Leveraging software emulation to root out hackers

Big data and automation tools help organizations fingerprint malicious online behavior.


Cyberattacks present an increasing threat to the United States across all sectors of government and commercial industry, from the battlefield to the factory floor, requiring a strong, holistic approach to cyber defense through active monitoring and modeling techniques.

Recent attacks, such as the Russian-backed espionage operation that compromised the build process of SolarWinds Inc.'s Orion software and reached its downstream customers, including at least nine federal agencies, and the ransomware attack on Colonial Pipeline Company, which halted fuel shipments to much of the U.S. East Coast for nearly a week, represent a grave threat to national security.

Defending against such attacks can be difficult, and recovering from an incident such as a ransomware lockdown can be almost impossible for smaller companies, explains Lee Chieffalo, technical director of cybersecurity operations at Viasat. Because many businesses can’t afford an in-house security team, they end up being more vulnerable to cyberattack, he said.

The growing digitization of the American workplace compounds these problems by increasing an organization’s attack surface. It also makes it difficult to return to paper-and-pencil operations if systems, data, and mission-critical capabilities are inaccessible. In many cases, organizations such as hospitals, which must keep certain critical systems running, have little choice but to give in to hackers’ demands.

“Do I stay down for weeks or months, unable to do anything, or do I just pay this ransom? It’s very profitable, very easy to do, and very hard for companies to recover from and fight off,” Chieffalo said.

Compounding this problem is the COVID-19 pandemic and the massive shift from office to home-based work, which requires extending corporate networks to individual workers' homes. With more people remotely accessing these extended networks, attackers have a greater surface area to exploit.

Connected networks are also an important way U.S. and allied forces operate on modern battlefields. While networked sensors and communications systems give commanders better situational awareness, they also create potential avenues for cyberattack. Chieffalo notes that the cyber domain is a major area of focus in military circles because it brings a powerful asymmetric warfare capability.

“Every major military in the world is trying to figure out how they can protect themselves as well as leverage it as an offensive capability,” Chieffalo explained.

Fighting back

One way to protect a network, especially for companies that can’t afford dedicated security teams, is to partner with an internet service provider or cybersecurity company to monitor their network traffic for unusual activity, said Nick Saunders, director of analytics with Viasat’s Cybersecurity Services.

Internet and communications service providers like Viasat augment their customers’ security by protecting their networks and alerting them if anything out of the ordinary is detected.

“We provide our customers a unique cybersecurity capability that enhances their connected experience, whether in an enterprise or tactical setting. This can be bundled as part of a wireless service package or as a stand-alone cyber capability,” Saunders said.

The volume of data Viasat handles for its customers provides unique access to vast amounts of cyber intelligence, monitoring over 2.4 billion network events daily. With the amount of data it manages and monitors, Saunders noted that the company is able to identify and characterize an incident or attack type, learn from it, and apply those lessons laterally to other customers and situations. Effectively, this mirrors the way attackers move laterally across victims by exploiting a weakness, but in a reverse, positive manner, he said.

The emulation toolbox

Emulation is a key weapon Viasat has in its arsenal to help customers. This takes several forms, from collecting data and creating digital “fingerprints” to identify cyberattack types and the groups behind them, to red team testing of networks and modeling outcomes for different types of defenses.

Viasat uses the data it pulls in from the networks it supports and monitors to build a behavioral library of different threat types and groups, explains Jessica O’Bryan, the company’s Cyber Threat Intelligence and Threat Hunt Development lead. She adds that there are many open-source threat intelligence reports commercially available and that everyone — the good guys and bad guys — has access to them. But she said Viasat goes one step further by building adversary behavioral threat profiles that have never been published.

Besides creating a behavioral threat library, another of Viasat’s advantages is that it is an internet service provider. This is important because it provides access to vast amounts of traffic and cyber events; this enables the company to capture events and validate and implement protection mechanisms before threats make it to Viasat’s customer networks, explains Saunders.

“We have a very wide aperture perspective on threats, from fixed terminals to aircraft and enterprise networks. We use our learnings and observations on one network to contextualize threats to a particular industry or attempts to affect a particular person,” Saunders said.

This bird’s-eye view of internet traffic lets Viasat collect data on how hackers operate and what tools they use, which in turn lets the company build new defenses that can be applied to all its customers.

Modeling threats and threat-hunting solutions

Part of building out these defenses involves threat modeling and threat hunting. One way to determine if new cyber defenses work is to try to hack them. Using red teams trained in offensive security and hacking techniques, Viasat can test and determine if the defenses it developed can withstand a cyberattack. Adversary emulation methodologies are used to determine whether detection systems work properly against a range of threats, explains Jonathan Wyatt, Viasat’s red team lead. Threat hunting techniques are also used to proactively determine whether an adversary has gained access to a network segment. The output of a threat hunt can be used to develop detection systems tuned to specific types of attacks.

Viasat’s analytical approaches undergo different stages, explains Saunders. One approach is for company data scientists to develop adversary behavioral detection tools that can identify a specific threat signature. Wyatt notes that this allows Viasat to sift through its network traffic in certain ways that permit better threat detection.

Once enough data has been collected through this process, it can be moved to a machine-learning model that can be used to develop a more refined security product, response, or alert that can be broadcast to analysts or other users.

“Once we achieve trust in that model, then we’ll deploy that into production and then watch it over time and monitor it and see if it’s still coming up with findings or if it needs to be tweaked and responded to,” Saunders said.
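The two ideas in the preceding paragraphs, a behavioral detector that keys on how an adversary acts rather than on a known indicator, and an adversary-emulation run that checks whether the detector actually fires, can be shown concretely. The following is an added illustration, not Viasat's code or tooling: it flags command-and-control beaconing from the timing and size regularity of connections, then mixes emulated implant check-ins into emulated browsing traffic and reports what the detector catches. All flow records are constructed inline, and the thresholds (eight flows, interval and size coefficient-of-variation limits) are assumptions tuned to the sample data, not published values.

```python
"""Behavioral beacon detector plus an adversary-emulation check.

Added example, not code from Viasat. Flow records are constructed below;
the thresholds are assumptions chosen for this sample data.
"""
import random
import statistics
from collections import defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: float      # seconds since epoch
    src: str
    dst: str
    nbytes: int


def detect_beacons(flows: Iterable[Flow], min_flows: int = 8,
                   max_interval_cv: float = 0.15,
                   max_size_cv: float = 0.25) -> dict:
    """Flag (src, dst) pairs whose connections recur at a near-constant
    interval with near-constant size: a behavioral signature of beaconing
    that does not require knowing the destination in advance.

    Returns {(src, dst): {"flows": n, "interval_cv": x, "size_cv": y}}.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = {}
    for pair, recs in by_pair.items():
        if len(recs) < max(min_flows, 3):      # need >= 2 intervals
            continue
        recs.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(recs, recs[1:])]
        sizes = [f.nbytes for f in recs]
        mean_interval = statistics.mean(intervals)
        if mean_interval <= 0:                  # duplicate timestamps
            continue
        interval_cv = statistics.pstdev(intervals) / mean_interval
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits[pair] = {"flows": len(recs),
                          "interval_cv": round(interval_cv, 3),
                          "size_cv": round(size_cv, 3)}
    return hits


def emulate_beacon(src, dst, period, jitter, count, rng, start=0.0):
    """Emulated implant check-ins: fixed period +/- jitter fraction and a
    small, near-constant payload. Constructed traffic, not a capture."""
    flows, t = [], start
    for _ in range(count):
        t += period * rng.uniform(1 - jitter, 1 + jitter)
        flows.append(Flow(t, src, dst, rng.randint(380, 420)))
    return flows


def emulate_browsing(src, dst, count, rng, start=0.0):
    """Emulated human browsing: bursty timing, widely varying sizes."""
    flows, t = [], start
    for _ in range(count):
        t += rng.expovariate(1 / 90)            # mean 90 s, high variance
        flows.append(Flow(t, src, dst, rng.randint(500, 200_000)))
    return flows


def run_emulation_check(jitter: float, seed: int = 7) -> dict:
    """Red-team style validation: mix one emulated beacon (hypothetical
    addresses) into benign traffic and return what the detector flags, so
    the caller can confirm the beacon is caught and browsing is not."""
    rng = random.Random(seed)
    traffic = (emulate_beacon("10.0.0.5", "203.0.113.9", 60, jitter, 30, rng)
               + emulate_browsing("10.0.0.5", "198.51.100.20", 30, rng)
               + emulate_browsing("10.0.0.7", "198.51.100.20", 30, rng))
    return detect_beacons(traffic)


if __name__ == "__main__":
    for j in (0.05, 0.5):
        print(f"jitter={j:.2f} -> flagged pairs: {sorted(run_emulation_check(j))}")
```

Running the check with 5% jitter flags only the beacon pair; rerunning with 50% jitter shows the same detector missing it, which is exactly the kind of gap an emulation exercise is meant to surface before the model is trusted in production.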

Once a problem is detected, response and remediation efforts will vary, depending on the customer. Some clients have arrangements where Viasat can help mitigate any problems caused by a cyberattack, but sometimes this isn’t possible with certain organizations, such as some government agencies where endpoints are managed by government entities.

However, in other circumstances, the company can step in and stop an attack on behalf of the client, said Chieffalo. “It’s truly customer-dependent on the case,” he explained, noting that one caveat to non-intervention would be if an attack posed direct harm to Viasat’s network.

Viasat: a unique history

Perhaps best known for its satellite communications products and services, Viasat began some three decades ago as a contractor supplying the Defense Department and other government agencies with its secure communications hardware. One of its specialties in this area, and something which it is still a market leader in, is encryption and information assurance.

Because Viasat’s equipment is designed to work over wide area networks and beyond line-of-sight connections, the shift to digital communications and the need to augment that with a layer of cybersecurity came naturally, explains Saunders. An important aspect of this is the end-user experience, especially when different pieces of equipment and cybersecurity software are working together.

“Sometimes it’s better to look at the whole picture and think about it from a holistic perspective. That’s how we’re approaching the cyber problem. You can’t have communications without security,” Saunders said.


Reprinted from SIGNAL Online, Aug. 2021 with permission of SIGNAL. Copyright 2021. All rights reserved.