Cyberattacks are conducted daily against every kind of target, and the notion that a state of complete cyber security can be reached is an illusion. Cyber security is about managing risk and confirming, to a reasonable degree, that proper procedures and adequate security measures are in place. Military organisations, exposed to constant cyber threats, rely on a vast number of communication and information systems. As global investment in cyber security grows, many organisations have come to recognise the value of regularly assessing how well their security stands up to the latest advanced threats.
To improve the level of security, an arsenal of solutions has been created, and this includes vulnerability assessments. Vulnerability assessments are an integral part of cyber security and can take a number of forms, ranging from security audits to penetration testing. According to the United States National Institute of Standards and Technology (NIST SP 800-115), penetration testing '…is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability.'
The use of red teams, ethical hackers who identify system weaknesses, can be an effective way for organisations to find and fix problems before malicious cyber actors exploit them. Unlike a vulnerability-focused penetration test, a red team assessment emulates a specific adversary end to end, so it tests the defenders' ability to detect and respond as much as it tests the systems' flaws. The demand for such red team assessments, however, far outstrips the supply of people who can perform them, and the time and expertise it takes a red team to create the required infrastructure is a critical limiting factor. The Defense Advanced Research Projects Agency (DARPA) wants to address that problem through automation.
As they move laterally through networks to evaluate protections, red teams inevitably create 'signatures': the tactics, techniques and procedures they use, which can reveal their presence. If the blue team spots those signatures early in an exercise, the assessment shuts down. If blue teams can see those signatures in networks outside the one being assessed, the red team stands to lose the time and resources it has invested in building an operational infrastructure that emulates sophisticated threats. That loss damages the long-term effectiveness of the red team.
Because it takes a red team so much time and subject-matter expertise to build a test infrastructure (domain names, IP addresses, virtual servers and other components) that mimics sophisticated threats, evades detection and reduces signatures, DARPA wants to automate some of that work.
DARPA launched the Signature Management using Operational Knowledge and Environments (SMOKE) program in December 2021 with the aim of developing tools to automate the planning and deployment of threat-emulated, attribution-aware cyber infrastructure.
The broad agency announcement describes two task areas that will 'enable red teams to plan, build, and deploy cyber infrastructure that is informed by machine-readable signatures of sophisticated cyber threats.'
The first task area covers the development and deployment of the cyber infrastructure required for network security assessments. DARPA wants tools that automate the acquisition, management and disposal of both infrastructure resources and the cyber personas used to interact with that infrastructure. It also wants tools that can recommend and execute contingency plans based on information provided by signature sensors; those sensors are the subject of the second task area, which covers tools that help automate the discovery of adversaries' signatures.
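To make the first task area concrete, here is an added illustration of what 'attribution-aware' lifecycle management of infrastructure and personas looks like in code. It is not DARPA's code and is not taken from the SMOKE announcement; the asset kinds, lifecycle states, the inventory, and the sensor event are all constructed for the example. The point it shows is the one a red team operator cares about: when one sensor ties a single asset to the team, everything observably linked to it (the IP it resolves to, the persona that registered it, and every other asset that persona registered) is burned too, so the contingency plan must replace the whole linked cluster, not just the asset that was spotted.

```python
"""Toy attribution-aware infrastructure inventory with sensor-driven contingency planning.

Added example, not DARPA/SMOKE code. Asset names, IPs (RFC 5737 ranges) and the
sensor event are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACQUIRED = "acquired"   # registered or purchased, not yet used in an assessment
    ACTIVE = "active"       # currently in use for an assessment
    BURNED = "burned"       # a signature sensor tied it to the red team
    DISPOSED = "disposed"   # torn down; must never be reused


@dataclass
class Asset:
    name: str
    kind: str                                   # "domain", "ip", "vps" or "persona"
    state: State = State.ACQUIRED
    links: set = field(default_factory=set)     # names of assets this one is observably linked to


class Inventory:
    """Tracks infrastructure resources and personas plus the observable links between them."""

    def __init__(self):
        self.assets = {}

    def add(self, name, kind, links=()):
        self.assets[name] = Asset(name, kind, links=set(links))
        return self.assets[name]

    def activate(self, name):
        self.assets[name].state = State.ACTIVE

    def linked_to(self, name):
        """Assets linked to `name` in either direction. Links are treated as observable both
        ways: a DNS record ties a domain to an IP for anyone who resolves it, and passive DNS
        ties the IP back to every domain that pointed at it (conservative assumption)."""
        out = set(self.assets[name].links)
        out.update(n for n, other in self.assets.items() if name in other.links)
        return out

    def burn(self, name):
        """Mark `name` burned and propagate to everything observably linked to it.
        Returns the set of newly burned asset names."""
        burned = set()
        stack = [name]
        while stack:
            current = stack.pop()
            asset = self.assets[current]
            if asset.state in (State.BURNED, State.DISPOSED):
                continue
            asset.state = State.BURNED
            burned.add(current)
            stack.extend(self.linked_to(current))
        return burned

    def dispose_burned(self):
        """Tear down every burned asset; returns the names disposed of."""
        names = [n for n, a in self.assets.items() if a.state is State.BURNED]
        for n in names:
            self.assets[n].state = State.DISPOSED
        return names


def plan_contingency(inv, event):
    """Turn one signature-sensor event into (burned asset names, replacement recommendations)."""
    burned = inv.burn(event["asset"])
    recommendations = [
        f"replace {inv.assets[n].kind} {n} (sensor={event['sensor']}, signature={event['signature']})"
        for n in sorted(burned)
    ]
    return burned, recommendations


def build_sample_inventory():
    """Constructed inventory: two redirector chains share registrant persona 'reg-alice';
    a third chain uses a separate persona and address."""
    inv = Inventory()
    inv.add("reg-alice", "persona")
    inv.add("reg-bob", "persona")
    inv.add("vps-redir-1", "vps")
    inv.add("vps-redir-2", "vps")
    inv.add("vps-redir-3", "vps")
    inv.add("203.0.113.10", "ip", links=["vps-redir-1"])
    inv.add("203.0.113.20", "ip", links=["vps-redir-2"])
    inv.add("198.51.100.5", "ip", links=["vps-redir-3"])
    inv.add("cdn-sync.example", "domain", links=["reg-alice", "203.0.113.10"])
    inv.add("mail-relay.example", "domain", links=["reg-alice", "203.0.113.20"])
    inv.add("stats-beacon.example", "domain", links=["reg-bob", "198.51.100.5"])
    for name in ("cdn-sync.example", "mail-relay.example", "stats-beacon.example"):
        inv.activate(name)
    return inv


# Constructed sensor event: a passive-DNS sensor reports one domain on a public blocklist.
SAMPLE_EVENT = {"sensor": "passive-dns", "asset": "cdn-sync.example",
                "signature": "domain-on-public-blocklist"}


if __name__ == "__main__":
    inventory = build_sample_inventory()
    burned, recs = plan_contingency(inventory, SAMPLE_EVENT)
    print("\n".join(recs))
    print("disposed:", inventory.dispose_burned())
```

Running it burns seven assets from a single hit: the flagged domain, its IP and VPS, the shared persona, and the second domain, IP and VPS that persona registered. The chain under 'reg-bob' survives because nothing observable links it to the flagged cluster, which is the practical argument for one persona per infrastructure chain.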
With these tools, red teams will be able “to increase the scale, efficiency, duration, and effectiveness of cyber security assessments,” DARPA said. “Moreover, red teams will be able to provide longer cyber security assessments for a larger number of concurrent networks because of their ability to remain hidden for longer.”