Cyber Attack Information System CAIS. DI Thomas Bleier, MSc, CISSP, CEH

Transcription

1 Cyber Attack Information System CAIS Cyber Attack Information System DI Thomas Bleier, MSc, CISSP, CEH AIT Austrian Institute of Technology Bundeskanzleramt Österreich Bundesministerium für Landesverteidigung und Sport Bundesministerium für Inneres FH St. Pölten OIIP Österreichisches Institut für Internationale Politik T-Mobile Austria T-Systems Austria NIC.AT / CERT.AT

2 AIT Austrian Institute of Technology Austria s larges non-university research center Focused on infrastructures of the future ±1000 Safety & Security Department: Guaranteeing efficiency and reliability of critical infrastructures, development and provision of futureoriented technologies

3 ICT Security AIT Research Topics o Security Engineering of large and complex systems o Facilitating Security by Design o National Cyber Defense o Efficiently security large-scale service-oriented architectures o Cloud Computing for high-assurance applications o Security and Risk Management for Smart Grids and Critical Infrastructures o Next Generation Key Management for Encryption Tools, Methodologies + Application Domains = Secure Systems

4 The problem The complexity of ICT systems is increasing o Landing on the moon with Lines of Code o Today: F-35 fighter jet: 5,7 Mio; Boeing 787: 6,5 Mio; Mercedes S-Class: 20 Mio; Chevrolet Volt: 100 Mio. Systems are getting more and more interconnected o Internet-of-Things, Always-on, Pervasive Computing o M2M (Machine-to-Machine) Communication o Virtual Infrastrucutures (Cloud), etc. Industry trend towards open network architectures o Open protocols (e.g. IP) o Increased number of third parties The dependency on ICT systems is increasing o Smart Grid, Smart Home, Smart City, Smart Phone o egovernment, ecommerce, ehealth, emobility

5 The CAIS project Cyber Attack Information System Austrian national research project Partly funded within the national security research programme KIRAS o By the Federal Ministry for Transport, Innovation and Technology Duration: 2 years, Project goal: to study concepts, models and approaches for setting up a national cyber center in order to keep track of ongoing incidents on a national level and establish/maintain situational awareness

6 Project consortium Coordinator: AIT Austrian Institute of Technology GmbH Project Partners: Federal Chancellery Federal Ministry of Defence and Sports Federal Ministry for the Interior University of Applied Sciences St. Pölten oiip - Austrian Institute for International Affairs T-Mobile Austria T-Systems Austria NIC.AT / CERT.AT

7 Starting position Dependence on ICT o Coupling of critical infrastructures via ICT o Novel areas like Cloud, Mobile Cyber terrorism (and cyber war) is reality! o Estonia, Stuxnet, Flame, etc. Different initiatives raising awareness and working on parts of the problem o e.g., Computer Emergency Response Teams (CERTs) Novel challenges for infrastructure providers o Detection of coordinated attacks towards multiple organizations o Collaborative protection through knowledge sharing Need for a Cyber Attack Information System on a national level!

8 National Cyber Defense - Goals Linking and coordinating existing initiatives o CERTs o National initiatives, e.g., crisis management Establishing situational awareness on a national level o Infer risks for society due to interdependent infrastructures Facilitating public-private partnerships o Private organizations delivering public services Maintaining organizational responsibility o Definition of roles, responsibilities, obligations etc. Activating inter-organizational collaboration o Information exchange e.g. regarding exploited vulnerabilities o Mutual aid in securing systems against current threats

9 National Situational Awareness Understand o Structure of networks and interdependencies o Availability of services o Ongoing business and operations Detect and predict o Undesired activities and their current or future impact on services, operation, or infrastructure Observe and analyze o Responsive actions and mitigation strategies and their success o Effectiveness of service recovery procedures on an organizational as well as national level! gather, filter, process, assess, analyze, interpret, comprehend, visualize, predict, inform, share

10 The CAIS Approach Cyclic approach similar to incident response methods Hierarchical structure: organizational vs. national level Stepwise Process 1. Monitoring Collect data about status of infrastructure 2. Anomaly Detection Detection of incidents 3. Decision Making Establishing situational awareness, collaborative approach 4. Instruction/Advice Discovery of targeted counter measures 5. Response Mitigation of effects, e.g., through infrastructure adaptation, service patching, etc

11 The CAIS Approach III. Decision Making IV. Advice II. Anomaly Detection III. Decision Making II. Anomaly Detection IV. Instruction II. Anomaly Detection II. Anomaly Detection V. Response V. Response I. I. Monitoring I. Monitoring 11 I. Monitoring

12 Advanced Incident Response Cycle Strategic evolution of an ICT infrastructure (green) o o o (1) Simulation of future threats and attacks (2) Planning and deployment of protection mechanisms (6) Periodic updates and maintenance Detection of on-going attacks (red) o o o (3) Anomaly detection (4) Evaluation of potential impact (5) Immediate effect mitigation Application of advanced modeling and simulation techniques

13 Pro-Active Simulation Analyzing the efficiency of deployed defense o Improved monitoring mechanisms o Adaptation of infrastructure o Update of incident response plans Simulation - Input o Updated (=to be) model of infrastructure o Historical contextual data from a verified anomaly/attack or o Expected network data of a potential attack Simulation - Output: o Resilience measure of to-be-model compared to as-is-model Learn about the resilience against potential future attacks (i.e., o Open create vulnerabilities a library of resilience patterns reflecting best practices against specific classes of attacks)

14 Re-Active Simulation Evaluation of potential causes and effects of attacks o Probability that a detected anomaly is actually an attack? o Potential effects on the overall national infrastructure? Simulation - Input o Current infrastructure models (services, dependencies, ) o Current network data (abstract view; including usage, etc.) o Explicit information about detected attacks towards a service Simulation - Output o Potential effects on other services (e.g., cascading effects) Learn more about currently ongoing large-scale attacks to o Support for root cause analysis better predict their impact on other services

15 CAIS Architecture - Organizational II. Anomaly Detection III. Decision Making IV. Instruction I. Monitoring IV. Response Conventional incident response cycle on organizational level Local monitoring of services Local anomaly detection Fast (local) response based on decisions within org. boundaries Local asset management Periodic reporting to cyber defense center (assets, anomalies, attacks)

16 Anomaly detection - local Distributed Log File Discovery Log File Aggregation Date Compression and Event Classification Event Clustering and Fingerprint Creation Compression, Obfusecation, and Reporting Log File Management Features: * Aggregationof varying source formats * Timstamp correction * Data compression Data Analysis Features: * Flexible event classification * Event clustering = fingerprints * Rule-based anomaly detection Reporting Features: * Human-assistance * Report generation * Privacy-aware data handling Collaborative anomaly detection approach Pre-processing of log file data within an organization Used for local event classification and anomaly detection Reporting interface to the national level

17 CAIS Architecture - National II. Anomaly Detection III. Decision Making IV. Advice I. Monitoring IV. Response Collective asset management (abstract level) Holistic simulation and centralized evaluation national situational awareness Complex threat analysis (e.g., distributed attacks) to infer consequences of a single attack (e.g., towards a single point of failure) Simulation of potential future threats to prepare countermeasures Planning coordinated counter measures and facilitating information sharing

18 Anomaly detection - global Scalable Data Collection Data Correlation and Aggregation Threat Simulation and Impact Evaluation National Decision Making Support and Advice Data Aggregation Features: * Scalable massive data collection * History management * Data fusion Simulation and Evaluation Features: * Infrastructure models * Fingerprint evaluation * Agent-based simulation Support and Advice Features: * Decision making * Coordinated notifications * Establishing mutual aid Collaborative anomaly detection approach Aggregation of data from different sources Correlation and data fusion to derive situational awareness info Simulation and prediction of impacts on national CI Feedback to the organizations

19 CAIS Architecture - combined

20 CAIS Roles - Organization Involved roles for fast and effective incident response o Periodically run through O1to O7 Roles and responsibilities designed to fit into most existing organizational structures o Typically there is a 1:n mapping from roles to persons NoC = Network Operating Center

21 CAIS Roles - National Involved roles for longterm strategic evolution of the national ICT infrastructure o o o Periodically run through N1to N11 (N1): reporting from organization (N11): advisory to organization

22 CAIS Roles - Combined Connecting roles on organizational and national level Additionally introduce national asset management (red) o Requesting information about organizational assets on demand, which are relevant for national data analysis and simulation purposes

23 MNE7 Multi-National Experiment 7 Military Experiment in several dimensions o Maritime, Air, Space, Cyber, Inter-Domain Understand./Planning o Participants: AUT, CAN, CHE, DEU, DNK, ESP, FIN, FRA, GBR, HUN, ITA, KOR, NOR, POL, SGP, SWE, TUR, USA, and NATO Each Domain structured in numerous objectives. For the Cyber Domain the objectives are: o Threats, Vulnerabilities and Risk Analysis o Information Sharing o Legal Understanding o Enabling Technologies - Cyber Situational Awareness Standard Operating Procedure (SOP) o Situational Awareness

24 MNE7 Multi-National Experiment 7 Work in context of this SOP includes: Cyber Center Roles and Responsibilities o Cyber Center SA Element o Cyber Center Execution Element o System Operator o Decision Maker Cyber Center SA Process Model o Data Collection Phase o Analysis Phase o Informing Phase Supporting Technologies o Monitoring Techniques o Anomaly Detection o Simulation and Forecast

25 Conclusion Since cyber attacks become increasingly sophisticated and coordinated, there is a strong need to also coordinate defense mechanisms Situational awareness is key to even detect attacks Infrastructure modeling and simulation is a central mechanism for preparation against future threats Close collaboration of all parties in the digital society is mandatory o Private organizations provide status reports about ongoing activities; in turn, they receive information about others in the same domain or having similar infrastructure assets. o Government evaluates the health status of critical infrastructures on a national level, accounting for interdependencies, and predict possible consequences of detected anomalies. Future Work: Currently the implementation of various introduced concepts is on-going. First evaluation results beginning of

26 Cyber Attack Information System Thank you! Questions? Thomas Bleier Dipl.-Ing. MSc zpm CISSP CEH Program Manager ICT Security, Safety & Security Department AIT Austrian Institute of Technology GmbH AIT Austrian Institute of Technology Bundeskanzleramt Österreich Bundesministerium für Landesverteidigung und Sport Bundesministerium für Inneres FH St. Pölten OIIP Österreichisches Institut für Internationale Politik T-Mobile Austria T-Systems Austria NIC.AT / CERT.AT CAIS Konsortium 26