Title: Defensive Information Warfare Active National Information Infrastructure Intrusion Defense
Slide 1: Defensive Information Warfare: Active National Information Infrastructure Intrusion Defense
Slide 2: Don R. Smith, 402.203.3184, Nelsonah_at_GlobeTranz.com
Slide 3: "War is an act of violence based upon irreconcilable disagreement." (FMFM 1, Warfighting)
- The violence need not be physical.
- It is fought on the physical, cybernetic, and moral levels.
- This is a departure from a pure Clausewitzian view.
- Information Age warfare requires leaders, sensors, processors, transmitters, information and shooters.
- IW targets leaders, sensors, processors, transmitters, information and shooters.
Slide 4: "...moral forces exert a greater influence on the nature and outcome of war than do physical." (FMFM 1, Warfighting)
- "Any view of the nature of war would hardly be accurate or complete without consideration of the effects of danger, fear, exhaustion, and privation on those who must endure the fighting."
Slide 5: National Need
- There have been several embarrassingly simple attacks that have resulted in significant damage, which show that the current approaches are not adequate.
- There is reason to believe that both criminal elements and our national adversaries view this area as a highly cost-effective way of confronting the U.S. without coming into direct contact with U.S. legal, political, and military power.
- The role of Information Technology (IT) in supporting key economic, political and military operations becomes continually more critical, which simultaneously creates a new battle space that in many ways is different from traditional battle spaces.
- Consequently, it is urgent to explore organizational adjustments and structures, policies, concepts of operations, and technologies to address this new form of national competition.
Slide 6: Long Term National Objectives
- Develop technologies, policies and procedures for the Secret Service, FBI, Department of Commerce, SPACECOM, the JTF-CND, and NSA to create the ability to flag and protect United States owned global e-commerce.
- Create predictive, not reactive, security intrusion and detection mechanisms to avert criminal misappropriation, cyber terrorism and foreign adversary attacks, in such a way as to preserve and protect constitutionally guaranteed freedoms.
- Create the first Virtual Organization for a Commerce Attack Response Team (CART).
- Create tools and methodologies to determine origination, transit path, and destination of critical electronic commerce transactions: TranSource (transactional sourcing).
Slide 7: CART
- In today's environment it is important to understand that our adversaries have many targets: Command and Control, Critical Infrastructure, Information Infrastructure and Financial Infrastructure.
- CART seeks to prevent adversaries from gaining advantage through cyber theft of commerce and transactional data, or from destroying commerce as leverage for political objectives.
Slide 8: TranSource
- Tracking the source, transit, and destination of transactions allows governments and financial institutions to assess, mitigate, and assign risk.
- Continuously monitor and immediately determine any change in the validity of a critical transaction.
- Route these invalid transactions through special procedures and authentication to prevent unintended automatic transfer of funds.
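The three TranSource bullets describe a monitoring loop: keep a record of where critical transactions come from, pass through and go to; re-check each new transaction against that record; and divert anything that no longer looks valid into a special authentication path instead of letting it auto-transfer. The following is an added illustration of that loop and is not the CART or TranSource project's own code. It assumes that each transaction exposes its origin, an ordered transit path and its destination, that a per-pair baseline of previously authenticated paths and amounts is available, and that the hold threshold (twice the prior maximum amount) is a policy choice; the institutions and transactions are constructed sample data.

```python
"""Illustrative TranSource-style routing check (added example, not the project's code).

Assumptions: each critical transaction carries an origin, an ordered transit path and a
destination; a per-pair baseline holds the transit paths and amounts that special
authentication has previously confirmed. A transaction whose routing or amount departs
from its baseline is not dropped: it is held for special authentication instead of
being released to automatic transfer, as the slide describes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    origin: str        # originating institution or network
    transit: tuple     # ordered intermediate hops (assumed to be observable)
    destination: str   # receiving institution
    amount: float


@dataclass
class Baseline:
    """Confirmed routing history for one (origin, destination) pair."""
    known_paths: set = field(default_factory=set)
    max_amount: float = 0.0


class TranSource:
    def __init__(self, amount_factor: float = 2.0):
        self.amount_factor = amount_factor   # assumed tolerance over the prior maximum
        self.baselines = {}
        self.held = []       # (transaction, reasons) awaiting special authentication
        self.released = []   # transactions cleared for automatic transfer

    def learn(self, t: Transaction) -> None:
        """Record a transaction that special authentication confirmed as legitimate."""
        base = self.baselines.setdefault((t.origin, t.destination), Baseline())
        base.known_paths.add(t.transit)
        base.max_amount = max(base.max_amount, t.amount)

    def assess(self, t: Transaction) -> list:
        """Reasons the transaction is no longer considered valid; empty means valid."""
        base = self.baselines.get((t.origin, t.destination))
        if base is None:
            return ["unknown origin/destination pair"]
        reasons = []
        if t.transit not in base.known_paths:
            reasons.append("transit path differs from validated paths")
        if t.amount > base.max_amount * self.amount_factor:
            reasons.append("amount exceeds %.1fx prior maximum" % self.amount_factor)
        return reasons

    def route(self, t: Transaction) -> str:
        """Continuous monitoring step: release valid transactions, hold the rest."""
        reasons = self.assess(t)
        if reasons:
            self.held.append((t, reasons))
            return "HOLD"
        self.released.append(t)
        return "RELEASE"


# Constructed sample data (not real institutions or transactions).
NORMAL_PATH = ("RouterX", "ClearingHouse")
CONFIRMED_HISTORY = [
    Transaction("T1", "BankA", NORMAL_PATH, "BankB", 1000.0),
    Transaction("T2", "BankA", NORMAL_PATH, "BankB", 1500.0),
]
INCOMING = [
    Transaction("T3", "BankA", NORMAL_PATH, "BankB", 1200.0),                                   # as before
    Transaction("T4", "BankA", ("RouterX", "UnknownRelay", "ClearingHouse"), "BankB", 1200.0),  # new hop
    Transaction("T5", "BankA", NORMAL_PATH, "BankB", 10000.0),                                  # amount jump
    Transaction("T6", "BankA", NORMAL_PATH, "BankC", 900.0),                                    # new destination
]


def run_demo():
    """Returns the routing decision per transaction id and the monitor state."""
    monitor = TranSource()
    for t in CONFIRMED_HISTORY:
        monitor.learn(t)
    decisions = {t.txn_id: monitor.route(t) for t in INCOMING}
    return decisions, monitor


if __name__ == "__main__":
    decisions, monitor = run_demo()
    for t, reasons in monitor.held:
        print(t.txn_id, "held:", "; ".join(reasons))
    print(decisions)
```

The design point is that a routing change is a reason to hold, not to reject: the held queue is the "special procedures and authentication" path, and a transaction that passes it is fed back through `learn()` so the baseline tracks legitimate change rather than freezing the first path ever seen.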
Slide 9: Hypothesis
A system built on Virtual Organizations, Autonomic Smart Agents, and Anomaly Detection naturally maps into a distributed, defendable cyber space, and will be more effective for engaging in defensive information operations than the current systems/frameworks that exist, are under development, or are under consideration at the present time. (As anomaly detection matures.)
Slide 10: Short Term Objectives
- Demonstrate a Cyber Defense capability that:
  - Is capable of improved intrusion detection and warning through anomaly detection, active sensor cross-cueing, and autonomic tracing
  - Provides the capability for limited autonomic attack response (attack path blocking, flood attack flow limitation, and target illumination) as a first line of defense
  - Provides for operation of distributed virtual cyber defense coordination to manage autonomic responses, mobilize IA reserves, and assist corporations, localities, Federal Agencies, users and stewards of the Global Information Grid
  - Is a precursor to offensive response
Slide 11: Short Term Objectives
- Demonstrate a Cyber Defense capability
  - Provide the first massively distributed cyber defense capability that maps to the cyber battle space
  - Scale it linearly from the laboratory to the National Information Infrastructure (NII) and then to the Global Information Grid
Slide 12: Relevant Structures, Policy and Virtual IA Organization Background
- SPACECOM, effective 1 October 1999, is responsible for U.S. Military Computer Network Defense and will begin to publicly conduct the Military Computer Network Attack mission effective 1 October 2000 (with a lot of help from STRATCOM).
- DISA, NSA and SPACECOM have been exploring and modeling feasible strategies for limited isolation of NIPRnet when under severe attack.
- The Reserve Component Employment Study 2005 called for the formation of a "joint reserve component virtual information operations organization" and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.
Slide 13: Global Information Grid: 5 Classes of Potential Cyber Attacks
[Diagram of the Global Information Grid (GII; CONUS and theater infrastructure reachback; Joint Staff; Intel Centers; CINC; service components; camps, posts and stations; deployed warfighters; log support depots; intermediate support bases; CONUS and OCONUS Internet / public ATM infrastructure; gateway routers and switches), annotated with the five attack classes and where on the grid each applies:]
- Insider attacks
- Hardware and software distribution attacks
- Passive intercept attacks
- Active network-based attacks
- Close-in network-based attacks
Effects: exploitation, disruption, denial, deception. Patterns: one-to-many, many-to-one, many-to-many.
Must focus on continuity of MISSION CRITICAL information and applications.
Slide 14: Global Information Grid: Existing IA Centers
[Same GIG diagram as slide 13, annotated with the existing IA centers: NIPC, DoD CERT, NSA, JTF-CND, IA Centers of Excellence, GNOSC, IA Reserve Units, Intel Centers, Service CERTs, RCERT, Service IWCs, RNOSC, TCCC, JCCC.]
Key: XXXX marks centers for the monitoring and protection of Joint and Services capabilities on the Global Information Grid (GIG).
Note: bastion defense (e.g., firewalls) at all sites.
Slide 15: How the intrusion detection response process works today
[Timeline diagram; time runs along the horizontal axis. Its labels, grouped by role:]
- Event: suspected intrusion event detection; event damage propagation (e.g., I Love You virus) to other sites along the attack path; unrepaired event repropagation; attacks.
- Local actions: local assessment; local containment actions; local recovery actions; install protect mechanisms (e.g., anti-virus).
- Reporting chain: regional reporting and assessment; Services / GNOSC reporting; assessment and recovery determination by IA experts; publish through the IAVA (Info Assurance Vulnerability Assessment) process.
- Products: a priori protection advisories; recommended repair actions; strategic warning; JTF-CND / CERT warning to GIG users.
- Outcome: attacks averted.
Slide 16: The Requirement
- Understand the Cyber Battlespace
  - At once instantaneous and time-extended
  - Local and global
- Develop cyber defensive tools and the culture to match
  - Provide a carefully limited, autonomic response as close to the sources of the action as possible
  - Detect anomalies in the critical data and functions that we wish to assure, and respond
  - Cueing/cross-cueing, attacker ID, path tracing, target illumination correlation, honey pot diversion, attack rate limiting or blocking within the protected enclave
  - Develop a CONOPS to bring decision makers into the detection, localization and containment process faster
Technical revolutions: technology, concepts, organizations.
Slide 17: Advanced Technologies and Concepts to Support the Active National Information Infrastructure Intrusion Defense Requirement
- Detection sensing techniques
  - State of practice: signature matching (e.g., I Love You and Melissa) and breaches of policy (e.g., illegal log-in, port scanning, or route tracing)
  - State of the art: anomaly detection (as technology matures)
- Agent-based intrusion detection and isolation
- Network priority multicast for alerts
- Controlled autonomic response
- Virtual (IA) Organization (VO) for rapid GIG augmentation by Reservists and IA Centers of Excellence
  - Virtual training of IA operators (e.g., Red Team gaming)
  - Rapid call-up of IA experts into the VO
  - Collaboration on intrusion response strategies and on real-time responses
  - Common Cyber Defensive Warfare Toolbox and CONOPS
Slide 18: Advanced Concept: the To-Be Example Process
Slide 19: Advanced Concept: the To-Be Functions
[Timeline diagram, taking "less time" than the as-is process on slide 15. Its labels, grouped by role:]
- Event: suspected intrusion event detection; other sites along the attack path; attacks.
- Global distributed sensor families: patterns, policy, anomalies.
- Global distributed agent families: invoke experts, visualize, illumination, react.
- Virtual IA team: assessment and reaction; damage recovery; install protect mechanisms (e.g., anti-virus).
- Supporting functions: deep trend analysis; IAVA (Info Assurance Vulnerability Assessment); visualization; training; repository; GII/NII coordination.
- Products: a priori protection advisories.
- Outcomes: attacks averted; propagation averted; unrepaired repropagation averted.
Slide 20: Virtual Organization: Techniques and Technologies
[Diagram: a QoS-capable, multicast network augmentation of the GIG linking the Joint Info Operations Center, Joint and Services Ops Security Ctrs, Joint and Services CERTs, IA Centers of Excellence and IA Reserve Units, supported by IA event capture/replay, a Cyber Warfare Toolbox and Red Teaming.]
- Virtual training of IA operators (e.g., Red Team gaming)
- Rapid call-up of IA experts into the VO
- Collaboration on intrusion response strategies and on real-time responses
- Common Cyber Warfare Toolbox and CONOPS
Slide 21: State of the Research: Intrusion Detection and Isolation Technologies
[Diagram: Agent Framework built from CDIF, path tables and Jini / CoAbs components.]
- Common Detection Intrusion Framework (CDIF)
  - Intrusion Detection Isolation Protocol (IDIP)
  - Sensor agent initiation of trace, flow limitation and flow blocking messages
  - Discovery Coordinator for human intervention
  - Vendor implementations
- Jini / Cooperative Agent Based Systems (CoAbs)
  - Emerging commercial framework for information resources visibility management
- Hyper Agents
  - Detection, identification, localization, correlation, dissemination, engagement, and battle damage assessment
Slide 22: Common Detection Intrusion Framework (CDIF): Secure Multicast Intrusion Detection Isolation Protocol (IDIP)
- Framework for multi-vendor intrusion detection system interoperability
- Framework for inter-sensor, autonomic response
- Several significant vendors have implemented IDIP-compliant products
Slide 23: Agent-based frameworks
- Sensor agents extract and assemble data elements from information system components (e.g., routers, firewalls, ID systems, hosts)
- Analysis agents process the data into useful, assembled information
- Visualization agents provide network, IA and IDM monitoring to enterprise managers
- The agent architecture can support the addition of plug-ins for response coordination and execution
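Slides 21 to 23 describe a division of labour (sensor agents feeding analysis agents, a visualization layer for managers, and a response plug-in that can raise IDIP-style trace, flow-limitation and blocking messages, with a Discovery Coordinator for human intervention) without showing how the pieces fit. The following is an added illustration of that pipeline written for this page; it is not CDIF, IDIP, Jini/CoAbs or any vendor's code. The record formats, the `TRACE` / `FLOW_LIMIT` / `BLOCK` message names, the flow-rate threshold and the escalation rule (trace autonomically, queue anything stronger for the human coordinator) are all assumptions, and the log lines are constructed sample data.

```python
"""Illustrative agent-based detection and isolation pipeline (added example; not
CDIF, IDIP, Jini/CoAbs or any vendor's code). Sensor agents extract data elements
from routers, firewalls, ID systems and hosts; an analysis agent cross-cues the same
source address across independent sensor families; a visualization agent summarises
for managers; a response plug-in emits IDIP-style messages, with anything beyond a
trace queued for the human Discovery Coordinator. Formats, names and thresholds are
assumptions; all records below are constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass

ROUTER_NETFLOW = [
    "src=203.0.113.7 dst=192.0.2.10 dport=22 flows=180",
    "src=198.51.100.4 dst=192.0.2.11 dport=443 flows=3",
    "src=203.0.113.7 dst=192.0.2.12 dport=22 flows=220",
    "src=198.51.100.23 dst=192.0.2.53 dport=53 flows=150",
]
FIREWALL_LOG = [
    "DENY src=203.0.113.7 dst=192.0.2.13 dport=22",
    "DENY src=203.0.113.7 dst=192.0.2.14 dport=22",
    "ALLOW src=198.51.100.4 dst=192.0.2.11 dport=443",
    "DENY src=198.51.100.23 dst=192.0.2.54 dport=53",
]
HOST_AUTH_LOG = [
    "sshd: Failed password for root from 203.0.113.7",
    "sshd: Failed password for admin from 203.0.113.7",
    "sshd: Accepted publickey for ops from 198.51.100.9",
]
IDS_ALERTS = ["alert: SSH brute force src=203.0.113.7"]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FLOW_THRESHOLD = 100   # assumed flows-per-interval cut-off for the router sensor


@dataclass(frozen=True)
class DataElement:
    sensor: str   # component family that produced it
    src: str      # attributed source address
    kind: str     # event class


def _kv(line):
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def router_sensor(lines):
    return [DataElement("router", f["src"], "high_flow_rate")
            for f in map(_kv, lines) if int(f["flows"]) >= FLOW_THRESHOLD]

def firewall_sensor(lines):
    return [DataElement("firewall", _kv(l)["src"], "denied")
            for l in lines if l.startswith("DENY")]

def host_sensor(lines):
    return [DataElement("host", IPV4.search(l).group(1), "auth_failure")
            for l in lines if "Failed password" in l and IPV4.search(l)]

def ids_sensor(lines):
    return [DataElement("ids", IPV4.search(l).group(1), "signature")
            for l in lines if IPV4.search(l)]

def analysis_agent(elements):
    """Cross-cue: which independent sensor families implicate each source address."""
    by_src = defaultdict(set)
    for e in elements:
        by_src[e.src].add(e.sensor)
    return {src: sorted(fams) for src, fams in by_src.items()}

def response_plugin(correlated):
    """Escalate with the number of corroborating families. A trace is issued
    autonomically; flow limiting and blocking wait for the Discovery Coordinator."""
    autonomic, for_coordinator = [], []
    for src, fams in correlated.items():
        if len(fams) >= 3:
            autonomic.append(("TRACE", src))
            for_coordinator.append(("BLOCK", src))
        elif len(fams) == 2:
            autonomic.append(("TRACE", src))
            for_coordinator.append(("FLOW_LIMIT", src))
    return autonomic, for_coordinator

def visualization_agent(correlated, autonomic, for_coordinator):
    """One line per source for an enterprise manager's console."""
    pending = {src: msg for msg, src in for_coordinator}
    return ["%s: sensors=%s auto=%s pending=%s" % (
                src, ",".join(fams),
                "TRACE" if ("TRACE", src) in autonomic else "none",
                pending.get(src, "none"))
            for src, fams in correlated.items()]

def run_pipeline():
    elements = (router_sensor(ROUTER_NETFLOW) + firewall_sensor(FIREWALL_LOG)
                + host_sensor(HOST_AUTH_LOG) + ids_sensor(IDS_ALERTS))
    correlated = analysis_agent(elements)
    autonomic, for_coordinator = response_plugin(correlated)
    return correlated, autonomic, for_coordinator


if __name__ == "__main__":
    print("\n".join(visualization_agent(*run_pipeline())))
```

The point the slides make about cross-cueing shows up in the counts: a source seen by only one family (the router's low-rate flow, the host's accepted login) never reaches the response plug-in, while a source corroborated by four independent families is traced at once and queued for blocking, so the autonomic action stays at the "carefully limited" level the requirement calls for.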
Slide 24: Operational System Model
- Operational Model
  - Clusters of responders constituted dynamically in response to critical missions and events
  - Rapid, informal communication to augment traditional hierarchical reporting; damage can occur in seconds to minutes
  - The cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace
- System Model
  - Virtual shared dataspaces constituted dynamically to share intrusion data, assessment, trace info and system status
  - Distributed smart agents for detection, analysis, agent-to-agent notification and reaction, enabled for first response to multiple, simultaneous attacks
  - Remote sensors to include present sensor systems, plus anomaly-based sensors and the capability to act as response agents
[Diagram labels: rapid response, anomaly detection, autonomic response, immediate response; critical systems, critical information, critical networks.]
Slide 25: The Operational Model
- Virtual Organizations (VOs)
  - Constituted dynamically in response to critical missions
  - Rapid communication among distributed members vs. hierarchical reporting
  - Damage can occur in seconds to minutes
- Characterized by rapid reaction/response
  - Detection, analysis, prediction and reaction
  - VO culture and training needed for rapid response (CONOPS)
  - A cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace
Slide 26: System Model
- Virtual shared dataspaces
  - Constituted dynamically in response to critical missions
- Distributed smart agents
  - Detection, analysis, and reaction
  - Agent-to-agent notification / smart push
  - Real-time publishing, subscription and pull among distributed processes and humans
- Remote sensors
  - Anomaly-based, augmented by signature-based detection
[Diagram label: Alert]
Slide 27: Virtual Organization Components
[Diagram labels: dynamic; specifications for interfaces; processes/players.]
Slide 28: Technical Assumptions: MOEs and MOPs
- Semi-autonomous agents can detect and provide valid first-response actions in real time to adversarial behavior in distributed information systems
  - ... including attacks for which the system has not been primed,
  - ... while keeping the number of false alerts that require human intervention to fewer than 25 percent,
  - ... and the resistance to multiple, simultaneous attacks will be much greater than when relying on local plus limited centralized resources
[Chart 1: response time from detected event, to-be system vs. as-is systems. Stages shown: DETECT; ALERT NEIGHBORS / VO; ALERT CERT; DISTRIB CORRELATION AUTO RESPONSE; ANALYSIS; VALIDATION OF FIRST RESPONSE; DECISION; FURTHER VO ANALYSIS; SEND ALERTS; VO VALIDATE OR NEGATE RESPONSE / ACT; ACT.]
[Charts 2 and 3: percentage of valid alarms and percentage of false alarms versus number of simultaneous attacks (1, 10, 100); legend: to-be system solid line, as-is system dotted line. Annotations: "Increase number of valid detections even under heavy attack by monitoring system anomalies" and "Cope with barrage of false alarms under heavy attack".]
Slide 29: Risks
- Technology: Low to Medium
- Development of CONOPS: Low
- Acceptance of new inter-organizational coordination concepts: Medium (for acceptable operational payoff) to Medium-High (for best operational payoff)
Slide 30: Approach / Demonstration
[Diagram of demonstration participants: JTF-CND / GNOSC; USCINCSPACE, NSA, R-CERT Scott; Centers of Excellence (TBD); CERT augmentation by Reserve Units; GCCS sites; GMC.]
- Instrument a portion of the NII configuration with autonomic sensors
- Employ on a clone version on backbone networks for first demos
- Employ IA Reserve Units as the initial Virtual IA organization
- Add capability to JTF-CND and NIPC annually
Slide 31: Demos, Residuals and Transition
- Development / Utility Assessment
  - FY01: Agent Framework Component Correlation Demonstration; constitute VO dynamically
  - FY02: Autonomic Trace Demonstration (Intrusion Framework integrated); exercise VO CONOPS
  - FY03: Autonomic Response Demonstration; exercise VO CONOPS
- Leave Behind
  - Interim capability for CART, JTF-CND, NIPC, NSA, Department of Energy, IA Reserve Units and others
Slide 32: Summary
CART will demonstrate significant reduction in response time and damage propagation for cyber warfare attacks on the commercial NII through:
- Improved intrusion detection and warning by anomaly detection, active sensor cueing/cross-cueing, and autonomic tracing
- Limited autonomic attack response (attack path blocking, flood attack flow limitation, target illumination) as a first line of defense
- Distributed virtual cyber defense coordination to manage autonomic responses, mobilize IA reserves, and assist localities, Federal Agencies, users and stewards of the NII
CART will provide the first massively distributed cyber defense capability that maps to the cyber battle space and scales linearly from the laboratory to the NII.