The Red Team: The Good “Bad Guys”

Photo by Joseph Bullinger

By Susan Piedfort

TO PROTECT CYBER SYSTEMS FROM HACKERS, YOU HAVE TO THINK LIKE HACKERS. THAT’S ALL IN A DAY’S WORK FOR SPACE AND NAVAL WARFARE SYSTEMS CENTER (SSC) ATLANTIC’S RED TEAM, AN EXPERT COLLECTIVE OF GOOD “BAD GUYS” WHO CONDUCT ADVERSARIAL ASSESSMENTS ON DEPARTMENT OF DEFENSE NETWORKS.

SSC Atlantic’s Red Team, certified by the National Security Agency and accredited by the United States Cyber Command, is one of nine certified Department of Defense (DoD) Red Teams and one of only two in the Navy. The SSC Atlantic Red Team assesses DoD cyber security service providers (CSSP), provides adversarial and aggressor support to cyber exercises, and supports cyber developmental and operational testing to acquisition programs with information technology (IT) components. Their customers include the Defense Health Agency (DHA), Defense Contract Management Agency, U.S. Marine Corps, Special Operations Command, and the Naval Enterprise Networks program office (PMW 205).

The Red Team’s real-world attack simulations are designed to assess and improve the effectiveness of an entire information security program, including those controlling weapons systems, platforms, sensors, and networks.

“The thinking is, if you simulate bad guys and put network defenders and system owners under controlled stress in a controlled environment, you get a better sense of how they will perform,” said Jason Jurand, the Red Team’s director. “If you wait long enough, the real-world adversaries will tell you what’s wrong with your system, usually at the worst time,” Jurand said. “Our first rule is ‘do no harm.’ Our adversaries don’t have that rule.”

Jurand emphasizes that the Red Team better positions customers to deal with these vulnerabilities on their terms rather than those of their adversaries.

The Red Team’s functional capabilities were developed when SSC Atlantic’s CSSP was created and certified. The CSSP’s mission is to protect, detect, respond, and sustain IT systems, and, as part of the “protect” service, the Red Team also assesses the defense capabilities of CSSPs across the DoD Information Network.

SSC Atlantic’s Red Team has 13 government employees and can adjust their size according to need through the use of their contracting strategy. They are technically skilled with backgrounds in computer science, computer engineering, software development, test and evaluation, networking, and system administration.

According to Jurand, a knowledge of how things work—and an understanding of how to degrade, disrupt, or deny a customer’s cyber environment while actually doing no harm—requires a deep technical background.

“From a temperament point of view, you have to be naturally curious and think unconventionally. Red Team people are tinkerers,” he said, “with maybe a little bit of a dark side.”

SSC Atlantic’s Red Team is certified to perform a variety of assessments, including local ones, where they are invited in by a customer and work collaboratively and cooperatively to help identify and mitigate known vulnerabilities—and often to discover new ones.

The Red Team assesses wireless security, which ranges from systems as innocuous as a home Wi-Fi to anything in the RF spectrum, such as shipboard or aircraft wireless systems.

The Red Team is very effective with user-driven attacks, which Jurand describes as complicated but usually the most successful.

“Most cyberattacks are user-driven, where you manipulate the user into doing something that gets them in trouble,” Jurand said. “For a Red Team, it’s the easiest to get at and yields the most reliable results. We’ve never had a phishing campaign that failed.”

Jurand explained that cybersecurity deficiencies found by the Red Team fall into the categories of people, processes and technology, with people being most common deficiency found.

“Insider threats are real. It’s not just about getting past the guy at the front gate or tailgating into a building; it’s user attacks and social engineering,” he said. “And even though everyone gets cybersecurity training every year, invariably we’ll find some kind of shortcoming.”

Something as simple as going into a hospital or military health clinic can pose cybersecurity challenges that can actually risk lives. Those going in for outpatient appointments or visiting patients admitted to a hospital may want to use their phones or tablets on the facility’s Wi-Fi. In a worse-case scenario, these devices could pose a threat to IT systems that connect patients to life-saving equipment. To combat this threat, SSC Atlantic’s Health Systems Security Engineering integrated product team, headed by Cal Stephens, provides full scope network/ cybersecurity services to DHA, including network protection suite design and development, accreditation, deployment and operations fused with Cyber Command- accredited Tier 2 CSSP services.

“Cal was part of developing a secure intranet for DHA, engineering the design, deploying it, doing network operations and sustainment of that infrastructure, and we were serving in an information assurance capacity,” Jurand said.

This series of events provided SSC Atlantic a unique operational cyber perspective within the Navy. Given their capability, it made sense for SSC Atlantic to provide CSSP and Red Team services for other customers. The CSSP team was originally certified by the Defense Information Systems Agency and accredited by US Strategic Command in 2012.
Today, SSC Atlantic’s Red Team is more and more in demand. “Once we got certified, the phone starting ringing off the hook and it hasn’t stopped since,” Jurand said. “It has really led to a great capability for SSC Atlantic.”

“There is so much complexity in cybersecurity threats; new ones pop up every day. We make folks take training and we do checkups to try to keep networks and systems healthy, but invariably, when Red Teams do assessments we always find shortcomings,” Jurand said.

“We are looking for stuff that is unusual,” he said, spending lots of time and energy looking through the assessment data to find what he describes as a “horrifying collection of success event audit records” that may indicate compromise.

For example, why is someone logged in at 2 a.m. on Christmas morning? Why is an administrator surfing the Internet and downloading data to the server? Are detections being made the way they are expected even when there are no failure or deny event audit records?

While the Red Team’s mission is to help and protect customers, they are not always welcomed with open arms.

“People are often taken out of their comfort zones or feel violated when the Red Team shows up,” Jurand said. “That’s a healthy reaction to have,” he said, since some people think they could get fired or that the network is actually being compromised.

“We are not the bad guys, we are trying to teach them about threats and how to mitigate them,” Jurand said. “Red Team operations really represent an investment in a customer’s cybersecurity infrastructure and in the people who use it. We are teaching them to be more aware of their vulnerabilities.

“In the end they realize that a real adversary would probably teach the same, but on much worse terms.”

They also perform remote assessments, which are more covert in nature. The Red Team tries to gain access to the customer’s network without the knowledge of the customer’s CSSP or “Blue Team.” Persistence missions involve the Red Team staying in the network as the customer’s Blue Team is actively pursuing it.

“They are trying to pry us out of network, and we are trying to burrow in and stay in,” Jurand said.

About the author:
Susan Piedfort is a writer with SSC Atlantic public affairs.