Defensive Information Warfare Active National Information Infrastructure Intrusion Defense
UnClassified
Don R. Smith 402.203.3184
[email protected]@GlobeTranz.com
“War is an act of violence based upon irreconcilable disagreement” FMFM 1, Warfighting.
• The violence need not be physical.
– Physical, cybernetic, and moral levels.
– This is a departure from a pure Clausewitzian view.
– Information Age Warfare requires leaders, sensors, processors, transmitters, information and shooters.
– IW targets leaders, sensors, processors, transmitters, information and shooters.
“…moral forces exert a greater influence on the nature and outcome of war than do physical.” FMFM 1, Warfighting
• “Any view of the nature of war would hardly be accurate or complete without consideration of the effects of danger, fear, exhaustion, and privation on [those] who must [endure] the fighting …”
National Need
• There have been several embarrassingly simple attacks that have resulted in significant damage, showing that the current approaches are not adequate.
• There is reason to believe that both criminal elements and our national adversaries view this area as a highly cost-effective way of confronting the U.S. without coming into direct contact with U.S. legal, political, and military power.
• The role of Information Technology (IT) in supporting key economic, political and military operations becomes continually more critical, which simultaneously creates a new ‘battle’ space that in many ways is different from traditional battle spaces.
• Consequently, it is urgent to explore organizational adjustments and structures, policies, concepts of operations, and technologies to address this new form of national competition.
Long Term National Objectives
• Develop technologies, policies and procedures for the Secret Service, FBI, Department of Commerce, SPACECOM, the JTF-CND, and NSA to create the ability to ‘flag’ and protect United States-owned Global E-commerce.
• Create predictive, not reactive, security intrusion detection mechanisms to avert criminal misappropriation, cyber terrorism and foreign adversary attacks, in such a way as to preserve and protect constitutionally guaranteed freedoms.
• Create the first Virtual Organization for a Commerce Attack Response Team (CART).
• Create tools and methodologies to determine the origination, transit path, and destination of critical electronic commerce transactions: TranSource (transactional sourcing).
CART
• In today’s environment it is important to understand that our adversaries have many targets: Command and Control, Critical Infrastructure, Information Infrastructure and Financial Infrastructure.
• CART seeks to prevent adversaries from gaining advantage through cyber theft of commerce and transactional data, or from destroying commerce as leverage for political objectives.
TranSource
• Tracking the source, transit, and destination of transactions allows governments and financial institutions to assess, mitigate, and assign risk.
• Continuously monitor critical transactions and immediately determine any change in their validity.
• Route invalid transactions through special procedures and authentication to prevent unintended automatic transfer of funds.
Hypothesis
A system built on Virtual Organizations, Autonomic Smart Agents, and Anomaly Detection* naturally maps into a distributed, defendable cyber space, and will be more effective for engaging in defensive information operations than the current systems/frameworks that exist, are under development, or are under consideration at the present time.
* As Anomaly Detection matures
Short Term Objectives
Demonstrate a Cyber Defense capability that is:
• Capable of improved intrusion detection and warning through anomaly detection, active sensor cross-cueing, and autonomic tracing
• Able to provide limited autonomic attack response (attack path blocking, flood attack flow limitation, and target illumination*) as a first line of defense
• Able to provide for operation of distributed “virtual” cyber defense coordination to manage autonomic responses, mobilize IA reserves, & assist corporations, localities, Federal Agencies, users and stewards of the Global Information Grid
* Precursor to offensive response
Short Term Objectives
Demonstrate a Cyber Defense capability that will:
• Provide the first massively distributed cyber defense capability that maps to the cyber battle space
• Scale linearly from the laboratory to the National Information Infrastructure (NII) and then to the Global Information Grid.
Relevant Structures, Policy and Virtual IA Organization Background
• SPACECOM, effective 1 October 1999, is responsible for U.S. Military Computer Network Defense and will begin to publicly conduct the Military Computer Network Attack mission effective 1 October 2000 (with a lot of help from STRATCOM).
• DISA, NSA and SPACECOM have been exploring and modeling feasible strategies for limited isolation of NIPRnet when under severe attack.
• The Reserve Component Employment Study 2005 called for the formation of a "joint [reserve component] virtual information operations organization” and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.
Global Information Grid: 5 Classes of Potential Cyber Attacks

[Diagram: GIG nodes (Deployed Warfighters; Theater Infrastructure & Reachback; CONTINENTAL U.S. Infrastructure & Reachback; GII; CINC; Joint Staff; Camps, Posts, Stations; Log & Support Depots; Intermediate Support Bases; Service Components; Intel Centers; Gateway Routers & Switches; CONUS and OCONUS Internet & Public ATM Infrastructure), annotated with the five attack classes:]
• passive intercept attacks
• active network-based attacks
• close-in network-based attacks
• insider attacks
• hardware/software distribution attacks

Exploitation, Disruption, Denial, Deception: One-to-many, Many-to-one, Many-to-many. Must focus on continuity of MISSION CRITICAL Information and Applications.
Global Information Grid: Existing IA Centers

[Diagram: the same GIG nodes overlaid with the existing IA centers: DoD CERT, Service CERTs, JCCC, TCCC, RNOSC, GNOSC, IA Centers of Excellence, NIPC, JTF-CND, RCERT, IA Reserve Units, NSA, Service IWCs.]
Key: X = Centers for the monitoring & protection of Joint and Services’ Capabilities on the Global Information Grid (GIG). Note: Bastion Defense (e.g., firewalls) at all sites.
How the intrusion detection & response process works today

[Flow diagram, plotted against time:]
• Suspected Intrusion → Event Detection → Local Assessment → Local Containment Actions
• Regional Reporting & Assessment → Services & GNOSC Reporting → Assessment & recovery determination by IA Experts
• IAVA (Info Assurance Vulnerability Assessment) → JTF-CND / CERT Warning to GIG users → Local Containment Actions, Recommended Repair Actions, Local Recovery Actions
• Meanwhile: Event Damage Propagation (e.g., “I Love You” virus); Unrepaired Event Repropagation
• “Strategic” warning to other sites along the attack path; A PRIORI PROTECTION ADVISORIES published through the IAVA process; Install Protect Mechanisms (e.g., anti-virus) → Attacks Averted
The Requirement
• Understand the Cyber Battlespace
– At once . . . instantaneous and time extended . . . local and global
• Develop Cyber Defensive Tools and the Culture to match
– Provide a carefully-limited, “autonomic response” as close to the sources of the action as possible
– Detect anomalies in the critical data and functions that we wish to assure, and respond
• cueing/cross-cueing, attacker ID, path tracing, target illumination & correlation, honey pot diversion, attack rate limiting or blocking within the protected enclave
– Develop a CONOPS to bring decision makers into the detection, localization & containment process faster
Technical Revolutions - Technology, Concepts, Organizations.
Advanced Technologies and Concepts to Support the Active National Information Infrastructure Intrusion Defense Requirement
• Detection Sensing Techniques
– State of Practice: Signature Matching (e.g., “I Love You” and “Melissa”) and Breaches of Policy (e.g., illegal log-in, port scanning, or route tracing)
– State of Art: Anomaly Detection (as technology matures)
• Agent-based Intrusion Detection and Isolation:
– Network Priority Multicast for ALERTS
– Controlled Autonomic Response
• Virtual (IA) Organization (VO) for Rapid GIG Augmentation by Reservists and IA Centers of Excellence
– Virtual Training of IA Operators (e.g., Red Team Gaming)
– Rapid “Call-Up” of IA Experts into VO
– Collaboration on Intrusion response strategies and on real-time responses
– Common Cyber Defensive Warfare Toolbox and CONOPS
Advanced Concept: the “To be” Example Process

[Diagram: a Virtual Intrusion Defense Cell (CND) with a Detection Toolbox and Subject Matter Experts, and a Virtual Intrusion Response Cell (CNA) with a Response Toolbox and a Recovery Toolbox. ID agents discover one another, publish events and notify; IR agents subscribe; the Infowarrior and the User are the human endpoints.]
Advanced Concept: the “To Be” Functions

[Flow diagram, plotted against (less) time:]
• Suspected Intrusion → Event Detection by Global Distributed Sensor Families (Patterns, Policy, & Anomalies) → Attacks Averted
• Assessment & Reaction by Virtual IA Team; Global Distributed Agent Families invoke experts, visualize, illuminate, react → Propagation Averted; Unrepaired Repropagation Averted
• IAVA (Info Assurance Vulnerability Assessment) → A PRIORI PROTECTION ADVISORIES; Install Protect Mechanisms (e.g., anti-virus) at other sites along the attack path → Attacks Averted
• Damage Recovery by Virtual IA Team
• Supporting functions: Visualization, Training, Repository, GII/NII Coordination, Deep Trend Analysis
Virtual Organization Techniques and Technologies
• Virtual Training of IA Operators (e.g., Red Team Gaming)
• Rapid “Call-Up” of IA Experts into VO
• Collaboration on Intrusion response strategies and on real-time responses
• Common Cyber Warfare Toolbox and CONOPS
[Diagram: the GIG (Gateway Routers & Switches; CONUS and OCONUS Internet & Public ATM Infrastructure; CINC; Joint Staff; Camps, Posts, Stations; Log & Support Depots; Intermediate Support Bases; Service Components; Intel Centers) and its IA centers (DoD CERT, Service CERTs, JCCC, TCCC, RNOSC, GNOSC, IA Centers of Excellence, NIPC, JTF-CND, RCERT, IA Reserve Units, NSA, Service IWCs), linked by a QoS-capable, multicast network augmentation of the GIG to a Joint Info Operations Center offering Red Teaming, IA Event Capture & Replay and a Cyber Warfare Toolbox. Participants: IA Reserve Units; IA Centers of Excellence; Joint and Services CERTs; Joint and Services Ops & Security Ctrs.]
“State of The Research” Intrusion Detection and Isolation Technologies
• Common Detection & Intrusion Framework (CDIF):
– Intrusion Detection & Isolation Protocol (IDIP)
– Sensor agent initiation of trace, flow limitation, flow blocking messages
– Discovery Coordinator for human intervention
– Vendor implementations
• Jini/Cooperative Agent Based Systems (CoAbs)
– Emerging commercial framework for information resources visibility & mgmt
• HYPER AGENTS
– Detection, Identification, Localization, Correlation, Dissemination, Engagement, and Battle Damage Assessment.
[Diagram of three layers. Jini / CoAbs layer: Lookup services for an ID Cell Virtual Org at TS, a Public Group at UNCLASS and an IR Cell Virtual Org at SCI; discovery by ID agents, IR agents, the Infowarrior and the GCSS user; event publish / notify / subscribe. Agent Framework layer: sensor agents, analysis agents, visualization agents, a Knowledge Base, sense & response agents, a response agent, a Handler and coordinator over networks, hosts, apps, firewalls, NSM & ID systems, with NSM, IDM and IA views. CDIF layer: a sensor agent and the Discovery Coordinator exchange Trace Message, Trace Report and Stop Trace messages over IDIP, each sense & response agent consulting its path tables and raising an alert. Trace Message contents: intrusion detection; action: trace path; action: limit user flow on path; action: block user flow on path.]
Common Detection & Intrusion Framework (CDIF)
• Framework for multi-vendor Intrusion Detection system interoperability
• Framework for inter-sensor, autonomic response
• Several significant vendors have implemented IDIP-compliant products
Secure Multicast Intrusion Detection & Isolation Protocol (IDIP)

[Diagram: a sensor agent raises an alert to the Discovery Coordinator; Trace Messages flow from sense & response agent to sense & response agent along the attack path, each consulting its path tables and returning Trace Reports, until a Stop Trace is issued. Trace Message contents: intrusion detection; action: trace path; action: limit user flow on path; action: block user flow on path.]
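As an added example (not the briefing's own code, nor any vendor's IDIP implementation), the trace / limit / block exchange sketched on the two preceding slides, simulated in Python: a sensor's Trace Message walks the path tables upstream hop by hop, and a Discovery Coordinator keeps the more drastic block action behind an operator decision, which is the "controlled autonomic response" and "validation of first response" the briefing calls for. Hop names, message fields, the flow address and the approval rule are assumptions made for this example.

```python
"""Simulation of an IDIP-style trace along an attack path with a
Discovery Coordinator gating the autonomic action.

Added illustration only: not code from the briefing or from any IDIP
vendor product. Message fields, hop names, the address and the rule
that only flow limiting may run without an operator are assumptions."""
from dataclasses import dataclass, field

# Constructed path tables: each sense & response agent knows its
# upstream neighbour toward the flow source (None at the ingress edge).
PATH_TABLES = {
    "victim-host": "enclave-fw",
    "enclave-fw": "site-router",
    "site-router": "gateway-router",
    "gateway-router": None,
}


@dataclass
class TraceMessage:
    """Trace Message as sketched on the slide: a detection plus the
    requested action along the path (trace, limit or block)."""
    source: str                      # flow source reported by the sensor
    action: str                      # "trace" | "limit" | "block"
    hops: list = field(default_factory=list)


class DiscoveryCoordinator:
    """Human-intervention point. Assumed policy: 'trace' and 'limit' are
    autonomic first responses; 'block' needs an operator decision and is
    downgraded to 'limit' until one is recorded."""

    def __init__(self, operator_approves_block=False):
        self.operator_approves_block = operator_approves_block
        self.log = []

    def authorize(self, msg):
        if msg.action == "block" and not self.operator_approves_block:
            self.log.append(f"block for {msg.source} held for operator; applying limit")
            return "limit"
        return msg.action


def propagate_trace(start, msg, coordinator, stop_trace_at=None):
    """Walk the path tables upstream from the detecting hop, applying the
    authorized action at each hop, until the ingress edge or the hop that
    receives a Stop Trace. Returns the Trace Report as (hop, action) pairs."""
    action = coordinator.authorize(msg)
    report = []
    hop = start
    while hop is not None:
        msg.hops.append(hop)
        report.append((hop, action))
        if hop == stop_trace_at:
            break
        hop = PATH_TABLES[hop]
    return report


def demo():
    """Constructed scenario: the sensor on victim-host asks to block flows
    from 203.0.113.9 (documentation-range address) before any operator
    has approved a block."""
    coord = DiscoveryCoordinator(operator_approves_block=False)
    msg = TraceMessage(source="203.0.113.9", action="block")
    return propagate_trace("victim-host", msg, coord), coord.log


if __name__ == "__main__":
    for hop, action in demo()[0]:
        print(f"{hop:15} -> {action}")
```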
Agent based frameworks
• Sensor agents extract & assemble data elements from information system components (e.g., routers, firewalls, ID systems, hosts)
• Analysis agents process data into useful, assembled info
• Visualization agents provide network, IA, IDM monitoring to enterprise managers
• Agent Architecture can support addition of “plug-ins” for response coordination & execution
[Diagram: sensor agents feed analysis agents and a Knowledge Base; visualization agents present NSM, IDM and IA views; sense & response agents and a response agent, under a Handler and coordinator, act on networks, hosts, apps, firewalls, NSM & ID systems, speaking IDIP.]
Operational & System Model
• Operational Model
– Clusters of responders constituted dynamically in response to critical missions, events
– Rapid, informal communication to augment traditional hierarchical reporting. Damage can occur in seconds to minutes
– Cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace
• System Model
– Virtual shared dataspaces constituted dynamically to share intrusion data, assessment, trace info, system status
– Distributed smart agents for detection, analysis, agent-to-agent notification, reaction … enabled for “first response” to multiple, simultaneous attacks
– Remote sensors to include present sensor systems, plus anomaly-based sensors and capability to act as response agents
[Diagram: critical systems, critical information and critical networks form the Critical Functions, instrumented for anomaly detection; Anomaly detection triggers Autonomic Response (immediate response), backed by IA Response Augmentation to develop and validate response strategies (rapid response).]
The Operational Model
• Virtual Organizations (VOs)
– Constituted dynamically in response to critical missions
• Rapid communication among distributed members vs. hierarchical reporting
– Damage can occur in seconds to minutes
• Characterized by Rapid Reaction/Response
– Detection, analysis, prediction and reaction
• VO culture and training needed for rapid response (CONOPS)
– A Cyber-warrior must be a technical expert on cyber tactics and cyber-operations in this new battlespace
[Diagram: Critical Functions instrumented for anomaly detection → Anomaly detection → Autonomic Response, with a Virtual Organization (JTF-CND/GNOSC; Service, CINC, & Regional CERTs; IA Centers of Excellence; Reserve Components) to develop and validate response strategies.]
System Model
• Virtual Shared Dataspaces
– Constituted dynamically in response to critical missions
• Distributed smart agents
– Detection, analysis, and reaction
– Agent-to-agent notification / smart push
– Real-time publishing, subscription, & pull among distributed processes & humans
• Remote Sensors
– Anomaly-based augmented by signature based detection.
[Diagram: Remote Smart Agents (Anomaly detection, Autonomic Response) publish to and subscribe from a Virtual Shared Dataspace; alerts reach JTF-CND/GNOSC; Service, CINC, & Regional CERTs; IA Centers of Excellence; Reserve Components.]
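Added example, not from the briefing: a minimal virtual shared dataspace in Python with the publish, subscribe and pull operations listed in the System Model above and the sensor / analysis / response agent roles of the Agent based frameworks slide, where an analysis agent cross-cues anomaly reports from independent sensors into one alert that is pushed to a subscribed IR agent. Topic names, the two-sensor agreement rule, the 30-second window and the sample events are assumptions constructed for this example.

```python
"""Virtual shared dataspace with publish / subscribe / pull, and an
analysis agent that cross-cues anomaly events from independent sensors
into a single alert pushed to response agents.

Added illustration only: not code from the briefing. Topic names, the
two-sensor rule, the 30-second window and the events are assumptions."""
from collections import defaultdict


class Dataspace:
    """Minimal shared dataspace: smart push to subscribers plus a retained
    store that humans or late-joining agents can pull."""

    def __init__(self):
        self.subscribers = defaultdict(list)
        self.store = defaultdict(list)

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, event):
        self.store[topic].append(event)
        for handler in self.subscribers[topic]:
            handler(event)

    def pull(self, topic):
        return list(self.store[topic])


class AnalysisAgent:
    """Cross-cues anomalies: an alert is raised for a target only when at
    least two different sensors report it within WINDOW seconds, and at
    most one alert per target per window (assumed rule)."""
    WINDOW = 30

    def __init__(self, dataspace):
        self.ds = dataspace
        self.recent = defaultdict(list)    # target -> [(time, sensor)]
        self.alerts = []
        dataspace.subscribe("anomaly", self.on_anomaly)

    def on_anomaly(self, ev):
        t, target = ev["t"], ev["target"]
        # keep only reports still inside the correlation window
        live = [(ts, s) for ts, s in self.recent[target] if t - ts <= self.WINDOW]
        live.append((t, ev["sensor"]))
        self.recent[target] = live
        sensors = sorted({s for _, s in live})
        already = any(a["target"] == target and t - a["t"] <= self.WINDOW
                      for a in self.alerts)
        if len(sensors) >= 2 and not already:
            alert = {"t": t, "target": target, "sensors": sensors}
            self.alerts.append(alert)
            self.ds.publish("alert", alert)    # smart push to IR agents


# Constructed sensor events: time in seconds, reporting sensor, monitored target
SAMPLE_EVENTS = [
    {"t": 0,   "sensor": "router-netflow", "target": "host-A"},   # lone report
    {"t": 100, "sensor": "host-ids",       "target": "host-B"},
    {"t": 110, "sensor": "enclave-fw",     "target": "host-B"},   # cross-cue -> alert
    {"t": 115, "sensor": "router-netflow", "target": "host-B"},   # same window, no repeat
    {"t": 200, "sensor": "router-netflow", "target": "host-A"},   # first report expired
]


def run_scenario(events=SAMPLE_EVENTS):
    """Feed events through the dataspace; return the alerts the analysis
    agent raised, what a subscribed IR agent received, and the pulled store."""
    ds = Dataspace()
    agent = AnalysisAgent(ds)
    ir_inbox = []
    ds.subscribe("alert", ir_inbox.append)
    for ev in events:
        ds.publish("anomaly", ev)
    return agent.alerts, ir_inbox, ds.pull("anomaly")
```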
Supporting Infrastructure and Tools

[Diagram: Mission Components (Data Schema; World-view “COP”; Culture References; Process and Relationship Descriptions) and Virtual Organization Components (Reactive / Autonomic; Reaction Team; NCA; Core Members; Coordinating Members; Consulting Members / Specialists; Ad Hoc Members), backed by a Mission DB and an Organization DB and described by System, Operational and Technical Architectures: specifications for interfaces; processes/players; dynamic.]
Technical Assumptions - MOEs and MOPs
• Semi-autonomous agents can detect and provide valid, first response actions in real-time to adversarial behavior in distributed information systems
. . . including attacks for which the system has not been primed,
. . . while keeping the number of false alerts that require human intervention to fewer than 25 percent,
. . . and the resistance to multiple, simultaneous attacks will be much greater than when relying on local plus limited centralized resources
[Plots: Percentage of Valid Alarms and Percentage of False Alarms versus Number of Simultaneous Attacks; Response Time from Detected Event versus Number of Simultaneous Attacks (1, 10, 100). Legend: To-be system: solid line; As-is system: dotted line. As-is stages: DETECT, ALERT CERT, ANALYSIS, DECISION, SEND ALERTS, ACT. To-be stages: DETECT, ALERT NEIGHBORS / VO, DISTRIB CORRELATION & AUTO RESPONSE, VALIDATION OF FIRST RESPONSE, FURTHER VO ANALYSIS, VO VALIDATE OR NEGATE RESPONSE / ACT. Annotations: cope with barrage of false alarms under heavy attack; increase number of valid detections even under heavy attack by monitoring system anomalies; marked values 17% and 70%.]
Risks
• Technology - Low to Medium
• Development of CONOPS - Low
• Acceptance of New Inter-Organizational Coordination Concepts- Medium to Medium-High
(Annotations: “for acceptable operational payoff”; “for best operational payoff”.)
Approach & Demonstration
• Instrument a portion of the NII configuration with autonomic sensors
– Employ on “clone” version on backbone networks for first demos
• Employ IA Reserve Units as initial Virtual IA organization
– Add capability to JTF-CND and NIPC annually
[Diagram: Critical Functions instrumented for anomaly detection (GCCS sites, GMC) → Anomaly detection → Autonomic Response, with a Virtual Organization (JTF-CND/GNOSC; USCINCSPACE, NSA, R-CERT Scott; TBD Centers of Excellence; CERT Augmentation Reserve Units) to develop and validate response strategies.]
Demos, Residuals and Transition
• DEVELOPMENT & UTILITY ASSESSMENT
– FY01: Agent Framework Component & Correlation Demonstration; Constitute VO Dynamically
– FY02: Autonomic Trace Demonstration (Intrusion Framework Integrated); Exercise VO CONOPS
– FY03: Autonomic Response Demonstration; Exercise VO CONOPS
• LEAVE BEHIND
– Interim Capability for CART, JTF-CND, NIPC, NSA, Department of Energy, IA Reserve Units & Others
Summary
CART will demonstrate significant reduction in response time and damage propagation for Cyber Warfare attacks on the Commercial NII through:
• Improved intrusion detection and warning by anomaly detection, active sensor cueing/cross-cueing, and autonomic tracing
• Limited autonomic attack response (attack path blocking, flood attack flow limitation, target illumination) as a first line of defense
• Distributed “virtual” cyber defense coordination to manage autonomic responses, mobilize IA reserves, & assist localities, Federal Agencies, users and stewards of the NII
CART will provide the first massively distributed cyber defense capability that maps to the cyber battle space and scales linearly from laboratory to the NII.