Collaboration and Automation for Threat Assessment and Mitigation
Presented as part of the 2016 HCSS conference.
ABSTRACT
Complex computer networks suffer from a huge number of potential attack surfaces: not just from vulnerabilities in systems, but also from social engineering attacks against the people who use them. Given the ever-changing threat landscape, large numbers of vulnerabilities, and complexity of network resources, human analysts don't have the luxury of carefully considering the severity and implication of each threat, and weighing potential mitigations against one another. The only way to keep up with the adversaries is to add automation to this analysis -- augmenting the human users with automated measurements of the system's security, in the current operational context.
This presentation covers the initial development phase of the Threat Fusion and Effective Response (TFER) project -- a reference implementation of a decision analysis system focused on such automation. The TFER system aims to make the best use of analysts' time in understanding and prioritizing potential threats, make the best use of mitigation resources to respond to those threats, and balance the work and priorities between related teams and organizations engaged in these activities. The reference implementation helps to answer the following three questions:
- Which Threats are most dangerous to the current operation?
- Which Assets are at greatest risk?
- Which Mitigations provide the greatest reduction of risk?
In this presentation we will demonstrate the pre-operational TFER system to show how an assortment of algorithms can assist multiple users in triaging and relating naturally expressed Threat and Mitigation information with computing assets (servers, workstations, laptops, cell phones, and so on). The resulting system automatically draws relationships between these three types of data to provide a baseline level of autonomy that can "fill the gaps" in the (limited) user input available from expert security analysts.
The TFER system demonstrates the feasibility of our general approach: the application of limited autonomy to augment and support multiple human experts, resulting in a cohesive view of the threat landscape as it applies to an operation. Multiple users are able to use the TFER interface to influence the automated reasoning systems, and the changes from those users can be aggregated to provide more holistic cyber situational awareness.
BIO
Forthcoming.