Cyber Security
Chris Hankin, Imperial College London
November 2014

Overview
- Introduction
- Science of Cyber Security
- Game Theoretic Models
- Industrial Control Systems
- Conclusions
[Three slides of charts from Hackmageddon.com]
The Changing Cyber Security Landscape
- Recent issues: Heartbleed and ShellShock
- Worms: Stuxnet
- Remote Access Trojans: Havex
- Advanced Persistent Threats

Research Institute in the Science of Cyber Security
- 4M programme, awarded 1st Oct 2012
- 4 projects, coordinated by UCL:
  - Choice architecture for information security: How secure is my enterprise? How do we make better security decisions?
  - Productive Security: Improving security compliance and productivity through measurement
  - Games and Abstraction: The science of cyber security
  - Cyber security cartographies: CySeCa

Science of Cyber Security
- Security is a process, not a product: people, processes, technology
- Moving to empirical, evidence-based security
- Collaboration between researchers and industry is essential:
  - better understanding of the complexity of the problems by academics (avoiding an ivory tower mentality)
  - because that's where the data is!
- Bringing scientific rigour to data collection, measurement, and decision-making
Games and Abstraction Game Theory can help Systems Administrators make better decisions about how to defend their systems. The Cyber Security Problem can be seen as a two player game consisting of an Attacker who wants to maximise damage and a Defender who wants to minimise downtime and protect resources. For example, once an http server has been compromised, the likely next steps of the attacker would be to deface the website or install a sniffer. Defences include re-installing the compromised account or installing a sniffer detector. Attackers are far more likely to just deface the website and so the best defence is therefore to re-install the compromised account. We have designed a scientific programme to make this kind of analysis a robust and tractable problem.
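The two-player zero-sum game sketched above, worked through as an added example (this is not the Games and Abstraction project's own solver or data). The damage matrix, the attacker's move probabilities and the damage units are all constructed for illustration: rows are the attacker's next steps after the HTTP server compromise, columns are the defender's responses, and each entry is the expected damage, which the attacker maximises and the defender minimises. The block computes the pure or mixed equilibrium of a 2x2 game in exact arithmetic, and separately the defender's best response when the attacker's behaviour is known from experience (the slide's "attackers are far more likely to just deface the website"), which is the reasoning that picks "re-install the compromised account".

```python
"""Attack-step vs defence-response game as a two-player zero-sum game.

Added example, not the project's own code. Payoffs below are constructed
damage values (attacker maximises, defender minimises).
"""
from fractions import Fraction
from typing import List, Optional, Tuple

ATTACKS = ["deface website", "install sniffer"]
DEFENCES = ["re-install compromised account", "install sniffer detector"]

# Constructed damage matrix DAMAGE[i][j]: attacker move i against defender move j.
DAMAGE = [
    [Fraction(1), Fraction(5)],  # deface: stopped by re-install, not by a detector
    [Fraction(3), Fraction(2)],  # sniffer: partly limited by re-install, caught by detector
]


def saddle_point(damage: List[List[Fraction]]) -> Optional[Tuple[int, int]]:
    """Return (row, col) of a pure-strategy equilibrium, or None if both must mix."""
    row_mins = [min(row) for row in damage]
    col_maxs = [max(damage[i][j] for i in range(len(damage))) for j in range(len(damage[0]))]
    maximin, minimax = max(row_mins), min(col_maxs)
    if maximin != minimax:
        return None
    return row_mins.index(maximin), col_maxs.index(minimax)


def solve_2x2(damage: List[List[Fraction]]):
    """Value of a 2x2 zero-sum game plus attacker/defender mixed strategies.

    Returns (value, attacker_probs, defender_probs), exact as Fractions.
    """
    (a, b), (c, d) = damage
    pure = saddle_point(damage)
    if pure is not None:
        i, j = pure
        return damage[i][j], [Fraction(int(k == i)) for k in range(2)], [Fraction(int(k == j)) for k in range(2)]
    # No saddle point: each player mixes so the opponent is indifferent.
    denom = a - b - c + d  # non-zero whenever there is no saddle point
    p_top = (d - c) / denom      # attacker probability of playing row 0
    q_left = (d - b) / denom     # defender probability of playing column 0
    value = (a * d - b * c) / denom
    return value, [p_top, 1 - p_top], [q_left, 1 - q_left]


def best_response(damage: List[List[Fraction]], attacker_prior: List[Fraction]) -> Tuple[int, Fraction]:
    """Defender move minimising expected damage against a known attacker distribution."""
    expected = [sum(attacker_prior[i] * damage[i][j] for i in range(len(damage)))
                for j in range(len(damage[0]))]
    j = min(range(len(expected)), key=expected.__getitem__)
    return j, expected[j]


if __name__ == "__main__":
    value, p, q = solve_2x2(DAMAGE)
    print("game value (expected damage):", value)
    print("attacker mix:", dict(zip(ATTACKS, p)))
    print("defender mix:", dict(zip(DEFENCES, q)))
    # Constructed prior reflecting "attackers far more likely to deface".
    j, dmg = best_response(DAMAGE, [Fraction(9, 10), Fraction(1, 10)])
    print("best response to the observed attacker:", DEFENCES[j], "with expected damage", dmg)
```

Note the two answers differ in kind: the equilibrium tells the defender how to randomise when the attacker is assumed to be a rational optimiser, while the best response to a measured attacker distribution is what the empirical, data-driven view on the earlier slides leads to. With the constructed matrix both point to re-installing the compromised account as the dominant share of the defender's effort.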
Expected outcomes
- New theory and understanding of Game Theory and its application to cyber defence.
- Proof-of-concept implementation of a decision support tool based on adaptive, imperfect information stochastic games, with intermediate results relating to simpler systems.
- Empirical evaluation of the implementation against data sets from real stakeholders.
- Policy advice on cyber security strategy.
Our Model
Concepts (1)
- Target
  - Vulnerability: the particular attack method
  - Depth: the network location of the data assets
- Control
  - Level: the degree to which a control is implemented
  - Mitigation: the amount of damage that is expected to be stopped by implementing this control
  - Direct Cost: the cost to implement and maintain a control
  - Indirect Cost: costs related to the implementation of a control not seen as direct costs
- Organisational Profile: characteristics unique to the company or organisation

Concepts (2)
- Control Games
  - Study each control individually
  - Calculate a mixed strategy for each level of implementation
- Optimisation
  - Find the optimum allocation of a budget for the defence of an organisation
  - Uses a Weakest Target Model
  - Formulated as a 0-1 Multiple-Choice Multi-Objective Knapsack Problem

Control Games
- Control Games: all sub-games of a single control, identifying the best strategy for each possible level.
- Control Sub-Game: the analysis of each possible combination of levels of a single control, up to the maximum level denoted by the sub-game.
- Representation: two-player, zero-sum game
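The optimisation step on the Concepts (2) slide, worked as an added example (not the project's decision support tool). Each control has several implementation levels, level 0 meaning "not implemented" with zero cost and zero mitigation; exactly one level is chosen per control, which is what makes this a 0-1 multiple-choice knapsack. The page formulates the problem as multi-objective under a Weakest Target Model; this example simplifies to a single objective, maximising total mitigation subject to a direct-cost budget, and that simplification, the control names, costs and mitigation values are all assumptions of the example. The dynamic programme below is the standard exact method for this problem with integer costs.

```python
"""Budget allocation over security controls as a 0-1 multiple-choice knapsack.

Added example, not the project's own code. Controls, costs and mitigation
values are constructed; the single-objective form is a simplification.
"""
from typing import Dict, List, Optional, Tuple

Level = Tuple[int, float]  # (direct cost in budget units, mitigation as fraction of damage stopped)

# Constructed sample data; index 0 of each list is "control not implemented".
CONTROLS: Dict[str, List[Level]] = {
    "patching": [(0, 0.0), (2, 0.30), (4, 0.45)],
    "firewall": [(0, 0.0), (3, 0.40), (5, 0.50)],
    "training": [(0, 0.0), (1, 0.20), (3, 0.25)],
}


def allocate_budget(controls: Dict[str, List[Level]], budget: int) -> Tuple[float, Dict[str, int]]:
    """Choose exactly one level per control, total cost <= budget, maximising mitigation.

    Returns (best total mitigation, {control name: chosen level index}).
    """
    # dp[b] = (best mitigation, chosen levels) using the controls seen so far with cost <= b,
    # or None when no combination of the controls so far fits within b.
    dp: List[Optional[Tuple[float, Dict[str, int]]]] = [(0.0, {}) for _ in range(budget + 1)]
    for name, levels in controls.items():
        new_dp: List[Optional[Tuple[float, Dict[str, int]]]] = [None] * (budget + 1)
        for b in range(budget + 1):
            best = None
            for idx, (cost, mitigation) in enumerate(levels):
                if cost > b or dp[b - cost] is None:
                    continue
                prev_mit, prev_choice = dp[b - cost]
                candidate = prev_mit + mitigation
                # Strict '>' keeps the first (cheapest-listed) level on ties.
                if best is None or candidate > best[0]:
                    best = (candidate, {**prev_choice, name: idx})
            new_dp[b] = best
        dp = new_dp
    if dp[budget] is None:
        raise ValueError("no feasible allocation within budget")
    return dp[budget]


def total_cost(controls: Dict[str, List[Level]], choice: Dict[str, int]) -> int:
    """Direct cost of a chosen set of control levels."""
    return sum(controls[name][idx][0] for name, idx in choice.items())


if __name__ == "__main__":
    mitigation, choice = allocate_budget(CONTROLS, 7)
    print(f"best mitigation {mitigation:.2f} at cost {total_cost(CONTROLS, choice)}")
    for name, idx in choice.items():
        print(f"  {name}: level {idx}")
```

With a budget of 7 the optimum here does not spend the whole budget: the cheaper first level of every control beats a deeper investment in any single one, which is the kind of trade-off the knapsack formulation is meant to expose. Indirect costs from the Concepts (1) slide could be folded in either by adding them to each level's cost or as a second objective.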
Solving the Games
A Python-based min-max solver. We have used a method based on Singular Value Decomposition (SVD) to compute equilibria in large games where a large number of assets of the defending party must be protected against adversaries. Our method provides reasonably close solutions to the original game solutions and a significant speed-up of the computation.

Case Study (1)
Tables from "Cybersecurity Games and Investments: A Decision Support Approach", GameSec 2014

Case Study (2)
Table and graph from "Cybersecurity Games and Investments: A Decision Support Approach", GameSec 2014
Game Modelling - Future Work
- Larger scale games
  - More resources and vulnerabilities
  - Comparison of results to Cyber Essentials
- Solving the summation of effectiveness problem
  - Defender payoffs represented by benefits, not damage
- New data sources
  - Common Attack Pattern Enumeration and Classification (CAPEC) [1] as the source for attacks
  - Integration of findings from qualitative research

[1] https://capec.mitre.org

Advanced Persistent Threats
- The current model design doesn't effectively support the decision making required for Advanced Persistent Threat attacks.
- Currently working on designing a model for more accurately representing the interactions in Advanced Persistent Threat attacks.
Industrial Control System operation (source: NIST)

Convergence of ICS and Enterprise IT... but with major differences:
- Time critical versus high throughput
- Continuous operation
- Increased importance of edge clients
- Complex interactions with physical processes
- Resource constraints
- Legacy issues: 15-20+ years of operation
- Access to components can be difficult

A change of emphasis... from C-I-A (confidentiality first; the threat is espionage) to A-I-C (availability first; the threat is sabotage)... not forgetting: Maintainability, Reliability and Safety
Focus of Phase 1
- State of the Market: to document current approaches and practices; to identify successes and failures
- Barriers: to report on the cultural barriers that prevent innovation and adoption of good practices
- Foresight: to identify emerging technologies and threats that are likely to improve or exacerbate identified challenges

Key Questions / Challenges for Phase 2
- Do we understand the harm threats pose to our ICS systems and business?
- Can we confidently articulate these threats as business risk?
- What could be novel, effective and efficient interventions?

Research Institute in Trustworthy Industrial Control Systems
- 2.4M programme, 5 coordinated projects.
- Phase 1 (Directorship) awarded 01/01/14, Chris Hankin, Imperial College London. Phase 2 awarded 01/10/14.
- Key challenges:
  1. Mapping cyber threat to physical harm: do we understand the harm that threats pose to ICS and business?
  2. Do we understand and can we confidently articulate these threats as business risk?
  3. What are the novel, effective and efficient interventions?
- Projects:
  - CAPRICA: Converged approach towards resilient industrial control systems and cyber assurance
  - MUMBA: Multifaceted metrics for ICS business risk analysis
  - CECRICS: Communicating and evaluating cyber risk and dependencies in ICS
  - SCEPTICS: A systematic evaluation process for threats to ICS (incl. national grid and rail networks)
  - RITICS: Novel, effective and efficient interventions
Imperial: A multi-scale approach
- Single organisations
- Local clique
- National infrastructure
- International

Imperial: Themes
- Connectedness: what is the level of connectedness in organisations at the various scales?
- Propagation of effects: how far is a successful attack likely to migrate (cascading failures)?
- Defensive strategies: link to RISCS
- Economic consequences: what are the consequences at each scale?
- Mitigation: particularly for worst case threats.

Thank you
Pasquale Malacaria, Fabrizio Smeraldi, Tom Hoehn, Deeph Chana, Andrew Burton, Denise McGurk, Andrew Fielder, Manos Panaousis, Zeynep Gurguc
c.hankin@imperial.ac.uk