Cyber Resiliency & Agility Call to Action

Transcription

1 Cyber Resiliency & Agility Call to Action MITRE Resiliency Workshop May 31, 2012 Suzanne Hassell Engineering Fellow Raytheon Network Centric Systems Copyright 2012 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.

2

3 Cyber Resiliency/Agility Purpose and Goals Surviving the Persistent IO Threat We should assume that the attackers have invaded our network and we may not detect them. Global monoculture has created a vast attack target for exploiting. Ill-defined Network Perimeters Ensure Mission Survival in a Cyber Compromised Environment 5/29/2012 3

4 Agenda The Cyber S&T Vision for Resiliency and Agility Resiliency and Agility Purpose and Goals Resiliency and Agility Techniques Examples of Resiliency Techniques Metrics Recommendations 5/29/2012 4

5 References to: 5/29/2012 5

6 5/29/2012 6

7 5/29/2012 7

8 Cyber Resiliency/Agility Purpose and Goals Advanced Persistent Threats Insider Threats Supply Chain Compromise Unpatched Vulnerabilities Goal: Work Factor Ratio Minimize the magnitude of the attacker s effect, survive Increase cost to the attacker Increase the uncertainty that the attack was successful Increase chance of detection and attribution Ensure Mission Survival in a Cyber Compromised Environment 5/29/2012 8

9 Key Resilience/Agility Techniques Harriet Goldman, MITRE at the Secure and Resilient Cyber Architectures Workshop Oct 29, 2010 with some modifications Adaptive Containment Cyber Modeling Deception Detection Distributedness Diversity Integrity Isolation Least Privilege Monitoring Cyber Maneuver Non Persistence Precedence The Nature of Cyber Agility is: Proactive as well as Responsive Centralized, Distributed and Autonomous Prioritization Pro-active Randomness and unpredictability Reconstitution Redundancy Leverage Techniques from Continuity of Operations, Safety, Networking, Anti-Tamper, Virtualization 5/29/2012 9

10 Examples of Resiliency Techniques The following slides cover some areas of research, products or programs that illustrate various resiliency techniques. 5/29/

11 Agility Cyber Maneuver and Deception Layers Maneuver services are centralized, distributed or autonomous OPS Maneuver Service Maneuver App Maneuver Session Maneuver Network Maneuver Link Maneuver Physical Maneuver Fake Mission Operations Fake Service Components Fake Applications Fake Sessions Fake Addresses/Ports Fake Ports/Protocols Fake Components Network Maneuver Commander Agility At All Layers! 5/29/

12 Be a Moving Target Net Maneuver Proactive maneuvering of network elements to evade attacks. Does not wait until attack is detected think frequency hopping radio for networks. Increases cost to the attacker Increases the uncertainty that the attack was successful Diversity by maneuvering across platform, hypervisors, operating systems, networks Increases chance of detection and attribution Reconstitution removes Malware. Honey Net for deception and monitoring of attackers. Open architecture - easy to add support for additional network elements. Cyber Maneuver, Proactive, Deception, Diversity, Reconstitution, Randomness 5/29/2012

13 Network Maneuver Commander Proactive, Random Maneuvering of Network Elements Net Maneuver Commander (NMC) Architecture Collection of loosely coupled services Orchestrated via Enterprise Service Bus Generic plug-in framework to support new applications For additional details, please refer to Using Cyber Maneuver to Improve Network Resiliency, in the MILCOM 2011 Proceedings

14 Reactive and Pre-emptive 5/29/

15 Net Maneuver Effect on OODA Loop Observe, Orient, Decide and Act

16 Reduce Your Attack Surface Security Blanket Automatically locks down the operating system, significantly reducing the opportunity for malware to enter and propagate. Harden Operating System Restrict user access Configure security settings Disable unnecessary services and protocols Output is DISA STIG Compliant Trusted Thin Client Provides one access point for multiple classification levels. Eliminates the need for cabled connections to each classified network across multiple desktop systems. Reduces desktop hardware and power No data stored locally read only Flexible implementations Thin client hardware Software only virtual machine Utilizes existing workstations For users requiring resource intensive applications and access to lower level networks Accredited solution, widely deployed Containment, Integrity 5/29/2012

17 Trust, But Verify Your Own SureView Insider threat detection and evidence gathering based on proven rule sets and behaviors. Detect policy violations, compliance incidents or malicious acts DVR replay plays back what the user was actually doing before, during, and after the flagged incident Measure the effectiveness of business processes and policy Monitor every vector of communication Accredited solution, widely deployed Adaptive, Containment, Detection, Proactive, Isolation 5/29/2012

18 Find and Disable the Infiltrator RShield Analyzes , attachments and embedded URLs at line speeds by rapidly and seamlessly routing them to virtualized detection farms where they are opened and observed inside a sophisticated, unique and proprietary virtual environment. Intercepts after spam filtering and anti-virus Looks for unauthorized or unexpected behavior that indicates malware Scales to run at line speeds Within Raytheon, many targeted spear phishing attempts detected targeting many users Adaptive, Detection, Monitoring, Deception, Isolation, Proactive 5/29/2012

19 Importance of Resiliency/Agility Metrics Metrics must be used to evaluate the agility and resiliency of systems and networks. Tools used for evaluation of Resilient architectures will support these metrics. Metrics Are Key to Resiliency and Agility Strategy 5/29/

20 5/29/

21 Example Metrics for Cyber Maneuver Evaluation Basis for many metrics is Time Metrics on Attacks Percent of successful attacks Percent of partially successful attacks Time spent per phase Duration of successful attack Metrics on Defenses Mean number of attack disruptions Defense factor Defensive efficiency For additional details of these metrics, please refer to Measurement, Identification and Calculation of Cyber Defense Metrics in the MILCOM 2010 Proceedings 21

22 Analysis of Results Example: Defense Factor Defense Factor = ratio of Attack Execution to Defense Action As Defense Actions become faster, Attack Success drops off Example: Network Size Varying network size (i.e., number of host nodes) For a malicious attack, network size has no appreciable effect 22

23 Cyber Analysis Modeling Evaluation for Operations CAMEO

24 Summary - Call to Action The vision for Resiliency and Agility has been set forth in the Cyber S&T Roadmap Requirements for Resiliency and Agility are Coming! Not just cyber products, although deploying them can help All systems and networks need the appropriate level of cyber agility and resiliency capabilities architecture framework, toolkits and processes including modeling and simulation Must be measurable metrics are crucial! Collaboration amongst Government, Industry and Academia 5/29/