Collaborative Threat Mitigation or (Collective Self Defense) by Scott Pinkerton, Argonne National...


Page 1: Collaborative Threat Mitigation or (Collective Self Defense) by Scott Pinkerton, Argonne National Lab

Collaborative Threat Mitigation or (Collective Self Defense)

DOE’s Cyber Fed Model (CFM)

Scott Pinkerton, [email protected]

www.anl.gov/it/cfm

Page 2

Agenda

§ What is DOE’s Cyber Fed Model
§ Subscription vs. participation
§ Relevance & ROI
§ Why are we here?
§ Conclusions & Takeaways
§ Questions

Tech for Security Summit

Page 3

Cyber Fed Model (CFM) is …

§ A near real-time exchange of cyber threat information focused on the reduction and mitigation of cyber security risk across large enterprises
  – Typically every 300 seconds
  – Actionable – blocking
  – Autonomic
  – Highly scalable

Page 4

Structured Threat Information

§ Information shared uses an XML syntax
  – Based upon IODEF (RFC 5070)
  – Looking to support OpenIOC formats in the future for sharing malware information
§ Information focuses on IP, DNS, URL, e-mail, hash strings

Page 5

How Cyber Fed Model (CFM) Works

§ High level: client-server data exchange
§ Reality: central repositories providing access via web service
  – Sites control who can see the data they upload (by PGP key)
  – Sites decide how to use data they download
§ Repository accepts encrypted files on upload
  – Contents may be any format
  – Simply export from a third-party tool, encrypt, and upload
§ Output comes in standardized XML format
  – Allows for predictability
  – Converters can translate to another format
  – Scripts can convert and send to other tools inline
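The "converter" step on this slide (standardized IODEF-style XML in, a site-specific format out) and the caveat on page 13 that blocking the wrong thing is highly disruptive are illustrated by the following added example. It is not CFM's own code or output: the XML layout is loosely modelled on IODEF 1.0 (RFC 5070) and is an assumption about the feed, the sample document is constructed, and the NEVER_BLOCK list stands in for a site's own "do not block" ranges. Base IODEF 1.0 has no hash element, so the example covers the IP, DNS, URL and e-mail indicator types named on page 4 and leaves hashes out.

```python
"""Minimal IODEF-style feed converter (added example, not CFM code).

Reads an IODEF 1.0-like document, pulls out IP / DNS / URL / e-mail
indicators, drops anything a site must never block, and emits a flat
tab-separated list that local tools can consume.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}

# Site-side safeguard (constructed for this example): RFC 1918 space,
# loopback, and the site's own public range (198.51.100.0/24 here) are
# never emitted, because blocking them would be highly disruptive.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "198.51.100.0/24")
]

# Constructed sample document; element layout is an assumption, not CFM output.
SAMPLE_FEED = """
<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="example-site">EX-0001</IncidentID>
    <ReportTime>2013-01-01T00:00:00-00:00</ReportTime>
    <Assessment><Impact type="recon" completion="failed"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example Site SOC</ContactName>
    </Contact>
    <EventData>
      <Flow>
        <System category="source"><Node>
          <NodeName>scanner.example.net</NodeName>
          <Address category="ipv4-addr">203.0.113.7</Address>
        </Node></System>
        <System category="source"><Node>
          <Address category="ipv4-addr">10.0.0.5</Address>
        </Node></System>
        <System category="source"><Node>
          <Address category="ipv4-addr">198.51.100.9</Address>
        </Node></System>
        <System category="source"><Node>
          <Address category="ipv4-addr">not-an-address</Address>
          <Address category="e-mail">phish@example.org</Address>
        </Node></System>
      </Flow>
      <Record><RecordData>
        <RecordItem dtype="url">http://bad.example.org/login.php</RecordItem>
      </RecordData></Record>
    </EventData>
  </Incident>
</IODEF-Document>
"""

Indicator = Tuple[str, str, str, str]  # (kind, value, incident_id, purpose)


def _blockable_ip(text: str, never_block=NEVER_BLOCK) -> bool:
    """True only for a syntactically valid address outside every never-block range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # malformed data in the feed must not reach the blocker
    return not any(addr in net for net in never_block)


def parse_feed(xml_text: str, never_block=NEVER_BLOCK) -> List[Indicator]:
    """Extract deduplicated indicators in document order."""
    root = ET.fromstring(xml_text)
    found: Dict[Indicator, None] = {}  # dict preserves first-seen order and dedupes
    node_tag = "{%s}Node" % NS["iodef"]
    item_tag = "{%s}RecordItem" % NS["iodef"]
    for incident in root.findall("iodef:Incident", NS):
        purpose = incident.get("purpose", "unknown")
        id_el = incident.find("iodef:IncidentID", NS)
        inc_id = (id_el.text or "").strip() if id_el is not None else ""
        for node in incident.iter(node_tag):
            for name in node.findall("iodef:NodeName", NS):
                text = (name.text or "").strip()
                if text:
                    found[("dns", text.lower(), inc_id, purpose)] = None
            for addr in node.findall("iodef:Address", NS):
                text = (addr.text or "").strip()
                cat = addr.get("category", "")
                if cat in ("ipv4-addr", "ipv6-addr") and _blockable_ip(text, never_block):
                    found[("ip", text, inc_id, purpose)] = None
                elif cat == "e-mail" and "@" in text:
                    found[("email", text.lower(), inc_id, purpose)] = None
        for item in incident.iter(item_tag):
            text = (item.text or "").strip()
            if item.get("dtype") == "url" and text:
                found[("url", text, inc_id, purpose)] = None
    return list(found)


def to_tsv(indicators: List[Indicator]) -> str:
    """Flat, predictable output a downstream script can pipe into another tool."""
    lines = ["kind\tvalue\tincident\tpurpose"]
    lines.extend("\t".join(ind) for ind in indicators)
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_tsv(parse_feed(SAMPLE_FEED)))
```

Run as a script, it prints four rows (the hostname, 203.0.113.7, the e-mail address and the URL); the private address, the site's own address and the malformed entry are silently dropped. A site that wants a different output format only needs to replace `to_tsv`, which is the point the slide makes about predictable XML enabling cheap converters.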

Page 6

High Level Architecture

Page 7

Cyber Fed Model (CFM) maximizes local resources

§ Premise based on the idea of local detection and global response
§ Enables an enterprise to focus their limited resources on their most pressing problems
  – Attacks that are occurring on their infrastructure and nowhere else

Page 8

Effective Cyber Security Defense for an Enterprise

§ It continues to be a hard job
§ Doubly so for those supporting critical infrastructure
§ Doesn’t appear to be getting any easier; mostly harder
§ Increasing skill & sophistication of the bad guys; commodity hacking tools

Page 9

DOE’s Cyber Fed Model is not …

§ Optimized for analysis (the transfer of “raw” data)
§ Focused on OS or application advisories (vulnerabilities)
§ Sandboxing or other
§ Shared alerts require someone to first detect the threat

Page 10

Subscription vs. Active Participation

§ Can you just subscribe to a “feed” of hostile IP addresses and just download them?
  – Sure, there are a growing number of “reputational” subscription services
  – But will they be RELEVANT to you – assuming none of the energy owner/operators are contributors

Feed categories shown in the slide graphic:
  – IP’s exploiting MS problem du jour
  – IP’s exploiting Adobe problem du jour
  – IP’s sending spam e-mail farming for username/PW
  – IP’s sending spam e-mail farming for bank account
  – IP’s probing for SSH servers
  – IP’s looking to attack the Energy Infra.

Page 11

Volume of Information

Page 12

Benefit: Relevance & ROI

Page 13

We know collaboration is hard

§ Every organization is a snowflake
  – B2B/collaborations vary
  – Blocking the wrong thing can be highly disruptive
§ Legal agreements are tricky
  – Definitions of terms can vary
    • What does MOU mean to you? ISA? ToS? etc.
§ Attribution and disclosure concerns
§ Attack vectors change

Page 14

Why are we here?

§ We believe ...
  – Cyber threats to critical infrastructure exist
  – Collaboration and collective defense are essential
  – DOE Cyber Fed Model (CFM) can be part of the solution
§ We want to ...
  – Help protect our country’s critical infrastructure
  – Begin a pilot to assess efficacy in the electric sector
  – See threat overlap between the electric sector and DOE
§ We have ...
  – DOE labs willing to share – public-private sector partnership
  – Electric sector entities which have expressed interest
  – Experience in collective defense

Page 15

Conclusions & Takeaways

§ Common adversaries exist and are active
§ Collaboration will be key to future cyber defense
§ The DOE Cyber Fed Model (CFM) provides collective defense in a flexible, site-controlled manner
§ CFM can help maximize your cyber security resources

Page 16

Questions ??

www.anl.gov/it/cfm