The Future of Cyber Operations & Defense
2017 Borderless Cyber Security
Neal Ziring, National Security Agency, USA
Information Assurance by the National Security Agency
Outline
• Strategic Considerations
• Past, Present, and Future Cyber Environment
• Operating and Defending in Future Cyberspace
• Keeping Secure in the Long Term
Strategic Considerations
• What is driving change in cyber operations and cyber defense?
1. Greater reliance on cyber facilities: networks, software, services, etc.
2. Continuous technological change
   • New technologies & services are introduced rapidly, but few, if any, old technologies are retired
3. Cyber threat actors increasing in number, sophistication, scope, and aggressiveness
4. Greater variety/diversity of cyber environment
   • Growing spectrum of cyber security products & services, but still not integrated
Strategic Considerations
Increased reliance on networks, cyber space, data services, etc.
→ Growth in value exposed to cyber attack
→ Increase in number, size, sophistication, and vigor of threat actor groups
→ Greater pressure to harden systems and counter-act threats
Past, Present, & Future Cyber Environment: Origins of Modern Cyber Operations
• Basic practices in cyber operations grew out of the environment of the 1980s and 1990s.
– Stable, mostly static
– Largely homogeneous
– Most critical networks were separate enclaves
– Managed by dedicated administrators
– “Mobility” was rare, usually tethered over a VPN
• The environment has changed dramatically, but have our mindset and practices kept pace?
Past, Present, & Future Cyber Environment: Today and Near-Future Technical Trends
• Virtualized everything: compute, storage, networks …
• Migration to clouds
– Trend since 2006, even more evident since 2012
– New interactions, new layers, new attack surface
– Adds complexity for cyber defense operations
• Ubiquitous mobility
– Blurring traditional enclave perimeter
– Technology base evolving rapidly
• Increasing integration of cyber-physical systems
Past, Present, & Future Cyber Environment: Implications of Technical Trends
Trends: 1. Virtualized Everything; 2. Cloud Migration; 3. Ubiquitous Mobility; 4. Cyber-physical Systems
Implications:
• Increased attack surface
• Broader scope of potential impacts
• Larger scale for monitoring and response
• Reduced utility for perimeter defense
• Greater pressure for integrated security services
Operating in Cyberspace: Current Practices not Sufficient
• Current cyber operations practices are not adequate for securing our future environment.
1. Human-intensive accreditation and monitoring don’t scale.
2. Separate, isolated visibility and point response insufficient for distributed, mobile, cloud-hosted environments.
3. Threat actors shifting toward destruction and alteration of data
   • Purely reactive strategies inadequate
   • Must be able to recover – manual rebuild processes inadequate
4. Designs still focused on simple hardening, not always defensible or recoverable.
Operating in Cyberspace: Core Elements of Future Practice
Successful future operations will require evolution of current practice, plus new approaches.
• Boost basic cyber hygiene
• Drive operations with data and analytics (including both open and government intelligence)
• Execute adaptive, proactive operations with automation and orchestration
• Design and manage systems to support prevention, defense, and recovery
(Slide shows these elements on a spectrum from Evolutionary to Transformational.)
Operating in Cyberspace: Future Practice: Cyber Hygiene
Basic cyber hygiene includes:
• Managing privileged accounts
• Keeping products updated and patched
• Removing outdated accounts and privileges promptly
• Monitoring configurations and correcting mistakes
• Enabling basic anti-exploitation features – and testing them
• Training staff against common exploits – and testing them!
• Segregating network functions
• Using reputation services (file, DNS, IP, URL …)
• Generating, collecting, and analyzing logs
• Managing trust relationships
Operating in Cyberspace: Future Practice: Data-Driven Operations
All cyber operations must be informed by data:
• Local observations, measurements, events, and alerts
• Local baselines and statistical norms
• Commercial threat intelligence and Indicators of Compromise (IOCs)
• Specialized intelligence
• Coordination with peer cyber operators
Cycle: Sensing & collection → Timely analysis & fusion → Situational awareness → Informed response
Operating in Cyberspace: Future Practice: Data-Driven Operations
Threat actor techniques and security prioritization:
Kill chain: Reconnoiter → Deliver → Exploit → Install & Propagate → Control → Execute on Objectives
To carry out these steps in their operational model, attackers use a variety of techniques. Recent work by MITRE and others has categorized commonly used tradecraft to include:
Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enum., Lateral Movement, Execution, Cmd. & Control, Exfiltration
Credit: MITRE Corporation, ATT&CK™ Model 2015. ATT&CK™ is a trademark of The MITRE Corporation.
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288
Operating in Cyberspace: Future Practice: Adaptive Operations
• Essential features of future operations:
1. ADAPTIVE
   • Operations directly integrate local posture and attacker data
   • Operation actions adjusted as conditions change
2. AUTOMATED
   • Simple actions executed at machine speed and scale
   • Results fed back to analytics for situational awareness
3. ORCHESTRATED
   • Activities coordinated across multiple action points (e.g. end-points, firewalls, services, IDS/IPS, etc.)
   • Multi-step courses of action executed on precise timeline
Operating in Cyberspace: Future Practice: Adaptive Operations
• Proactive operations will only gain importance in years ahead.
• Detect threat actor activities early, before they have impact
• Isolate key services to sustain critical capabilities
• Trigger pre-approved courses of action to limit damage and constrain actors
(Slide shows a timeline of these actions relative to a cyber incident.)
Operating in Cyberspace: Future Practice: Defensible Design
• Systems must be designed for defensibility and resilience. What does this entail?
• Design for visibility
– Build in sensors, measurement, and logging – and means to control them
– Build in protected channels for data transfer to analytic facilities
– Conduct baseline analysis regularly
• Design to support operations
– Build in “safe places to stand”
– Identify cyber key terrain in advance, pre-deploy defensive mechanisms
– Set up separate accounts, authentication mechanisms, and defender assets
• Design for recovery and reconstitution
– Protected backups and “gold images” pre-placed, verifiable
– Processes for common recovery actions scripted and stored
Security for the Long Term
KEY ATTACKER ADVANTAGE: REUSE OF TRADECRAFT
Threat actors get to develop sophisticated tradecraft once, then use it many times against many targets. To achieve security long-term, we must break this advantage.
• One solution is to reduce the utility of new tradecraft by establishing:
– Shared visibility and understanding
– Shared response
• By pooling visibility and analysis, we greatly increase the likelihood that we identify and characterize new tradecraft at initial use.
• By executing common response, we prevent successful reuse of tradecraft against additional targets.
Shared Visibility & Response: Future Practice: Adaptive Operations
To defeat actors’ reuse of tradecraft, we need shared visibility and coordinated, comprehensive response.
(Slide shows two tiers: top-level community analytic leaders (full sharing) and community members (contribute & consume).)
Keeping Security Achievable for the Long Term
(Figure: a threat actor against Target 1, Target 2, Target 3, 4, 5, … ; each target feeds Global Information to a Top-level Community Analysis Leader.)
CONCLUSIONS
The future of cyber operations depends on breaking away from today’s status quo.
• Operate in the new, evolving IT landscape
• Take threat actor trends and new attack surface into account
Operating in cyberspace must:
• Be supported by effective cyber hygiene
• Be proactive and adaptive
• Be enabled with data, automation, and orchestration
• Drive defensible design and implementation
BACKUP SLIDES
Why is Designing Effective Security so Hard?
Challenges we face mitigating mission risks with security measures:
1. Mapping: Hard to link mission priorities to specific security measures.
2. Dependency: Systems used for different missions all depend on each other. The risk relationships are complex.
3. Opacity: Visibility into current security status and posture is usually poor.
4. Brittleness: Many current systems are brittle against security failure. One compromise and all their security properties are lost.
5. People: Systems depend on correct behavior by humans to mitigate risks.
System Lifecycle and Threat Actor Kill Chain
• To optimize application of security measures, we must understand both our system’s lifecycle and the adversary’s operational model.
– Threat actors can choose any stages of the system lifecycle to attack.
– Threat actors must usually complete all the stages of the “kill chain” to accomplish their objectives.
Threat Actor Techniques and Security Prioritization
To carry out these steps in their operational model, attackers use a variety of techniques. Recent work by MITRE and others has categorized commonly used tradecraft to include:
Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enum., Lateral Movement, Execution, Cmd. & Control, Exfiltration
Kill chain: Recon → Deliver → Exploit → Install & Propagate → Control → Execute on Objectives
Credit: The MITRE Corporation, ATT&CK™ Model 2015. ATT&CK™ is a trademark of The MITRE Corporation.
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288
Practical Means for Achieving Security in the Short Term
Core strategic principles that enterprises can apply now:
1. Assess risks
2. Establish accountability
3. Ensure visibility
4. Extract understanding
5. Sustain responsiveness
6. Grow resilience
Keeping Security Achievable for the Long Term
• The approach outlined will slow or confound many current threat actors.
• Threat actors will adapt and employ a diverse number of techniques.
– Some actors are already doing this.
• Focused application of tradecraft diversity will allow actors to amortize investment across many targets/victims.
Keeping Security Achievable for the Long Term
• One solution is to reduce the utility of new tradecraft by establishing:
– Shared visibility and understanding
– Shared response
• By pooling visibility and analysis, we greatly increase the likelihood we identify and characterize new tradecraft at initial use.
• By executing common response, we prevent successful reuse of tradecraft against additional targets.
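A toy model of the tradecraft-reuse argument made on this slide and on the “Security for the Long Term” slide in the main deck, added here as an illustration and not part of the NSA presentation. The campaign, the five community members, and which of them can characterize which tradecraft locally are all constructed assumptions; the model only contrasts per-member learning with pooled visibility plus common response.

```python
from collections import Counter

# Constructed campaign (added illustration, not from the deck): one actor reuses
# two pieces of tradecraft, T1 and T2, against five community members in time
# order, then tries T1 again against the first member.
MEMBERS = ("target1", "target2", "target3", "target4", "target5")
CAMPAIGN = [("T1", m) for m in MEMBERS] + [("T2", m) for m in MEMBERS]
CAMPAIGN += [("T1", "target1")]

# Constructed assumption: which members have enough local visibility to
# characterize which tradecraft on their own at first use. Most do not.
LOCAL_DETECTION = {("T1", "target1"), ("T2", "target3")}


def simulate(campaign, shared_visibility, local_detection=LOCAL_DETECTION):
    """Count use outcomes: 'undetected', 'detected' (caught at initial use) or
    'blocked' (stopped by a response to tradecraft already characterized).

    shared_visibility=False: a member only learns from its own detections.
    shared_visibility=True: any member's detection is pooled and drives a
    common response, so later reuse is blocked community-wide.
    """
    community_known = set()   # tradecraft characterized by anyone (shared mode)
    locally_known = {}        # member -> tradecraft it characterized itself
    outcomes = Counter()
    for tradecraft, target in campaign:
        if shared_visibility:
            known = community_known
        else:
            known = locally_known.setdefault(target, set())
        if tradecraft in known:
            outcomes["blocked"] += 1        # pre-approved common response fires
        elif (tradecraft, target) in local_detection:
            outcomes["detected"] += 1       # identified at initial use
            known.add(tradecraft)           # now characterized for future response
        else:
            outcomes["undetected"] += 1     # the reuse advantage in action
    return outcomes


def attacker_yield(outcomes):
    """Uses that had effect (not blocked): what the actor amortizes development over."""
    return outcomes["undetected"] + outcomes["detected"]


if __name__ == "__main__":
    for shared in (False, True):
        result = simulate(CAMPAIGN, shared)
        print(f"shared_visibility={shared}: {dict(result)} yield={attacker_yield(result)}")
```

With the same two detections, pooling drops the actor's effective uses from 10 to 4, which is the “break this advantage” effect the slide argues for.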
Keeping Security Achievable for the Long Term
(Figure: a threat actor against Target 1 through Target 5, … ; each target feeds Global Information to an Analysis & Decision Entity.)
Keeping Security Achievable for the Long Term
To realize this long-term vision, each sector of our society will have a role, to include:
Security Industry
• Create products and services that report for common visibility and can be orchestrated for common response.
Government
• Provide unique intelligence into the global picture.
• Counter nation-state level threat actors.
Academia
• Research new forms of tradecraft and response.
• Educate the workforce.
Everybody
• Contribute to the shared visibility.
• Execute shared response.
Conclusions
Security is achievable by changing how we approach it.
– Drive security from mission goals.
In the short term, optimize security investment by:
– Considering the full system lifecycle.
– Understanding the threat actor operational model.
In the long term, defeat the threat actor benefit model by:
– Establishing shared visibility and understanding.
– Employing shared response.