Endgame cyber solution proves useful for Air Force at Red Flag
- By Mark Pomerleau
- Mar 10, 2016
In the world of cybersecurity, threat detection is only half the battle. The real trick is eradicating discovered irregularities in the network. This can be achieved using big data analytics tools that perform a variety of assessments on networks to scour for threats, predict what could be coming and eliminate them once found.
One such tool got a workout, for the second year in a row, earlier this year at the Air Force’s Red Flag exercise at Nellis Air Force Base, Nev. The Endgame cyber operations platform takes a three-pronged approach to network defense: stealth operation, multi-stage detection and precision response, according to the company.
Endgame’s stealth sensors operate covertly, with minimal impact on the network, Nate Fick, Endgame’s CEO, told Defense Systems. Multi-stage detection “can eliminate entire classes of adversary behavior,” he said. And the precision response can isolate adversary activity and decide whether to eliminate it or just observe. “There are plenty of tools out there that will tell you, Hey, you’ve got a lion in your house,” he said, “but they don’t empower you to do anything about the lion.”
Red Flag exercises, which have been in practice since 1975 and typically are held four times a year, are large-scale training exercises designed to simulate full combat operations, often including coalition forces. htThe most recent, Red Flag 16-1, held over three weeks in late January and early February, took place with air forces from the U.K. and Australia. And in recent years, the Air Force has fully incorporated cyber operations into the exercise, reflecting cyber’s growing importance in real-world operations.
Endgame was invited to the past two Red Flag exercises, participating in contrary capacities. Last year, Endgame equipped the red teams to provide them with near-peer capabilities that performed so well that de-briefers said the red teams (attackers) knew the networks better than the blue teams (defenders). This year, Endgame lined up with the blue cyber protection teams. “Several days into the exercise they actually had to turn the Endgame capabilities off because the red team wasn’t getting enough training done. We were blocking them from doing their jobs,” Fick said.
The military is working to improve the effectiveness of cyber simulations, which have fallen short in the past, according to a watchdog report. “Exercise authorities seldom permitted cyber attacks from being conducted to the full extent that an advanced adversary would likely employ during conflict, so actual data on the scope and duration of cyber attacks are limited,” the director of the Defense Department’s office of Operational Test & Evaluation wrote in the report.
The Air Force Scientific Advisory Board last year studied the vulnerabilities in embedded systems, which the service relies on for aircraft flight control, control surface actuation, radar or electronic warfare system operation, munitions interfaces and spacecraft system control, to name a few. The board noted that vulnerabilities to such systems can be introduced anywhere from the start of the supply chain through maintenance, as well as by direct attacks or through radio frequency signals, noting that these vulnerabilities exist despite the fact that embedded systems lack Internet connections.
An Air Force spokesperson confirmed that the full report is not available for public consumption but the one-page abstract the service released provides 10 recommendations and states that traditional protective strategies won’t work for cyber mitigation. Securing networks is a main focus, as is securing airborne platforms such as unmanned systems that have previously been hacked.
Endgame is in talks with the Air Force, other service branches, DOD and the Intelligence Community for future operational deployment of the cybersecurity tool to provide hunting capabilities. Fick defined those capabilities as “the proactive continuous effort to detect and then eliminate sophisticated adversaries in enterprise critical infrastructure,” providing a four-step hunt cycle that includes surveying critical assets, securing ground to prevent further damage, detecting adversary techniques – not just the tools – and responding with precision as to not disrupt the business process.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.