320 likes | 510 Views
Defensive Information Warfare Active National Information Infrastructure Intrusion Defense. Don R. Smith 402.203.3184. Nelsonah@GlobeTranz.com. “War is an act of violence based upon irreconcilable disagreement” FMFM 1, Warfighting. The Violence need not be physical.
E N D
Defensive Information Warfare Active National Information Infrastructure Intrusion Defense
Don R. Smith 402.203.3184 Nelsonah@GlobeTranz.com
“War is an act of violence based upon irreconcilable disagreement” FMFM 1, Warfighting. • The Violence need not be physical. • Physical, cybernetic, and moral levels. • This is a departure from a pure Clausewitzian view. • Information Age Warfare requires leaders, sensors, processors, transmitters, information and shooters. • IW Targets leaders, sensors, processors, transmitters,information and shooters.
“…moral forces exert a greater influence on the nature and outcome of war than do physical.” FMFM 1, Warfighting • “Any view of the nature of war would hardly be accurate or complete without consideration of the effects of danger, fear, exhaustion, and privation on [those] who must [endure] the fighting …”
National Need • There have been several embarrassingly simple attacks that have resulted in significant damage that show that the current approaches are not adequate. • There is reason to believe that both criminal elements and our national adversaries view this area as a highly cost-effective way of confronting the U.S. without coming into direct contact with U.S. legal, political, and military power. • The role of Information Technology (IT) in supporting key economic, political and military operations becomes continually more critical, which simultaneously creates a new ‘battle’ space . . • that in many ways is different than traditional battle spaces. • Consequently, it is urgent to explore organizational adjustments and structures, policies, concepts of operations, and technologies to address this new form of national competion.
Long Term National Objectives • Develop technologies policies and procedures for the Secret Service, FBI, Department of Commerce, SPACECOM, the JTF-CND, and NSA to create the ability to ‘flag’ and protect United States Owned Global E-commerce. • Create Predictive, not reactive, security intrusion and detection mechanism to avert criminal misappropriation, cyber terrorism and foreign adversary attacks, in such a way as to preserve and protect constitutionally guaranteed freedoms. • Create the first Virtual Organization for a Commerce Attack Response Team ( CART ) • Create tools and methodologies to determine origination, transit path, and destination of critical electronic commerce transactions, TranSource (transactional sourcing)
CART • In today’s environment it is important to understand that our adversaries have many targets: Command and Control, Critical Infrastructure, Information Infrastructure and Financial Infrastructure. • CART, seeks to prevent adversaries from gaining advantage through cyber theft of commerce and transactional data, or destroying commerce as leverage for political objectives.
TranSource • Tracking the source, transit, and the destination of transactions allows for Governments and financial institutions to assess, mitigate, and assign risk. • Continuously monitor and immediately determine the change in the validity of any critical transaction. • Route these invalid transactions through special procedures and authentication to prevent unintended automatic transfer of funds.
Hypothesis A system built based on Virtual Organizations, Autonomic Smart Agents, and *Anomaly Detections naturally maps into a distributed defendable cyber space, and will be more effective for engaging in defensive information operations than the current systems/frameworks that exist, are under development, or under consideration at the present time. *As Anomaly Detection Matures
Short Term Objectives • Demonstrate a Cyber Defense capability that is : • Capable of improved intrusion detection and warning through anomaly detection, active sensor cross-cueing, and autonomic tracing • Provide the capability for limited autonomic attack response (attack path blocking, flood attack flow limitation, and target illumination*) as a first line of defense • Provide for operation of distributed “virtual” cyber defense coordination to manage autonomic responses, mobilize IA reserves, & assist corporations, localities, Federal Agencies, users and stewards of the Global Information Grid • * Precursor to offensive response
Short Term Objectives • Demonstrate a Cyber Defense capability: • Provide the first massively distributed cyber defense capability that maps to the cyber battle space • Scale it linearly from the laboratory to the National Information Infrastructure (NII) and then to the Global Information Grid.
Relevant Structures, Policy and Virtual IA Organization Background • SPACECOM, effective 1 October 1999, is responsible for U.S. Military Computer Network Defense and will begin to publicly conduct the Military Computer Network Attack mission effect 1 October 2000 (with a lot of help from STRATCOM). • DISA, NSA and SPACECOM have been exploring and modeling feasible strategies for limited isolation of NIPRnet when under severe attack. • The Reserve Component Employment Study 2005 called for the formation of a "joint [reserve component] virtual information operations organization” and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.
Global Information Grid5 Classes of Potential Cyber Attacks insider attacks CONTINENTAL U.S. Infrastructure & Reachback GII hardware, Software distribution attacks Joint Staff Theater Infrastructure & Reachback Intel Centers Camps, Posts, Stations CINC Deployed Warfighters Log & Support Depots CONUS Internet & Public ATM Infrastructure Gateway Routers & Switches Intermediate Support Bases passive intercept attacks Camps, Posts, Stations Service Components active network- based attacks close-in network- based attacks OCONUS Internet & Public ATM Infrastructure Exploitation, Disruption, Denial, Deception: One-to-many Many-to-one Many-to-many Must focus on continuity of MISSION CRITICAL Information and Applications
Global Information GridExisting IA Centers CONUS Infrastructure & Reachback NIPC DoD CERT NSA GII JTF-CND Joint Staff IA Centers of Excellence Theater Infrastructure & Reachback GNOSC IA Reserve Units Intel Centers Service CERTs RCERT Camps, Posts, Stations CINC Service IWCs RNOSC Deployed Warfighters Log & Support Depots CONUS Internet & Public ATM Infrastructure Gateway Routers & Switches Intermediate Support Bases Camps, Posts, Stations Service Components TCCC JCCC Key: OCONUS Internet & Public ATM Infrastructure XXXX = Centers for the monitoring & protection of Joint and Services’ Capabilities on the Global Information Grid (GIG) Note: Bastion Defense (e.g., firewalls) at all sites
How the intrusion detection & response process works today time IAVA (Info Assurance Vulnerability Assessment) Assessment & recovery determination by IA Experts Publish through IAVA process “Strategic” warning Services & GNOSC Reporting A PRIORI PROTECTION ADVISORIES Recommended Repair Actions Regional Reporting & Assessment JTF-CND / CERT Warning to GIG users Local Containment Actions Local Recovery Actions Local Containment Actions Install Protect Mechanisms (e.g., anti-virus) Local Assessment Event Damage Propagation (e.g., “I Love You” virus) Suspected Intrusion Event Detection Attacks Averted Other sites along attack path Unrepaired Event Repropagation Attacks
The Requirement • Understand the Cyber Battlespace • At once . . . instantaneous and time extended . . . local and global • Develop Cyber Defensive Tools and the Culture to match • Provide a carefully-limited, “autonomic response” as close to the sources of the action as possible • Detect anomalies in the critical data and functions that we wish to assure, and respond • cueing/cross-cueing, attacker ID, path tracing, target illumination & correlation, honey pot diversion, attack rate limiting or blocking within the protected enclave • Develop a CONOPS to bring decision makers into the detection, localization & containment process faster • Technical Revolutions - Technology, Concepts, Organizations.
Advanced Technologies and Concept to Support Active National Information Infrastructure Intrusion Defense Requirement • Detection Sensing Techniques • State of Practice: Signature Matching (e.g., “I Love You” and “Melissa” and Breaches of Policy (e.g., illegal log-in, port scanning, or route tracing) • State of Art: Anomaly Detection (as technology matures) • Agent-based Intrusion Detection and Isolation: • Network Priority Multicast For ALERTS • Controlled Autonomic Response • Virtual (IA) Organization (VO) for Rapid GIG Augmen-tation by Reservists and IA Centers of Excellence • Virtual Training of IA Operators (e.g., Red Team Gaming) • Rapid “Call-Up” of IA Experts into VO • Collaboration on Intrusion response strategies and on real-time responses • Common Cyber Defensive Warfare Toolbox and CONOPS
IR AGENT EVENT USER ID AGENT ID AGENT ID AGENT SUBJECT MATTER EXPERTS PUBLISH NOTIFY SUBSCRIBE Intrusion Defense CELL VIRTUAL (CND) DETECTION TOOLBOX RECOVERY TOOLBOX DISCOVERY Intrusion Response CELL VIRTUAL (CNA) RESPONSE TOOLBOX DISCOVERY INFO WARRIOR DISCOVERY Advanced Concept:the “To be” Example Process
Advanced Concept:the “To Be” Functions. Deep Trend Analysis IAVA (Info Assurance Vulnerability Assessment) Training Visualization Repository GII/NII Coordination less time A PRIORI PROTECTION ADVISORIES Assessment & Reaction byVirtual IA Team Damage Recovery by Virtual IA Team Install Protect Mechanisms (e.g., anti-virus) Global Distributed Sensor Families Patterns, Policy, & Anomalies Global Distributed Agent Families Invoke Experts, Visualize, Illumination, React Suspected Intrusion Event Detection Unrepaired Repropagation Averted Attacks Averted Attacks Averted Propogation Averted Other sites along attack path Attacks
QoS-capable, multicast network augmentation of the GIG NIPC DoD CERT NSA JTF-CND GIG Joint Staff IA Centers of Excellence GNOSC IA Reserve Units Intel Centers Service CERTs RCERT Camps, Posts, Stations CINC Service IWCs RNOSC Log & Support Depots CONUS Internet & Public ATM Infrastructure Gateway Routers & Switches Intermediate Support Bases Camps, Posts, Stations Service Components TCCC JCCC OCONUS Internet & Public ATM Infrastructure Virtual OrganizationTechniques and Technologies Joint Info Operations Center • Virtual Training of IA Operators (e.g., Red Team Gaming) • Rapid “Call-Up” of IA Experts into VO • Collaboration on Intrusion response strategies and on real-time responses • Common Cyber Warfare Toolbox and CONOPS Cyber Warfare Toolbox IA Event Capture & Replay Red Teaming Joint and Services Ops & Security Ctrs Joint and Services CERTs IA Centers of Excellence IA Reserve Units
visualizn agent visualizn agent visualizn agent Discovery Coordinator NSM IDM IA coordi- nator Knowledge Base Trace Message Trace Report Messages Stop Trace IDIP Handler analysis agent analysis agent alert sensor agent sense & response agent path tables response agent sensor agent sensor agent sense & response agent Trace Message: - intrusion detection - action: trace path - action: limit user flow on path - action: block user flow on path IDIP networks, hosts, apps, firewalls, NSM & ID systems EVENT GCSS USER ID AGENT ID AGENT IR AGENT PUBLIC GROUP: UNCLASS NOTIFY PUBLISH ID AGENT SUBSCRIBE ID CELL VIRTUAL ORG: TS LOOKUP LOOKUP DISCOVERY IR CELL VIRTUAL ORG: SCI LOOKUP DISCOVERY INFO WARRIOR DISCOVERY “State of The Research” Intrusion Detection and Isolation Technologies Agent Framework CDIF Common Detection & Intrusion Framework (CDIF): - Intrusion Detection & Isolation Protocol (IDIP) - Sensor agent initiation of trace, flow limitation, flow blocking messages - Discovery Coordinator for human intervention - Vendor implementations Jini/Cooperative Agent Based Systems (CoAbs) • Emerging commercial framework for information resources visibility & mgmt HYPER AGENTS - Detection, Identification, Localization, Correlation, Dissemination, Engagement, and Battle Damage Assessment. path tables Jini / CoAbs
Common Detection & Intrusion Framework (CDIF) Discovery Coordinator Trace Message Trace Report Messages Stop Trace alert sensor agent sense & response agent path tables path tables Trace Message: - intrusion detection - action: trace path - action: limit user flow on path - action: block user flow on path Secure Multicast Intrusion Detection & Isolation Protocol (IDIP) • Framework for multi-vendor Intrusion Detection system interoperability • Framework for inter-sensor, autonomic response • Several significant vendors have implemented IDIP-compliant products
Agent based frameworks visualizn agent visualizn agent visualizn agent NSM IDM IA coordi- nator Knowledge Base IDIP Handler analysis agent analysis agent response agent sensor agent sensor agent sense & response agent IDIP networks, hosts, apps, firewalls, NSM & ID systems • Sensor agents extract & assemble data elements from information system components (e.g., routers, firewalls, ID systems, hosts) • Analysis agents process data into useful, assembled info • Visualization agents provide network, IA, IDM monitoring to enterprise managers • Agent Architecture can support addition of “plug-ins” for response coordination & execution
Operational & System Model IA Response Augmentation to develop and validate response strategies Critical Functions instrumented for anomaly detection • Operational Model • Clusters of responders constituted dynami-cally in response to critical missions, events • Rapid, informal communication to augment traditional hierarchical reporting. Damage can occur in seconds to minutes • Cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace • System Model • Virtual shared dataspaces constituted dynamically to share intrusion data, assessment, trace info, system status • Distributed smart agents for detection, analysis, agent-to-agent notification, reaction … enabled for “first response” to multiple, simultaneous attacks • Remote sensors to include present sensor systems, plus anomaly-based sensors and capability to act as response agents Rapid response Anomaly detection Autonomic Response Immediate response critical systems critical information critical networks
The Operational Model Service, CINC, & Regional CERTs JTF-CND/ GNOSC Critical Functions instrumented for anomaly detection Reserve Components IA Centers of Excellence Virtual Organization to develop and validate response strategies Anomaly detection Autonomic Response • Virtual Organizations (VOs) • Constituted dynamically in response to critical missions • Rapid communication among distributed members vs. hierarchical reporting • Damage can occur in seconds to minutes • Characterized by Rapid Reaction/ Response • Detection, analysis, prediction and reaction • VO cultureand training needed for rapid response (CONOPS) • A Cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace
System Model Service, CINC, & Regional CERTs JTF-CND/ GNOSC Reserve Components IA Centers of Excellence Virtual Shared Dataspace Publish Subscribe Anomaly detection Autonomic Response Remote Smart Agents • Virtual Shared Dataspaces • Constituted dynamically in response to critical missions • Distributed smart agents • Detection, analysis, and reaction • Agent-to-agent notification / smart push • Real-time publishing, subscription, & pull among distributed processes & humans • Remote Sensors • Anomaly-based augmented by signature based detection. Alert
Virtual Organization Components Dynamic Specifications for interfaces Processes/Players
Technical Assumptions - MOEs and MOPs • Semi-autonomous agents can detect and provide valid, first response actions in real-time to adversarial behavior in distributed information systems • . . . including attacks for which the system has not been primed, • . . .while keeping the number of false alerts that require human intervention to fewer than 25 percent • . . . And the resistance to multiple, simultaneous attacks will be much greater than when relying on local plus limited centralized resources ACT VO VALIDATE OR NEGATE RESPONSE / ACT Response Time from Detected Event SEND ALERTS FURTHER VO ANALYSIS DECISION VALIDATION OF FIRST RESPONSE ANALYSIS DISTRIB CORRELATION & AUTO RESPONSE ALERT CERT ALERT NEIGHBORS / VO DETECT DETECT 1 Legend: To-be system As-is systems 10 100 Number of Simultaneous Attacks 70% Increase number of valid detections even under heavy attack by monitoring system anomalies Percentage of Valid Alarms Percentage of False Alarms Cope with barrage of false alarms under heavy attack 17% Legend: To-be system: solid line As-is system: dotted line Number of Simultaneous Attacks
Risks • Technology • - Low to Medium • Development of CONOPS • - Low • Acceptance of New Inter-Organizational Coordination Concepts • - Medium to Medium-High for acceptable operational payoff for best operational payoff
Approach & Demonstration Critical Functions instrumented for anomaly detection Virtual Organization to develop and validate response strategies Anomaly detection Autonomic Response USCINCSPACE, NSA, R-CERT Scott JTF-CND/ GNOSC • Instrument a portion of the NII configuration with autonomic sensors • Employ on “clone” version on backbone networks for first demos • Employ IA Reserve Units as initial Virtual IA organization • Add capability to JTF-CND and NIPC annually TBD Centers of Excellence CERT Augmentation Reserve Units GCCS sites GMC
Demos, Residuals and Transition • DEVELOPMENT & UTILITY ASSESSMENT • FY01: Agent Framework Component & Correlation Demonstration; Constitute VO Dynamically • FY02: Autonomic Trace Demonstration (Intrusion Framework Integrated); Exercise VO CONOPS • FY03: Autonomic Response Demonstration; Exercise VO CONOPS • LEAVE BEHIND • Interim Capability for CART, JTF-CND, NIPC, NSA, Department of Energy, IA Reserve Units & Others
Summary • CART will demonstrate significant reduction in response time and damage propagation for Cyber Warfare attacks on the Commercial NII through: • Improved intrusion detection and warning by anomaly detection, active sensor cueing/cross-cueing, and autonomic tracing • Limited autonomic attack response (attack path blocking, flood attack flow limitation, target illumination) as a first line of defense • Distributed “virtual” cyber defense coordination to manage autonomic responses, mobilize IA reserves, & assist localities, Federal Agencies, users and stewards of the NII • CART will provide first massively distributed cyber defense capability that maps to the cyber battle space and scales linearly from laboratory to the NII