The Department of Defense (DOD) has taken a bold step in addressing the need for more innovation and capabilities in fighting modern adversaries. Deputy Secretary of Defense Kathleen Hicks recently introduced the department’s new Replicator initiative intended to use attritable, autonomous systems at scale to achieve speed and efficiency.
In today’s evolving digital landscape, where the specter of cyber threats looms large, the demand for innovative, agile cybersecurity solutions is at unprecedented heights. Many of the DOD’s problems also plague the cybersecurity industry. Applying the DOD Replicator’s tactics, techniques, and procedures to streamline cybersecurity is a no-brainer that offers practical applications.
Converge is developing use cases with the Replicator principles in mind, but before sharing those, it’s important to understand the DOD’s goal with this initiative and the definition of attritable.
Faster innovation behind the Replicator effort
The DOD maintains and safeguards US military operations. According to Hicks, continuing to be successful requires the ability to field improved capabilities faster. Counter to the current trend of immense, multiyear projects and initiatives, Replicator spearheads the simultaneous development of multiple rapid, inexpensive, attritable solutions.
If the word attritable isn’t familiar, you’re not alone. It’s a term primarily used inside the defense industry. Breaking the term down to its root of attrit helps get to the definition. Attritable means “able to undergo attrition.” From the DOD’s point of view, attritability is a characteristic that trades longevity and maintainability for low-cost, sacrificial systems designed for minimal, if any, reuse.
Understanding the Replicator initiative
Outlined by Deputy Secretary Hicks, the Replicator initiative focuses on fielding attritable, autonomous systems on a massive scale within an 18- to 24-month period by going smaller, smarter, and cheaper. Hicks highlights the need to complement high-investment capabilities, such as stealth aircraft, with more agile solutions to stay ahead of evolving threats.
The initiative is a strategic move to counter the advantages of the People’s Republic of China. The theory behind it parallels the aphorism, “Don’t let perfect be the enemy of good.” Replicator seeks rapid results by embracing new artificial intelligence (AI) technologies and methodologies, robotics, smart manufacturing, and machine learning.
Current cybersecurity trends and challenges
Organizations are adopting vendor “ecosystem plays” to enhance defenses in the current cyber landscape. Many of these ecosystem solutions promise near-complete telemetry and aggregation of alerts and logs across all systems, but they come with challenges. Effectively integrating new and legacy tools across an environment can be slow, cumbersome, resource-heavy, and expensive. The sunk cost fallacy quickly becomes a reality, making it difficult to pivot in response to emerging threats, especially when a tactical pivot requires significant investments and board approval.
Large-scale solutions can be counterproductive and hinder the protection of organizations facing new and fast-moving vulnerabilities. We applaud cybersecurity vendors for their exceptional diligence and research in promptly releasing protective measures against new vulnerabilities — but the pace and caution they use to release these measures are often too slow, leaving organizations with little more than hope that they aren’t the first target on adversaries’ hit lists.
Time to implement cybersecurity tools
Research by the Ponemon Institute shows that 58% of respondents say security effectiveness improved with zero-trust implementation. Yet the same report shows that nearly 40% of organizations are still working on a zero-trust strategy and have yet to implement one. In our experience, organizations take up to nine months or longer to deploy a cybersecurity technology solution. Calibrating the tool for optimal performance and training users and admins takes additional time.
AI is known to accelerate response times, shortening the time to identify and contain a breach by an average of 108 days, according to research by IBM. Conversely, this same research shows that only 28% of organizations apply AI extensively to their security processes.
Converge increasingly uses AI in our service and solution areas and within our organizational cybersecurity program. Our practices apply AI to help customers rapidly deploy solutions and automate processes while our internal teams are working with our Advanced Analytics practice, using our extensive AI capabilities to build unique tools to address our specific security needs, including vulnerability exposure, asset inventory cross-validation, deepfake impersonation for offensive employee security training, service account validation, and regular password rotation.
Applying Replicator advantages to cybersecurity
The Replicator concept offers unique approaches that can address some current cybersecurity challenges:
- Breaking initiatives into manageable bites: Deconstructing larger initiatives into smaller, more manageable tasks promotes quicker implementation and adaptability.
- Rapid response to environmental changes: Attritable, autonomous systems enable quick response to environmental changes, new vulnerabilities, and emerging threat indicators.
- Budget-friendly solutions: Leveraging smaller, smarter, more cost-effective platforms provides cybersecurity teams with budget-friendly solutions that reduce organizations’ financial burden.
- Tolerance for mistakes: Making it more acceptable to endure and learn from mistakes fosters a culture of continuous improvement and innovation without the high-level impacts of a single, costly project that fails.
- Agile team structure: Breaking a larger organization into agile tiger and strike teams, each centered on one project per quarter, ensures focused, efficient cybersecurity efforts.
- Promotion of numerous solutions: Supporting multiple projects, ideas, and initiatives simultaneously better aligns with reality for most cybersecurity teams.
Putting Replicator theory into cybersecurity practice
There are a multitude of strategies from the DOD program that organizations can harness for their cybersecurity programs, including:
Using deception solutions and threat intelligence: Create canary tokens and honeypots within environments based on threat intelligence indicators on the fly.
Using honeypots as a defensive lure away from prime targets has been around since the late 80s to early 90s. Canary tokens have a more recent history, with the term first used in 2003, and are used to discover intrusions. Both aid a defense-in-depth strategy but can be complex to deploy and manage effectively, preventing many organizations from integrating them into their security strategies. Deception techniques are among the last lines of defense once an adversary has breached a network, but they might just be the key to tipping off the security team that an attack is underway.
AI-powered honeypots and canary tokens not only remove the traditional deployment blockers of time and resources but also provide improved versions with the ability to evolve. Organizations can now use automation and real-time indicators from toolset data to build and deploy defenses and bolster threat intelligence insights in near real-time.
Automating response tactics: Use automation to block malicious IPs and URLs and to revoke sessions for critical at-risk users.
Evolved security solutions use multiple tactics for automatic defensive measures, but it’s less common for solutions to aggregate multiple independent data streams. This use case is like a lightweight security orchestration, automation, and response (SOAR) solution.
In this example scenario, Microsoft Active Directory (AD) user alerts indicate multiple failed logins from a foreign country, while the DNS filtering solution alerts for traffic going to a known nefarious command-and-control server. A tool built to counteract these threats automatically aggregates these indicators of compromise (IOCs) to set a chain of actions into motion, including determining whether to revoke the user’s AD sessions and reset their password, isolating the host within your EDR solution, sending the user an email with instructions to call into the helpdesk to have their account re-instated, and providing the SOC with a summary report of the events to investigate.
Review and cleaning up of Active Directory: Use AI to cross reference AD with HR repositories to streamline the review and location of invalid accounts and users.
Overlooking the health and hygiene of the AD environment is common, even with notable investments made in security tools. Automating simple cross-reference between a known true system, such as an HR payroll database, and AD quickly and efficiently provides an accurate depiction of the environment with little effort.
Evaluating cloud security posture: Leverage automated cloud risk discovery powered by AI to review cloud security posture and identify easily implementable compliance standards, followed by generating the necessary policies and proposing a workflow for a configuration implementation project schedule.
Most cloud providers include some sort of security health check, but few can discern an organization’s core business assets and crown jewels due to a lack of context. Testing the efficacy of cloud security settings by building a small AI tool using standard AD rights can show how much information the tool collects, alters, and exfiltrates from the cloud environment.
Open-sourced tools, such as AzureHound and Chaos Monkey, are widely used in the enterprise world for this same purpose, but they might not always fit your specific use case. Building and implementing a solution with this functionality will take some time, but repeated and wide-ranging use would far outweigh the resource costs to build and maintain it. Again, start with a small use case and grow the tool from there.
Verifying security efficacy should be a standard practice; this tool does exactly that. For example, you might trust that SharePoint settings are correct, but verifying that belief by using your new tool to test whether a standard user can access an executive’s SharePoint folders and download sensitive files would be a great use case.
Starting with a small goal and use case, like the one above, is an effective way to validate your security posture automatically, and use cases can be expanded over time. The advantage of building your own tool is that it will be purpose-built to your environment’s exact specifications and needs, so everyone from the SMB world up to the Fortune 500 can benefit.
Meeting cybersecurity challenges with solutions
As Deputy Secretary Hicks aptly stated, we are at an alchemic moment where operational problems meet potential solutions in an atmosphere that fosters innovation. Adopting the Replicator initiative exemplifies the DOD’s willingness to take a transformative approach to US defense. While your organization might not have the same threat profile as the Department of Defense, it still faces risks. By applying the Replicator Initiative theory to your organization, you can pile up the small wins and make headway on the gargantuan task of cyber defense.
Converge is on the front lines of cybersecurity every day. Our experts can help your organization adopt these same principles to navigate the complex cybersecurity landscape with speed, scalability, and efficiency. Connect with us today to build your cyber risk resilience and prepare for what’s next.
