Cyberattacks are conducted daily against any type of target, and any notion that a state of full cyber security can be reached is a mere illusion. Cybersecurity is about managing risks and ascertaining that, to a certain extent, proper procedures and adequate security measures are being taken. Exposed to constant cyber threats, military organisations rely on a vast number of communication and information systems. As global investment in cyber security grows, many businesses have come to recognise the value of regularly assessing how effectively their cyber security stands up to the latest advanced threats.
To improve the level of security, an arsenal of solutions has been created, including vulnerability assessments. Vulnerability assessments are an integral part of cybersecurity and can take a number of forms that range from security audits to penetration testing. According to the United States National Institute of Standards and Technology, pentesting ‘…is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.’
Towards the aim of realism, red teams plan and deploy tactics, techniques, and procedures (TTPs) that mimic the most advanced cyber threats. Red teams use these TTPs to evade network defenders in order to achieve assessment objectives (e.g., move laterally in networks) and assess how critical networks and mission platforms fare against true malicious cyber actors (MCAs).
Penetration testing often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability.
The use of red teams — ethical hackers who identify system vulnerabilities — can be an effective way for organizations to find and fix problems before malicious cyber actors exploit them. The demand for such red team security assessments, however, far outstrips the supply of those who can do them — and the time and expertise it takes for a red team to create the required infrastructure is a critical limiting factor.
The Defense Advanced Research Projects Agency wants to address that problem through automation. As red teams move laterally through networks evaluating protections and trying to evade detection, their behaviors inevitably create “signatures,” the tactics, techniques and procedures they use that can indicate their presence. If blue teams spot those signatures early on in an exercise, the assessment shuts down. If blue teams can see those signatures in networks outside the one being assessed, then the red team stands to lose the time and resources it has invested in building an operational infrastructure that emulates sophisticated threats. This failure damages the long-term effectiveness of the red team.
Because it takes a red team so much time and subject matter expertise to build a test infrastructure — including domain names, IP addresses, virtual servers and other components — that mimics sophisticated threats, evades detection and reduces signatures, the Defense Advanced Research Projects Agency wants to automate some of that work.
DARPA launched the Signature Management using Operational Knowledge and Environments (SMOKE) program in Dec 2021 with the aim of developing tools to automate the planning and deployment of threat-emulated, attribution-aware cyber infrastructure.
The broad agency announcement describes two task areas that will “enable red teams to plan, build, and deploy cyber infrastructure that is informed by machine-readable signatures of sophisticated cyber threats.”
The first task involves the development and deployment of the cyber infrastructure required for network security assessments. DARPA wants tools that will automate the acquisition, management and disposal of both infrastructure resources and cyber personas used for infrastructure interactions. It also wants tools that can recommend and execute various contingency plans based on information provided by signature sensors, which are the basis of the second task: developing tools that will help automate the discovery of adversaries’ signatures.
With these tools, red teams will be able “to increase the scale, efficiency, duration, and effectiveness of cyber security assessments,” DARPA said. “Moreover, red teams will be able to provide longer cyber security assessments for a larger number of concurrent networks because of their ability to remain hidden for longer.”
Awards
Parsons Subsidiary to Develop Cyber Threat Emulation Automation Tools
A Parsons subsidiary has secured an $11.6 million contract from the Defense Advanced Research Projects Agency to automate cyber threat emulation planning and execution for network security assessments.
BlackHorse Solutions will work under the Signature Management using Operational Knowledge and Environments program and support the development of tools to help network security professionals find cybersecurity vulnerabilities during red team exercises, the Department of Defense said.
Forty-five percent of contract work will occur in Herndon, Virginia, and the remaining 55 percent will be conducted in Utah, Maryland and Colorado through September 2025.
DARPA received 26 offers for the cost-plus-fixed-fee contract via a broad agency announcement and is obligating $663,026 in fiscal 2022 research, development, test, and engineering funds.
SMOKE seeks to prototype data-driven tools designed to enable automated discovery of cyberthreat signatures, or patterns that red team hackers use to evade detection.
The US Defense Advanced Research Projects Agency (DARPA) has awarded Parsons subsidiary BlackHorse Solutions a $12-million contract to support the agency’s cybersecurity assessments.
The firm will work on Signature Management using Operational Knowledge and Environments (SMOKE), a program developing data-driven capabilities to support applications of threat-emulated cyber infrastructures.
“Our offensive and defensive cyberspace operations combine leading edge technical innovations, mission planning and automation solutions, cyber threat intelligence, and advanced cyber threat hunting and incident response to protect networks and enhance mission effectiveness,” Parsons High Consequence Missions Vice President Mike Kushin stated.