Resilient Architectures - MITRE Corporation · 2012. 6. 10.
© 2012 The MITRE Corporation. All rights reserved.
Approved for Public Release: 12‐2397. Distribution Unlimited
2nd Annual Secure and Resilient Cyber Architectures Workshop
Resilient Architectures
Jeffrey Picciotto
Transformation of Thought (slide 2)

Cyber Risk Remediation Engineering Analysis (diagram). The analysis is organized around four questions:
• What's most important
• What are the risks
• How to mitigate the risks
• What resources are most important

Elements shown on the diagram: Identify Mission Dependencies on Cyber; Prioritize Missions; Mission Impact Analysis; Cyber Threat Susceptibility Assessment; Cyber Threats & Intelligence; CONOPS / Use Cases; End-to-End Flows; Mitigations; Resiliency Practices; Security Engineering; Assurance Practices; Anti-Tamper; SCRM Practices.
Desired Outcome (slide 3)

Bring community together to work collectively.

The cyber resiliency foundation we develop & shape is adopted by sponsors so missions are more assured.

Cycle shown on the slide: Apply Resiliency; Identify Requirements; Create Solutions; Prove Effectiveness.

• Use Case: Integration; Techniques; Operational context
• Framework: Goals; Objectives; Techniques
• Technology: Commercial products; Research snapshot; R&D tasks
• Metrics: Cost; Performance
Technology – Commercial Products (slide 4)

Products by Technical Area (pie chart, 111 resiliency vendors):
• Analytic Monitoring 22%
• Privilege Restriction 14%
• Redundancy 12%
• Unpredictability 10%
• Substantiated Integrity 9%
• Adaptive Response 6%
• Deception 6%
• Segmentation 6%
• Diversity 5%
• Dynamic Positioning 5%
• Non-Persistence 5%
Technology – Research Capabilities (slide 5)

320 publications reviewed, characterized, and analyzed; R&D Snapshot published.

Research by Technical Area (pie chart):
• Analytic Monitoring 29%
• All Dynamic Categories 14%
• Cross-Area 13%
• Metrics 13%
• Substantiated Integrity 11%
• Adaptive Response 10%
• Deception 5%
• Isolation 5%

Research efforts named on the slide: SERPENT; IBIP; MATA-RAMS; Crypto Binding; Labyrinth; Diversity through Virtualization; ADDER; CyCS COMMANDR.
Metrics (slide 6)

Uses: Understanding; Decision Making; Compliance Checking; Assessing Cost; …
Stakeholders: Mission Commander; Program Manager; Cyber Defender; Vendor; Researcher; …
Metric types: Technical / Operational; Cost / Performance.

Example metrics:

Intended Uses | Type | Metric | How Obtained | Approach | Layer
Operations | Perf | Length of time an attacker remains contained in a controlled environment | Red team, observation, analysis | Deception | Cyber Resource (system / network)
Technical | Cost | Dollar and/or LOE cost of integrating diverse components to achieve resiliency | Cost estimation, post-hoc analysis | Diversity | Mission; Node; Information asset
Technical | Perf | % mission-essential capabilities for which two or more different instantiations are available | Analysis | Diversity | Service; Software; Mission process
Operations | Cost | Degree of mission impact due to isolation of elements impeding information flow needed to act in a timely manner | Observation / post-hoc analysis | Segmentation | Mission process
Technical | Perf | % data value assertions in a mission-essential data store for which a gold copy exists | Analysis | Substantiated Integrity | Information asset
Practical Options (slide 7)

• Reviewed current technology options
• Assessed viability today
• Documented in terms of near, mid, and long term options

Resiliency Technique | Near Term (<3 years) | Mid-Term (3-5 years) | Long-Term (>5 years)
Coordinated Defense | Use of a defense in depth strategy within organization | Systematic process to identify dependencies and interactions among cyber defenses | Automated identification of conflicts and dependencies among defenses
Deception | Honeypots (low interaction, based on commonly used attacker-requested services) | Honeynets (network of honeypots intended to imitate activities of a real system) | Use of honeynets and virtualization to run deception nets that respond dynamically to adversary actions
Diversity | Different browsers on operating systems (OSs) | Use of different protocols / communications diversity (e.g., over time, space, frequency) | Dynamically employ different OSs and different applications on laptops, desktops and servers
Non-Persistence | Desktop virtualization | Applying virtualization to stateful services (e.g., Active Directory, routers) | Non-persistence (media/device sanitization or data transformation via encryption) for smartphones and tablets
Privilege Restriction | Removal of admin rights from end users for their machines | Separate processing domains based on privilege | Dynamic escalation of privilege restrictions based on indications of adversary activities
Framework Application (slide 8)

Diagram: a User retrieves Data Products through a Data Products Catalog from a Server.

Goals: Withstand; Recover.
Objectives: Constrain; Reconstitute; Continue.
Techniques: Deception; Segmentation; Privilege Restriction; Redundancy; Substantiated Integrity.
Technologies: Deception network; Hardware trusted path; Fine-grained controls; RIAK; Multi-cloud storage; Crypto bindings.
Metrics: left blank on the slide.
Use Case Integration (slide 9)

Diagram: a Mission Analyst uses a Data Retrieval Application backed by a MetaData Catalog and data products (DP). The Cyber Risk Remediation Engineering Analysis diagram from slide 2 is repeated alongside it.

Apply the Resiliency Engineering Framework:
• Resiliency Goals: Withstand; Recover
• Resiliency Objectives: Constrain; Reconstitute
• Resiliency Techniques: Non-persistence; Adaptive Response; Redundancy; Analytic Monitoring; Deception; Substantiated Integrity; Unpredictability; Coordinated Defense; Realignment; Dynamic Representation; Segmentation; Privilege Restriction; Diversity; Dynamic Positioning

Example chain shown: Withstand -> Constrain.

Techniques and technologies placed on the use case (numbered 1-10 on the slide):
• Techniques: Segmentation; Redundancy; Non-Persistence; Diversity; Privilege Restriction; Substantiated Integrity; Coordinated Defense; Adaptive Response; Deception; Analytic Monitoring
• Technologies: Hardware trusted path (Segmentation); RIAK; Security-aware diversity through virtualization; Fine-grained controls; Mission Assurance through Availability; Cryptographic hash; CyCS COMMANDR; Active Dynamic Defense; Deception network; FIDELIS (Analytic Monitoring)
A Resilient Architecture (slide 10)

Diagram labels: MITRE infrastructure with ESXi servers hosting VMs; components shown: SERPENT, CyCS COMMANDR, IBIP, ROCS, RIAK, DIB, Labyrinth, SADV, MATA, ADDER, FIDELIS; Amazon; a firewall; an adversary.
Demonstration (slide 11)

Resiliency operators: Adversary; Analyst; CyOC Operator.
SIMEX – Cyber Resiliency Simulation Experiment (slide 12)

The Cyber Resiliency SIMEX examined tools, concepts, and the CONOPS/TTPs necessary to manage and conduct defensive cyber operations in support of mission operations.

Labels on the slide: Carrier Strike Group; IWC; GCCS-J; BWC; Targeting Officer; ISR LNO; Intel Officer; DGO; DCO; Regional Cyber Command Center; White Cell; SIM Lead; Red Lead; EXCON; Data Col. Lead; Joint Surface Warfare Scenario.
Sample Cyber SIMEX Day (slide 13)

Events:
• Denial of service based on router vulnerability (Denial of Service)
• Pre-planted malware activates on target system (Loss of Integrity)

Before resiliency capabilities:
o Use redundant routers
o Shut down file servers
o Turn off user privileges

Architect for resiliency capabilities and enable capabilities:
o Dynamically position diverse routers
o Recognize integrity loss and switch over to redundant capability
o Redirect potential C2

Techniques applied: Substantiated Integrity; Diversity; Redundancy; Deception; Dynamic Redirection.
Findings (slide 14)

• Need TTPs to coordinate across CND and mission operators to distinguish cyber attacks from other events
• Resiliency Engineering requires a team: mission operators, CND operators, system engineers/architects
• There are few resiliency capabilities deployed, and no C2 or SA tools
• We lack trainers, models, & simulators for cyber operators

Resiliency comes from integrating techniques tailored based on mission priorities, threats, and vulnerabilities.
Need (slide 15)

Increased adoption:
• Solutions for current and future architectures
• Evidence it works in real world environments
• Transfer knowledge/solutions across community