Developing Systems for Cyber Situational Awareness* - James Okolica - PowerPoint PPT Presentation



SLIDE 1

Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence

Air Force Institute of Technology

Developing Systems for Cyber Situational Awareness*

James Okolica, J. Todd McDonald, Gilbert L. Peterson, Robert F. Mills, and Michael W. Haas
Center for Cyberspace Research, Air Force Institute of Technology, WPAFB, OH

*The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government
SLIDE 2

Overview

  • Defining Cyber Situational Awareness
  • The Cyber SA Problem Space
  • Developing a Cyber SA System
  • The Perception/Prediction Loop
  • Understanding the Environment
  • Putting it all together
  • Future Work
SLIDE 3

The Problem

  • April 28, 2007 - Distributed denial of service (DDoS) attacks began on a media website in Estonia and would later spread to Estonia's critical infrastructure, including banks, ministries, and police.
  • Feb 18, 2001 - Robert Hanssen arrested for selling American secrets to Moscow for 22 years

SLIDE 4

Situational Awareness

SLIDE 5

Cyber SA

SLIDE 6

Cyber SA

Perception / Comprehension

SLIDE 7

Cyber SA

SLIDE 8

Insider Threat Cyber SA

Threats: Nation state, Non-nation state, Petty Crime/Hackers, Insiders

Sense, Evaluate, Assess across Individual Devices, the Data Environment, and the Business/Mission Environment

  • Email
  • Application Logs: User applications, Proxy server apps, Firewall server apps, Other server apps
  • System Logs: Registry, Ports, Processes, DLLs
  • Packet Traffic: Firewall, Anti-Virus, Intrusion Detection Systems
  • Content: EXE files, Documents, Images, …
  • Memory: Page Files
  • Mission Impact: Disaster Planning, Mission Efficiencies

Vulnerabilities: Data (e.g., backdoor), System (e.g., rootkit)

Off. Operation: Data Exfiltration, Data Modification, Attack Preparation, Network Mapping

SLIDE 9

Perception/Prediction Loop

  • Model the Attack Process
  • Extract sensor requirements for each step in the process
  • Categorize sensors as:
    • Distant Early Warning (DEW) line sensors – minimal footprint on host systems, provide a high confidence of anomaly detection (lots of false positives)
    • Focused sensors – more intrusive, processor-intensive sensors that are tailored to detecting much more specific attacks
  • Develop and deploy sensors
  • Activate DEW line sensors
  • When the DEW line is tripped, activate the focused sensors
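The two-tier loop on this slide, as an added example (not code from the presentation): a cheap, over-sensitive DEW line sensor runs on every event, and only a host that trips it gets the expensive focused sensor for a window. The sensor rules, thresholds, hosts and event timeline are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    t: int        # seconds since start (constructed timeline)
    host: str
    kind: str     # "net_conn" or "file_read" in this sample
    detail: dict  # e.g. {"pid": 42, "bytes": 50_000_000}

def dew_outbound_burst(window, ev):
    """DEW line: cheap sliding-window count, trips on >5 outbound connections in 60 s."""
    return sum(1 for e in window if e.host == ev.host and e.kind == "net_conn"
               and ev.t - e.t <= 60) > 5

def focused_staged_exfil(window, ev):
    """Focused: >10 MB file read followed within 5 min by a connection from the same pid."""
    if ev.kind != "net_conn":
        return False
    pid = ev.detail.get("pid")
    return any(e.host == ev.host and e.kind == "file_read" and e.detail.get("pid") == pid
               and e.detail.get("bytes", 0) > 10_000_000 and 0 <= ev.t - e.t <= 300
               for e in window)

class PerceptionLoop:
    def __init__(self, dew, focused, focus_secs=300):
        self.dew, self.focused, self.focus_secs = dew, focused, focus_secs
        self.window = []                     # retained events for correlation
        self.focus_until = defaultdict(int)  # host -> time until focused sensors stay active
        self.focused_runs = 0                # cost accounting: how often the expensive tier ran

    def process(self, ev):
        """Run the DEW tier on every event; run the focused tier only for tripped hosts."""
        self.window.append(ev)
        tripped = any(s(self.window, ev) for s in self.dew)
        if tripped:
            self.focus_until[ev.host] = ev.t + self.focus_secs
        alert = False
        if ev.t < self.focus_until[ev.host]:
            self.focused_runs += 1
            alert = any(s(self.window, ev) for s in self.focused)
        return tripped, alert

def run_sample():
    """Constructed events: ws-7 stages a 50 MB read then bursts; ws-3 is a noisy browser."""
    events = [Event(0, "ws-7", "file_read", {"pid": 42, "bytes": 50_000_000})]
    events += [Event(10 * i, "ws-7", "net_conn", {"pid": 42}) for i in range(1, 7)]
    events += [Event(10 * i, "ws-3", "net_conn", {"pid": 7}) for i in range(7)]
    loop = PerceptionLoop([dew_outbound_burst], [focused_staged_exfil])
    out = [(ev.host, *loop.process(ev)) for ev in sorted(events, key=lambda e: e.t)]
    return {h for h, d, _ in out if d}, {h for h, _, a in out if a}, loop.focused_runs
```

Both hosts trip the DEW line (the browser burst is the expected false positive), the focused tier runs only three times, and only ws-7 produces an alert; a host that stays under the DEW threshold never gets the focused check, which is the recall cost of the tiered design.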
SLIDE 10

Multi-level Comprehension

SLIDE 11

Developing a Cyber SA System

  • 1. Model the Attack Process
  • 2a. Operational Language Describing Operational Process
  • 2b. System Language Describing Systems
  • 2c. Relationships between System and Operational Languages
  • 3. Sensor Requirements
  • 4. Correlation/Comprehension Engines
  • 5. Visualization Tools

SLIDE 12

Next Steps

  • Develop Cyber Attack Models for multiple types of attacks
  • Extract requirements and develop sensors
SLIDE 13

What about BPM?

  • Organizational design may oppose BPM - stature measured by how large / how much money
  • Wisdom of putting BPM on a networked computer
  • Cyber SA is in place to secure the network
  • However, Cyber SA depends on BPM for mission impact
  • BPM defines critical nodes and single points of failure
  • Tradeoff:
    • Increased responsiveness & improved management situational awareness
    • Greater vulnerability to precision attack
SLIDE 14

Questions

?

SLIDE 15

Backup Slides

SLIDE 16

Cyber SA Environment

SLIDE 17

IDMEF Data Model

IDMEF-Message
  • Alert: Analyzer, CreateTime, DetectTime, AnalyzeTime, Source, Target, Classification, Assessment, AdditionalData
    • Source: Node, User, Process, Service
    • Target: Node, User, Process, Service, File
  • Heartbeat: Analyzer, CreateTime, AdditionalData
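An Alert shaped like this data model, built and read back with the standard library, as an added example (not from the deck): IDMEF-Message, Alert with Analyzer, CreateTime, Source and Target (each a Node, the Target also a Process), and Classification, in the RFC 4765 XML namespace. The analyzer id, addresses, process, classification text and the ntpstamp value are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"   # IDMEF namespace, RFC 4765
ET.register_namespace("idmef", NS)

def q(tag):
    """Qualify a tag name with the IDMEF namespace."""
    return f"{{{NS}}}{tag}"

def build_alert(msg_id, analyzer_id, created, src_ip, tgt_ip, proc_name, pid, text):
    """Construct Alert -> Analyzer, CreateTime, Source(Node), Target(Node, Process), Classification."""
    msg = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(msg, q("Alert"), {"messageid": msg_id})
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzer_id})
    # ntpstamp is mandatory in the RFC; the value below is a constructed placeholder.
    ET.SubElement(alert, q("CreateTime"), {"ntpstamp": "0x00000000.0x00000000"}).text = created
    for role, ip in (("Source", src_ip), ("Target", tgt_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(role)), q("Node"))
        addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
        ET.SubElement(addr, q("address")).text = ip
    proc = ET.SubElement(alert.find(q("Target")), q("Process"))
    ET.SubElement(proc, q("name")).text = proc_name
    ET.SubElement(proc, q("pid")).text = str(pid)
    ET.SubElement(alert, q("Classification"), {"text": text})
    return ET.tostring(msg, encoding="unicode")

def summarize(xml_text):
    """Pull out the fields a correlation/comprehension engine would key on."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    def ip(role):
        return alert.findtext(f"{q(role)}/{q('Node')}/{q('Address')}/{q('address')}")
    return {
        "id": alert.get("messageid"),
        "analyzer": alert.find(q("Analyzer")).get("analyzerid"),
        "created": alert.findtext(q("CreateTime")),
        "source": ip("Source"),
        "target": ip("Target"),
        "process": alert.findtext(f"{q('Target')}/{q('Process')}/{q('name')}"),
        "pid": int(alert.findtext(f"{q('Target')}/{q('Process')}/{q('pid')}")),
        "classification": alert.find(q("Classification")).get("text"),
    }

def example():
    """Constructed alert of the kind a focused host sensor might emit."""
    return summarize(build_alert("msg-1", "hids-ws7", "2024-01-01T00:00:00Z",
                                 "192.0.2.10", "192.0.2.77", "updater.exe", 4212,
                                 "Staged exfiltration"))
```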

SLIDE 18

Target Centric Ontology

  • HOST
    • System Component: Network, System, Process
  • Attack: Input, Means, Location, Consequence
    • Input: TCP/IP (IP, TCP, UDP), TCP Socket, UDP Socket
    • Means: Input Validation Error (Buffer Overflow); Logic Exploit (Exception Condition, Race Condition, Serialization Error, Atomicity Error)
    • Location: Local, Remote
    • Consequence: Denial of Service, Remote to Local, User to Root, Probe
  • Relations: Victim Of, Effected By, Causing, Sub class Of

SLIDE 19

Information Relativity

  • Consider the data object "mission"
  • Does an object mean different things at different levels?
  • Does an object mean different things within a level depending on the producer/consumer of the object?