Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Transcription

1 Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense By: Daniel Harkness, Chris Strasburg, and Scott Pinkerton The Challenge The Internet is an integral part of daily life in America and around the world. Approximately 2 billion people use at least 12 billion computers and other networked devices. These devices range from personal computers and tablets to the servers and devices supporting our critical infrastructure, including industrial control systems. Malicious actors continue to grow in sophistication, organization, and financial backing. These actors seek to steal financial information, intellectual property, trade secrets, and other sensitive information from businesses, small and large. They also attempt to disrupt essential services, damage infrastructure assets, and potentially produce severe, cascading effects throughout the Energy Sector. As these actors capabilities grow, so does the risk to our critical infrastructure. As a Nation, it is vital that we develop the strategic capabilities to defend against the cyber threats that put our national and global interests at risk. Unfortunately, the ability of malicious actors to operate from anywhere in the world, the difficulty of eliminating software vulnerabilities, and the linkages between cyber and physical systems all contribute to making cyber defense a highly challenging endeavor. Couple this with the volume of attacks occurring every day and the limited manpower of any one organization, and the need for new approaches to cyber defense becomes clear. A New Approach: Beyond Access Control A major component of cyber defense is access control. This is evident in technologies such as firewalls, which traditionally control access based on source and destination information. Authentication schemes use various mechanisms to prevent unauthorized access to key resources. Unfortunately, many of today s cyber attacks work not because of cyber defenders lack of enabling access controls, but rather through weaknesses inherent in the controls themselves. Mistakes in software often create unintentional vulnerabilities that weaken otherwise useful controls (e.g., Heartbleed, Shellshock). Furthermore, social engineering can often enable malicious actors to exploit human traits such as

2 trust, curiosity, and memory limitations to bypass properly configured controls (e.g., spear phishing, password reuse). If, then, we recognize that access controls have weaknesses, what can we do? As the cyber community recognizes that access control has its shortcomings, a shift in mindset has begun. Increased monitoring of networks and systems is being done in hopes of identifying precursors to future attacks before they become compromises and identifying compromises before they become catastrophes. Dealing with the Flood: Enter Cyber Threat Information This increased monitoring brings with it a flood of data. There are firewall deny logs, traffic logs, web logs, system logs, intrusion detection system logs, antivirus logs, mail logs, and more. The manpower and time required to sift through all of this data properly, and in a timely manner, is unrealistic for even a small enterprise. Databases, correlation engines, and advanced tools such as security information and event management (SIEM) systems have come about to help deal with this problem. Ultimately, however, they still require a human to provide useful configuration, drive searches, and interpret abnormal data. To do their job well, analysts require both expertise and information, specifically information about the threats they must defend against. Cyber threat information includes indicators and intelligence. Cyber threat indicators are small pieces of information that can typically be acted upon in an automated manner at the machine level. An example of a cyber threat indicator is an internet protocol (IP) address engaged in malicious activity. Cyber threat intelligence may include indicators but generally also includes more detailed information to provide a bigger picture to analysts. Indicators help cyber defense in two ways. First, they can provide a good starting point for culling the data for indication of active threats, ideally while still in the reconnaissance phase. Second, if they are integrated into an active response system (by proactively acting upon them through blocking, sending to a blackhole, etc.) they can disrupt an ongoing attack and prevent future attacks. Intelligence not only helps inform analysts to better configure their defenses and better tailor their monitoring and analysis to current threats, but can also support situational awareness, potentially allowing threats to be anticipated before they reach critical targets. Integrating Cyber Threat Information through Machine-to-Machine Sharing Looking to the future, the authors believe the use of cyber threat information will likely be part of any mature cyber defense strategy. Building mature cyber defense strategies around cyber threat information generally consists of three phases: identifying, consuming, and producing cyber threat information. There exist many sources of cyber threat information. They can include internal

3 sources (such as intrusion detection logs, firewall denies, or antivirus signature matches) and external sources (such as blacklists, private intelligence companies, and government organizations). Sources will vary by volume, quality, timeliness, cost, and relevancy. Surveying the available sources and identifying which are of importance to you is the first phase of making use of cyber threat information. The second phase involves building processes to not only receive, but to consume and make use of cyber threat information. Consuming the information means not only receiving it, but parsing it and actually using it. For indicators, this includes automating the search of local data sources to identify previous interaction with the indicators. It can also include preventive measures such as pushing into perimeter protection devices to block known attacks or to redirect them to an analysis environment. For cyber threat intelligence, this includes providing a unified environment for analysts to access and consume the information, as well using the intelligence to tag and enrich existing data and indicators to provide greater situational awareness. In the third phase of maturing cyber defense strategies, consumers of cyber threat information recognize that the information that they are receiving is part of a shared situational awareness that can only improve as more entities contribute. The consumers then need to look at their own data and analysis processes to identify and provide their own relevant analysis to the broader community. This includes both the addition of new cyber threat information and the enrichment (adding knowledge) of information that was already known to the community. Throughout the maturing process, the speed of response is critical. When indicators come from an actual attack, mere seconds may pass before a weak link is discovered and allows the attack to turn into a compromise. The same urgency can be applied to the intelligence side, where, for example, the intelligence may provide information about a known upcoming attack. Moving to machine-to-machine information sharing removes the inherent delay that comes with human-to-human information sharing. Machine-to-machine sharing also improves the ability to automate analysis and, in some cases, response, thus allowing the analyst to spend more time focusing on discovering the unknown. Cyber Fed Model: A Reference Implementation In 2004, Argonne National Laboratory began researching the benefits of sharing cyber threat indicators among related peer organizations. This led to a grassroots movement to begin sharing indicators, and in 2009 the U.S. Department of Energy (DOE) Cyber Fed Model (CFM) program began providing a production capability for machine-to-machine sharing of cyber threat indicators among multiple DOE facilities. Since that time, the CFM program has expanded to support the Department of Homeland Security, multiple other U.S. Government organizations, and has begun

4 facilitating information sharing between government and private sector critical infrastructure owners and operators, particularly those in the energy sector. In addition, the CFM program has expanded beyond just cyber threat indicators to include the sharing of cyber threat intelligence and detection rules. As part of this expansion, CFM is committed to encouraging and supporting emerging standards such as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII), while continuing to provide support for the legacy and custom needs of existing participants or those who cannot fully adapt for other reasons. At the core of CFM are the beliefs that collective knowledge is better than individual knowledge and that real-world relationships (shared interests, common infrastructure, geographic location, etc.) often translate into cyber-world relationships. Experience has shown that these relationships are often used by malicious actors to exploit common vulnerabilities, gain greater sector-wide control, or steal the sector-wide body of knowledge. CFM leverages these relationships in distribution and receipt to improve cyber defense by focusing on cyber threat information that has real relevance. Cyber Fed Model: How it Works In CFM, participants are added to groups referred to as federations. These federations are based on relationships; participants each may be part of many federations. Using encrypted web communication on top of data-level encryption, participants use CFM to provide one-to-one and one-to-many distribution of cyber threat information. CFM utilizes a secure web application to transport cyber threat information. When a participant produces cyber threat information, the information is tagged with handling parameters, including a distribution list, and uploaded to the CFM repository. It is checked for proper formatting and against whitelisted entries, then made available to those on the distribution list. (In some cases [generally dependent on relationships], data is anonymized before being released.) Consumers query the CFM repository for new cyber threat information and retrieve it. Although CFM participants are welcome to connect to the application programming interface (API) on their own, client software is provided to handle the communication. Uploading is as simple as dropping a file in a folder and calling a script. Downloading is handled by the same script, which retrieves the files and organizes them based on type and format. Work is currently underway to adapt CFM features, such as federation-based distribution, data anonymization, and centralized feed aggregation, to the TAXII protocol, which will be the basis of the next generation of CFM enhancements. At this time, TAXII is already supported through the use of other TAXII server software.

5 Cyber Fed Model: The Features and Benefits Machine-to-machine information exchange increases perimeter protection for individual participants and the community as a whole. When one entity detects an attack, indicator information can quickly be distributed to all and used to preempt the same distributed attacks and sector targeting by advanced persistent threats. Through CFM s experience with cyber threat information sharing, the CFM team has developed various features to combat commonly encountered problems. These include the following: Uses secure web-based protocols to help avoid the politics of opening firewall holes; Supports current standards like STIX, legacy formats such as Intrusion Detection Message Exchange Format (IDMEF), and custom formats such as comma separated values (CSV) to minimize the burden on producers; Using relationships for grouping, provides simplified distribution lists; Carries handling permissions forward explicitly, enabling trust; and Support exists for new exchange protocols, such as TAXII, to support existing and emerging communities without burdening them to change protocols or software. The following are additional features and benefits of CFM: Supports cyber threat indicators (alerts) and cyber threat intelligence (reports), as well as detection rules; Operates in near real time; Responds automatically, using machine-to-machine protocols; Is highly available (using geographically-distributed servers); and Is scalable to thousands of participants. Cyber Fed Model: Into the Future As CFM continues to grow, new features and enhancements are developed as needed. Currently planned enhancements include the following: Tools for local threat detection that provide a consistent confidence rating of hostile behavior across numerous organizations and entities; Tools that simplify the integration of cyber threat information with existing IT infrastructure, such as perimeter protection devices, monitoring systems, and analysis tools; Reducing the current lag time associated with near real time, and moving to more real-time streaming of information; Distributed search capabilities; and Interoperability between legacy and modern cyber threat information representation formats.

6 Beyond Cyber Fed Model The CFM program is just one in an ecosystem of cyber threat information sharing programs. In recognition of the broader ecosystem, CFM seeks to develop relationships and partnerships with others working on the same challenges. Today, CFM is an active participant in the Enhanced Shared Situational Awareness (ESSA) program, led by the U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and National Security Agency (NSA). Together the ESSA partners strive to create a situational awareness capability that integrates actionable information about emerging trends, imminent threats, and the status of incidents that may affect critical infrastructure. In addition, the CFM program participates in information exchange with DHS s Cyber Information Sharing and Collaboration Program (CISCP) and the community of Information Sharing and Analysis Centers (ISACs). CFM is prepared to support machine-to-machine information exchange broadly across the energy sector and critical infrastructure today. Conclusion Malicious actors continue to grow in sophistication, organization, and financial backing. As a Nation, it is vital that we develop the strategic capabilities to defend against the cyber threats that put our national and global interests at risk. Through the integration of cyber threat information into our cyber defense strategies, we can coordinate responses to cyber threats and drive down the cost of cyber defense while increasing the costs for attackers. DOE s CFM, through experience, technology, and partnerships, is ready to help defend our Energy Sector and critical infrastructure. Ultimately, however, community backing and utilization of these efforts will be the key to future success.