A new public-private partnership recently concluded its first hackathon-type rapid prototype event to help discover new techniques or tools that can be applied to problems or challenges facing U.S. Cyber Command.
“The Chameleon and the Snake” took place in late September and targeted “malware signature diversity and signature measurement for Microsoft Windows … in a simulated operational environment at a realistic pace.”
The event was hosted by DreamPort, run by the Maryland Innovation and Security Institute through a partnership intermediary agreement with Cyber Command. DreamPort is billed as the cyber version of SOFWERX, the public-private partnership run through Special Operations Command to foster greater innovation for rapid solutions.
The notion of DreamPort is to create an innovative, sandboxed environment in a state-of-the-art facility where companies can demonstrate capabilities to help inform Cyber Command as to what industry or academia are developing.
“If you have capability and [the government] want to kick the tires on it more — [but] you don’t have the cleared folks, you don’t have the folks that can actually go in and work with the operators directly — we can bring it in there,” Karl Gumtow, DreamPort director and CEO of the Maryland Innovation and Security Institute, said during a Sept. 6 event in Washington.
For the Chameleon and the Snake, offensive participants were challenged to create — either through integration, enhancement or from scratch — a single tool to alter the signature of an operational tool for Windows without changing functionality. Defensive participants were challenged to create — either through integration, enhancement or from scratch — a single tool for fully automating the classification of an unknown Windows executable as malware/benign, variant of known sample, attributed to known group.
While no specific contracts may come out of each rapid prototyping event, a Cyber Command spokesman told Fifth Domain that the events can form the basis for follow-on contracts if capabilities meet a current and funded mission need. Moreover, the events can be used to drive future investment strategies for capabilities, they said, adding there is not currently a follow-on acquisition from the most recent rapid prototyping event.
Cyber Command has been touting a broader, more robust partnership with industry and academia as a means of greater defensibility.
“We work with partners consistently to ensure that they adapt — adapt in their technologies, their tools and their approaches,” Gen. Paul Nakasone, commander of Cyber Command, said during a speech at the beginning of October.
“This idea of a posture of persistent innovation across all our partnerships is critical to counter our adversaries.”
Cyber Command’s deputy commander, Lt. Gen. Vincent Stewart, told Congress in September that the command has learned over the past year or so that growing the force demands persistent engagement, persistent presence and a persistent innovative spirit. Failure to do any of the above means DoD can never compete against near-peer competitors in cyberspace.
Northrop Grumman announced its team was a winner at the Chameleon and the Snake in the defensive component while a release from Draper, a nonprofit entity, announced its team was a winner in the offensive component.
The Northrop team was able to “rapidly prototype a malware detection and attribution capability, and use it to accurately measure and attribute malware signatures,” a release from the company said.
The Draper team developed a malware-evasion prototype designed to avoid automated and manual malware detection, making it difficult for both human analysts and automated analyses to detect it.
“The team’s Twisted Mirror framework is specially designed to allow various obfuscation techniques to be chained together to create a compounding effect, increasing the difficulty to manually or automatically analyze or deobfuscate binaries,” a release from Draper said.
The next rapid prototyping event hosted by DreamPort will be in December 2018 and will challenge participants to implement an automated process to interact with a Windows machine as humans do. They will be charged with trying to fool a human judge monitoring target computers via Remote Desktop Protocol or Virtual Network Computing into thinking a normal user is interacting with that machine and not an automated program or process.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.