Cyber defense management
Session objectives

Defensive system performance:
- Which components are not performing as expected?
- Where are there overlaps in defensive coverage?
- Where are there gaps?

Students should be able to understand:
- the difference between threat, risk, attack and vulnerability
- how threats materialize into attacks
- where to find information about threats, vulnerabilities and attacks
- typical threats, attacks and exploits, and the motivations behind them
- at a high level, how example attacks work (e.g. DDoS, phishing and buffer overflow)
- how users are targeted in an attack and why this must be considered in defending against such attacks
- the concept of a threat landscape, its dynamic nature, and how to create a landscape for an organization
- how to classify threats, with example categories
- that there are different attacks with different patterns and different steps; for example, be able to compare a DDoS to an attack designed to copy information
- that there are different types of malware (for example viruses, Trojans and spyware), their distribution mechanisms, and a detailed understanding of how they compromise information and systems
- that attacks can be combined for greater effect (e.g. a phishing email followed by a social engineering phone call)
Framework components: Framework Core, Framework Tiers, Framework Profile

Framework Core
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
Cyber defense management
- What level of cyber protection currently exists?
- What is your resilience to different kinds and levels of cyber-attacks?
- What are your investment priorities?
- Assess (for example, operationally test) program security and cybersecurity methods and techniques. For what level of cyber threat? In a contested environment!
- Your cybersecurity responsibilities compared to shared cybersecurity responsibilities
Current Cyber Protection
Addressing known threats “Most cyber defense systems today are based on a priori knowledge assumptions, in which the defender has optimized their system to address known threats, and is less well protected against unknown threats.” (p. 19)
DoD FISMA Reporting “DoD’s information security program did not receive an effective rating.”
Defender’s dilemma (p. 32)
- The defender has to protect all points.
- The attacker will attack the weakest point.
- The attacker has the advantage.
Threat matrix (Defense Science Board, 2016, p. 21)
Sliding scale of cybersecurity (p. 14)
Resilience to Cyber Attacks
Cyber paradox “The paradox of cyber for modern warfare is that states may become extremely effective … as states become more dominant and move from digital enablement to digital dependence, they also become more reliant on networks to conduct operations, thus making them vulnerable.” (p. 4)
Acquisition vignette
Contested environment (p. 4)
“Training scenarios and exercises should reflect advanced contested environments”
“Maintain operational effectiveness while absorbing successful attacks”
“Operational movement and maneuver requires multiple agencies and CCMDs to plan, train, exercise, and execute together.”
Attack scenarios
Known vulnerabilities “But researchers say they have discovered significant holes in the three key technologies sailors use to navigate: GPS, marine Automatic Identification System (AIS), and a system for viewing digital nautical charts called Electronic Chart Display and Information System (ECDIS).” (p. 1)
Threat – GPS spoofing. Available at http://radionavlab.ae.utexas.edu/index.php?option=com_content&view=category&layout=blog&id=29&Itemid=2
Outcome – maritime collision
Threat concerns. Core questions:
- What is the potential loss from a successful attack?
- What is the likelihood?
- What is our tolerance for such a loss?
- What is our strategy to mitigate or manage this loss?
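The four core questions above can be answered for a whole threat register at once: loss times likelihood gives an annualized loss expectancy, which is compared against a loss tolerance, and each candidate control is judged on cost plus the loss it leaves behind. The following is an added example written for this page, not code from the slides or the cited reports; every scenario, control, dollar figure and rate in it is constructed for illustration.

```python
"""Quantitative triage for the four core threat questions on this slide:
potential loss, likelihood, tolerance, and mitigation strategy.

Added example, not from the original slides. Every figure, scenario and
control below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float   # potential loss from one successful attack (USD)
    annual_rate: float   # expected successful attacks per year (likelihood)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # what the control costs per year (USD)
    rate_reduction: float  # fraction of annual_rate the control removes (0..1)
    loss_reduction: float  # fraction of single_loss the control removes (0..1)


def annual_loss(s: Scenario, c: Optional[Control] = None) -> float:
    """Annualized loss expectancy = single-loss expectancy x annual rate,
    with a control's reductions applied when one is given."""
    rate, loss = s.annual_rate, s.single_loss
    if c is not None:
        rate *= 1.0 - c.rate_reduction
        loss *= 1.0 - c.loss_reduction
    return rate * loss


def choose_strategy(s: Scenario, tolerance: float,
                    controls: List[Control]) -> Tuple[str, Optional[str], float]:
    """Return (decision, control name or None, residual annual loss).

    accept   : inherent loss is already within tolerance, spend nothing
    mitigate : pick the control whose cost plus residual loss is lowest
               among those that bring the residual loss within tolerance
    escalate : no single control reaches tolerance; the loss must be
               transferred, avoided, or the tolerance revisited
    """
    inherent = annual_loss(s)
    if inherent <= tolerance:
        return ("accept", None, inherent)
    affordable = [(c.annual_cost + annual_loss(s, c), c) for c in controls
                  if annual_loss(s, c) <= tolerance]
    if not affordable:
        return ("escalate", None, inherent)
    _, best = min(affordable, key=lambda t: t[0])
    return ("mitigate", best.name, annual_loss(s, best))


# Constructed register: each scenario with the controls that apply to it.
REGISTER: List[Tuple[Scenario, List[Control]]] = [
    (Scenario("ransomware on file servers", 2_000_000, 0.3), [
        Control("offline immutable backups", 80_000, 0.0, 0.8),
        Control("EDR with host isolation", 200_000, 0.5, 0.5),
        Control("backups + EDR", 280_000, 0.5, 0.9),
    ]),
    (Scenario("phishing-led credential theft", 150_000, 2.0), [
        Control("awareness training", 30_000, 0.3, 0.0),
        Control("phishing-resistant MFA", 120_000, 0.9, 0.0),
    ]),
    (Scenario("public web defacement", 20_000, 0.5), []),
    (Scenario("nation-state exfiltration of design data", 50_000_000, 0.05), [
        Control("data segmentation and DLP", 500_000, 0.5, 0.4),
    ]),
]


def triage(tolerance: float) -> Dict[str, Tuple[str, Optional[str], float]]:
    """Apply choose_strategy to every scenario at one loss tolerance."""
    return {s.name: choose_strategy(s, tolerance, ctrls) for s, ctrls in REGISTER}


if __name__ == "__main__":
    for name, (decision, control, residual) in triage(150_000).items():
        print(f"{name:45s} {decision:9s} {control or '-':28s} {residual:>14,.0f}")
```

Run with a tolerance of 150,000 per year, the ransomware scenario is mitigated with the cheapest control that gets under tolerance (backups, residual about 120,000) rather than the control with the lowest residual; tightening the tolerance to 50,000 flips that choice to the combined control. The exfiltration scenario comes back as "escalate" because no listed control reaches tolerance, which is the signal to transfer or avoid the risk, or to revisit the tolerance itself.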
Investment Priorities
Integration “Many cybersecurity requirements originate from mission objectives, laws, regulation, and policy. These must be aligned and deconflicted so that organizational cybersecurity dependencies become apparent. The requirements are then integrated into organizational cybersecurity risk management strategy and supportive activities. Those same requirements inform decision making about provisioning secure systems.” (p. 23)
DoD Cyber Strategy
Capability opportunities by fiscal year
FY15: 1 Capability B; 2 Capability D; 3 Capability G; 4 Capability J; 5 Capability L; 6 Capability P; 7 Capability AB
FY16: 8 Capability C; 9 Capability I; 10 Capability K; 11 Capability M; 12 Capability P Enhancement; 13 Capability R; 14 Capability AD
FY17: 15 Capability E; 16 Capability J Enhancement; 17 Capability K Enhancement; 18 Capability N; 19 Capability Q; 20 Capability T; 21 Capability W; 22 Capability X; 23 Capability AB Enhancement; 24 Capability AD Enhancement; 25 Capability AH; 26 Capability AJ; 27 Capability AM; 28 Capability AR; 29 Capability AX; 30 Capability BB; 31 Capability BC; 32 Capability BF; 33 Capability BJ
Use of the Cybersecurity Framework allows a mapping of security capabilities to Function (Identify, Protect, Detect, Respond and Recover). Great idea for a future investment strategy to identify gaps!
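The mapping the slide proposes, and the gap and overlap questions from the session objectives, can be made mechanical: tag every capability with the Framework Categories it delivers, then count per Category. The block below is an added example for this page, not code from the slides or from NIST. The Protect, Detect, Respond and Recover Categories are the ones quoted in the Framework Core text above; the Identify Categories are taken from Cybersecurity Framework v1.1, which the page does not enumerate. The capability descriptions in parentheses and their mappings are constructed, reusing the slide's anonymous capability labels.

```python
"""Map security capabilities to Cybersecurity Framework Functions and
Categories, then list coverage gaps and overlaps.

Added example, not from the original slides. Protect/Detect/Respond/
Recover Categories are as quoted on the page; Identify Categories are
from CSF v1.1. Capability descriptions and mappings are constructed.
"""
from typing import Dict, List, Set, Tuple

FRAMEWORK: Dict[str, List[str]] = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy",
                 "Supply Chain Risk Management"],
    "Protect": ["Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures",
                "Maintenance", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}

# Keys are "Function/Category" because Communications and Improvements
# appear under both Respond and Recover and must stay distinct.
ALL_KEYS: List[str] = [f"{fn}/{cat}" for fn, cats in FRAMEWORK.items() for cat in cats]

# Constructed capability inventory (hypothetical descriptions and mappings).
CAPABILITIES: Dict[str, Set[str]] = {
    "Capability B (asset inventory)": {"Identify/Asset Management"},
    "Capability D (multi-factor authentication)": {"Protect/Access Control"},
    "Capability G (SIEM)": {"Detect/Security Continuous Monitoring",
                            "Detect/Anomalies and Events"},
    "Capability J (EDR)": {"Detect/Security Continuous Monitoring",
                           "Detect/Anomalies and Events",
                           "Respond/Mitigation"},
    "Capability L (incident response playbooks)": {
        "Respond/Response Planning", "Respond/Analysis", "Respond/Communications"},
    "Capability P (offline backups)": {"Recover/Recovery Planning"},
}


def coverage(capabilities: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return every Function/Category key with the sorted capabilities
    mapped to it. Unknown keys are rejected so a typo cannot hide a gap."""
    cov: Dict[str, List[str]] = {k: [] for k in ALL_KEYS}
    for name, keys in capabilities.items():
        for k in keys:
            if k not in cov:
                raise ValueError(f"{name!r} maps to unknown key {k!r}")
            cov[k].append(name)
    return {k: sorted(v) for k, v in cov.items()}


def gaps(cov: Dict[str, List[str]]) -> List[str]:
    """Categories no capability delivers."""
    return sorted(k for k, names in cov.items() if not names)


def overlaps(cov: Dict[str, List[str]], threshold: int = 2) -> Dict[str, List[str]]:
    """Categories delivered by at least `threshold` capabilities."""
    return {k: names for k, names in cov.items() if len(names) >= threshold}


def function_summary(cov: Dict[str, List[str]]) -> Dict[str, Tuple[int, int]]:
    """(covered, total) Category counts per Function."""
    out: Dict[str, Tuple[int, int]] = {}
    for fn, cats in FRAMEWORK.items():
        covered = sum(1 for cat in cats if cov[f"{fn}/{cat}"])
        out[fn] = (covered, len(cats))
    return out


if __name__ == "__main__":
    cov = coverage(CAPABILITIES)
    for fn, (c, t) in function_summary(cov).items():
        print(f"{fn:9s} {c}/{t} Categories covered")
    print("gaps:", *gaps(cov), sep="\n  ")
    print("overlaps:", *(f"{k}: {', '.join(v)}" for k, v in overlaps(cov).items()),
          sep="\n  ")
```

With the constructed inventory, Detect is the only Function with duplicated coverage (the SIEM and EDR both claim monitoring and anomaly detection), while Protect is covered in one Category out of six, which is the kind of result that should drive the next fiscal year's capability list. Mapping is to Categories rather than to Functions alone because a Function-level count would report Protect as "covered" on the strength of one access control capability.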
Strategy example
Risk diagram “The five Functions also balance prevention and reaction, including preparatory activities to enable the best possible outcome from that reaction. This balance allows Functions to act as a high level expression of risk management strategy and structure for risk assessment.” (p. 28)
Questions
Automated attacks
“With an APT, the attacker is actively hunting for weaknesses in the defender’s security and patiently waiting for the defender to make a mistake.”
The “hunting for weaknesses” activity will be automated to a degree that is not currently possible, and may occur faster than human-controlled defenses could effectively operate.
“Any actor with the financial resources to buy an AI APT system could gain access to tremendous offensive cyber capability” (p. 19)