ARLINGTON, Va. – U.S. military researchers are asking Georgia Tech Research Corp. in Atlanta to develop ways to detect, manage, and defeat cyber hackers and help build-in cyber security as part of the computer design process.
Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., announced a $22.7 million contract to Georgia Tech last week for the Signature Management Using Operational Knowledge and Environments (SMOKE) project.
SMOKE seeks also to measure the risk of cyber threats in real-time; and find new ways for red-team ethical hackers to maintain their evasiveness as they help train cyber security experts root-out malicious cyber behavior.
Georgia Tech cyber security experts will develop data-driven tools to automate the planning and execution of threat-emulated cyber infrastructure necessary for military network security assessments.
Military computer networks are under persistent threat from malicious cyber hackers, so network security experts must be able to assess their cyber vulnerabilities and defenses by using red team ethical hackers and blue team cyber defenders.
Red team exercises are designed to exceed simple penetration testing, and emulate cyber attacker behaviors as realistically as possible, to form a picture of network defense readiness.
Towards the aim of realism, red teams use tactics that mimic advanced cyber threats to evade network defenders and assess how critical networks fare against a determined cyber attack.
A core aspect of red team security assessments are procedures to build domain names, IP addresses, virtual servers, and other components to control red team tools. This infrastructure must exist openly on the public Internet and emits signals that, if detected too easily, can end the assessment quickly without much gain, but at considerable expense.
Signatures are patterns of the way an organization performs cyber operations. Attribution is the ability to link a cyber attack to a likely hacker. Red team members don't want the blue team to attribute attacks to likely perpetrators too quickly, which can weaken a cyber security assessment.
The ability to emulate sophisticated threats, evade detection, and reduce signatures requires a significant amount of time and expertise. Today, furthermore, the demand for network security assessments is greater than the supply.
SMOKE seeks to develop tools to automate the deployment of automated cyber threats that will enable red teams to increase the effectiveness of cyber security assessments. these tools also could provide red teams with longer cyber security assessment because of their ability to remain hidden.
Related: The essentials of trusted computing and cyber security
DARPA researchers want industry to develop tools that enable automated and scalable emulated cyber threats. SMOKE will prototype components that enable red teams to plan, build, and deploy cyber infrastructure that is informed by machine-readable signatures of sophisticated cyber threats.
To ensure realism, DARPA experts will evaluate SMOKE components on real-world networks controlled by SMOKE performers and government partners -- first on emulated environments, and perhaps later on live networks.
The SMOKE program seeks breakthrough approaches in abstracting away complexities of diverse network environments; operating in partially denied environments, reasoning under uncertainty, and reacting to unforeseen detection and/or attribution events; measuring tradeoffs among efficiency and effectiveness of plans in terms of speed and evasion; overcoming state space explosion of typical models for cyber infrastructure planning; developing mechanisms to acquire, manage, and maintain infrastructure elements that conform to signature management policies; executing infrastructure changes in accordance with real-time attribution assessments and plan contingencies; discovering latent associations between infrastructure artifacts; automating expert judgments used to build and traverse infrastructure associations; and expanding knowledge of adversary infrastructure.
SMOKE is a four-year effort divided into two: developing, demonstrating, and evaluating individual components; and comparative evaluations formed by integrating program components. The contract includes one option that could increase its value to $24.7 million.
SMOKE has two technical areas: automated planning and execution of attribution-aware cyber infrastructure; and generating infrastructure signatures.
On this contract Georgia Tech will do the work in Atlanta and Athens, Ga., and should be finished by October 2026. For more information contact Georgia Tech Research online at https://gtrc.gatech.edu.
