Developing Systems for Cyber Situational Awareness* (James Okolica et al.) - PowerPoint PPT Presentation

  1. Air Force Institute of Technology Develop America's Airmen Today ... for Tomorrow Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L. Peterson, Robert F. Mills, and Michael W. Haas Center for Cyberspace Research Air Force Institute of Technology WPAFB, OH * The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government Air University: The Intellectual and Leadership Center of the Air Force 1 Integrity - Service - Excellence

  2. Overview
     • Defining Cyber Situational Awareness
     • The Cyber SA Problem Space
     • Developing a Cyber SA System
     • The Perception/Prediction Loop
     • Understanding the Environment
     • Putting it all together
     • Future Work

  3. The Problem
     • April 28, 2007 - Distributed denial of service (DDoS) attacks began on a media website in Estonia and later spread to Estonia's critical infrastructure, including banks, ministries, and police.
     • Feb 18, 2001 - Robert Hanssen arrested for selling American secrets to Moscow for 22 years.

  4. Situational Awareness

  5. Cyber SA

  6. Cyber SA (figure labels: Perception, Comprehension)

  7. Cyber SA

  8. Insider Threat Cyber SA (diagram; columns and their contents as recovered)
     • Environment
        • Threats: Nation state, Non-nation state, Petty Crime/Hackers, Insiders
        • Off. Operation
     • Individual Devices
        • Application Logs: Email, User applications, Proxy server apps, Firewall server apps, Other server apps
        • System Logs: Registry, Ports, Processes, DLLs, Packet Traffic, Firewall, Anti-Virus, Intrusion Detection Systems
        • Vulnerabilities: Content (e.g., backdoor), System (e.g., rootkit)
        • Memory, Page Files
     • Data: EXE files, Documents, Images, …
     • Business/Mission: Mission Impact, Data Exfiltration, Data Modification, Disaster Planning, Attack Preparation, Network Mapping, Mission Efficiencies
     • Levels: Sense, Evaluate, Assess

  9. Perception/Prediction Loop
     • Model the attack process
     • Extract sensor requirements for each step in the process
     • Categorize sensors as
        • Distant Early Warning (DEW) line sensors: minimal footprint on host systems, high confidence of anomaly detection, lots of false positives
        • Focused sensors: more intrusive, processor-intensive sensors tailored to detecting much more specific attacks
     • Develop and deploy sensors
     • Activate DEW line sensors
     • When the DEW line is tripped, activate the focused sensors
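The slide describes the loop as a procedure but not how the two sensor tiers interact at run time. The following Python example, added here and not part of the presentation or the authors' work, implements that scheduling: cheap DEW sensors run on every telemetry record, each trip arms the focused sensors mapped to it for a short window, and focused sensors are only charged for and evaluated while armed. The telemetry records, field names (`outbound_kb`, `dest_allowlisted`, `unsigned_modules`, and so on), thresholds and sensor costs are all constructed for illustration; the cost comparison with an always-on deployment is the part the slide's "lots of false positives" bullet motivates.

```python
"""Two-tier perception loop from slide 9: cheap Distant Early Warning (DEW)
sensors run on every event; costly focused sensors are armed only after a
DEW sensor trips, and disarm again after a quiet window.
Added example, not the authors' code; telemetry, thresholds and sensor
costs are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]  # one host telemetry record (constructed schema)


@dataclass
class Sensor:
    name: str
    check: Callable[[Event], bool]  # True when the sensor fires on this event
    cost: int                       # relative evaluation cost (assumed units)


@dataclass
class PerceptionLoop:
    dew: List[Sensor]                    # always on: small footprint, many false positives
    arms: Dict[str, List[Sensor]]        # DEW sensor name -> focused sensors it activates
    window: int = 3                      # events a focused sensor stays armed after a trip
    armed: Dict[str, int] = field(default_factory=dict)
    cost: int = 0
    trips: List[Tuple[int, str]] = field(default_factory=list)   # (event id, DEW sensor)
    alerts: List[Tuple[int, str]] = field(default_factory=list)  # (event id, focused sensor)

    def __post_init__(self) -> None:
        # Unique focused sensors in definition order, so none is evaluated twice per event.
        seen: Dict[str, Sensor] = {}
        for group in self.arms.values():
            for s in group:
                seen.setdefault(s.name, s)
        self.focused = list(seen.values())

    def step(self, ev: Event) -> None:
        for s in self.dew:                      # DEW line: evaluated on every event
            self.cost += s.cost
            if s.check(ev):
                self.trips.append((ev["id"], s.name))
                for f in self.arms.get(s.name, []):
                    self.armed[f.name] = self.window
        for f in self.focused:                  # focused tier: only while armed
            if self.armed.get(f.name, 0) <= 0:
                continue
            self.cost += f.cost
            self.armed[f.name] -= 1
            if f.check(ev):
                self.alerts.append((ev["id"], f.name))


OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def build_loop() -> PerceptionLoop:
    # DEW line: one network counter and one process-tree check, both cheap and noisy.
    outbound_spike = Sensor("outbound_spike", lambda e: e["outbound_kb"] > 500, cost=1)
    odd_child = Sensor("odd_child",
                       lambda e: e["parent"] in OFFICE and e["proc"] in SHELLS, cost=1)
    # Focused tier: needs deeper, expensive collection (destination and file audit,
    # module enumeration) that we would not want running on every host all the time.
    exfil_confirm = Sensor("exfil_confirm",
                           lambda e: e["outbound_kb"] > 500 and not e["dest_allowlisted"]
                           and e["file_reads"] > 100, cost=20)
    module_audit = Sensor("module_audit", lambda e: e["unsigned_modules"] > 0, cost=30)
    return PerceptionLoop(dew=[outbound_spike, odd_child],
                          arms={"outbound_spike": [exfil_confirm],
                                "odd_child": [module_audit]})


TELEMETRY: List[Event] = [  # constructed sample records for one workstation
    {"id": 1, "proc": "outlook.exe", "parent": "explorer.exe", "outbound_kb": 40,
     "file_reads": 3, "dest_allowlisted": True, "unsigned_modules": 0},
    {"id": 2, "proc": "backup.exe", "parent": "services.exe", "outbound_kb": 900,
     "file_reads": 5000, "dest_allowlisted": True, "unsigned_modules": 0},  # benign spike
    {"id": 3, "proc": "winword.exe", "parent": "explorer.exe", "outbound_kb": 5,
     "file_reads": 2, "dest_allowlisted": True, "unsigned_modules": 0},
    {"id": 4, "proc": "cmd.exe", "parent": "winword.exe", "outbound_kb": 2,
     "file_reads": 1, "dest_allowlisted": True, "unsigned_modules": 0},
    {"id": 5, "proc": "cmd.exe", "parent": "winword.exe", "outbound_kb": 700,
     "file_reads": 400, "dest_allowlisted": False, "unsigned_modules": 1},
    {"id": 6, "proc": "chrome.exe", "parent": "explorer.exe", "outbound_kb": 30,
     "file_reads": 0, "dest_allowlisted": True, "unsigned_modules": 0},
]


def run(telemetry: List[Event]) -> PerceptionLoop:
    loop = build_loop()
    for ev in telemetry:
        loop.step(ev)
    return loop


def always_on_cost(telemetry: List[Event]) -> int:
    """Cost if every sensor ran on every event, for comparison with the tiered loop."""
    loop = build_loop()
    per_event = sum(s.cost for s in loop.dew) + sum(s.cost for s in loop.focused)
    return per_event * len(telemetry)


if __name__ == "__main__":
    result = run(TELEMETRY)
    print("DEW trips:", result.trips)
    print("alerts   :", result.alerts)
    print("cost     :", result.cost, "vs always-on", always_on_cost(TELEMETRY))
```

On the constructed records the backup job's traffic spike trips the DEW line (event 2) but the focused sensor does not confirm it, so it never becomes an alert; only event 5, where both tiers agree, is reported, and the tiered loop spends 202 cost units against 312 for running everything continuously. The `window` parameter is the knob that trades missed follow-on activity against focused-sensor load.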

  10. Multi-level Comprehension

  11. Developing a Cyber SA System (diagram; steps as recovered)
     • 1. Model the Attack Process
     • 2a. Operational Language Describing Operational Process
     • 2b. System Language Describing Systems
     • 2c. Relationships between System and Operational Languages
     • 3. Sensor Requirements
     • 4. Correlation/Comprehension Engines
     • 5. Visualization Tools

  12. Next Steps
     • Develop Cyber Attack Models for multiple types of attacks
     • Extract requirements and develop sensors

  13. What about BPM?
     • Organizational design may oppose BPM: stature is measured by how large an organization is and how much money it controls
     • Wisdom of putting BPM on a networked computer
        • Cyber SA is in place to secure the network
        • However, Cyber SA depends on BPM for mission impact
        • BPM defines critical nodes and single points of failure
     • Tradeoff
        • Increased responsiveness and improved management situational awareness
        • Greater vulnerability to precision attack

  14. Questions?

  15. Backup Slides

  16. Cyber SA Environment

  17. IDMEF Data Model
     • IDMEF-Message
        • Alert: Analyzer, CreateTime, DetectTime, AnalyzeTime, Source (Node, User, Process, Service), Target (Node, User, Process, Service, File), Classification, Assessment, AdditionalData
        • Heartbeat: Analyzer, CreateTime, AdditionalData
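The slide names the IDMEF classes but not what a message built from them looks like or what a correlation engine needs to check before trusting one. The Python example below is added here and is not the presentation's code: it builds an RFC 4765 `IDMEF-Message`/`Alert` from the listed classes with the standard library, reports which required `Alert` children are missing, and flattens a valid alert into the fields an engine would key on. It assumes the RFC 4765 namespace `http://iana.org/idmef` and the RFC's element name `AnalyzerTime` for the timestamp the slide labels `AnalyzeTime`; the analyzer id, host names, addresses and the incomplete sample message are constructed.

```python
"""Build, validate and summarize an IDMEF Alert using the classes on slide 17.
Added example, not the authors' code. Analyzer ids, hosts and addresses are
constructed; the namespace and element names follow RFC 4765."""
import time
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"      # IDMEF namespace from RFC 4765
ET.register_namespace("idmef", NS)
REQUIRED_ALERT_CHILDREN = ("Analyzer", "CreateTime", "Classification")


def q(tag: str) -> str:
    """Namespace-qualify an IDMEF element name for ElementTree."""
    return f"{{{NS}}}{tag}"


def ntpstamp(unix_seconds: float) -> str:
    """IDMEF time elements carry an NTP timestamp (epoch 1900-01-01) as 0xSECS.0xFRAC."""
    secs = int(unix_seconds) + 2208988800
    frac = int((unix_seconds - int(unix_seconds)) * 2 ** 32)
    return f"0x{secs:08x}.0x{frac:08x}"


def iso(unix_seconds: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(unix_seconds))


def add_time(alert, tag, ts):
    el = ET.SubElement(alert, q(tag), {"ntpstamp": ntpstamp(ts)})
    el.text = iso(ts)


def add_endpoint(alert, tag, name, address, port=None):
    """Source/Target with a Node (name + IPv4 Address) and an optional Service port."""
    end = ET.SubElement(alert, q(tag))
    node = ET.SubElement(end, q("Node"))
    ET.SubElement(node, q("name")).text = name
    addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, q("address")).text = address
    if port is not None:
        ET.SubElement(ET.SubElement(end, q("Service")), q("port")).text = str(port)


def build_alert(messageid, analyzerid, classification, source, target, severity,
                detect_ts, create_ts=None, analyzer_ts=None) -> str:
    """Return an IDMEF-Message/Alert document; child order follows the RFC 4765 DTD."""
    create_ts = detect_ts if create_ts is None else create_ts
    msg = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(msg, q("Alert"), {"messageid": messageid})
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzerid})
    add_time(alert, "CreateTime", create_ts)
    add_time(alert, "DetectTime", detect_ts)
    if analyzer_ts is not None:
        add_time(alert, "AnalyzerTime", analyzer_ts)   # the slide labels this AnalyzeTime
    add_endpoint(alert, "Source", *source)
    add_endpoint(alert, "Target", *target)
    ET.SubElement(alert, q("Classification"), {"text": classification})
    assessment = ET.SubElement(alert, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"severity": severity})
    return ET.tostring(msg, encoding="unicode")


def validate_alert(xml_text: str) -> list:
    """Names of required Alert children that are missing; [] means the message is usable."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    if alert is None:
        return ["Alert"]
    return [t for t in REQUIRED_ALERT_CHILDREN if alert.find(q(t)) is None]


def summarize_alert(xml_text: str) -> dict:
    """Flatten a validated Alert into the fields a correlation engine would key on."""
    alert = ET.fromstring(xml_text).find(q("Alert"))

    def endpoint(tag):
        e = alert.find(q(tag))
        if e is None:
            return None
        return {"name": e.findtext(f"{q('Node')}/{q('name')}"),
                "address": e.findtext(f"{q('Node')}/{q('Address')}/{q('address')}"),
                "port": e.findtext(f"{q('Service')}/{q('port')}")}

    impact = alert.find(f"{q('Assessment')}/{q('Impact')}")
    return {"messageid": alert.get("messageid"),
            "analyzerid": alert.find(q("Analyzer")).get("analyzerid"),
            "classification": alert.find(q("Classification")).get("text"),
            "create_time": alert.findtext(q("CreateTime")),
            "detect_time": alert.findtext(q("DetectTime")),
            "source": endpoint("Source"),
            "target": endpoint("Target"),
            "severity": None if impact is None else impact.get("severity")}


# Constructed message with no Classification, to show validation catching it.
INCOMPLETE_MESSAGE = (
    f'<idmef:IDMEF-Message xmlns:idmef="{NS}" version="1.0"><idmef:Alert messageid="x">'
    '<idmef:Analyzer analyzerid="a"/><idmef:CreateTime>2023-11-14T22:13:20Z'
    '</idmef:CreateTime></idmef:Alert></idmef:IDMEF-Message>')

if __name__ == "__main__":
    doc = build_alert("msg-0001", "hids-ws1", "Possible data exfiltration",
                      ("ws1.example.test", "10.0.0.15"),
                      ("drop.example.test", "203.0.113.9", 443),
                      "high", detect_ts=1700000000)
    print(doc)
    print(validate_alert(doc), summarize_alert(doc))
    print(validate_alert(INCOMPLETE_MESSAGE))
```

`validate_alert` is the check worth keeping in front of any engine that consumes alerts from several analyzers: an alert without `Analyzer`, `CreateTime` or `Classification` cannot be attributed, ordered in time or categorized, so it should be rejected or quarantined rather than correlated.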

  18. Target Centric Ontology (diagram; classes and relationships as recovered)
     • Host: victim of Attack
     • Attack: affects System Component; has Consequence, Means, Location
     • Consequence (subclass of): Denial of Service, Probe, Remote to Local, User to Root
     • Means (subclass of): Input Validation Error (Buffer Overflow, TCP Buffer Overflow, UDP Buffer Overflow), Logic Exploit Error (Atomicity Error, Exception Condition, Race Condition, Serialization Error)
     • Location: Local, Remote
     • System Component: Input, Network, System, Process; IP, TCP/IP, TCP, UDP, Socket
     • Relationship labels: victim of, affected by, causing, subclass of

  19. Information Relativity
     • Consider the data object "mission"
     • Does an object mean different things at different levels?
     • Does an object mean different things within a level depending on the producer/consumer of the object?
