Customer Story

Bolstering Cybersecurity Controls Throughout the U.S. Army

Understanding of cyberdefense effectiveness against threats.

Acceleration of defenders’ detection and response to specific threats.

Minimization of security vulnerabilities in mission-specific technology infrastructures.


“For more than a decade, we had broad challenges with testing and validating cybersecurity controls,” says a capabilities development manager for the U.S. Army’s cyber defense operations wing. “We needed to operationalize cyber testing. As I see it, cyberspace is just another plane for military maneuvers; the only difference is that the plane consists of ones and zeros. A firewall is an obstacle, just like a brick wall, and it too can be broken. Like the infantry, the cyber defense team needs to search for, identify, and then remediate vulnerabilities.”

The U.S. Army considered several breach and attack simulation tools before selecting the AttackIQ Security Optimization Platform. The goal was to move “out of being reactive, to a more proactive approach to defense,” says the capabilities manager. “We wanted a platform for continuously assessing the effectiveness of our people and organizations against specific new threats we could see coming down the pike.”

“Every other vendor we evaluated had developed its own malware. Running that malware opened up security holes on the systems and devices we were testing. By contrast, AttackIQ doesn’t compromise the systems it is testing.”

The Security Optimization Process with AttackIQ

AttackIQ’s Security Optimization Platform was appealing because of its attack simulation playbooks and its tight integration with the MITRE ATT&CK framework. “All of our cyber defense operations are aligned to the MITRE ATT&CK kill chain,” says the capabilities manager. “When we are looking for adversarial activity to simulate, our defenders turn to the MITRE ATT&CK framework for guidance.”

Another consideration, according to a project officer who helps provide the Army’s information technology and business systems, was that “we needed to be able to both emulate specific attacks and routinely scan the network for any threats that our HBSS [host-based security system] had not picked up.” The Security Optimization Platform meets this need. It can periodically run automated simulations based on threats identified in the MITRE ATT&CK framework, and can perform one-off simulations at users’ discretion.

“AttackIQ holistically evaluates people, processes, and policies, as well as security technologies,” the capabilities manager says. “We are building an AttackIQ environment that will simulate attack campaigns, with the goal of helping our defenders lower their time to detect and respond to specific threats. We intend to consistently push similar attack sequences to see whether responses get faster with each iteration. If the time isn’t decreasing, we will need to determine whether our systems or processes need improvement, or our soldiers need training.”

While human red teams can perform similar assessments, they could not do so as frequently as the U.S. Army wanted. “We don’t have the option to continuously do red teaming,” says the capabilities manager. “There are so few red teams available within our military, trying to get on their schedule is always a challenge for individual groups. And when a group does get a red team’s time, once a year or so, they perform a one-off assessment, which usually ends up being a compliance check. Using AttackIQ enables us to do much more frequent control validations, and to retest as often as we want to make sure we’re making progress.”

One area that is ripe for AttackIQ insights is cybersecurity education. “We need to incorporate AttackIQ into our cybersecurity courses,” she says. “If we do, our soldiers will come out of the gate trained on how to not only defend the network, but also find the TTPs [tactics, techniques, and procedures] that our adversaries are using. They will start their careers as military cybersecurity defenders with an understanding of the adversary’s mindset and how the network might be attacked.”

The Security Optimization Platform also has potential to improve defenders’ job-performance evaluations. “Threat emulations could really help with talent management in the cyber community,” says the capabilities manager. “We could use AttackIQ to periodically perform pop quiz type assessments. We could customize the scenarios so that a host analyst, for example, is tested on her ability to identify threats on an endpoint.”

One other area in which the Security Optimization Platform may help the U.S. Army effect real change is the procurement of security solutions. Each division within the U.S. Army could use AttackIQ to test the effectiveness of its existing security program during the decision cycle for new investments. Meanwhile, the U.S. Army could run a trend analysis to identify security challenges that permeate the entire organization.

All told, the U.S. Army is on track to use the Security Optimization Platform to build a more strategic defense posture across acquisitions, talent management, and operations.

Ready for your cybersecurity program to be tested against real-world threats, optimized for effectiveness, and prepared for future attacks?