Once, Twice, Three Times a Crater

Why "Once a Year" Doesn’t Cut It for Cybersecurity: The Case for Continuous Testing

The Department of Defense (DoD) has long relied on periodic assessments for physical fitness and operational readiness, like annual rifle qualifications. However, when it comes to cybersecurity, the once-a-year mindset is dangerously inadequate. The recent shift to the Cyber Operational Readiness Assessment (CORA) program underscores the necessity of adopting a continuous, proactive approach to securing the DoD Information Network (DODIN). While CORA represents a significant leap forward, it must be paired with offensive, red-team-driven testing to truly counter evolving adversarial threats.

Cyber Threats Are Constant; Testing Should Be Too

Cyber adversaries don’t wait for annual assessments—they exploit weaknesses as soon as they emerge. CORA’s focus on continuous readiness highlights the dynamic nature of cyber threats, but even CORA’s approach, centered on high-priority terrain and defensive readiness, must be complemented by continuous offensive red-team testing.

  • Annual vs. Continuous Testing: An annual assessment is akin to checking a rifle’s accuracy once a year but leaving it unmaintained the rest of the time. Continuous offensive testing identifies vulnerabilities as they appear, reducing risk exposure and keeping systems hardened against real-world tactics.
  • Adversary Evolution: Adversarial tactics such as lateral movement, privilege escalation, and exfiltration evolve daily; waiting months to test defenses risks leaving critical systems vulnerable.

Offensive Testing: Taking the Fight to the Adversary

While CORA focuses on operational readiness and risk-based metrics, offensive red-team testing pushes the boundaries by simulating real-world attacks to uncover exploitable vulnerabilities.

  • Root Cause Analysis: Offensive testing uncovers systemic weaknesses that go beyond boundary reviews, addressing vulnerabilities at their core.
  • Dynamic Adjustment: Much like CORA adjusts key indicators based on the evolving threat landscape, red-team operations adapt to emerging adversarial tactics, ensuring continuous relevance and effectiveness.

For instance, red-team exercises have been shown to uncover 35% more critical vulnerabilities compared to traditional methods, bridging the gap between defense and real-world threats.

Proactive Cybersecurity: Beyond Compliance to Resilience

The shift from compliance to operational readiness reflects a necessary change in the DoD’s mindset. However, resilience requires more than defensive metrics. Continuous red-team testing ensures that the DoD’s systems are not just compliant but capable of withstanding sophisticated attacks.

  • Integrated Threat Insights: Offensive testing integrates seamlessly with CORA’s risk-based metrics, ensuring that vulnerabilities identified during simulated attacks are prioritized and addressed in the broader cybersecurity framework.
  • Real-Time Readiness: Just as CORA provides commanders with a clearer understanding of high-priority terrain, red-team testing offers actionable insights into how adversaries might exploit weak points.

Conclusion: A Unified Approach to Cyber Defense

The launch of CORA is a step in the right direction, but it must be paired with continuous, offensive testing to secure the DODIN against the relentless pace of cyber threats. Just as warfighters train daily to maintain readiness, cybersecurity systems must be tested continuously to ensure resilience.

By integrating CORA with red-team-driven offensive testing, the DoD can achieve:

  1. Proactive Defense: Mitigating vulnerabilities before adversaries exploit them.
  2. Holistic Readiness: A comprehensive understanding of both defensive and offensive cybersecurity postures.
  3. Mission Assurance: Ensuring that critical systems remain operational, no matter the threat.

In cybersecurity, waiting even a week can mean the difference between mission success and failure. The DoD must embrace continuous offensive testing as an integral component of its cyber readiness strategy.

Insightful read! Continuous testing does seem essential for keeping up with the evolving cyber landscape. It's interesting to consider how red-team strategies might enhance overall resilience in the DoD. What do you think are the biggest challenges in implementing this approach?

Hey Ed, how's everything
