CRUSOE: Data Model for Cyber Situational Awareness
Tuesday 28th August, 2018
Martin Husák, Jana Komárková, Martin Laštovička, Daniel Tovarňák
Introduction and Motivation
CRUSOE Data Model Page 2 / 23
Cyber Situational Awareness
Situational Awareness
“Perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future.” [Endsley, 1988]
Network-wide Situational Awareness [Evancich, 2014]
Network Awareness
Threat/Attack Awareness
Operation/Mission Awareness
Prediction & Data Fusion
OODA Loop
Observe, Orient, Decide, Act [Boyd, 1976]
CRUSOE Project
Research of Tools for Cyber Situational Awareness and Decision Support of CSIRT Teams in Protection of Critical Infrastructures
Observe – network and host monitoring
Orient – visualization, incident handling dashboard
Decide – impact assessment, attack countermeasure suggestion
Act – dry-run of attack countermeasures
Contribution
Summary of the requirements on a data model that could be used for capturing cyber situational awareness.
Proposal of a data model that fulfills the requirements, with a detailed description of its entities and relationships.
Description of the data sources that can be utilized to fill the model in a fully automated or semi-automated fashion.
Illustration of how the proposed data model enhances incident response in common scenarios.
Requirements
Interviews with Incident Handlers
Interviews
CSIRT/CERT teams from EU countries
What do you lack in day-to-day operations and incident response?
Common Answers
Criticality estimation of attack target
Vulnerability prioritization and dissemination
Finding responsible person
Selected NATO Use Cases
NATO CDSA RFI
Cyber Defense Situational Awareness Request for Information
35 use cases for cyber defence situational awareness system
UC10 – Single authoritative data source
UC12 – View connections of asset
UC15 – Fuse data
UC03 – Drill down / Roll up
UC06 – View asset dependencies
UC11 – View interconnectivity
Related Work
CyGraph
System for improving cyber security posture
Graph-based data model and database
Layered design: mission readiness, cyber threats, network infrastructure, cyber posture
Other Data Models
M2D2, Virtual Terrain, CAMUS, . . .
Data Model
Proposed Data Model
Key Characteristics
All-embracing, Comprehensive, Attainable, Sustainable, Time-conscious, Extensible
Novelties compared to related work
Adherence to automatically acquirable content
Inclusion of Access Control
Grouping mechanisms – host clustering, etc.
Dependency and redundancy nodes
Layers
Threat Layer
Detection and Response Layer
Host Layer
System Layer
Mission Layer
Access Control Layer
Network Layer
Host Layer
[Diagram: Host Layer. Entities: host, host cluster, physical host, virtual host, network service, software resource, software version, vulnerability, redundancy node, node, device. Relationships: part of, entrypoint, on, is a, hosted on, provides, redundancy, primary instance, has, in, has identity.]
Data mostly obtainable via network monitoring
Clustering and virtualization information inserted manually
System Layer
[Diagram: System Layer. Entities: software resource, redundancy node, component, dependency node, confidentiality req., integrity req., availability req., organization unit, data, application, mission. Relationships: redundancy, primary instance, provided by, depends on, dependency, for, on, present on, has identity, supports.]
Connects network hosts with components of critical systems
Describes distribution of sensitive data
Network Layer
[Diagram: Network Layer. Entities: IP, domain name, node, organization unit, host, subnet, security event, observation point. Relationships: resolves to, is a, has assigned, connected, part of, target/source.]
Network topology, connections with organization units
Detection and Response Layer
[Diagram: Detection and Response Layer. Entities: vulnerability, security event, incident, response, detection system, user, IP, observation point, data input, node. Relationships: refers to, relates to, response to, raises, target/source, is a.]
Placement of intrusion detection systems
History of security incidents
Access Control Layer
[Diagram: Access Control Layer. Entities: host, device, component, application, role, user, group, availability req., organization unit, subnet, permission. Relationships: has identity, to, assigned to, member of, for, part of, has.]
Mission Layer
[Diagram: Mission Layer. Entities: component, confidentiality req., integrity req., availability req., organization unit, data, mission. Relationships: for, on, present on, supports, imposes.]
Threat Layer
[Diagram: Threat Layer. Entities: software resource, vulnerability, software version, CVE, security event. Relationships: in, refers to, subversion, has.]
Enumeration of vulnerabilities related to software resources
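The Threat, Host and System layers above, as an added example that is not part of the slides or the CRUSOE repository: a toy in-memory graph built from the slides' entity and relationship names (edge directions, the sample nodes and the placeholder CVE id are all assumptions), queried to estimate which missions a vulnerable host puts at risk, i.e. the drill-down/roll-up and asset-dependency use cases (UC03, UC06) and the interview answer "criticality estimation of attack target".

```python
# Added example, not code from the CRUSOE slides or repository: a toy graph using
# entity and relationship names from the Host, System and Threat layer slides.
# Edge directions and all sample nodes are assumptions (constructed data).
from collections import defaultdict, deque

class CrusoeGraph:
    """Directed labelled graph: (node, relation) -> neighbours, both ways."""
    def __init__(self):
        self.fwd = defaultdict(set)  # (src, rel) -> targets
        self.rev = defaultdict(set)  # (dst, rel) -> sources

    def add(self, src, rel, dst):
        self.fwd[(src, rel)].add(dst)
        self.rev[(dst, rel)].add(src)

    def hosts_affected_by(self, cve):
        """Threat layer: CVE -refers to-> vulnerability -in-> software version;
        Host layer: host -has-> software version (directions assumed)."""
        hosts = set()
        for vuln in self.fwd[(cve, "refers to")]:
            for sw in self.fwd[(vuln, "in")]:
                hosts |= self.rev[(sw, "has")]
        return hosts

    def missions_at_risk(self, cve):
        """System layer roll-up (UC03/UC06): host <-provided by- component, walk
        'depends on' edges in reverse to dependents, then -supports-> mission."""
        todo = deque(c for h in self.hosts_affected_by(cve)
                     for c in self.rev[(h, "provided by")])
        seen = set()
        while todo:  # BFS; 'seen' guards against dependency cycles
            comp = todo.popleft()
            if comp not in seen:
                seen.add(comp)
                todo.extend(self.rev[(comp, "depends on")])
        return {m for c in seen for m in self.fwd[(c, "supports")]}

def build_sample():
    """Constructed sample data; the CVE id is a placeholder, not a real one."""
    g = CrusoeGraph()
    g.add("CVE-0000-0000", "refers to", "vuln-1")
    g.add("vuln-1", "in", "httpd 2.4 (sample)")
    g.add("host-web-1", "has", "httpd 2.4 (sample)")
    g.add("web-frontend", "provided by", "host-web-1")
    g.add("db-backend", "provided by", "host-db-1")
    g.add("web-frontend", "depends on", "db-backend")   # frontend needs the DB
    g.add("ticketing", "depends on", "web-frontend")
    g.add("ticketing", "supports", "mission: incident handling")
    g.add("db-backend", "supports", "mission: records retention")
    return g
```

Because "depends on" is walked against its direction, a vulnerable web host rolls up to the ticketing mission but not to the records-retention mission served by the database it merely consumes.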
Conclusion
Conclusion and Future Work
Conclusion
Seven-layer model for cyber situational awareness, automation of obtaining data preferred, novel concepts included (access control, host clustering, etc.), evaluated through discussions with incident handlers.
https://github.com/CSIRT-MU/CRUSOE-Data-Model
Future Work
Implementation of cyber situational awareness system.
Further examination of available data sources.