Defensive Information Warfare Active National Information Infrastructure Intrusion Defense

Upload: jonco

Post on 30-Jan-2016


Page 1: Defensive Information Warfare Active National Information Infrastructure Intrusion Defense

Defensive Information Warfare

Active National Information Infrastructure Intrusion Defense

Page 2

UnClassified

Don R. Smith 402.203.3184

[email protected] (GlobeTranz.com)

Page 3

“War is an act of violence based upon irreconcilable disagreement” FMFM 1, Warfighting.

• The violence need not be physical.

– Physical, cybernetic, and moral levels.

– This is a departure from a pure Clausewitzian view.

– Information Age Warfare requires leaders, sensors, processors, transmitters, information and shooters.

– IW targets leaders, sensors, processors, transmitters, information and shooters.

Page 4

“…moral forces exert a greater influence on the nature and outcome of war than do physical.” FMFM 1, Warfighting

• “Any view of the nature of war would hardly be accurate or complete without consideration of the effects of danger, fear, exhaustion, and privation on [those] who must [endure] the fighting …”

Page 5

National Need

• There have been several embarrassingly simple attacks that have resulted in significant damage that show that the current approaches are not adequate.

• There is reason to believe that both criminal elements and our national adversaries view this area as a highly cost-effective way of confronting the U.S. without coming into direct contact with U.S. legal, political, and military power.

• The role of Information Technology (IT) in supporting key economic, political and military operations becomes continually more critical, which simultaneously creates a new ‘battle’ space that in many ways is different from traditional battle spaces.

• Consequently, it is urgent to explore organizational adjustments and structures, policies, concepts of operations, and technologies to address this new form of national competition.

Page 6

Long Term National Objectives

• Develop technologies, policies and procedures for the Secret Service, FBI, Department of Commerce, SPACECOM, the JTF-CND, and NSA to create the ability to ‘flag’ and protect United States-owned global e-commerce.

• Create predictive, not reactive, security intrusion detection mechanisms to avert criminal misappropriation, cyber terrorism and foreign adversary attacks, in such a way as to preserve and protect constitutionally guaranteed freedoms.

• Create the first Virtual Organization for a Commerce Attack Response Team (CART).

• Create tools and methodologies to determine origination, transit path, and destination of critical electronic commerce transactions: TranSource (transactional sourcing).

Page 7

CART

• In today’s environment it is important to understand that our adversaries have many targets: Command and Control, Critical Infrastructure, Information Infrastructure and Financial Infrastructure.

• CART seeks to prevent adversaries from gaining advantage through cyber theft of commerce and transactional data, or from destroying commerce as leverage for political objectives.

Page 8

TranSource

• Tracking the source, transit, and destination of transactions allows governments and financial institutions to assess, mitigate, and assign risk.

• Continuously monitor and immediately determine the change in the validity of any critical transaction.

• Route these invalid transactions through special procedures and authentication to prevent unintended automatic transfer of funds.

Page 9

Hypothesis

A system built based on Virtual Organizations, Autonomic Smart Agents, and *Anomaly Detections naturally maps into a distributed defendable cyber space, and will be more effective for engaging in defensive information operations than the current systems/frameworks that exist, are under development, or under consideration at the present time.

*As Anomaly Detection Matures

Page 10

Short Term Objectives

Demonstrate a Cyber Defense capability that:

• Is capable of improved intrusion detection and warning through anomaly detection, active sensor cross-cueing, and autonomic tracing

• Provides the capability for limited autonomic attack response (attack path blocking, flood attack flow limitation, and target illumination*) as a first line of defense

• Provides for operation of distributed “virtual” cyber defense coordination to manage autonomic responses, mobilize IA reserves, & assist corporations, localities, Federal Agencies, users and stewards of the Global Information Grid

* Precursor to offensive response

Page 11

Short Term Objectives

Demonstrate a Cyber Defense capability:

• Provide the first massively distributed cyber defense capability that maps to the cyber battle space

• Scale it linearly from the laboratory to the National Information Infrastructure (NII) and then to the Global Information Grid.

Page 12

Relevant Structures, Policy and Virtual IA Organization Background

• SPACECOM, effective 1 October 1999, is responsible for U.S. Military Computer Network Defense and will begin to publicly conduct the Military Computer Network Attack mission effective 1 October 2000 (with a lot of help from STRATCOM).

• DISA, NSA and SPACECOM have been exploring and modeling feasible strategies for limited isolation of NIPRnet when under severe attack.

• The Reserve Component Employment Study 2005 called for the formation of a "joint [reserve component] virtual information operations organization” and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.

Page 13

Global Information Grid: 5 Classes of Potential Cyber Attacks

(Figure: deployed warfighters, theater infrastructure & reachback, and CONTINENTAL U.S. infrastructure & reachback connected through gateway routers & switches to the GII and to the CONUS and OCONUS Internet & public ATM infrastructure; nodes include CINC, Joint Staff, camps/posts/stations, log & support depots, intermediate support bases, service components and intel centers.)

The five attack classes shown:

• passive intercept attacks

• active network-based attacks

• close-in network-based attacks

• insider attacks

• hardware/software distribution attacks

Exploitation, Disruption, Denial, Deception: one-to-many, many-to-one, many-to-many. Must focus on continuity of MISSION CRITICAL information and applications.

Page 14

Global Information Grid: Existing IA Centers

(Figure: the same GIG topology as the previous slide, overlaid with the existing IA centers: DoD CERT, Service CERTs, JCCC, TCCC, RNOSC, GNOSC, IA Centers of Excellence, NIPC, JTF-CND, RCERT, IA Reserve Units, NSA and Service IWCs.)

Key: marked nodes are centers for the monitoring & protection of Joint and Services’ capabilities on the Global Information Grid (GIG). Note: bastion defense (e.g., firewalls) at all sites.

Page 15

How the intrusion detection & response process works today

(Figure: process flow over time, from suspected intrusion to attacks averted.)

• Suspected intrusion → event detection → local assessment → local containment actions → install protect mechanisms (e.g., anti-virus)

• Event damage propagation (e.g., “I Love You” virus) → regional reporting & assessment → Services & GNOSC reporting → assessment & recovery determination by IA experts

• IAVA (Info Assurance Vulnerability Assessment) → JTF-CND / CERT warning to GIG users → local containment actions → recommended repair actions → local recovery actions

• Unrepaired event → repropagation

• Publish through IAVA process → “Strategic” warning → other sites along attack path → a priori protection advisories → attacks averted

Page 16

The Requirement

• Understand the Cyber Battlespace

– At once . . . instantaneous and time extended . . . local and global

• Develop Cyber Defensive Tools and the Culture to match

– Provide a carefully-limited, “autonomic response” as close to the sources of the action as possible

– Detect anomalies in the critical data and functions that we wish to assure, and respond

• cueing/cross-cueing, attacker ID, path tracing, target illumination & correlation, honey pot diversion, attack rate limiting or blocking within the protected enclave

– Develop a CONOPS to bring decision makers into the detection, localization & containment process faster

Technical Revolutions - Technology, Concepts, Organizations.

Page 17

Advanced Technologies and Concept to Support Active National Information Infrastructure Intrusion Defense Requirement

• Detection Sensing Techniques

– State of Practice: Signature Matching (e.g., “I Love You” and “Melissa”) and Breaches of Policy (e.g., illegal log-in, port scanning, or route tracing)

– State of Art: Anomaly Detection (as technology matures)

• Agent-based Intrusion Detection and Isolation:

– Network Priority Multicast for ALERTS

– Controlled Autonomic Response

• Virtual (IA) Organization (VO) for Rapid GIG Augmentation by Reservists and IA Centers of Excellence

– Virtual Training of IA Operators (e.g., Red Team Gaming)

– Rapid “Call-Up” of IA Experts into VO

– Collaboration on Intrusion response strategies and on real-time responses

– Common Cyber Defensive Warfare Toolbox and CONOPS

Page 18

Advanced Concept: the “To be” Example Process

(Figure: a Virtual Intrusion Defense Cell (CND) holding a Detection Toolbox and Subject Matter Experts, and a Virtual Intrusion Response Cell (CNA) holding a Response Toolbox and a Recovery Toolbox. A User, an Infowarrior and ID agents find each other through DISCOVERY; an ID agent detects an EVENT and PUBLISHes/NOTIFies it; a SUBSCRIBEd ID agent and the IR agent receive it.)

Page 19

Advanced Concept: the “To Be” Functions.

(Figure: the as-is flow compressed into less time, with attacks averted at more points.)

• Suspected intrusion → event detection by Global Distributed Sensor Families (patterns, policy, & anomalies) → attacks averted

• Assessment & reaction by Virtual IA Team → IAVA (Info Assurance Vulnerability Assessment) → attacks averted; unrepaired repropagation averted; other sites along attack path → install protect mechanisms (e.g., anti-virus); a priori protection advisories → propagation averted

• Global Distributed Agent Families: invoke experts, visualize, illumination, react → damage recovery by Virtual IA Team

• Supporting functions: visualization, training, repository, GII/NII coordination, deep trend analysis

Page 20

Virtual Organization Techniques and Technologies

• Virtual Training of IA Operators (e.g., Red Team Gaming)

• Rapid “Call-Up” of IA Experts into VO

• Collaboration on Intrusion response strategies and on real-time responses

• Common Cyber Warfare Toolbox and CONOPS

(Figure: the GIG topology and IA centers from the earlier slides, with a QoS-capable, multicast network augmentation of the GIG linking a Joint Info Operations Center (Red Teaming, IA Event Capture & Replay, Cyber Warfare Toolbox), IA Reserve Units, IA Centers of Excellence, Joint and Services CERTs, and Joint and Services Ops & Security Centers.)

Page 21

“State of The Research” Intrusion Detection and Isolation Technologies

Common Detection & Intrusion Framework (CDIF):
- Intrusion Detection & Isolation Protocol (IDIP)
- Sensor agent initiation of trace, flow limitation, flow blocking messages
- Discovery Coordinator for human intervention
- Vendor implementations

Jini/Cooperative Agent Based Systems (CoAbs):
- Emerging commercial framework for information resources visibility & management

HYPER AGENTS:
- Detection, Identification, Localization, Correlation, Dissemination, Engagement, and Battle Damage Assessment.

(Figure: three overlaid diagrams. (1) Virtual organization lookup and discovery over Jini/CoAbs: an ID Cell Virtual Org (TS), a Public Group (UNCLASS) and an IR Cell Virtual Org (SCI), with an Infowarrior, a GCSS user, ID agents and an IR agent connected through LOOKUP, DISCOVERY, EVENT, PUBLISH/NOTIFY and SUBSCRIBE. (2) CDIF Agent Framework: sensor agents, analysis agents, a knowledge base, visualization agents and a sense & response agent over networks, hosts, apps, firewalls, NSM & ID systems (NSM, IDM, IA), with a response agent, handler and coordinator speaking IDIP. (3) IDIP exchange: a sensor agent raises an alert; a Trace Message (intrusion detection; actions: trace path, limit user flow on path, block user flow on path) flows through sense & response agents using their path tables; TraceReport messages return to the Discovery Coordinator, which can issue StopTrace.)

Page 22

Common Detection & Intrusion Framework (CDIF)

• Framework for multi-vendor Intrusion Detection system interoperability

• Framework for inter-sensor, autonomic response

• Several significant vendors have implemented IDIP-compliant products

Secure Multicast Intrusion Detection & Isolation Protocol (IDIP)

(Figure: a sensor agent raises an alert and sends a Trace Message (intrusion detection; actions: trace path, limit user flow on path, block user flow on path) to the sense & response agents along the path, which consult their path tables; TraceReport messages go to the Discovery Coordinator, which can send StopTrace.)
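The IDIP exchange shown on this slide and the previous one (a sensor agent initiates a trace; sense & response agents along the path apply limit or block actions using their path tables; TraceReports return to the Discovery Coordinator, which can issue StopTrace), as an added Python example that is not the presentation's or the CDIF/IDIP project's code. The topology, message fields, longest-prefix path lookup and never-downgrade policy are constructed assumptions for illustration.

```python
# IDIP-style trace along a path of sense & response agents.  Added example,
# not code from the presentation or the CDIF/IDIP project; topology, message
# fields and the coordinator policy are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class TraceMessage:
    """Trace request carried hop by hop from the detecting sensor upstream."""
    attack_id: str
    src: str                 # attacker address as seen by the detecting sensor
    dst: str                 # victim inside the protected enclave
    action: str              # "trace" (observe only), "limit" or "block"
    hops: List[str] = field(default_factory=list)

@dataclass
class TraceReport:
    """Per-hop report returned to the Discovery Coordinator."""
    attack_id: str
    agent: str
    applied: Optional[str]   # action now enforced at this hop, None if trace-only
    upstream: Optional[str]  # next agent toward the source, None at the edge

@dataclass
class SenseResponseAgent:
    name: str
    path_table: Dict[str, str]                           # source prefix -> upstream
    rules: Dict[str, str] = field(default_factory=dict)  # attack_id -> action

    def upstream_for(self, src: str) -> Optional[str]:
        """Longest-prefix match over this agent's path table."""
        match = max((p for p in self.path_table if src.startswith(p)),
                    key=len, default=None)
        return None if match is None else self.path_table[match]

    def handle(self, msg: TraceMessage) -> TraceReport:
        msg.hops.append(self.name)
        applied = None
        if msg.action in ("limit", "block"):
            # Never downgrade: a block already in place is not replaced by a limit.
            if self.rules.get(msg.attack_id) != "block":
                self.rules[msg.attack_id] = msg.action
            applied = self.rules[msg.attack_id]
        return TraceReport(msg.attack_id, self.name, applied, self.upstream_for(msg.src))

class DiscoveryCoordinator:
    """Collects TraceReports; the point where a human can negate a response."""

    def __init__(self, agents: List[SenseResponseAgent]) -> None:
        self.agents = {a.name: a for a in agents}
        self.reports: Dict[str, List[TraceReport]] = {}

    def trace(self, origin: str, msg: TraceMessage, max_hops: int = 16) -> List[str]:
        """Drive the trace upstream from the detecting sensor's agent; returns the path.
        Stops at the edge, at an unknown neighbour, or after max_hops (path-table loops)."""
        current: Optional[str] = origin
        while current in self.agents and len(msg.hops) < max_hops:
            report = self.agents[current].handle(msg)
            self.reports.setdefault(msg.attack_id, []).append(report)
            current = report.upstream
        return list(msg.hops)

    def enforced(self, attack_id: str) -> Dict[str, str]:
        """Action currently active at each hop for this attack."""
        return {n: a.rules[attack_id] for n, a in self.agents.items() if attack_id in a.rules}

    def stop_trace(self, attack_id: str) -> List[str]:
        """StopTrace: the VO negates the autonomic response; rules are withdrawn."""
        return [n for n, a in self.agents.items() if a.rules.pop(attack_id, None) is not None]

def build_demo() -> DiscoveryCoordinator:
    """Constructed path: enclave firewall -> border router -> ISP edge or peer."""
    return DiscoveryCoordinator([
        SenseResponseAgent("enclave-fw", {"": "border-router"}),             # default route
        SenseResponseAgent("border-router", {"203.0.": "isp-edge",
                                             "203.0.113.": "peer-b"}),      # longest prefix wins
        SenseResponseAgent("isp-edge", {}), SenseResponseAgent("peer-b", {}),  # network edges
    ])

def demo_scenario():
    """Limit first, escalate to block, then the VO negates the whole response."""
    dc = build_demo()
    path = dc.trace("enclave-fw", TraceMessage("atk-1", "203.0.113.77", "10.0.0.5", "limit"))
    dc.trace("enclave-fw", TraceMessage("atk-1", "203.0.113.77", "10.0.0.5", "block"))
    enforced = dc.enforced("atk-1")
    cleared = dc.stop_trace("atk-1")
    return path, enforced, cleared
```

The max_hops guard matters in practice: a stale or looping path table would otherwise let one trace message circulate indefinitely.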

Page 23

Agent based frameworks

• Sensor agents extract & assemble data elements from information system components (e.g., routers, firewalls, ID systems, hosts)

• Analysis agents process data into useful, assembled info

• Visualization agents provide network, IA, IDM monitoring to enterprise managers

• Agent Architecture can support addition of “plug-ins” for response coordination & execution

(Figure: agent framework. Sensor agents feed analysis agents and a knowledge base; visualization agents present NSM, IDM and IA views; a sense & response agent, response agent, handler and coordinator communicate over IDIP; the sources are networks, hosts, apps, firewalls, NSM & ID systems.)

Page 24

Operational & System Model

• Operational Model

– Clusters of responders constituted dynamically in response to critical missions, events

– Rapid, informal communication to augment traditional hierarchical reporting. Damage can occur in seconds to minutes

– Cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace

• System Model

– Virtual shared dataspaces constituted dynamically to share intrusion data, assessment, trace info, system status

– Distributed smart agents for detection, analysis, agent-to-agent notification, reaction … enabled for “first response” to multiple, simultaneous attacks

– Remote sensors to include present sensor systems, plus anomaly-based sensors and capability to act as response agents

(Figure: critical systems, critical information and critical networks make up the critical functions instrumented for anomaly detection; anomaly detection drives an immediate, autonomic response, and IA response augmentation develops and validates response strategies for rapid response.)

Page 25

The Operational Model

• Virtual Organizations (VOs)

– Constituted dynamically in response to critical missions

• Rapid communication among distributed members vs. hierarchical reporting

– Damage can occur in seconds to minutes

• Characterized by Rapid Reaction/Response

– Detection, analysis, prediction and reaction

• VO culture and training needed for rapid response (CONOPS)

– A Cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace

(Figure: critical functions instrumented for anomaly detection → anomaly detection → autonomic response; a Virtual Organization of JTF-CND/GNOSC, Service, CINC & Regional CERTs, IA Centers of Excellence and Reserve Components develops and validates response strategies.)

Page 26

System Model

• Virtual Shared Dataspaces

– Constituted dynamically in response to critical missions

• Distributed smart agents

– Detection, analysis, and reaction

– Agent-to-agent notification / smart push

– Real-time publishing, subscription, & pull among distributed processes & humans

• Remote Sensors

– Anomaly-based augmented by signature based detection.

(Figure: remote smart agents performing anomaly detection and autonomic response publish alerts into a virtual shared dataspace; JTF-CND/GNOSC, Service, CINC & Regional CERTs, IA Centers of Excellence and Reserve Components subscribe to it.)
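The system model above, together with the agent framework of slide 23 and the “to be” process of slide 18, as an added Python example that is not from the presentation: an ID agent combining a policy signature (state of practice) with an anomaly baseline (state of art) publishes events into a virtual shared dataspace, and a subscribed IR agent records a first response for the virtual IA team to validate or negate. The log format, the port-23 policy rule, the baseline window, the z-score threshold and the topic name are constructed assumptions.

```python
# ID agents (signature + anomaly) publishing into a virtual shared dataspace
# that IR agents subscribe to.  Added example, not code from the presentation;
# the log format, policy rule, baseline window and topic name are constructed.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Callable, Dict, List

class SharedDataspace:
    """Virtual shared dataspace: retained events, push to subscribers, pull."""
    def __init__(self) -> None:
        self.events: Dict[str, List[dict]] = defaultdict(list)
        self.subs: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)

    def subscribe(self, topic: str, callback: Callable[[dict], None]) -> None:
        self.subs[topic].append(callback)

    def publish(self, topic: str, event: dict) -> None:
        self.events[topic].append(event)      # retained so late joiners can pull
        for cb in self.subs[topic]:
            cb(event)                         # smart push (notify) to subscribers

    def pull(self, topic: str) -> List[dict]:
        return list(self.events[topic])

class IDAgent:
    """Sensor + analysis agent over 'ts src dst dport' connection records."""
    BLOCKED_PORTS = {23}      # constructed policy: no telnet into the enclave

    def __init__(self, name: str, space: SharedDataspace,
                 baseline_distinct_ports: List[int], z_threshold: float = 3.0) -> None:
        self.name, self.space, self.z = name, space, z_threshold
        # Baseline: distinct destination ports per source seen in a normal window.
        self.mu = mean(baseline_distinct_ports)
        self.sigma = pstdev(baseline_distinct_ports) or 1.0

    def run(self, log_lines: List[str]) -> List[dict]:
        """Signature check per record, anomaly check per source; publish both."""
        ports_by_src: Dict[str, set] = defaultdict(set)
        events: List[dict] = []
        for line in log_lines:
            _ts, src, dst, dport = line.split()
            port = int(dport)
            ports_by_src[src].add(port)
            if port in self.BLOCKED_PORTS:     # state of practice: policy breach
                events.append({"kind": "signature", "src": src, "dst": dst,
                               "detail": f"policy: port {port} not permitted",
                               "sensor": self.name})
        for src, ports in ports_by_src.items():  # state of art: port fan-out anomaly
            z = (len(ports) - self.mu) / self.sigma
            if z > self.z:
                events.append({"kind": "anomaly", "src": src, "dst": None,
                               "detail": f"{len(ports)} distinct ports, z={z:.1f}",
                               "sensor": self.name})
        for event in events:
            self.space.publish("events", event)
        return events

class IRAgent:
    """Subscribes to events and records a first response for VO validation."""
    def __init__(self, name: str, space: SharedDataspace) -> None:
        self.name, self.responses = name, []
        space.subscribe("events", self.on_event)

    def on_event(self, event: dict) -> None:
        # Signature hits are high confidence -> block; anomalies only rate-limit
        # until the virtual IA team validates or negates the response.
        action = "block" if event["kind"] == "signature" else "limit"
        self.responses.append((event["src"], action, event["sensor"]))

BASELINE = [2, 3, 2, 4, 3, 2, 3]   # constructed: distinct ports per source, normal window
SAMPLE_LOG = """\
1000 198.51.100.9 10.0.0.5 443
1001 198.51.100.9 10.0.0.5 80
1003 203.0.113.77 10.0.0.5 22
1004 203.0.113.77 10.0.0.5 23
1005 203.0.113.77 10.0.0.5 25
1006 203.0.113.77 10.0.0.5 80
1007 203.0.113.77 10.0.0.5 110
1008 203.0.113.77 10.0.0.5 443
1009 203.0.113.77 10.0.0.5 445
""".splitlines()                   # constructed connection records

def demo():
    """One ID agent and one IR agent sharing a dataspace over the sample log."""
    space = SharedDataspace()
    ir = IRAgent("ir-1", space)
    IDAgent("ids-enclave", space, BASELINE).run(SAMPLE_LOG)
    return ir.responses, space.pull("events")
```

The anomaly branch is what lets the agent flag a source the system was not primed for; the threshold is the lever behind the slide 28 goal of keeping false alerts that need a human below 25 percent.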

Page 27

Supporting Infrastructure and Tools

(Figure: a MISSION database and an ORGANIZATION database feed the system, operational and technical architectures; the specifications for interfaces, processes/players and dynamic elements sit between them.)

• Mission Components: data schema, world-view “COP”, culture references, process and relationship descriptions, reactive/autonomic reaction team, NCA

• Virtual Organization Components: core members, coordinating members, consulting members/specialists, ad hoc members

Page 28

Technical Assumptions - MOEs and MOPs

• Semi-autonomous agents can detect and provide valid, first response actions in real-time to adversarial behavior in distributed information systems

. . . including attacks for which the system has not been primed,

. . . while keeping the number of false alerts that require human intervention to fewer than 25 percent,

. . . and the resistance to multiple, simultaneous attacks will be much greater than when relying on local plus limited centralized resources

(Figure 1: percentage of valid alarms and percentage of false alarms vs. number of simultaneous attacks (1, 10, 100). Legend: to-be system, solid line; as-is system, dotted line. Annotations: “Cope with barrage of false alarms under heavy attack”; “Increase number of valid detections even under heavy attack by monitoring system anomalies”; marked values 17% and 70%.)

(Figure 2: response time from detected event. As-is steps: DETECT, ALERT CERT, ANALYSIS, DECISION, SEND ALERTS, ACT. To-be steps: DETECT, ALERT NEIGHBORS / VO, DISTRIB CORRELATION & AUTO RESPONSE, VALIDATION OF FIRST RESPONSE, FURTHER VO ANALYSIS, VO VALIDATE OR NEGATE RESPONSE / ACT.)

Page 29

Risks

• Technology - Low to Medium

• Development of CONOPS - Low

• Acceptance of New Inter-Organizational Coordination Concepts - Medium to Medium-High

(Figure annotations: “for acceptable operational payoff” and “for best operational payoff”.)

Page 30

Approach & Demonstration

• Instrument a portion of the NII configuration with autonomic sensors

– Employ on “clone” version on backbone networks for first demos

• Employ IA Reserve Units as initial Virtual IA organization

– Add capability to JTF-CND and NIPC annually

(Figure: critical functions instrumented for anomaly detection → anomaly detection → autonomic response; a Virtual Organization to develop and validate response strategies, drawn from JTF-CND/GNOSC; USCINCSPACE, NSA, R-CERT Scott; TBD Centers of Excellence; GCCS sites, GMC; CERT augmentation Reserve Units.)

Page 31

Demos, Residuals and Transition

• DEVELOPMENT & UTILITY ASSESSMENT

– FY01: Agent Framework Component & Correlation Demonstration; Constitute VO Dynamically

– FY02: Autonomic Trace Demonstration (Intrusion Framework Integrated); Exercise VO CONOPS

– FY03: Autonomic Response Demonstration; Exercise VO CONOPS

• LEAVE BEHIND

– Interim Capability for CART, JTF-CND, NIPC, NSA, Department of Energy, IA Reserve Units & Others

Page 32

Summary

CART will demonstrate significant reduction in response time and damage propagation for Cyber Warfare attacks on the Commercial NII through:

• Improved intrusion detection and warning by anomaly detection, active sensor cueing/cross-cueing, and autonomic tracing

• Limited autonomic attack response (attack path blocking, flood attack flow limitation, target illumination) as a first line of defense

• Distributed “virtual” cyber defense coordination to manage autonomic responses, mobilize IA reserves, & assist localities, Federal Agencies, users and stewards of the NII

CART will provide the first massively distributed cyber defense capability that maps to the cyber battle space and scales linearly from laboratory to the NII.