By Light and FireEye incorporate threat intelligence into cyberspace attacks

By Light Professional IT Services and the intelligence-led security company, FireEye announced the integration of Mandiant Threat Intelligence within By Light’s Cyberoperations Enhanced Network and Training Simulators (CENTS).

The merged capabilities provide a unique platform to train defensive cyberspace operators against the most relevant malware tools threatening Department of Defense (DoD) networks today.

As today’s cyberspace landscape features an increasing number of well-funded, highly organized, and complex adversaries, the use of real-world threat intelligence in training and exercises has become crucial to defending effectively against cyberspace attacks.

Industry-leading Mandiant Threat Intelligence from FireEye provides Cyber Protection Teams (CPTs) an opportunity to experience how these adversaries operate. Furthermore, DoD opposing forces (OPFOR) can customize their attacks to provide the most complete and responsive training scenario available to the defenders.

By delivering captured and repurposed malware in the CENTS range environment – either on command or automated – the OPFOR can emulate malicious actors’ tactics, techniques, and procedures (TTPs).

“Through this integration with By Light, we are giving highly skilled outfits such as the U.S. Cyber Mission Forces (CMF) access to the tailored, proprietary data and intelligence they need to rapidly develop and deploy advanced capabilities,” said Ron Bushar, CTO of Government Solutions at FireEye.

“Within the custom command and control Mandiant Cyber Operations Platform (MCOP), teams can repurpose the very APT payloads to train the CMF in defensive cyberspace operations (DCO), alongside a Mandiant specialist, and supported by our FireEye Labs Advanced Reverse Engineering (FLARE) team. The realism and training impact behind these attack scenarios is truly unmatched.”

“By Light’s expanded relationship with FireEye underlines our commitment to increasing the realism and training opportunities of the range environment,” said Tim Grattan, Senior Vice President, Cyberspace Operations, By Light Professional IT Services.

“Integrating best-in-breed Mandiant Threat Intelligence into CENTS allows us to better prepare CPTs, local cyberspace defenders, and students to detect and respond to these attacks.”

Within CENTS, an attack is based on a real-world threat actor or group (e.g., APT3, APT10, Emotet) and uses captured malware to emulate the specific threat.

To support collective training events and exercises, these attacks are enriched with Mandiant Threat Intelligence and occur as part of multiphase plans that form the basis for adversary campaigns against U.S. networks and infrastructure.

By Light and FireEye further contextualize the threat activity by coupling the attacks with enemy objectives and success criteria. All malware is contained within the safety of a cyberspace range customized by the user to reflect the operational environment.

By Light customers can use APT cyberspace attacks on the CENTS platform for a variety of training purposes:

• Observe attacks: CENTS users can launch an attack to test sensor detection capabilities, rehearse incident response actions, and identify indications and warnings associated with an attack.
• Evolution of threat: CENTS allows users to modify the training environment and vary existing attacks to study the APT’s tradecraft and likely courses of action.
• Mission rehearsal: Range builders using CENTS can overlay various APT attack plans to teach, train, and assess cyberspace professionals using the threat actor’s TTPs and to prepare them for upcoming missions.
• Operational technology (OT) and industrial control systems (ICS): CENTS begins at Layer 2 and enables IP addressable mission systems and ICS to be added on the fly. Extend the range with unit kits or OT networks to test mission systems and defend ICS.