Asset Mapping- deep understanding of the cyber resources u r responsible for.
ACD
New concept developed by DARPA and US Air Force that is now being adapted within critical infrastructures and traditional public and private businesses.
The core concept is the anticipation of an attack against cyber assets and proactively preparing and responding
This talk focus on asset identification and resulting relationship with all other components of ACD.
Asset identification/ Network secuirty monitoring
Incident response
Threat identification and Manipulation
Threat intelligence consuption
Asset Mapping / Network security monitoring:
Detailed active and passive mapping of systems, networks and their "normal behavior" prior to an attack.
Detection of aberrant behavior (known signatures, heuristics, unusual changes or activity)
detailed active and passive mapping of systems and networks, not static snapshot(photo) but dynamic behavior monitor(video). Detect abnormal behavior (known signatures, heuristics, unusual changes or activity) compared to normal behavior. Challenge: diff vendor and system, so hard to do monitoring and analysis, new features added, system changes, how to get rid of false positive: identifying truely unique features/behaviors. Use variance using stats tools.
Using current tech but focus more on behavior not static data. Feature extraction of monitored behavior then classify those and create knowledgebase. Then train new tech to add to current methods. Now we can add new defense earlier. Train Neural net.
Incident response:
Preparation
Detection/Analysis
Containment 围堵措施;遏制措施;
Eradication 摧毁,根除
Recovery
Post Response
When an incident identified by asset mapping/ monitoring. Dynamic change the system (restore back to valid state, reconfigure to defend, share threat information).
Threat identification and Manipulation (start to get offensive):
Examing attack methods
identifying objectives
gaming the adversary : implement deceptive tech, create darknets in the internal network, nothing or noone should ever touch those ip. honeypot honeyfile and sensors on the darknets
identifying key characteristics
assessing the sophistication of the attack and attacker (analysis the malware, to know its)
determining location of attackers
Threat intelligence consuption (a lot of money):
Interpret threat information:
does this threat impact? how? do we want change to our system?
Examing attack methods
identifying objectives
gaming the adversary : implement deceptive tech, create darknets in the internal network, nothing or noone should ever touch those ip. honeypot honeyfile and sensors on the darknets
identifying key characteristics
assessing the sophistication of the attack and attacker (analysis the malware, to know its)
determining location of attackers
Threat intelligence consuption (a lot of money):
Interpret threat information:
does this threat impact? how? do we want change to our system?
why Asset mapping vital?
1. without it, the response to an attack is hampered by the lack of knowledage of the environment (potentially hack back to third party network)
2. Our ability to understand our adversary's methods or objectives would be imprecise and lethargic
3. Our ability to employ deceptive tech(traps, decoys etc) in order to game the adversary would be quite different.
4. Our ability to assess and consure threat intelligence reports and determine if/ how the report applies to our environment would be difficult.
Example 2014, heartbleed. (Many companies cannot answer whether they include openssl)
Apply ACD to heartbleed like incidents
1. Significantly improve asset identification that includes much deeper knowledge regarding the operating characteristics and software installed on every device.
2. Improvement in mapping of identified threat characteristics and CVE's to ICS assets during the threat intelligence consumption phase
3. Expansion of Alternate Operation Centers and Test Environments to allow for rapid testing of patches and updates along with the ability to actively scan these environments to better assess the impacts of the vulnerabilities/exploits in question as an early step in Incident Response
4. Improve the ability to instument network security monitoring capabilities with the latest threat data.
5. Improvement in the dissemination and specific details of threats like Heartbleed that provide Threat Identification details that fit into the ACDC cycle
Some examples of industrial control system(ICS) technologies are:
- SCADA – Supervisory Control and Data Acquisition
- DCS – Distributed Control System
- PLC – Programmable Logic Controller
hack-back disadvantage:
1. illegal
2. attribution (if make mistake, harm third party)
vs deceptive tech.
Active vs passive mapping:
Pros
Immediate Results Non-Intrusive
Trusted Tech Provides a broader view of system and network behaviors
Deep Results(Quickly) Provides details that can be missed by active mapping
Cons
Intrusive and cause system crashes Slow- cna take days or weeks to construct an accurate picture
Only provides a snapshot of results More difficult to develop detailed OS characteristics
can be fooled by sophisticated malware & APTs Requires access to massive amount of traffic (Large PCAPS)
Takewayskey considerations and critical thinking:
1. Anticipate intrusions and adapt to them in real-time
2. Continuous asset behavior mapping is vital - make sure papssive mapping is a key component in ur strategy
3. Integrate lures, traps and decoys into ur defensive strategy
4. When consuming threat intelligence make sure ur understand the potential direct impact on ur infrastructure
5. share key threat observations with peers and even competitors
The “Triptych of Cyber Security”: A Classification of Active Cyber Defence
categorising non-ACD measures as fortified cyber defence and resilient cyber defence instead of passive cyber defense.
An examination of the cyber security strategies of national actors will demonstrate that active, fortified and resilient cyber defence are employed in a collaborative triptych of approaches to cyber security: three independent but related concepts coming together to achieve the single goal of operating in cyberspace free from the risk of physical or digital harm.
“active defence” is common in the military as the idea of offensive action and counterattacks to deny advantage or position to the enemy6, the concept remains elusive when applied to the cyber domain7 and suffers a lack of clarity in related law and national policy8.
“…the synchronized, real_time capability to discover, detect, analyze, and mitigate threats. [Active cyber defence] operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems.”
This definition identifies a number of features of ACD, the most important of which is the realtime detection and mitigation of key threats before damage occurs. Specific measures include the deployment of “white worms”11, benign software similar to viruses but which seek out and destroy malicious software, identify intrusions12 or engage in recovery procedures13. A second active defence tactic is to repeatedly change the target device’s identity during data transmission, a process known as address hopping14. This has the dual role of masking the target’s identifying characteristics as well as confusing the attacker15. Address hopping can serve as a useful action to counter espionage by masking the identities of devices where particular data is stored. Active cyber defence therefore places emphasis on proactive measures to counteract the immediate effects of a cyber-incident, either by identifying and neutralising malicious software or by deliberately seeking to mask the online presence of target devices to deter and counter espionage.
There are, however, a number of more aggressive measures which can be taken to defend systems and networks. While white worms can be used to seek out and combat malicious software, Curry and Heckman describe how they can also be used to turn the tools of hackers and would-be intruders against them and identify not just the attacking software, but the servers and other hardware devices hosting and distributing the attacking code16. This is a process known as “hack-back”17. Once the source devices of an intrusion or attack have been identified steps can be taken to render those devices inoperative or otherwise prevent them from carrying out their goals. What makes these measures significant is that they are aggressive, offensive techniques which operate beyond the boundaries of the defender’s network18. They are taking the fight to the attackers.
ACD is therefore a security paradigm employing two methods: one, the real-time identification and mitigation of threats in defenders’ networks; two, the capacity to take aggressive, external offensive countermeasures. For the purposes of establishing, or at least beginning the process of developing, a lexicon of cyber security terminology, ACD can therefore be described as:
" an approach to achieving cyber security predicated upon the deployment of measures to detect, analyse, identify and mitigate threats to and from communications systems and networks in real-time, combined with the capability and resources to take proactive or offensive action against threats and threat entities including action in those entities’ home networks. "
4 issues:
- legal implications in the use of offensive external measures.
- cannot attribute with 100%. (utilising ACD as a policy or strategic choice must be considered carefully, given its inherent characteristic of action beyond the defender’s immediate network. Such risks raise a second problem when employing aggressive, extra-territorial measures: the accurate attribution of the initial incident given the anonymising capacity of cyberspace and its effects on accurately identifying perpetrators. The basic premise of the attribution problem is that one cannot know with 100% certainty that the identified origin location of a security breach is the true origin of that
breach32. )An examination of the cyber security strategies of national actors will demonstrate that active, fortified and resilient cyber defence are employed in a collaborative triptych of approaches to cyber security: three independent but related concepts coming together to achieve the single goal of operating in cyberspace free from the risk of physical or digital harm.
“active defence” is common in the military as the idea of offensive action and counterattacks to deny advantage or position to the enemy6, the concept remains elusive when applied to the cyber domain7 and suffers a lack of clarity in related law and national policy8.
“…the synchronized, real_time capability to discover, detect, analyze, and mitigate threats. [Active cyber defence] operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems.”
This definition identifies a number of features of ACD, the most important of which is the realtime detection and mitigation of key threats before damage occurs. Specific measures include the deployment of “white worms”11, benign software similar to viruses but which seek out and destroy malicious software, identify intrusions12 or engage in recovery procedures13. A second active defence tactic is to repeatedly change the target device’s identity during data transmission, a process known as address hopping14. This has the dual role of masking the target’s identifying characteristics as well as confusing the attacker15. Address hopping can serve as a useful action to counter espionage by masking the identities of devices where particular data is stored. Active cyber defence therefore places emphasis on proactive measures to counteract the immediate effects of a cyber-incident, either by identifying and neutralising malicious software or by deliberately seeking to mask the online presence of target devices to deter and counter espionage.
There are, however, a number of more aggressive measures which can be taken to defend systems and networks. While white worms can be used to seek out and combat malicious software, Curry and Heckman describe how they can also be used to turn the tools of hackers and would-be intruders against them and identify not just the attacking software, but the servers and other hardware devices hosting and distributing the attacking code16. This is a process known as “hack-back”17. Once the source devices of an intrusion or attack have been identified steps can be taken to render those devices inoperative or otherwise prevent them from carrying out their goals. What makes these measures significant is that they are aggressive, offensive techniques which operate beyond the boundaries of the defender’s network18. They are taking the fight to the attackers.
ACD is therefore a security paradigm employing two methods: one, the real-time identification and mitigation of threats in defenders’ networks; two, the capacity to take aggressive, external offensive countermeasures. For the purposes of establishing, or at least beginning the process of developing, a lexicon of cyber security terminology, ACD can therefore be described as:
" an approach to achieving cyber security predicated upon the deployment of measures to detect, analyse, identify and mitigate threats to and from communications systems and networks in real-time, combined with the capability and resources to take proactive or offensive action against threats and threat entities including action in those entities’ home networks. "
4 issues:
- legal implications in the use of offensive external measures.
- cannot attribute with 100%. (utilising ACD as a policy or strategic choice must be considered carefully, given its inherent characteristic of action beyond the defender’s immediate network. Such risks raise a second problem when employing aggressive, extra-territorial measures: the accurate attribution of the initial incident given the anonymising capacity of cyberspace and its effects on accurately identifying perpetrators. The basic premise of the attribution problem is that one cannot know with 100% certainty that the identified origin location of a security breach is the true origin of that
- The content/analytics based filters might be used by government to filter media and surveillance.
- The concept of combatting threats outside the network or systems under attack therefore raises a number of significant concerns, not least the capacity for defending actors to respond with kinetic military force and the ramifications of doing so. However, the extra-territoriality inherent to ACD is vital to our understanding of the concept as a methodological approach to cyber security due to the fact that it is this aggressive external action which differentiates ACD from other approaches. Such a description raises a fourth issue around ACD and current efforts to define the concept: the assumption that all other, non-active forms of cyber defence are “passive” or reactive in nature. (US military and UK)
a definition of FCD is also offered here:" constructing systemically secure communications and information networks in order to establish defensive perimeters around key assets and minimise intentional or unintentional incidents or damage. "
While the defining characteristic of ACD is aggressive action taken outside the defender’s
home network, the defining characteristic of FCD is that approach’s preventive, introspective
focus. FCD measures seek to establish defensive perimeters through systems of firewalls and
antivirus software in order to minimise the chances of access to target systems and networks. (Germany)
home network, the defining characteristic of FCD is that approach’s preventive, introspective
focus. FCD measures seek to establish defensive perimeters through systems of firewalls and
antivirus software in order to minimise the chances of access to target systems and networks. (Germany)
Resilience itself is predicated upon accepting that incidents will occur and focussing on the
ability to recover from those incidents62, either returning to the original state or adapting to
generate a new, adjusted state63.
ability to recover from those incidents62, either returning to the original state or adapting to
generate a new, adjusted state63.
RCD can therefore be defined as:" ensuring the continuity of system functionality and service provision by constructing communications and information networks with the systemic, inbuilt ability to withstand or adapt to intentional or unintentional incidents. "
While ACD and FCD seek to identify threats and intrusions as soon as possible and deal
with them, RCD advocates sharing vital information regarding security breaches among all
interested parties and potential future victims65 (EU and Japan)
with them, RCD advocates sharing vital information regarding security breaches among all
interested parties and potential future victims65 (EU and Japan)
Resilience is a common trait in current cyber security policy documents. The strategies of the
European Union (EU) and Japan favour this approach. They concentrate on sharing information
between public and private bodies, harmonising public infrastructure security measures and
developing uniform standards of security66 to ensure preparedness in the event of a natural or
malicious incident. The defining characteristic of RCD is this idea of functional continuity.
European Union (EU) and Japan favour this approach. They concentrate on sharing information
between public and private bodies, harmonising public infrastructure security measures and
developing uniform standards of security66 to ensure preparedness in the event of a natural or
malicious incident. The defining characteristic of RCD is this idea of functional continuity.
The EU is currently considering legislation which would make it a legal requirement for all relevant public and private actors to share security breach information69.
The result of this classification is the identification of not two modes of cyber defence (active or
passive), but three – active, fortified and resilient cyber defence. However the three paradigms
are not mutually exclusive. While very different given their varying techniques, each approach
operates in conjunction with the other to achieve a wider single goal, cyber security. By
concentrating not on the implementation of the measures themselves but their ultimate goals
these three paradigms together form a “Triptych of Cyber Security”: three parallel approaches
to achieving security when interacting with and utilising cyberspace.
passive), but three – active, fortified and resilient cyber defence. However the three paradigms
are not mutually exclusive. While very different given their varying techniques, each approach
operates in conjunction with the other to achieve a wider single goal, cyber security. By
concentrating not on the implementation of the measures themselves but their ultimate goals
these three paradigms together form a “Triptych of Cyber Security”: three parallel approaches
to achieving security when interacting with and utilising cyberspace.
Conclusion
Active cyber defence (ACD) is an approach to cyber security predicated upon proactive measures
to identify malicious codes and other threats, as well as aggressive external techniques designed
to neutralise threat agents. ACD is defined by the capacity and willingness to take action outside
the victim network72. Despite this, ACD is not mirrored by “passive cyber defence”. The
measures collated under this term should more accurately be classified as fortified and resilient
cyber defence. These terms clarify the nature of the action taken by focussing on the end goals
of the measures they describe.
to identify malicious codes and other threats, as well as aggressive external techniques designed
to neutralise threat agents. ACD is defined by the capacity and willingness to take action outside
the victim network72. Despite this, ACD is not mirrored by “passive cyber defence”. The
measures collated under this term should more accurately be classified as fortified and resilient
cyber defence. These terms clarify the nature of the action taken by focussing on the end goals
of the measures they describe.
The three types of cyber defence described here are not mutually exclusive. Instead they operate
in conjunction with one another in a triptych of measures further highlighting the inaccuracy
of a simple divide between active and passive approaches. The goal of cyber security is to
enable operations in cyberspace free from the risk of physical or digital harm. To that end, theof a simple divide between active and passive approaches. The goal of cyber security is to
three paradigms of defence postulated here work together to complement each other through
a range of measures designed to address specific issues around online security. Active cyber
defence focusses on identifying and neutralising threats and threat agents both inside and
outside the defender’s network, while fortified defence builds a protective environment. In
its turn resilience focusses on ensuring system continuity. The national strategies developed
over the last ten years demonstrate the complementarity of these three approaches. The US and
UK categorically adopt an active paradigm, whereby all available resources are deployed to
protect national interests, including proactively seeking out enemy actors and rendering them
ineffective. The US further retains the right to deploy the ultimate sanction of kinetic military
force in the event of a cyber-attack as a measure of last resort. However, neither the UK nor the
US are ignorant of the benefits of fortifying assets, or of making critical national infrastructures
resilient to the failures of the communications systems on which they rely73. For Germany the
policy of choice is FCD but network resilience is recognised in a commitment to protecting and
securing critical digital infrastructures due to their importance to physical social and economic
services74. The EU and Japan adopt a resilience-based framework, yet both are seeking to
develop active defence capabilities75.
What this demonstrates is a conscious acknowledgement that one single approach to cyber
security is not enough. Active cyber defence, including all the measures that that concept entails,is insufficient when seeking to achieve cyber security. Steps must be taken to fortify assets in
order to minimise the likelihood and effectiveness of cyber-incidents, as well as ensure system
and infrastructure continuity should an incident occur. Equally, FCD and RCD do not serve as
effective deterrents to would-be attackers. The willingness to identify and pursue threat agents
into their own home networks must be demonstrated alongside asset fortification and system
resilience. In short, the paradigms of cyber defence are not stand-alone approaches. Even for
those actors which place their strategies within an active framework, military or security agency
resources are not the only ones utilised. The consequence of this is the deployment of elements
of each approach simultaneously in a triptych of approaches intended to achieve a single goal
By contextualising ACD as an approach which is used collaboratively with its fortified and
resilient cousins in a triptych of cyber security, and highlighting the crucial difference ofaggressive action beyond the victim network, it is possible to distil a definition of the term
“active cyber defence”. This is in spite of ACD being fraught with unresolved legal and
diplomatic difficulties. For the purposes of classification, a definition of active cyber defence
is proposed here:" a method of achieving cyber security predicated upon the deployment of measures to detect, analyse, identify and mitigate threats to and from cyberspace in real-time, combined with the capability and resources to take proactive or aggressive action against threat agents in those
agents’ home networks "
The question of definition and classification in the cyber security debate will not be
resolved overnight. While active cyber defence is one feature of that debate, the definition
and classification offered here will go some way towards establishing a cohesive lexicon of
terminology, an exercise which will assist the development of legal and political solutions to
the complex issue of cyber security
Navy postgraduate MS thesis
Cyber Exploitation
This typology refers to the exploitation of computer systems involved in a cyber attack in order to obtain intelligence that can aid in the analysis of the attack and in determining attribution. (e.g. hack the compromised proxy computer and one by one to retrieve the path)
Counter Attack
In the case of a cyber attack, the equivalent would be to counter hack the attacker responsible for the cyber attack. (e.g. hack the C&C server for Botnet DDoS)
Preemptive Strikes
In the context of cyberspace, a preemptive strike can be described as “conducting
an attack on a system or network in anticipation of that system or networking conducting
an attack on your system.”68 (e.g. 1) disrupt potential attackers network 2) make presence in potential attacker network and deter the attack)
resolved overnight. While active cyber defence is one feature of that debate, the definition
and classification offered here will go some way towards establishing a cohesive lexicon of
terminology, an exercise which will assist the development of legal and political solutions to
the complex issue of cyber security
Navy postgraduate MS thesis
Cyber Exploitation
This typology refers to the exploitation of computer systems involved in a cyber attack in order to obtain intelligence that can aid in the analysis of the attack and in determining attribution. (e.g. hack the compromised proxy computer and one by one to retrieve the path)
Counter Attack
In the case of a cyber attack, the equivalent would be to counter hack the attacker responsible for the cyber attack. (e.g. hack the C&C server for Botnet DDoS)
Preemptive Strikes
In the context of cyberspace, a preemptive strike can be described as “conducting
an attack on a system or network in anticipation of that system or networking conducting
an attack on your system.”68 (e.g. 1) disrupt potential attackers network 2) make presence in potential attacker network and deter the attack)
A preventive cyber attack can be launched against a
hostile actor (both state and non-state) to prevent the latter from acquiring any cyber
offensive capability. (e.g. Stuxnet prevent Iran from building nuclear weapon)
ACTIVE CYBER DEFENSE
Active cyber defenses may one day offer strategic advantages similar to those for active defenses in conventional warfare. They can help establish attribution of a cyber attack, deter attacks by creating the fear of retaliatory attacks in potential attackers, or even preempt an imminent attack. The typologies of active cyber defense are cyber exploitation, counter cyber attack, preemptive cyber attack, and preventive cyber attack. Cyber exploitation refers to the hacking of third party or the attackers’ computers and networks for the purpose of gaining information about the attack, including the source of the attack, the methods and tools used, the scope of the attack, and data that may have been taken. Cyber exploitation, when carefully carried out, need not disrupt target computers and may even goes undetected.
Counter cyber attack refers to the launching of a cyber attack against an attacker. The objective could be to interrupt an attack in progress and limit its effects. The counter attack could take the form of DOS attack or intrusion into the attacker’s network.
Alternatively, if the attacker is stealing sensitive documents, it could take the form of booby-trapping the documents with a remote-controlled Trojan, which then could be used to collect information about the attacker and/or shut down the attacker’s computer or network.
Preemptive cyber attack refers to the launching of a cyber attack against an adversary in anticipation of an imminent cyber attack. Preventive cyber attack refers to the launching of a cyber attack against an adversary based on a judgment that the adversary will be attacking.
hostile actor (both state and non-state) to prevent the latter from acquiring any cyber
offensive capability. (e.g. Stuxnet prevent Iran from building nuclear weapon)
ACTIVE CYBER DEFENSE
Active cyber defenses may one day offer strategic advantages similar to those for active defenses in conventional warfare. They can help establish attribution of a cyber attack, deter attacks by creating the fear of retaliatory attacks in potential attackers, or even preempt an imminent attack. The typologies of active cyber defense are cyber exploitation, counter cyber attack, preemptive cyber attack, and preventive cyber attack. Cyber exploitation refers to the hacking of third party or the attackers’ computers and networks for the purpose of gaining information about the attack, including the source of the attack, the methods and tools used, the scope of the attack, and data that may have been taken. Cyber exploitation, when carefully carried out, need not disrupt target computers and may even goes undetected.
Counter cyber attack refers to the launching of a cyber attack against an attacker. The objective could be to interrupt an attack in progress and limit its effects. The counter attack could take the form of DOS attack or intrusion into the attacker’s network.
Alternatively, if the attacker is stealing sensitive documents, it could take the form of booby-trapping the documents with a remote-controlled Trojan, which then could be used to collect information about the attacker and/or shut down the attacker’s computer or network.
Preemptive cyber attack refers to the launching of a cyber attack against an adversary in anticipation of an imminent cyber attack. Preventive cyber attack refers to the launching of a cyber attack against an adversary based on a judgment that the adversary will be attacking.
没有评论:
发表评论