
Copyright © 2012 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company. Cyber Resiliency & Agility Call to Action MITRE Resiliency Workshop May 31, 2012 Suzanne Hassell Engineering Fellow Raytheon Network Centric Systems [email protected]


Page 1

Copyright © 2012 Raytheon Company. All rights reserved.

Customer Success Is Our Mission is a registered trademark of Raytheon Company.

Cyber Resiliency & Agility – Call to Action

MITRE Resiliency Workshop

May 31, 2012

Suzanne Hassell

Engineering Fellow

Raytheon Network Centric Systems

[email protected]

Page 2

Page 3

Cyber Resiliency/Agility – Purpose and Goals

5/29/2012

Surviving the Persistent IO Threat

We should assume that the attackers have invaded our network and we may not detect them.

Global monoculture has created a vast attack target for exploiting.

Ill-defined Network Perimeters

Ensure Mission Survival in a Cyber Compromised Environment

Page 4

Agenda

The Cyber S&T Vision for Resiliency and Agility

Resiliency and Agility Purpose and Goals

Resiliency and Agility Techniques

Examples of Resiliency Techniques

Metrics

Recommendations


Page 5

References to:


Page 6


Page 7


Page 8

Cyber Resiliency/Agility – Purpose and Goals

• Advanced Persistent Threats
• Insider Threats
• Supply Chain Compromise
• Unpatched Vulnerabilities

Ensure Mission Survival in a Cyber Compromised Environment

Goal: Work Factor Ratio

• Minimize the magnitude of the attacker’s effect, survive
• Increase cost to the attacker
• Increase the uncertainty that the attack was successful
• Increase chance of detection and attribution

Page 9

Key Resilience/Agility Techniques

Adaptive
Containment
Cyber Modeling
Deception
Detection
Distributedness
Diversity
Integrity
Isolation
Least Privilege
Monitoring
Cyber Maneuver
Non Persistence
Precedence
Prioritization
Pro-active
Randomness and unpredictability
Reconstitution
Redundancy

The Nature of Cyber Agility is:
Proactive as well as Responsive
Centralized, Distributed and Autonomous

Leverage Techniques from Continuity of Operations, Safety, Networking, Anti-Tamper, Virtualization

Source: Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010, with some modifications

Page 10

Examples of Resiliency Techniques

The following slides cover some areas of research, products or programs that illustrate various resiliency techniques.

Page 11

Agility: Cyber Maneuver and Deception Layers

Network Maneuver Commander

App Maneuver – Fake Applications
Service Maneuver – Fake Service Components
Session Maneuver – Fake Sessions
Network Maneuver – Fake Addresses/Ports
Link Maneuver – Fake Ports/Protocols
Physical Maneuver – Fake Components
OPS Maneuver – Fake Mission Operations

Maneuver services are centralized, distributed or autonomous

Agility At All Layers!

Page 12

Be a Moving Target

Net Maneuver

Proactive maneuvering of network elements to evade attacks. Does not wait until attack is detected – think frequency hopping radio for networks.

Increases cost to the attacker
Increases the uncertainty that the attack was successful
Diversity by maneuvering across platforms, hypervisors, operating systems, networks
Increases chance of detection and attribution
Reconstitution removes malware.
Honey Net for deception and monitoring of attackers.
Open architecture – easy to add support for additional network elements.

Cyber Maneuver, Proactive, Deception, Diversity, Reconstitution, Randomness

Page 13

Network Maneuver Commander

Proactive, Random Maneuvering of Network Elements

Net Maneuver Commander (NMC) Architecture
• Collection of loosely coupled services
• Orchestrated via Enterprise Service Bus
• Generic plug-in framework to support new applications

For additional details, please refer to “Using Cyber Maneuver to Improve Network Resiliency”, in the MILCOM 2011 Proceedings

Page 14


Reactive and Pre-emptive

Page 15

Net Maneuver Effect on OODA Loop

Observe, Orient, Decide and Act

Page 16

Reduce Your Attack Surface

Trusted Thin Client™

Provides one access point for multiple classification levels. Eliminates the need for cabled connections to each classified network across multiple desktop systems.

Reduces desktop hardware and power
No data stored locally – read only
Flexible implementations
– Thin client hardware
– Software-only virtual machine: utilizes existing workstations, for users requiring resource-intensive applications and access to lower level networks
Accredited solution, widely deployed

Security Blanket™

Automatically locks down the operating system, significantly reducing the opportunity for malware to enter and propagate.

Harden operating system
– Restrict user access
– Configure security settings
– Disable unnecessary services and protocols
Output is DISA STIG compliant

Containment, Integrity

Page 17

Trust, But Verify Your Own

SureView™

Insider threat detection and evidence gathering based on proven rule sets and behaviors.

Detect policy violations, compliance incidents or malicious acts
DVR replay plays back what the user was actually doing before, during, and after the flagged incident
Measure the effectiveness of business processes and policy
Monitor every vector of communication
Accredited solution, widely deployed

Adaptive, Containment, Detection, Proactive, Isolation

Page 18

Find and Disable the Infiltrator

RShield™

Analyzes e-mail, attachments and embedded URLs at line speeds by rapidly and seamlessly routing them to virtualized detection farms, where they are opened and observed inside a sophisticated, unique and proprietary virtual environment.

Intercepts after spam filtering and anti-virus
Looks for unauthorized or unexpected behavior that indicates malware
Scales to run at line speeds
Within Raytheon, many targeted spear phishing attempts detected, targeting many users

Adaptive, Detection, Monitoring, Deception, Isolation, Proactive

Page 19

Importance of Resiliency/Agility Metrics

Metrics must be used to evaluate the agility and resiliency of systems and networks.

Tools used for evaluation of resilient architectures will support these metrics.

Metrics Are Key to Resiliency and Agility Strategy

Page 20


Page 21

Example Metrics for Cyber Maneuver Evaluation

Basis for many metrics is time

Metrics on Attacks
– Percent of successful attacks
– Percent of partially successful attacks
– Time spent per phase
– Duration of successful attack

Metrics on Defenses
– Mean number of attack disruptions
– Defense factor
– Defensive efficiency

For additional details of these metrics, please refer to “Measurement, Identification and Calculation of Cyber Defense Metrics” in the MILCOM 2010 Proceedings

Page 22

Analysis of Results

Example: Defense Factor
– Defense Factor = ratio of Attack Execution to Defense Action
– As Defense Actions become faster, Attack Success drops off

Example: Network Size
– Varying network size (i.e., number of host nodes)
– For a malicious email attack, network size has no appreciable effect
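The Net Maneuver slide (Page 12) argues that proactive, frequency-hopping-style maneuvering of network elements raises the attacker's cost, and the metrics slides (Pages 21 and 22) list the quantities used to show it: percent of successful and partially successful attacks, time per phase, duration of a successful attack, mean disruptions, defense factor and defensive efficiency, with attack success dropping off as defense actions get faster. The following Python model is an added example, not code from the presentation, from Raytheon's Net Maneuver Commander, or from the MILCOM papers cited. The attack set, its phase durations, and the exact formulas used for defense factor (attack execution time divided by maneuver interval) and defensive efficiency (disruptions per maneuver fired) are assumptions made for illustration; the slide only states that the defense factor is the ratio of attack execution to defense action.

```python
"""Worked model of the cyber-maneuver evaluation metrics listed on the slides.

Constructed example, not Raytheon's Net Maneuver Commander and not the
MILCOM 2010 metric definitions. The defender re-addresses network elements
every `interval` time units (proactive net maneuver, the "frequency hopping"
idea); an attack is a sequence of phases, each needing uninterrupted time
against a stable target. A maneuver that fires mid-phase disrupts that phase;
the attacker re-acquires the target and retries until it has absorbed more
than `tolerance` disruptions, then gives up.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass
class Attack:
    name: str
    phases: list[tuple[str, float]]  # ordered (phase name, uninterrupted time needed)
    started_at: float                # offset into the observation window
    tolerance: int = 2               # disruptions the attacker absorbs before quitting


@dataclass
class Outcome:
    name: str
    result: str                      # "success", "partial" (some phases done) or "failed"
    phases_done: int
    disruptions: int
    duration: float                  # wall-clock time from start to success or give-up
    time_per_phase: dict[str, float] = field(default_factory=dict)


def next_maneuver(t: float, interval: float) -> float:
    """Time of the first defender maneuver strictly after t."""
    return (math.floor(t / interval) + 1) * interval


def run_attack(attack: Attack, interval: float) -> Outcome:
    """Replay one attack against a periodic maneuver schedule (deterministic)."""
    t, done, disruptions, per_phase = attack.started_at, 0, 0, {}
    for phase, need in attack.phases:
        phase_start = t
        # A phase completes only if it fits before the next maneuver fires.
        while t + need > next_maneuver(t, interval):
            disruptions += 1
            t = next_maneuver(t, interval)  # target moved; attacker re-acquires it
            if disruptions > attack.tolerance:
                per_phase[phase] = t - phase_start
                result = "partial" if done else "failed"
                return Outcome(attack.name, result, done, disruptions,
                               t - attack.started_at, per_phase)
        t += need
        done += 1
        per_phase[phase] = t - phase_start
    return Outcome(attack.name, "success", done, disruptions,
                   t - attack.started_at, per_phase)


def defense_factor(attack: Attack, interval: float) -> float:
    """Assumed reading of 'ratio of Attack Execution to Defense Action':
    total uninterrupted time the attack needs divided by the maneuver interval."""
    return sum(need for _, need in attack.phases) / interval


def evaluate(attacks: list[Attack], interval: float, window: float) -> dict[str, float]:
    """Metrics on attacks and on defenses for one maneuver interval.
    Defensive efficiency is assumed here to be disruptions per maneuver fired."""
    outcomes = [run_attack(a, interval) for a in attacks]
    n = len(outcomes)
    fired = math.floor(window / interval)
    disruptions = sum(o.disruptions for o in outcomes)
    successes = [o for o in outcomes if o.result == "success"]
    return {
        "pct_successful": 100.0 * len(successes) / n,
        "pct_partial": 100.0 * sum(o.result == "partial" for o in outcomes) / n,
        "mean_success_duration": (sum(o.duration for o in successes) / len(successes)
                                  if successes else 0.0),
        "mean_disruptions": disruptions / n,
        "defense_factor": sum(defense_factor(a, interval) for a in attacks) / n,
        "defensive_efficiency": disruptions / fired if fired else 0.0,
    }


def success_curve(attacks: list[Attack], intervals: list[float], window: float):
    """Percent of successful attacks as the defender maneuvers faster (smaller interval)."""
    return [(i, evaluate(attacks, i, window)["pct_successful"]) for i in intervals]


# Constructed attack set: phase durations and start offsets are made up for the example.
ATTACKS = [
    Attack("phish-a", [("recon", 3.0), ("exploit", 2.0), ("install", 5.0)], started_at=1.0),
    Attack("phish-b", [("recon", 3.0), ("exploit", 2.0), ("install", 5.0)], started_at=7.0),
    Attack("scan-c", [("recon", 3.0), ("exploit", 8.0)], started_at=0.0, tolerance=1),
    Attack("lateral-d", [("recon", 2.0), ("exploit", 5.0), ("install", 3.0), ("c2", 2.0)],
           started_at=4.0),
]

if __name__ == "__main__":
    for interval, pct in success_curve(ATTACKS, [20.0, 10.0, 5.0, 3.0], window=60.0):
        m = evaluate(ATTACKS, interval, 60.0)
        print(f"interval={interval:>4}  defense_factor={m['defense_factor']:.2f}  "
              f"success={pct:5.1f}%  partial={m['pct_partial']:5.1f}%  "
              f"mean_disruptions={m['mean_disruptions']:.2f}  "
              f"efficiency={m['defensive_efficiency']:.2f}")
```

Running the sweep reproduces the shape of the slide's first result: with a 20-unit interval every constructed attack completes undisturbed, at 10 units all still succeed but now pay disruptions, at 5 units the long-exploit attack is only partially successful, and at 3 units nothing completes. Time per phase and duration come straight out of each `Outcome`, so the same harness can be pointed at real maneuver logs once the phase boundaries are known.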

Page 23

Cyber Analysis Modeling Evaluation for Operations (CAMEO)

Page 24

Summary – Call to Action

The vision for Resiliency and Agility has been set forth in the Cyber S&T Roadmap

Requirements for Resiliency and Agility are coming!

Not just “cyber” products, although deploying them can help

All systems and networks need the appropriate level of cyber agility and resiliency capabilities – architecture framework, toolkits and processes including modeling and simulation

Must be measurable – metrics are crucial!

Collaboration amongst Government, Industry and Academia