Copyright © 2012 Raytheon Company. All rights reserved.
Customer Success Is Our Mission is a registered trademark of Raytheon Company.
Cyber Resiliency & Agility – Call to Action
MITRE Resiliency Workshop
May 31, 2012
Suzanne Hassell
Engineering Fellow
Raytheon Network Centric Systems
Cyber Resiliency/Agility – Purpose and Goals
5/29/2012
Surviving the Persistent IO Threat
We should assume that the attackers have invaded our network and we may not detect them.
Global monoculture has created a vast attack target for exploiting.
Ill-defined Network Perimeters
Ensure Mission Survival in a Cyber Compromised Environment
Agenda
The Cyber S&T Vision for Resiliency and Agility
Resiliency and Agility Purpose and Goals
Resiliency and Agility Techniques
Examples of Resiliency Techniques
Metrics
Recommendations
Cyber Resiliency/Agility – Purpose and Goals
Advanced Persistent Threats
• Insider Threats
• Supply Chain Compromise
• Unpatched Vulnerabilities
Goal: Work Factor Ratio
• Minimize the magnitude of the attacker’s effect, survive
• Increase cost to the attacker
• Increase the uncertainty that the attack was successful
• Increase chance of detection and attribution
Key Resilience/Agility Techniques
Adaptive
Containment
Cyber Modeling
Deception
Detection
Distributedness
Diversity
Integrity
Isolation
Least Privilege
Monitoring
Cyber Maneuver
Non Persistence
Precedence
Prioritization
Pro-active
Randomness and unpredictability
Reconstitution
Redundancy
The Nature of Cyber Agility is:
Proactive as well as Responsive
Centralized, Distributed and Autonomous
Harriet Goldman, MITRE at the Secure and Resilient Cyber Architectures Workshop Oct 29, 2010 with some modifications
Leverage Techniques from Continuity of Operations, Safety, Networking, Anti-Tamper, Virtualization
Examples of Resiliency Techniques
The following slides cover some areas of research, products or programs that illustrate various resiliency techniques.
Agility Cyber Maneuver and Deception Layers (Network Maneuver Commander)
OPS Maneuver – Fake Mission Operations
App Maneuver – Fake Applications
Service Maneuver – Fake Service Components
Session Maneuver – Fake Sessions
Network Maneuver – Fake Addresses/Ports
Link Maneuver – Fake Ports/Protocols
Physical Maneuver – Fake Components
Maneuver services are centralized, distributed or autonomous
Agility At All Layers!
Be a Moving Target
Net Maneuver
Proactive maneuvering of network elements to evade attacks.
Does not wait until attack is detected – think frequency hopping radio for networks.
Increases cost to the attacker
Increases the uncertainty that the attack was successful
Diversity by maneuvering across platforms, hypervisors, operating systems, networks
Increases chance of detection and attribution
Reconstitution removes malware.
Honey net for deception and monitoring of attackers.
Open architecture – easy to add support for additional network elements.
Cyber Maneuver, Proactive, Deception, Diversity, Reconstitution, Randomness
Network Maneuver Commander
Proactive, Random Maneuvering of Network Elements
Net Maneuver Commander (NMC) Architecture
• Collection of loosely coupled services
• Orchestrated via Enterprise Service Bus
• Generic plug-in framework to support new applications
For additional details, please refer to “Using Cyber Maneuver to Improve Network Resiliency”, in the MILCOM 2011 Proceedings
Reactive and Pre-emptive
Net Maneuver Effect on OODA Loop
Observe, Orient, Decide and Act
Reduce Your Attack Surface
Trusted Thin Client ™
Provides one access point for multiple classification levels. Eliminates the need for cabled connections to each classified network across multiple desktop systems.
Reduces desktop hardware and power
No data stored locally – read only
Flexible implementations
Thin client hardware
Software only virtual machine
Utilizes existing workstations
For users requiring resource-intensive applications and access to lower level networks
Accredited solution, widely deployed
Security Blanket ™
Automatically locks down the operating system, significantly reducing the opportunity for malware to enter and propagate.
Harden Operating System
Restrict user access
Configure security settings
Disable unnecessary services and protocols
Output is DISA STIG Compliant
Containment, Integrity
Trust, But Verify Your Own
SureView ™
Insider threat detection and evidence gathering based on proven rule sets and behaviors.
Detect policy violations, compliance incidents or malicious acts
DVR replay plays back what the user was actually doing before, during, and after the flagged incident
Measure the effectiveness of business processes and policy
Monitor every vector of communication
Accredited solution, widely deployed
Adaptive, Containment, Detection, Proactive, Isolation
Find and Disable the Infiltrator
RShield ™
Analyzes e-mail, attachments and embedded URLs at line speeds by rapidly and seamlessly routing them to virtualized detection farms where they are opened and observed inside a sophisticated, unique and proprietary virtual environment.
Intercepts after spam filtering and anti-virus
Looks for unauthorized or unexpected behavior that indicates malware
Scales to run at line speeds
Within Raytheon, many targeted spear phishing attempts detected targeting many users
Adaptive, Detection, Monitoring, Deception, Isolation, Proactive
Importance of Resiliency/Agility Metrics
Metrics must be used to evaluate the agility and resiliency of systems and networks.
Tools used for evaluation of resilient architectures will support these metrics.
Metrics Are Key to Resiliency and Agility Strategy
Example Metrics for Cyber Maneuver Evaluation
Basis for many metrics is Time
Metrics on Attacks
– Percent of successful attacks
– Percent of partially successful attacks
– Time spent per phase
– Duration of successful attack
Metrics on Defenses
– Mean number of attack disruptions
– Defense factor
– Defensive efficiency
For additional details of these metrics, please refer to “Measurement, Identification and Calculation of Cyber Defense Metrics” in the MILCOM 2010 Proceedings
Analysis of Results
Example: Defense Factor
– Defense Factor = ratio of Attack Execution to Defense Action
– As Defense Actions become faster, Attack Success drops off
Example: Network Size
– Varying network size (i.e., number of host nodes)
– For a malicious email attack, network size has no appreciable effect
Cyber Analysis Modeling Evaluation for Operations CAMEO
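A constructed toy model of the metrics on the preceding slides, added here as an example (it is not CAMEO and not the MILCOM 2010 method): the three-phase attack, the maneuver period and the disruption rule are assumptions. It shows how percent successful, percent partially successful, mean disruptions and duration of a successful attack change as defense actions become faster, i.e. as the defense factor rises.

```python
"""Toy evaluation of the cyber-maneuver metrics listed on the slide.
Constructed model (an assumption, not CAMEO or the MILCOM 2010 method): an
attack is a sequence of phases, each needing uninterrupted time on a network
element the defense maneuvers every defense_period, wiping a half-done phase."""
from dataclasses import dataclass
from statistics import mean

@dataclass
class AttackRun:
    phases_done: int    # phases completed before time ran out
    disruptions: int    # maneuvers that interrupted a phase in progress
    duration: float     # time from attack start to its last event
    finished: bool      # every phase completed

def run_attack(phase_durations, defense_period, start_offset, max_time):
    """Replay one attack that begins at start_offset while the defense
    maneuvers at every multiple of defense_period; return the raw counters."""
    t, phases_done, disruptions = start_offset, 0, 0
    while phases_done < len(phase_durations) and t < max_time:
        need = phase_durations[phases_done]
        next_maneuver = (t // defense_period + 1) * defense_period
        if t + need <= next_maneuver:   # phase fits before the next maneuver
            t += need
            phases_done += 1
        else:                           # maneuver wipes the half-done phase
            disruptions += 1
            t = next_maneuver
    finished = phases_done == len(phase_durations)
    return AttackRun(phases_done, disruptions, t - start_offset, finished)

def evaluate(phase_durations, defense_period, trials=10, max_time=10_000):
    """Aggregate the slide's metrics over attacks started at evenly spaced
    offsets within one maneuver interval."""
    runs = [run_attack(phase_durations, defense_period,
                       i * defense_period / trials, max_time)
            for i in range(trials)]
    successes = [r for r in runs if r.finished]
    n = len(phase_durations)
    return {
        # defense factor: attack execution time over defense action time
        "defense_factor": sum(phase_durations) / defense_period,
        "pct_successful": 100.0 * len(successes) / trials,
        "pct_partial": 100.0 * sum(0 < r.phases_done < n for r in runs) / trials,
        "mean_disruptions": mean(r.disruptions for r in runs),
        "mean_success_duration": mean(r.duration for r in successes) if successes else None,
    }

if __name__ == "__main__":
    for period in (100, 8, 4, 2.5):    # constructed attack: recon, exploit, persist
        print(period, evaluate([2, 3, 1], period))
```

With the slow maneuver every attack completes undisturbed; at a period of 4 every attack still completes but takes longer and is disrupted at least once; at 2.5 the 3-unit phase can never fit, so every attack stays partial.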
Summary - Call to Action
The vision for Resiliency and Agility has been set forth in the Cyber S&T Roadmap
Requirements for Resiliency and Agility are Coming!
Not just “cyber” products, although deploying them can help
All systems and networks need the appropriate level of cyber agility and resiliency capabilities – architecture framework, toolkits and processes including modeling and simulation
Must be measurable – metrics are crucial!
Collaboration amongst Government, Industry and Academia