Paul Beraud, Alen Cruz, Suzanne Hassell, Juan Sandoval, Jeffrey J Wiley
November 15th, 2010
CRW’: NETWORK MANEUVER COMMANDER – Resilient Cyber Defense
Copyright © 2010 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.
Page 2 (3/3/2016)
Agenda
Introduction – Overview of the project and topic
Discussion – Hacking process, cyber defense goals, and decision framework
– Analysis framework, NMC architecture, and network collection points
Metrics – Development and collection of cyber dynamic defense metrics
Results – Research results from demonstration of Network Maneuver Commander
Conclusion – Recommendations, conclusions, and future work
Questions
Page 3
Introduction
Goals of Resilient Active Cyber Defense
– Increase cost to the attacker
– Increase the uncertainty that the attack was successful
– Increase chance of detection and attribution
– Minimize the magnitude of the attacker’s effect, survive
Network Maneuver Commander supports these goals through artificial diversity, randomization, non-persistence and deception.
Page 4
Research History
Network Maneuver Commander (NMC)
– Internal research project funded by Raytheon Company, started in March 2009
– Goals:
  Develop a prototype cyber command and control (C2) system that maneuvers network-based elements preemptively
  Develop performance metrics to evaluate cyber dynamic defense solutions
Cyber Defense
– Conventionally, cyber defense employs defense in depth, concentrated on perimeter protection and patching known attack vectors at each layer
– NMC’s maneuvering capability enhances each of the defense layers by introducing artificial diversity of components (hardware, operating systems, etc.)
Project Provides Cyber Dynamic Defense and Metrics to Evaluate this Class of Techniques
Page 5
Network Maneuver Commander
Page 6
Characterizing Cyber Attacks
The Hacking Process
– Footprint: identify network addresses
– Scan: identify hosts, operating systems, services
– Enumerate: identify accounts and shares
– Gain Access: attempt access to host
– Escalate Privileges: gain control of host
– Pilfer: search and retrieve data
Page 7
Randomized Decision Framework
Decision Framework enables the NMC to maneuver elements
Parameters:
– Diversity
– Move interval
– Geographic destination
Page 8
Discussion
Analysis Framework
– Force-on-force simulation
– Each attack is treated independently
– Statistics on attacks and defenses are aggregated for resulting metrics
NMC Architecture
– Collection of loosely coupled services
– Orchestrated via Enterprise Service Bus
– Generic plug-in framework to support new applications
Network Collection Points
– Capture of metrics through:
  Extension of existing tools
  Mining data already collected
Page 9
Metrics
Basis for many metrics is time
– Used to measure an attack’s progress
– Used to quantify the cost to the attacker
Metric calculations defined include
– Percent of successful attacks
– Percent of partially successful attacks
– Mean number of attack disruptions
– Time spent per phase
– Duration of successful attack
– Defensive efficiency
– Defense factor
Metrics collection in the network
– Defined possible methods and tools
Metrics Evaluate Pro-Active Dynamic Defense Methods
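As an added example (not from the slides and not Raytheon's NMC code), the following Python toy ties the preceding slides together: the six hacking phases, the randomized move interval of the decision framework, an independent force-on-force attack run, and the time-based metrics listed on this slide. Everything in it is constructed and assumed: the per-phase attack durations, the rule that a maneuver landing mid-phase sends the attacker back to footprinting, the attacker's time budget, and the +/-25% jitter on the move interval. Defense factor and defensive efficiency are named but not defined on the slides, so they are not computed.

```python
"""Toy force-on-force simulation of maneuvering against a phased attack.

Added example, not part of the original slides or of the NMC implementation.
Assumptions: an attack walks the six hacking phases in order, each taking a
fixed time; a maneuver that lands before a phase finishes discards all of the
attacker's progress (the moved element must be re-footprinted) and counts as
one disruption; the attacker gives up when its time budget runs out.
"""
import random
from dataclasses import dataclass
from statistics import mean

# The hacking process as listed on the slide, in order.
PHASES = ["footprint", "scan", "enumerate", "gain_access", "escalate", "pilfer"]


@dataclass
class AttackRecord:
    phases_completed: int   # furthest phase the attacker ever completed
    disruptions: int        # maneuvers that reset the attacker's progress
    phase_times: dict       # phase name -> total time the attacker spent in it
    duration: float         # time from attack start to success or give-up

    @property
    def successful(self) -> bool:
        return self.phases_completed == len(PHASES)

    @property
    def partial(self) -> bool:
        return 0 < self.phases_completed < len(PHASES)


def randomized_moves(min_interval, max_interval, horizon, seed=0):
    """Randomized 'move interval' parameter: maneuver times whose gaps are
    drawn uniformly from [min_interval, max_interval] until the horizon."""
    rng = random.Random(seed)
    moves, t = [], 0.0
    while True:
        t += rng.uniform(min_interval, max_interval)
        if t >= horizon:
            return moves
        moves.append(t)


def simulate_attack(phase_durations, move_times, budget):
    """Run one attack, treated independently as on the Analysis Framework slide."""
    moves = sorted(move_times)
    t, i, best, disruptions = 0.0, 0, 0, 0
    times = {p: 0.0 for p in PHASES}
    while i < len(PHASES) and t < budget:
        phase = PHASES[i]
        finish = t + phase_durations[i]
        if moves and moves[0] < min(finish, budget):
            # The element moved mid-phase: time spent is sunk, start over.
            m = moves.pop(0)
            times[phase] += m - t
            t, i, disruptions = m, 0, disruptions + 1
        elif finish > budget:
            # Attacker runs out of time part-way through this phase.
            times[phase] += budget - t
            t = budget
        else:
            times[phase] += phase_durations[i]
            t, i = finish, i + 1
            best = max(best, i)
    return AttackRecord(best, disruptions, times, t)


def metrics(records):
    """Time-based metrics named on the Metrics slide (defense factor and
    defensive efficiency are not defined there and are left out)."""
    n = len(records)
    wins = [r for r in records if r.successful]
    return {
        "percent_successful": 100.0 * len(wins) / n,
        "percent_partial": 100.0 * sum(r.partial for r in records) / n,
        "mean_disruptions": mean(r.disruptions for r in records),
        "mean_time_per_phase": {p: mean(r.phase_times[p] for r in records) for p in PHASES},
        "mean_successful_duration": mean(r.duration for r in wins) if wins else None,
    }


def sweep(phase_durations, intervals, attacks=200, budget=100.0, seed=1):
    """Percent of successful attacks per candidate move interval (jittered
    +/-25%), the kind of sweep used to choose a maneuver rate."""
    rng = random.Random(seed)
    out = {}
    for iv in intervals:
        recs = [simulate_attack(phase_durations,
                                randomized_moves(0.75 * iv, 1.25 * iv, budget, seed=rng.randrange(1 << 30)),
                                budget)
                for _ in range(attacks)]
        out[iv] = metrics(recs)["percent_successful"]
    return out


if __name__ == "__main__":
    # Constructed phase durations (time units): a static target falls in 10.
    durations = [1, 1, 1, 2, 2, 3]
    for iv, pct in sweep(durations, [5, 10, 20, 40, 80]).items():
        print(f"move interval {iv:>3}: {pct:5.1f}% of attacks succeed")
```

Under these assumptions no attack can succeed while the longest possible gap between moves is shorter than the static attack time, and every attack succeeds once the first move lands after it; the sweep shows where the success rate moves between those extremes, which is the quantity the metrics are meant to expose when comparing defense configurations.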
Page 10
Results
Demonstration included
– Movement of resources across:
  Platforms
  Virtual partitions
  Physical locations
  Hypervisor vendors
– Deployment and maneuvering of:
  Data
  Applications
  Network addresses
Results captured on a variety of simulated scenarios
– Varying network sizes, defense factor, threat profile, etc.
Displayed the Effectiveness of NMC Using the Newly Defined Metrics
Page 11
Conclusion
Based on simulations and testing with real applications
– Maneuvering, artificial diversity and cleansing provide:
  Improved intrusion tolerance - lower percentage of attacks were successful
  Increased cost to attackers - more resources expended
– Optimal maneuver frequency: 2X time of attack on static network
Metrics allow for characterization of NMC and other cyber defense systems
– Can be used to find optimal configuration of defenses for given threats
Raytheon Continues Research in Area, Exploring Candidate Algorithms and Technologies
Page 12
Challenges
– Technologies not designed to support resiliency
– Coordination difficult (interfaces)
– Visualization/Operational Metrics
– Vendor Licensing Models
Page 13
Questions?