Endgame tracks down adversaries in AF Red Flag exercise
- By Mark Pomerleau
- Mar 15, 2016
In the world of cybersecurity, threat detection is only half the battle. The real trick is eradicating discovered compromises in the network. Security staff must be able to automate the hunt for vulnerabilities, detect and track threats that have penetrated the network and eliminate adversaries once found.
According to Endgame CEO Nate Fick, the continuous effort to detect and eliminate sophisticated adversaries in enterprise critical infrastructure can be described as a hunt cycle: surveying the critical assets worth protecting, securing ground to prevent further damage, detecting adversary techniques – not just the tools – and responding with precision so as not to disrupt the business process.
The Endgame cyber operations platform was tested at two recent Air Force Red Flag exercises, which are large-scale training events designed to simulate full combat operations, including cyber operations.
Endgame takes a three-pronged approach toward network defense: “stealth operation, multistage detection and precision response,” Fick said. “We can deploy these stealth sensors to operate with zero detectable persistence. They operate covertly, they have minimal network impact and they give customers full visibility then into adversary activity.”
With multistage detection, Endgame “can eliminate entire classes of adversary behavior,” Fick said. “We can prevent process injection -- one of the ways adversaries land on the box. We can then prevent lateral movement…[and] we can prevent privilege escalation,” which is how adversaries attempt to move up the stack.
In terms of precision response, Fick said, “there are plenty of tools out there that will tell you you’ve got a lion in your house, but they don’t empower you to do anything about the lion.” Endgame has “precision response action built into it, and you can isolate devices, you can terminate adversary activity…or you can just observe.”
Today, enterprises are operating in the third generation of cybersecurity, according to Fick. The first generation focused on perimeter security, in which defenses were simply built around the network. Once administrators accepted that threats were getting past these defenses, the approach shifted to matching activity against a library of known threats. This second-generation strategy had no predictive aspect, however, which gave birth to the third generation of cybersecurity -- applying analytics.
Endgame was invited to the past two Red Flag exercises, working with both offensive and defensive teams. Last year, the Endgame-equipped red team’s near-peer capabilities performed so well that de-briefers said the red teams knew the networks better than the blue teams, according to Fick. This success led to a repeat invitation, but this year, Endgame armed the blue cyber protection teams. “Several days into the exercise they actually had to turn the Endgame capabilities off because the red team wasn’t getting enough training done,” Fick said. "We were blocking them from doing their jobs."
Endgame is in talks with the Air Force, other service branches, the Defense Department, civilian agencies and the intelligence community for future deployment of the cybersecurity platform.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.