N221-050 TITLE: Advanced Cyber Threat Hunting Toolkit for Deployed Tactical Platforms

OUSD (R&E) MODERNIZATION PRIORITY: Cybersecurity

TECHNOLOGY AREA(S): Ground / Sea Vehicles

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Develop an open architecture, modular cyber search, detection, attribution, and mitigation toolkit to directly support cyber threat hunt on tactical platforms.

DESCRIPTION: A necessary part of defense capabilities is the ability to detect highly advanced nation-state cyber implants and supply chain attacks within Defense systems. While evolving cyber adversary detection technologies have matured for enterprise mission and business systems, constrained tactical systems often lag behind the lifecycle of these capabilities. Unique standalone tools, supported by automation and machine-assisted decision making, are needed for deployment in austere tactical platform environments. U.S. Navy surface ship combat, weapon, navigation, and control systems are highly complex, heavily networked, and reliant upon core commercial technologies � making them susceptible to advanced cyber threats. Innovative solutions are needed to enable the search, detection, attribution, and mitigation of these advanced threats within these constrained systems.

Cyber threat hunting is reflected in current standards as a proactive search capability in specified organizational systems to detect, track, and disrupt advanced persistent threats. While emerging control system architectures support cyber hygiene and rudimentary defense and response, well-tailored cyber-attacks remain elusive to current detection technology. Reliance of next generation surface tactical platforms on technology for combat systems and navigation functions with growing concerns of cyberattacks at sea demonstrates the need for advanced tools that can be used in constrained environments.

The Navy seeks an open architecture, modular cyber search, detection, attribution, and mitigation toolkit that will be deployed as a standalone capability and scalable to work within a larger system of systems distributed platform or tiered architecture. The envisioned solution will leverage the detection and response capabilities planned for employment on U.S. Navy surface ships. It will allow for automated and semi-automated operation supported by intelligent autonomy that does not require continuous connectivity to shore-based defensive cyber operations infrastructure. When connected to shore-based or distributed maritime operations infrastructure; threat intelligence including tactics, techniques, and procedures (TTPs) and observable attribution shall be shared for attack progression tracking and proactive mitigation. Favorable consideration will be given to solutions which include advanced malware threat hunting capabilities, applicability to distributed and underway environments, and conformance to DoD and U.S. Navy requirements for cybersecurity capability deployment(DoD Instruction Number 8500.01 dated March 14, 2014 with Incorporating Change 1 Effective October 7, 2019. Subject: Cybersecurity). The solution will be tested by the Government on a representative tactical system to validate its effectiveness. Testing will include identification of gaps to target specific, custom built technologies to address those gaps.

Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. Owned and Operated with no Foreign Influence as defined by DOD 5220.22-M, National Industrial Security Program Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Counterintelligence Security Agency (DCSA), formerly the Defense Security Service (DSS). The selected contractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances, in order to perform on advanced phases of this contract as set forth by DCSA and NAVSEA in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material IAW DoD 5220.22-M during the advance phases of this contract.

PHASE I: Develop a concept for an open architecture, modular cyber search, detection, attribution, and mitigation for a cyber-threat hunting toolkit. Demonstrate the concept can feasibly meet the parameters of the Description. Show feasibility through a combination of analysis, modelling, and simulation. The Phase I Option, if exercised, will include the initial design specifications and capabilities description to build a prototype solution in Phase II.

PHASE II: Develop, demonstrate, and deliver a prototype toolkit based on the results of Phase I. The prototype will be tested on a representative tactical system to validate effectiveness in meeting the Description parameters. Testing will include identification of gaps to target specific, custom built technologies to address those gaps.

It is probable that the work under this effort will be classified under Phase II (see Description section for details).

PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the technology to Navy use through one or more managed acquisition activities. The prototype is a toolkit of targeted cyber threat hunter tools for niche operational technology in tactical environments, specifically U.S. Navy surface tactical platforms. Assist technology transition through developmental and operational test of the technology under cooperative and adversarial assessment conditions in an operational test environment. The technology will be matured to include a forensic capability. During product maturation, assist in conducting appropriate cyber engineering to include a security risk assessment, test and evaluation (T&E), and ensure compliance with pertinent regulatory principles and best practices (i.e., National Institute of Standards (NIST) 800 series publications, Risk Management Framework (RMF), and Cybersecurity Technical Authority (CS TA) Standards). Product may be licensed for deployment to U.S. Government users for direct use and/or licensed to a Software Support Activity (SSA) for additional integration and sustainment support.

This technology will be useful by any software company that has a need to protect their applications from cyber-attacks.

REFERENCES:

1. Joint Task Force. "Security and Privacy Controls for Information Systems and Organizations." Gaithersburg, MD: National Institute of Standards and Technology, 2020. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.
2. Jacq, Olivier, Boudvin, Xavier, Brosset, David, Kermarrec, Yvon, and Simonin, Jacques. "Detecting and Hunting Cyberthreats in a Maritime Environment: Specification and Experimentation of a Maritime Cybersecurity Operations Centre," 2018 2nd Cyber Security in Networking Conference (CSNet), Paris, 2018. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8602669.
3. Haddadpajouh, Hamed, Mohtadi, Alireza, Dehghantanaha, Ali, Karimipour, Hadis, Lin, Xiaodong, and Choo, Kim-Kwang Raymond. "A Multi-Kernel and Meta-heuristic Feature Selection Approach for IoT Malware Threat Hunting in the Edge Layer." IEEE, 2020, pp. 1-9. https://ieeexplore.ieee.org/abstract/document/9205853.

KEYWORDS: Cyber Threat Hunting; Tactical Platform; Advanced Cyber Threats; Detection Technology; Cyber Attacks; Advanced Persistent Threats.