27 Nov 2013 Cyber defence CDE themed competition presentations

Cyber Defence: Securing Against the Insider Threat Centre for Defence Enterprise (CDE) themed competition © Crown copyright 2013 Dstl 29 November 2013 Room 1

Upload: centre-for-defence-enterprise

Post on 13-Jan-2015


DESCRIPTION

Centre for Defence Enterprise (CDE) Innovation Network. Themed competition launch - Cyber defence: securing against the insider threat.

TRANSCRIPT

Page 1: 27 Nov 2013 Cyber defence CDE themed competition presentations

Cyber Defence: Securing Against the Insider Threat

Centre for Defence Enterprise (CDE) themed competition

© Crown copyright 2013 Dstl

29 November 2013

Room 1

Page 2: Defence challenges in cyber security

© Crown Copyright Dstl 2011

Page 3: The threat, the risk

• Increasing in complexity and scale

• Diverse, asymmetric & symmetric

• “Non-traditional” cyber threats

– Electromagnetic attack

• MOD’s business

– Working in dangerous situations

– An obvious target


Page 4: MOD networks

• Large and varied

– 70+ countries

– 1200 UK sites

– 800,000 IP addresses

– 225,000 users

– 95% is made up of 19 core systems with 1000 applications

• Planned and ad hoc

• Bought as a service


Page 5: Platforms and weapons

• Increasingly cyber-enabled, connected platforms

• Tighter integration with industry

• Complex logistics and support

• Supply-chain security


Page 6: “Strange and charmed” systems

• Non-standard hardware, software and protocols

• Legacy hardware, software and protocols

• Low-bandwidth connectivity at the fringes

• Outside the envelope of IA and cyber security


Page 7: Defence cyber S&T


Page 8: Defence cyber S&T programme

• Part of national & MOD cyber programmes

• £25m p/a and rising

• Decision support

• Operations

• Situational awareness

• Defence

• Human factors


Page 9: The pipeline

• Sponsoring research

– Centre for Defence Enterprise (CDE)

– Use of existing consortia

– Shaping and co-sponsoring academic research

– Commercial competitions

• Assessing candidate technologies

– Intelligent customer function

• Test and evaluation

– Testbed connected to MOD networks


Page 10: Future challenges

• Scale and sophistication of threat

– Situational awareness and defence

– Big data

• Pace of technical changes vs government

– Domestic/professional co-existence, bring-your-own-device (BYOD)

– Cloud

– SMART

• Defence-specific issues

– Cyber in MOD’s mission

– The “strange and charmed”


Page 11: Cyber Defence: Securing Against the Insider Threat

UK UNCLASSIFIED

CDE themed competition – launch 27 Nov 2013


Page 12: Cyber defence

• Substantial efforts are focused on prevention of unauthorised access to systems or platforms

• However, this does not prevent the potential abuse of legitimate credentials

– Both illegitimate users of legitimate credentials and cyber insiders


Page 13: Insider threat

• Employee activity (deliberate or accidental) is one of the main causes of internal IT security incidents that lead to the leakage of confidential corporate data

• Potential issues for MOD

– Reputational damage

– Political/diplomatic fallout

– National security


[Image © BBC 2013]

Page 14: Aim of this CDE competition


Dstl is looking for novel and innovative proof-of-concept tools and techniques to detect cyber insider threats or abuse of legitimate user credentials, utilising host-based solutions

Page 15: Focus

• Challenge is based on detecting anomalous behaviour

– Utilising legitimate credentials

• Three main aspects

– Malware

– Unauthorised personnel

– Legitimate personnel


[Diagram labels: unauthorised personnel utilising legitimate credentials; malware utilising legitimate credentials; legitimate personnel utilising legitimate credentials]

Page 16: Types of threat

• Malware, individuals or groups

• Permanent staff, temporary staff or contractors

• May be deliberate, accidental or under the influence of a third party


Outcome is negative impact on confidentiality, availability and integrity of MOD data

Types of activities: Sabotage, Espionage, Fraud, IP Theft, Accidental damage

Page 17: Anomalous behaviour

• Includes that which is significantly different to the standard user behaviour for a given credential set

– Especially that which increases the risk to the confidentiality, availability and integrity of MOD data

• May only be obvious over time

– Each individual action might be innocuous and within the user’s authorised scope of action

• Need to consider the potential risk of actions and how this changes over time (cumulative risk)


Page 18: Insider threat

• However, later attribution is still valuable

• Users often go through five steps for malicious behaviour

1. Exploration

2. Experimentation

3. Exploitation

4. Execution

5. Escape/Evasion

• Want to detect as early as possible


[Chart: Likelihood (0 to 1) against Time, with curves labelled Detection and Attribution]

Page 19: Baseline behaviour

• To spot changes in behaviour, a baseline is needed

– Requires minimum burden

– Learns regular patterns (diurnal, seasonal, familiarity, aging)

– Ideally can account for changes of role (resulting in changed patterns)

– Flags, and ideally prioritises, different types of anomalous behaviour for investigation and mitigation

– Can account for variance in background behaviour


Page 20: Pattern of life baseline


[Chart: weekly activity grid, days M T W T F S S against rows 1 to 5, with periods labelled Regular, Deadline, Remote, Change Host and Deployed]

Page 21: Socio-technical indicators


Including, but not limited to, aspects such as:

[Diagram labels: Experiences; Contextual; Physical; Behavioural]

– Potential physical aspects of the user that can be tested and evaluated

– Aspects of the interaction between the user and the host or platform

– Forensic authorship, structural semantic analysis etc

– Forensic linguistics etc

Page 22: Socio-technical Indicators


Including, but not limited to, aspects such as:

Connectivity: levels of connectivity, location, bandwidth, access etc

Data access: is this consistent with role, are new data sources being sought, etc

Storage & offload: is the user storing large quantities of data on the local host, are they trying to offload this etc

Exploration: is the user exploring new areas unrelated to them, are they trying to access different hosts, seeking new (and unrelated) data sources etc

Page 23: Socio-technical methods


Including, but not limited to, methods such as:

[Diagram labels: Heuristics; AI/Bots/Neural Networks; Statistical Algorithms; Grid Based/Vector Space/Frequency Analysis]

– Identifying weak signals within a noisy background – individual activities might be innocuous

– What are the signals of insider threat? Can we identify the stages of activity?

– Is it possible to train systems to identify anomalous behaviour?

– Both behavioural and technical – can we forecast what abnormal looks like for the host?

Page 24: Socio-technical indicators

• No single indicator is likely to give a complete picture

• Suppliers need to identify relevant and complementary indicators that allow for detection of anomalous behaviour

– Even when spread over a long time period

• Indicators should allow for prioritisation of risk

– Which activities are more likely to lead to serious impact to MOD digital assets?


Page 25: Host-based solution


All images taken from the defence image database © Crown copyright 2013

Page 26: Different types of host


[Diagram: Host Platform (eg ship’s plant), with analysis directly on the host itself; Inline Host, with analysis undertaken on an inline host]

Page 27: Central analysis


[Diagram: several hosts feeding a central analysis node]

Potential to perform some central analysis. However, solutions must perform a level of analysis on the host – cannot merely undertake full packet capture

Page 28: Testing concept demonstrators

• Suppliers are expected to be able to demonstrate the benefits of their chosen approach


Data: Suppliers need to have access to a suitable data source to test and refine their chosen approach. Must be able to demonstrate to Dstl why their data source is applicable

Metrics: Suppliers need to choose appropriate metrics to demonstrate the benefits of their chosen approach. Must include computational burden, sensitivity and specificity
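Added illustration, not code from the Dstl deck or the competition: a host-based sketch of the ideas on slides 17, 19 and 28, with a pattern-of-life baseline learned from constructed audit events, a decaying cumulative risk score so that individually innocuous actions only flag once they accumulate, and sensitivity and specificity computed over labelled traces. The event fields, weights, threshold and decay are assumptions made for this sketch.

```python
from collections import Counter
# Constructed audit events, not real data: (user, day, hour, host, MB written to removable media).
TRAIN = [("alice", d, h, "ws-01", 50) for d in range(1, 11) for h in (9, 14)]
# Weights, threshold and decay are assumptions for this sketch; no single weight reaches THRESHOLD.
WEIGHTS = {"off_hours": 0.3, "new_host": 0.4, "high_volume": 0.5}
THRESHOLD, DAILY_DECAY = 1.0, 0.7

def learn_baseline(events):
    """Pattern-of-life baseline: usual hours, usual hosts and the largest volume seen."""
    return {"hours": Counter(e[2] for e in events), "hosts": {e[3] for e in events},
            "vol_cap": max(e[4] for e in events)}

def event_risk(base, ev):
    """Risk increment for one event against the baseline; 0.0 means consistent with it."""
    _, _, hour, host, mb = ev
    return (WEIGHTS["off_hours"] * (base["hours"][hour] == 0)
            + WEIGHTS["new_host"] * (host not in base["hosts"])
            + WEIGHTS["high_volume"] * (mb > base["vol_cap"]))

def first_alert_day(base, events):
    """Day on which the decayed cumulative risk first reaches THRESHOLD, or None."""
    score, last_day = 0.0, None
    for ev in sorted(events, key=lambda e: (e[1], e[2])):
        if last_day is not None:
            score *= DAILY_DECAY ** (ev[1] - last_day)  # older activity fades
        last_day = ev[1]
        score += event_risk(base, ev)
        if score >= THRESHOLD:
            return ev[1]
    return None

def sensitivity_specificity(labelled):
    """labelled: list of (is_insider, alerted) -> (sensitivity, specificity)."""
    tp = sum(i and a for i, a in labelled); fn = sum(i and not a for i, a in labelled)
    tn = sum(not i and not a for i, a in labelled); fp = sum(not i and a for i, a in labelled)
    return tp / (tp + fn), tn / (tn + fp)
# Constructed traces: each insider event deviates in one respect only, so none alerts
# alone; the remote trace is benign but looks like a host change (the role-change caveat).
TRACES = {
    "benign_office": (False, [("alice", d, h, "ws-01", 50) for d in (11, 12) for h in (9, 14)]),
    "insider_slow": (True, [("alice", 11, 9, "ws-01", 50), ("alice", 11, 19, "ws-01", 50),
                            ("alice", 12, 9, "fs-02", 50), ("alice", 12, 14, "ws-01", 120)]),
    "benign_remote": (False, [("alice", d, h, "lap-07", 50) for d in (11, 12) for h in (9, 14)]),
}

def evaluate():
    base = learn_baseline(TRAIN)
    alerts = {name: first_alert_day(base, evs) for name, (_, evs) in TRACES.items()}
    labelled = [(insider, alerts[name] is not None) for name, (insider, _) in TRACES.items()]
    return alerts, sensitivity_specificity(labelled)
```

The benign remote-working trace is flagged on the same day as the slow insider, which is the false positive a baseline that cannot follow a change of role or location will produce.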

Page 29: What we want

• Novel and innovative proof-of-concept demonstrators at Technology Readiness Level (TRL) 1-4

• Success metrics for the approach

• An initial test plan against relevant exemplar data

• A development plan beyond the initial proof-of-concept phase

• Solutions that consider the breadth of MOD hosts


Page 30: What we don’t want

• Existing higher TRL solutions or network analysis tools

• Proposals that:

– Add substantial burden

– Expand the threat surface

– Force users to alter their behaviour

– Do not include some form of demonstrator

– Are proprietary black box solutions


Page 31: Levels of funding

• Dstl have committed up to £1M of funding for the initial proof-of-concept demonstrators

• No cap on the value of proposals

– However more likely that a larger number of lower-value proposals (eg £50k - £150k) will be funded at this stage

• Aiming for an initial demonstration within 3-5 months


Submissions via the CDE Portal

17:00 Thursday 9 January 2014

Page 32: Every little helps...

• Problem space is broad, complex and challenging

• Requires interaction between physical and social sciences

• Individual suppliers may only be able to provide a solution to part of the problem space

– These pieces are still potentially of value

– Networking and collaborating


© Dstl 2013

Page 33:

• Technical questions: [email protected]

• CDE questions: [email protected]


Page 34: In conclusion

• Opportunity!

• Innovation

• Demonstration

• Focus

– Host-based solutions

– Abuse of legitimate credentials

– “Strange and charmed”

• Closing date - Thursday 9 January 2014 at 17:00 hrs!
