WASHINGTON — When hackers break through the Pentagon’s cyber defenses, it’s the job of elite threat-hunting teams to find intruders or damage.
Most recently, U.S. Cyber Command deployed cyber teams to check military networks for any signs of a compromise following what some experts and Congress members say is potentially the biggest hack and cyber espionage campaign in U.S. history.
The Pentagon has found no evidence thus far that the susceptibility affected Department of Defense’s networks. “Parts of our software supply chain source have disclosed a vulnerability within their systems, but we have no indication that the DoD has been compromised,” said Capt. Katrina Cheesman, a U.S. Cyber Command spokesperson.
But the teams are looking for damage nonetheless.
While the department doesn’t share many details about how defensive cyber protection teams do their jobs, one common tactic that threat hunters employ is monitoring networks closely for any strange behavior or actions, such as odd login times or use of unusual software.
A network user who takes actions outside of normal daily activity could be a hacker that the defensive team must block out of computer systems, sometimes confronting active trespassers directly to deny access through a kind of virtual hand-to-hand combat.
In the latest breach, the U.S. blames Russia for implanting malicious code in software updates provided by government supplier SolarWinds, allowing unprecedented access for months across federal networks.
The infiltration went beyond the software vendor, with hackers accessing networks in a variety of ways, The Wall Street Journal reported in a Jan. 29 article that included a Cybersecurity and Infrastructure Security Agency estimate that 30 percent of affected businesses and government offices did not have a direct link to SolarWinds.
To date, Cyber Command’s teams have not been asked to assist breached federal agencies but would do so if authorized, Cheesman said.
Cyber protection teams — 68 in total — make up the majority of the Pentagon’s cyber troops, and they’re always in high demand to help with suspicious activity throughout the vast DoD information network. Staff throughout the world use DODIN, a complex collection of thousands of local networks, for everything from sending real-time information to war fighters to storing basic personnel data.
While cyber protection teams are the DoD’s defensive frontline, they primarily act as a response force and don’t get involved until an adversary breaches networks, according to a December presentation during an Army conference by one of its cyber units.
When a breach occurs, the teams go to the site of the problem with specialized kits including a mix of laptops, small servers, passive and active sensors, analytic capability and software tools.
They work with the local IT staff who run networks to understand the unique qualities of a particular network’s day-to-day operations. The teams help search for malicious activity, eradicate any lingering interlopers, and recommend to the local personnel how to rebuild stronger network defenses.
Each team has 39 members, but they deploy in smaller elements to spread their expertise and rotate through active operations, regrouping and training.
Cyber experts familiar with cyber protection teams’ work described for C4ISRNET how the units would respond to a hypothetical breach, with some experts sharing insights anonymously because they are not authorized to speak publicly about the issue.
If CPTs see the actor is still on the network, they will work to kick the hacker off by changing credentials and blocking methods of access like backdoors and then determine what information the actor reached. The teams might have to set up deliberate defense within the network, putting up blockades to disrupt adversaries and force them into certain portions of the network. That improves their ability see hackers’ activity or confront them directly.
A team’s first action would likely be to get a handle on the attack vector, determining what machines or network segments run malicious software. From there, commanders prioritize hunting on the highest and most sensitive assets or portions of the network. For example, a system that works with the nuclear command and control infrastructure would be a top priority.
Sophisticated network hunters are needed because high-end actors will obfuscate their activity with a variety of tools, such as using credentials and privileges to look like an administrator or legitimate user. CPTs will try to lock out the actors by changing credentials and passwords, a painstaking process of looking at all corners of the network, all legitimate users and credentials.
With the latest breach, the actors were so stealthy they succeeded in masking their activity to look like a legitimate user. This is where a hunter has to know network processes inside and out, including what servers are running and what level of system is running those processes. Their forensics process might take them deep into network logs to analyze.
These hunters carefully look for the slightest anomalous behavior. That skill is the benefit, many sources said, of training cyber warriors to joint standards to learn offense and defense.
“The time that you spent trying to work on a network as an offensive person is going to help you understand where you might want to look defensively,” said Andrew Hall, a retired Army colonel who directed the Army Cyber Institute and teaches cybersecurity at Marymount University. “Now, they might use different techniques than you, so you’re probably not going to find the exact same thing as you, but you think of it from both sides. You think of it as a defender, you think of it as an offensive person.”
However, the reach of the recent hack makes it difficult for hunters to know where to look. Given the wide use of the vulnerable software within the government and DoD — and how well the actor stayed hidden — experts have said uncovering the extent of the any damage could take months.
Mark Pomerleau is a reporter for C4ISRNET and Fifth Domain.