interact with the station. There are a variety of ways to obtain an access badge, and if they are creative, they should be able to obtain blank or even programmed badges during the event. The access control system uses proximity access cards in the 26-bit Wiegand format. This format is described in detail on this link:
https://getsafeandsound.com/blog/26-bit-wiegand-format/
To qualify for the RFID ransom money, they must demonstrate successful badge access on the HVAC badge reader. No other reader will count towards this reward. There may be badges used throughout the hospital that are universal, which means they will be able to swipe at the HVAC reader successfully.
Due to the complexity of this money-making scheme, we will allot extra time to a team attempting to exploit this scheme, provided they can prove they have exploitable access to the stations that comprise this cyber physical process.
Also due to the complexity of this station, we will reward the ransom money described in the table above if a team can activate stations instead of 'deactivating' them. For example, if you can turn on the cold air when it is not currently active, this proves you understand this cyber physical process enough to be rewarded.
Teams should understand that if they attempt to reprogram an industrial device and fail mid-process, this may result in a STOPEX situation which requires the entire exercise to pause while the stations are reprogrammed.
NOTE: This scenario in no way condones the illegal abduction, removal, or separation of children from their parents. MISI aims only to teach about the risk of child abduction from a hospital and the role of cyber security in preventing this awful situation.
We are fortunate to have this scenario donated by the team at the National Cryptologic Foundation. Any attempts to physically damage this scenario will result in an immediate removal from the competition. Your success is achievable without causing physical damage to this station.
Scheme: Kidnap Baby From NICU
Difficulty: [scale image: None / Intermediate / Advanced / Expert / Trainee]
Suggestions:
- Hacker tool kits are not always electronic.
- Eyes are always on in the NICU
Technologies Faced:
- Access Control
- Key Control
- Access Control Card
- Smart Card Login
- Video Surveillance
Description
In this scenario, you are attempting to kidnap the baby Pearl (did you read the prologue?) for ransom. You are here to test the security of the National Cryptologic Foundation Digital Asset Defense Environment (DADE) room (we will miss you Scott). To enter the NICU, there are very strict procedures that, if not followed, will alert security and put the facility in lock-down mode and alert the hospital security and the police. The NICU has an observation area where the baby can always be seen. It has motion detection, glass break, carbon monoxide and water detection sensors, so physical attacks are not recommended.
This scenario will involve limited interaction with coaches from the National Cryptologic Foundation team, but each participating team will receive the same help as all others.
We have come up with the following table that describes how much money your actions can make if you can successfully demonstrate them:
Step                                   Monetary Value
Gain unauthorized access to the NICU   $10,000.00
Disabling the Alarm System             $1000.00
Remove baby Pearl from Room            $60,000.00
Covering up video camera               $10,000.00
The NICU has motion detection, glass break, carbon monoxide and water detection sensors, so physical attacks are not permitted.
To enter the NICU you must have a card and PIN code to open the front door and disarm the NICU security alarm. Once inside, you must completely close the door and re-arm the security alarm within 30 seconds of entering the room.
Video is always on at the NICU, with often a 1:10 ratio of nurses to babies. There is no "snatch and grab". The Infant protection system is attached to the baby and if detached will set off the alarm. You must remove the alarm bracelet before you leave the room. The infant monitoring system must be disabled from the computer system, which does not have a username password combination.
NOTE: This scenario in no way condones the illegal abduction, removal, or separation of children from their parents. MISI aims only to teach about the risk of child abduction from a hospital and the role of cyber security in preventing this awful situation.
Scheme: Escape with Baby Pearl
Difficulty: [scale image: None / Intermediate / Advanced / Expert / Trainee]
Suggestions:
- HTTP
- MSSQL
- PowerShell
- C#/Python
- DNS Zones
Technologies Faced:
- Asset Tracking
- Web Application
- 915MHz Radio Frequency
Description
In this scenario, you are attempting to bypass the asset tracking system being used at Nove Cerchi to provide infant and newborn security. This is a multi-homed application that interfaces in real time with radios in the exercise area, which track the asset tags affixed to the newborn baby as discussed in the previous scenario.
In this chapter of our story, you and your team must ‘snatch’ baby Pearl after she has been removed from the NICU, as discussed in the previous scenario, and is being walked up and down the hallway of Nove Cerchi. You will need to coordinate with offsite team members to both grab the poor child and interact with the asset tracking system to disrupt communication between the asset tag and the radio systems tracking its location.
You are required to coordinate your attempts to snatch the innocent baby Pearl when she is out of the NICU with a parent or guardian within the boundaries of Nove Cerchi. This means you can approach the parent and snatch the baby (calmly), but you must obey the two-finger tap rule and stop attempting to reach the door if security is nearby. You are advised to watch the security patrols to understand how they work.
It is almost a certainty that this will require a coordinated assault between onsite personnel and offsite team members. As you can probably imagine, the asset system security will be configured to prevent unauthorized usage or modifications, so it will not be a simple affair to exploit and attack.
We have come up with the following table that describes how much
money your actions can make if you can successfully demonstrate
them:
Step                                                    Monetary Value
Prevent security lockdown and exit door with baby Pearl $100,000.00
Scheme: Disrupting Medical Device Data Transfer
Difficulty: None / Trainee / Intermediate / Advanced / Expert
Suggestions:
- Python
- tcpdump/Wireshark
Technologies Faced:
- HL7
- DICOM
- PACS
- MirthConnect
- Orthanc
Description
In this scenario, you are attempting to prevent the transfer of
medical device data from the source device in a triage bay (or exam
room) to its server-side storage system. You will receive a ransom
reward for each device that you can prevent from communicating
with its server component. You must wait until the start of the
exercise to be informed which devices are online as possible targets
for this scenario. You will not be given address details of these
devices; you are responsible for finding out this information on your
own.
As a reminder, an ARP poison (T1557.002) or DNS cache poison (T1584.002) is not considered a successful disruption by MISI standards. While proper execution of these techniques shows knowledge of offensive cyber operation TTPs, there are more sophisticated ways to perform this action.
You will receive a single one-time reward for each device you can
affect, but if you are able to affect the server-side component
through traditional mission effects, you will be awarded the
combined sum of all devices that communicate through that server
component.
You must understand that you are to exercise all possible caution not to destroy any device(s) within the exercise network. You are not permitted to change the passwords of any device(s) you interact with.
Manual interaction with a device while inside the hospital as a
patient does not count as disrupting device transfer unless you can
prove you are able to utilize a laptop or portable computing device
connection to said device to stop the transfer. To say this plainly, you
won’t get a ‘ransom’ reward by simply turning off a device in person.
You are also not permitted to change any password or PIN of any of
these devices.
We have come up with the following table that describes how much
money your actions can make if you can successfully demonstrate
them:
Step                             Monetary Value
Disrupt HL7 information flow     $10,000.00
Disrupt DICOM information flow   $10,000.00
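A defender-side view of the HL7 flow this scheme targets, added here as an example that is not part of the MISI playbook: a small watchdog that parses the MSH segment of each message arriving at the interface engine and reports sending devices that have gone silent, which is how BLUE would notice that a triage-bay device has stopped reaching its server. The device names, facility codes and sample feed are constructed; the BLUE-side tooling in the exercise is not described by the page.

```python
# Added example (not MISI's code): HL7 v2 feed watchdog for detecting a
# disrupted device-to-server transfer. Device names and feed are constructed.
from datetime import datetime, timedelta

FIELD_SEP = "|"
HL7_TS = "%Y%m%d%H%M%S"  # HL7 TS data type, date/time portion


def parse_msh(message: str) -> dict:
    """Pull sending app/facility, timestamp and type from the MSH segment."""
    msh = message.split("\r")[0]  # segments are separated by carriage return
    if not msh.startswith("MSH"):
        raise ValueError("message does not start with an MSH segment")
    fields = msh.split(FIELD_SEP)
    # MSH-1 is the separator itself, so MSH-3 is fields[2], MSH-4 fields[3],
    # MSH-7 (date/time of message) fields[6] and MSH-9 (type) fields[8].
    return {
        "sending_app": fields[2],
        "sending_facility": fields[3],
        "timestamp": datetime.strptime(fields[6][:14], HL7_TS),
        "msg_type": fields[8],
    }


def silent_devices(messages, now_ts: str, max_gap_min: int = 5) -> list:
    """Sending apps not heard from within max_gap_min minutes of now_ts."""
    now = datetime.strptime(now_ts, HL7_TS)
    last_seen = {}
    for m in messages:
        info = parse_msh(m)
        key = info["sending_app"]
        if key not in last_seen or info["timestamp"] > last_seen[key]:
            last_seen[key] = info["timestamp"]
    gap = timedelta(minutes=max_gap_min)
    return sorted(dev for dev, ts in last_seen.items() if now - ts > gap)


# Constructed sample feed: two bedside monitors sending ORU results through the
# interface engine. MON-B stops reporting after 10:02 while MON-A keeps going.
SAMPLE_FEED = [
    "MSH|^~\\&|MON-A|TRIAGE1|MIRTH|NOVECERCHI|20230918100000||ORU^R01|1|P|2.5\rPID|1||000001",
    "MSH|^~\\&|MON-B|TRIAGE2|MIRTH|NOVECERCHI|20230918100100||ORU^R01|2|P|2.5\rPID|1||000002",
    "MSH|^~\\&|MON-B|TRIAGE2|MIRTH|NOVECERCHI|20230918100200||ORU^R01|3|P|2.5\rPID|1||000002",
    "MSH|^~\\&|MON-A|TRIAGE1|MIRTH|NOVECERCHI|20230918101000||ORU^R01|4|P|2.5\rPID|1||000001",
]

if __name__ == "__main__":
    # At 10:12 MON-B has been quiet for 10 minutes and is flagged.
    print("silent devices:", silent_devices(SAMPLE_FEED, "20230918101200"))
```

Run the check on a schedule against the engine's inbound log; a device that falls silent while its network path is up is the signal to pull the packet capture for that bay.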
Under no circumstances are participants permitted to physically
interact with the infusion pumps used in this exercise. While the
pumps only utilize saline solution, you are nonetheless NOT permitted
to touch them or place them on your person at any time.
Scheme: Infusion Confusion Abusin
Difficulty: None / Trainee / Intermediate / Advanced / Expert
Suggestions:
- Python
- nMap
Description
In this scenario, you are attempting to interact with and control infusion pumps from across the network. There are two different brands of infusion pumps used within Nove Cerchi. If you can locate these pumps and activate their delivery functions, or intercept communications between the pump and any control server software from across the network, you will receive a ransom reward for this function. The reward for this scheme will be $2000 per pump. A participating team will ONLY be able to get this reward once.
Participants are reminded to request permission to attempt to affect these devices if located. We are withholding the names of the pumps used in this exercise due to the sensitivity of the models and the actual danger involved in delivery of an improper drug, or amount of drug, to an affected patient. Any RED team participant that enters
the hospital area as a patient will be able to identify the model and
perform research on-the-spot during the event.
Participants should know that the infusion pumps are considered ‘mission critical’ to Nove Cerchi and thus cannot be shut off by network defenders (BLUE).
Also, due to the extreme complexity of an infusion pump and the corresponding server software, we will award ransom money to any team that can demonstrate a Man-in-the-Middle attack and intercept communication between the pump and upstream simulated server components without needing to prove any further control. This will be awarded so long as the team does NOT rely on a low-complexity ARP poison attack for the interception, and said team provides evidence of the payload(s) used and shows screenshots demonstrating control.