Easily deployable and interconnected cyber toolbox for defence use


(EDIDP-CSAMN-EDICT-2020) - EASILY DEPLOYABLE AND INTERCONNECTED CYBER TOOLBOX FOR DEFENCE USE

Programme: European Defence Industrial Development Programme
Call: Cyber situational awareness and defence capabilities, defence networks and technologies for secure communication and information sharing EU

Topic description

Specific Challenge:

The main challenge is to create a new generation of mobile cyber toolbox to be used by cyber rapid response teams (CRRTs) to manage cyber incidents (detect, investigate and remedy hostile activities) in the defence field, as well as in government environments and critical information infrastructure.

Usually, CRRTs are deployed as mobile teams to deal with cyber incidents on the affected organization's premises or from remote locations, possibly with limited access to secure communication means. In the modern environment, the dependence of military operations on civilian infrastructure (including industrial systems) and civilian solutions is also growing rapidly with emerging technologies such as 5G and IoT (Internet of Things).

Although there are many rapid response initiatives and many rapid response teams formed in both civilian and military organizations, they have limitations. These teams are usually able to operate only in common enterprise environments (e.g. Microsoft and Linux based environments), have limited capabilities for specialized systems, or are dedicated to working only in their organizations’ internal networks. Therefore, these teams lack the skills and tools to operate in multi-site and multi-organization environments. Moreover, they are restricted to working in their own networks by legal constraints and technological means.

Currently, a number of home-grown and relatively well-established tools and training – both commercial and open source – are available. Large companies active in cybersecurity have also built cyber toolboxes for internal and external use.

These toolsets are, however, best suited to relatively conventional scenarios and may not be convenient to use or highly effective in transnational military and government environments.

Some of the limitations include:

  • the packaging and architecture of such solutions, the integration with back-office investigation capabilities and the ability to face narrow network bandwidth;
  • the stealthiness of the deployed tools on potentially compromised networks;
  • the ability to face other, non-traditional types of systems, such as industrial control systems and SCADA (Supervisory control and data acquisition).

Scope:

The proposals must address the development of capabilities for CRRTs to manage cyber incidents effectively in the various above-mentioned environments and fields.

These capabilities (hardware and software) must be integrated smoothly and comprehensively in an easily deployable (including via commercial airlines) cyber toolbox.

The toolbox must address the following areas:

Data collection, reporting, and reach back

  • Stealthy data collection tools on potentially affected systems;
  • Ticketing system;
  • Communication platform;
  • Big data exchange platform;
  • IoC (Indicator of compromise) sharing platform.

Monitoring, log aggregation

  • Firewalls, IDS (Intrusion detection system)/IPS (Intrusion prevention system), including required network interface adapters, duplicators, taps, etc.;
  • Data collection tools and SIEM (Security information and event management);
  • Operating system scanning, including deep and proven boot sanity checks of various Windows, Mac OS and Linux distributions, including in virtualized environments;
  • Firmware scanning (USB, Ethernet, and WiFi-based).

Analysis and forensics capability

  • Analysis of the deployable tool output, including the analysis of acquired images and network traffic;
  • Fast, configurable data lake for logs and network activity analysis;
  • Connection with cyber threat intelligence.

ICS/SCADA capability

  • Tools required for data collection and analysis in industrial environments, addressing the most common ICS/SCADA elements’ manufacturers, protocols, interfaces, etc.

Vulnerability assessments and penetration testing capability

  • Tools (hardware and software) for vulnerability assessment and penetration testing.

Targeted activities

The proposals must cover the study, design, prototyping and testing of the cyber toolbox, not excluding downstream activities.

The targeted activities must in particular include:

  • the review of the typical current capability of a CRRT, the activities such a team performs, and the types of automated support that such a team needs. This must consider, among other things:
    • the possible functional gaps in current toolsets;
    • the impact of virtualized/cloud type environments on tool deployment and scalability;
    • the extent to which integration of different tools might simplify operator tasks and improve the effectiveness of a deployment;
    • the definition of a process to manage the evolution of the tools among many participating entities.
  • the review of the implications of operating in widely distributed and interoperable environments, in particular considering how CRRTs operate in constrained environments such as the military deployed environment;
  • the review of advanced team operating models that enable collaborative distributed activity, which is critically necessary to contain or manage large-scale attacks and to enable mission assurance, taking into account need-to-know/need-to-share questions and communications with command and control systems;
  • based on these analyses, identification of specific enhancements that must be made to current generation toolsets, processes and practices;
  • the design, prototyping and testing of a new generation toolset implementing these enhancements;
  • exercises to inform operating processes and practices across the full operating domain;
  • collective exercises (i.e. across multiple sites/systems/teams) to further develop operating processes and practices.

Main high-level requirements

The toolbox should consist of four principal parts:

1) Workplace. Laptops with the appropriate software.

2) Sensors. Deployable network sensors, including data collection interfaces.

3) Back-office infrastructure. Back-office infrastructure and services.

4) Cloud. Cloud services, SaaS tools, commercial data feeds.

1. Workplace

  • The workplace should consist of a set of identically prepared laptops, provided together with additional accessories, like external hard drives, taps, duplicators, interfaces, cables, adaptors, and specific forensic tools (such as Tableau hardware);
  • Laptops should contain all required software for identified CRRT tasks, including, but not limited to, incident handling, monitoring, forensics, vulnerability assessment, penetration testing, back-office communication;
  • Software for monitoring, log collection, and analysis of ICS (Industrial control system)/SCADA environments, covering at least the 20 most popular ICS/SCADA protocols should be provided;
  • A virtualization environment should be installed for running virtual machines. If specific applications need Linux or other OS, they should be prepared inside appropriate virtual machines.

2. Sensors

  • Deployable sensors should be provided for collecting network traffic;
  • A sensor should be composed of one or more servers, routers, switches, duplicators, taps, adapters, interfaces, and other hardware accessories for connecting to various networks and infrastructures;
  • Everything should be fitted into an easily transportable, ruggedized box/frame. The box weight and dimensions should allow it to be transportable by commercial airlines;
  • The toolbox should contain two identical sensors (for redundancy, training, and testing).

3. Back-office infrastructure

  • The back-office infrastructure consists of one or more servers and data storage to be installed in a central (home) location. It is meant to provide required services for the CRRT:
    • IoC (Indicators of compromise) sharing platform (e.g. MISP (Malware information sharing platform));
    • Ticketing system (e.g. RTIR (Request tracker for incident response));
    • Communication platform (e.g. MatterMost);
    • Big data exchange platform (e.g. NextCloud);
    • Collaboration platform (e.g. GitLab, Confluence);
    • Git repository (e.g. GitLab);
  • Infrastructure should support the ability to install other required tools and services.

4. Cloud

  • Cloud should be understood as a set of cloud services and commercial SaaS tools.
  • This should at a minimum include:
    • commercial data feeds;
    • commercial signatures for sensors;
    • threat intelligence platform.

Other common requirements for the toolbox

  • Modular structure. Components should be able to work independently and to be removed or replaced;
  • The toolbox should be based on open standards and common best practices to facilitate interoperability with existing national cybersecurity systems, including, but not limited to, cyber situation awareness, cyber threat intelligence, and command and control platforms. This means using common open import/export formats, existing interfaces, and the use of APIs throughout individual tools;
  • Deployable tools on a potentially compromised network and systems should be stealthy and auditable;
  • Analysis of collected data should be able to be done both manually and automatically;
  • The proposed solution should consist of necessary hardware and software for online and offline investigation;
  • The toolbox should be able to provide the analysts with an autonomous capability (analyse the collected data on a deployable system), while being able to interconnect with back-office in different network availability conditions, to get threat intelligence, send analysis results, etc.;
  • The proposed solution should provide dynamic, scalable, and resilient solutions, capable of easily integrating all the actors and nodes involved in each mission;
  • The proposed solution should allow rapid installation (for example, on new servers or new laptops), restoring/reverting, administration and operation;
  • Toolbox (workplaces, sensors) should be easily deployable overseas, including via commercial airlines;
  • The proposed solution should include training materials sized for not less than 120 hours of appropriate training;
  • Delivery of the project – a fully functioning, ready-to-use toolbox.

Expected Impact:

  • Developing new generation tools and procedures for defensive cyber operations in any operational context;
  • Improving readiness and response capability for unconventional cyber-attacks in the Member States;
  • Improving cyber incident prevention, mitigation, investigation and reporting capabilities in the Member States for large-scale cyber-attacks impacting both civilian and military environments;
  • Supporting the development of Member States’ cyber defence capabilities and decision-making in cyber emergencies.
