19 December 2017

New Research on Red-Teaming Technical Capabilities and Cyber Defence Exercises

Researchers at the Technology Branch of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) recently presented two novel studies on tools that enhance red-teaming and cyber defence exercises at the 2017 IEEE Military Communications Conference (MILCOM). The proposed solutions have already been tested in Locked Shields, the most complex live-fire cyber defence exercise in the world, and in the red-teaming exercise Crossed Swords, both organised by CCDCOE.

Cyber defence exercises have received much attention in recent years and are increasingly becoming the cornerstone for ensuring readiness in this new domain. For example, Locked Shields, organised since 2010, is a well-known exercise in which Blue (defending) teams are given a realistic simulated environment which they have to protect from the Red (attacking) team. Crossed Swords is an exercise directed at training Red Team members for responsive cyber defence.

“However, previous exercises have revealed the need for automated and transparent real-time feedback systems to help participants improve their techniques and understand technical challenges. Red team members are typically not experts in monitoring and intrusion detection tools, thus being unaware of how their actions are visible to network defenders,” explains Markus Kont, Researcher at CCDCOE Technology Branch.

The research paper “Frankenstack: Toward Real-time Red Team Feedback”, authored by Markus Kont, Mauno Pihelgas, Kaie Maennel, Bernhards Blumbergs and Toomas Lepik, addresses this very issue. “We developed a novel and modular open-source framework to address this problem, dubbed Frankenstack. This framework was used during the Crossed Swords 2017 execution and in general the training audience found it useful, but we intend to develop it even further,” concludes Markus Kont.

Due to the novelty of Red Team-centric exercises, very little academic research exists on providing real-time feedback during such exercises. Thus, the paper serves as a first foray into a novel research field.

The second study, “Bbuzz: A Bit-aware Fuzzing Framework for Network Protocol Systematic Reverse Engineering and Analysis”, authored by Bernhards Blumbergs and Risto Vaarandi, focuses on advancing the network protocol analysis tool-set and technical capabilities of Red Teams. Fuzzing is a critical part of the secure software development life-cycle, used for finding vulnerabilities, developing exploits, and reverse engineering. Unfortunately, the tools assessed lack the capability to work with protocols whose constituent bit groups are not byte-aligned. In this paper, the authors propose a systematic approach and a tool prototype developed for cyber red-teaming purposes.

“In a case study, the developed Bbuzz tool is used to reverse engineer a proprietary NATO Link-1 network protocol, allowing rogue airplane tracks to be injected into an air operations command and control system. This allows red team members and security researchers to conduct fast and effective in-depth analysis of various network protocols independent of their operational layer. Such an attack was successfully executed within the world's largest international live-fire technical cyber defence exercise, Locked Shields 2017,” says Bernhards Blumbergs, lead author and former Researcher at CCDCOE Technology Branch.

The papers were accepted and first presented at the 2017 IEEE Military Communications Conference, and the final versions are included in the Proceedings of the 2017 MILCOM. MILCOM continues to be the premier international conference for military communications.

NATO Cooperative Cyber Defence Centre of Excellence is a Tallinn-based knowledge hub, research institution, and training and exercise centre. The international military organisation is a community of currently 20 nations providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law.

NATO CCD COE is home to the Tallinn Manual 2.0, the most comprehensive guide on how international law applies to cyber operations. The Centre also organises the world’s largest and most complex international technical live-fire cyber defence exercise, Locked Shields. Another highlight of the Centre is the International Conference on Cyber Conflict, CyCon, a unique event joining key experts and decision-makers of the global cyber defence community in Tallinn. The tenth anniversary event, CyCon X: Maximising Effects, will take place from 30 May to 1 June 2018.