Enhanced Attribution

Similar documents
ONLINE RECONNAISSANCE

Defensible Strategy To. Cyber Incident Response

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

Introduction to Cyber Security / Information Security

Foundstone ERS remediation System

Critical Controls for Cyber Security.

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Actionable information for security incident response

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

Cybersecurity Delivering Confidence in the Cyber Domain

Department of Homeland Security

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Click to edit Master title style

PENETRATION TESTING GUIDE. 1

Data Security Concerns for the Electric Grid

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

WHITE PAPER: THREAT INTELLIGENCE RANKING

Dealing with Big Data in Cyber Intelligence

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Common Cyber Threats. Common cyber threats include:

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

How to Detect and Prevent Cyber Attacks

Patch Management SoftwareTechnical Specs

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Fight fire with fire when protecting sensitive data

Department of Management Services. Request for Information

Metasploit The Elixir of Network Security

Getting the Most Out of SIEM. Presentation Title. Data in Big Data. Presented By: Dr. Char Sample, CERT

Protecting critical infrastructure from Cyber-attack

NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

Retention & Destruction

Developing Secure Software in the Age of Advanced Persistent Threats

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Taxonomic Modeling of Security Threats in Software Defined Networking

Addressing the United States CIO Office s Cybersecurity Sprint Directives

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Facilitated Self-Evaluation v1.0

Information Security Attack Tree Modeling for Enhancing Student Learning

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Enterprise Security Tactical Plan

Additional Security Considerations and Controls for Virtual Private Networks

Audit Report. Management of Naval Reactors' Cyber Security Program

Thomas J. Schlagel Chief Information Officer, BNL

Data Driven Assessment of Cyber Risk:

Fusing Vulnerability Data and Actionable User Intelligence

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Analysis of Network Beaconing Activity for Incident Response

Security Intelligence Services.

6. Exercise: Writing Security Advisories

Information and Understanding (IFU) Overview

Hearing on Commercial Cyber Espionage and Barriers to Digital Trade in China

Threat Intelligence UPDATE: Cymru EIS Report. cymru.com

Threat Advisory: Accellion File Transfer Appliance Vulnerability

Six Days in the Network Security Trenches at SC14. A Cray Graph Analytics Case Study

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Network/Internet Forensic and Intrusion Log Analysis

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

Protecting Your Organisation from Targeted Cyber Intrusion

IEEE International Conference on Computing, Analytics and Security Trends CAST-2016 (19 21 December, 2016) Call for Paper

Business Process Automation through Application Software

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Report on Cyber Security Alerts Processed by CERT-RO in 2014

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Information Security Services

How To Manage Security On A Networked Computer System

Cyber Watch. Written by Peter Buxbaum

Certification Programs

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Hearing before the House Permanent Select Committee on Intelligence. Homeland Security and Intelligence: Next Steps in Evolving the Mission

Deep Security Vulnerability Protection Summary

EVILSEED: A Guided Approach to Finding Malicious Web Pages

Virtual Patching: a Proven Cost Savings Strategy

Beyond Aurora s Veil: A Vulnerable Tale

Session 3: IT Infrastructure Security Track ThreatExchange Winning through collaboration. Tomas Sander HP Labs

IBM Security Strategy

Advance Malware protection in distribution and manufacturing environments. Rob Dolci, April 2016, copyright aizoon USA.

CDM Vulnerability Management (VUL) Capability

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Vulnerability Management Policy

No. 33 February 19, The President

DYNAMIC DNS: DATA EXFILTRATION

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

CyberSecurity Solutions. Delivering

Combating Spear-phishing:

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Identity and Access Management Solutions MWC 2016

Developing Microsoft SharePoint Server 2013 Advanced Solutions MOC 20489

Transcription:

Enhanced Attribution Angelos Keromytis Information Innovation Office (I2O) Proposers Day Briefing April 25, 2016

Program Goal Develop mechanisms and algorithms to: 1. Collect and fuse all-sources information to enable at-scale attribution of individual malicious cyber operators 2. Validate and enrich the collected corpus with additional information to enable convincing public attribution of malicious cyber activity

Impact Entity Sources Accuracy Timeliness Scale Shareability Commercial Blue space low low low high Government Red space high low low low Enhanced Attribution Red & Blue high high high high If successful, we will enable a range of response options, including many that require public disclosure of evidence Examples of Response Options Sanctions Name and Shame Selective Revelation Mass Disclosure Law Enforcement Cyber Effects

Attribution is Accomplished Poorly or at Small Scale The same campaign attributed to 4 different intrusion sets by 3 commercial cybersecurity providers, based on different observables CVE-2014-0322 exploited visitors to French Aerospace Association site CERT advisory published CVE-2014-0322 exploited visitors to vfw.org Public exploit published by egyp7 Symantec attributes Hidden Lynx Microsoft patches CVE-2014-0322 Second public exploit released 20 Jan 30 Jan 9 Feb 19 Feb 1 Mar 11 Mar 21 Mar 31 Mar 10 Apr Vulnerability published Crowdstrike attributes Aurora Panda First exploitation detected by Microsoft Security Raytheon attributes DeputyDog & EphemeralHydra Microsoft Security Advisory released Microsoft releases "Fix it" solution Attribution Rationale C&C Infrastructure Domain Registrations Exploit Techniques Metasploit exploit published Q: Who is UglyGorrilla? A: Wang Dong Attribution is really really hard we re using the totality of the sources and methods we have to help inform that. [But] because those advanced persistent threats aren t going away we can t bring all that information to the fore and be fully transparent about everything we know and how we know it. - Rob Joyce, Chief NSA/TAO at USENIX Enigma 2016 How do we know? DNS registrations DNS use PLA alumni website Binary metadata Passwords Social media

Monitoring and Understanding of Adversary Cyber Operator Actions Through Collection in Red Space TA1 Ground Truth via All-Sources Monitoring TA2 From Data To Information TA3 Find Adversary Mistakes External Information Sources Cyber Operator Commercial Threat Feed OSINT (e.g., social networks) Network IDS End Host Logs (e.g. HBSS, TC) SIGINT Network Monitoring Fuse & Predict Validation & Enrichment Target Shareable Information Primary challenge: multi-resolution fusion at scale

TA1: Activity Tracking and Summarization Create software modules for tracking adversary operators from various vantage points Assume initial access and communications channel is provided Ops desktop, mobile phone, IoT, captured C2 nodes, network infrastructure, Track personas, extract relevant cyber actions, and link personas to identities Possible approaches Behavioral biometrics techniques Decompose attack software toolchain into units of action (e.g., port scan, send spearphishing email); extract and emit associated metadata (which represents ground truth) Challenges Maintaining a low computational-resource profile requires new algorithmic approaches to behavioral biometrics Software partitioning and whole-system analysis at low footprint Keyboard/Mouse/Touch behavioral biometrics

TA2: Data Fusion and Activity Prediction Develop multi-int fusion and tracking for the cyber domain Key enabler: ground truth generated by TA1 Develop predictive profiles using downstream observables Capture ambiguous data associations across diverse data set Possible approach: heterogeneous information networks Leverage, reason over, and contribute to structure Scalable and extensible to support wide range and types of data Challenges Association Ambiguity Out of Sequence Data Large Data Volume Signal Noise Ops Terminal & Personal Devices Network Midpoint Captured Redirector Target Host Time events received

TA3: Validation & Enrichment Identify adversary mistakes and externally observable indicators Pattern-matching over an activity graph Fuse and integrate external information sources Compose disclosable explanatory narrative Use analytic techniques to expose known but hidden structure Create convincing explanation using external data Operate fast enough to make use of rich but transient data Adversary Mistakes Weak passwords Vulnerable software Weak cryptography Infrastructure reuse "the Chinese developers left clues aplenty about their identities and locations, even Tweeting about vulnerability days in advance of its use in the wild. External Indicators OSINT Commercial Threat Feeds Network IDS/analytics End Host (e.g. HBSS)

Program Structure and Schedule Program duration: 54 months Three 18-month program phases All TAs working in parallel Frequent informal evaluations using various datasets Increasing realism/environments Be in position to conduct on-demand testing in real conditions as opportunities arise, possibly starting early in the program TA1 Profile/Activity Precision TA2 Reconstruction Precision TA3 Enrichment Completeness Year 1 Year 2 Year 3 Year 4 Year 5 Phase 1 Phase 2 Phase 3 60% 75% 90% 35% 50% 75% 20% 35% 50%

Evaluation Details Each performer conducts their own evaluation for each phase Provide data and prototypes to DARPA and AFRL to conduct an independent validation Government reserves the right to engage third parties to independently validate the results DARPA anticipates integrated evaluations early in the program DARPA will pursue access to unclassified data sets Proposers strongly encouraged to pursue their own data sets that will facilitate initial development

Program Classification and Clearance Requirements The program will be conducted at the UNCLASSIFIED level Technical development Performer-internal testing TA2 and TA3 teams required to include personnel with TS clearance and eligible for SCI Adequate number to allow for extensive T&E in the Washington, DC area Not all team personnel need to be cleared For multi-organization teams, not all participating organizations must have cleared personnel No requirement for SCIF access TA1 teams encouraged to include personnel with similar clearances

Human Subjects Research (HSR) Depending on technical approach, TA1 teams may need to consider HSR implications DARPA encourages TA1 teams to consult their IRB and address this matter in their proposals Ideal scenario: proposal includes letter with IRB determination Second best scenario: proposal includes submission to IRB

Programmatic Details Proposals due on June 7, 2016 Anticipated program start date: 1 November 2016 One proposal per organization as Prime Procurement Contract or Other Transaction (no Grants) To expedite award contracting, proposers are encouraged to have sub-award agreements in place ahead of award notification Anticipated number of awards TA1: multiple TA2: one or more TA3: one or more Proposals may address any combination of TAs Technical work and cost must be separable to enable partial selection TA2 performers must be prepared to work with all TA1 and TA3 teams

Meetings and Reporting Requirements Two Annual Principal Investigator (PI) Meetings Quarterly Technical Reviews between PI Meetings Monthly Progress Reports Technical Report describing progress, resources expended and issues requiring Government attention, provided 10 days after the end of each month Financial/Technical Progress Reporting to the DARPA Technology Financial Information Management System (TFIMS) Final Technical Report See BAA for full details Anticipate high frequency interactions with DARPA technical team Agent: AFRL/RIGB

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information