Next Move: Anticipation is a Big Part of Cybersecurity
By Eric Tegler
Protecting America’s defense communication and data networks from cyberattacks is a ceaseless game of chess. As renowned chess champion Emanuel Lasker said, “When you see a good move, look for a better one.”
A contingent of the defense cybersecurity research community is doing just that.
While a major portion of research and development remains focused on passive defenses for software and embedded systems, there is another thread that is increasingly focused on quantifying the activity and understanding the behavior of cyber adversaries to develop more effective countermeasures.
This research is expected to yield ideas and cybersecurity approaches that will have to be absorbed by the government’s technology integrators and the military as fast as possible. When building networks and systems robust enough to allow warfighters to function effectively, the next move is always critical.
The Cyber Agility Framework: Data Science Meets Cybersecurity
After about 10 minutes chatting with Jose Mireles – a Department of Defense (DOD) cybersecurity expert who co-developed what’s called the “Cyber Agility Framework” (CAF) as part of his thesis at the University of Texas at San Antonio (UTSA) – I said, “This looks like what would happen if a data scientist rocked up to a cybersecurity problem.”
“Exactly,” he said.
In the simplest terms, the CAF is a set of mathematical equations that can be applied to any time-stamped data set. In this case, the data is cyberattack alerts.
Mireles is part of a broader collaborative including Dr. Shouhuai Xu, director of the Laboratory for Cybersecurity Dynamics and computer science professor at UTSA, UTSA student Eric Ficke, and researchers at Virginia Tech, the U.S. Army Combat Capabilities Development Command (CCDC) Army Research Laboratory (ARL), and the U.S. Air Force Research Laboratory (AFRL).
Together, they conceived the CAF as a tool to score the agility of cyber attackers and defenders. You can think of it as a measuring stick, a framework to help government and industry organizations visualize how well (or how poorly) they outmaneuver attacks.
One valuable source of cyberattack data comes from “Snort alerts.” Snort is a widely used, open-source network intrusion detection system: it performs real-time traffic analysis and packet logging, matches traffic against a rule set, and raises an alert whenever a rule fires. Those alerts are just the kind of data meant to be plugged into the CAF.
The CAF team began by taking four terabytes of packet capture (PCAP) data from the National Collegiate Cyber Defense Competition, using it as a control input to the framework, then re-running the same data through each new Snort version and rule release (community and subscription rules) as it was issued.
“Over time, that allowed us to see whether a new update caught [intrusions] that weren’t there before,” Mireles said. “We were able to determine which [Snort] versions were good for static attack analysis.”
The researchers then applied the framework to several years of DEFCON Snort data sets. The CAF allowed them to see changes in Snort alerts/detection and the changes in cyberattacks in response.
CAF researchers also used a “honeypot” – a computer system that lures real cyberattacks – to attract and analyze malicious traffic. As both attackers and defenders created new techniques, the researchers used the framework to better understand how a series of engagements transformed into a new adaptive pattern.
For example, an attacker launches a new exploit. How long does it take a defender to respond to the new tactic? Once the defender rolls out a countermeasure, how long does it take the attacker to defeat or work around it? CAF researchers call this “evolution generation.”
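As an added example (not code from the CAF team or the article), the Python below parses Snort fast-format alert lines and computes the two intervals just described: how long the defender took to detect a new attack variant, and how long the attacker then took to field the next one. The alert lines, rule SIDs, attack-variant timeline and the year are all constructed for this page, and the two lag definitions are an illustration of the idea, not the CAF’s published equations.

```python
"""
Added example (not CAF code): parse Snort fast-format alerts and measure the
attacker/defender "evolution generation" cycle the article describes.

Assumptions, all constructed for this page:
  - the alert lines, rule SIDs (1000001/1000002) and attack-variant timeline
  - defender lag = first alert for the variant's rule minus the variant's
    first appearance; attacker lag = next variant's first appearance minus
    that first alert. These are illustrative metrics, not the CAF's equations.
"""
import re
from datetime import datetime

YEAR = 2019  # Snort fast alerts carry no year; assumed here.

# Layout of Snort's "fast" alert output; the lines below are constructed.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

SNORT_ALERTS = """\
03/02-09:15:02.100000  [**] [1:1000001:1] EXAMPLE web shell upload v1 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
03/02-09:16:45.220000  [**] [1:1000001:1] EXAMPLE web shell upload v1 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.10:80
03/05-16:40:09.000000  [**] [1:1000002:1] EXAMPLE web shell upload v2 encoded [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40021 -> 192.0.2.10:80
03/05-16:41:00.000000  [**] [1:1000002:1] EXAMPLE web shell upload v2 encoded [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40022 -> 192.0.2.10:80
"""

# Ground truth as a honeypot or PCAP replay would give it (constructed): when
# each attack variant first appeared and which rule (SID) eventually detects it.
ATTACK_VARIANTS = [
    ("webshell-v1", datetime(2019, 3, 1, 8, 0, 0), 1000001),
    ("webshell-v2-encoded", datetime(2019, 3, 3, 12, 0, 0), 1000002),
    ("webshell-v3-chunked", datetime(2019, 3, 6, 10, 0, 0), None),  # no rule yet
]


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; reject anything unrecognised."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised Snort alert line: " + line)
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "ts": ts, "sid": int(m["sid"]), "rev": int(m["rev"]),
            "msg": m["msg"], "priority": int(m["prio"]), "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": m["dport"],
        })
    return alerts


def first_detection(alerts):
    """Earliest alert timestamp per SID: when the defence first saw a rule fire."""
    first = {}
    for a in alerts:
        if a["sid"] not in first or a["ts"] < first[a["sid"]]:
            first[a["sid"]] = a["ts"]
    return first


def evolution_generations(variants, alerts):
    """One record per attack variant with the two lags the article asks about."""
    first = first_detection(alerts)
    gens = []
    for i, (label, seen, sid) in enumerate(variants):
        detected = first.get(sid) if sid is not None else None
        defender_lag = detected - seen if detected is not None else None
        attacker_lag = None
        if detected is not None and i + 1 < len(variants):
            attacker_lag = variants[i + 1][1] - detected
        gens.append({"variant": label, "first_seen": seen, "detected": detected,
                     "defender_lag": defender_lag, "attacker_lag": attacker_lag})
    return gens


def agility_summary(gens):
    """Mean lag in hours for each side (lower is more agile) plus undetected variants."""
    def mean_hours(deltas):
        hours = [d.total_seconds() / 3600 for d in deltas]
        return round(sum(hours) / len(hours), 2) if hours else None
    return {
        "defender_mean_hours": mean_hours([g["defender_lag"] for g in gens if g["defender_lag"]]),
        "attacker_mean_hours": mean_hours([g["attacker_lag"] for g in gens if g["attacker_lag"]]),
        "undetected_variants": [g["variant"] for g in gens if g["detected"] is None],
    }


if __name__ == "__main__":
    gens = evolution_generations(ATTACK_VARIANTS, parse_alerts(SNORT_ALERTS))
    for g in gens:
        print(g["variant"], "defender lag:", g["defender_lag"], "attacker lag:", g["attacker_lag"])
    print(agility_summary(gens))
```

Run as-is it reports a defender that needed roughly a day and then two days to catch each variant, an attacker that took roughly a day and then under a day to change tactics, and a third variant still undetected. Re-running the same PCAP through each Snort release, as the CAF team did, simply shifts the `detected` timestamps; the lags then show whether the new rules closed the gap.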
The CAF’s capacity to illustrate evolution generation graphically shows promise for helping users change their cyber defenses quickly. As a potential tool for crafting future defense and response strategies, it’s of particular interest to the Army.
“The Army is most interested in this technology as a predictive tool for cyber countermeasures,” Dr. Purush Iyer, division chief of Network Sciences at the Army Research Office (an element of ARL), affirmed.
“During a mission, the Army depends on network platforms to provide soldiers with vital information that must be protected. It’s no longer enough to just have passive cybersecurity measures that look for malicious activity. An agile framework that keeps changing and thus keeps the adversary from making assumptions about a system is a key step in improving cybersecurity.”
The predictive potential of the CAF isn’t yet fully understood, Mireles acknowledged. Exhaustive peer review has helped refine the framework and suggested it works best as a visualization tool, he said.
“If you’re an enterprise and you’ve got people looking at [attacks], you could almost say it’s like alert correlation. It helps you put what you’re looking at in perspective. You could have 15,000 to 20,000 alerts. What does that mean? The framework tries to give meaning to what may be a whole bunch of noise and data.”
But it does have predictive qualities. Xu uses a chess analogy to explain:
“For example, you could have a situation like a Level 2 [chess player] playing against a Grand Master. If I know [my opponent], I can have a guiding principle to prioritize my defense ... I can proactively allocate my resources to better defend. I could even strategically use a deception mechanism to help figure out what the attacker is going to do in the future.”
Large-scale deployment of the CAF is still in the future, Iyer confirmed. It will undergo further refinement at ARL and the CCDC C5ISR (command, control, computers, communications, cyber, intelligence, surveillance and reconnaissance) Center before eventually rolling out to the Army’s combatant commands (COCOMs).
It will also potentially find its way into the DOD’s chief cyber technology integrator.
DISA: Research Meets Integration
The Defense Information Systems Agency (DISA) bills itself as a combat support agency of the DOD – the “trusted provider to connect and protect the warfighter in cyberspace.”
Practically, that means DISA’s 8,000 military and civilian employees operate and assure command and control and information-sharing capabilities within a global enterprise information infrastructure. It’s a task that requires uninterrupted vigilance and operational acumen. It also means the agency is continually in search of and incorporating new technologies and processes.
In that sense, DISA is a technology integrator, said Stephen Wallace, systems innovation scientist for the agency’s Emerging Technologies Directorate.
“My group’s responsibility is to understand the [cybersecurity] challenges that the agency and the Defense Department face and then look for emerging technologies – things that aren’t [mature] yet but may be within the next couple of years – that we can bring in and apply.”
DISA’s research priorities are shaped by the threats to military and government systems that its users raise.
“We get things directly from the COCOMs,” Wallace said, “and we have a great working relationship with the intel community – there’s a lot of information-sharing that occurs there. We [identify threats] via a variety of methods. The growth of sharing information in the last few years has become significantly better.”
That sharing of threat information has led to four primary areas of cybersecurity technology development of greatest interest to DISA: network defense, cloud security, identity assurance, and artificial intelligence security. Other areas include embedded systems and supply chain security.
Examples of DISA projects in these areas include browser isolation and continuous multifactor identity authentication.
Given that approximately 30 to 70 percent of cyberattacks come through internet browsers, DISA was looking for a way to keep its computers from being conduits for DOD network intrusions. Industry suggested one way to approach browser insecurity: Simply disconnect the browser from the network.
Working with private-sector firms, the Emerging Technologies Directorate is adopting a strategy wherein browsing takes place on a commercial cloud that is not connected to DOD servers.
The end user still interacts with the internet, but merely sees a rendered image of the browsing session running on a remote server rather than sending and receiving web content directly through his or her own browser. Potentially malicious code or content never touches the DOD network; it is contained in the commercial data center, inspected there when a threat is detected, and removed.
“Browser isolation is a great example of us taking a different approach to [vulnerability],” Wallace said, “stepping back and asking, ‘Can we approach the problem differently than we have traditionally?’”
DISA is exploring a nontraditional approach to identity verification as well.
The problem of identity assurance has grown exponentially with the use of mobile devices (phones, tablets, etc.) by military and government personnel. Assuring that only authorized individuals can reach DOD information networks from such devices, and that an identity cannot be hijacked simply by handing the device to another person or having it stolen, is a major challenge, one that the agency’s “shared identity” projects aim to counter.
“That came from us looking at the way we’ve traditionally done authentication and how authentication is done commercially, realizing that it’s typically point-in-time,” Wallace explained. “I authenticate to a system and my authentication lasts for a period of time – one hour, eight hours. Typically the user isn’t challenged again after that initial authentication.
“We wanted to continuously authenticate the user in the background using device sensors or contextually based factors [location, Wi-Fi network connection, device peripheral connections] to generate a dynamic risk score. If the score stays above a certain level, the user is allowed to continue functioning. If it falls below a level, we can issue other challenges, lock them out of the device, etc.”
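As an added example (not DISA’s code or Wallace’s), here is a small Python model of the continuous, risk-scored authentication he describes: each sensor snapshot is folded into a running trust score, and the score drives an allow/challenge/lock decision. The factor names and weights, the smoothing constant, the thresholds and the two observation streams (a hand-off to another person, and a theft) are all constructed for this page.

```python
"""
Added example (not DISA's code): a continuous-authentication risk score of the
kind Wallace describes. Every assumption here is constructed for this page:
the factor names and weights, the smoothing constant, the thresholds and the
observation streams.
"""

# Contextual factors the device reports, and how much trust each is worth.
# Weights are hypothetical; they sum to 1.0 so a snapshot scores in [0, 1].
FACTOR_WEIGHTS = {
    "location_known": 0.25,      # device is somewhere this user normally is
    "trusted_wifi": 0.20,        # connected to a known network
    "known_peripherals": 0.15,   # usual dock/headset/keyboard attached
    "behavior_match": 0.40,      # touch/typing/gait sensors match the user
}
ALLOW_THRESHOLD = 0.70   # at or above: keep working
LOCK_THRESHOLD = 0.40    # below: lock the device
ALPHA = 0.5              # weight of the newest snapshot in the running score

ALLOW, CHALLENGE, LOCK = "allow", "challenge", "lock"


def observation_score(obs):
    """Trust contributed by one sensor/context snapshot (unknown keys ignored)."""
    return round(sum(w for f, w in FACTOR_WEIGHTS.items() if obs.get(f, False)), 4)


class ContinuousAuthenticator:
    """Runs after the initial point-in-time login and re-scores every snapshot."""

    def __init__(self):
        self.score = 1.0        # full trust right after a successful login
        self.locked = False

    def update(self, obs):
        """Fold one snapshot into the running score; return (score, decision)."""
        if self.locked:
            return self.score, LOCK        # stays locked until a real re-login
        # Exponentially weighted moving average: old context fades, new dominates,
        # so a single noisy reading does not lock the user out.
        self.score = round((1 - ALPHA) * self.score + ALPHA * observation_score(obs), 4)
        if self.score >= ALLOW_THRESHOLD:
            return self.score, ALLOW
        if self.score >= LOCK_THRESHOLD:
            return self.score, CHALLENGE   # step-up: PIN, biometric, smart card ...
        self.locked = True
        return self.score, LOCK

    def challenge_passed(self):
        """A successful step-up re-establishes trust without a full login."""
        if not self.locked:
            self.score = 1.0

    def reauthenticate(self):
        """Full login: clears a lock."""
        self.locked = False
        self.score = 1.0


def run_session(observations):
    """Replay a stream of snapshots; returns the (score, decision) made for each."""
    auth = ContinuousAuthenticator()
    decisions = []
    for obs in observations:
        score, decision = auth.update(obs)
        decisions.append((score, decision))
        # "challenge_ok" simulates the user answering a step-up challenge.
        if decision == CHALLENGE and obs.get("challenge_ok"):
            auth.challenge_passed()
    return decisions


# Constructed snapshots.
OWNER = {"location_known": True, "trusted_wifi": True,
         "known_peripherals": True, "behavior_match": True}
HANDED_OVER = {**OWNER, "behavior_match": False}       # same place, different hands
STOLEN = {f: False for f in FACTOR_WEIGHTS}            # new place, new network, nothing attached

HANDOFF_SESSION = [OWNER, HANDED_OVER, HANDED_OVER, HANDED_OVER,
                   {**HANDED_OVER, "challenge_ok": True}, OWNER]
THEFT_SESSION = [OWNER, STOLEN, STOLEN, STOLEN]

if __name__ == "__main__":
    print("hand-off:", run_session(HANDOFF_SESSION))
    print("theft:   ", run_session(THEFT_SESSION))
```

In the hand-off stream the score slides from 1.0 to 0.65 over three snapshots before a challenge is issued, then snaps back once the challenge is answered; in the theft stream every factor disappears at once, so the device reaches the lock threshold after two snapshots and stays locked until a full re-login. The smoothing constant is the tuning knob: a larger `ALPHA` reacts faster but also locks out a legitimate user who walks into a dead Wi-Fi zone.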
Assured identity is broader than the project described above and is a topic on which DISA works closely with its research partners. Other cybersecurity risks are brought to the agency’s attention by outsiders, sometimes concerning weaknesses that attract little notice amid the current buzz.
“For instance, we’re looking at where we need to go from a next-generation cryptography perspective,” Wallace said.
Finding the technologies or processes to advance network cryptography is one thing. Finding a way to deploy them quickly is another.
Like its counterparts in DOD, DISA is making use of alternate means of acquisition, including Other Transaction Authorities (OTAs), to get warfighters the secure infrastructure they need. Given the rate at which cyber challenges change, increasing the speed of integration is important and an ingredient in the trust that DOD networks still inspire, Wallace said.
“The one thing I think we’ve all learned in this space is that you never speak in absolutes. But I’m very confident in our team’s ability to defend and protect the networks. The folks we have in DISA do a fantastic job ensuring that we’re able to deliver on our mission every day.”
DoDCAR: Framing Godzilla Drives Research
One of the most vexing cybersecurity problems is where to allocate research resources. As we connect more things and more information across DOD information networks, we keep increasing the attack surface and the number of potential threat vectors. Figuring out and articulating which threats need most attention can help direct research to address them.
The Department of Defense Cybersecurity Analysis and Review (DODCAR) seeks to characterize and quantify cyber threats to help DOD and wider government target investments in cyber countermeasures and cybersecurity research.
At a defensive cyber operations symposium in 2018, Patrick Arvidson, special assistant to the Office of the National Manager for National Security Systems, National Security Agency, described the overall cyber threat as “Godzilla” and DODCAR as a framework that defines the monster from multiple perspectives and measures its punch.
In doing so, it facilitates decision-making “on where the application of resources would make the biggest difference in thwarting the action and intent of the adversaries, not necessarily every tactic [they] use,” Arvidson said.
DOD and NSA describe DODCAR as a threat-based, analysis-driven, repeatable process to synchronize and balance cybersecurity investments, minimize redundancies, eliminate inefficiencies, and improve all-around mission performance.
DODCAR is basically a multi-layer threat framework with cyber competency scoring and analysis. The top threat layer addresses the strategic objective of the adversary, which is to get in, stay in, and act. The operational layer assesses an adversary’s aim to be persistent and move laterally. A third layer focuses on the intent of the attacks, such as targeting applications, portable drive exploits, or information exfiltration.
Perhaps most important, DODCAR creates a common way to talk about and assess threats across agencies and programs. It provides what Arvidson called a “heat map” and a capability list along with an assessment of how well the capabilities perform.
The scoring creates an implementation roadmap for the DOD information networks. Cybersecurity managers can tell where there is investment against the threat, where there is no investment, and define the gaps. Having both threat prioritization and gap identification allows researchers to narrow in on the most fertile areas for cyber defense development.
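As an added example (not DODCAR’s scoring model, which the article does not detail), the Python below shows how a threat-versus-capability assessment of the kind described produces a heat map and a gap list. Techniques are grouped under the three adversary objectives named above (get in, stay in, act); each carries a threat score, each deployed capability carries an assessed effectiveness against the techniques it touches, and what survives after coverage is the gap. All technique names, scores and effectiveness values are constructed for this page.

```python
"""
Added example (not DODCAR's own scoring): a small threat-versus-capability
model to show how a heat map and a ranked gap list fall out of it. All
techniques, layers, threat scores and effectiveness values are constructed.
"""

# Techniques grouped by the adversary objective they serve, with a threat
# score (0..1) standing in for how heavily the adversary relies on them.
THREATS = {
    "spearphishing link":                   ("get in",  0.9),
    "exploit public-facing application":    ("get in",  0.7),
    "valid accounts (stolen credentials)":  ("get in",  0.6),
    "credential dumping":                   ("stay in", 0.8),
    "lateral movement via remote services": ("stay in", 0.8),
    "exfiltration over C2 channel":         ("act",     0.9),
    "removable media exfiltration":         ("act",     0.4),
}

# Deployed capabilities and their assessed effectiveness (0..1) against the
# techniques they touch. A technique missing from every capability has no
# investment against it at all.
CAPABILITIES = {
    "email sandbox":      {"spearphishing link": 0.4},
    "browser isolation":  {"spearphishing link": 0.7},
    "credential guard":   {"credential dumping": 0.7},
    "network IDS":        {"exploit public-facing application": 0.5,
                           "lateral movement via remote services": 0.4,
                           "exfiltration over C2 channel": 0.3},
    "USB device control": {"removable media exfiltration": 0.9},
}


def coverage(technique):
    """Combined effectiveness of every capability against one technique,
    treating them as independent layers: 1 - prod(1 - e_i)."""
    miss = 1.0
    for caps in CAPABILITIES.values():
        miss *= 1.0 - caps.get(technique, 0.0)
    return round(1.0 - miss, 4)


def residual_risk():
    """Threat score discounted by coverage; what remains is the gap."""
    return {t: round(score * (1.0 - coverage(t)), 4)
            for t, (_, score) in THREATS.items()}


def heat_map():
    """Residual risk rolled up per adversary objective (the top threat layer)."""
    res = residual_risk()
    out = {}
    for t, (layer, _) in THREATS.items():
        out[layer] = round(out.get(layer, 0.0) + res[t], 4)
    return out


def gaps(limit=3):
    """Highest residual risk first: where new investment or research pays most."""
    res = residual_risk()
    return sorted(res.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def uninvested():
    """Techniques no deployed capability addresses at all."""
    return [t for t in THREATS if coverage(t) == 0.0]


if __name__ == "__main__":
    print("heat map by objective:", heat_map())
    print("top gaps:", gaps())
    print("no investment:", uninvested())
```

With these constructed numbers the model says what a manager would want to read off the heat map: the "get in" layer carries the most residual risk, the single largest gap is C2-channel exfiltration (a high-threat technique covered only weakly), and stolen credentials have no investment against them at all, even though two capabilities overlap on phishing. Replacing the independence assumption in `coverage` with assessed, per-capability overlap is the first refinement a real assessment would make.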
If, using DODCAR, you can figure out what Godzilla is doing instead of trying to guess, you can more effectively target research investment. You can apply existing cyber countermeasures more successfully and likely anticipate your adversary’s next move.