C3E 2009 -- Ideas

 

Botnet Epidemiology
Cyber Situational Awareness
Data for Cyber Research and Testing 
Decoys
Diversity
Neighborhood Assessment
Public Challenge: Hacker's 10-pin Bowling
Think Like a Bad Guy
Unpredictability



Botnet Epidemiology
Problem:

Botnets are loosely defined as a set of “zombie” computers unwillingly controlled by a “botmaster” through other machines that serve communications, exploit delivery, and code delivery functions. In addition, zombie host machines may store or forward information or files to other computers. It is assumed that many botnets are operated by fiscally motivated 3rd parties who rent their services to botnet customers. Because of their potential size, botnets can leverage attacks that require scale, dispersion, or heterogeneity. For all of these reasons, it is difficult to parameterize the threat posed by a botnet or if a collection of computers is even a botnet at all.
 
Rajab et al. identified challenges related to botnet size estimation, and other research efforts have proposed various approaches for size estimation. However, simply estimating the size of a botnet is not sufficient to quantify how effective, efficient, or robust a particular botnet may be. In addition, current assessments do not account for potential countermeasures employed by the botnet itself or its associated malware to defend itself or obscure its characteristics. Finally, reactive approaches may be ineffective for those botnets without zombies in a honeypot or whose countermeasures obscure them from observers, but it may be possible to intelligently detect some botnet activity through traffic analysis.


Proposal:

Botnet Potency Evaluation – The USG should work with academia, honeypot projects, the open source, and the commercial software industry. This approach would include developing tactics for measuring botnet activity, creating the associated algorithms, creating a sensor infrastructure for capturing botnet data, and creating a processing and analysis infrastructure for the data.


Submitted by Luanne Burns (2009-09-25 11:45:40)

 


Cyber Situational Awareness
Problem:

Network managers need to understand in real time the vulnerabilities of and threats being posed to their networks so they can take measures to optimally position their defenses to accomplish their mission. As part of this, multiple government and private sector entities are collecting information about cyber attacks, threat vectors, actors, etc., but are not able to easily exchange this information with each other, partially because there are no agreed-upon meanings for key terms and concepts among organizations. The inability to exchange this information is, in turn, limiting our ability to capitalize on what we know to defend ourselves in cyberspace.


Proposal:

Cyber R&D to support situational awareness can be broken down into three areas: data acquisition, data modeling, processing, and presentation. Various research efforts are currently working on methods for processing and presenting data for analysis from netflow data, intrusion detection systems, and server logs. Opportunities exist for bringing in more diverse data, building complex models, and discovering information about how nodes in a network relate based on business processes.


Submitted by Luanne Burns (2009-09-25 11:51:58)

 


Data for Cyber Research and Testing 
Problem:

Researchers in the Cyber Security realm have difficulty getting high quality datasets to use in testing cyber analytics. Privacy rules make collecting live traffic difficult leaving researchers without a good source of test data.


Proposal:

The government should embark on a multi-threaded approach to develop and make available to the research community high-quality datasets that could be used in cyber security analytics research and testing.


Submitted by Luanne Burns (2009-09-25 11:47:34)

 


Decoys
Problem:

Computer networks connected to the internet are being constantly probed by humans and automated agents seeking to understand and map the network terrain, identify vulnerabilities and, when possible, use those vulnerabilities to penetrate computer defenses. Once within a defensive perimeter, these humans and agents continue their reconnaissance, mapping networks, identifying resources and information stores, and gathering or reading sensitive information.


Proposal:

The government should invest in research on systems that reduce the likelihood that an adversary conducting reconnaissance of and within one’s systems will find sensitive information by instead guiding the adversary towards decoy information sources that will consume and waste their search efforts. This research would build on the existing body of knowledge related to honey pots and nets by developing capabilities to develop large-scale, high-quality decoy systems and dynamically steer adversaries towards this decoy information (or vice versa).


Submitted by Luanne Burns (2009-09-25 11:35:19)

 


Diversity
Problem:

In terms of functionality, homogeneous networks are advantageous to the users because of ease-of-use and ease-of-management. Recognizing these advantages, the government has launched initiatives to create a more homogeneous enterprise. A major consequence of this approach is that homogeneity favors the adversary, since compromising one entity translates to widespread compromise. Experience has shown that it is not difficult for the adversary to gain single footholds in our networks; therefore, the risk incurred by the weakest link is incurred by the enterprise as a whole.


Proposal:

The government should research the feasibility and effectiveness of designing and implementing a diverse network. The network should include a heterogeneous set of components and processes to make it more difficult for adversaries to completely compromise the system with a single attack vector. This diversity could be accomplished with virtual or physical machines and could also include diversity of performance (e.g., some systems can be really slow or inject processes to make that part of the system look really important). Because the idea of heterogeneity as a mitigation strategy has already been well-researched, this study should focus on ensuring operational feasibility and discovering optimal diversity approaches.


Submitted by Luanne Burns (2009-09-25 11:50:08)

 


Neighborhood Assessment
Problem:

The threat posed to an individual user, computer, or mobile device varies as a function of location and time (e.g., accessing the internet over a public wireless connection has fewer protections than a well-secured company intranet). There are, however, few clues or signals presented to users to help them decide whether they are in a “good” or “bad” computer neighborhood and few suggestions as to what actions they should take as a result. How would we determine the “badness” of a cyberspace neighborhood? How do we recognize when we have transitioned from a good cyber “neighborhood” into a bad one? What are the clues and warning signs? What signals indicate danger?


Proposal:

The government should invest in research to develop systems and algorithms that could be used to assess neighborhood trust and mission health.


Submitted by Luanne Burns (2009-09-25 11:41:42)

 


Public Challenge: Hacker's 10-pin Bowling
Problem:

Remote intrusion detection/prevention/study


Proposal:

Not sure how to answer this question (I'm a "naive") but see detail below. I think this might be a type of honeypot, but I see it as more of a type of "Netflix Challenge".


Submitted by Christopher Rose (2009-10-18 23:51:06)

 


Think Like a Bad Guy
Problem:

The increased rate of proliferation over the past year of malware, botnets, and viruses demonstrates that many of our adversaries are gaining both an appreciation for the utility of cyber crime and proficiency in executing such crime. As the number and strength of our adversaries grows, it becomes more important for us to understand both what they are capable of and what motivates them so that we can best spend our scarce resources protecting against them.


Proposal:

The government should invest in research to better understand the capabilities and motivations of our adversaries in cyberspace. While many intelligence organizations are already doing this, the addition of more scientific research on the topic could help quantify and model specific ways in which our adversaries are behaving.


Submitted by Luanne Burns (2009-09-25 11:39:12)

 


Unpredictability
Problem:

Infiltrators in information systems often attempt to mask their malicious activities within legitimate network activity to avoid detection and allow them to monitor, exfiltrate, or compromise information. So long as the host network activities and routines are observable, regular, and predictable, adversaries will be able to easily blend into their environment and avoid detection.


Proposal:

The government should research methods that can be used on networks to help expose adversaries and agents who are hiding within legitimate network activity by varying that activity in ways that will make the adversary stand out. For example, if all legitimate services on a network could be programmed to not transmit during a specific but changing time slot of each day, any service that did transmit during that time would be suspect. 


Submitted by Luanne Burns (2009-09-25 11:37:28)
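The rotating quiet-slot idea in the proposal above, as an added illustration that is not part of the submission: the daily slot is derived from a key shared only by the cooperating services (so an observer cannot predict it), and flow records that fall inside the slot single out the source that kept transmitting. The key, the flow-line format and all addresses are constructed for this example.

```python
import hmac
import hashlib
from datetime import datetime

SLOT_MINUTES = 10  # length of the daily quiet window, in minutes


def derive_quiet_slot(key: bytes, day: str, slot_len: int = SLOT_MINUTES) -> int:
    """Start minute (0..1439-slot_len) of the quiet window for a UTC day 'YYYY-MM-DD'.
    An HMAC over the date makes the slot move every day and stay unpredictable
    to anyone who does not hold the key shared by the legitimate services."""
    digest = hmac.new(key, day.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % (1440 - slot_len)


def in_quiet_slot(ts: datetime, slot_start: int, slot_len: int = SLOT_MINUTES) -> bool:
    """True when the timestamp's minute-of-day falls inside [slot_start, slot_start+slot_len)."""
    minute = ts.hour * 60 + ts.minute
    return slot_start <= minute < slot_start + slot_len


def parse_flow(line: str) -> dict:
    """Parse a constructed flow line: '<ISO-8601 UTC timestamp> src=<ip> dst=<ip> service=<name>'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return rec


def flag_quiet_slot_talkers(lines, key: bytes, slot_len: int = SLOT_MINUTES) -> set:
    """Return the set of sources that transmitted inside their day's quiet window."""
    suspects = set()
    for line in lines:
        rec = parse_flow(line)
        slot = derive_quiet_slot(key, rec["ts"].strftime("%Y-%m-%d"), slot_len)
        if in_quiet_slot(rec["ts"], slot, slot_len):
            suspects.add(rec["src"])
    return suspects


def sample_flows(key: bytes, day: str = "2009-09-25") -> list:
    """Constructed flow lines positioned relative to that day's derived slot."""
    start = derive_quiet_slot(key, day)
    stamp = lambda m: f"{day}T{m // 60:02d}:{m % 60:02d}:00Z"
    return [
        f"{stamp((start - 1) % 1440)} src=10.0.0.5 dst=10.0.0.80 service=web",   # minute before slot: fine
        f"{stamp(start + 3)} src=10.0.0.7 dst=198.51.100.9 service=dns",         # inside slot: suspect
        f"{stamp(start + SLOT_MINUTES)} src=10.0.0.5 dst=10.0.0.80 service=web", # first minute after: fine
    ]
```

Services that genuinely cannot pause (clock sync, heartbeat) would need an allowlist, and the slot must be long enough to exceed the jitter in the collector's timestamps.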

 
