Australia can’t expect to be an expert in all areas of IT security and instead must pick niche areas such as hardware security and autonomous cyber defence to excel in, according to the Defence Science and Technology Group's head of cyber research.
Mike Davies, research leader of the cyber assurance and operations unit of the DSTG (the primary IT and communications security branch within the agency), today addressed the Building Cyber Resilience conference in Sydney on the state of cyber security in Australia.
The current problem, Davies said, is that attackers are calling the shots, meaning defenders are losing the war.
“We develop new countermeasures, tools and techniques to combat the threat ... but the problem is that the threat actors do the same,” he said.
“So you end up in the situation where typically we’re always behind the eight ball. The challenge for us as a community is how we decrease the chance that we are just making incremental improvements on defence and increase the likelihood that we get an edge on the threats out there.”
The key to success, according to Davies, is specialising in key areas.
“We’re not going to be world-class at everything. I think we need to pick niche areas and grow those capabilities really well,” he said.
“Cyber security is such a huge field, we really need to be focused.”
The DSTG's cyber unit forecasts and prototypes advanced types of adversarial software and hardware, demonstrates their likely appearance and effect, and develops techniques to disclose and counter the presence of such threats.
It works in conjunction with the Australian Signals Directorate and the Australian Cyber Security Centre, and also develops tools and methods to discover and fix vulnerabilities, including more recently in solutions for autonomous cyber defence and resilient and trustworthy ICT.
Becoming an expert in niche areas
At the moment, a lot of the cyber unit's work is focused on intrusion detection and response, Davies said.
The office has refocused its emphasis on vulnerability discovery in recent times after being concerned the DSTG would lag behind industry on the issue.
“I was concerned we would be just a bit player, just a drop in the ocean in terms of what industry are doing,” Davies said.
“So we’ve rebalanced our emphasis on vulnerability discovery, where we try to find the flaws and predispositions in our systems before they get exploited by others.”
In order to discover and identify flaws in technology before malicious actors do, the DSTG is utilising the ‘fuzzing’ technique long popular with hackers and industry, whereby systems are bombarded with a range of malformed and unexpected inputs to determine where weaknesses lie.
But discovering flaws in hardware and software is just one of three related key areas Davies’ team is zeroing in on.
Davies thinks autonomous cyber defence and trustworthy ICT have the potential to significantly shake up the sector.
Most of the IT security products relied on by end users today assume that the underlying hardware is trustworthy, Davies said.
But in reality hardware is exposed to a range of vulnerabilities, and this has the Prime Minister and Cabinet (PMC), the primary source of advice on government and parliamentary policy, worried.
“One concern of the PMC is the security of our ICT supply chain. We procure hardware from a range of countries and sources that we have to trust, but if you look at that supply chain there’s a range of opportunities from design to manufacture to supply to maintenance and even disposal for hardware trojans,” Davies said.
“Implants embedded in hardware ... that allow an adversary to gain a presence on your systems that can be triggered at will and can do a range of things from degrading systems to complete denial of service attacks.”
Australia doesn't have the industrial and economic capacity to have trusted foundries (centralised procurement of credited hardware), according to Davies.
So the DSTG is working to develop a "trustworthy computing basis" in collaboration with NICTA, which would involve a "very small hardware footprint that is very easy to credit with trusted software logic".
DSTG will provide “award-winning hardware approaches” and NICTA will supply trusted seL4 software kernels. The end goal is to have the capability to assume hardware is compromised and act accordingly.
The office has also built a “digital video guard” - a small hardware security peripheral that acts as a hardware trojan countermeasure.
The product is inserted between a host computer and a display and allows the contents of a known video signal to be trusted.
Davies believes autonomous cyber defence is similarly emerging as a key area of focus.
His team is currently working on a project called ‘Hinder’ that involves agents working within systems 24/7 to continually probe for weaknesses and fix any they discover.
“It’s about being able to respond within seconds of things happening, and being able to adapt and be resilient for threats,” Davies said.
“At the moment we put in anti-virus platforms and firewalls and they sit there until there’s a threat and we react. How many times do we hear of compromises in our systems that sit there for months before they are detected?”
It’s a new area for the DSTG, Davies said, but the agency wants to have some autonomous cyber defence capacity running on its research networks within the next five years.
These software agents would be able to, for example, “see a particular vulnerability path for a particular server, or see a route is misconfigured”.
“They might discover a user has temporarily disabled application whitelisting to test a new product, or that during the night the firewall has upgraded and disabled certain important functions in systems,” Davies said.
“The agents would detect all that, shut down systems, repair them and bring them back, or even clone them to understand what’s going on.”
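To make the detect-and-repair loop Davies describes concrete, here is a toy configuration-drift check written for this article; it is not DSTG or Hinder code. It assumes a host's security controls can be read as a flat key/value snapshot, compares that snapshot with a known-good baseline, and restores preventive controls it is allowed to fix itself while leaving other drift (such as a changed route) for a human to review. The control names and values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: the controls a host on the research network is expected to keep.
BASELINE = {
    "application_whitelisting": "enforced",
    "firewall.inbound_default": "deny",
    "firewall.logging": "enabled",
    "routes.10.0.0.0/8": "via 10.0.0.1",
}

@dataclass(frozen=True)
class Finding:
    control: str
    expected: str
    observed: str
    action: str  # "isolate_and_repair" for lost preventive controls, else "alert"

def planned_action(control: str) -> str:
    """Hosts that lose a preventive control are taken offline and repaired; other
    drift (e.g. a suspicious route) is raised for a human to look at first."""
    if control.startswith(("application_whitelisting", "firewall.")):
        return "isolate_and_repair"
    return "alert"

def check_drift(snapshot: dict, baseline: dict = BASELINE) -> list:
    """One Finding per control that is missing from, or differs from, the baseline."""
    findings = []
    for control, expected in baseline.items():
        observed = snapshot.get(control, "<missing>")
        if observed != expected:
            findings.append(Finding(control, expected, observed, planned_action(control)))
    return findings

def repair(snapshot: dict, findings: list) -> dict:
    """Return the snapshot with baseline values restored for every finding the
    agent is allowed to fix itself; alert-only findings are left for review."""
    fixed = dict(snapshot)
    for f in findings:
        if f.action == "isolate_and_repair":
            fixed[f.control] = f.expected
    return fixed

# Constructed snapshot reproducing the cases Davies lists: whitelisting switched off,
# a firewall upgrade that disabled logging, and a misconfigured route.
SAMPLE_SNAPSHOT = {
    "application_whitelisting": "audit_only",
    "firewall.inbound_default": "deny",
    "firewall.logging": "disabled",
    "routes.10.0.0.0/8": "via 192.0.2.1",
}
```

Running `check_drift(SAMPLE_SNAPSHOT)` yields three findings; after `repair` only the route change remains, because the agent is not allowed to rewrite routing on its own.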