C3E Idea Detail - Cyber Situational Awareness

 



Submitted by Luanne Burns

Title: Cyber Situational Awareness

 

Problem:

Network managers need to understand in real time the vulnerabilities of, and the threats being posed to, their networks so they can position their defenses to accomplish their mission. Multiple government and private-sector entities are collecting information about cyber attacks, threat vectors, actors and so on, but are not able to exchange this information easily with each other, partly because organizations have not agreed on the meanings of key terms and concepts. The inability to exchange this information in turn limits our ability to capitalize on what we know to defend ourselves in cyberspace.
 

Proposal:

Cyber R&D to support situational awareness can be broken down into three areas: data acquisition, data modeling and processing, and presentation. Various research efforts are currently working on methods for processing and presenting data for analysis from netflow data, intrusion detection systems, and server logs. Opportunities exist for bringing in more diverse data, building complex models, and discovering how nodes in a network relate to one another based on business processes.

 

The following recommendations highlight possible situational awareness R&D areas:
 
Cyber Situational Awareness 1 – Data Cataloging – Cyber security situational awareness research has largely targeted logs from perimeter defense systems, externally facing servers, or network traffic [1-5, 8-10]. A registry of common log types, messages, and properties (e.g. expressed in the IETF Incident Object Description Exchange Format, IODEF, RFC 5070) would help data fusion and integration research efforts. A government program that creates such a registry and provides sample data for testing would be a valuable resource for researchers and developers.
 
Cyber Situational Awareness 2 – Non-Traditional Data Integration – In addition to leveraging IDS/IPS and log data, situational awareness and cognitive awareness require context [2, 7]. This may include integrating information about the physical layer (server location, routing infrastructure location, etc.), social networks, user activity patterns, and/or associated business processes and essential functions. The role of traditional military, financial, and other situational awareness systems should be explored as potential models. In addition, user activity and social network models should be evaluated for integration. Research that prioritizes inclusion of other data and articulates the cost-benefit of data integration should be pursued.
 
Cyber Situational Awareness 3 – Knowledge Model Building – Data mining, multi-sensor data fusion, and complex event processing all require an underlying data model for processing and presenting information for visualization [1, 5]. As more diverse data are integrated into cyber situational awareness, a reusable model of sensor and situational awareness data will be necessary. Research and development should focus on large-scale, reusable, and distributed data models that allow collaborative processing while maintaining privacy, security, and intellectual property controls.
 
Cyber Situational Awareness 4 – Process Mining, Critical Paths, and Essential Function Discovery – While we can gain some situational awareness through traditional asset management data, we must also understand how an enterprise works as a system and be able to detect complex processes that humans may not be able to articulate. While knowing that a particular machine is being attacked is useful, to give full context we must be able to describe a node’s impact on the larger, complex system. Research into automatic business process discovery should work to help map critical processes as well as look at integrating attack data with process data to better understand attacker motivation and impact [11, 12].
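An added example for item 4 (written for this page; it is not code from the proposal or from any process-mining product): a dependency graph is discovered from constructed netflow-style summaries by keeping only sustained client-to-server relationships, each essential function is tied to the host that fronts it, and a compromised node is then mapped to the functions whose dependency chain it sits on. The hostnames, ports, flow counts, the threshold and the function-to-host map are all assumptions.

```python
from collections import defaultdict

# Constructed flow summaries (client_host, server_host, server_port, flow_count).
# Not real netflow data; hostnames, ports and counts are invented for the example.
FLOWS = [
    ("client-lan", "web1", 443, 1200),
    ("web1", "app1", 8080, 1150),
    ("app1", "db1", 5432, 4000),
    ("app1", "ad1", 389, 300),
    ("client-lan", "web2", 443, 900),
    ("web2", "app2", 8080, 850),
    ("app2", "db1", 5432, 3100),
    ("app2", "ad1", 389, 250),
    ("web1", "ntp1", 123, 2),      # housekeeping noise, below threshold
    ("app1", "web1", 443, 3),      # occasional health check, below threshold
]

# Essential functions and the host that fronts each (assumed; in practice this
# comes from the business owners or the asset inventory, not from the network).
FUNCTIONS = {"payroll": "web1", "customer-portal": "web2"}


def discover_dependencies(flows, min_flows=10):
    """Directed graph client -> server, keeping only sustained relationships."""
    graph = defaultdict(set)
    for client, server, _port, count in flows:
        if count >= min_flows and client != server:
            graph[client].add(server)
    return dict(graph)


def downstream(graph, start):
    """Every host that 'start' transitively depends on (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        host = stack.pop()
        for dep in graph.get(host, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def affected_functions(graph, functions, host):
    """Essential functions whose dependency chain includes 'host'."""
    return sorted(name for name, entry in functions.items()
                  if host == entry or host in downstream(graph, entry))


def shared_dependencies(graph, functions):
    """Hosts under more than one essential function: the high-impact nodes."""
    hits = defaultdict(set)
    for name, entry in functions.items():
        for host in downstream(graph, entry) | {entry}:
            hits[host].add(name)
    return {h: sorted(f) for h, f in hits.items() if len(f) > 1}


if __name__ == "__main__":
    g = discover_dependencies(FLOWS)
    print("attack on db1 affects:", affected_functions(g, FUNCTIONS, "db1"))
    print("shared dependencies:", shared_dependencies(g, FUNCTIONS))
```

The flow threshold is the filter the text asks for: without it the health check and NTP traffic would put every host on every critical path and the impact answer would be meaningless.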
 
Cyber Situational Awareness 5 – Visualization – Many security visualization titles have recently been published. However, few of these books cite any human factors or effectiveness measurements. D'Amico et al. note that cyber analysts require familiarity with a particular network to process the information they see effectively, and that information assurance analysis roles break down into categories requiring specialized knowledge and sense making [2]. Research should be conducted on how to build success measures into defense systems. In addition, fundamental research on making sense of cyber data should be funded to determine the types of visualizations most conducive to aiding particular computer network operations (CNO) activities.
 
Cyber Situational Awareness 6 – Advanced Research – In addition to the efforts enumerated above, cyber security would benefit from exploratory research into (1) a common cyber vocabulary and data exchange format, (2) distributed, heterogeneous data mining/data fusion architectures, and (3) complex event processing and semantic web reasoning on cyber data.
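An added example of the complex event processing named in item 6 (and of the multi-sensor fusion item 3 wants a common data model for), written for this page rather than taken from the proposal or any CEP product: events already normalized to one record shape arrive from three sensors, and a stateful rule keeps a sliding window per source address and fires only when reconnaissance, repeated authentication failures and a success on the same target line up in order inside the window. The event stream, sensor names, the 300-second window and the failure threshold are all constructed assumptions.

```python
from collections import defaultdict, deque


def ev(t, sensor, src, dst, category):
    """Normalized event as a plain dict; t is seconds on a shared clock."""
    return {"t": t, "sensor": sensor, "src": src, "dst": dst, "category": category}


# Constructed event stream from three sensors (not real data): one source scans
# a host, fails SSH logins several times, then succeeds.  A second source only
# fails, and an internal admin logs in without any preceding scan.
SAMPLE_EVENTS = [
    ev(0,  "snort",    "198.51.100.7", "192.0.2.10", "ids-scan"),
    ev(20, "iptables", "198.51.100.7", "192.0.2.10", "firewall-drop"),
    ev(40, "sshd",     "198.51.100.7", "192.0.2.10", "auth-failure"),
    ev(45, "sshd",     "198.51.100.7", "192.0.2.10", "auth-failure"),
    ev(50, "sshd",     "198.51.100.7", "192.0.2.10", "auth-failure"),
    ev(55, "sshd",     "198.51.100.7", "192.0.2.10", "auth-failure"),
    ev(70, "sshd",     "198.51.100.7", "192.0.2.10", "auth-success"),
    ev(60, "sshd",     "203.0.113.9",  "192.0.2.10", "auth-failure"),
    ev(65, "sshd",     "203.0.113.9",  "192.0.2.10", "auth-failure"),
    ev(80, "sshd",     "192.0.2.50",   "192.0.2.10", "auth-success"),
]


class CompromiseDetector:
    """Correlates, per source, the sequence scan -> N auth failures -> auth success
    on one target inside a sliding time window (window and N are assumptions)."""

    def __init__(self, window=300, min_failures=3):
        self.window = window
        self.min_failures = min_failures
        self.recent = defaultdict(deque)   # src -> events in window, oldest first

    def feed(self, event):
        """Consume one event in time order; return a composite event or None."""
        q = self.recent[event["src"]]
        q.append(event)
        while q and event["t"] - q[0]["t"] > self.window:   # expire old evidence
            q.popleft()
        if event["category"] != "auth-success":
            return None
        dst = event["dst"]
        scan_t = next((e["t"] for e in q
                       if e["category"] == "ids-scan" and e["dst"] == dst), None)
        if scan_t is None:
            return None                      # no reconnaissance seen: ordinary login
        failures = [e for e in q if e["category"] == "auth-failure"
                    and e["dst"] == dst and e["t"] > scan_t]
        if len(failures) < self.min_failures:
            return None
        evidence = [e for e in q if e["dst"] == dst and e["t"] >= scan_t]
        q.clear()                            # do not re-fire on the same evidence
        return {"type": "likely-compromise", "src": event["src"], "dst": dst,
                "t": event["t"], "failures": len(failures),
                "sensors": sorted({e["sensor"] for e in evidence})}


def correlate(events, **kw):
    """Run the detector over a whole stream (sorted by time) and collect composites."""
    det = CompromiseDetector(**kw)
    out = []
    for e in sorted(events, key=lambda e: e["t"]):
        c = det.feed(e)
        if c:
            out.append(c)
    return out


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

The composite carries the list of contributing sensors, which is what a downstream picture needs to show an analyst why three low-value alerts became one high-value event; the per-source window is also the memory bound that keeps this tractable on the data volumes the Weaknesses section worries about.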
 

Strengths:

·         Cyber visualization and situational awareness (SA) are non-negotiable for CNO. Because of the distributed nature of the Internet, a common language and platform for cyber situational awareness would be very valuable.
·         Many attacks, such as spear-phishing, keyboard attacks, or physical attacks, could be completely missed by current SA methods. Overlaying physical and social data onto perimeter and server data could provide insights not currently possible.
·         Business processes drive many governmental, military, and commercial IT architectures. Integrating process into cyber awareness would help provide the context missing in CNO that traditional warfare is able to derive from news, weather, or other physical world phenomena.
 

Weaknesses:

·         Even small enterprises can generate a phenomenal amount of data. While storage will continue to become cheaper and processing more powerful, sifting through cyber data and related information may be nearly impossible without effective filters and heuristics. Furthermore, it may be impossible for any organization to have a comprehensive common operating picture, since significant amounts of relevant cyber data may be in private networks, sensitive, or otherwise inaccessible.
·         The Internet is an entity in motion and mapping cyber data to other domains such as the physical geospatial domain may prove very complex. This complexity is compounded by high-grade encryption, availability of proxies, availability of hacked computers/botnets, context aware services that present different data based on location or other parameters, etc.
·         Complex defenses may hinder the adversary, but may also make situational awareness and interagency coordination much more difficult. While camouflaging or fast-fluxing one’s own network may make it more robust, it may make it more complex to analyze data or leverage existing algorithms.
 

References:

National Cyber Leap Year Summit 2009 Participants' Ideas Report, NITRD Program Office, September 16, 2009, pp. 114–115.
 
Bass, T. (2000). Intrusion Detection Systems and Multisensor Data Fusion. Communications of the ACM, 43(4), 99–105.
 
D'Amico, A., Whitley, K., Tesone, D., O'Brien, B., & Roth, E. (2005). Achieving Cyber Defense Situational Awareness: A Cognitive Task Analysis of Information Assurance Analysts. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 49, 229–233.
 
D'Amico, A., & Larkin, M. (2001). Methods of Visualizing Temporal Patterns in and Mission Impact of Computer Security Breaches. DARPA Information Survivability Conference and Exposition (DISCEX), 1, 343.
 
Hamilton, S., & Hamilton, W. (2008). In Proceedings of the IFIP TC 11 23rd International Information Security Conference (IFIP International Federation for Information Processing, Vol. 278), ed. Jajodia, S., et al., Boston: Springer, 461–475.
 
Perrochon, L., Eunhei J., & Luckham, D. (2000). Enlisting Event Patterns for Cyber Battlefield Awareness. DARPA Information Survivability Conference and Exposition (DISCEX), 2, 1411.
 
Phillips, C., Jr., Ting, T. C., & Demurjian, S. (2002). Information Sharing and Security in Dynamic Coalitions. SACMAT '02: Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, 87–96. New York: ACM.
 
Saydjari, O. (2004). Cyber Defense: Art to Science. Communications of the ACM, 47(3), 52–57.

 

Richard Howard: One idea that came out in the conference is the development of a Rosetta Stone database for all threats. This would be a way to normalize all threat info across vulnerabilities, malcode and other threats so that all researchers are talking off the same sheet of music.


David Skillicorn: There's a hidden assumption here, and that is that such systems are complicated but knowable, in the sense that there is a well-defined mapping from inputs to output functionality. Snowden, most notably, and others have pointed out that most interesting real-world systems are not like this: they tend to be complex (e.g. highly non-linear) or chaotic. (There's a nice Wikipedia article on the Cynefin framework for thinking about different kinds of systems.)
