On the sidelines of #DEFAUS19, we caught up with SIG Jacob Greenberg, 138th Signal Squadron (Melbourne), and SIG Bryce Kendall-Robertson, 7th Signal Regiment (Toowoomba). The pair pitched a Gamified Exploitable Box they have developed and were awarded second place.
Samuel Cox (SC): Can you give readers the bottom line up front (BLUF) of your pitch?
Jacob Greenberg (JG): We developed a training aid to teach people who work in information security the discipline of vulnerability research and exploit development. This box also acts as an aptitude test, or skills identification tool, for people who are interested in performing cyber security for the Australian Army.
SC: What were you hoping to get out of pitching at #DEFAUS19?
Bryce Kendall-Robertson (BKR): We’ve already acquired funding from the 6th Brigade, so the main purpose was to connect with the wider Army and give more people the opportunity to use this product.
SC: Did you both have an interest and aptitude in this space before joining the Army? Or is this something that has been fostered and encouraged by Army?
BKR: I already had prior knowledge and some expertise. But the thing is, you can’t really define what ‘level’ someone is at because there is currently no gauge to measure them against. Every skillset is completely different, but we hope our product will help with this. However, by comparison to where I was years ago, Army has helped me take substantial steps forward. We’re talking leaps and bounds.
JG: I have a hobbyist background in information security. As a result, I posted to the 138th Signal Squadron straight from Initial Employment Training (IET). I have done vulnerability research, where I deep-dive into native applications that run on systems, identify flaws in them and find ways to weaponise those flaws. I have just completed the accelerated Defensive Cyber Training Course, which is the Army’s new cyber training continuum. It is acting as a prototype IET for the new cyber trade. The focus is solely on defensive cyber operations, but it has expanded my knowledge and skillset. But that journey won’t ever end; we all have to keep continuously learning.
SC: So your product is focused upon defensive cyber security?
JG: Yes. This tool teaches people to identify vulnerabilities in native software. The deciding factor between a ‘bug’ and a ‘vulnerability’ is its exploitability. So, when you audit software for a vulnerability, you want to be able to demonstrate that you can exploit it. That isn’t an offensive endeavour. You’re essentially doing what an adversary will do, but you’re doing it first and then hardening against it. Our Gamified Exploitable Box seeks to train that mindset. One way to think about this is wargaming. We’re adopting the OPFOR lens and identifying our flaws to prepare for warfare. This box has programmed flaws which you will need to exploit in order to break into it. These flaws are all custom designed by me; they’re unique and boutique, much like the proprietary systems you’d find in Defence. Defence proprietary systems don’t exist anywhere in enterprise, so if you were to use an enterprise-grade vulnerability scanner, like Nessus or OpenVAS, you’re not going to find anything scanning a Battle Management System terminal, for example. Such programs won’t be familiar with Defence’s boutique software. So, what I wanted to achieve with this box is teaching people to audit systems through a custom lens, as opposed to just using known vulnerability scanners that are ill-suited for the task.
SC: What are your hopes for where the Australian Army will go with cyber in the future? What do you want us to achieve? What are the goals you think we need to meet?
BKR: Firstly, a baseline level of knowledge across the Australian Defence Force. That doesn’t necessarily mean everyone using our tool, but everyone having a cyber security mindset. I’m not talking about another mandatory training PowerPoint brief to complement the social media brief every year. Equipment is vulnerable to exploitation, so we need to have a test and have a think. They can practise their skills offline on this box and then apply them to their job in order to identify where an adversary might get in on their network. Equipment like this box breeds conversation between people.
JG: As industrial control systems in armoured vehicles and air platforms start to become more and more connected, we’re going to see vulnerability to cyber attacks.
BKR: Cyber security should be treated like car insurance; you don’t see the value of it until your car is hit. We won’t truly understand the significance of investing in this capability until we’re attacked. Consider this: people tend not to care for cyber security until their phone is hacked and all their contacts and the messages and photos they have sent are taken. We exist in a blissful world where we think we’re safe. But we need to protect ourselves.
JG: Cyber is just another capability. It should be exciting if that is your interest or hobby from a technical perspective. But you should also be healthily aware that it is a potential method of attack and defence.
SIG Bryce Kendall-Robertson was a member of the 7th Signal Regiment team that recently won the Cyber Skills Challenge, a multi-agency, multi-national Capture the Flag (CTF) competition. Key participants included cyber specialists from the Australian Defence Force services, the Department of Defence, Australian Government agencies, FVEY partners, industry and academia.
#DEFAUS19 was held in Canberra from 30 Sep – 01 Oct 19.
FAQs and pitch guidance for #DEFAUS20 can be found here.
Join the @DEF_Aus conversation on Twitter by following #DEFAus20.
It helps to know what is happening when you challenge the accepted. 10in10 is an interview series designed to share insight into future-leaning work across the Australian profession of arms. One interview will be released every day for 10 days. You can find previous interviews here.
About the Author: Samuel J. Cox is the editor of Grounded Curiosity. You can follow him on Twitter via the handle @samuel_j_cox