Defensive Information Warfare: Active National Information Infrastructure Intrusion Defense (PowerPoint presentation transcript)
1
Defensive Information Warfare: Active National Information Infrastructure Intrusion Defense
2
Don R. Smith 402.203.3184
Nelsonah_at_GlobeTranz.com
3
"War is an act of violence based upon irreconcilable disagreement." (FMFM 1, Warfighting)
  • The violence need not be physical.
  • Physical, cybernetic, and moral levels.
  • This is a departure from a pure Clausewitzian view.
  • Information Age Warfare requires leaders, sensors, processors, transmitters, information and shooters.
  • IW targets leaders, sensors, processors, transmitters, information and shooters.

4
"Moral forces exert a greater influence on the nature and outcome of war than do physical." (FMFM 1, Warfighting)
  • Any view of the nature of war would hardly be accurate or complete without consideration of the effects of danger, fear, exhaustion, and privation on those who must endure the fighting.

5
National Need
  • There have been several embarrassingly simple attacks that have resulted in significant damage, showing that the current approaches are not adequate.
  • There is reason to believe that both criminal elements and our national adversaries view this area as a highly cost-effective way of confronting the U.S. without coming into direct contact with U.S. legal, political, and military power.
  • The role of Information Technology (IT) in supporting key economic, political and military operations becomes continually more critical, which simultaneously creates a new battle space that in many ways is different from traditional battle spaces.
  • Consequently, it is urgent to explore organizational adjustments and structures, policies, concepts of operations, and technologies to address this new form of national competition.

6
Long Term National Objectives
  • Develop technologies, policies and procedures for the Secret Service, FBI, Department of Commerce, SPACECOM, the JTF-CND, and NSA to create the ability to flag and protect United States-owned global e-commerce.
  • Create predictive, not reactive, security and intrusion detection mechanisms to avert criminal misappropriation, cyber terrorism and foreign adversary attacks, in such a way as to preserve and protect constitutionally guaranteed freedoms.
  • Create the first Virtual Organization for a Commerce Attack Response Team (CART).
  • Create tools and methodologies to determine origination, transit path, and destination of critical electronic commerce transactions: TranSource (transactional sourcing).

7
CART
  • In today's environment it is important to understand that our adversaries have many targets: Command and Control, Critical Infrastructure, Information Infrastructure and Financial Infrastructure.
  • CART seeks to prevent adversaries from gaining advantage through cyber theft of commerce and transactional data, or from destroying commerce as leverage for political objectives.

8
TranSource
  • Tracking the source, transit, and destination of transactions allows governments and financial institutions to assess, mitigate, and assign risk.
  • Continuously monitor and immediately determine any change in the validity of a critical transaction.
  • Route invalid transactions through special procedures and authentication to prevent unintended automatic transfer of funds.

9
Hypothesis
A system built on Virtual Organizations, Autonomic Smart Agents, and Anomaly Detection naturally maps into a distributed, defendable cyber space, and will be more effective for engaging in defensive information operations than the current systems/frameworks that exist, are under development, or are under consideration at the present time (as anomaly detection matures).
10
Short Term Objectives
  • Demonstrate a Cyber Defense capability that is:
  • - Capable of improved intrusion detection and warning through anomaly detection, active sensor cross-cueing, and autonomic tracing
  • - Able to provide limited autonomic attack response (attack path blocking, flood attack flow limitation, and target illumination) as a first line of defense
  • - Able to provide distributed virtual cyber defense coordination to manage autonomic responses, mobilize IA reserves, and assist corporations, localities, Federal Agencies, users and stewards of the Global Information Grid
  • - A precursor to offensive response

11
Short Term Objectives
  • Demonstrate a Cyber Defense capability:
  • - Provide the first massively distributed cyber defense capability that maps to the cyber battle space
  • - Scale it linearly from the laboratory to the National Information Infrastructure (NII) and then to the Global Information Grid

12
Relevant Structures, Policy and Virtual IA
Organization Background
  • SPACECOM, effective 1 October 1999, is responsible for U.S. Military Computer Network Defense and will begin to publicly conduct the Military Computer Network Attack mission effective 1 October 2000 (with a lot of help from STRATCOM).
  • DISA, NSA and SPACECOM have been exploring and modeling feasible strategies for limited isolation of NIPRnet when under severe attack.
  • The Reserve Component Employment Study 2005 called for the formation of a "joint reserve component virtual information operations organization" and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.

13
Global Information Grid: 5 Classes of Potential Cyber Attacks
[Diagram of the GIG (CONUS and OCONUS Internet/public ATM infrastructure, gateway routers and switches, Joint Staff, CINC, intel centers, camps/posts/stations, log support depots, intermediate support bases, service components, deployed warfighters, continental U.S. and theater infrastructure reachback) annotated with the five attack classes: insider attacks; hardware/software distribution attacks; passive intercept attacks; active network-based attacks; close-in network-based attacks. Effects: exploitation, disruption, denial, deception. Patterns: one-to-many, many-to-one, many-to-many.]
Must focus on continuity of MISSION CRITICAL information and applications.
14
Global Information Grid: Existing IA Centers
[The same GIG diagram overlaid with the existing IA centers: NIPC, DoD CERT, NSA, JTF-CND, IA Centers of Excellence, GNOSC, IA Reserve Units, Service CERTs, RCERT, Service IWCs, RNOSC, TCCC, JCCC. Key: centers for the monitoring and protection of Joint and Services capabilities on the Global Information Grid (GIG).]
Note: Bastion Defense (e.g., firewalls) at all sites.
15
How the intrusion detection response process works today
[Timeline diagram. A priori protection advisories: IAVA (Info Assurance Vulnerability Assessment), assessment and recovery determination by IA experts, publication through the IAVA process, recommended repair actions, installation of protect mechanisms (e.g., anti-virus). Event path: suspected intrusion event detection; local assessment, containment and recovery actions; regional reporting and assessment; Services/GNOSC reporting; JTF-CND/CERT warning to GIG users; strategic warning. Event damage propagates (e.g., the I Love You virus) to other sites along the attack path; unrepaired events repropagate, so only some attacks are averted.]
16
The Requirement
  • Understand the Cyber Battlespace
  • - At once instantaneous and time-extended
  • - At once local and global
  • Develop Cyber Defensive Tools and the Culture to match
  • - Provide a carefully limited, autonomic response as close to the sources of the action as possible
  • - Detect anomalies in the critical data and functions that we wish to assure, and respond
  • - Cueing/cross-cueing, attacker ID, path tracing, target illumination correlation, honey pot diversion, attack rate limiting or blocking within the protected enclave
  • Develop a CONOPS to bring decision makers into the detection, localization and containment process faster

Technical Revolutions - Technology, Concepts,
Organizations.
17
Advanced Technologies and Concepts to Support the Active National Information Infrastructure Intrusion Defense Requirement
  • Detection Sensing Techniques
  • - State of Practice: Signature Matching (e.g., I Love You and Melissa) and Breaches of Policy (e.g., illegal log-in, port scanning, or route tracing)
  • - State of the Art: Anomaly Detection (as technology matures)
  • Agent-based Intrusion Detection and Isolation
  • Network Priority Multicast for ALERTS
  • Controlled Autonomic Response
  • Virtual (IA) Organization (VO) for Rapid GIG Augmentation by Reservists and IA Centers of Excellence
  • - Virtual Training of IA Operators (e.g., Red Team Gaming)
  • - Rapid Call-Up of IA Experts into VO
  • - Collaboration on intrusion response strategies and on real-time responses
  • - Common Cyber Defensive Warfare Toolbox and CONOPS

18
Advanced Concept: the To-Be Example Process
[Diagram only.]
19
Advanced Concept: the To-Be Functions
[Timeline diagram with the same layout as slide 15 but less elapsed time. A priori protection advisories: IAVA (Info Assurance Vulnerability Assessment), deep trend analysis, visualization, training, repository, GII/NII coordination, installation of protect mechanisms (e.g., anti-virus). Event path: global distributed sensor families (patterns, policy, anomalies) detect the suspected intrusion event; global distributed agent families invoke experts, visualize, illuminate and react; assessment and reaction by the Virtual IA Team; damage recovery by the Virtual IA Team. Outcome: attacks averted at other sites along the attack path, propagation averted, unrepaired repropagation averted.]
20
Virtual Organization: Techniques and Technologies
[Diagram: QoS-capable, multicast network augmentation of the GIG linking the Joint Info Operations Center, Joint and Services Ops Security Centers, Joint and Services CERTs, IA Centers of Excellence and IA Reserve Units, with IA Event Capture/Replay, a Cyber Warfare Toolbox and Red Teaming.]
  • Virtual Training of IA Operators (e.g., Red Team Gaming)
  • Rapid Call-Up of IA Experts into VO
  • Collaboration on intrusion response strategies and on real-time responses
  • Common Cyber Warfare Toolbox and CONOPS
21
State of the Research: Intrusion Detection and Isolation Technologies
[Diagram: Agent Framework, CDIF, path tables, Jini / CoAbs.]
  • Common Detection Intrusion Framework (CDIF)
  • - Intrusion Detection Isolation Protocol (IDIP)
  • - Sensor agent initiation of trace, flow limitation, and flow blocking messages
  • - Discovery Coordinator for human intervention
  • - Vendor implementations
  • Jini/Cooperative Agent Based Systems (CoAbs)
  • - Emerging commercial framework for information resources visibility management
  • HYPER AGENTS
  • - Detection, Identification, Localization, Correlation, Dissemination, Engagement, and Battle Damage Assessment
22
Common Detection Intrusion Framework (CDIF)
Secure Multicast Intrusion Detection Isolation
Protocol (IDIP)
  • Framework for multi-vendor Intrusion Detection
    system interoperability
  • Framework for inter-sensor, autonomic response
  • Several significant vendors have implemented
    IDIP-compliant products

23
Agent based frameworks
  • Sensor agents extract and assemble data elements from information system components (e.g., routers, firewalls, ID systems, hosts)
  • Analysis agents process data into useful, assembled information
  • Visualization agents provide network, IA and IDM monitoring to enterprise managers
  • The agent architecture can support the addition of plug-ins for response coordination and execution

24
Operational System Model
  • Operational Model
  • - Clusters of responders constituted dynamically in response to critical missions and events
  • - Rapid, informal communication to augment traditional hierarchical reporting. Damage can occur in seconds to minutes.
  • - The cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace
  • System Model
  • - Virtual shared dataspaces constituted dynamically to share intrusion data, assessment, trace info, and system status
  • - Distributed smart agents for detection, analysis, agent-to-agent notification, and reaction, enabled for first response to multiple, simultaneous attacks
  • - Remote sensors, including present sensor systems plus anomaly-based sensors, with the capability to act as response agents

[Diagram labels: rapid response, anomaly detection, autonomic response, immediate response; critical systems, critical information, critical networks.]
25
The Operational Model
  • Virtual Organizations (VOs)
  • - Constituted dynamically in response to critical missions
  • - Rapid communication among distributed members vs. hierarchical reporting
  • - Damage can occur in seconds to minutes
  • Characterized by Rapid Reaction/Response
  • - Detection, analysis, prediction and reaction
  • - VO culture and training needed for rapid response (CONOPS)
  • - A cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace

26
System Model
  • Virtual Shared Dataspaces
  • - Constituted dynamically in response to critical missions
  • Distributed smart agents
  • - Detection, analysis, and reaction
  • - Agent-to-agent notification / smart push
  • - Real-time publishing, subscription, and pull among distributed processes and humans
  • Remote Sensors
  • - Anomaly-based detection augmented by signature-based detection

[Diagram label: Alert.]
27
Virtual Organization Components
[Diagram labels: dynamic; specifications for interfaces; processes/players.]
28
Technical Assumptions - MOEs and MOPs
  • Semi-autonomous agents can detect and provide valid first-response actions in real time to adversarial behavior in distributed information systems
  • - including attacks for which the system has not been primed,
  • - while keeping the number of false alerts that require human intervention to fewer than 25 percent,
  • - and the resistance to multiple, simultaneous attacks will be much greater than when relying on local plus limited centralized resources

[Response-time diagram (to-be system vs. as-is systems), measured from the detected event: DETECT -> ALERT NEIGHBORS / VO and ALERT CERT -> DISTRIBUTED CORRELATION, AUTO RESPONSE -> ANALYSIS: VALIDATION OF FIRST RESPONSE -> DECISION: FURTHER VO ANALYSIS, SEND ALERTS -> ACT: VO VALIDATE OR NEGATE RESPONSE / ACT.]
[Charts of percentage of valid alarms and percentage of false alarms against number of simultaneous attacks (1, 10, 100); to-be system solid line, as-is system dotted line. Annotations: "Increase number of valid detections even under heavy attack by monitoring system anomalies"; "Cope with barrage of false alarms under heavy attack".]
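As an added illustration that is not part of the presentation or of any program it names, here is a small Python model of the agent pipeline on slides 23, 26 and 28: sensor agents assemble per-source data, three sensor families (signature, rate anomaly, volume anomaly) raise cues, an analysis agent cross-cues them so that only multi-sensor agreement triggers a limited autonomic response while lone cues go to the Discovery Coordinator, and the share of alerts still needing a human is computed against the 25 percent figure. All traffic records, thresholds and the "flow_limit" action name are constructed assumptions.

```python
"""Constructed toy model of the cross-cued agent pipeline on slides 23-28: sensor
agents assemble per-source data, three sensor families raise cues, an analysis
agent cross-cues them, and lone cues go to the Discovery Coordinator."""
from collections import Counter, defaultdict

# Constructed records: (source, destination_port, bytes). NORMAL is the learned
# baseline window; OBSERVED adds two attacks and one benign burst to it.
NORMAL = [("10.1.1.%d" % (10 + i % 5), 443, 1500) for i in range(50)]
SCAN = [("192.0.2.7", port, 60) for port in range(20, 45)]    # 25-port sweep
FLOOD = [("203.0.113.9", 80, 9000) for _ in range(40)]         # volumetric flood
BURST = [("10.1.1.12", 8080, 3000) for _ in range(8)]          # benign backup burst
OBSERVED = NORMAL + SCAN + FLOOD + BURST
SCAN_PORTS = 10   # signature rule: this many distinct ports from one source

def per_source(records):
    """Sensor agent: assemble per-source connection count, byte volume, port set."""
    conns, volume, ports = Counter(), Counter(), defaultdict(set)
    for src, port, nbytes in records:
        conns[src] += 1
        volume[src] += nbytes
        ports[src].add(port)
    return conns, volume, ports

def sensor_cues(records, baseline):
    """Three sensor families. The two anomaly rules flag a source whose count or
    volume exceeds twice the largest single-source value seen in the baseline."""
    b_conns, b_vol, _ = per_source(baseline)
    conns, volume, ports = per_source(records)
    cues = defaultdict(set)
    for src in conns:
        if len(ports[src]) >= SCAN_PORTS:
            cues[src].add("signature")
        if conns[src] > 2 * max(b_conns.values()):
            cues[src].add("rate_anomaly")
        if volume[src] > 2 * max(b_vol.values()):
            cues[src].add("volume_anomaly")
    return dict(cues)

def analysis_agent(cues):
    """Cross-cueing: two independent sensor families agreeing on one source is
    enough for a limited autonomic response (flow limit inside the enclave);
    a lone cue becomes an alert for the Discovery Coordinator to validate."""
    return {src: "autonomic:flow_limit" if len(fams) >= 2 else "human:validate"
            for src, fams in cues.items()}

def human_intervention_rate(decisions):
    """MOP from slide 28: share of alerts that still need a human (target < 25%)."""
    need_human = sum(1 for d in decisions.values() if d.startswith("human"))
    return need_human / len(decisions) if decisions else 0.0

if __name__ == "__main__":
    decisions = analysis_agent(sensor_cues(OBSERVED, NORMAL))
    for src, action in sorted(decisions.items()):
        print(src, action)
    print("alerts needing a human: %.0f%%" % (100 * human_intervention_rate(decisions)))
```

On this constructed window the scan and the flood are each cued by two families and get the autonomic flow limit, the benign burst is cued by volume alone and goes to a human, so one alert in three (33 percent) still needs a person, above the slide's 25 percent target.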
29
Risks
  • Technology
  • - Low to Medium
  • Development of CONOPS
  • - Low
  • Acceptance of New Inter-Organizational Coordination Concepts
  • - Medium to Medium-High

[Slide annotations: "for acceptable operational payoff"; "for best operational payoff".]
30
Approach Demonstration
[Diagram labels: JTF-CND / GNOSC; USCINCSPACE, NSA, R-CERT Scott; TBD Centers of Excellence; CERT Augmentation Reserve Units; GCCS sites; GMC.]
  • Instrument a portion of the NII configuration with autonomic sensors
  • Employ a clone version on backbone networks for first demos
  • Employ IA Reserve Units as the initial Virtual IA organization
  • Add capability to JTF-CND and NIPC annually
31
Demos, Residuals and Transition
  • DEVELOPMENT UTILITY ASSESSMENT
  • - FY01: Agent Framework Component Correlation Demonstration; constitute VO dynamically
  • - FY02: Autonomic Trace Demonstration (Intrusion Framework Integrated); exercise VO CONOPS
  • - FY03: Autonomic Response Demonstration; exercise VO CONOPS
  • LEAVE BEHIND
  • - Interim capability for CART, JTF-CND, NIPC, NSA, Department of Energy, IA Reserve Units and others

32
Summary
CART will demonstrate significant reduction in response time and damage propagation for Cyber Warfare attacks on the Commercial NII through:
  • Improved intrusion detection and warning by anomaly detection, active sensor cueing/cross-cueing, and autonomic tracing
  • Limited autonomic attack response (attack path blocking, flood attack flow limitation, target illumination) as a first line of defense
  • Distributed virtual cyber defense coordination to manage autonomic responses, mobilize IA reserves, and assist localities, Federal Agencies, users and stewards of the NII
CART will provide the first massively distributed cyber defense capability that maps to the cyber battle space and scales linearly from the laboratory to the NII.