Network Mission Assurance

Transcription

1 Network Mission Assurance Michael F. Junod, Patrick A. Muckelbauer, PhD, Todd C. Hughes, PhD, Julius M. Etzl, and James E. Denny Lockheed Martin Advanced Technology Laboratories Camden, NJ Abstract The doctrine of Network Mission Assurance (NMA) evaluates the value of information assurance and the risk of computer threats based upon their impact on the organizational functions supported by the network. The NMA framework is comprised of four technical functions: Asset Identification, Infrastructure Model and Control, Threat Analysis and Prediction, and Response Coordination. Our research in support of the NMA investigates technical solutions for trust-based resource control, reflective and reconfigurable network services, autonomic network defense, and cyber-attack representation. We contend that NMA unifies the purpose and function of separate information assurance programs into a holistic, network-centric solution. 1. Introduction This document describes the Network Mission Assurance (NMA) doctrine of Lockheed Martin Advanced Technology Laboratories (ATL). This doctrine is used as a guide to focus our information assurance efforts in different research areas and ensure these efforts can work together in a dynamic distributed network environment and effectively leverage and incorporate point security solutions into a robust information assurance architecture. It is our belief that one cannot simply back-fit existing security point solutions onto existing architectures and expect to have an improved security infrastructure. In fact, this can result in a less secure architecture that requires a great deal of manual effort in maintenance and monitoring.

2 Point security products (e.g., vulnerability scanners, intrusion detection systems, firewalls) often operate in isolation. In contrast, according to NMA, security solutions should not only be integrated with, but orchestrated among, the components of a network infrastructure. NMA is a high level concept that spans a large area of information security and information assurance. In support of this doctrine, ATL is leveraging its applied research strengths in quality of service (QoS), distributed processing, data fusion, and intelligent agents to apply to the information assurance domains. We believe that research and technologies from many other academic, commercial, and government sources also support the NMA doctrine. 2. Network Mission Assurance Approach The ability to launch successful cyber attack campaigns is far outpacing the ability to defend against them. A fundamental problem in the information assurance arms race is simply its current scope. Since most security systems focus on relatively atomic attack actions (e.g., port scans, buffer overflows), they have difficulty defending against coordinated attack campaigns. An attack campaign has an overall goal and is composed of many atomic actions over time that must be carefully and successfully carried out to achieve the desired goal. The need for rapid assembly of tactical networks exacerbates the difficulty. In a dynamic coalition environment, one does not have the opportunity to perform the vulnerability assessment and red team testing one would on static configurations. Further, one cannot assume that the systems will always provide the same mission critical functionality. With future reconfigurable systems using open system architectures, what parts of the system are critical at any given time in the mission becomes a run-time rather than design-time decision. The goal of the Network Mission 2

3 Assurance (NMA) is to keep the missioncritical systems operational while under a cyber attack. This implies the ability to identify and map critical assets to operational support capabilities. It also requires efficient and judicious use of resources by focusing additional resources on threatened assets. In addition, we believe there is great value in leveraging offensive attack campaign or threat knowledge for better defense. This allows us to explore full life cycle response through simulation before reflecting any changes onto the infrastructure components. NMA is intended to work in concert with of new technologies to future operational environments. 3. ATL NMA Research Areas With these concepts in place the four main research areas of Lockheed Martin Advanced Technology Laboratories Network Mission Assurance (NMA) are: (1) Asset Identification, (2) Infrastructure Model and Control, (3) Threat Analysis and Prediction, and (4) Response Coordination. Figure 1 provides a conceptual overview that illustrates the functional relationship between the technology components of the NMA research areas. existing information assurance efforts, which we believe are both necessary and effective. However, we also contend that there must be a higher level vision that drives requirements, metrics, and capabilities for transition Figure 1. Network Mission Assurance conceptual overview 3

4 3.1 Asset Identification The functions of asset identification are to identify critical mission objectives dynamically and continuously and to map, possibly through multiple levels of abstraction, the criticality of mission objectives to low-level infrastructure assets. For example, in mission terms it might be important to identify at the high level a critical unmanned autonomous vehicle (UAV) video feed. In system terms, this video feed would map at the low level to network flows, ports, and processors on hosts in the operational equipment. While others have recognized the need for critical asset identification, we believe there is a need to make this process continuous and dynamic, and we have outlined an approach for realizing this process. In addition, we have identified how to integrate the results of critical asset identification with other security components of a distributed system. For example, results from critical asset identification can enable more effective, reactive, and proactive responses by protecting assets that are most relevant to mission success, and provide a valuable discriminator for resource allocation. 3.2 Infrastructure Model and Control We believe that infrastructure models for information assurance must satisfy two important conditions. First, they must represent the state of the infrastructure in a manner that allows a system to reason about itself. Second, they must actuate changes in the model in the infrastructure itself. The models we have in mind are, therefore, reflective. Specifically, the reflective infrastructure provides a representation of the infrastructure that maintains infrastructure state and critical asset analysis; threat history, analysis, and projection; and responses and status. Changes to the model, however, need not be reflected immediately into the actual infrastructure but rather be considered as a 4

5 hypothetical state. This supports the ability to reason over proposed changes using simulation before actuating the changes back on to the infrastructure components. 3.3 Threat Analysis and Prediction Current network security measures are designed to make it more difficult for attackers to penetrate the boundary of an infrastructure. However, if an adversary is successful in penetrating this line of defense while eluding detection, very little stands in the way of total compromise of the infrastructure. There is a good reason this model is so pervasive: sealing an infrastructure against a potential adversary, for all its complexity, is far less complicated than recognizing and analyzing the attack of an actual adversary. Threat Analysis and Prediction research seeks to reduce this complexity by looking at three types of necessary tasks. First, systems must correlate events occurring throughout the infrastructure and deduce correctly that they constitute threat actions by an adversary. Second, systems must predict what the adversary is likely to do next. Third, systems must project the impact of the adversary s trajectory on infrastructure assets, in particular the assets critical to mission success. These functions are crucial for planning and implementing an effective response to an attack campaign. Performing these tasks in less time than attackers perform their own tasks is particularly difficult now that so many attacks are heavily scripted and distributed. We believe that automation in these areas is crucial. Threat Analysis and Prediction research is necessary to fill this current gap in infrastructure security. 3.4 Response Coordination Information assurance decisions have probabilistic and interdependent effects upon an organization s operations. The complexity of decisions can overwhelm human operators in large infrastructures. Thus, timely response 5

6 for infrastructure defense necessitates automated response coordination. Response Coordination seeks to enable automated threat response decision making. It integrates with components for threat analysis and network control through infrastructure models. We believe decision-theoretic concepts such as belief, action, and utility map well to infrastructure defense concepts such as threat, control, and mission. These mappings can be leveraged to reason about effective responses, even in conditions of uncertainty. 4. ATL Work in Support of NMA This section provides brief overviews of the specific areas of research that Advanced Technology Laboratories (ATL) is working in to support the Network Mission Assurance (NMA). Our goal is to provide mission assurance by ensuring survivability of high value assets and continued operation of critical infrastructure components. 4.1 Dynamic Trust-based Resources Cooperation and sharing of resources on a network requires some degree of trust between the entities involved. In current systems, this degree of trust manifests itself through static configuration of authentication and access control mechanisms that determine trust levels and map them to access rights. This approach requires a great deal of planning and effort. As the time provided to organize collaborative computer infrastructures decreases and their interactions become more complex, it is increasingly unlikely the proper degree of trust can be determined at system configuration time. Clearly this is the case for self-organizing, autonomous systems where cooperating entities may not even be known at configuration time. Current solutions, in and of themselves, are too rigid, require too much human intervention, and are inadequate for managing resources among rapidly assembling, 6

7 dynamic, active network components. What is needed in such cases is a dynamic, adaptive determination of trust that is integrated with resource allocation mechanisms, so that as trust in an entity degrades, so does its access to resources. Such trust-based resource allocation mechanisms are necessary to limit and ultimately completely restrict the disruptive behavior of an entity and ensure fault tolerance. The goal of Dynamic Trust-based Resources (DyTR), which ATL is currently developing under the DARPA Fault Tolerant Networks program, is to go beyond traditional authentication-based approaches to trust and build systems where the trustworthiness of entities adapts over time based on system events. DyTR provides an adaptive trustassessment methodology that allocates resources dynamically to an initial level of credentials, continually assesses trust, and adaptively allocates resources in accordance with changes in perceived trust. DyTR will tightly couple this continually assessed trust with low-level resource-allocation mechanisms to ensure that requesting processes are trusted and, thus, permitted to use system resources. If a requesting process exhibits suspicious behavior, DyTR will degrade its level of trust for that process, and subsequently reduce that process s access to system resources, so that other critical resources can continue to operate to achieve fault-tolerant behavior. 4.2 ATL s Next Generation Infrastructure ATL s Next Generation Infrastructure (ANGI) project has developed technology for building systems that can be deployed in increasingly more dynamic, distributed, and open environments. This includes an integrated set of services for dynamic system modeling as well as for system QoS. ANGI is a library of tools and executable services for developing and deploying distributed objects. Among these services are model sharing and sensor mechanisms that 7

8 allow systems to discover and monitor their own configuration and environment. We have also developed for ANGI a rich set of QoS controls for classifying and shaping traffic flows, which provide the foundation for managing and securing the shared network infrastructure and, in particular, protecting a system against distributed denial of service attacks. The QoS controls are superior to traditional firewall filters because they provide wider and more fine-grained range of influence. They also provide an end-to-end solution allowing greater latitude over where to place the controls. This allows confinement of potentially malicious flows through limits and priorities and protection of critical flows that are necessary to mission success. 4.3 Decision Network Technology Decision networks also known as influence diagrams use a graph structure to represent dependencies between possible decisions and uncertain beliefs, also associating utility (value or cost) with some of those actions and beliefs. It is a probabilistic reasoning technique that extends the concepts of Bayesian networks and decision trees. ATL is applying this technique to information assurance by evaluating sensor findings and specific threat alerts in a model of potential responses and their impact upon network services and assets. Then the decision network selects the action with maximal expected utility, which factors certainty and priority in a holistic manner for mission assurance. The primary challenge of this research is to identify and incorporate a technology for response selection which functions to provide mission assurance under the inherent uncertainty and incompleteness of data/control in large infrastructures. 4.4 Distributed Autonomic Response Coordinator ATL is developing a prototype Distributed Autonomic Response Coordinator (DARC) 8

9 that uses the ANGI framework as the foundation to deploy and manage the distributed sensor information as well as ANGI s dynamic QoS capabilities for response mechanisms. The DARC prototype uses existing intrusion detection and vulnerability assessment products as sensors. We intend to apply decision network logic to develop autonomic response to more devastating and more rapid cyber attacks. The challenge is to develop an autonomic response mechanism that can understand an attack campaign to determine the best response in a dynamic environment given the uncertainty of intrusion detection and vulnerability assessment sensor information. This will ensure mission assurance in the presence of an attack. The goal of DARC is to provide a distributed, autonomic response capable of detecting, adapting, and collaboratively responding to cyber attacks. It will enable the coordination and monitoring of start-to-end responses against single- and multi-node attacks. 4.5 Cyber Attack Workstation In keeping with our belief that leveraging offensive attack campaign knowledge makes for better defense, ATL has also developed a prototype Cyber Attack Workstation (CAW). The CAW provides a pluggable API and GUI for adding, integrating, and executing cyber reconnaissance and attack scripts. The interface generates a map of the network as reconnaissance information is gathered, which allows the user to target specific hosts with particular vulnerabilities. The interface also allows users to select the level of risk they are willing to accept, and the CAW will adjust the parameters of attacks accordingly. Future versions of the CAW will automatically and dynamically formulate and execute cyber offensive attack campaigns that meet mission objectives and constraints. The CAW will determine the appropriate steps of the campaign based on the intent of the user 9

10 and the risks the user is willing to accept. The Metabase ( long-term goal is to incorporate the attackcampaign understanding and decision-model logic developed for DARC in order to produce more sophisticated offensive attack campaigns. 4.6 Attacker Capability Ontology A key enabler of ATL s future work in information assurance is the formal representation of, and reasoning about, cyber attack data. Two important aspects of this domain we have attempted to capture are: (1) the relationship between software vulnerabilities and the capabilities that attackers gain by exploiting them on actual systems, and (2) the relationships among these capabilities. For this effort we have developed the Attacker Capability Ontology. The Attacker Capability Ontology is implemented in both Resources Description Framework Schema (RDFS) and DARPA Agent Markup Language (DAML). It has also been integrated with the ICAT Vulnerability meaning that capability attributions have been assigned to the vulnerabilities listed in the database. This formal representation will allow advanced reasoning for correlating, predicting, and projecting attacks. 5. Future Work ATL continues its research and development in information assurance in each of the projects described above, using the NMA doctrine as a guide. As NMA technology matures, we seek to deploy information assurance products technology as well as transfer the results of our research into the broader information assurance community. Acknowledgements Defense Advanced Research Projects Agency/Air Force Rome Laboratory, contract Number F C References NMA Home Page: external.lmco.com/projects/ia/ 10