The Special Cyber Operations Research and Engineering (SCORE) Subcommittee sponsored the 2015 Computational Cybersecurity in Compromised Environments (C3E) workshop at the Carnegie Mellon University/Software Engineering Institute from 26-28 October 2015. The research workshop brought together a diverse group of top experts from academia, industry, and government to examine new ways of approaching the cybersecurity challenges facing the Nation and how to enable real-time decision-making in light of the complex and adversarial nature of Cyberspace.
This was the seventh in a series of annual C3E research workshops, drawing upon the efforts between 2009 and 2014 on adversarial behavior, the role of models and data, predictive analytics, and the need for understanding how best to employ human and machine-based decisions in the face of emerging cyber threats. Since its inception, C3E has had two overarching objectives: 1) development of ideas worth additional cyber research; and 2) the development of a Community of Interest (COI) around unique analytic and operational approaches to the persistent cyber security threat.
C3E 2015 continued to focus on the needs of the practitioner and leverage past C3E themes of predictive analytics, decision-making, and consequences, and visualization. To enhance the prospects of deriving applicable and adoptable results from C3E track work, the Government sponsors selected the track topics of Recognizing the Adversary and Adaptive Defense.
To accomplish its objectives, C3E 2015 drew upon the approaches that have been used in C3E since the beginning: (1) Keynote Speakers who provided tailored and provocative talks on a wide range of topics related to cyber security; (2) Track Work that involved dedicated small group focus on the two tracks identified above, and (3) a Discovery Problem that attracted the analytic attention of participants prior to C3E.
C3E 2015 Keynote Speakers were drawn from academia, industry, and government and spoke on the range of issues that contribute to the continuing cybersecurity threat. Admiral Rogers, Director of NSA, visited the event and shared his views on many of the topics being discussed during the sessions.
The purpose of the Recognizing the Adversary track was to engage a set of researchers from diverse backgrounds to explore attribution and its role in cyber defense. Issues addressed included the technical possibilities and limits in developing effective attribution capabilities, the timeliness of attribution and how to navigate the tensions between attribution and privacy. Four possible approaches to addressing the challenges posed in Recognizing the Adversary were proposed:
- Deploying IOT sensors for shared situational awareness
- Building Attribution Profiles
- Recognizing the adversary through smart data and hoop jumping
- Herding the adversary
The Adaptive Defense track focused on using some degree of attribution and technical information from an ongoing attack to adapt defenses to mitigate the consequences. The track sought to address how a defender can overcome the strategic bias that exists within security in favor of an attacker, and how we can pursue adaptive strategies in the compromised environment in which we find ourselves. Track participants identified three areas of focus:
- Built-in Adaptive Mission Management (BAMM)
- Defensive Deception
- Driving Resilience Using Metrics (DRUM)
The C3E 2015 Discovery Problem was identified as Novel Approaches to Avoid Misattribution of Malicious Cyber Activity. The discovery problem, likely to be a multi-year effort, seeks to identify novel approaches to distinguish between different cyber threat actors in order to potentially support the cybersecurity community in determining attribution of high interest events. The ability to achieve high confidence attribution can be a critical factor in the formulation of national cyber deterrence strategies. C3E 2015 included a panel discussion that included preliminary findings from four groups that have begun to evaluate the data as well as an assessment from industry, FireEye/Mandiant, about issues associated with attribution.
C3E remains focused on cutting-edge technology and understanding how people interact with systems and networks. While C3E is often oriented around research, the workshops have begun to incorporate practical examples of how different government, scientific, and industry organizations are actually using advanced analysis and analytics in their daily business and creating a path to applications for the practitioner, thus providing real solutions to address cyber problems.