Historical Perspective
Computational Cybersecurity in a Compromised Environment (C3E)
Workshops
The Special Cyber Operations Research and Engineering (SCORE) Subcommittee sponsors the annual Computational Cybersecurity in Compromised Environments (C3E) workshops. To date (2009-2017), there have been nine workshops supported by the Committee. The research workshops bring together a diverse group of top academic, commercial, and government experts to examine new ways of approaching the cybersecurity challenges facing the Nation. Beyond exploring issues of cutting-edge research importance, C3E holds as a central purpose the creation of an enduring community of interest who can continue to innovate on the analytic and operational challenges we face in light of these threats.
The following is a brief summary of the themes covered for each of these workshops along with the challenge problems associated with the more recent events.
C3E 2017 (GTRI, Atlanta, GA)
Theme: Anticipating Future Threats and Response in Cyberspace
Analytic Areas of Focus
• Advancing the Methods of Attribution in Cyberspace: Previous C3E Workshops focused on analytic techniques to identify adversarial actors, distinguish normal, benign behavior from malicious behavior, and to examine misattribution as a source of risk to defense. Challenge Problems supported attribution themes. C3E 2017 focused on new activities designed to understand attribution methods.
• Shifting the Balance in the Attack-Defend Cycle: Endless vulnerabilities produce an unsustainable cycle of intrusion, compromise discovery, patch development, and recovery, an inherently reactive process. Examine strategies and techniques that help shift the balance toward the defender.
Challenge Problem (Continuation of 2016 Challenge Problem): Modeling Consequences of Ransomware on Critical Infrastructures
Task
• Provide insight into potential consequences that might result from crimeware attacks, specifically ransomware, on the critical infrastructure
Goal/Output: Report results of yearlong research to develop modeling approaches. Identify possible techniques to disrupt the cycle.
C3E 2016 (GTRI, Atlanta, GA)
Theme: Understanding Cyber Consequences with a Focus on Understanding Cyber Dependencies and Analytic Context for Understanding Resilience
Analytic Areas of Focus
• Understanding Cyber Dependencies: Validating known and discovering unknown interdependencies: what analytic methods or tools inform us of our interdependencies, and at what confidence levels?
• Improving Analytic Context for Cyber Resilience: Assuming that we cannot identify all interdependencies, how can we apply an improved understanding of the analytic context associated with resilience?
Challenge Problem: Modeling Consequences of Ransomware on Critical Infrastructures
Task
• Provide insight into potential consequences that might result from crimeware attacks, specifically ransomware, on the critical infrastructure
Goal/Output: Develop modeling approaches
C3E 2015 (SEI/CMU, Pittsburgh, PA)
Theme: Discuss adaptive defense and identifying the adversary
Analytic Areas of Focus
• Recognizing the Adversary: Attribution is defined as determining the identity or location of an attacker or an attacker’s intermediary. The ability to identify the ultimate source (computer/location and person/affiliation) of a cyberattack is then the basis for taking action against the attacker. Furthermore, attribution becomes central to the creation of a system of deterrence, the idea that one can dissuade attackers from acting through fear of some sort of retaliation.
• Fortification with Adaptation: Strategic conflicts that arise in cyberspace are mostly ongoing games of imperfect and incomplete information that are played by computationally bounded players. The task of lifting the general method of strategic reasoning from MAD to APT is still open.
Challenge Problem: Novel Approaches to Avoid Misattribution of Malicious Cyber Activity
Tasks
• What features of malicious cyber events are not captured by standard technical or behavioral forensic analysis procedures?
• Are there features distinct from one group to another? Are there any threat actor procedural biases, quirks, or other subtleties that can be discerned from malicious cyber event data?
• Are any of these aspects or features of malicious cyber events useful to supplement traditional signatures to improve threat attribution assessments?
Goal/Output: Novel approaches to avoid misattribution of malicious activity
C3E 2014 (GTRI, Atlanta, GA)
Theme: Focus on the needs of the practitioner and leverage past C3E themes of predictive analytics, decision-making, consequences and visualization
Analytic Areas of Focus
• Security by Default: How can we flip the economics of cyberspace to favor the defenders, and disadvantage the attackers?
• Data Integrity: Data integrity relates to a broad set of issues affecting many disciplines, not the least of which is cyber security. For example, we are interested in data integrity as it relates to surprising change, not just routine corruption.
Challenge Problem: Metadata-based Malicious Cyber Discovery
Task: To invent and prototype approaches for identifying high-interest, suspicious and likely malicious behaviors from metadata that challenge the way we traditionally think about the cyber problem.
Research data sources: DHS PREDICT datasets
C3E 2013 (West Point, NY)
Theme: Discuss navigation and consequences of action in cyberspace
Analytic Areas of Focus
• Navigating cyberspace: Analysts have to deal with a crush of information in assessing developments in cyberspace. What emerging analytic tools and methods are available to help them anchor, navigate, assess and map developments in this domain?
• Cyberspace consequences: Following on last year’s focus on decision-making in cyberspace, how do analysts and practitioners understand and assess the consequences of action taken in cyberspace, especially those in response to threat?
Challenge Problem: APT Infection Discovery Using DNS
Task: To develop techniques for detecting malicious external hosts given the DNS logs for a site, and to identify potentially infected hosts in the process.
Research dataset: 1.4TB of randomized actual DNS traffic from a National Lab
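The 2013 challenge above (and the 2014 metadata-only discovery challenge) asks for techniques that, given only a site's DNS logs, surface malicious external hosts and the internal hosts that talk to them. The following is an added illustration of one such technique, not code from the C3E program or from any workshop submission: it treats a burst of NXDOMAIN answers for algorithmically generated-looking names from one client as a beaconing indicator, takes the generated-looking names that did resolve for such a client as candidate malicious hosts, and then flags every other client that resolved those names. The log format, thresholds and sample lines are all constructed for the example; the registered-label extraction is deliberately naive (no public suffix list), which a production version would replace.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log (not real data). Fields:
# timestamp client query rcode answer ('-' when no answer)
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.0.5 www.example.com NOERROR 93.184.216.34
2013-05-01T10:00:02 10.0.0.6 www.example.com NOERROR 93.184.216.34
2013-05-01T10:00:03 10.0.0.5 mail.example.org NOERROR 203.0.113.7
2013-05-01T10:00:04 10.0.0.9 xk3j9q2mzv7w.biz NXDOMAIN -
2013-05-01T10:00:05 10.0.0.9 pq8n1tz4yc6r.biz NXDOMAIN -
2013-05-01T10:00:06 10.0.0.9 vb2m7ks0qjh5.biz NOERROR 198.51.100.42
2013-05-01T10:00:07 10.0.0.12 vb2m7ks0qjh5.biz NOERROR 198.51.100.42
2013-05-01T10:00:08 10.0.0.9 g7t1xz9lq2wd.biz NXDOMAIN -
2013-05-01T10:00:09 10.0.0.12 cdn.example.net NOERROR 192.0.2.10
"""


def parse_dns_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, answer = line.split()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answer": None if answer == "-" else answer,
        })
    return records


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    """Naive second-level label ('example' from 'www.example.com').
    Assumption: no public suffix list, so 'foo.co.uk' yields 'co'."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_entropy=3.0, min_digit_ratio=0.2):
    """Heuristic for DGA-like names: high entropy plus many digits.
    Thresholds are constructed for this example, not tuned on real data."""
    label = registered_label(qname)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and digit_ratio >= min_digit_ratio


def analyze(records, nx_threshold=3):
    """Return beaconing clients, candidate malicious hosts, and infected clients."""
    # Step 1: clients with many NXDOMAIN answers for generated-looking names.
    nx_by_client = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and looks_generated(r["qname"]):
            nx_by_client[r["client"]].add(r["qname"])
    beaconing = {c for c, names in nx_by_client.items() if len(names) >= nx_threshold}

    # Step 2: generated-looking names that DID resolve for a beaconing client
    # give the external hosts to treat as malicious.
    malicious_hosts = defaultdict(set)
    for r in records:
        if (r["rcode"] == "NOERROR" and r["answer"] and r["client"] in beaconing
                and looks_generated(r["qname"])):
            malicious_hosts[r["answer"]].add(r["qname"])

    # Step 3: any client that resolved a name pointing at a malicious host
    # is a potentially infected host, even if it never showed NXDOMAIN bursts.
    infected = set(beaconing)
    for r in records:
        if r["answer"] in malicious_hosts:
            infected.add(r["client"])

    return {
        "beaconing_clients": sorted(beaconing),
        "malicious_hosts": {ip: sorted(names) for ip, names in malicious_hosts.items()},
        "suspected_infected": sorted(infected),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_dns_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed log, 10.0.0.9 is flagged from its NXDOMAIN burst, 198.51.100.42 becomes the candidate malicious host because a generated-looking name resolved to it for that client, and 10.0.0.12 is then picked up purely from having resolved the same name. The thresholds are where real work lives: on a 1.4 TB corpus the heuristics would need calibration against benign CDN and tracking domains, which also produce high-entropy labels.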
C3E 2012 (West Point, NY)
Theme: Discuss decision making in cyberspace and how to best visualize data
Analytic Areas of Focus
• Decision-making and risk management: The ability to estimate the occurrence of future events using expertise, observation and intuition is critical to the human decision-making process. How can we assist analysts and policymakers in providing better cybersecurity analysis and response by enabling a human-based approach to decision-making that is unhindered by cognitive and cultural biases?
• Visualization to Perception: The massive volumes of data being collected in the physical and cyber worlds are dwarfing our abilities to assess, identify, characterize, and prioritize items, objects, and issues of interest. How can we make effective use of both humans and machines for the things that each does best?
Challenge Problem: Identity Discovery Scenario: An Epidemic Contact Tracing and Data Analysis: Unidentified Male Potentially Carrying Deadly and Highly Contagious Virus
Tasks: Who is the unidentified male? Where is the unidentified male?
Research results: Novel techniques to manipulate, analyze, and visualize the multiple datasets in response to requirements from analysts.
C3E 2011 (Keystone, CO)
Theme: Discuss predictive analytics and the role of intersecting anomalies and emergent behavior in supporting them
Analytic Areas of Focus
• Emergent Behavior: The concept of “emergence,” as used in modern science, usually refers to the complex behaviors that emerge from dynamic interactions between simple entities. Modeling emergent behavior in cyberspace can have a game-changing impact in the fight against cybercrime.
• Intersecting Anomalies: Within a compromised environment, anomalous behavior has been used to identify indicators of a wide variety of faults, both natural and malicious. With our ability to handle “big data,” we have the opportunity to discover anomalies from a wider variety of sources.
C3E 2010 (Santa Barbara, CA)
Theme: Understand state-of-the-art models and data practices that could inform strategy and tactics for the practitioner
Analytic Areas of Focus
• Models meet models: Do models of different behaviors inform how we think about operating in a compromised cyberspace environment? What are the emerging models that serve to defend and protect in a compromised environment?
• Models meet data: How do we deal with the massive amounts of dynamically changing data that the cyberspace environment holds, including the identification of adversarial behavior?
• Models meet reality: How do models support real-time decision making by practitioners who deal with cyber threats every hour of every day? Are there gaps in the theoretical research that could help practitioners deal with existing, emerging, or even unanticipated problems?
C3E 2009 (Santa Fe, NM)
Theme: Understand how adversaries have insinuated themselves into our systems and networks, and how computational and other analytic approaches could be leveraged to mitigate their influence.
Analytic Areas of Focus
• The Infiltrator on the Inside: We assume that our adversaries have insinuated themselves among us. How can we learn to recognize them even though they may look like one of us?
• Bad Neighborhoods: How do we recognize when we have transitioned from a good “neighborhood” into a bad one? What are the clues and warning signs? What signals indicate danger?
• Camouflage, also known as Operating Under Hostile Conditions: How do we continue to operate when under the surveillance of our adversaries? Can we carry on with “business as usual” or “almost as usual?”