NIE Cyber Threat Team hackers support OPFOR
May 24, 2012
by Drew Hamilton
While White Sands Missile Range Soldiers play the role of enemy combatants and insurgents during May's Network Integration Evaluation 12.2, civilians from the Army Research Laboratory's Survivability/Lethality Analysis Directorate quietly play another kind of enemy behind the scenes.
NIE 12.2, the third NIE to take place at White Sands Missile Range, is a large-scale evaluation event intended to mature the Army's tactical computer network. A joint effort between Army Test and Evaluation Command, Brigade Modernization Command, and the System of Systems Integration Directorate, the evaluation takes the various systems being evaluated and places them in the hands of Soldiers from the 2nd Brigade Combat Team, 1st Armored Division. Those Soldiers then try to use the new systems in conditions similar to what they would find on the battlefield.
While the face of the exercise showcases the challenges of fighting in harsh terrain, like WSMR's deserts and mountains, behind the scenes another battle is quietly taking place in the digital realm. Members of ARL's Information and Electronic Protection Division take on the evaluation of the technology from the perspective of the computer expert. In the information age, enemies can be just as much of a threat with a computer as they can with a roadside bomb. Army computer systems can find themselves under attack from anything ranging from independent criminals to a formal military cyber warfare unit.
While cyber warfare is usually beyond the activities of the common Soldier, the impact of a cyber attack could easily be felt on the battlefield in a near future where Soldiers are connected to their command 24 hours a day. Just as a successful attack on a supply convoy can cause a rippling effect across a theater of operations as units and commanders adjust their plans and operations to the resulting supply shortfall, a successful cyber attack can be felt at many different levels. "If a civilian e-mail server is attacked somewhere on the internet, a first order effect is that the machine might suffer a performance degradation or an outage. A second order effect is that a different backup server will now be burdened with a heavier traffic load, which may cause it to deny service to some users who are trying to access their e-mail, which in turn may have third or fourth order effects," said Anthony Castanares, a computer scientist with ARL White Sands.
While the NIE won't be testing civilian e-mail servers, the example Castanares gives illustrates how Army systems need not only to be protected from an attack, but also to have the ability to compensate for the loss of another network asset, whether to a cyber attack or to its physical destruction by conventional means. The Army defines this kind of requirement as information assurance (IA): the assurance that information systems such as computer networks will be resistant to threats, and that the systems, their information and their capabilities remain available to authorized users.
To ensure that any new Army systems are prepared for this kind of situation, information assurance requirements must be included in the Army's testing and evaluation process. "The work we're doing in the NIE is more comprehensive than what we usually do in the lab, in the sense that we are testing systems in an operational environment, assessing their IA security posture, reviewing IA policies, and observing the operators using those systems to see if there are any potential weaknesses that could be exploited. If we discover any weaknesses, we then suggest mitigations to improve the unit's IA posture," said Kenneth Sayles III, a computer scientist with ARL White Sands.
ARL's role begins before the Soldiers even enter WSMR test ranges. ARL begins by conducting an initial evaluation of the systems that they will be testing during the NIE. "Before the test begins there's a team that does an audit that captures the current IA posture of the systems under test prior to the start date. That's what some of our people do, is the audit that says 'this is ready for test,'" Castanares said. ARL computer engineers and scientists review the systems' functions and operations, analyzing everything from the physical hardware to the software, sometimes going all the way down to individual lines of programming code, and even factoring in how the Soldier is using the device, looking for possible vulnerabilities that an adversary could exploit. The report generated from the evaluation is then provided to system owners, who can then decide how best to address these potential vulnerabilities.
ARL's second function comes into play during the NIE's field evaluation. Just like the teams of Soldiers that represent insurgents and enemy troops during the evaluation, ARL assembles a team of computer experts who can act as a cyber threat team. Using everything from freely available software, to commercial network test tools, to custom written programs and custom developed tools, the ARL cyber threat team attempts to break through the defenses of computer systems being evaluated. "We are being faithful in representing a competent hacker," said Castanares. Maintaining the test's purity, the threat team is a different set of personnel than the group that initially evaluated the systems. Ensuring that these groups are isolated from each other maintains a realistic IA test environment, with the threat team going through the entire process of identifying the test systems as a target, attempting to find vulnerabilities to exploit, and then conducting actual attacks.
ARL's final portion of the evaluation is to assemble a report on how the systems being tested held up to their efforts. Just like the Soldiers taking part in the field portions of the NIE, ARL's computer experts assemble reports on their findings so that the decision makers can determine how best to proceed on a project or system. "We deploy separate teams of subject matter experts who will analyze the network in real time, study the responses from both Soldiers and live systems in real time, and go back and correlate all this data that says what the threat portrayal actors did. Then we go back to our logs and see what everyone did and what effects the attacks had. That's the analysis that really captures all this information and says this is why you should care about these vulnerabilities, because these are the effects it could have," Castanares said.
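The correlation step Castanares describes, matching what the threat-portrayal team recorded doing against what the monitored systems logged, can be sketched in code. The following is an added illustration, not ARL's tooling or any record from NIE 12.2: the two logs, the host names, the timestamps and the five-minute attribution window are all constructed here. It tags system events on the targeted host inside the window as first-order effects, events on other hosts that mention the target as second-order effects (the failover load Castanares' e-mail example describes), and leaves everything else unattributed so analysts do not credit background activity to the threat team.

```python
"""Correlate a threat-team activity log with system event logs by time window.

Added example with constructed data; hosts, times and messages are hypothetical.
"""
from datetime import datetime, timedelta

# Constructed sample: actions the threat-portrayal team recorded (time, technique, target host).
THREAT_LOG = [
    ("2012-05-14T10:00:00", "port-scan", "host-a"),
    ("2012-05-14T10:20:00", "password-guessing", "host-b"),
    ("2012-05-14T11:05:00", "flood", "host-a"),
]

# Constructed sample: events the monitored systems logged (time, host, message).
SYSTEM_LOG = [
    ("2012-05-14T10:01:30", "host-a", "firewall: 400 connection attempts in 60s"),
    ("2012-05-14T10:22:10", "host-b", "auth: 50 failed logins for user ops"),
    ("2012-05-14T10:45:00", "host-c", "cron: nightly backup completed"),
    ("2012-05-14T11:07:45", "host-a", "service: response time 9s (threshold 2s)"),
    ("2012-05-14T11:09:00", "host-b", "service: absorbing failover traffic from host-a, load 95%"),
]


def parse_ts(text):
    """Parse the ISO-like timestamp format used by both constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def correlate(threat_log, system_log, window_minutes=5):
    """Attribute system events to threat-team actions.

    For each action, events on the targeted host within `window_minutes` after
    the action are first-order effects; events on other hosts in the same window
    whose message names the target are second-order effects. Returns the list of
    per-action findings plus the system events attributed to no action at all.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    attributed = set()  # indices into system_log already explained by an action

    for action_ts, technique, target in threat_log:
        start = parse_ts(action_ts)
        first_order, second_order = [], []
        for idx, (event_ts, host, message) in enumerate(system_log):
            when = parse_ts(event_ts)
            if not (start <= when <= start + window):
                continue  # outside the attribution window for this action
            if host == target:
                first_order.append(message)
                attributed.add(idx)
            elif target in message:
                second_order.append((host, message))
                attributed.add(idx)
        findings.append({
            "action": technique,
            "target": target,
            "first_order": first_order,
            "second_order": second_order,
        })

    unattributed = [event for idx, event in enumerate(system_log) if idx not in attributed]
    return findings, unattributed


def report(findings, unattributed):
    """Render the correlation as the kind of summary handed to decision makers."""
    lines = []
    for f in findings:
        lines.append(f"{f['action']} against {f['target']}:")
        for msg in f["first_order"]:
            lines.append(f"  first-order  [{f['target']}] {msg}")
        for host, msg in f["second_order"]:
            lines.append(f"  second-order [{host}] {msg}")
        if not f["first_order"] and not f["second_order"]:
            lines.append("  no observed effect")
    lines.append(f"{len(unattributed)} event(s) not attributed to the threat team")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*correlate(THREAT_LOG, SYSTEM_LOG)))
```

The window size is the main judgement call: too short and slow-developing effects such as a backup server saturating minutes later are missed, too long and unrelated background events get blamed on the red team. In practice the window would be tuned per technique, and the second-order rule would key on structured fields (source address, upstream host) rather than a substring match.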
"Prior to being fielded or being decided upon for acquisition, large acquisition programs have to undergo threat based cyber testing, where a group of individuals like us study the techniques and actions that threat actors in the real world take to target Army systems. We develop tools and techniques and use them to test Army systems and assess the survivability of these systems under test," Castanares said. In support of acquisition test and evaluation, ARL regularly conducts IA compliance and certification testing, IA and threat modeling and simulation, security code analysis, penetration testing, threat computer network operations testing, and vulnerability assessments. "We're busy, but it's because of the wide range of capabilities we can provide in this realm," Sayles said.