Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team - - PowerPoint PPT Presentation



SLIDE 1

Certification and Standards for Army Blue Teams

Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office Lead
Rolando Lopez - Lead Computer Engineer

Ensuring Cyber Resiliency In All Phases of Acquisition

SLIDE 2

The Cybersecurity Challenge in Acquisitions

  • Cyber Blue Team Events
  • Risk Management Framework (RMF)
  • Cyber Red Team Events

How a Typical Weapon System Program Lifecycle Looks Today

SLIDE 3

The Cybersecurity Gaps

Policy/ Process/ Execution Gaps

  • Compliance with RMF has not ensured cyber-secure systems
  • Cyber Red Teams have been effective, but identifying vulnerabilities late in the acquisition lifecycle is problematic
  • No strict certification and standardization requirements for Blue Teams (like there are for Red Teams) - PMs turn to whomever they can get to provide cooperative cybersecurity support
  • No mature or easily accessible central source for identified vulnerabilities and lessons learned
  • No centralized mechanism for reporting or communicating cybersecurity team activities

SLIDE 4

Current Army Acquisition Cyber Team Comparison

Blue Team

  • Insider
  • Cooperative
  • Broad Focus
  • As Early/Often as Possible

Red Team (NSA Certified)

  • Outsider
  • Adversarial
  • Threat Representative
  • Late in the Acquisition Cycle

SLIDE 5

Cyber Acquisition Blue Team (CABT) Guiding Definition

The definition at the core of CABT Management Office’s certified Blue Team is as follows:

A group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture.

The mission of Cyber Acquisition Blue Teams is to:

  • Identify security threats and risks in the operating environment.
  • Analyze network environments and their current state of security readiness.
  • Provide recommendations that integrate into an overall community security solution, increasing the customer's cybersecurity readiness posture.

Source: CNSSI 4009, “Committee on National Security Systems (CNSS) Glossary,” APR 2015

SLIDE 6

CABT - Concept of Support

General Cybersecurity Information to PM’s

  • Cyber SMEs habitually aligned, always on call
  • Advise and assist throughout the entire lifecycle
  • Can apply lessons learned from entire Blue Team community

Cyber Blue Team Events

  • Vulnerability assessments
  • Formal and informal testing
  • Present PM with mitigation options
  • Provide PM with solid information to assess risk

Central Vulnerability Aggregation & Analysis

  • Vulnerabilities centrally collected and analyzed
  • Identify trends and lessons learned
  • Pulled from programs across the Army in addition to public and Intel sources

Assistance Early in Acquisition Lifecycle

  • Incorporate cybersecurity in program plans and documents
  • Assist with contract language
  • Cyber Tabletop facilitation and participation
  • Advise on supply chain risks

Information Sharing & Cyber Trends Reporting

  • Trends and lessons learned reporting
  • Information on Blue Team capabilities
  • Readily and easily available to PMs/PEOs
  • Sharing of tools, TTPs, SOPs, etc.

SME: Subject Matter Expert; TTP: Tactics, Techniques and Procedures; SOP: Standing Operating Procedures

SLIDE 7

CABT Management Office - Lines of Effort

Lines of effort: INFORM, ENABLE, CERTIFY, POLICY & DOCTRINE

  • Certification & Standards Manual
  • Evaluator Scoring Metrics
  • Guidebooks, Handbooks, and SOPs
  • Certification Evaluation Teams
  • CABT Certification Events
  • Re-Certifications, Spot Checks & Revocations
  • Facilitate Sharing of Information, Tools, TTPs, SOPs, Best Practices, etc.
  • Quarterly Trends Reporting to ASA(ALT)
  • Gather Data, Synthesize Lessons Learned, Educate and Connect PMs, CABTs
  • CABT Portal, Lessons Learned Repository, C3D, etc.

SLIDE 8

CABT Certification Process

Actors: Blue Team Candidate Organization, Certified CABTs, NSA-Certified Red Teams, CABT Management Office

Phases: PREPARATION, APPLICATION, VERIFICATION, VALIDATION, POST-CERTIFICATION

Blue Team Candidate Organization

  • Secure funding, personnel, facilities and admin support
  • Create policies, procedures
  • Establish training program
  • Prepare application package
  • Register to CABT Portal
  • Conduct self-assessment
  • Submit application package
  • Adjust and resubmit as necessary
  • Coordinate for on-site evaluation
  • Fund and host on-site evaluation
  • Provide documentation and access to facilities
  • Provide personnel for interviews and demonstrations
  • Create POA&M for all uncorrected deficiencies
  • Execute deficiency POA&M
  • Support re-evaluation as needed
  • Receive certification memo signed by the Certifying Official

CABT Management Office

  • Manage certification processes, standards, and systems
  • Provide standards, checklists, examples
  • Provide information access, clarification
  • Facilitate training opportunities
  • Form evaluation team and review application package
  • Provide constructive feedback on any non-concurrence issues
  • Coordinate on-site evaluation with team and candidate
  • Conduct on-site evaluation: In-brief, interviews, analysis, completion of scoring matrix, spot corrections, and out-brief
  • Provide deficiency report, review POA&M
  • Re-evaluate as needed
  • Prepare and route certification memorandum to Certifying Authority
  • Provide signed certification memo to candidate, keep copies
  • Track Blue Team activities
  • Conduct spot checks for adherence to standards
  • Review annual self-assessment
  • Conduct recertification every 3 years

Certified CABTs and NSA-Certified Red Teams (supporting roles; one bullet per phase column of the original matrix)

  • Assist providing training, lessons learned, ride-alongs, documents, etc.
  • Provide personnel to support Certification Evaluation Team as needed
  • Provide personnel to support Certification Evaluation Team as needed
  • Advise, assist & support regarding open network activities
  • Assist providing training, lessons learned, ride-alongs, documents, etc.
  • Provide personnel to support Certification Evaluation Team as needed
  • Provide personnel to support Certification Evaluation Team as needed

CERTIFIED (candidate organization after certification)

  • Adhere to standards
  • Support CABT-MO Lessons Learned process
  • Actively share information & tools w/community
  • Annual self-assessment
  • Full recertification every 3 years

SLIDE 9

Evaluation Scoring Metrics

  • The ESM is the scoring document used by the Certification Evaluation Team (CET) during the execution of a CABT certification assessment.
    − The ESM serves to inform the decision to certify a Candidate CABT and accompanies the CABT Management Office’s recommendation for/against certification to the Certifying Authority.
  • The ESM contains:
    − High-level rules/guidance that the CET members should follow during an assessment;
    − 118 prioritized (I, II, III) evaluation items in Question-Answer format; and
    − Minimum Requirement statements that further define the expected “answers” to each ESM item that the CET members are seeking.

SLIDE 10

Lessons Learned Initiative

  • Aggregating vulnerabilities can cause issues
  • Repository of system vulnerabilities can increase classification
  • Analyze data from Blue Team events to derive and share trends & lessons learned
    − Meets the intent without all the issues of a vulnerabilities repository
    − “Sanitize” data to safeguard system anonymity
    − Utilize other means (e.g., CABT Portal, C3D, etc.) for the sharing of tools, CABT info, and other subjects of interest
    − Soliciting feedback from PMs and prospective blue teams

SLIDE 11

Organizational and Personnel Blue Team Standards

Bridging from Blue Team Organizational Standards Assessment to Blue Team Personnel Standards Assessment

  • Currently, a Blue Team is assessed at the organizational level by the Evaluator Scoring Metrics (ESM) when undergoing the certification process.
  • As the certified Blue Team community matures in capability, we would like to assess the effectiveness of the Blue Teams’ personnel training programs to ensure competence of individual Blue Team members.
  • This approach requires striking a delicate balance between the need to standardize a baseline level of individual competence and the need to provide Blue Team organizations the agility to maintain their respective mission-centric training programs.

SLIDE 12

Future Efforts

Assess Blue Team Personnel Standards Using a Cybersecurity Capture-the-Flag (CTF) Event

  • Map the ESM items to well-vetted Knowledge, Skills, and Abilities (KSAs).
    − Sources include: NIST NICE Framework
    − Conduct a gap analysis and create additional KSAs as required to ensure 100% coverage of the ESM items
  • Create a Cybersecurity CTF event which assesses the skills and abilities of participating Blue Team members.
    − Individual objectives for capturing flags can be tailored to personnel skill levels (e.g., Apprentice, Journeyman, Master/Lead)
    − Pilot the CTF on the DoD National Cyber Range and host it on the U.S. Army’s Persistent Cyber Training Environment (PCTE) platform

SLIDE 13

SLIDE 14

SLIDE 15

Blue Team Definitions

Two Definitions:

1. The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team).

  • Defends against real or simulated attacks.
  • Conducted as part of an operational exercise.
  • Conducted according to rules established and monitored by a neutral team.

2. A group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture.

  • Identifies security threats and risks in the operating environment.
  • Analyzes the network environment and its current state of security readiness.
  • Provides recommendations that integrate into an overall community security solution to increase the customer's cybersecurity readiness posture.

Source: CNSSI 4009, “Committee on National Security Systems (CNSS) Glossary,” APR 2015

SLIDE 16

ESM Structure and Format

  • Total ESM items: 118
  • ESM Item Counts (by Section):
    − Section 2, Documentation Review: 62
    − Section 3, Verification Tasks: 28
    − Section 4, Performance Tasks (emphasis on pen testing): 28
  • ESM Item Counts (by Priority):
    − Priority I: 45
    − Priority II: 52
    − Priority III: 21

SLIDE 17

Overview of ESM Structure and Format

“Document Review” ESM Item Example:

SLIDE 18

Overview of ESM Structure and Format, cont’d

“Verification Tasks” ESM Item Example:

SLIDE 19

Overview of ESM Structure and Format, cont’d

“Performance Tasks” ESM Item Example:

SLIDE 20

CABT Portal

Purpose: Streamline the certification process.

Phases: Registration, Application, Validation, Post Certification

  • Provides information on certification process
    − FAQs
    − Program Documents (e.g., CSM)
    − Registration Packet Instructions
    − Deadline Alerts (i.e., e-mail)
  • Stores/Archives
    − CABT Candidate Application
    − Certification Awards/Scorecards