MULTINATIONAL - MN CD2 Cyber Defence Capability Development - 3rd Smart Defence Projects Conference - NATO UNCLASSIFIED - Lisbon, 27-28 April 2017


Page 1

MULTINATIONAL

MN CD2 – Cyber Defence Capability Development

3rd Smart Defence Projects Conference

- NATO UNCLASSIFIED -

Lisbon, 27-28 April 2017

Page 2

AGENDA

1. MNCD2 program context

2. Distributed Multisource Collection and Correlation Infrastructure

3. Cyber Security Assessment Team

4. Cyber Information and Incident Coordination System

5. Dynamic Network Enumeration

6. Semi-Automated Responses

7. Cyber Defence Situational Awareness

8. Future Work

9. Concluding remarks

Page 3

MNCD2 PROJECT CONTEXT

Page 4

MNCD2 PROJECT CONTEXT

Smart Defence? ‘It is a renewed culture of cooperation that encourages Allies to cooperate in developing, acquiring and maintaining military capabilities to undertake the Alliance’s essential core tasks agreed in the new NATO strategic concept.’

‘That means pooling and sharing capabilities, setting priorities and coordinating efforts better.’

CLOSING CAPABILITY GAPS

COALITIONS OF THE WILLING

BENEFITS FOR THE PARTICIPATING NATIONS

WIN – WIN?

Page 5

MNCD2 PROJECT CONTEXT

Key Principles

❉ EFFICIENCY

❉ EFFECTIVENESS

❉ AGILITY

❉ FLEXIBILITY

❉ LEVERAGE THE EXISTING

❉ SEEK INTEROPERABLE DESIGN AND SOLUTIONS

Page 6

MNCD2 PROJECT CONTEXT

Investment 2013 - 2017

€ 3.616.000

Page 7

MNCD2 PROJECT CONTEXT

Cyber Information and Incident Coordination System

Distributed Multi-sensor Collection and Correlation Infrastructure

Cyber Defence Situational Awareness

Cyber Security Assessment Team

Semi-Automated Responses

Dynamic Network Enumeration

PROCUREMENT OPTIONS

IN PROGRESS

IN PROGRESS

IN PROGRESS

IN PROGRESS

OPERATIONAL

Page 8

MNCD2 PROJECT CONTEXT

A Conceptual Cyber Defence Model

Cyber Information and Incident Coordination System

Distributed Multi-sensor Collection and Correlation Infrastructure

Cyber Defence Situational Awareness

Cyber Security Assessment Team

Semi-Automated Responses

Dynamic Network Enumeration

PROTECT: to prepare and implement the proper safeguards to ensure the delivery of service assets (NIST, 2014)

DETECT: developing and implementing processes and activities to discover the occurrence of cyber events (NIST, 2014)

RESPOND: developing and implementing the activities to respond to a detected cyber event (NIST, 2014)

RECOVERY: developing and implementing activities or processes that restore the compromised or degraded services to their normal operation (NIST, 2014)

Page 9

MNCD2

Distributed Multisource Collection and Correlation Infrastructure

OBJECTIVE:

STATUS:

Advanced capability for detecting APTs, providing cyber defence analysts with the information needed to detect threats and prevent attacks

Proof of Concept planned to identify whether sufficiently mature algorithms for correlation of correlations are available

Page 10

DMCCI

Ensure an efficient collection, aggregation, manipulation and correlation of large volumes of data harvested from a variety of sources over a long period of time within one or several Communications and Information Systems (CIS)

• Detect malicious activities

• Facilitate damage assessment

• Facilitate attack assessment

Infrastructure

Supporting human analysts

Objectives

Page 11

DMCCI

Process, Manage, Interface

• Distributed data processing

• API for modular processing

• Classified data processing

• Dynamic data collection and retention

• Forecasting of resource requirements

• Modular and scalable architecture

• Data management service

• Manage time synchronization and precision

• Access control

• Query interface

• Graphical interface

• Interoperability interfaces

Page 12

DMCCI

Correlating data source with attacker actions

Page 13

DMCCI

Example of action analysis

Page 14

DMCCI

Architecture

Page 15

DMCCI

Federated architecture

Page 16

DMCCI

• Full Packet Capture, Deep Packet Inspection, Network and Host Intrusion Detection Systems, Netflow logs provide critical data source

• Existing SIEM solutions can be used for data pre-processing

• Big data challenges: Volume, Velocity, Variety and Veracity
  • petabytes of data from heterogeneous sources
  • time synchronization between sources
  • high performance data processing: the speed of data access and computing
  • use of machine learning algorithms

• Security of DMCCI itself is a critical acceptance issue

Results of feasibility study

Page 17

DMCCI

• Use a combination of open source and COTS components to perform complex correlation and determine DMCCI effectiveness in detecting APTs

• Four stages
  1. Finalize Data Sets and Scenarios
  2. Design and Build POC, Establish Test Environment
  3. Test Scenarios, Develop Correlation Algorithm
  4. Operationalize (Optional)

• Deliverables
  1. Data set
  2. DMCCI POC design
  3. Post POC report

Next step: Proof of Concept

Page 18

MNCD2

Dynamic Network Enumeration

OBJECTIVE:

STATUS:

Provide the capability to identify devices on a network by performing scanning, host discovery and passive traffic analysis and check identified devices against known vulnerabilities

First analysis in progress

Page 19

DyNE

• Censys: Census of systems
  • Original name proposed for the project
  • But also copyrighted name of existing solution to be commercialized!

• DyNE: Dynamic network enumeration
  • Product agnostic
  • Network enumeration: discovery of devices and services on a network (both active and passive)
  • Dynamic: enumeration is performed autonomously and available results are dynamically updated without need for user interaction
  • DyNE: a unit of force equal to 10 micronewtons

From CENSYS to DyNE

Page 20

DyNE

• Stage 1: Design, build, deploy, and assess solution
  • Design, engineer, and build solution
  • Deploy and assess solution on a military network

• Stage 2: Operationalize solution
  • Prepare accreditation documentation (sufficient for NATO)
  • Develop online help, tutorial, and training presentation

Staging the work

Page 21

DyNE

• Provide a network enumeration framework customized for deployment on military and governmental classified and unclassified networks

• Based on open-source software

• Scan speed and address range configurable and schedulable to allow fine-grained control and manage network impact
  • Distributed scans
  • Integration of passive network traffic scans (for SCADA devices)

• Solution rapidly deployable to support temporary and exercise networks

• A web interface to search scan results and do some basic data analysis
  • What devices are connected, what services are exposed, are there any vulnerable hosts / services

Objectives

Page 22

DyNE

1. Internal enumeration of a LAN

2. Internal and external enumeration of a LAN

3. Enumeration of a compartmentalized network

a) Single security classification, incl. deployed components

b) Complex multi-domain military network

4. Enumeration of networks with fragile systems and peripherals (e.g. SCADA)

Use cases and architecture

Page 23

DyNE

Easy to use web interface

Page 24

DyNE

Easy to use web interface

Page 25

DyNE

• Vulnerabilities can be detected automatically

• Search for specific vulnerabilities, any vulnerability, etc.

• Vulnerabilities are highlighted and a short description is given

Vulnerability detection

Page 26

DyNE

• Scans can be launched instantly or scheduled

• It is possible to choose a specific time, and a repeat option can be used to automate frequent scans.

• Scans can use templates (Nmap)

Centralized scan scheduler

Page 27

DyNE

• Nmap templates are automatically available and can be used for scans

• The user can reuse, customize or create scan templates

• Once a scan is launched the user does not have to intervene

• The results are automatically imported and a notification is shown on the server side

• The results are immediately imported and processed

Scan templates and automation

Page 28

DyNE

• Common Open Research Emulator (CORE)
  • a tool for emulating networks on one or more machines
  • Emulated networks can be connected to live networks

• Powerful and easy to use
  • A simple GUI for building heterogeneous test networks
  • Design of a custom topology
  • Creation of new types of devices (e.g. data diode)

• Hosts can run different services to emulate a real network
  • e.g. SCADA devices, data diodes, firewalls, web servers

Testing DyNE with CORE

Page 29

DyNE

DyNE topology in CORE

Page 30

DyNE

• IPv6 support

• Less invasive scanning techniques

• Passive monitoring for SCADA

• Active scan exclusion lists for fragile devices

• Virtualized rapid deployment setup

• Validation at CWIX 2017

• Preparation of accreditation tests

Next Steps
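An added example (not DyNE's code, whose implementation the slides do not describe) that models the behaviour described on the scan scheduler, scan template and Next Steps slides: a job picks a named Nmap template, subtracts a fragile-device exclusion list from the requested address ranges, and computes the next run of a repeating schedule. The ScanJob class and the template names are constructed for illustration; only the Nmap flags are real, and nothing here launches a scan.

```python
# Added example, not DyNE's code: constructed ScanJob model; only the Nmap flags are real.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import collapse_addresses, ip_network
import shlex

TEMPLATES = {  # constructed template names; the flags are real Nmap options
    "light": ["-sS", "--top-ports", "100", "-T2"],  # low-impact port scan
    "version": ["-sV", "--version-light", "-T3"],   # service version detection
}

@dataclass
class ScanJob:
    template: str
    targets: list[str]                                # CIDR ranges to enumerate
    exclude: list[str] = field(default_factory=list)  # fragile devices (e.g. SCADA)
    start: datetime | None = None                     # None = launch instantly
    repeat: timedelta | None = None                   # None = one-off scan

    def effective_targets(self) -> list[str]:
        """Requested ranges minus every excluded range, collapsed per IP version."""
        excl = [ip_network(e, strict=False) for e in self.exclude]
        kept = []
        for t in self.targets:
            remaining = [ip_network(t, strict=False)]
            for e in excl:
                nxt = []
                for r in remaining:
                    if e.version != r.version or not (e.subnet_of(r) or r.subnet_of(e)):
                        nxt.append(r)                     # disjoint: keep as is
                    elif e.subnet_of(r):
                        nxt.extend(r.address_exclude(e))  # carve out; ranges inside e are dropped
                remaining = nxt
            kept.extend(remaining)
        return [str(n) for v in (4, 6)
                for n in collapse_addresses(k for k in kept if k.version == v)]
    def command(self) -> str:
        """Shell-quoted Nmap invocation; unknown templates are rejected, not guessed."""
        if self.template not in TEMPLATES:
            raise ValueError(f"unknown scan template: {self.template!r}")
        return shlex.join(["nmap", *TEMPLATES[self.template], *self.effective_targets()])
    def next_run(self, now: datetime) -> datetime:
        """Instant jobs run now, future jobs at start, repeating jobs at the next tick."""
        if self.start is None:
            return now
        if now <= self.start or self.repeat is None:
            return self.start  # not yet due, or an overdue one-off (caller decides)
        return self.start + ((now - self.start) // self.repeat + 1) * self.repeat
```

The exclusion logic is the part worth checking in a real scheduler: a range that is wholly inside an excluded block disappears, a partial overlap is split around the hole, and an address of the other IP version is left untouched.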

Page 31

DyNE

DyNE at CWIX 2017

Central Web Interface

Central Database

Agent in National Extensions

• Deploy the current Proof of Concept for this new capability in operationally-relevant environment

• Demonstrate viability and value in operational use

• Validate the current outcomes of the R&D process

CWIX 2017 experiment

Page 32

MNCD2

Semi-Automated Response

OBJECTIVE:

STATUS:

Research into the state of the art for semi-automated cyber defence response

First analysis in progress

Page 33

Semi-Automated Response

The number and complexity of cyber attacks increase

Defenders are often overwhelmed and unable to respond to attacks effectively

Human response is sometimes too slow against automated attacks

• Many responses can be automated

• Allows more time for human analysis of complex threats

Background