9 September 2014: Automating Cyber Defence Responses CDE themed competition
Description: Automating Cyber Defence Responses CDE themed competition presentation from the 9 September 2014 Innovation Network event in London.
Transcript
Automating Cyber
Defence Responses
© Crown copyright 2013 Dstl
10 September 2014
Defence Cyber S&T
© Crown Copyright Dstl 2011
Strategic context
• ‘Cyber Security has been assessed as one of the highest priority national security risks to the UK’
• ‘a transformative programme for cyber security which addresses threats from states, criminals & terrorists’
• ‘to derive huge economic and social value from a vibrant, resilient and secure cyber space’
Cyber in MoD
• Falls under Joint Forces Command: “work toward making military operations successful by making sure joint capabilities, like …cyber-operations, are efficiently managed and supported”
• 2 key S&T programmes in Dstl:
– Assured Information Infrastructure
– Cyber
• £40 million S&T budget and growing
Cyber in Dstl
• Assured Information Infrastructure: a continuously evolving single logical, reconfigurable, resilient information infrastructure across UK and deployed, fixed and mobile elements (the design, management and normal use of cyberspace)
• Cyber: delivering digital resilience and projecting power and influence to meet UK military, diplomatic and economic objectives (the abuse of cyberspace)
Capability areas (from the programme diagram)
• Cyber Foundation Capabilities
– Architecture: network management, convergence, resilience, IA, spectrum
– Coalition / Interoperability
– Management: network, spectrum, IA
– Experimentation, simulation & modelling
– Disruptive technology
– Technology Watch
– Fundamental Science
• Information Assurance
– Comms & Networks Assurance
– Information Level Assurance
– Enterprise Services IA
– Crypto
– Foundations of Trust
– IA Human Factors
• Competition focus
– Decision Support
– Situational Awareness
– Cyber Defence
– Human component
– Cyber Offence
The Technical Cooperation Programme
• TTCP is a collaborative research programme between Australia, Canada, New Zealand, the United Kingdom and the United States of America, originally started in 1957
• TTCP has recently set up a strategic Cyber Challenge group
• Adopting the Canadian Automated Computer Network Defence (ARMOUR) framework for collaborative cyber defence work (search for “GD Canada ARMOUR”)
The Defence Context
Complexity
• Large and varied: 70+ countries, 1200 UK sites, 225,000 users
• Deployed elements
• Dynamic
• Outsourced services
The threat, the risk
• Increasing in complexity and scale
– CND + social engineering + insider threat + …………
• “Non-traditional” cyber threats
– Electromagnetic attack
• Arms race
Types of System
• Office-like
• Radio Frequency
• Constrained bandwidth
• High latency
• Platforms
Platforms
• Cyber Physical Systems
• Tight coupling with industry
• Complex
Coalition Working
• Mission Networks
• Allies
– NATO
– 5 Eyes
• Partners
Nirvana
• Respond to the problem before it propagates through the network, causing wider damage
• Improved understanding of what is going on
• Allows for human decision making when required
• Works across the fixed and deployed spaces
• Enables better defence in a coalition
Technical Context
Cyber Defence
• Cyberspace is essential to our operations
• Adversaries will disrupt our systems
• Our defensive response requires
– elements of automation
– human intervention
The Problem
• Concerning MOD systems
– Reliance on cyberspace
– Disruption from cyber attack
– Speed, frequency, targeting, motivation
– Sophisticated, distributed, stealthy
– Unique threats (actors and environment)
– Complex and dynamic
Complexity & Connectivity
The Context
The Need
An automated or semi-automated capability to change systems in response to cyber events
• Research proposals
• Proof-of-concept
• Tools and techniques for planning automated responses to threats and attacks on our systems (N.B. not the defensive tools themselves)
Elements of the defence response
• Collecting information
• Identifying the attack
• Analysing potential courses of action
• Responding
The Solution scope
– Permanent infrastructure and deployed systems
– Different responses
– Human intervention
– Identify defensive actions, processes, contexts
– Significant capability improvement
Scope - Courses of Action
The four elements of the defence response mapped onto the OODA loop:
• Observe – collecting situational awareness data (Collecting information)
• Orient – analysis to determine actual and possible attacks (Identifying the attack)
• Decide – determining/selecting courses of action (Analysing potential courses of action)
• Act – taking the appropriate action (Responding)
Solution architecture constraints
• Other elements already exist
• Function and interfaces not well defined
• Input / Output requirements on other elements
Course of Action – input events
• Predicted / detected attacks
• Attack sources
• Early indicators
• Attack patterns
• Vulnerabilities
• System configuration and management data
• Data sources
Course of Action - responses
• Compartmentalisation and connectivity
• Configuration changes, e.g. firewalls
• Routing
• Access controls and lockdown status
• Service availability
• Attack signatures and patch levels
• Alerts and warnings, staffing levels
• Security operating procedures and controls
Solution Architecture assumptions
• Courses of Action element:
– Define functions / operations / interfaces
– Identify data required / provided
– Identify data sources
• Identify your assumptions
• Identify metrics
• Document test data & tests – data will not be provided by MOD
Course of Action - metrics
• For each response action we need metrics for
– Effective prioritisation
– Response actions vs threat/attack
– Automatic response vs manual intervention
– Impact and risk assessment
• The metrics themselves
– Detailed definition and meaning
– Value ranges
– Use
What we want
• Novel and innovative approaches to developing courses of action
• Final report
• Proof of concept demonstration
• A development plan beyond the initial proof-of-concept phase
• Solutions that consider the breadth of MOD systems, end points, hosts etc.
What we don’t want
• Technology watch or horizon scanning
• Existing technology products and tools
• Demonstrations of the same
• Marginal improvements in capability
• Paper based studies
• Focus / emphasis on presentation layer
• Fully formed user interface
Exploitation – towards phase 2
• Tool or toolset – component of a wider system
• Open source, service oriented architecture
• Specific implementation not decided
• Comms, messaging, data flow through an Enterprise Service Bus
• Potential for collaboration with overseas partners
Solution Architecture – phase 2
Blocks labelled in the phase 2 architecture diagram, all connected through the Enterprise Service Bus:
• Data Analysis and Action: Attack / Incident Analysers, Course of Action Analyser, Response Coordinator
• Data Storage: Course of Action Library and response status
• Data Presentation: Course of Action View
• Data Source Connectors
• Effector Connectors
• Infrastructure Management Systems
• Infrastructure
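The slides on course-of-action inputs, response types, metrics and the phase 2 architecture describe what a Course of Action Analyser consumes and produces without showing how a decision would be made. The following is an added example, not Dstl or CDE code: a minimal analyser that takes an identified-attack event, scores every applicable entry in a small course-of-action library (effectiveness against the attack discounted by detection confidence, minus weighted mission impact and risk), ranks the candidates, and applies a policy gate that decides whether each may run automatically or must be held for a human, before producing the message a Response Coordinator could hand to an effector connector. The metric scales, weights, thresholds, library entries, message schema and the sample event are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Input to the Course of Action element (cf. 'Course of Action – input events')."""
    kind: str            # "detected_attack", "predicted_attack" or "early_indicator"
    pattern: str         # attack pattern / signature family assigned by the identifying element
    source: str          # attack source (constructed address)
    targets: tuple       # affected hosts
    confidence: float    # 0..1 as reported by the identifying element (assumed scale)
    environment: str     # "fixed" or "deployed"


@dataclass(frozen=True)
class Response:
    """Entry in the Course of Action Library; metric ranges are assumptions."""
    name: str
    category: str                  # firewall, compartmentalisation, service_availability, patch_level, alert
    effective_against: frozenset   # attack patterns it counters; empty means any pattern
    effectiveness: float           # 0..1 expected reduction of the attack's effect
    mission_impact: float          # 0..1 disruption to our own users and services
    risk: float                    # 0..1 chance the action itself causes harm
    reversible: bool
    environments: frozenset        # where the action can be applied
    automatable: bool              # may this action ever run without a human?


@dataclass(frozen=True)
class Policy:
    """Thresholds that separate automatic response from manual intervention (assumed values)."""
    impact_weight: float = 0.5
    risk_weight: float = 0.5
    auto_min_confidence: float = 0.8
    auto_max_impact: float = 0.3
    auto_max_risk: float = 0.2
    auto_requires_reversible: bool = True


@dataclass(frozen=True)
class Decision:
    response: Response
    score: float
    mode: str        # "automatic" or "manual"
    reasons: tuple   # why the action was held for a human; empty when automatic


def applicable(event, response):
    """Filter the library to actions that fit this environment and this attack pattern."""
    if event.environment not in response.environments:
        return False
    return not response.effective_against or event.pattern in response.effective_against


def score(event, response, policy):
    """Priority = expected benefit, discounted by detection confidence, minus the cost of acting."""
    benefit = response.effectiveness * event.confidence
    cost = policy.impact_weight * response.mission_impact + policy.risk_weight * response.risk
    return round(benefit - cost, 6)


def gate(event, response, policy):
    """Return the reasons a response must go to a human; an empty tuple means it may run automatically."""
    reasons = []
    if not response.automatable:
        reasons.append("action not approved for automatic execution")
    if event.confidence < policy.auto_min_confidence:
        reasons.append(f"confidence {event.confidence:.2f} below {policy.auto_min_confidence:.2f}")
    if response.mission_impact > policy.auto_max_impact:
        reasons.append(f"mission impact {response.mission_impact:.2f} above {policy.auto_max_impact:.2f}")
    if response.risk > policy.auto_max_risk:
        reasons.append(f"risk {response.risk:.2f} above {policy.auto_max_risk:.2f}")
    if policy.auto_requires_reversible and not response.reversible:
        reasons.append("action is not reversible")
    return tuple(reasons)


def plan(event, library, policy=Policy()):
    """Rank applicable responses and label each as automatic or manual."""
    decisions = []
    for response in library:
        if not applicable(event, response):
            continue
        reasons = gate(event, response, policy)
        mode = "automatic" if not reasons else "manual"
        decisions.append(Decision(response, score(event, response, policy), mode, reasons))
    decisions.sort(key=lambda d: d.score, reverse=True)
    return decisions


def effector_message(event, decision):
    """Message a Response Coordinator could put on the bus for an effector connector (assumed schema)."""
    return {
        "action": decision.response.name,
        "category": decision.response.category,
        "mode": decision.mode,
        "requires_approval": decision.mode == "manual",
        "reasons": list(decision.reasons),
        "source": event.source,
        "targets": list(event.targets),
        "score": decision.score,
    }


# Constructed course-of-action library covering several of the response types listed on the slides.
LIBRARY = (
    Response("block_source_at_boundary", "firewall", frozenset({"c2_beacon", "scan"}),
             0.8, 0.1, 0.1, True, frozenset({"fixed", "deployed"}), True),
    Response("isolate_host", "compartmentalisation", frozenset({"c2_beacon", "lateral_movement"}),
             0.9, 0.5, 0.3, True, frozenset({"fixed"}), True),
    Response("disable_vulnerable_service", "service_availability", frozenset({"exploit_attempt"}),
             0.85, 0.6, 0.2, True, frozenset({"fixed", "deployed"}), True),
    Response("emergency_patch", "patch_level", frozenset({"exploit_attempt"}),
             0.95, 0.4, 0.3, False, frozenset({"fixed"}), False),
    Response("raise_soc_alert", "alert", frozenset(),
             0.2, 0.0, 0.0, True, frozenset({"fixed", "deployed"}), True),
)

# Constructed sample event: a beacon from one workstation to a known command-and-control source.
SAMPLE_EVENT = Event("detected_attack", "c2_beacon", "203.0.113.7", ("ws-0412",), 0.9, "fixed")

if __name__ == "__main__":
    for decision in plan(SAMPLE_EVENT, LIBRARY):
        print(f"{decision.score:+.3f} {decision.mode:9s} {decision.response.name}", *decision.reasons)
```

For the sample event the boundary block ranks first and passes the gate, host isolation ranks second but is held for a human because its impact and risk exceed the automatic thresholds, and the alert ranks last but may run automatically. The same event tagged as coming from a deployed environment drops the isolation action entirely, and a low-confidence early indicator pushes every action to manual, which is the "decision, not action" behaviour the competition asks for.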
Conclusion
In conclusion
• Opportunity!
• Innovation
• Demonstration
• Focus
– Automation
– Course of action
– Decision, not action
Don’t forget!
• Your bid must be made via the CDE Portal
– Emailed proposals will not be accepted
– Don’t leave it until the last minute: the portal can only handle a limited number of concurrent sessions
… and finally …
• Dstl have committed up to £1 million of funding for the initial proof-of-concept demonstrators
• No cap on the value of proposals
– However, it is more likely that a larger number of lower value proposals (e.g. up to £100,000) will be funded at this stage
• Anticipated delivery within 6 months of being on contract (latest – March 2016)
Submissions via the CDE Portal by 1700 Thursday 23rd October 2014
• Technical questions – [email protected]
• CDE questions – [email protected]