For code and country

Raytheon’s cybersecurity incident response teams mitigate attacks against US

Far from flickering screens in dark rooms often seen in Hollywood’s portrayal of cyber defenders, this is the real-world workspace of Daniel, a cybersecurity analyst lead with a Raytheon cybersecurity incident response team.

Rather than a clandestine bunker, analysts like Daniel often work from home. Together with his team – many of them working remotely across the country – he protects the U.S.’ digital infrastructure from a myriad of cyber threats.

“We are involved in a lot that keeps the American way of life running, and we fight all kinds of actors,” said Daniel. “Every day brings something new. It’s a lot of fun. The job is a giant puzzle, and I like that aspect of it.”

Behind the screens with the real cyber CSI 

Part of the team’s work is known as host forensics, the practice of examining systems such as desktops, laptops and mobile devices to discover evidence of cyber incidents. By analyzing logs, metadata, file systems and more, the team can uncover an attack and assess the damage. Raytheon’s cyber incident response teams are well known in this field, possessing the expertise and tools to address intricate cybersecurity problems.

The rise of remote work has opened new opportunities for attackers, particularly those acting on behalf of nations vying for dominance in the information realm.

“The volume and scope of what cybersecurity professionals must deal with are daunting. We’ve gone from being secure by implementing firewalls to now analyzing large volumes of data,” said Julian Zottl, chief technology officer for Cyber Protection Solutions at Raytheon. “Cybersecurity has gone from an IT implementation to a big-data engineering problem very quickly.”

Collaboration and automation in a matrix of malware

“Every day presents a new challenge,” said Jack, a cybersecurity analyst technical lead. “Sometimes we’re handed a hard drive with minimal information, other times we’re in environments with tens of thousands of systems to analyze.”

Jack explains how crucial collaboration is, emphasizing how team dynamics help ensure nothing is overlooked.

“My colleagues will be sitting there looking at the same data set, and they’re going to find something I may have missed. It’s knowing each other’s strong points and playing off each other,” Jack said.

Raytheon is investing in automation to discover and analyze incidents faster, eliminate human error and produce actionable intelligence more quickly.

Automating rote tasks frees up the team to use their critical-thinking skills and work more closely with customers, tailoring their approach based on the specifics of an incident and the complexity of the network.

“If industrial control systems are involved, we bring in our specialists in that domain,” said James, a cyber incident response manager. “Likewise, if it’s a cloud infrastructure issue, our cloud experts step in.”

Looking for a needle in a stack of needles

Regina is a cybersecurity analyst lead, overseeing more than 30 team members. Her analysts comb through data to look for evidence of cyberattacks, uncovering anomalies and finding any intrusions.

“It’s like searching for a needle in a stack of needles,” Regina said.

Some of the hardest intrusions to detect are those designed to happen quietly and invisibly. One attacker tactic, called “living off the land,” uses tools already native to the environment so that the activity creates no anomaly and thus avoids detection.

“It blurs the line between legitimate activity and potential threats,” said Joseph, a cybersecurity analyst.

Regina and many of her colleagues have a saying: Bad actors only need to win once. We have to win every time.

“The bad guys often have the upper hand because they operate without any rules, while we, as the defenders, must operate within strict boundaries,” she said.

Each day presents a different challenge for Regina and her team, from misconfigured servers and insecure edge devices to potential breaches that require swift action. However, it is not just about reacting to problems as they arise; it is also about proactively hunting down vulnerabilities and strengthening security measures.

Burning bad actors 

Raytheon’s focus goes beyond finding and mitigating cyberattacks. By publishing findings about identified threats, the team not only fortifies defenses but also disrupts adversaries’ operations.

“The most rewarding part of my job is when we can ‘burn’ an adversary’s infrastructure and their tactics, and we make them public knowledge,” Daniel said. “It causes a significant disruption in their operations, forcing them to invest resources in creating new tools or tactics.”

Within the realm of cloud forensics, Raytheon’s cybersecurity incident response teams confront unique challenges. While host forensics and network forensics teams often rely on on-site investigations, Raytheon’s cloud-centric approach allows the team to work with customers remotely, which brings several advantages.

“Our ability to remotely assist customers in making critical configuration changes expedites our response time,” said Mackenzie, a cybersecurity analyst. “We work closely with organizations to secure their cloud portals, grant permissions and use powerful tools for data collection and analytics. It’s a perk of the job when everything falls into place.”

According to Mackenzie, it’s a huge mission, and the responsibility can be overwhelming at times. And while threats loom large, the team’s commitment to securing their customers’ critical infrastructure is unwavering.

“There are days when you feel like you’re making a difference, making it more difficult for threat actors to carry out their malicious plans,” Mackenzie said. “There are moments that bring a sense of satisfaction, knowing that actions are being taken to hinder the adversaries’ ability to do their dirty deeds. That’s why I joined the mission and feel fortunate to work with talented teammates.”

Editor’s note: This feature story does not use the full names of the cyber defenders who work on the cybersecurity incident response teams for their privacy and security.