Page 1:

The Future of Cyber Operations & Defense

2017 Borderless Cyber Security

Neal Ziring, National Security Agency, USA

Page 2:

Information Assurance by the National Security Agency

Outline

• Strategic Considerations
• Past, Present, and Future Cyber Environment
• Operating and Defending in Future Cyberspace
• Keeping Secure in the Long Term

Page 3:

Strategic Considerations

• What is driving change in cyber operations and cyber defense?

1. Greater reliance on cyber facilities: networks, software, services, etc.
2. Continuous technological change
   • New technologies & services are introduced rapidly, but few, if any, old technologies are retired
3. Cyber threat actors increasing in number, sophistication, scope, and aggressiveness
4. Greater variety/diversity of cyber environment
   • Growing spectrum of cyber security products & services, but still not integrated

Page 4:

Strategic Considerations

Increased reliance on networks, cyber space, data services, etc.
→ Growth in value exposed to cyber attack
→ Increase in number, size, sophistication, and vigor of threat actor groups
→ Greater pressure to harden systems and counter-act threats

Page 5:

Past, Present, & Future Cyber Environment
Origins of Modern Cyber Operations

• Basic practices in cyber operations grew out of the environment of the 1980s and 1990s.
  – Stable, mostly static
  – Largely homogeneous
  – Most critical networks were separate enclaves
  – Managed by dedicated administrators
  – “Mobility” was rare, usually tethered over a VPN
• The environment has changed dramatically, but have our mindset and practices kept pace?

Page 6:

Past, Present, & Future Cyber Environment
Today and Near-Future Technical Trends

• Virtualized everything: compute, storage, networks …
• Migration to clouds
  – Trend since 2006, even more evident since 2012
  – New interactions, new layers, new attack surface
  – Adds complexity for cyber defense operations
• Ubiquitous mobility
  – Blurring traditional enclave perimeter
  – Technology base evolving rapidly
• Increasing integration of cyber-physical systems

Page 7:

Past, Present, & Future Cyber Environment
Implications of Technical Trends

Trends:
1. Virtualized Everything
2. Cloud Migration
3. Ubiquitous Mobility
4. Cyber-physical Systems

Implications:
• Increased attack surface
• Broader scope of potential impacts
• Larger scale for monitoring and response
• Reduced utility for perimeter defense
• Greater pressure for integrated security services

Page 8:

Operating in Cyberspace
Current Practices not Sufficient

• Current cyber operations practices are not adequate for securing our future environment.

1. Human-intensive accreditation and monitoring don’t scale.
2. Separate, isolated visibility and point response insufficient for distributed, mobile, cloud-hosted environments.
3. Threat actors shifting toward destruction and alteration of data
   • Purely reactive strategies inadequate
   • Must be able to recover – manual rebuild processes inadequate
4. Designs still focused on simple hardening, not always defensible or recoverable.

Page 9:

Operating in Cyberspace
Core Elements of Future Practice

Successful future operations will require evolution of current practice, plus new approaches.

• Boost basic cyber hygiene
• Drive operations with data and analytics (including both open and government intelligence)
• Execute adaptive, proactive operations with automation and orchestration
• Design and manage systems to support prevention, defense, and recovery

(Slide diagram axis: Evolutionary → Transformational)

Page 10:

Operating in Cyberspace
Future Practice: Cyber Hygiene

Basic cyber hygiene includes:
• Managing privileged accounts
• Keeping products updated and patched
• Removing outdated accounts and privileges promptly
• Monitoring configurations and correcting mistakes
• Enabling basic anti-exploitation features – and testing them
• Training staff against common exploits – and testing them!
• Segregating network functions
• Using reputation services (file, DNS, IP, URL …)
• Generating, collecting, and analyzing logs
• Managing trust relationships

Page 11:

Operating in Cyberspace
Future Practice: Data-Driven Operations

All cyber operations must be informed by data:
• Local observations, measurements, events, and alerts
• Local baselines and statistical norms
• Commercial threat intelligence and Indicators of Compromise (IOCs)
• Specialized intelligence
• Coordination with peer cyber operators

(Slide diagram cycle: Sensing & collection → Timely analysis & fusion → Situational awareness → Informed response)

Page 12:

Operating in Cyberspace
Future Practice: Data-Driven Operations

Threat actor techniques and security prioritization:

Reconnoiter → Deliver → Exploit → Install & Propagate → Control → Execute on Objectives

To carry out these steps in their operational model, attackers use a variety of techniques. Recent work by MITRE and others has categorized commonly used tradecraft to include: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enum., Lateral Movement, Execution, Cmd. & Control, Exfiltration.

Credit: MITRE Corporation, ATT&CK™ Model 2015. ATT&CK™ is a trademark of The MITRE Corporation.

Page 13:

Operating in Cyberspace
Future Practice: Data-Driven Operations

(Slide image credited to MITRE: © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288)

Page 14:

Operating in Cyberspace
Future Practice: Adaptive Operations

• Essential features of future operations

1. ADAPTIVE
   • Operations directly integrate local posture and attacker data
   • Operation actions adjusted as conditions change
2. AUTOMATED
   • Simple actions executed at machine speed and scale
   • Results fed back to analytics for situational awareness
3. ORCHESTRATED
   • Activities coordinated across multiple action points (e.g. end-points, firewalls, services, IDS/IPS, etc.)
   • Multi-step courses of action executed on precise timeline

Page 15:

Operating in Cyberspace
Future Practice: Adaptive Operations

• Proactive operations will only gain importance in years ahead.
  • Detect threat actor activities early, before they have impact
  • Isolate key services to sustain critical capabilities
  • Trigger pre-approved courses of action to limit damage and constrain actors

(Slide diagram: timeline marked TIME with a CYBER INCIDENT point)
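As an added illustration (not from the slides), the Python below sketches the loop these three slides describe: local observations fused with shared IOCs and a local statistical baseline, findings that trigger only pre-approved courses of action across several action points, and every result fed back for situational awareness. All hosts, indicators and log lines are constructed, and the playbook step names are assumed labels, not any real product's API.

```python
import re
import statistics
from collections import Counter

# Constructed sample data: a shared community IOC feed, a local baseline of
# DNS queries per host per hour, and the pre-approved courses of action.
SHARED_IOCS = {"dns": {"beacon.example.invalid"}}
BASELINE = {"dns_per_host": [4, 5, 3, 6, 4, 5, 4]}
PLAYBOOKS = {  # only these run without an analyst in the loop
    "ioc_match": [("firewall", "block_domain"), ("endpoint", "isolate_host")],
    "anomaly": [("endpoint", "collect_triage")],  # lower confidence: collect only
}
SAMPLE_LOG = (
    ["2017-06-01T10:00:01Z host=ws-03 qname=intranet.example.invalid"] * 4
    + ["2017-06-01T10:00:05Z host=ws-07 qname=beacon.example.invalid"]
    + [f"2017-06-01T10:{i:02d}:00Z host=ws-12 qname=r{i}.example.invalid" for i in range(40)]
    + ["garbage line"]  # malformed input the parser must survive
)
LOG_RE = re.compile(r"^(\S+) host=(\S+) qname=(\S+)$")

def parse_dns_log(lines):
    """Sensing & collection: parse 'ts host=H qname=Q' lines, dropping malformed ones."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append({"ts": m.group(1), "host": m.group(2), "qname": m.group(3)})
    return out

def analyze(events):
    """Analysis & fusion: shared IOC hits plus deviation from the local baseline."""
    findings = [{"host": e["host"], "kind": "ioc_match", "detail": e["qname"]}
                for e in events if e["qname"] in SHARED_IOCS["dns"]]
    mean = statistics.mean(BASELINE["dns_per_host"])
    sd = statistics.pstdev(BASELINE["dns_per_host"])
    for host, n in Counter(e["host"] for e in events).items():
        if n > mean + 3 * sd:  # statistical norm: more than 3 sigma above baseline
            findings.append({"host": host, "kind": "anomaly", "detail": f"{n} queries"})
    return findings

def respond(findings):
    """Informed response: run pre-approved playbooks, feed results back to analytics."""
    actions, feedback, done = [], [], set()
    for f in findings:
        for action_point, action in PLAYBOOKS.get(f["kind"], []):
            key = (f["host"], action_point, action)
            if key in done:  # never repeat the same action on the same host
                continue
            done.add(key)
            # Simulated action point; a real orchestrator would call the device API here.
            result = {"action_point": action_point, "action": action, "host": f["host"], "status": "done"}
            actions.append(result)
            feedback.append({"host": f["host"], "kind": "response_result", "detail": action})
    return actions, feedback

def run(lines=SAMPLE_LOG):
    """One turn of the loop: collect -> analyze -> respond -> feedback."""
    findings = analyze(parse_dns_log(lines))
    actions, feedback = respond(findings)
    return {"findings": findings, "actions": actions, "feedback": feedback}
```

Findings that have no pre-approved playbook produce no action and stay in the findings list for an analyst, which is the point of separating "pre-approved" from "possible".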

Page 16:

Operating in Cyberspace
Future Practice: Defensible Design

• Systems must be designed for defensibility and resilience. What does this entail?
• Design for visibility
  – Build in sensors, measurement, and logging – and means to control them
  – Build in protected channels for data transfer to analytic facilities
  – Conduct baseline analysis regularly
• Design to support operations
  – Build in “safe places to stand”
  – Identify cyber key terrain in advance, pre-deploy defensive mechanisms
  – Set up separate accounts, authentication mechanisms, and defender assets
• Design for recovery and reconstitution
  – Protected backups and “gold images” pre-placed, verifiable
  – Processes for common recovery actions scripted and stored

Page 17:

Security for the Long Term

KEY ATTACKER ADVANTAGE: REUSE OF TRADECRAFT
Threat actors get to develop sophisticated tradecraft once, then use it many times against many targets. To achieve security long-term, we must break this advantage.

• One solution is to reduce the utility of new tradecraft by establishing:
  – Shared visibility and understanding
  – Shared response
• By pooling visibility and analysis, we greatly increase the likelihood that we identify and characterize new tradecraft at initial use.
• By executing common response, we prevent successful reuse of tradecraft against additional targets.

Page 18:

Shared Visibility & Response
Future Practice: Adaptive Operations

To defeat actors’ reuse of tradecraft, we need shared visibility and coordinated, comprehensive response.

(Slide diagram: top-level community analytic leaders (full sharing) linked to community members (contribute & consume))

Page 19:

Keeping Security Achievable for the Long Term

(Slide diagram: a Threat Actor attacking Target 1, Target 2, Target 3, 4, 5 …; the targets feed Global Information to a Top-level Community Analysis Leader)

Page 20:

CONCLUSIONS

The future of cyber operations depends on breaking away from today’s status quo.
• Operate in the new, evolving IT landscape
• Take threat actor trends and new attack surface into account

Operating in cyberspace must:
• Be supported by effective cyber hygiene
• Be proactive and adaptive
• Be enabled with data, automation, and orchestration
• Drive defensible design and implementation

Page 21:

BACKUP SLIDES

Page 22:

Why is Designing Effective Security so Hard?

Challenges we face mitigating mission risks with security measures:
1. Mapping: Hard to link mission priorities to specific security measures.
2. Dependency: Systems used for different missions all depend on each other. The risk relationships are complex.
3. Opacity: Visibility into current security status and posture is usually poor.
4. Brittleness: Many current systems are brittle against security failure. One compromise and all their security properties are lost.
5. People: Systems depend on correct behavior by humans to mitigate risks.

Page 23:

System Lifecycle and Threat Actor Kill Chain

• To optimize application of security measures, we must understand both our system’s lifecycle and the adversary’s operational model.
  – Threat actors can choose any stage of the system lifecycle to attack.
  – Threat actors must usually complete all the stages of the “kill chain” to accomplish their objectives.

Page 24:

Threat Actor Techniques and Security Prioritization

To carry out these steps in their operational model, attackers use a variety of techniques. Recent work by MITRE and others has categorized commonly used tradecraft to include: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enum., Lateral Movement, Execution, Cmd. & Control, Exfiltration.

Recon → Deliver → Exploit → Install & Propagate → Control → Execute on Objectives

Credit: The MITRE Corporation, ATT&CK™ Model 2015. ATT&CK™ is a trademark of The MITRE Corporation.

Page 25:

(Slide image credited to MITRE: © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288)

Page 26:

Practical Means for Achieving Security in the Short Term

Core strategic principles that enterprises can apply now:
1. Assess risks
2. Establish accountability
3. Ensure visibility
4. Extract understanding
5. Sustain responsiveness
6. Grow resilience

Page 27:

Keeping Security Achievable for the Long Term

• The approach outlined will slow or confound many current threat actors.
• Threat actors will adapt and employ a diversity of techniques.
  – Some actors are already doing this
• Focused application of tradecraft diversity will allow actors to amortize investment across many targets/victims.

Page 28:

Keeping Security Achievable for the Long Term

• The approach outlined will slow or confound many current threat actors.
• Threat actors will adapt and employ a diversity of techniques.
  – Some actors are already doing this.
• Focused application of tradecraft diversity will allow actors to amortize investment across many targets/victims.

Page 29:

Keeping Security Achievable for the Long Term

• One solution is to reduce the utility of new tradecraft by establishing:
  – Shared visibility and understanding
  – Shared response
• By pooling visibility and analysis, we greatly increase the likelihood we identify and characterize new tradecraft at initial use.
• By executing common response, we prevent successful reuse of tradecraft against additional targets.

Page 30:

Keeping Security Achievable for the Long Term

(Slide diagram: a Threat Actor attacking Target 1 through Target 5 …; the targets feed Global Information to an Analysis & Decision Entity)

Page 31:

Keeping Security Achievable for the Long Term

To realize this long-term vision, each sector of our society will have a role to include:

Security Industry
• Create products and services that report for common visibility and can be orchestrated for common response.

Government
• Provide unique intelligence into the global picture.
• Counter nation-state level threat actors.

Academia
• Research new forms of tradecraft and response.
• Educate the workforce.

Everybody
• Contribute to the shared visibility.
• Execute shared response.

Page 32:

Conclusions

Security is achievable by changing how we approach it.
– Drive security from mission goals.

In the short term, optimize security investment by:
– Considering the full system lifecycle.
– Understanding the threat actor operational model.

In the long term, defeat the threat actor benefit model by:
– Establishing shared visibility and understanding.
– Employing shared response.