To protect cyber systems from hackers, you have to think like hackers.
That’s all in a day’s work for Space and Naval Warfare Systems Center (SSC) Atlantic’s Red Team, an expert team of good “bad guys” who conduct adversarial assessments on Department of Defense (DoD) and other networks to find vulnerabilities before the real bad guys get a chance to.
SSC Atlantic’s Red Team, certified by the National Security Agency (NSA) and accredited by the United States Cyber Command (USCYBERCOM), is one of nine certified DoD Red Teams and one of only two in the Navy. The SSC Atlantic Red Team assesses DoD cyber security service providers (CSSP), provides adversarial and aggressor support to DoD cyber exercises, and supports cyber developmental and operational testing to DoD acquisition programs with information technology (IT) components. Their customers include the Defense Health Agency (DHA), Defense Contract Management Agency, U.S. Marine Corps, United States Special Operations Command, Program Executive Office Defense Health Management Systems (PEO DHMS) and Naval Enterprise Networks Program Office (PMW 205).
The Red Team’s real-world attack simulations are designed to assess and significantly improve the effectiveness of an entire information security program, including those controlling weapons systems, platforms, sensors and networks.
“The thinking is, if you simulate bad guys and put network defenders and system owners under controlled stress in a controlled environment, you get a better sense of how they will perform,” said Jason Jurand, director of SSC Atlantic’s Red Team.
“If you wait long enough, the real-world adversaries will tell you what’s wrong with your system, usually at the worst time,” Jurand said. “Our first rule is ‘do no harm.’ Our adversaries don’t have that rule.”
Jurand continued to emphasize that the Red Team better positions customers to deal with these vulnerabilities on their terms rather than the adversary’s terms.
The Red Team’s functional capabilities were developed when SSC Atlantic’s CSSP was created and certified. The CSSP’s mission is to protect, detect, respond and sustain IT systems, and as part of the “protect service,” the Red Team assesses the defense capabilities of CSSPs across the DoD Information Network (DoDIN).
SSC Atlantic’s Red Team has the ability to surge and adjust their size to the demand signal through the use of their contracting strategy and has 13 government employees. They are technically skilled with backgrounds in computer science, computer engineering, software development, test and evaluation, networking and system administration.
According to Jurand, a knowledge of how things work – and an understanding of how to degrade, disrupt or deny a customer’s cyber environment while actually doing no harm – requires a deep technical background.
“From a temperament point of view, you have to be naturally curious and think unconventionally. Red Team people are tinkerers,” he said, “with maybe a little bit of a dark side.”
SSC Atlantic’s Red Team is certified to perform a variety of assessments across the DoDIN, including local assessments, where they are invited in by a customer and work collaboratively and cooperatively to help identify and mitigate known vulnerabilities – and often to discover new ones.
They also perform remote assessments, which are more covert in nature. The Red Team tries to gain access to the customer’s network without the knowledge of the customer’s CSSP or “Blue Team.” Persistence missions involve the Red Team staying in the network as the customer’s Blue Team is actively pursuing it.
“They are trying to pry us out of network, and we are trying to burrow in and stay in,” Jurand said.
The Red Team assesses wireless security, which ranges from systems as innocuous as a home Wi-Fi to anything in the RF spectrum, such as shipboard or aircraft wireless systems.
The Red Team is very effective with user driven attacks, which Jurand describes as complicated but usually the most successful.
“Most cyber-attacks are user driven, where you manipulate the user into doing something that gets them in trouble,” Jurand said. “For a Red Team, it’s the easiest to get at and yields the most reliable results. We’ve never had a phishing campaign that failed.”
Jurand explained that cybersecurity deficiencies found by the Red Team fall into the categories of people, processes and technology, with people being most common deficiency found.
“Insider threats are real. It’s not just about getting past the guy at front gate or tailgating into a building; it’s user attacks and social engineering,” he said. “And even though everyone gets cybersecurity training every year, invariably we’ll find some kind of shortcoming.”
Something as simple as going into a hospital or military health clinic can pose cybersecurity challenges that can actually risk lives. Those going in for outpatient appointments or visiting patients admitted to a hospital may want to use their phones or tablets on the facility’s Wi-Fi. In a worse-case scenario, these devices could pose a threat to IT systems that connect patients to life-saving equipment. To combat this threat, SSC Atlantic’s Health Systems Security Engineering integrated planning team, headed by Cal Stephens, provides full scope network/cybersecurity services to the DHA, including network protection suite design and development, accreditation, deployment and operations fused with USCYBERCOM-accredited Tier 2 CSSP services.
“Cal was part of developing a secure intranet for DHA, engineering the design, deploying it, doing network operations and sustainment of that infrastructure, and we were serving in an information assurance capacity,” Jurand said.
This series of events provided SSC Atlantic a unique operational cyber perspective within the Navy. Given their capability, it made sense for SSC Atlantic to provide CSSP and Red Team services for other customers. The CSSP team was originally certified by Defense Information Systems Agency (DISA) and accredited by U.S. Strategic Command in 2012.
Today, SSC Atlantic’s Red Team is more and more in demand.
“Once we got certified, the phone starting ringing off hook and it hasn’t stopped since,” Jurand said. “It has really led to a great capability for SSC Atlantic.”
“There is so much complexity in cybersecurity threats; new ones pop up every day. We make folks take training and we do checkups to try to keep networks and systems healthy, but invariably, when Red Teams do assessments we always find shortcomings,” Jurand said.
“We are looking for stuff that is unusual,” he said, spending lots of time and energy looking through the assessment data to find what he describes as a “horrifying collection of success event audit records” that may indicate compromise.
For example, why is someone logged in at 2 a.m. on Christmas morning? Why is an administrator surfing the Internet and downloading data to the server? Are detections being made the way they are expected even when there are no failure or deny event audit records?
While the Red Team’s mission is to help and protect customers, they are not always welcomed with open arms.
“People are often taken out of their comfort zones or feel violated when the Red Team shows up,” Jurand said. “That’s a healthy reaction to have,” he said, since some people think they could get fired or that the network is actually being compromised.
“We are not the bad guys, we are trying to teach them about threats and how to mitigate them,” Jurand said. “Red Team operations really represent an investment in a customer’s cybersecurity infrastructure and in the people who use it. We are teaching them to be more aware of their vulnerabilities.”
“In the end they realize that a real adversary would probably teach the same, but on much worse terms.”
SSC Atlantic provides systems engineering and acquisition to deliver information warfare capabilities to the naval, joint and national warfighter through the acquisition, development, integration, production, test, deployment, and sustainment of interoperable command, control, communication, computers, intelligence, surveillance, reconnaissance (C4ISR), cyber and information technology (IT) capabilities.