27 November 2013: Cyber defence CDE themed competition presentations
Description: Centre for Defence Enterprise (CDE) Innovation Network. Themed competition launch - Cyber defence: securing against the insider threat.
Transcript
Cyber Defence: Securing Against the Insider Threat
Centre for Defence Enterprise (CDE) themed competition
© Crown copyright 2013 Dstl
29 November 2013
Room 1
Defence challenges in cyber security
© Crown Copyright Dstl 2011
The threat, the risk
• Increasing in complexity and scale
• Diverse, asymmetric & symmetric
• “Non-traditional” cyber threats
– Electromagnetic attack
• MOD’s business
– Working in dangerous situations
– An obvious target
MOD networks
• Large and varied
– 70+ countries
– 1200 UK sites
– 800,000 IP addresses
– 225,000 users
– 95% is made up of 19 core systems with 1000 applications
• Planned and ad hoc
• Bought as a service
Platforms and weapons
• Increasingly cyber-enabled, connected platforms
• Tighter integration with industry
• Complex logistics and support
• Supply-chain security
“Strange and charmed” systems
• Non-standard hardware, software and protocols
• Legacy hardware, software and protocols
• Low-bandwidth connectivity at the fringes
• Outside the envelope of IA and cyber security
Defence cyber S&T
Defence cyber S&T programme
• Part of national & MOD cyber programmes
• £25m p/a and rising
• Decision support
• Operations
• Situational awareness
• Defence
• Human factors
The pipeline
• Sponsoring research
– Centre for Defence Enterprise (CDE)
– Use of existing consortia
– Shaping and co-sponsoring academic research
– Commercial competitions
• Assessing candidate technologies
– Intelligent customer function
• Test and evaluation
– Testbed connected to MOD networks
Future challenges
• Scale and sophistication of threat
– Situational awareness and defence
– Big data
• Pace of technical changes vs government
– Domestic/professional co-existence, bring-your-own-device (BYOD)
– Cloud
– SMART
• Defence-specific issues
– Cyber in MOD’s mission
– The “strange and charmed”
UK UNCLASSIFIED
Cyber Defence: Securing Against the Insider Threat
CDE themed competition – launch 27 Nov 2013
Cyber defence
• Substantial efforts are focused on prevention of unauthorised access to systems or platforms
• However, this does not prevent the potential abuse of legitimate credentials
– Both illegitimate users of legitimate credentials and cyber insiders
Insider threat
• Employee activity (deliberate or accidental) is one of the main causes of internal IT security incidents that lead to the leakage of confidential corporate data
• Potential issues for MOD
– Reputational damage
– Political/diplomatic fallout
– National security
Aim of this CDE competition
Dstl is looking for novel and innovative proof-of-concept tools and techniques to detect cyber insider threats or abuse of legitimate user credentials, utilising host-based solutions
Focus
• Challenge is based on detecting anomalous behaviour
– Utilising legitimate credentials
• Three main aspects
– Malware
– Unauthorised personnel
– Legitimate personnel
[Diagram: three areas labelled "Unauthorised personnel utilising legitimate credentials", "Malware utilising legitimate credentials" and "Legitimate personnel utilising legitimate credentials"]
Types of threat
• Malware, individuals or groups
• Permanent staff, temporary staff or contractors
• May be deliberate, accidental or under the influence of a third party
• Outcome is negative impact on confidentiality, availability and integrity of MOD data
Types of activities
– Sabotage
– Espionage
– Fraud
– IP Theft
– Accidental damage
Anomalous behaviour
• Includes that which is significantly different to the standard user behaviour for a given credential set
– Especially that which increases the risk to the confidentiality, availability and integrity of MOD data
• May only be obvious over time
– Each individual action might be innocuous and within the user's authorised scope of action
• Need to consider the potential risk of actions and how this changes over time (cumulative risk)
Insider threat
• Users often go through five steps for malicious behaviour
1. Exploration
2. Experimentation
3. Exploitation
4. Execution
5. Escape/Evasion
• Want to detect as early as possible
• However, later attribution is still valuable
[Chart: likelihood (0 to 1) against time, with one curve for detection and one for attribution]
Baseline behaviour
• To spot changes in behaviour, a baseline is needed
– Requires minimum burden
– Learns regular patterns (diurnal, seasonal, familiarity, aging)
– Ideally can account for changes of role (resulting in changed patterns)
– Flags, and ideally prioritises, different types of anomalous behaviour for investigation and mitigation
– Can account for variance in background behaviour
Pattern of life baseline
[Chart: days of the week (M T W T F S S) against a scale of 1 to 5, with series labelled Regular, Deadline, Remote, Change Host and Deployed]
Socio-technical indicators
Including, but not limited to, aspects such as:
• Experiences
• Contextual
• Physical
• Behavioural
[Figure annotations: potential physical aspects of the user that can be tested and evaluated; aspects of the interaction between the user and the host or platform; forensic authorship, structural semantic analysis etc; forensic linguistics etc]
Socio-technical Indicators
Including, but not limited to, aspects such as:
• Connectivity – levels of connectivity, location, bandwidth, access etc
• Data access – is this consistent with role, are new data sources being sought, etc
• Storage & offload – is the user storing large quantities of data on the local host, are they trying to offload this etc
• Exploration – is the user exploring new areas unrelated to them, are they trying to access different hosts, seeking new (and unrelated) data sources etc
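The "Anomalous behaviour" slide asks for cumulative risk because each action may be innocuous on its own, the "Baseline behaviour" slide asks for something that learns a credential set's regular pattern and flags and prioritises departures from it, and the indicator slide above lists connectivity, data access, storage & offload and exploration. The following is an added example written for this transcript; it is not code from the slides, from Dstl or from any competition entrant. It builds a per-credential baseline from a constructed training window, scores each observed day per indicator, and accumulates the daily scores with decay so that slow drift is not forgotten. All event records, the field names (login_hour, hosts, shares, bytes_to_removable), the weights, the decay factor and the threshold are assumptions chosen for illustration, not a real audit-log schema or tuned values.

```python
"""
Host-based baseline and cumulative-risk scoring for one credential set.

Added example, not code from the CDE slides or from Dstl. The event records,
field names (login_hour, hosts, shares, bytes_to_removable) and all thresholds,
weights and the decay factor are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from math import log10
from statistics import mean, pstdev


@dataclass(frozen=True)
class DayActivity:
    """One day of activity seen on the host for one credential set (constructed)."""
    day: int                 # day index in the observation window
    login_hour: int          # hour of first logon, 0-23 (timing / connectivity pattern)
    hosts: frozenset         # remote hosts reached from this host (exploration)
    shares: frozenset        # data sources read (data access)
    bytes_to_removable: int  # bytes written to removable media (storage & offload)


@dataclass
class Baseline:
    """Regular pattern learnt from a training window for one credential set."""
    known_hosts: frozenset
    known_shares: frozenset
    hour_mean: float
    hour_sd: float
    removable_mean: float
    removable_sd: float


def build_baseline(days):
    """Learn diurnal timing, the usual host/share set and the usual offload volume."""
    hours = [d.login_hour for d in days]
    removable = [d.bytes_to_removable for d in days]
    return Baseline(
        known_hosts=frozenset().union(*(d.hosts for d in days)),
        known_shares=frozenset().union(*(d.shares for d in days)),
        hour_mean=mean(hours), hour_sd=pstdev(hours),
        removable_mean=mean(removable), removable_sd=pstdev(removable),
    )


def indicator_scores(day, base, seen_hosts, seen_shares):
    """Score one day per indicator. Each score is small on its own (0 to 2)."""
    # Timing: standard score of the logon hour; ignore mild drift, cap the rest.
    z = abs(day.login_hour - base.hour_mean) / max(base.hour_sd, 0.5)
    timing = min(2.0, max(0.0, z - 2.0))
    # Exploration / data access: novelty counts once, the first time it is seen.
    new_hosts = day.hosts - base.known_hosts - seen_hosts
    new_shares = day.shares - base.known_shares - seen_shares
    # Offload: log-scaled excess over baseline mean + 3 sd, in units of 1 MB.
    limit = base.removable_mean + 3 * base.removable_sd
    excess = max(0.0, day.bytes_to_removable - limit)
    offload = min(2.0, log10(1 + excess / 1_000_000))
    return {"timing": timing, "exploration": float(len(new_hosts)),
            "data_access": float(len(new_shares)), "offload": offload}


def score_window(base, days, decay=0.8, threshold=3.0):
    """Accumulate daily risk with decay so that slow drift is not forgotten.

    Returns one record per day: daily score, cumulative score, the per-indicator
    breakdown (to prioritise the investigation) and whether the threshold was crossed.
    """
    seen_hosts, seen_shares = set(), set()
    cumulative = 0.0
    out = []
    for d in days:
        parts = indicator_scores(d, base, seen_hosts, seen_shares)
        seen_hosts |= d.hosts - base.known_hosts
        seen_shares |= d.shares - base.known_shares
        daily = sum(parts.values())
        cumulative = cumulative * decay + daily
        out.append({"day": d.day, "daily": daily, "cumulative": cumulative,
                    "breakdown": parts, "flag": cumulative >= threshold})
    return out


def flagged_days(records):
    """Days on which the cumulative risk crossed the threshold."""
    return [r["day"] for r in records if r["flag"]]


# Constructed training window: ten ordinary working days (logon 08:00/09:00,
# one application host, one share, nothing written to removable media).
BASELINE_DAYS = [
    DayActivity(d, 8 + d % 2, frozenset({"hr-app"}), frozenset({"hr-share"}), 0)
    for d in range(10)
]

# Constructed observation window: individually innocuous steps that add up.
OBSERVED_DAYS = [
    DayActivity(10, 8, frozenset({"hr-app"}), frozenset({"hr-share"}), 0),
    DayActivity(11, 8, frozenset({"hr-app"}), frozenset({"hr-share", "finance-share"}), 0),
    DayActivity(12, 9, frozenset({"hr-app", "build-srv"}), frozenset({"hr-share", "finance-share"}), 0),
    DayActivity(13, 9, frozenset({"hr-app", "eng-srv"}), frozenset({"hr-share", "finance-share", "eng-share"}), 0),
    DayActivity(14, 23, frozenset({"hr-app"}), frozenset({"hr-share", "eng-share"}), 400_000_000),
]

if __name__ == "__main__":
    records = score_window(build_baseline(BASELINE_DAYS), OBSERVED_DAYS)
    for r in records:
        top = max(r["breakdown"], key=r["breakdown"].get)
        print(f"day {r['day']:2d} daily={r['daily']:.2f} cumulative={r['cumulative']:.2f} "
              f"flag={r['flag']} top_indicator={top}")
```

On the constructed data no single day before day 13 scores above the threshold (the largest is 2.0), yet day 13 is flagged because the decayed sum of three days of small novelties reaches it; this is the cumulative-risk point the slides make. The per-indicator breakdown is what an analyst would use to prioritise, and the decay factor is the knob that trades how long drift stays visible against how quickly the baseline forgives a one-off. The weights and threshold here are arbitrary; against real host data they would be tuned using the sensitivity and specificity metrics the competition asks for, and the "seen once" rule for novelty would need to be revisited when a change of role legitimately moves a user onto new hosts and shares.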
Socio-technical methods
Including, but not limited to, methods such as:
• Heuristics
• AI/Bots/Neural Networks
• Statistical Algorithms
• Grid Based/Vector Space/Frequency Analysis
– Identifying weak signals within a noisy background – individual activities might be innocuous
– What are the signals of insider threat? Can we identify the stages of activity?
– Is it possible to train systems to identify anomalous behaviour?
– Both behavioural and technical – can we forecast what abnormal looks like for the host?
Socio-technical indicators
• No single indicator is likely to give a complete picture
• Suppliers need to identify relevant and complementary indicators that allow for detection of anomalous behaviour
– Even when spread over a long time period
• Indicators should allow for prioritisation of risk
– Which activities are more likely to lead to serious impact to MOD digital assets?
Host-based solution
All images taken from the defence image database © Crown copyright 2013
Different types of host
– Host platform (eg ship's plant): analysis directly on the host itself
– Inline host: analysis undertaken on an inline host
Central analysis
[Diagram: several hosts feeding a central analysis function]
Potential to perform some central analysis. However, solutions must perform a level of analysis on the host – cannot merely undertake full packet capture
Testing concept demonstrators
• Suppliers are expected to be able to demonstrate the benefits of their chosen approach
– Data: suppliers need to have access to a suitable data source to test and refine their chosen approach; they must be able to demonstrate to Dstl why their data source is applicable
– Metrics: suppliers need to choose appropriate metrics to demonstrate the benefits of their chosen approach; these must include computational burden, sensitivity and specificity
What we want
• Novel and innovative proof-of-concept demonstrators at Technology Readiness Level (TRL) 1-4
• Success metrics for the approach
• An initial test plan against relevant exemplar data
• A development plan beyond the initial proof-of-concept phase
• Solutions that consider the breadth of MOD hosts
What we don’t want
• Existing higher TRL solutions or network analysis
tools
• Proposals that:
– Add substantial burden
– Expand the threat surface
– Force users to alter their behaviour
– Do not include some form of demonstrator
– Are proprietary black box solutions
Levels of funding
• Dstl have committed up to £1M of funding for the initial proof-of-concept demonstrators
• No cap on the value of proposals
– However more likely that a larger number of lower-value proposals (eg £50k - £150k) will be funded at this stage
• Aiming for an initial demonstration within 3-5 months
Submissions via the CDE Portal
17:00 Thursday 9 January 2014
Every little helps...
• Problem space is broad, complex and challenging
• Requires interaction between physical and social sciences
• Individual suppliers may only be able to provide a solution to part of the problem space
– These pieces are still potentially of value
– Networking and collaborating
• Technical questions
• CDE questions
In conclusion
• Opportunity!
• Innovation
• Demonstration
• Focus
– Host-based solutions
– Abuse of legitimate credentials
– “Strange and charmed”
• Closing date - Thursday 9 January 2014 at 17:00 hrs!