“The technology is being used to deploy, within cyber operations, a defended asset list. If you look at what are essentially your crown jewels on the defense networks and the defense weapon systems, the things that Cyber Command and the services’ cyber components most want to defend from malicious cyber activities, we’re deploying deceptive elements around them to essentially create pre-filtered sensors and pre-filtered data gathering capabilities and devices,” Gould said on Ask the CIO. “Now, if the defenders of those systems see interactions with these decoys, they can assume that any of that interaction, and any of that telemetry and indicator data that’s created on those devices, is bad, because no one should be interacting with these devices and no one should know that they’re there.”
Gould added the prototype is testing whether cyber defenders can move these fake devices around to different protected enclaves or to different weapon systems, or whether it’s better just to leave them in place.
“Each team type that is using this technology is using it in a slightly different way,” he said. “Both vendors had very specific problem sets. One did more of an enterprise detect and response similar to what we see in the commercial side. But the one that we saw pretty good results with was on the cyber threat intelligence gathering side as well as the threat hunting side. They are gathering telemetry from those interactions, gathering intelligence and tools, techniques and procedures from an adversary that is interacting with these decoys. It had a much more military flavor to the operation.”
A big step forward
Gould said should these technologies prove out over the long term, the tools would be game changers for how DoD, and really any organization, protects their networks and data.
“I’d say it’s a big step forward. There’s a lot of detection and response tools that are out there, and the government has a lot of those at their disposal. What we haven’t had until this prototype is the ability to deploy these highly tailored and highly targeted decoys and endpoints that fit into these very specific environments for the purposes of information gathering,” he said. “We had very good tools to do this across the DoD Information Network (DoDIN) or the information network that DoD operates on or one of the service networks. But now we have the ability to deploy these fake devices that already pre-filter traffic and indicator data for you in these very specific environments, using the indicators and the characteristics of that environment, rather than just doing it generically across an entire swath of the network portion or the entire network itself.”
Gould said this means cyber defenders can create tailored and more specific protection and response plans for any given part of DoD or any organization instead of trying to have the one-size-fits all approach to cyber protections.
DIU started down this path of taking a fresh look at endpoint security at the request of one of the services’ operational cyber teams.
“Typically in the commercial world, deception is used for detect and respond. It’s essentially a way to deploy fake artifacts, fake decoys, fake machines, honeypots, all these different fake pieces of computing infrastructure throughout an environment as a way to try to see if anyone is interacting with those fake artifacts. Then from there, can a security operations team determine who is that adversary that’s interacting with those, what type of malicious activity is being directed at those? Is it an insider threat or an external threat? Then from there, can you identify how to best defend against that?” Gould said. “What we were looking to do, and what the customer on our end was looking to do, was to take that one step further and try to figure out: can we not just detect and respond to that threat, but can we start to ratchet up the deception to start toying with an adversary? Can we deploy this around a weapon system for the purposes of protection and intelligence gathering? Can we really play off of the paranoia that most offensive cyber operators have, in a way that makes them wonder and question every move they’re making because they might be being watched? Is this a real environment, a real weapon system, a real government network or not?”
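The property Gould describes in both passages above, that a decoy has no legitimate users so every touch is by definition an indicator, is what makes decoy telemetry "pre-filtered." The script below is an added example, not DIU's or either vendor's tooling, showing that triage over a connection log: it takes an inventory of decoy addresses (constructed), drops all traffic to real assets, and turns every decoy hit into a high-confidence alert that already carries the adversary's observed behaviour (which decoys, which ports, allowed or denied) and a crude insider/external split. The decoy names, log format, sample log lines and the internal address ranges are all assumptions made for the example.

```python
"""Triage of decoy interactions (added example; assumes a flat text connection
log and a decoy inventory that nothing legitimate should ever touch)."""
import ipaddress
from collections import defaultdict

# Constructed decoy inventory: fake hosts placed near a protected system.
DECOYS = {
    "10.20.5.50": "decoy-plc-hmi",
    "10.20.5.51": "decoy-file-share",
    "10.20.5.52": "decoy-jump-host",
}

# Assumed "inside" address space, used only for the insider/external split.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2021-01-12T03:14:07Z 10.20.7.23 10.20.5.12 443 allow
2021-01-12T03:14:09Z 10.20.7.23 10.20.5.51 445 allow
2021-01-12T03:14:10Z 10.20.7.23 10.20.5.51 139 allow
2021-01-12T03:15:02Z 198.51.100.9 10.20.5.50 502 allow
2021-01-12T03:15:03Z 198.51.100.9 10.20.5.52 22 deny
2021-01-12T03:16:40Z 10.20.9.8 10.20.5.13 80 allow
"""


def parse_line(line):
    """Split one log line into a dict; the format is an assumption."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text, decoys=DECOYS):
    """Return one alert per source address that touched any decoy.

    There is no baseline or allow-list to score against: a decoy has no
    legitimate users, so every row whose destination is a decoy is an alert,
    and the rows themselves are the adversary's telemetry.
    """
    hits = defaultdict(lambda: {"decoys": set(), "ports": set(),
                                "actions": set(), "events": 0, "first_seen": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst"] not in decoys:
            continue  # traffic to a real asset: left to normal EDR, not our concern
        rec = hits[ev["src"]]
        rec["decoys"].add(decoys[ev["dst"]])
        rec["ports"].add(ev["port"])
        rec["actions"].add(ev["action"])
        rec["events"] += 1
        rec["first_seen"] = rec["first_seen"] or ev["ts"]

    alerts = []
    for src, rec in hits.items():
        alerts.append({
            "src": src,
            # Crude attribution only: a compromised internal host also looks "internal".
            "origin": "internal" if is_internal(src) else "external",
            "decoys": sorted(rec["decoys"]),
            "ports": sorted(rec["ports"]),
            "actions": sorted(rec["actions"]),
            "events": rec["events"],
            "first_seen": rec["first_seen"],
            "confidence": "high",  # decoys are never touched legitimately
        })
    # ISO-8601 timestamps sort correctly as strings.
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Note what the filter does not do: it never has to decide whether port 445 or 502 traffic is "normal" for the environment, which is the hard part of generic detection across a large network. That decision was made when the decoy was placed, which is the sense in which the sensor is pre-filtered. The "internal" label should be read as a starting point for the insider-versus-external question, not an answer, since a compromised host inside the enclave produces the same source address as an insider.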
DIU released an other transaction agreement (OTA) solicitation to industry asking for advanced endpoint detection and response capabilities. The office received short white papers from 20 companies, including 10 it hadn’t heard of or worked with before, and chose six to give in-person or virtual pitches.
From there, DIU chose two vendors to prototype their technologies.
Gould said the prototype period is almost over and DIU will decide how to transition the technology to a production OTA that would be longer term and larger in scale.
Gould said DIU has a slate of cyber projects coming up in 2021 as well as the expanded partnership with the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department.
“We’re looking to help with the hunt forward kits for the U.S. Cyber Command community. We’re looking at some new ways to gather non-traditional telemetry types when it comes to cyber threat intelligence gathering, not your traditional indicators of compromise-based indicators, but other forms of data that can be used to create a cyber picture of an adversary,” he said. “We’re looking into some industrial control system and operational technology areas for some of the services and how do we help them protect more of their power and embedded systems, across the different services. We’re doing more cloud and remote-based projects, given the COVID situation that’s created a new demand across the DoD for more remote-based protections and bring your own device and zero trust type projects. We actually stood up a sub team within our team for telecommunications that is looking into more wireless spectrum and 5G and wireless intrusion detection system type projects.”