DOD’s Cyber “Red Teams” Stressed as Security Tests Grow

The Cyber X-Games 2018 was hosted by the Army Reserve Cyber Operations Group, 335th Signal Command (Theater), at the University of Texas at San Antonio from June 13-19, 2018, and included 72 participants from across the ARCOG, Air Force personnel from network and cyber operations centers/squadrons, and civilian network and cyber professionals from government contractor entities. Army Reserve photo by Sgt. Erick Yates.

Cybersecurity threats are proliferating faster than the Defense Department can discover and address them in operational evaluations, and the military needs additional, more advanced cyber “Red Teams,” the Pentagon’s top testing official recently said in his annual report.

“Operational tests continued to discover mission-critical vulnerabilities in acquisition programs, and assessments during combatant command training exercises continued to identify previously undetected vulnerabilities,” Director of Operational Test and Evaluation Robert Behler said in the Fiscal 2018 report published Jan. 31, which echoed past analyses of the Defense Department’s test enterprise.

“However, there were an increasing number of instances where the cyber Red Teams employed during DOT&E assessments experienced greater difficulty in penetrating network defenses or maintaining previously acquired accesses,” he said. “The rate of these improvements is not outpacing the growing capabilities of potential adversaries, who continue to find new vulnerabilities and techniques to counter the fixes and countermeasures by DOD defenders.”

The Fiscal 2018 findings were compiled from about 120 cybersecurity tests and assessments conducted with the combatant commands and military services, the largest year of operational cybersecurity testing to date. DOT&E also sponsored four classified analyses that spanned nuclear command, control, and communications systems; cross-domain security solutions; data breaches; and user authentication issues.

“The demand for cyber expertise to plan and execute cyber assessments across the DOD, and for the in-depth analyses of the data produced by these events, is rapidly increasing and stressing available resources,” according to the report. “Assessments that do not include a fully representative threat portrayal may leave warfighters and network owners with a false sense of confidence about the magnitude and scope of cyber-attacks facing the department.”

Behler suggested five areas in which the Pentagon could improve its cyber posture, relying on trained personnel and automation. Focus assets and personnel on the parts of a network that matter most to a mission, he said, and create tools that improve operators' situational awareness of the cyber landscape.

He recommended rolling out a set of cyber reporting standards to characterize threats as they are found, and said cyber defense teams made up of local defenders, help desks, system managers and others cannot be "one-size-fits-all."

“Know the key cyber terrain, operational concepts, and available tools,” Behler wrote. “Match tools and skills to the operational tasks, missions, and key cyber terrain. Practice and train in operationally representative conditions against realistic cyber attacks.”

He also noted that DOD should use both automated and human penetration testing to find bugs, a practice Air Force officials say is becoming the norm as the service iteratively tests new software.

“Stop ‘flattening’ the networks and relying on defensive tools at the network boundary,” Behler wrote of decentralized systems where threats have many entry points.

At a Jan. 29 Senate Armed Services cybersecurity subcommittee hearing, freshman Sen. Rick Scott (R-Fla.) questioned whether a spread-out network could be more vulnerable than a centralized one.

That creates “1,000 ways” for a hacker to intrude, Pentagon CIO Dana Deasy responded.

“It comes down to how you architect for that centralized approach,” Deasy said. “You architect with a very flat area where, once they get in, they can cause great havoc—that is not appropriate. If you are smartly architecting for a centralized approach where you are limiting what I would like to call the blast radius where the problem can [occur], then actually, centralization has some huge merits that you don’t get … from a decentralized site.”
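To make the flat-network versus "blast radius" argument concrete, here is an added example written for this page; it is not code from the DOT&E report, the hearing, or any DOD program. It models a small enterprise as hosts in segments, an access policy as the set of allowed (source segment, destination segment) pairs, and lateral movement the way the report says Red Teams prefer to do it: with credentials harvested from each compromised host rather than with software exploits. The host inventory, segment names, credential names and the "shared local admin" scenario are all constructed for illustration. The function computes the set of hosts an attacker who starts on one workstation can reach under a given policy, so the same foothold can be compared on a flat and on a segmented network.

```python
# Added example: reachable "blast radius" of a single foothold under a flat
# versus a segmented network policy, with credential-based lateral movement.
# Inventory, segments and credentials below are constructed for illustration.

# host -> segment (constructed)
SEGMENT = {
    "ws-01": "users", "ws-02": "users",
    "app-01": "apps", "app-02": "apps",
    "db-01": "data",
    "hmi-01": "ot",
}
ALL_SEGMENTS = set(SEGMENT.values())

# A "flat" network: any segment may reach any other segment.
FLAT_POLICY = {(s, d) for s in ALL_SEGMENTS for d in ALL_SEGMENTS}

# A segmented network: only the flows the mission needs are allowed.
# Note that nothing outside "ot" may reach "ot", and only "apps" may reach "data".
SEGMENTED_POLICY = {
    ("users", "users"), ("users", "apps"),
    ("apps", "apps"), ("apps", "data"),
    ("data", "data"), ("ot", "ot"),
}


def build_hosts(shared_admin):
    """Return (accepts, cached) for every host.

    accepts[h]: credentials that authenticate to h.
    cached[h]:  credentials recoverable from h once it is compromised
                (e.g. cached logons, service account passwords).
    shared_admin=True models one local administrator password reused on
    every host, a common finding that Red Teams exploit.  (Constructed data.)
    """
    accepts = {
        "ws-01": {"user-alice"}, "ws-02": {"user-bob"},
        "app-01": {"svc-app"}, "app-02": {"svc-app"},
        "db-01": {"svc-db"},
        "hmi-01": {"ot-oper"},
    }
    cached = {
        "ws-01": {"user-alice"},
        "ws-02": {"user-bob", "svc-app"},       # a service cred left on a workstation
        "app-01": {"svc-app", "svc-db"},        # app tier holds the DB credential
        "app-02": {"svc-app"},
        "db-01": {"svc-db"},
        "hmi-01": {"ot-oper"},
    }
    if shared_admin:
        for host in accepts:
            accepts[host].add("admin-local")
            cached[host].add("admin-local")
    return accepts, cached


def blast_radius(start, policy, accepts, cached):
    """Fixed-point search: a host is compromised when the policy allows a flow
    from an owned host and the attacker holds a credential it accepts; each
    new host's cached credentials are harvested and may unlock earlier targets,
    so iterate until no further host can be taken."""
    owned = {start}
    creds = set(cached[start])
    changed = True
    while changed:
        changed = False
        for src in list(owned):
            for dst in SEGMENT:
                if dst in owned:
                    continue
                if (SEGMENT[src], SEGMENT[dst]) not in policy:
                    continue          # network segmentation blocks this hop
                if not (creds & accepts[dst]):
                    continue          # no usable credential for this host
                owned.add(dst)
                creds |= cached[dst]  # harvest what the new host caches
                changed = True
    return owned


def scenario(start, policy, shared_admin):
    """Convenience wrapper returning the sorted list of compromised hosts."""
    accepts, cached = build_hosts(shared_admin)
    return sorted(blast_radius(start, policy, accepts, cached))


if __name__ == "__main__":
    print("flat + shared admin, foothold ws-01:     ", scenario("ws-01", FLAT_POLICY, True))
    print("segmented + shared admin, foothold ws-01:", scenario("ws-01", SEGMENTED_POLICY, True))
    print("segmented, no shared admin, foothold ws-02:", scenario("ws-02", SEGMENTED_POLICY, False))
```

Two points the model illustrates: on the flat network a single reused administrator password turns one workstation into the whole enterprise, while segmentation alone leaves the OT segment unreachable even with that password; and segmentation without credential hygiene still lets a service credential cached on a workstation walk the allowed users-to-apps-to-data path. Both controls, the network policy and the credential boundary, have to cut the same path for the blast radius to shrink.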

The DOT&E report laid out several more significant findings:

One major command that reported cyber vulnerabilities had possibly harmed its ability to conduct missions saw those issues fixed within 60 days.

New technologies added to legacy systems that were previously thought to be safe could now offer cyber attackers a way in.

Adversaries can exploit similar network vulnerabilities at separate commands that share information and systems.

Pentagon leadership took action to fix a "serious set of cyber and physical vulnerabilities [at facilities and installations] that, if exploited, could degrade critical missions."

A study of cyber tests run between FY14 and FY17 found that “defenders demonstrated increasing ability to detect Red Team activity, that Red Teams prefer to employ stolen credentials over software vulnerabilities, and that defenders need to improve speed and accuracy for processing reported incidents.”

Master testers who simulate cyber attacks are leaving Red Teams for higher-paying commercial jobs with less travel, according to Behler. The best teams were overscheduled and overwhelmed, and Red Teams weren’t available to help with DOT&E assessments on several occasions.

While recommending that the Pentagon consider ways to retain Red Team members, the DOT&E office also plans to assess in fiscal 2019 whether Red Teams can portray more advanced threats.