Cyber attackers aren’t passive; defenders can’t be either

Training program teaches cyber operators to adopt an offensive mindset to defend against attacks

As a cyber engineer, he is more than familiar with the internet, cybersecurity and the threats that exist online.

But once he learned more about known cyber exploits and vulnerabilities, and started thinking like a hacker, he quickly realized that he needed to do more to protect his devices.

“It’s like in Harry Potter where they had ‘Defense Against the Dark Arts’ teachers who taught the wizarding students all the dark arts so they knew how to defend themselves against it,” said Ferguson, who works in computer network operations, or CNO, at Raytheon Intelligence & Space’s Cyber Offense and Defense Experts, or CODEX.

Raytheon Intelligence & Space, a Raytheon Technologies company, recognizes that cyber defenders need to know the techniques, tactics, and tools that hackers — be they state actors, ransomware criminals, or lone-wolfs — use, so they’ll be better able to defend against them.

There is a worldwide shortage of cybersecurity experts. Currently, there are about 436,000 vacant cyber jobs in the U.S. and 3.4 million globally, according to a report from (ISC)2, a non-profit organization specializing in cyber training and certification programs that issues an annual study on cybersecurity workforce trends.

Raytheon Technologies is addressing this shortfall through an in-house program to develop and increase these rare skillsets. Called Offensive Labs, it’s a training program that is teaching students topics such as vulnerability research, or VR, CNO, and binary reverse engineering, the process of dissecting and understanding source code when the original software code is unavailable.

“We’re approaching this from the perspective of a hacker and using our knowledge of offensive tactics to better inform how we do cyber defense,” said Tim Zentz, director of CODEX. “To help individuals adapt to this mindset, we’re working with them to determine their current capabilities and guiding them in expanding their skills and knowledge.”

In 2022, Offensive Lab’s inaugural year, 60 students completed the Offense Labs training course, exceeding the program’s organizers plan to have 50 graduates. This year, they have expanded the courses offerings to create three separate tracks of instruction and are planning to have as many as 75 students complete the course of instruction.  

“We have a couple of different paths depending on what the student’s end goal is,” said Japheth Light, Offensive Labs training director. “One of those paths is vulnerability research, where students learn to find and exploit software vulnerabilities. Another is for CNO developers, and this year we’ve added a third track for developing hardware emulation and virtualization as applied to offensive cyber. Hardware emulation provides very low-level control of a system that can be useful for reverse engineers, vulnerability researchers, or CNO developers.”

The CNO developer track is offering a new course for its students, designed to widen the applicability of the training to information technology and cybersecurity professionals.

“The CNO developer students that are now going through the program are brand new. We’re calling it DEVCORE, which is a C programming-focused curriculum,” said Mike Weldon, Offensive Labs director. “We are teaching some fundamentals, best coding practices, how to use Git and Bitbucket to store their code and all the great things involved with C programming in general. That will make them more successful on their future programs.”

They’ve also made the course available to engineers across Raytheon Technologies to provide them with the opportunity to update or improve their skills and seek new opportunities within the company.

“This shows that we’re committed to investing in our engineers, giving them opportunities to either advance or broaden their skillsets,” Weldon said. “We have quite a few junior-level engineers, but we’ve also had a handful of engineers who have been with Raytheon for 10 years or more, and they’re very good at what they do. But they were looking for a change and joined the program.”

All of the course offerings start with a general knowledge track to give every student a common background.

“There’s the opening, general knowledge module that I teach, that all of our students go through,” Light said. “It gives everybody a background in topics that are common to all the learning paths. We cover x86 assembly language, the basics of reverse engineering, and give overviews of the training paths ahead. Our students come from different backgrounds and have a wide range of experience; we want to get everybody on the same page before going on to module two.”

From there, instruction divides between the VR track and the CNO development track with each cohort receiving tailored instruction.

“For the VR students, they proceed to war games, which is a platform that has 32 different reverse engineering and VR challenges that they'll work through,” Light said. “Then we have an internal two-week class, called VR tradecraft, where we go more in depth on bug patterns and bug discovery, as well as different architectures and their protections and defeats. We conclude with a two-week capstone project, to put it all together and let students prove their mettle before they move out onto a program.”

“We’re approaching this from the perspective of a hacker and using our knowledge of offensive tactics to better inform how we do cyber defense.” 

Tim Zentz, CODEX director

The students in the VR course value the company and feedback they receive.

“I really enjoyed having actual lab work,” said Matthew Vest, an engineer in Palm Bay, Florida. “It was fun sitting in class and listening to the instructor. But I think that that two things that I enjoyed were: Doing the lab work and being able to apply the knowledge and the skills that I was given or the tool sets that I was introduced to. And second, being able to have an instructor that was knowledgeable. If I ever got caught up or had questions that even the internet couldn’t answer, I could go to my instructor, and he has this knowledge from years and years and years of experience doing CNO. And that that was really cool being able to have this gigantic bank of knowledge to draw from whenever you needed help.”

“For the CNO students, they’ll have various challenges in their training. We start them off with four C programming projects,” said Light. “These cover topics like using sockets, inter-process communications with shared memory, and other stuff to get them practice with programming. Students also take our four-week CNO tradecraft course where they learn how to hide processes, inject code into processes, and things like that. Finally, they take a training class on Windows or Linux internals and ultimately conclude with a two or three-week capstone.”

The opportunity to practice the skills taught during instruction is a highlight for the students.

“The assignments that they give you, they don’t just give them to you and then you submit them, and they grade them – they give you feedback and then they ask you to resubmit them if they’re not good enough,” said Todd Scroggins, an engineer in Huntsville, Alabama. “They’re trying to make sure that your code is up to par with what they would expect to deliver to a customer. So, it’s really nice to have somebody who’s been doing this for a while, review your code and give you suggestions and feedback and then be able to go back and implement it and then get more suggestions and feedback as you go through the course.”

Besides growing new talent that can immediately be assigned to projects, Offensive Labs is also helping retrain and recruit talent.

“I think it was really cool that Raytheon Technologies spent a lot of the time, effort and ultimately money into something like this,” said Maurice Barnett, an engineer working in Greenville, South Carolina. “Vulnerability research isn’t something really taught in college. It’s awesome that we get this opportunity to have a safe space to get your hands dirty and go deeper into this field.”

The feedback from Offensive Labs customers inside of Raytheon Technologies has been overwhelmingly positive.

“Overall, it seems that those individuals who went on to assignments have been highly useful,” Weldon said. “We’ve heard great feedback from the program managers and the engineering teams. And also, the engineers who went through the program that it was useful training that set them up for success on their programs.”

Graduates of Offensive Labs are eager to put their new skills into action. They know their work directly supports national security, and the course has shown them the extent and how nation-state and black-hat hackers pose a threat to the country’s infrastructure.

“We need to come up with defenses before attacks and zero days happen,” said Ferguson, using a cybersecurity term for newly discovered methods of attack. “We’ve got to be out there actively trying to hunt for these exploits, these vulnerabilities, ourselves, so we can learn to defend ourselves.”

For more information on cybersecurity jobs at Raytheon Technologies please visit the company’s cyber careers site.