Cyberattacks are being conducted daily on any type of target, and any notion that a state of full cyber security can be reached is a mere illusion. Cybersecurity is about managing risks and to ascertain that, to a certain extent, proper procedures and adequate security measures are being taken. Exposed to constant cyber threats, military organisations rely on a vast number of communication and information systems. As global investment in cyber security grows, many businesses have come to recognise the value of regularly assessing the effectiveness of their cyber security to stand up to the latest advanced threats.
To improve the level of security, an arsenal of solutions has been created and this includes vulnerability assessments. Vulnerability assessments are an integral part of cybersecurity and can take a number of forms that range from security audits to penetration testing. According to the United States National Institute of Standards and Technology, pentesting ‘…is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability
A red team or the red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view. A red team operation is a simulated cyber-attack that rigorously tests an organisation’s ability to detect and respond to breaches. Mirroring the covert tactics and methodologies of real-life attackers, red teaming can highlight critical exposures within IT infrastructure, applications, personnel and processes as well as recommend remedial actions to address any identified weaknesses.
Cyber red teams (CRT) – commonly performing penetration testing – focus on threats from adversaries in the cyber world. They mimic the mind-set and actions of the attacker in order to improve the security of one’s own organisation. As a standing capability in a military environment, these tools can be used in order to enhance preparedness and improve training capacities. Red teaming is the work performed by the red team in identifying and assessing, inter alia, assumptions, alternative options, vulnerabilities, limitations and risks for that organisation.
A red team engagement differs from penetration testing in a number of key ways. Whereas a penetration test is commissioned to identify as many vulnerabilities as possible within a short timeframe and widely present findings to stakeholders, the goal of a red team operation is to covertly test an organisation’s detection and response capabilities over weeks and months, often without the knowledge of all in-house personnel.
Red teaming in cyberspace is not a new phenomenon. Exercise Eligible Receiver , conducted in 1997, was a prominent example of a high-scale exercise led by an NSA red team that consisted of attacks on critical infrastructure networks, particularly energy providers and Command and Control capabilities.
Today cyber red teams are often to be found in exercises and training sessions, as outlined by the US DoD. The main purpose is to test the blue teams that are supposed to defend the networks rather than to focus on vulnerability assessments. Cyber red teaming is a technical endeavour and will mostly rely on high-level specialists with a wide range of skill-sets. It can be conducted either from an internal dedicated organised element, or outsourced to specialised contractors.
Cyber red teaming can be carried out both by operational and simulated (cyber ranges) environments. Cyber ranges will allow an organisation to evaluate and test certain offensive solutions in a harmless environment). Ready-to-use solutions might have unforeseeable consequences that can cause damage and harm, especially when tested on a “live” environment.
The Pentagon is gearing up to red team industry Cybersecurity
The Pentagon is considering a process that will alow the Department of Defense to challenge the cyber security of its contractors. Asked if the Defense Department was looking at a “red team” cyber process for its industrial partners, Kevin Fahey, assistant secretary of defense for acquisition, told reporters, “we will.”
“On a quarterly basis, we have a big event with industry. In our last engagement, which was just a couple weeks ago, that was a main topic of discussion,” Fahey told reporters Monday at the Farnborough Airshow. “From an industry relationship, their feedback to us was that’s what they want: us to red team,” he added.
In this scenario, a red team cell would test vulnerabilities and try to penetrate the contractors’ systems, in order to identify weaknesses. America’s defense industrial base has been raided over the last few years, an issue the Trump administration has outlined as a key danger for the defense department.
Eric Chewning, the head of the Pentagon’s industrial policy office, noted that that data breaches from defense contractors has been an issue for some time, noting “It’s not just on the classified space, but it’s also on the sensitive unclassified information as well that’s important to us.”
But Chewning is aware that just loading new requirements onto industry could turn off the kind of high-tech commercial firms the Pentagon needs to attract to stay on the cutting edge.
“As we’re thinking about the standards and rules, with industry’s input, we also have to keep in mind the commercial conversation we just had, which says, ‘Listen, we can’t also drive a whole bunch of cost into this system or a whole new set of compliance requirements that make folks not want to do business with us,’” he said.
“So we have to find the right balance. More broadly, you could see a convergence of both commercial and military requirements in terms of secured architectures helping to solve some of that equation, but we’ll see.”
However, creating a red team situation should not be something totally new for the defense industry. Fahey compared the situation to what the Pentagon has done with software and system engineering.
“If we can figure out how do we do a level of maturity on cybersecurity and do red teaming, how do we check you that you are compliant, it is sort of a construct that our industry understands,” Fahey said.
NEC Technology Automatically Identifies Cyberattack Risks for ICT Systems and Important Infrastructure
NEC Corporation announced in Nov 2018, the development of a technology for automatically identifying the risk of cyberattacks. The new technology uses simulations in order to create a comprehensive evaluation of cyberattack risks for ICT systems and important infrastructure, such as electricity, gas, water, and transport facilities.
This technology collects information about components and complex network settings that are particular to control systems, as well as information on data flow, including information about isolated environments, from actual systems and reproduces a virtual model based on that information. The virtual model is used to run cyberattack simulations that enable the automatic identification of a variety of cyberattack risks.
Cyberattack simulations are created using analysis knowledge based on attacks utilizing e-mail and the Web, data falsification, spoofing, and attacks on isolated networks utilizing a USB and other techniques, in addition to knowledge about software vulnerability and attack techniques that are extremely sophisticated and hard to understand. This makes it possible to create an exhaustive range of realistic attack simulations.
“This technology can identify potential attack paths and the scope of their influence, making it possible to implement the necessary security measures with a minimum of system outages,” said Mikiya Tani, General Manager, Security Research Laboratories, NEC Corporation. “Moreover, the technology bolsters the security of social infrastructure and ICT systems for enterprises, while contributing to the safety of communities and the development of economic activity.”
NEC aims to provide this technology commercially within the 2019 fiscal year. Primary features of the new technology include the following:
Creation of a virtual model for accurate security risk analysis
NEC developed a technique to create a virtual model by collecting detailed system information necessary for risk analysis, such as the hardware information of components (programmable logic controller [PLC] and others) peculiar to control systems, communications settings, such as packets and protocols, and data flow.
This makes it possible to visualize the entire configuration of complicated systems and data flow, which has conventionally been difficult to understand, even for specialists with extensive experience and advanced skills in status analysis. With this technique, NEC achieves an immediate, accurate understanding of the areas of vulnerability in risk analysis.
Analysis of realistic attack scenarios utilizing an attack database
NEC created a database of analysis knowledge that is used to produce simulations with a computer. The database consists of information on software vulnerabilities and attack technique data, such as CVE and CAPEC, which are widely disclosed around the world, but can only be understood by specialists. By structuring and creating a database of common characteristics, such as the conditions under which attacks become feasible, the status of attackers, and the change in the status of systems that occurs when attacks succeed, a series of attack simulations, from the starting point to the goal of attacks, can be automatically and accurately created at high speed.
Further, because the database of analysis knowledge encompasses a variety of attack forms, such as attacks utilizing e-mail and the Web, data falsification, spoofing, as well as attacks on an isolated network utilizing a USB or other techniques, it is possible to create more realistic attack scenarios.
With this technology, an attack can be understood visually and automatically. Further, because the effectiveness of security when measures are taken can be repeatedly confirmed, potential security risks can also be found.
NEC will showcase this technology at the “C&C user forum & iEXPO 2018” held by the NEC Group at the Tokyo International Forum on Thursday, November 8 and Friday, November 9