In order to red team an unknown, potential adversary, a set of parameters are set for the red team to follow based on the Defense Advanced Research Project’s Agency’s (DARPA) understanding of terrorist behavior:
- The cyber-terrorist is believed to have a level of sophistication somewhere between that of a sophisticated hacker and a foreign intelligence organization.
- This adversary is assumed to be able to raise funds on the order of hundreds of thousands to a few million dollars, and he is willing to spend these funds to accomplish his mission.
- This adversary is assumed to be able to acquire all design information on a system of interest.
- This adversary is assumed to be very risk averse. Premature detection is a serious negative consequence for the cyber-terrorist.
- This adversary has specific targets or goals in mind when they attack a given system.
- The adversary will also expend only the minimum amount of resources needed to accomplish their mission.
- The cyber-terrorist is assumed to be professional, creative, and very clever. They will seek unorthodox and original methods to accomplish their goals.
The Information Design Assurance Red Team (IDART) spent most of its time gathering intelligence on the target system. Their results were only considered successful if the team met their objectives and preserved stealth. In this study the red team followed the same basic process repeatedly, and gave up before mounting an attack with a risk threshold that was too high.
DARPA’s experience suggests some improvements to the process that they are using to model the cyber-terrorist adversary including the use of additional red teams, improving the scientific method used to record and test red team behavior, incorporating verified terrorist behavior, war-gaming cyber terrorist scenarios, and improving the library of possible approaches to difficult threats.