Prior to my current role as a Federal Engagement Manager for the Synack Red Team, I worked within the Army Special Operations Forces (ARSOF), also known as the “Quiet Professionals”. The ARSOF mission is to organize, train, equip and deploy in support of America’s National Security Strategy. While I was serving in the US military, the most important lesson I learned, which is also a key pillar in the ARSOF Truths, is that:
“Quality is more important than quantity.”
Leaving ARSOF and entering my next chapter, it’s satisfying to see the same qualities of the Army’s Special Operations in the U.S.-based Synack Red Team (SRT). They’re elite, they’re ethical, and they’re motivated not only by bounties, but also by a selfless mission to secure America. One of the first questions Synack receives during congressional or executive meetings with policy makers in Washington D.C. is about how we vet SRT. How do we know we can trust them?
From my initial experiences working with Synack, our SRT are one of our greatest assets. Their work has been recognized in the White House Cyber Strategy, highlighted during Hack the File Transfer Mechanism, and recently highlighted by the Air Force for success on recent engagements, and an increasing number of them have either served in or are sourced from the American military. Synack’s red team is a combination of veterans, patriots, and technologists who are driven to focus on areas within security where they can make an immediate and lasting impact.
Similar to Special Operations Soldiers, these U.S.-based SRT are uniquely trained and qualified, promoting the resilience described in the 2018 National Cyber Strategy.
2018 National Cyber Strategy:
“The United States Government will also promote regular testing and exercising of the cybersecurity and resilience…This includes promotion and use of coordinated vulnerability disclosure, crowd-sourced testing, and other innovative assessments that improve resiliency ahead of exploitation or attack.”
The National Cyber Strategy (September 2018) clearly promotes the use of crowdsourced testing across government platforms and infrastructure. All security testing operations include inherent risk, but Synack’s U.S.-based SRT provide elite qualities, similar to Special Operations (a sense of duty, ethics, values and safeguarding the American way), and at incredible scale.
Synack’s deployment of this patriotic, ethical hacking force for the U.S. Government continues to gain support among stakeholders within DoD and all levels of the U.S. Government. This week, Wright-Patterson Air Force Base released their official statement regarding Synack’s Hack the Logistics System, which occurred last fall. As highlighted in the press release, SRT members engaged the Reliability and Maintainability Information System (REMIS), an automated information system that is intended to provide the Air Force with the capability to receive, process, store, and retrieve performance and readiness information on Air Force weapons systems and equipment. REMIS does not contain classified information, but the readiness of U.S. Government aircraft and weapons could prove to be useful data for hostile nation states and bad actors. The threats to these systems are human, and the SRT acted to fulfill the SOF Truth that Humans are more important than Hardware.
As identified by the Air Force, U.S.-based SRT members went to work conducting over 1700 hours of combined attack activity in search of critical issues, resulting in 12 exploitable vulnerabilities of varying severity. The quality reports provided by this team enabled the Air Force to immediately and efficiently remediate 11 of the 12 issues, which highlights the dedication these individuals have to securing our nation. However, Hack the Logistics System was a small snapshot of the capabilities behind Synack’s U.S.-based SRT.
The SRT group protecting the information systems and assets of their country set new highs in 2017, exceeded those heights in 2018, and will continue to meet the demands of a country that requires modern solutions in support of its growing mission. Government targets in 2018 accounted for more than 25,000 hours of research and testing, spanning 15 agencies and organizations.