
Network Black Box (NBB)

Description:

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Sensing and Cyber; Advanced Computing and Software

OBJECTIVE: The Network Black Box Direct to Phase 2 (DP2) SBIR topic seeks to develop and demonstrate a system prototype capable of automatically retaining, retrieving, and analyzing network data to support threat detection and response efforts by cyber security operations teams.

DESCRIPTION: Today’s enterprise networks are challenged by a myriad of cyber threats that can jeopardize the confidentiality, integrity, and availability of a network. An organization’s enterprise security controls aim to protect the organization’s networks against threats from hackers, malicious software, and attempts to steal sensitive information [1]. Threat hunting and incident response tactics, techniques, and procedures (TTPs) employed by an organization’s cyber security operations teams help protect the networks by continuously monitoring for threats in progress that evade security controls and breach the network [2]. Despite significant investment in enterprise security controls, and the collection and use of diverse and voluminous datasets for threat hunting and incident response, many organizations lack the infrastructure capacity and resources to store key enterprise network security data in a reliable, efficient, and cost-effective way, for durations comparable to the average dwell time [3] of cyber attackers (i.e., the amount of time an attacker spends on a target network before being detected). Dwell times, which vary based on region and other factors, can average up to two months, giving attackers plenty of time to wreak havoc on the target network [4].
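The dwell-time argument above, and the two use cases this topic names for retained network data (root cause analysis and lateral movement detection), as an added worked example that is not part of the solicitation and not any proposer's design. It walks backwards through a retained store of flow records from an alerted host to the first external contact, then repeats the same analysis under a 30-day and a 365-day retention policy. The flow records are constructed for the illustration; the internal address space (10.0.0.0/8), the set of ports treated as lateral-movement channels, and the flow record layout are assumptions.

```python
"""Added example: root cause analysis and lateral movement tracing over a
retained store of flow records, and the effect of a too-short retention window.
The flow records are constructed; INTERNAL and LATERAL_PORTS are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: enterprise address space
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}      # assumption: SSH, SMB, RDP, WinRM


@dataclass(frozen=True)
class Flow:
    ts: datetime      # connection start
    src: str
    dst: str
    dport: int
    bytes_out: int    # bytes sent from src to dst


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def retained(flows, now, retention_days):
    """Simulate the retention policy: only flows newer than the cutoff survive."""
    cutoff = now - timedelta(days=retention_days)
    return [f for f in flows if f.ts >= cutoff]


def trace_back(flows, host, before, visited=()):
    """Lateral movement detection, walked backwards in time: every chain of
    internal connections on LATERAL_PORTS that ends at `host` before `before`.
    Each chain is a list of Flows, oldest first. An empty chain means `host`
    is a candidate origin: no earlier inbound lateral connection is retained."""
    visited = visited + (host,)
    inbound = [f for f in flows
               if f.dst == host and f.ts < before and f.dport in LATERAL_PORTS
               and is_internal(f.src) and f.src not in visited]
    if not inbound:
        return [[]]
    chains = []
    for f in sorted(inbound, key=lambda x: x.ts):
        for tail in trace_back(flows, f.src, f.ts, visited):
            chains.append(tail + [f])
    return chains


def entry_point(flows, origin, before):
    """Earliest contact between `origin` and an external address before `before`
    (the suspected initial-access event), or None if the retained data does not
    reach back that far."""
    contacts = [f for f in flows if f.ts < before
                and ((f.src == origin and not is_internal(f.dst))
                     or (f.dst == origin and not is_internal(f.src)))]
    return min(contacts, key=lambda x: x.ts) if contacts else None


def root_cause(flows, host, detected_at):
    """Root cause analysis for an alert on `host`: a list of
    (entry_flow, lateral_chain) candidates. entry_flow is None when the chain
    dead-ends inside the network, i.e. the retained data cannot show how the
    chain's first host was reached."""
    results = []
    for chain in trace_back(flows, host, detected_at):
        origin = chain[0].src if chain else host
        first_move = chain[0].ts if chain else detected_at
        results.append((entry_point(flows, origin, first_move), chain))
    return results


# Constructed sample: a 46-day intrusion plus two unrelated flows.
T0 = datetime(2023, 1, 1, 9, 0)


def day(n):
    return T0 + timedelta(days=n)


FLOWS = [
    Flow(day(0),  "10.1.1.10", "203.0.113.7",  443, 150_000),     # payload fetched from outside
    Flow(day(3),  "10.1.1.10", "10.1.1.20",     445, 900_000),     # SMB lateral move
    Flow(day(10), "10.1.1.99", "10.2.0.5",       80, 2_000),       # ordinary web traffic, ignored
    Flow(day(20), "10.1.1.20", "10.2.0.5",     3389, 300_000),     # RDP lateral move
    Flow(day(44), "10.5.0.1",  "10.3.0.50",      22, 5_000),       # unrelated admin SSH session
    Flow(day(45), "10.2.0.5",  "10.3.0.50",      22, 120_000),     # SSH to the file server
    Flow(day(46), "10.3.0.50", "198.51.100.9",  443, 40_000_000),  # exfiltration; this is what alerts
]
DETECTED_AT = day(47)   # the exfil alert is triaged the next day
NOW = day(60)           # the investigation runs two weeks after that


def investigate(retention_days):
    return root_cause(retained(FLOWS, NOW, retention_days), "10.3.0.50", DETECTED_AT)


if __name__ == "__main__":
    for days in (30, 365):
        print(f"--- retention {days} days ---")
        for entry, chain in investigate(days):
            print("  chain:", " -> ".join(f.src for f in chain) + " -> 10.3.0.50")
            print("  entry:", f"{entry.src} -> {entry.dst} on day {(entry.ts - T0).days}"
                  if entry else "not in retained data")
```

With 365 days of retention the analysis recovers the full path (external host, 10.1.1.10, 10.1.1.20, 10.2.0.5, 10.3.0.50) alongside a dead-end candidate via the admin session; with 30 days, the day-20 and earlier records are gone, both candidate chains dead-end inside the network, and the initial access cannot be established. The branching output is deliberate: over real data the analyst gets a set of candidate paths to prune, not a single answer.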
In addition, shortfalls in infrastructure capacity and resources adversely impact an organization’s ability to efficiently and effectively conduct incident response forensics on the network security data once an intrusion is detected. Organizations across government and industry would benefit from a simple, yet powerful, reliable, efficient, and cost-effective mechanism to support automated retention, retrieval, and analysis of key enterprise network data for security operations teams to conduct incident response forensics, such as root cause analysis [5] and lateral movement [6] detection, ex post facto.

PHASE I: The Network Black Box SBIR topic is soliciting Direct to Phase 2 (DP2) proposals only, which must include supporting documentation of Phase 1 feasibility. Phase I feasibility must be demonstrated through evidence of: a completed proof of concept/principle or basic prototype system; definition and characterization of system properties/technology capabilities desirable for DoD/IC/government and civilian/commercial use; and capability/performance comparisons with existing state-of-the-art technologies/methodologies (competing approaches). Entities interested in submitting a DP2 proposal must provide documentation to substantiate that the scientific/technical merit and feasibility described above has been achieved, and also describe the potential commercial applications.
DP2 Phase I feasibility documentation should include, at a minimum:
• technical reports describing results and conclusions of existing work, particularly regarding the commercial opportunity or DoD/IC insertion opportunity, risks/mitigations, and technology assessments;
• presentation materials and/or white papers;
• technical papers;
• test and measurement data;
• prototype designs/models;
• performance projections, goals, or results in different use cases; and,
• documentation of related topics such as how the proposed Network Black Box solution can enable the retention, retrieval, and analysis of network data to support threat detection and response efforts by security operations teams.

The collection of Phase 1 feasibility material will verify mastery of the required content for DP2 consideration. DP2 proposers must also demonstrate knowledge, skills, and abilities in the technical areas of cyber operations, software engineering, network security, data analytics, artificial intelligence, and machine learning. For detailed information on DP2 requirements and eligibility, please refer to the DoD Broad Agency Announcement and the DARPA Instructions for this topic.

PHASE II: The Network Black Box DP2 SBIR topic seeks to develop and demonstrate a system prototype capable of automatically retaining, retrieving, and analyzing network data to support threat detection and response efforts by security operations teams. It is envisioned that Network Black Box approaches will take the form of a physical or virtual appliance with an intuitive user interface supporting at least the two use cases stated previously, namely root cause analysis and lateral movement detection. Proposed solutions should enable organizations to retain and analyze enterprise network data for at least one year for a network consisting of at least 10,000 hosts.
Strong Network Black Box proposals will provide experimental evidence and a quantitative analysis on the cost, capacity, and scalability of such a capability, and present preliminary evidence on the usefulness of the retained data for root cause analysis, lateral movement detection, and any additional use cases. DP2 proposals should:
• describe a proposed framework design/architecture to achieve the above stated goals;
• present a plan for maturation of the framework to a demonstrable prototype system; and
• detail a test plan, complete with proposed quantitative metrics for verification and validation of the prototype system performance.

Phase II will culminate in a prototype system demonstration using compelling use cases consistent with commercial opportunities and/or insertion into a DARPA program (e.g., the Cyber Agents for Security Testing and Learning Environments (CASTLE) [7] program, which seeks to generate data-driven, machine-readable descriptions of how attacker tools behave, how attack paths unfold, and how to label observable attack behavior; and the Signature Management using Operational Knowledge and Environments (SMOKE) [8] program, which seeks to assist red teams with planning and deploying TTPs to evade network defenders in order to achieve assessment objectives (e.g., lateral movement in networks) and to assess how networks perform against malicious cyber actors (MCAs)). The Phase II Option period will further mature the technology for insertion into a DoD/IC Acquisition Program, another Federal agency, or commercialization into the private sector. The below schedule of milestones and deliverables is provided to establish expectations and desired results/end products for the Phase II and Phase II Option period efforts.
Schedule/Milestones/Deliverables: Proposers will execute the research and development (R&D) plan as described in the proposal, including the below:
• Month 1: Phase I Kickoff briefing (with annotated slides) to the DARPA Program Manager (PM) including: any updates to the proposed plan and technical approach, risks/mitigations, schedule (inclusive of dependencies) with planned capability milestones and deliverables, proposed metrics, and plan for prototype demonstration/validation.
• Months 4, 7, 10: Quarterly technical progress reports detailing technical progress to date, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (while this would normally report progress against the plan detailed in the proposal or presented at the Kickoff briefing, it is understood that scientific discoveries, competition, and regulatory changes may all have impacts on the planned work and DARPA must be made aware of any revisions that result), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
• Month 12: Interim technical progress briefing (with annotated slides) to the DARPA PM detailing progress made (including quantitative assessment of capabilities developed to date), tasks accomplished, risks/mitigations, planned activities, technical plan for the second half of Phase II, the demonstration/verification plan for the end of Phase II, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
• Months 15, 18, 21: Quarterly technical progress reports detailing technical progress made, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (with necessary updates as in the parenthetical remark for Months 4, 7, and 10), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
• Month 24: Final technical progress briefing (with annotated slides) to the DARPA PM. Final architecture with documented details; a demonstration of the ability to automatically retain, retrieve, and analyze network data to support threat detection and response efforts by security operations teams; documented application programming interfaces; and any other necessary documentation (including, at a minimum, user manuals and a detailed system design document; and the commercialization plan).
• Month 30 (Phase II Option period): Interim report of matured prototype performance against existing state-of-the-art technologies, documenting key technical gaps towards productization.
• Month 36 (Phase II Option period): Final Phase II Option period technical progress briefing (with annotated slides) to the DARPA PM including prototype performance against existing state-of-the-art technologies, including quantitative metrics for assessment of privacy features/capabilities.

PHASE III DUAL USE APPLICATIONS: Network Black Box has potential applicability across DoD/IC/government and commercial entities. For DoD/IC/government, Network Black Box is extremely well-suited for forensic analysts tasked with conducting postmortems after an organization’s network is compromised. Network Black Box has the same applicability for the commercial sector. Phase III refers to work that derives from, extends, or completes an effort made under prior SBIR funding agreements, but is funded by sources other than the SBIR Program. The Phase III work will be oriented towards transition and commercialization of the developed Network Black Box technologies. For Phase III, the proposer is required to obtain funding from either the private sector, a non-SBIR Government source, or both, to develop the prototype into a viable product or non-R&D service for sale in government or private sector markets.
Primary Network Black Box support will be to national efforts to help secure government and commercial networks against MCAs that target critical networks. Results of Network Black Box are intended to improve understanding of MCA threats and improve detection and response actions across government and industry.

REFERENCES:
1. NIST SP 800-53 Revision 5. 2020. “Security and Privacy Controls for Information Systems and Organizations.” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
2. Waqas, Iam. PrivacyAffairs. 2022. https://www.privacyaffairs.com/threat-hunting-vs-incident-response/
3. Armor Defense. 2021. “Dwell Time as a Critical Security Success Metric.” https://cdn.armor.com/app/uploads/2020/04/Ebook-DwellTime.pdf
4. Nayyar, Saryu. Forbes. 2021. “Why The Dwell Time Of Cyberattacks Has Not Changed.” https://www.forbes.com/sites/forbestechcouncil/2021/05/03/why-the-dwell-time-of-cyberattacks-has-not-changed/?sh=1ddedc37457d
5. Gross, Natalie. CDW StateTech. 2021. “Incident Response: The Steps to a Root Cause Analysis for State Government.”
6. Cybertalk.org. 2022. https://www.cybertalk.org/what-is-lateral-movement-computing/
7. DARPA I2O. 2022. Broad Agency Announcement, Cyber Agents for Security Testing and Learning Environments (CASTLE), HR001123S0002. https://sam.gov/opp/5fa7645fdf464f70b5c67e24585926f7/view
8. DARPA I2O. 2021. Broad Agency Announcement, Signature Management using Operational Knowledge and Environments (SMOKE), HR001122S0006. https://sam.gov/opp/8832e2b8d9864169a234834eea89e5f1/view

KEYWORDS: Network Security, Cybersecurity, Incident Response, Threat Hunting, Artificial Intelligence, Machine Learning, Automation, Data Analytics