By Geoff Fein
The Network Exploitation Test Tool (NETT), developed by General Dynamics [GD], provides a cyber threat test on friendly force systems for vulnerability analysis and system evaluation.
Additionally, NETT enables more robust data capture to help in the wiring of more detailed and accurate reports, John Callahan, project manger for NETT, told Defense Daily in a recent interview.
One aspect of NETT provides a red team threat to a system to make sure that that system is as secure as possible, he said.
“Traditionally, what a red team will do, they will have some subject matter experts that collect open source either through individual pieces of software that they download from the Internet or use tools like BackTrack 3, which is a bootable CD that has a lot of threats already integrated into it, or they buy a commercial product,” Callahan said.
“But one of the problems with commercial tools,” he added, “[what they tend to do] is abstract the threat to the point that the operator doesn’t have that really fine control over how they are using the tool.”
For example, one tool widely used for scanning is called Nmap (Network Mapper). “It can be used in a way that would set off alarms in a control center that is trying to monitor a network or it can be used very stealthily. It all has to do with what options the operator chooses when they run Nmap,” Callahan said. “So it can be the bull in the china shop or it can be very very stealthy.
“Within NETT we have integrated Nmap and provided a user interface to control it and do the data capture behind the scenes. But we exposed to the operator all those command line options that they normally would have,” he added.
Integrating Nmap into NETT makes it easier for an operator who now no longer needs to know how to install Nmap to run it, Callahan said.
Another feature of NETT is its data capture capability.
The typical red team would perform these operations trying to break into a network or a computer or whatever their mission is, Callahan noted. But the data that comes back from the use of these tools is usually returned on an Ascii console window. “You can imagine it is difficult for them to capture all the data that comes back. It’s pages and pages of information about IP addresses and port numbers and operating systems, and other pieces of information.”
Commercial companies that provide hacker classes tell students to cut and paste the Ascii text into a text editor, Callahan said. “So as you are doing the testing you are also cutting and pasting.”
“Later, you can imagine after cutting and pasting, trying to port out of all this information is tricky. If they collected all the data, getting them to explain to somebody who can write a report for an executive, or a summary report for a general, is difficult, and it’s not unheard of that two days of testing will take two weeks to write a report,” he said. “The real power of using a tool like NETT, is not only the visualization aspects of it but all that data capture that would have been dumped to the screen is being parsed for them and inserted into a sequel data base behind the scenes..”
Operators are not burdened with the responsibilities of having to do the data capture, Callahan added.
“So writing a very detailed and accurate report after the fact becomes pretty much a trivial exercise. That’s part of the penetration test realm that has really been ignored– the data report after the fact, and the ability to advertise that you could repeat that test six months later after the system has had a chance to be updated,” he explained.
NETT was originally sought by the Threat Systems Management Office (TSMO), an organization within Program Manager Instrumentation Targets and Threat Simulators (PM ITTS).
“TSMO has an Army system they needed to provide cyber threat testing against and in particular this system was Windows- and Solaris-based. There really wasn’t anything off the shelf that could be used in a test environment that captured the operator actions, that captured what tools were being used and when they were being used,” Callahan said.
Because this was a formal test to introduce the system operationally, General Dynamics needed to be able to document what the test was composed of, and what was happening, so that the company could author a report after the fact and validate that the test exercised the system, he added.
Windows is Microsoft‘s [MSFT] operating system. Solaris is Sun‘s [JAVA] operating system.
“That was the genesis of what became the NETT program. We went through that testing…the test was successful. In the process of preparing for that test we had built some software automation tools that were integrating the open source to help us do the data capture and some level of visualization,” Callahan said. “It was really a prehistoric effort compared to what we have in NETT today.”
TSMO saw the value of what had been done there and told General Dynamics the company needed to mature the capability, Callahan added. “Since their role is to provide threats of all kinds, including information operations threats for the DoD, they have continued to fund us and provide requirements to us to extend NETT.”
The Army is the lead on NETT. Callahan noted that there is a group within the Marine Corps and the Air Force interested in the technology and General Dynamics is in the process of adding additional organizations to the list of users.
“The Army has a process where a member of DoD can apply for copies of NETT, and they go through a Memorandum of Agreement, required training courses, and then they have access to NETT,” he said. “The Army funded it and General Dynamics developed it, but the Army controls distribution of the capability.”