OODA has a deep heritage in red teaming enterprise and advanced technologies. In cybersecurity, a Red Team is a group of experienced professionals authorized and organized to test a system using realistic methods of a real adversary. The objective of a Red Team is to improve security by emulating the objectives and tactics of real-world attackers and then mitigating the attack surface and vulnerabilities revealed in the testing.

Web3 technologies would greatly benefit from red teaming. Seemingly great innovations get fielded without sufficient security controls, resulting in impactful incidents. How bad are these incidents? As of March 2022 Web3 incidents have resulted in over $61 Billion in losses since 2011. (Web3 Incident Database)

OODA recommends Web3 developers and projects focus Red Team efforts on six key areas:

• Integrity of the underlying blockchain
• Integrity of the blockchain contract code and associated underlying business processes
• Security of the consumer-facing application environment
• Security of the underlying application hosting infrastructure
• Secure the Endpoint
• Security of the APIs (as applicable)

Integrity of the underlying blockchain

Most modern blockchains (e.g. Ethereum) have made appropriate investments in addressing security as part of their overall design model. This includes design and investment to mitigate major classes of attacks like those involving taking over control of the majority of validation capabilities (a 51% hack). For those projects building on existing blockchains (especially Bitcoin and Ethereum), the integrity of the underlying blockchain is likely not a consideration. Newer, more isolated blockchains come with new kinds of risks, including risks due to over-centralization. In these cases, a red team review of the blockchain architecture and audit of the underlying code is required.

Integrity of the blockchain contract code and associated underlying business processes

Many projects layer contracts on-top of existing blockchains to govern their operational functionality (for example a DeFi application or DAO on Ethereum). Developers leveraging best practices can start a project with a foundation of trust but still end up fielding a capability that can be exploited by adversaries. Bringing in a red team to evaluate not only the contract code, but the underlying business logic integrity can help ensure the downstream integrity of the project.

As an example of the danger of an attack on the underlying blockchain, consider the summer of 2016 attack against the first major Distributed Application Organization (DAO) on Ethereum.

Security of the consumer-facing application environment

Given most users lack the technical sophistication to interact directly with the blockchain contracts, purposeful web and mobile applications are developed to serve as the primary interface. These applications typically mimic the development models of other web and mobile applications and can be subjected to the same red teaming considerations as other software projects. For example, red team evaluations frequently find vulnerabilities in consumer facing web applications that allows users to operate outside the authorized parameters of the application

Security of the underlying application hosting infrastructure (including AWS)

Applications that run on cloud-based infrastructure and common operating system platforms are vulnerable to attack due to poor configuration choices, outdated patch levels, or other common infrastructure security issues. These infrastructure assets can be appropriately hardened and configurations validated through red teaming initiatives. Some of the biggest intrusions against Web3 targets have occurred due to security issues with the hosting infrastructure, including incidents against exchanges that leverage a variety of cloud service providers. Attacks against hosting infrastructure have resulted in success via multiple paths, including accessing “cold” wallets not meant to be connected to the Internet, accessing credentials, and planting trojans and other malicious code designed to extract information and elevate access for further exploitation. Given that criminals have developed advanced capabilities in targeting and exploiting any weakness in cloud service providers and hosting environments, red teaming of your infrastructure is absolutely critical for any Web3 solution.

Secure the Endpoint

Another common attack vector is to target the workstations, laptops, and other endpoints used by those key individuals developing and maintaining the technology. This can include an assessment of internal technology assets as well as targeted spearphishing to determine what level of compromise is achievable if an attacker compromises trusted accounts.

Of course, the ultimate endpoint is the human being, so red teaming engagements can serve as great training and awareness activities to drive employee engagement on proper security practices and establishing a culture of security for your project.

Security of the APIs (as applicable)

As projects seek to interoperate with each other, consumers, and other applications, APIs are developed to facilitate the machine-machine communication or business process interactions required. Developers have access to a wide range of libraries and code to to develop APIs that enable a wide range of functions. To ensure the integrity of these APIs, they should be subjected to security testing as well.

Concluding Thoughts

OODA has a deep heritage in red teaming enterprise and advanced technologies and we recognize an urgent need to incorporate red teaming and penetration testing approaches to help secure the emergent technology environment associated with Web3.

We believe that Web3 components including blockchains, cryptocurrencies, NFTs, DeFi and other solutions yet to be conceptualized will be exponentially disruptive in the coming years. To realize these opportunities will require an approach that considers cybersecurity concerns as part of the design process.

We are happy to engage in additional conversations on this topic and will cover this topic during upcoming networking events.

The Web3 Cyber Incident Database

Over the past several years, there has been a rapid emergence of companies, projects, and initiatives in what is broadly categorized as Web3 domain. While monitoring that rapid innovation, the OODA research team has noticed a disproportionately high number of cybersecurity incidents that have the potential to negatively impact the Web3 innovation ecosystem, disrupt customer adoption of these technologies, and result in consumer and enterprise monetary losses.

OODA has compiled a Web3 incident database based on our research to categorize what compromises are taking place as well as document the cyberattack root causes. Tracking root causes provides insights into how innovators can create robust cyber risk management approaches and reduce the potential for consequential attacks.

Access this database at:

Cryptocurrency Incident Database

 

OODA network members can also access these additional resources on Web3 including insights into how to reduce risk and inform business strategies. Research and reporting of interest includes:

What CEOs Need To Know About Bitcoin: Including potential new business models to consider  A Cambrian Explosion in innovation in Bitcoin related products and services is underway. Here is what the business leader should know about this revolutionary transformation of the global financial sector.

The Cryptocurrency Incident Database OODA analysts track every major cybersecurity incident and seek insights into root causes that can inform defenses.

Is Bitcoin a National Security Risk? How might Bitcoin be framed as a national security risk?  As national security technologists, here is our take on where the government is likely concerned.

The Past Present and Future of DeFi  Here we capture insights from two of our most popular OODAcasts on the cryptocurrency revolution, one with crypto pioneer Bradley Rotter and one with author of “The Infinite Machine” Camila Russo.

Bitcoin and Ethereum and the Metaverse  Jahon Jamali is one of the great explainers of the nature of the crypto revolution and provides insights here into the nature of the coming changes.

What Will The Federal Government Do In Response To The Rise of Cryptocurrencies? All businesses and citizens should understand the importance of improving policy in this domain, but we also need to be cautious about over regulating or passing foolish rules that do more harm than good.