Supply Chain Information Exchange: Non-conforming & Authentic Components

Similar documents
Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Cybersecurity in Acquisition

Enabling Distributed Event Management: Interoperability for Automated Response and Prevention. Sean Barnum George Saylor Aug 2011

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyberattack Analysis and Information Sharing in the U.S.

Implementing Executive Order and Presidential Policy Directive 21

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview

CYBER SECURITY OPERATION CENTER (CSOC)

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO Kristen Baldwin, OUSD(AT&L)/DS

Engineering Improvement in Software Assurance: A Landscape Framework

Secure Development Lifecycle

Protocols for exchange of cyber security information

Cyber Threat Intelligence Sharing Standards

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.

The Perfect Storm Cyber RDT&E

Software Assurance Ecosystem Knowledge Architecture. 1 Wednesday, December 31, 2008

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Supply Chain Integrity and Security Assurance for ICT. Mats Nilsson

The UK s National Cyber Security Strategy

DHS Cybersecurity: Services for State and Local Officials. February 2017

Featured Articles II Security Research and Development Research and Development of Advanced Security Technology

Cybersecurity Technical Risk Indicators:

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Cyber Resilience. Think18. Felicity March IBM Corporation

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

The NIST Cybersecurity Framework

Industry role moving forward

SHARKSEER Zero Day Net Defense. Ronald Nielson Technical Director

Building an Assurance Foundation for 21 st Century Information Systems and Networks

RSA NetWitness Suite Respond in Minutes, Not Months

Cyber Partnership Blueprint: An Outline

align security instill confidence

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Engineering Your Software For Attack

IEEE Sec Dev Conference

MAKING SECURITY MEASURABLE AND MANAGEABLE

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ENISA EU Threat Landscape

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Seagate Supply Chain Standards and Operational Systems

TEL2813/IS2621 Security Management

European Union Agency for Network and Information Security

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

RiskSense Attack Surface Validation for IoT Systems

Nebraska CERT Conference

Threat Modeling and Sharing

What can an Acquirer do to prevent developers from make dangerous software errors? OWASP AppSec DC 2012 April 5, 2012

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Cybersecurity Overview

The Office of Infrastructure Protection

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Systems Security Engineering: A Framework to Protect Hardware Down to the Last Tactical Inch

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

COUNTERING IMPROVISED EXPLOSIVE DEVICES

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

FAA Cybersecurity Test Facility (CyTF) By: Enterprise Information Security Team ANG-B31 Patrick Hyle, William J Hughes Technical Center

Building a Resilient Security Posture for Effective Breach Prevention

PIPELINE SECURITY An Overview of TSA Programs

Appendix 12 Risk Assessment Plan

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

Security Solutions. Overview. Business Needs

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams

Cybersecurity Risk Management:

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Modern Cyber Defense with Automated Real-Time Response: A Standards Update

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Acquisition and Intelligence Community Collaboration

Achieving DoD Software Assurance (SwA)

Appendix 12 Risk Assessment Plan

Cyber Security & Homeland Security:

NEN The Education Network

Security by Default: Enabling Transformation Through Cyber Resilience

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Defense Engineering Excellence

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

IBM Future of Work Forum

Building Secure Systems

Control Systems Cyber Security Awareness

SIEM Solutions from McAfee

Enhancing the cyber security &

Department of Management Services REQUEST FOR INFORMATION

Protecting your next investment: The importance of cybersecurity due diligence

Framework for Improving Critical Infrastructure Cybersecurity

DEFENSE LOGISTICS AGENCY

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Transcription:

Supply Chain Information Exchange: Non-conforming & Authentic Components Joe Jarzombek Director for Software and Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience

Agenda Purpose Overview Community of Interest Environment Opportunities Methodology Leveraging Structured Representations to Support Consistency and Automation Next Steps 2

Purpose Elicit Stakeholder Collaboration for Security Automation efforts associated with Supply Chain Risk Management: Standardize taxonomies for component conformance to specifications and authenticity Develop standard information sharing mechanisms, such as a Supply Chain Observable expression language and associated data dictionary 3

Overview The USG and industry partners are working toward solutions to reduce counterfeit information and communications technology (ICT) supply chain risks. The USG and industry partners need a scalable means to report and detect ICT supply chain risks attributable to counterfeits, defects, and tainted components (i.e. non-conforming components/parts). Existing structured representations can be leveraged to support consistency and automation of reporting and detecting nonconforming components/parts. 4

Community of Interest There are multiple government, industry, and associations who are engaged in counterfeit taxonomies and anti-counterfeiting, at large. Below are a sample of said entities: Government MDA DLA FAA US Navy US Army CBP ICE and many others Industry SMT BAE Honeywell American Electronic Resource Academia and Associations Center For Hardware Assurance and Security Engineering (CHASE) SAE CALCE University of Maryland ERAI AIA IDEA 5

Community of Interest (example) CHASE strives to unite commercial, academic and government expertise to enhance the nation s hardware assurance and security. Their current and past project sponsors include: Industry Government 6

Community of Interest What communities have databases for identifying non-conformant components? Government-Industry Data Exchange Program (GIDEP): Cooperative activity between USG and industry participants to reduce resource expenditures by sharing technical information. Joint Deficiency Reporting System (JDRS): Cross-service, webenabled automated tracking system across the Aeronautical Enterprise. designed to initiate, process and track deficiency reports from the Warfighter through the investigation process. ERAI, Inc: Privately held global information services organization that monitors, investigates and reports issues affecting the global semiconductor supply chain. Product Data Reporting and Evaluation Program (PDREP): Product Quality Deficiency Report for the Department of the Navy. Suspected Unapproved Parts (SUP) Program: Used by the Federal Aviation Administration (FAA). 7

Community of Interest What entities currently have counterfeit taxonomies? University of Connecticut Center for Hardware Assurance, Security, and Engineering (CHASE) SAE Standards AS5553 Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Department of the Navy s Product Data Reporting and Evaluation Program (PDREP) Product Quality Deficiency Report Department of Energy Annual Counterfeit Report 8

Environment Departments and Agencies (D/A s) counterfeit management programs vary in approach and maturity. There are a number of counterfeit databases that are not used to their fullest potential (e.g., GIDEP). Various definitions and characterization of counterfeits across the USG complicates the issue (e.g., many quality assurance procedures reflect existing counterfeit standards, but are not explicitly counterfeit guidance). The level of sophistication for testing counterfeits varies across D/As. The verification of data entered into counterfeit databases and confidence level for testing techniques are unclear. Not all D/A s approaches to counterfeits have uniform reporting procedures. The majority of D/As may prioritize the inspection of suspect counterfeit items based on factors that include mission criticality. 9

Opportunities Need for a common language for communicating and interacting within the USG (among D/A s) and with industry Need for sharing information on authentic components Facilitates research into and detection of non-conforming items Need for sharing information on non-conforming components Ability to create repository of searchable data for identification, trend analysis, etc. Need to reduce test cost and time Ability to reduce the cost of testing, reporting, and maintaining counterfeit-free components Need to encourage OCM-level anti-counterfeiting techniques Most economical method to add track and trace capability to a chip Need to establish mechanisms and test flows to benchmark the testing techniques and counterfeit ICs 10

Methodology Taxonomy for Conforming & Non-Conforming Components/Parts Catalogue Methods for Detection, Testing, and Anti-Counterfeiting Build Taxonomies for determining: Authentic components Counterfeit components Defective components Tainted components containing malware (MAEC, exploitable weaknesses (CWE), and known vulnerabilities (CVE) Define Observables Leverage existing structured representations to scale detection & reporting of counterfeits COUNTERFEIT Exploitable weakness AUTHENTIC Unpatched Vulnerability TAINTED Malware Malware (MAEC), CWE, CVE Unpatched Vulnerability Exploitable weakness DEFECTIVE Components can become tainted intentionally or unintentionally throughout the supply chain, SDLC, and in Ops & sustainment *Text demonstrates examples of overlap

Leveraging Structured Representations to Support Consistency and Automation After defining observables for each type of non-conformant component (including defective and tainted components), the following enumerations, languages, and schemas would be used to specify extensions that cover counterfeits, authentic components, and defects. These enumerations include: CVE to reference vulnerabilities in defective or tainted components (http://cve.mitre.org/) CWE to represent weaknesses leading to defective or tainted components ( http://cwe.mitre.org/) MAEC to represent characterization of malicious logic in tainted components ( http://maec.mitre.org/) CAPEC to represent approaches in the Counterfeiting taxonomy (http://capec.mitre.org/) CybOX to represent observable characteristics for detection/determination of nonconformant components (http://cybox.mitre.org/) STIX to represent non-conformant patterns, Anti-counterfeiting approaches and other threat context (http://stix.mitre.org/ TAXII to enable sharing of actionable cyber threat information across organization and product/service boundaries (http://taxii.mitre.org/) 12

Next Steps In moving forward, need to leverage support from engaged stakeholders and harmonize existing counterfeit taxonomies to ensure automation efforts align with industry, academia, and government-wide approaches. Formalize taxonomies for conforming and non-conforming parts Build and maintain catalogue of detection & anti-counterfeiting methods and establish mechanisms and test flows to benchmark techniques Test ability to create automated tools for observables and identify gaps in existing enumerations and languages Specify extensions that covers counterfeits, authentic components, and defects Specify relevant data dictionaries to serve as clear description of the expressivity needed (including identifying and filling the gaps between CybOX and SCOX). Ensure XXXX-as-a-Service supply chain risks are addressed in moving to the Cloud for software, IT, platform, communications and data services Ensure automation efforts reduce test cost and time 13

Background 15

Leveraging Structured Representations to Support Consistency and Automation Common Attack Pattern Enumeration and Classification (CAPEC) Community effort targeted at: Standardizing the capture and description of attack patterns Collecting known attack patterns into an integrated enumeration that can be consistently and effectively leveraged by the community Gives you an attacker s perspective you may not have on your own Where is CAPEC today? http://capec.mitre.org Currently 386 patterns, stubs, named attacks 2012 The MITRE Corporation. All rights reserved.

Leveraging Structured Representations to Support Consistency and Automation Common Attack Pattern Enumeration and Classification (CAPEC) The CAPEC structure can be used to characterize common approaches to counterfeiting and tainting. Can represent attacker behavior, observables, skills or resources required, mitigations, etc. For example, in the draft Counterfeit Taxonomy the Counterfeit/ Alteration/Inserted Malware entry already has a brief CAPEC pattern (CAPEC-441 Malicious Logic Inserted Into Product). Current CAPEC Supply Chain Attack taxonomy could easily be modified with the results of the taxonomy work here to refine and extend its value to anti-counterfeiting and SCRM. 17

Leveraging Structured Representations to Support Consistency and Automation Cyber Observable expression (CybOX) 18 Cyber Observable expression (CybOX) is a standardized language for encoding and communicating information about cyber observables ( http://cybox.mitre.org) A measurable event or stateful property in the cyber domain Some measurable events: a registry key is created, a file is deleted, an http GET is received, Some stateful properties: MD5 hash of a file, value of a registry key, existence of a mutex, CybOX provides Expressivity: Very flexible -- can express both instances and patterns Large number of objects defined and is user-extensible Each object has a rich set of (optional) properties Object patterns can be expressed as arbitrary Boolean expressions using AND, OR, NOT and at the field level with a range of patterning conditions 2013 The MITRE Corporation. All rights reserved

Leveraging Structured Representations to Support Consistency and Automation Cyber Observable expression (CybOX) CybOX can be leveraged to explicitly specify the observable patterns for what counterfeit and what real look like These patterns could then be used within Indicators of what to look for and as adornments to relevant CAPEC attack patterns CybOX can also be used to capture actual instantial observations of observable properties This could support the capture of test/inspection results Capturing the patterns and the instantial results in the same language simplifies the ability to match against the patterns 19

Leveraging Structured Representations to Support Consistency and Automation Cyber Observable expression (CybOX) for SCRM/Anti-Counterfeiting CybOX currently contains ~80 defined Objects including objects that can convey some of the relevant properties (Product, Device, etc.) for the SCRM/Anti-Counterfeiting use cases The core of CybOX is built to provide basic observable expressivity independent of specific Objects or Actions. Because of this, it can easily be extended with new Objects or Actions CybOX is/will continue to be primarily focused on Cyber Domain This does not mean that it can not be leveraged as a basis for other domain-specific representations CybOX is a common schema shared among MAEC (for Malware), CAPEC (for Attack Patterns), CEE (Events), and Digital Forensics The SCRM/Anti-Counterfeiting community could define its own domainspecific language based on CybOX to enable characterization of all relevant observable properties 20

Leveraging Structured Representations to Support Consistency and Automation Cyber Observable expression (CybOX) for SCRM/Anti-Counterfeiting The CybOX Product Object currently captures Name, Vendor, Version, Edition, etc. The CybOX Device Object currently captures Manufacturer, Model, Serial Number, etc. A wide range of other Objects cover much of the digital landscape. SCRM-specific Object could easily derive from these objects and add structures for characterizing things like packaging, anti-tamper, hardware-specific properties, etc. New Objects could also be created for non-cybox, SCRM-specific constructs like Chip, Circuit, Boards, etc. 21

Leveraging Structured Representations to Support Consistency and Automation Structured Threat Information expression (STIX ) Structured Threat Information expression (STIX ) is a collaborative communitydriven effort to define and develop a standardized language to represent structured cyber threat information. See http://stix.mitre.org/ The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community. It is NOT a sharing program, database, or tool but supports all of those uses and more Trusted Automated exchange of Indicator Information (TAXII ) is the main transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner. Supports Clear understandings of cyber threat information Consistent expression of threat information Automated processing based on collected intelligence Advance the state of practice in threat analytics

23

Leveraging Structured Representations to Support Consistency and Automation Structured Threat Information expression (STIX ) Leveraging Indicators to represent targeted patterns of concern (i.e. what to look for) Leveraging CVE & CWE within Exploit Targets to convey underlying issues in processes and products Leveraging CAPEC within TTP to convey counterfeiting and tainting approaches and give context to Indicators Leveraging Incidents to characterize instances of counterfeiting/tainting Leveraging Threat Actors to convey parties doing counterfeiting and tainting Leveraging Courses of Action to convey anti-counterfeiting approaches and taint/defect mitigations 24

Leveraging Structured Representations to Support Consistency and Automation Structured Threat Information expression (STIX ) Usage Example for SCRM Incident Acme router found with counterfeit/altered malware-injected OS code Indicator Immediately deploy Indicators with pattern for specific hash of the OS code COA Test all such deployed routers for the Indicators Remove all tainted routers from operations and submit for forensic analysis Investigate supply chain provenance to detect how code was injected TTP CAPEC-447: Malicious Logic Insertion into Product Software during Update Exploit Target CWE-494: Download of Code Without Integrity Check 25

Leveraging Structured Representations to Support Consistency and Automation Structured Threat Information expression (STIX ) Usage Example for SCRM COA Integrate integrity check into router software update process Threat Actor Through forensic/incident analysis a commercial proxy for a certain nation state is identified as the culprit Campaign Through cross-incident and TTP analysis, a campaign is discovered with this Threat Actor using similar TTP to target a particular set of victims on not limited to Acme routers Indicator More general Indicators are developed and deployed to targeted victims that are not specific to the particular Acme tainting 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback