Insight by Raytheon

Moving toward an active cyber defense posture requires a different type of training

Raytheon Intelligence and Space is training the next generation of cybersecurity professionals in both offensive and defensive skillsets.

Shape

Offense and Defense Working Together

We think about putting those two groups together and having them collaborate on the best postures to defend your enterprise, you start to get into the mindset of an attacker. Understanding the tools and techniques helps you put a better defensive posture into your network, and also helps you to understand how to combat malware in a way that you've maybe never thought of in the past.

Shape

Training and Tools for Offense and Defense

As it sits today, our three tenants of the offensive labs that we focus on are vulnerability research, binary reverse engineering and computer network operations. From there, we can supply talent to a broad range of missions. But getting that talent onboard, or upskilled is what we are really focused on.

In sports, the saying goes the best offense is an aggressive defense. In cybersecurity, that adage is becoming more appropriate by the month and by the cyber attack.

This is true because over the last several years, the discussion around cybersecurity hasn’t just focused on defensive operations. The government and industry have become more comfortable talking about certain offensive cyber actions and tactics, techniques and procedures (TTPs).

It has become clear that there are definite benefits to embracing offensive operations on top of an organization’s typical defensive concepts.

The Defense Department recognized the need to find the right balance as it developed cyber mission forces. Of the 133 teams, Cyber Command has tasked 81 teams to defensive missions, 27 teams to offensive missions, and an additional 25 teams to missions that support both offense and defense.

John DeSimone, the president of the cybersecurity, intelligence and services at Raytheon Intelligence and Space, said when organizations look at defensive cyber operations through an offense lens, an important integration happens.

“When we think about putting those two groups together and having them collaborate on the best postures to defend your enterprise, you start to get into the mindset of an attacker. Understanding the tools and techniques helps you put a better defensive posture into your network, and also helps you to understand how to combat malware in a way that you’ve maybe never thought of in the past,” DeSimone said during the discussion Meeting the Need for Offensive and Defensive Cyber Teams. “Rather than just doing alerting and then figuring out how to contain and then cleanse, you can start to figure out how to go after the attackers, maybe even attack the malware that’s in your network to slow it down at a faster rate so you’re not in a long period of cycle times to return to normalcy. We see it as a very important step in the future.”

Accelerating mitigation actions

By putting your offense and defensive experts on the same teams, agencies can move toward an active defense posture. This lets organizations better understand how attackers techniques and accelerate mitigation actions.

Raytheon Intelligence and Space launched its offensive lab as a training program to teach defenders more about offense with a focus on topics such as vulnerability research, computer network operations and binary reverse engineering.

James Thompson, the director of Raytheon Intelligence and Space Offensive Labs, said the shortage of talent and the need to develop these integrated skillsets are major drivers of the training program.

“There’s a common set of skills and how you choose to apply those skills either to an offensive mission or to a defensive mission really varies. But at the core, a foundational understanding of computer architecture and some of the key tenets of the security research is what we’re trying to build with offensive labs,” he said. “We are leveraging and emphasizing the talent that we have today, in particular, those that not only are new to this arena, but also those that want to pivot their career and upskill themselves, or go into a different area of security research. As it sits today, our three tenants of the offensive labs that we focus on are vulnerability research, binary reverse engineering and computer network operations. From there, we can supply talent to a broad range of missions. But getting that talent onboard, or upskilled is what we are really focused on.”

By training cyber employees in both offensive and defensive skillsets, organizations and agencies become better in both areas.

Removing the stigma

Jon Check, executive director of cyber protection solutions at Raytheon Intelligence and Space, said offense can inform defense measures and tactics, and defense can help offensive experts more quickly recognize steps that may stop their efforts.

“There a healthy competition between the offensive and defensive side and we’re trying to remove that stigma by manufacturing the talent that we need to support all missions,” he said. “If you are a defensive track, you were trained very specifically and you’ve never really did some of the offensive activities. We’re really focused on removing that stigma, recognizing that to truly be as effective as a cybersecurity professional, you really need to understand how both sides work because that will lead to absolute ‘A-ha’ moments where they’ll realize ‘I know exactly what this attackers is doing because this is how I learned about that activity.’ They can think of a new way to defend that maybe we haven’t thought of before.”

Thompson added typically training would be more focused on the techniques, tools and tradecraft that defenders have proven valuable.

“What we’re trying to do with offensive labs is instruct on not only the base of the attack when it occurs, but also all of the tradecraft that goes on prior to the attack,” he said. “How do you build fuzzers [a software testing tool]? How do you really weaponize exploits that are known about a system? How is the research done?  We’re really getting all the students in that mindset to be a really well rounded engineer.”

Important for zero trust

The integration of offensive and defense skillsets becomes more important as agencies move toward a zero trust architecture.

DeSimone said having an offensive mindset gives defenders a lot more capabilities opportunities to defend their networks and data and to stop attackers inside and outside of their network.

Check added agencies need to figure out how to be agile to bring in new tools or capabilities as the threats change, which is a benefit of zero trust.

“There’s no doubt there are plenty of tools out there for people to decide to use, but there’s absolutely no way to ensure that you’re going to get to a zero trust posture. It’s really about what are you doing to configure, integrate and really build those into your total active defense and how you’re going to defend your enterprise against attackers?” Check said. “One of the key aspects of proliferating the good tools as fast as we can is the Achilles heel and the bottleneck that seems to happen every time of having people that truly understand how that tool would integrate within an environment because every environment is at a different level of maturity within their cybersecurity enterprise.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Featured speakers
  • Jon Check

    Executive Director Cyber Protection Solutions, Raytheon Intelligence and Space

  • John DeSimone

    President, Cybersecurity, Intelligence and Services, Raytheon Intelligence and Space

  • James Thompson

    Director, RI&S Offensive Labs

  • Jason Miller

    Executive Editor, Federal News Network