
Preliminary System Dynamics Maps of the Insider Outsider Cyber-threat Problems Vr. 1.0



Presentation Transcript


    1. Preliminary System Dynamics Maps of the Insider & Outsider Cyber-threat Problems Vr. 1.0 A Presentation of Main Products from System Dynamics Modeling for Information Security: A Group Modeling Workshop February 16-20, 2004 at SEI/CERT, Pittsburgh, PA

    2. The Initiative In February 2004 Agder University College, CERT Coordination Center/SEI, CMU and TECNUN, University of Navarra organized the second workshop on system dynamics and cyber security. The event was sponsored by CyLab and hosted by CERT Coordination Center/SEI (both Carnegie Mellon University, Pittsburgh, PA). The workshop built on and extended experiences and procedures from the first workshop on system dynamics and security, held at Agder University College, Norway, in February 2003. A new dimension of the second workshop was the involvement of both system dynamics modelers and problem owners (represented by CERT/CC).

    3. Objectives of the Workshop
       - Develop preliminary system dynamics models of the insider and outsider threat problem.
       - Assess if it is feasible to develop system dynamics models for insider & outsider threat that will be useful to all organizations, or at least all organizations within a single critical infrastructure sector. Note: “Feasibility” implies more than just being able to identify causal structure, stocks and flows and relevant data: models must build on aggregate data that completely respect the confidentiality constraints regulating the relations of CERT/CC with clients and all reporting organizations.
       - Identify additional data on the problem that is unknown or unavailable, but needed for future progress on this problem.
       - Investigate possible collaborations for longer-term work to propose to prospective sponsors.

    4. Modeling the Insider Threat
       For methods and procedure, cf. the complementing presentation “Using System Dynamics and Group Model Building to Support Cyber-security Research”.
       Products:
       - Stakeholder analysis
       - Policy levers and clusters
       - Raw reference modes
       - Hypothesizing dynamic mechanisms
       - System dynamics models

    5. Stakeholder Analysis

    6. Policy Levers and Clusters

    7. List of Raw Reference Modes

    8. Diagrams of Raw Reference Modes

    9. Hypothesizing Dynamic Mechanisms
       - Management: systematic under-investment; the detection trap
       - Organizational learning: learning from incidents; learning from detected events; learning via formal audits
       - Trust: main effects of trust are good; the trust trap

    10. System Dynamics Models
       - Learning from experience, audits and detection
       - Growth of motive
       - Trust and deterrence

    11. Learning from Experience, Audits and Detection

    12. Growth of Motive

    13. Trust and Deterrence

    14. Two Stories Why Smart Managers Can Make Unsmart Security Decisions
       - Systematic under-investment
       - The detection trap

    15. Three Stories About Organizational Learning
       - Learning from incidents
       - Learning from detected events
       - Learning via formal audits

    16. Seven Stories About How Focal Actors Do Their Work
       - Unknowable motives trigger complex patterns of events
       - Unobserved emboldment
       - Dynamic triggers
       - Repeated attacks
       - Disabling detection as an attack strategy
       - Deterrence
       - Supportive culture
       Here are the seven stories: Unknowable motives can trigger an initial motivation to attack, increasing the focal actor’s risk tolerance and predisposition to commit precursor events. Left undetected, precursor events reduce a focal actor’s perception of risk. In turn, reduced perceptions of risk lead to additional precursor events. This reinforcing cycle of emboldment can be unobservable by management (absent detection of precursor events; see the detection trap loop).
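The emboldment story above is a feedback loop, and the slide's own caveat (the loop is invisible to management unless precursor events are detected) is its policy lever. The following is an added toy stock-and-flow simulation written for this page, not a model produced at the workshop; the class and parameter names (EmboldmentParams, detection_fraction, emboldment_gain, deterrence_gain, and so on) and every numeric value are assumptions chosen for illustration, not data. It integrates the loop with a simple Euler step and derives the detection fraction at which the loop flips from reinforcing (emboldment) to balancing (deterrence).

```python
"""Stock-and-flow sketch of the 'unobserved emboldment' loop from slide 16.

Added illustration for this page, not a model from the workshop. Every
parameter value below is an assumption chosen for demonstration, not data.
"""
from collections import namedtuple
from dataclasses import dataclass

Step = namedtuple("Step", "t precursor_rate perceived_risk detected undetected")


@dataclass
class EmboldmentParams:
    initial_motivation: float = 0.2     # assumed: the 'unknowable motive' trigger
    max_rate: float = 1.0               # assumed: precursor events per period at zero perceived risk
    detection_fraction: float = 0.1     # share of precursor events management detects
    emboldment_gain: float = 0.15       # assumed: drop in perceived risk per undetected event
    deterrence_gain: float = 0.5        # assumed: rise in perceived risk per detected event
    initial_perceived_risk: float = 0.8


def simulate_emboldment(p: EmboldmentParams, periods: int = 40, dt: float = 1.0):
    """Euler-integrate: precursor events -> (undetected) -> lower perceived risk -> more events."""
    risk = p.initial_perceived_risk
    detected = undetected = 0.0
    history = []
    for t in range(periods):
        # Predisposition to commit precursor events grows as perceived risk falls.
        rate = p.max_rate * p.initial_motivation * (1.0 - risk)
        events = rate * dt
        det = events * p.detection_fraction
        undet = events - det
        # Undetected events embolden the actor (risk falls); detected ones deter (risk rises).
        risk += -p.emboldment_gain * undet + p.deterrence_gain * det
        risk = min(1.0, max(0.0, risk))
        detected += det
        undetected += undet
        history.append(Step(t, rate, risk, detected, undetected))
    return history


def detection_threshold(p: EmboldmentParams) -> float:
    """Detection fraction at which the per-event effect on perceived risk changes sign.

    Below it the loop is reinforcing (emboldment); above it, balancing (deterrence).
    Solves -g_e * (1 - d) + g_d * d = 0 for d.
    """
    return p.emboldment_gain / (p.emboldment_gain + p.deterrence_gain)


def loop_is_reinforcing(p: EmboldmentParams) -> bool:
    return p.detection_fraction < detection_threshold(p)


if __name__ == "__main__":
    for d in (0.1, 0.4):
        run = simulate_emboldment(EmboldmentParams(detection_fraction=d))
        print(f"detection={d:.0%} (threshold {detection_threshold(EmboldmentParams()):.2f}): "
              f"precursor rate {run[0].precursor_rate:.3f} -> {run[-1].precursor_rate:.3f}, "
              f"perceived risk {run[0].perceived_risk:.2f} -> {run[-1].perceived_risk:.2f}")
```

With the assumed gains the threshold is about 23%: below that detection fraction each undetected event lowers perceived risk faster than the occasional detected one raises it, so the precursor rate climbs and management sees almost nothing, which is the detection trap. Above it the same loop turns balancing and the rate decays. The point of the exercise is the structure, not the numbers; a calibrated version would need the aggregate incident data the workshop identifies as missing.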

    17. Two Stories About Trust as a Double-edged Sword
       - Main effects of trust are good
       - The trust trap

    18. What’s Not Here (But Should Be?)
       - Costs of security measures (needed to obtain cost and benefit measures)
       - Recovery dynamics and costs
       - Acquisition processes (e.g., what to acquire and install)
       - Forensic investigation structure
       - Disaggregate security procedures, detection capabilities, and supportive culture
       - Tune the generic model to some specific sector
       - Add explicit vulnerability-detecting structure
       - Ethics of the focal actor
       - Social norms within the organization
       - Dynamics by which management makes decisions
       - Disabling detections as precursors
       - …

    19. Modeling the Outsider Threat
       For details of methods and procedure, cf. the complementing presentation “Using System Dynamics and Group Model Building to Support Cyber-security Research”.
       Main keywords:
       - Attempt to produce runnable system dynamics model(s)
       - Approach based on prototype models of simple cases
       Products:
       - Model of the Single Vulnerability Problem (SVP)
       - Models of the Rise and Use of Distributed Denial of Service (DDoS) Attacks

    20. The Single Vulnerability Problem (SVP)
       The main objective is to understand the determinants of the life cycle of a single vulnerability. Key elements of the problem are found in Arbaugh, W.A., W.L. Fithen, and J. McHugh. 2000. Windows of Vulnerability: A Case Study Analysis. Computer 33 (12):52-59, and in several SEI/CERT papers, presentations & reports. A qualitative, idealized reference behavior mode for the SVP follows.

    21. ’Intuitive’ Reference Behavior for the SVP © Arbaugh, W.A., W.L. Fithen, and J. McHugh. 2000

    22. Actual Findings for the SVP © Arbaugh, W.A., W.L. Fithen, and J. McHugh. 2000. Figs. 4 & 5, describing two other cases, yield similar results.

    23. SVP Model Conceptualization (Part 1)

    24. SVP Model Conceptualization (Part 2)
       Dynamic hypothesis:
       - The driving mechanism for the increase of attacks is scripting. Arbaugh et al.: «…we found that automating a vulnerability, not just disclosing it, serves as the catalyst for widespread intrusions.» A possible reason might be a dominating reinforcing feedback loop following scripting.
       - Defensive actions do not take off until late in the lifecycle. Arbaugh et al.: «Further, the patches were generally available shortly after or concurrent with the vulnerability’s public disclosure. Thus, while open disclosure obviously works, the availability of patches prior to the upswing in intrusions implies that deployment of corrections is woefully inadequate.» This suggests a balancing feedback loop that is triggered by the increasing number of intrusions and becomes stronger toward the end of the lifecycle.
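The two loops of the dynamic hypothesis (a reinforcing loop of script adoption after scripting, and a balancing patch-deployment loop that only strengthens once intrusions are visible) can be exercised in a small stock-and-flow simulation. The block below is an added example written for this page; it is not the workshop's SVP model, and the class and parameter names (SvpParams, t_disclosure, t_script, script_adopt, patch_response, and so on) and all numeric values are constructed assumptions, not calibrated data. The stocks are vulnerable hosts and the community of script users; the patch is available from the disclosure day, as Arbaugh et al. observed, but deployment responds to intrusion pressure.

```python
"""Stock-and-flow sketch of the Single Vulnerability Problem (SVP) dynamic hypothesis on slide 24.

Added illustration for this page, not the workshop's SVP model. Every number below is
an assumed, constructed parameter for demonstration, not calibrated data.
Stocks: vulnerable hosts and script users (the community using the exploit script).
Loops from the hypothesis:
  - reinforcing: script users recruit more script users once the exploit is scripted;
  - balancing: patch deployment, available from disclosure, accelerates only once
    intrusions are visible.
"""
from collections import namedtuple
from dataclasses import dataclass

Day = namedtuple("Day", "t vulnerable users intrusions patched patch_fraction")


@dataclass
class SvpParams:
    hosts: float = 10_000.0        # assumed population of hosts running the vulnerable software
    t_disclosure: int = 10         # day of public disclosure; patch assumed available the same day
    t_script: int = 30             # day an exploit script appears
    manual_rate: float = 0.0002    # pre-script intrusions per vulnerable host per day (experts only)
    script_adopt: float = 0.25     # daily growth rate of script users (reinforcing loop)
    max_users: float = 500.0       # saturation of the script-using community
    script_efficacy: float = 2.0   # intrusions per user per day when every host is vulnerable
    base_patch: float = 0.01       # daily fraction patched absent intrusion pressure
    patch_response: float = 2.0    # extra patching per unit of intrusion pressure (balancing loop)


def simulate_svp(p: SvpParams, days: int = 150):
    """Daily Euler steps over the vulnerability lifecycle; returns one Day record per step."""
    vulnerable = p.hosts
    users = 0.0
    history = []
    for t in range(days):
        if t == p.t_script:
            users = 1.0  # the script's first user seeds the community (assumed)
        frac_vulnerable = vulnerable / p.hosts
        # Intrusions: slow manual exploitation plus script users hitting remaining vulnerable hosts.
        intrusions = p.manual_rate * vulnerable + users * p.script_efficacy * frac_vulnerable
        patch_fraction = 0.0
        if t >= p.t_disclosure:
            # Patch deployment responds to observed intrusion pressure (intrusions per host).
            patch_fraction = p.base_patch + p.patch_response * intrusions / p.hosts
        patched = patch_fraction * vulnerable
        outflow = intrusions + patched
        if outflow > vulnerable:  # never drain more than the stock holds
            scale = vulnerable / outflow
            intrusions *= scale
            patched *= scale
            outflow = vulnerable
        history.append(Day(t, vulnerable, users, intrusions, patched, patch_fraction))
        vulnerable -= outflow
        if users > 0:
            # Logistic word-of-mouth growth of the script-using community.
            users += p.script_adopt * users * (1.0 - users / p.max_users)
    return history


def peak_day(history) -> int:
    """Day with the highest intrusion rate."""
    return max(history, key=lambda d: d.intrusions).t


if __name__ == "__main__":
    p = SvpParams()
    run = simulate_svp(p)
    pk = peak_day(run)
    print(f"script released day {p.t_script}; intrusions peak on day {pk} at {run[pk].intrusions:.0f}/day")
    print(f"patch deployment: {run[p.t_disclosure].patch_fraction:.1%}/day at disclosure, "
          f"{run[pk].patch_fraction:.1%}/day at the peak")
```

Run as is, the intrusion rate stays at a couple per day between disclosure and scripting, climbs steeply once the script community grows, peaks a few weeks after the script appears, and then falls as the patching rate (several times its disclosure-day value) and the shrinking vulnerable pool take over. That is the qualitative shape of the reference behavior; the quantities are whatever the assumed parameters make them, which is exactly why slide 28 points at calibration as the way to estimate hard-to-observe values such as community size and script spread.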

    25. SVP Model

    26. SVP Model Behavior, Part One

    27. SVP Model Behavior, Part Two

    28. Discussion of Findings for SVP Model
       - Behavior over time is in qualitative agreement with reference behavior.
       - Calibration of the model might provide estimates of otherwise hard-to-observe data (e.g. size of hacker communities, rate of spread of scripts, efficacy of scripts, patching policies, etc.).

    29. Rise and Use of DDoS Attacks
       Key events:
       - 1995: DoS, not scripted
       - 1996: SynFlood, DoS, not distributed
       - 1998: ”Mixter” and ”Randomizer” fight for chat rooms (”turf war”)
       - 1998-2000: Succession of increasingly more sophisticated scripts. Packages for system compromise (rootkit). Stolen websites.
       Two German hacker groups involved 1998-2000, known after their leading experts Mixter and Randomizer.

    30. Suggested Stories
       - Turf War for Chat Rooms
       - Effectiveness of Communication in Chat Rooms
       - Competition for Bragging Rights
       - Display & Diffusion of Tools on Stolen Websites
       - Mutual Espionage
       - Defender R&D Reducing Incidents but Accelerating Hacker R&D
       - External Hacker Development of Tools
       - Word of Mouth Spreading Hacker Tools

    31. System Dynamics Model – Basic

    32. SD Model – Complex Hacker ”civil war”

    33. SD Model – Complex Hackers vs. Internet World

    34. An Observer’s (from Sandia Labs) View of the Problem

    35. Discussion of DDoS Models
       - All models are qualitative and highly preliminary: they were developed from an oral description by Timothy J. Shimeall, CERT/CC, and under time shortage (the models were developed within a few hours on the last day of the workshop).
       - Suggested stories (slide #30) seem to come out right, plus more stories suggested by the models.
       - Models will be checked against literature sources.
       - One expects further model-based insights into otherwise unobservable hacker behavior.

    36. Workshop Objectives vs. Results
       - Developed preliminary system models of both problems (i.e. insider and outsider threat).
       - General agreement among participants that system dynamics methods and models add new perspectives and increase the dimension of cyber security research.
       - For further progress, the modeling effort must demonstrate that useful quantified, parameterized and calibrated models can be built while fully safeguarding data confidentiality.
       - Research agenda based on double-loop learning (next slide).
       - A number of potential collaboration patterns and ways of funding will be pursued in the near future. (Indeed, a proposal for an NSF grant (within the Human and Social Dynamics program) involving most participating institutions will be submitted in March 2004.)

    37. Double-loop Learning Research Agenda

    38. Participants 1/4

    39. Participants 2/4

    40. Participants 3/4

    41. Participants 4/4
