3. Breach-to-Response Acceleration

Cyber Battlerooms to learn to recognize adversary action

The old adage "it takes 10,000 hours of practice to become an expert" is very true in cyber defense. We can't teach people to prevent zero day exploits but we can provide an inexpensive way to show what happens when an exploit is used. Technology today is finally available to provide ubiquitous Cyber Battlerooms, like Netflix, where you log into the cloud and "play" on a Virtual Clone Network of a government agency, water treatment plant, electric power plant, financial institution or anything we need to protect.

 

To be a Battleroom and not just a network or cyber range, you need the infrastructure (firewalls, routers, domain controllers), a synthetic internet, fake users who do the actions of whatever you are emulating (e.g., open emails, edit documents, browse the internet), realistic network/host traffic, cyber defense tools (e.g., sensors, log aggregation, vulnerability scanners, forensic solutions etc) and an adversary. With the Cyber Battleroom (CBR), defenders can see what lateral movement, privilege escalation, exfiltration, command and control or a host of actions that hackers and nation state adversaries looks like. They can dramatically improve their detection capability and try different responses. They can become instinctive and powerful cyber defenders.

 

In support of OSD/Director Operational Test and Evaluation (DOT&E), we have taken technology developed at national laboratories and commercial products to create a CBR that is hosted in Amazon Web Services, Google Cloud, Govt Cloud or a number of solutions. Hosting on the unclassified cloud makes this very affordable and scalable. Prior to this year, we did not know how to emulate the layer 2 and layer 3 devices in a virtual cloud environment. Now we do thanks to a middle layer technology that a start up called Ravello provided and SimSpace integrated with. Using all of this, we created CBRs that look very much like various critical infrastructure components and even an entire joint military base. We used this to test different Cyber Protection Teams using detailed metrics we developed based on the NIST cybersecurity framework. We can score a cyber defense team and identify where they are weak. But more importantly, whenever we build the different CBRs, we emulate real world threat actors and we have a zero day exploit emulator. We have examples of Mandiant's APT-1 or Deep Panda or Cyber Snake or Carbanak.....etc. Each of our CBRs is there in the cloud to be turned on whenever anyone wants to practice.

 

This is like on-line gaming only more fun, in my opinion, because it is real. You can see and defeat adversaries. You can play against a live adversary. You can score and compete. You could create a competitive league and have a leaderboard of who or what team has achieved success against what level or type of adversary. But more importantly, you can learn to recognize a breach and respond quickly. In using this technique, we have trained teams to detect and respond within minutes. Its not magic, its practicing in a real-world environment that is closed (and hence safe).

 

A CBR provides a realistic environment to see and respond to cyber threats and reduce response times. This also has a lot of benefit in the area of creating our cyber workforce!! This can be an environment to learn on or be assessed on (hire only who can score X or mandate that agency defense teams score Y) - the opportunities are endless.

Add tags and help us assess and classify your idea. Pick from the list below or type in a new tag.

Voting

1 vote
Public Input
Idea No. 125