CRUSOE: DATA MODEL FOR CYBER SITUATIONAL AWARENESS
Tuesday 28th August, 2018
Martin Husák, Jana Komárková, Martin Laštovička, Daniel Tovarňák
Introduction and Motivation CRUSOE Data Model Page 2 / 23
Cyber Situational Awareness
Situational Awareness: “Perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future.” [Endsley, 1988]
Network-wide Situational Awareness: Network Awareness, Threat/Attack Awareness, Operation/Mission Awareness, Prediction & Data Fusion [Evancich, 2014]
OODA Loop: Observe, Orient, Decide, Act [Boyd, 1976]
CRUSOE Project
Research of Tools for Cyber Situational Awareness and Decision Support of CSIRT Teams in Protection of Critical Infrastructures
Observe – network and host monitoring
Orient – visualization, incident handling dashboard
Decide – impact assessment, attack countermeasure suggestion
Act – dry-run of attack countermeasures
Contribution
Summary of the requirements on a data model that could be used for capturing cyber situational awareness.
Proposal of a data model that fulfills the requirements, with a detailed description of its entities and relationships.
Description of the data sources that can be utilized to fill the model in a fully automated or semi-automated fashion.
Illustration of how the proposed data model enhances incident response in common scenarios.
Requirements
Interviews with Incident Handlers
Interviews with CSIRT/CERT teams from EU countries: What do you lack in day-to-day operations and incident response?
Common answers: criticality estimation of the attack target; vulnerability prioritization and dissemination; finding the responsible person.
Selected NATO Use Cases
NATO CDSA RFI (Cyber Defense Situational Awareness Request for Information): 35 use cases for a cyber defence situational awareness system.
UC10 – Single authoritative data source
UC12 – View connections of asset
UC15 – Fuse data
UC03 – Drill down / Roll up
UC06 – View asset dependencies
UC11 – View interconnectivity
Related Work
CyGraph: system for improving cyber security posture; graph-based data model and database; layered design: mission readiness, cyber threats, network infrastructure, cyber posture.
Other data models: M2D2, Virtual Terrain, CAMUS, . . .
Data Model
Proposed Data Model
Key characteristics: all-embracing, attainable, time-conscious, comprehensive, sustainable, extensible.
Novelties compared to related work: adherence to automatically acquirable content; inclusion of access control; grouping mechanisms (host clustering, etc.); dependency and redundancy nodes.
Layers
Seven layers of the model: Detection and Response Layer, Mission Layer, Access Control Layer, Threat Layer, Network Layer, System Layer, Host Layer.
Host Layer
Entities (from the diagram): physical host, virtual host, host, host cluster, node, entrypoint, device, identity, network service, software resource, software version, vulnerability, redundancy node, primary instance.
Relations (as labelled in the diagram): hosted on, is a, is a part of, has identity, on, provides, has, in, redundancy.
Data mostly obtainable via network monitoring. Clustering and virtualization information inserted manually.
System Layer
Entities (from the diagram): software resource, redundancy node, primary instance, dependency node, component, identity, application, data, mission, organization unit; confidentiality req., integrity req., availability req.
Relations (as labelled in the diagram): redundancy, provided by, depends on, dependency, has identity, supports, present on, on, for.
Connects network hosts with components of critical systems. Describes distribution of sensitive data.
Network Layer
Entities (from the diagram): observation point, host, domain name, node, IP, security event, organization unit, subnet.
Relations (as labelled in the diagram): is a, resolves to, has assigned, target/source, part of, connected.
Network topology, connections with organization units.
Detection and Response Layer
Entities (from the diagram): vulnerability, IP, security event, incident, user, detection system, response, data input node, observation point.
Relations (as labelled in the diagram): refers to, target/source, relates to, raises, response to, is a.
Placement of intrusion detection systems. History of security incidents.
Access Control Layer
Entities (from the diagram): subnet, organization unit, host, user, identity, role, device, group, application, component; availability req.
Relations (as labelled in the diagram): for, part of, has identity, assigned to, member of, has, permission to.
Mission Layer
Entities (from the diagram): component, data, organization unit, mission; confidentiality req., integrity req., availability req.
Relations (as labelled in the diagram): present on, on, for, imposes, supports.
Threat Layer
Entities (from the diagram): CVE, security event, vulnerability, software resource, software version.
Relations (as labelled in the diagram): refers to, in, has, subversion.
Enumeration of vulnerabilities related to software resources.
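The layer slides above only list entities and relation labels; what makes them useful to an incident handler is walking across layers. The following is an added example, not code from the CRUSOE project or its repository: a tiny in-memory graph built from the host, network, system, mission and threat layers, queried to answer two of the needs raised in the interviews (criticality of an attack target and who is responsible, and prioritisation of hosts affected by a CVE). Relation names are taken from the diagram labels; the 1..3 requirement scale, the hosts, IPs, subnets, organization units, missions and components are constructed sample data, and CVE-2021-41773 (Apache httpd 2.4.49 path traversal) is used only as sample input.

```python
"""Added example, not CRUSOE project code: an in-memory instance of the
layered graph from the slides, queried as an incident handler would.
Relation names follow the diagram labels; the 1..3 requirement scale and
all concrete hosts, IPs, missions and the sample CVE are constructed data."""
from collections import defaultdict


class CrusoeGraph:
    """Labelled property graph; edges can be walked in either direction."""

    def __init__(self):
        self.nodes = {}               # node id -> (layer label, properties)
        self.out = defaultdict(list)  # node id -> [(relation, target id)]
        self.inc = defaultdict(list)  # node id -> [(relation, source id)]

    def add_node(self, nid, label, **props):
        self.nodes[nid] = (label, props)

    def add_rel(self, src, rel, dst):
        self.out[src].append((rel, dst))
        self.inc[dst].append((rel, src))

    def walk(self, start, *steps):
        """Follow (relation, reverse) hops from one node. reverse=True walks an
        edge against its direction, e.g. from a software resource back to the
        components that are 'provided by' it."""
        ids = {start}
        for rel, reverse in steps:
            table = self.inc if reverse else self.out
            ids = {n for i in ids for r, n in table[i] if r == rel}
        return ids


REQS = ("confidentiality_req", "integrity_req", "availability_req")  # assumed: 1 low .. 3 high


def criticality(g, host):
    """Host criticality = highest C/I/A requirement of any mission the host's
    software supports: host -provides-> software resource <-provided by-
    component -supports-> mission. (0, None) if it supports no mission."""
    missions = g.walk(host, ("provides", False), ("provided by", True), ("supports", False))
    if not missions:
        return 0, None

    def level(m):
        return max(g.nodes[m][1][r] for r in REQS)

    best = max(sorted(missions), key=level)
    return level(best), best


def target_criticality(g, ip):
    """Interview need: criticality of an attack target and who is responsible.
    IP -has assigned-> host; IP -part of-> subnet -part of-> organization unit."""
    hosts = g.walk(ip, ("has assigned", False))
    if not hosts:
        return None                    # unknown address: nothing to assess
    host = min(hosts)
    level, mission = criticality(g, host)
    units = g.walk(ip, ("part of", False), ("part of", False))
    return {"host": host, "criticality": level, "mission": mission,
            "responsible": sorted(units)}


def prioritise_cve(g, cve):
    """Interview need: hosts running a version hit by the CVE, most critical first.
    CVE -refers to-> vulnerability -in-> software version <-has- software
    resource <-provides- host."""
    hosts = g.walk(cve, ("refers to", False), ("in", False), ("has", True), ("provides", True))
    return sorted(((criticality(g, h)[0], h) for h in hosts), reverse=True)


def build_sample():
    """Constructed sample data spanning the host, network, system, mission and threat layers."""
    g = CrusoeGraph()
    for ou in ("ou:ICT", "ou:Facilities"):
        g.add_node(ou, "organization unit")
    g.add_node("mission:e-learning", "mission", confidentiality_req=1, integrity_req=2, availability_req=2)
    g.add_node("mission:payroll", "mission", confidentiality_req=3, integrity_req=3, availability_req=2)
    # (host, IP, subnet, organization unit, software resource, software version)
    rows = [("host:web1", "ip:10.0.1.10", "subnet:10.0.1.0/24", "ou:ICT", "sw:web1/httpd", "ver:httpd-2.4.49"),
            ("host:db1", "ip:10.0.1.20", "subnet:10.0.1.0/24", "ou:ICT", "sw:db1/postgres", "ver:postgresql-13.2"),
            ("host:kiosk", "ip:10.0.9.5", "subnet:10.0.9.0/24", "ou:Facilities", "sw:kiosk/httpd", "ver:httpd-2.4.49")]
    for host, ip, subnet, ou, sw, ver in rows:
        for nid, label in ((host, "host"), (ip, "IP"), (subnet, "subnet"),
                           (sw, "software resource"), (ver, "software version")):
            g.add_node(nid, label)
        g.add_rel(ip, "has assigned", host)
        g.add_rel(ip, "part of", subnet)
        g.add_rel(subnet, "part of", ou)
        g.add_rel(host, "provides", sw)
        g.add_rel(sw, "has", ver)
    # System and mission layers: components provided by software, supporting missions.
    for comp, sw, mission in (("comp:lms-frontend", "sw:web1/httpd", "mission:e-learning"),
                              ("comp:lms-db", "sw:db1/postgres", "mission:e-learning"),
                              ("comp:payroll-db", "sw:db1/postgres", "mission:payroll")):
        g.add_node(comp, "component")
        g.add_rel(comp, "provided by", sw)
        g.add_rel(comp, "supports", mission)
    # Threat layer: a CVE referring to a vulnerability in one software version.
    g.add_node("vuln:httpd-path-traversal", "vulnerability")
    g.add_node("cve:CVE-2021-41773", "CVE")
    g.add_rel("cve:CVE-2021-41773", "refers to", "vuln:httpd-path-traversal")
    g.add_rel("vuln:httpd-path-traversal", "in", "ver:httpd-2.4.49")
    return g


if __name__ == "__main__":
    g = build_sample()
    print(target_criticality(g, "ip:10.0.1.20"))   # host:db1, criticality 3 via mission:payroll, ou:ICT
    print(prioritise_cve(g, "cve:CVE-2021-41773"))  # [(2, 'host:web1'), (0, 'host:kiosk')]
```

The two queries show why the layers are kept connected rather than stored as separate inventories: the kiosk runs the same vulnerable httpd version as the web server, but because nothing in the system and mission layers depends on it, it ranks last for patching, while the database host that an analyst only sees as an IP in a security event resolves to the highest-criticality mission and to the organization unit that should be contacted.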
Conclusion
Conclusion and Future Work
Conclusion: seven-layer model for cyber situational awareness; automation of obtaining data preferred; novel concepts included (access control, host clustering, etc.); evaluated through discussions with incident handlers.
https://github.com/CSIRT-MU/CRUSOE-Data-Model
Future Work: implementation of a cyber situational awareness system; further examination of available data sources.
THANK YOU FOR YOUR ATTENTION! Martin Husák csirt.muni.cz @csirtmu husakm@ics.muni.cz