Resilient Architectures
Jeffrey Picciotto
2nd Annual Secure and Resilient Cyber Architectures Workshop
Transformation of Thought

What's most important?
  - CONOPS, use cases, end-to-end flows
  - Prioritize missions
What resources are most important?
  - Identify mission dependencies on cyber
  - Mission impact analysis
What are the risks?
  - Cyber threats and intelligence
  - Cyber threat susceptibility assessment
How to mitigate the risks?
  - Mitigations: cyber risk remediation analysis
  - Engineering practices: security engineering, assurance practices, resiliency practices, anti-tamper, SCRM practices
Desired Outcome

The cyber resiliency foundation we develop and shape is adopted by sponsors so that missions are more assured.

Identify requirements -> Create solutions -> Prove effectiveness
  - Apply the Resiliency Framework: goals, objectives, techniques
  - Bring the community together to work collectively
  - Technology: commercial products, research snapshot, R&D tasks
  - Metrics: cost, performance
  - Use case integration: techniques, operational context
Technology: Commercial Products

111 resiliency vendors surveyed. Products by technical area:
  - Analytic Monitoring 22%
  - Privilege Restriction 14%
  - Redundancy 12%
  - Unpredictability 10%
  - Substantiated Integrity 9%
  - Segmentation 6%
  - Deception 6%
  - Adaptive Response 6%
  - Diversity 5%
  - Dynamic Positioning 5%
  - Non-Persistence 5%
Technology: Research Capabilities

320 publications reviewed, characterized, and analyzed; R&D Snapshot published. Research by technical area:
  - Analytic Monitoring 29%
  - All dynamic categories 14%
  - Metrics 13%
  - Cross-area 13%
  - Substantiated Integrity 11%
  - Adaptive Response 10%
  - Isolation 5%
  - Deception 5%

Research efforts named on the slide: ADDER, MATA-RAMS, CyCS, COMMANDR, IBIP, Labyrinth, SERPENT, Diversity through Virtualization, Crypto Binding.
Metrics

Intended uses: mission understanding, technical understanding, program decision making, compliance checking, assessing vendors.
Stakeholders: operations commander, program manager, cyber defender, operations researcher.

| Type | Metric | How obtained | Approach | Layer |
|------|--------|--------------|----------|-------|
| Perf | Length of time an attacker remains contained in a controlled environment | Red team, observation, analysis | Deception | Cyber resource (system / network) |
| Cost | Dollar and/or LOE cost of integrating diverse components to achieve resiliency | Cost estimation, post hoc analysis | Diversity | Mission node |
| Perf | % of mission essential cyber capabilities for which two or more different instantiations are available | Analysis | Diversity | Service / software |
| Cost | Degree of mission impact due to isolation of elements impeding information flow needed to act in a timely manner | Observation / post hoc analysis | Segmentation | Mission process |
| Perf | % of data value assertions in a mission essential data store for which a gold copy exists | Analysis | Substantiated Integrity | Information asset |
Practical Options

Reviewed current technology options, assessed their viability today, and documented them as near-, mid-, and long-term options.

Coordinated Defense
  - Near term (<3 years): use of a defense-in-depth strategy within the organization
  - Mid term (3-5 years): systematic process to identify dependencies and interactions among cyber defenses
  - Long term (>5 years): automated identification of conflicts and dependencies among defenses
Deception
  - Near term: honeypots (low interaction, based on commonly requested attacker services)
  - Mid term: honeynets (a network of honeypots intended to imitate the activities of a real system)
  - Long term: honeynets and virtualization used to run deception nets that respond dynamically to adversary actions
Diversity
  - Near term: different browsers on operating systems (OSs)
  - Mid term: different protocols / communications diversity (e.g., over time, space, frequency)
  - Long term: dynamically employ different OSs and applications on laptops, desktops, and servers
Non-Persistence
  - Near term: desktop virtualization
  - Mid term: applying virtualization to stateful services (e.g., Active Directory, routers)
  - Long term: non-persistence (media/device sanitization, or data transformation via encryption) for smartphones and tablets
Privilege Restriction
  - Near term: removal of admin rights from end users on their own machines
  - Mid term: separate processing domains based on privilege
  - Long term: dynamic escalation of privilege restrictions based on indications of adversary activity
Framework Application

Data products: data products catalog, data products user, server.

| Goal | Objective | Technique | Technology | Metric |
|------|-----------|-----------|------------|--------|
| Withstand | Constrain | Deception | Deception network | |
| Withstand | Constrain | Segmentation | Hardware trusted path | |
| Withstand | Constrain | Privilege Restriction | Fine-grained controls | |
| Recover | Reconstitute | Redundancy | RIAK multi-cloud storage | |
| Withstand | Continue | Substantiated Integrity | Crypto bindings | |
Use Case Integration

[Diagram: an analyst retrieves mission data products (DP) through a data retrieval application backed by a DP metadata catalog; the Transformation of Thought questions from slide 2 and the resiliency goals, objectives, and techniques are overlaid on the flow. Numbered capabilities in the diagram:]
  1. FIDELIS (Analytic Monitoring)
  2. Active Dynamic Defense (Adaptive Response)
  3. Non-persistence
  4. Deception network (Deception) and fine-grained controls (Privilege Restriction)
  5. COMMANDR (Coordinated Defense)
  7. Cryptographic hash (Substantiated Integrity)
  8. CyCS security-aware diversity through virtualization (Diversity)
  9. RIAK (Redundancy)
  10. Hardware trusted path (Segmentation)

Goals and objectives exercised: Withstand -> Constrain; Recover -> Reconstitute. Also labelled: Mission Assurance through Availability Engineering. Resiliency techniques listed: Analytic Monitoring, Adaptive Response, Redundancy, Substantiated Integrity, Deception, Coordinated Defense, Dynamic Representation, Dynamic Positioning, Unpredictability, Realignment, Segmentation, Diversity, Privilege Restriction, Non-Persistence.
A Resilient Architecture

[Diagram: the demonstration architecture. Infrastructure shown: DIB ESXi servers, a firewall, an adversary VM, MITRE infrastructure, and Amazon. Capabilities deployed across it: LABYRINTH, FIDELIS, ADDER, RIAK, MATA, IBIP, SADV, SERPENT, ROCS, CyCS, COMMANDR.]
Demonstration

[Diagram: demonstration roles: CyOC operator, resiliency operators, analyst, adversary.]
SIMEX: Cyber Resiliency Simulation Experiment

The Cyber Resiliency SIMEX examined the tools, concepts, and CONOPS/TTPs necessary to manage and conduct defensive cyber operations in support of mission operations.

Joint surface warfare scenario. Participants and cells: Carrier Strike Group (IWC, BWC, Intel Officer, Targeting Officer, ISR LNO, GCCS-J), White Cell, Regional Cyber Command Center, EXCON (SIM Lead, Red Lead, Data Collection Lead), DGO, DCO.
Sample Cyber SIMEX Day

Injects:
  - Denial of service based on a router vulnerability
  - Loss of integrity: pre-planted malware activates on the target system

Before resiliency capabilities:
  - Use redundant routers
  - Shut down file servers
  - Turn off user privileges

After architecting for resiliency and enabling the capabilities:
  - Dynamically position diverse routers (Diversity)
  - Recognize the integrity loss and switch over to a redundant capability (Substantiated Integrity, Redundancy)
  - Redirect potential C2 (Deception / dynamic redirection)
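The loss-of-integrity response above (recognize the loss, switch to a redundant copy) and the two slide 6 metrics on gold copies and diverse instantiations, as an added Python example that is not from the workshop deck or from any of the named tools (RIAK, Crypto Binding, etc.). The binding key, record ids, store names, and record values are constructed for illustration; a real deployment would keep the key in a separate trust domain from the data store.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Hypothetical binding key, constructed for this example. It must be held
# outside the data store it protects: malware that can rewrite records AND
# read the key could simply rebind the tampered record.
BINDING_KEY = b"demo-key-held-in-a-separate-trust-domain"


class IntegrityError(Exception):
    """No instantiation of the requested record could be verified."""


def bind(record_id: str, value: bytes, key: bytes = BINDING_KEY) -> str:
    """Crypto binding of a record id to its content: HMAC-SHA256(id || 0x00 || value).
    Binding the id stops an attacker from swapping two validly bound records."""
    return hmac.new(key, record_id.encode() + b"\x00" + value, hashlib.sha256).hexdigest()


def make_gold_catalog(trusted: Dict[str, bytes]) -> Dict[str, str]:
    """Gold copy: record id -> binding, computed once from trusted data at ingest."""
    return {rid: bind(rid, value) for rid, value in trusted.items()}


class DataStore:
    """One instantiation of a mission data store (primary, replica, cloud copy)."""

    def __init__(self, name: str, records: Dict[str, bytes]):
        self.name = name
        self.records = dict(records)

    def get(self, record_id: str) -> Optional[bytes]:
        return self.records.get(record_id)


def verify(store: DataStore, catalog: Dict[str, str], record_id: str) -> bool:
    """Substantiated integrity check of one record in one store."""
    value = store.get(record_id)
    expected = catalog.get(record_id)
    if value is None or expected is None:
        return False
    return hmac.compare_digest(bind(record_id, value), expected)


def retrieve(record_id: str, catalog: Dict[str, str], stores: List[DataStore],
             events: Optional[List[str]] = None) -> Tuple[bytes, str]:
    """Serve the first store whose copy verifies; fail over on integrity loss.
    Every failed check is recorded in `events` so monitoring sees the loss,
    not only the silent switch-over."""
    for store in stores:
        if verify(store, catalog, record_id):
            return store.get(record_id), store.name
        if events is not None:
            events.append(f"integrity loss: {record_id} on {store.name}")
    raise IntegrityError(f"no verifiable instantiation of {record_id}")


def gold_copy_coverage(catalog: Dict[str, str], essential_ids: List[str]) -> float:
    """Slide 6 metric: % of mission essential data assertions that have a gold copy."""
    if not essential_ids:
        return 0.0
    return 100.0 * sum(1 for rid in essential_ids if rid in catalog) / len(essential_ids)


def instantiation_diversity(capabilities: Dict[str, List[str]]) -> float:
    """Slide 6 metric: % of mission essential capabilities with two or more
    *different* instantiations. Two copies of the same product are redundancy,
    not diversity, so duplicates are collapsed with set()."""
    if not capabilities:
        return 0.0
    diverse = sum(1 for impls in capabilities.values() if len(set(impls)) >= 2)
    return 100.0 * diverse / len(capabilities)


def run_scenario() -> dict:
    """Constructed inject: malware rewrites one record in the primary store."""
    trusted = {
        "track-101": b"lat=36.8,lon=-76.3,cls=friendly",
        "track-102": b"lat=37.1,lon=-75.9,cls=hostile",
        "weather-7": b"sea_state=3,vis_nm=8",
    }
    catalog = make_gold_catalog(trusted)
    primary = DataStore("primary", trusted)
    replica = DataStore("replica", trusted)  # redundant instantiation
    primary.records["track-102"] = b"lat=37.1,lon=-75.9,cls=friendly"  # tampered

    events: List[str] = []
    stores = [primary, replica]
    _, src_101 = retrieve("track-101", catalog, stores, events)
    value_102, src_102 = retrieve("track-102", catalog, stores, events)
    essential = ["track-101", "track-102", "weather-7", "orders-3"]  # orders-3: no gold copy
    capabilities = {
        "data store": ["primary", "replica"],   # same product twice: redundant, not diverse
        "router": ["vendor-a", "vendor-b"],
        "browser": ["firefox", "chrome"],
        "dns": ["bind"],
    }
    return {
        "src_101": src_101,
        "src_102": src_102,
        "value_102": value_102,
        "events": events,
        "coverage": gold_copy_coverage(catalog, essential),
        "diversity": instantiation_diversity(capabilities),
    }


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key}: {val}")
```

The tampered record is served from the replica while the primary's failure is logged for the analytic-monitoring side; the two metric functions give 75% gold-copy coverage (orders-3 has none) and 75% instantiation diversity (dns has a single instantiation). Whether the "data store" entry counts as diverse depends on whether primary and replica are different products, which is exactly the distinction the slide 6 metric draws.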
Findings

  - Resiliency comes from integrating techniques tailored to mission priorities, threats, and vulnerabilities.
  - TTPs are needed to coordinate across CND and mission operators so that cyber attacks can be distinguished from other events.
  - Resiliency engineering requires a team: mission operators, CND operators, and system engineers/architects.
  - Few resiliency capabilities are deployed, and there are no C2 or SA tools.
  - We lack trainers, models, and simulators for cyber operators.
Need

  - Increased adoption
  - Solutions for current and future architectures
  - Evidence that it works in real-world environments
  - Transfer of knowledge and solutions across the community