9 September 2014: Automating Cyber Defence Responses CDE themed competition

Uploaded by centre-for-defence-enterprise, posted 22 January 2015

Description: Automating Cyber Defence Responses CDE themed competition presentation from the 9 September 2014 Innovation Network event in London

TRANSCRIPT

Page 1

Automating Cyber Defence Responses

© Crown copyright 2013 Dstl

10 September 2014

Page 2

Defence Cyber S&T

© Crown Copyright Dstl 2011

Page 3

Strategic context

‘Cyber Security has been assessed as one of the highest priority national security risks to the UK’

‘a transformative programme for cyber security which addresses threats from states, criminals & terrorists’

‘to derive huge economic and social value from a vibrant, resilient and secure cyber space’

Page 4

Cyber in MoD

• Falls under Joint Forces Command: “work toward making military operations successful by making sure joint capabilities, like …cyber-operations, are efficiently managed and supported”

• 2 key S&T programmes in Dstl:
  – Assured Information Infrastructure
  – Cyber

• £40 million S&T budget and growing

Page 5

Cyber in Dstl

Assured Information Infrastructure: a continuously evolving single logical, reconfigurable, resilient information infrastructure across UK and deployed, fixed and mobile elements (the design, management and normal use of cyberspace)

Cyber: delivering digital resilience and projecting power and influence to meet UK military, diplomatic and economic objectives (the abuse of cyberspace)

Page 6

Cyber Foundation Capabilities / Information Assurance (capability map; labels as extracted)

Cyber Foundation Capabilities:
• Architecture – network management, convergence, resilience, IA, spectrum
• Coalition / Interoperability
• Management – network, spectrum, IA
• Experimentation, simulation & modelling
• Disruptive technology
• Technology Watch
• Fundamental Science

Information Assurance:
• Comms & Networks Assurance
• Information Level Assurance
• Enterprise Services IA
• Crypto
• Foundations of Trust
• IA Human Factors

Competition focus:
• Decision Support
• Situational Awareness
• Cyber Defence
• Human component
• Cyber Offence

Page 7

The Technical Cooperation Programme

• TTCP is a collaborative research programme between Australia, Canada, New Zealand, the United Kingdom and the United States of America, originally started in 1957

• TTCP has recently set up a strategic Cyber Challenge group

• Adopting the Canadian Automated Computer Network Defence (ARMOUR) framework for collaborative cyber defence work – Google “GD Canada ARMOUR”

Page 8

The Defence Context

Page 9

Complexity

• Large and varied
  – 70+ countries
  – 1200 UK sites
  – 225,000 users
• Deployed elements
• Dynamic
• Outsourced services

Page 10

The threat, the risk

• Increasing in complexity and scale
  – CND + social engineering + insider threat + …………
• “Non-traditional” cyber threats
  – Electromagnetic attack
• Arms race

Page 11

Types of System

• Office-like
• Radio Frequency
• Constrained bandwidth
• High latency
• Platforms

Page 12

Platforms

• Cyber Physical Systems
• Tight coupling with Industry
• Complex

Page 13

Coalition Working

• Mission Networks
• Allies
  – NATO
  – 5 eyes
• Partners

Page 14

Nirvana

• Respond to the problem before it propagates through the network, causing wider damage
• Improved understanding of what is going on
• Allows for human decision making when required
• Works across the fixed and deployed spaces
• Enables better defence in a coalition

Page 15

Technical Context

Page 16

Cyber Defence

• Cyberspace is essential to our operations
• Adversaries will disrupt our systems
• Our defensive response requires
  – elements of automation
  – human intervention

Page 17

The Problem

• Concerning MOD systems
  – Reliance on cyberspace
  – Disruption from cyber attack
  – Speed, frequency, targeting, motivation
  – Sophisticated, distributed, stealthy
  – Unique threats (actors and environment)
  – Complex and dynamic

Page 18

Complexity & Connectivity

Page 19

The Context

• Research proposals
• Proof-of-concept
• Tools and techniques for: planning automated responses to threats and attacks on our systems (N.B. not the defensive tools themselves)

An automated or semi-automated capability to change systems in response to cyber events

The Need

Page 20

Elements of the defence response

• Collecting information
• Identifying the attack
• Analysing potential courses of action
• Responding

Page 21

The Solution scope

– Permanent infrastructure and deployed systems
– Different responses
– Human intervention
– Identify defensive actions, processes, contexts
– Significant capability improvement

Page 22

Scope - Courses of Action

The four elements of the defence response mapped onto the OODA loop:

Observe – collecting situational awareness data (Collecting information)

Orient – analysis to determine actual and possible attacks (Identifying the attack)

Decide – determining/selecting courses of action (Analysing potential courses of action)

Act – taking the appropriate action (Responding)

Page 23

Solution architecture constraints

• Other elements already exist
• Function and interfaces not well defined
• Input / Output requirements on other elements

(Pipeline diagram: Collecting → Identifying → Courses of Action → Responding)

Page 24

Course of Action – input events

• Predicted / Detected attacks
• Attack sources
• Early indicators
• Attack patterns
• Vulnerabilities
• System configuration and management data
• Data sources

Page 25

Course of Action - responses

• Compartmentalisation and connectivity
• Configuration changes (e.g. firewalls)
• Routing
• Access controls and lockdown status
• Service availability
• Attack signatures and patch levels
• Alerts and warnings, staffing levels
• Security operating procedures and controls

Page 26

Solution Architecture assumptions

• Courses of Action element:
  – Define functions / operations / interfaces
  – Identify data required / provided
  – Identify data sources
• Identify your assumptions
• Identify metrics
• Document test data & tests – data will not be provided by MOD

Page 27

Course of Action - metrics

• For each response action we need metrics
  – Effective prioritisation
  – Response actions vs threat/attack
  – Automatic response vs manual intervention
  – Impact and risk assessment
• Metrics themselves
  – Detailed definition and meaning
  – Value ranges
  – Use
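To make the Decide stage of pages 22 to 27 concrete, here is a toy Course of Action analyser that takes an input event, scores each candidate response from the responses list against the metrics named above (effectiveness vs the threat, impact and risk, automatic vs manual) and returns a ranked recommendation rather than acting. This is an added example and not Dstl's or the competition's code; the event fields, the candidate library, the scoring weights and the automation threshold are all assumptions.

```python
"""Toy Course-of-Action (CoA) analyser for the Decide stage of the pipeline above.
Added example, not Dstl's or the competition's code: the event schema, the
candidate library, the scoring weights and the automation threshold are assumptions."""
from dataclasses import dataclass

@dataclass
class Event:            # an input event from the Identifying stage
    attack: str         # attack class, e.g. "lateral-movement"
    severity: float     # 0..1, as assessed by the Identifying stage (assumed scale)
    deployed: bool      # True if the affected asset sits in the deployed space

@dataclass
class Action:           # one response from the "Course of Action - responses" list
    name: str
    mitigates: set      # attack classes it is effective against ("*" = any)
    impact: float       # 0..1 disruption to our own operations (assumed scale)
    reversible: bool

# Constructed candidate library using the deck's response categories; toy parameters.
LIBRARY = [
    Action("alert-and-raise-staffing", {"*"}, 0.05, True),
    Action("firewall-block-source", {"scanning", "exfiltration"}, 0.2, True),
    Action("lockdown-access-controls", {"lateral-movement", "credential-abuse"}, 0.4, True),
    Action("compartmentalise-segment", {"lateral-movement", "worm"}, 0.7, False),
    Action("disable-service", {"exfiltration", "worm"}, 0.9, False),
]

AUTO_THRESHOLD = 0.3    # assumed policy: automate only low-impact, reversible actions

def score(event, action):
    """Priority = effectiveness against the threat, discounted by self-inflicted impact."""
    if "*" not in action.mitigates and event.attack not in action.mitigates:
        return 0.0
    # Deployed assets tolerate disruption less, so impact counts double there.
    impact = action.impact * (2.0 if event.deployed else 1.0)
    return round(max(event.severity - impact, 0.0), 3)

def decide(event, library=LIBRARY):
    """Ranked recommendations (name, priority, mode). Decision, not action: the mode
    says whether the Response Coordinator may act or must wait for a human."""
    ranked = []
    for a in library:
        s = score(event, a)
        if s > 0:
            mode = "automatic" if a.reversible and a.impact <= AUTO_THRESHOLD else "manual"
            ranked.append((a.name, s, mode))
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

Calling `decide(Event("lateral-movement", 0.8, deployed=False))` ranks the alert first as an automatic action and the two disruptive containment options below it as manual, while the same event on a deployed asset leaves only the alert, which is exactly the kind of impact-weighted, human-in-the-loop output the metrics slide asks for.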

Page 28

What we want

• Novel and innovative approaches to developing courses of action
• Final report
• Proof of concept demonstration
• A development plan beyond the initial proof-of-concept phase
• Solutions that consider the breadth of MOD systems, end points, hosts etc

Page 29

What we don’t want

• Technology watch or horizon scanning
• Existing technology products and tools
• Demonstrations of the same
• Marginal improvements in capability
• Paper based studies
• Focus / emphasis on presentation layer
• Fully formed User Interface

Page 30

Exploitation – towards phase 2

• Tool or toolset – component of a wider system
• Open source, service oriented architecture
• Specific implementation not decided
• Comms, messaging, data flow through Enterprise Service Bus
• Potential for collaboration with overseas partners

Page 31

Solution Architecture – phase 2 (architecture diagram; components as extracted)

• Enterprise Service Bus
• Data Analysis and Action: Attack / Incident Analysers, Course of Action Analyser, Response Coordinator
• Data Storage: Course of Action Library and response status
• Data Presentation: Course of Action View
• Data Source Connectors
• Effector Connectors
• Infrastructure Management Systems
• Infrastructure

Page 32

Conclusion

Page 33

In conclusion

• Opportunity!
• Innovation
• Demonstration
• Focus
  – Automation
  – Course of action
  – Decision, not action

Page 34

Don’t Forget!

• Your bid must be made via the CDE Portal
  – Emailed proposals will not be accepted
  – Don’t leave it until the last minute – the portal can only handle a limited number of concurrent sessions

Page 35

… and finally …

• Dstl have committed up to £1 million of funding for the initial proof-of-concept demonstrators
• No cap on the value of proposals
  – However, it is more likely that a larger number of lower value proposals (e.g. up to £100,000) will be funded at this stage
• Anticipated delivery within 6 months of being on contract (latest – March 2016)

Submissions via the CDE Portal by 1700 Thursday 23rd October 2014

Page 36

• Technical questions – [email protected]
• CDE questions – [email protected]