Paul Beraud, Alen Cruz, Suzanne Hassell, Juan Sandoval, Jeffrey J Wiley

November 15th, 2010

CRW’10 2010: NETWORK MANEUVER COMMANDER – Resilient Cyber Defense

Copyright © 2010 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.

Agenda

Introduction
– Overview on the project and topic

Discussion
– Hacking process, cyber defense goals, and decision framework
– Analysis framework, NMC architecture, and network collection points

Metrics
– Development and collection of cyber dynamic defense metrics

Results
– Research results from demonstration of Network Maneuver Commander

Conclusion
– Recommendations, conclusions, and future work

Questions

Introduction

Goals of Resilient Active Cyber Defense

Increase cost to the attacker

Increase the uncertainty that the attack was successful

Increase chance of detection and attribution

Minimize the magnitude of the attacker’s effect, survive

Network Maneuver Commander supports these goals through artificial diversity, randomization, non-persistence and deception.

Research History

Network Maneuver Commander (NMC)
– Internal research project funded by Raytheon Company started in March 2009
– Goals:
  Develop a prototype cyber command and control (C2) system that maneuvers network-based elements preemptively
  Develop performance metrics to evaluate cyber dynamic defense solutions

Cyber Defense
– Conventionally cyber defense employs defense in depth
  Concentrated on perimeter protection and patching known attack vectors at each layer
– NMC’s maneuvering capability enhances each of the defense layers by introducing artificial diversity of components (hardware, operating systems, etc…)

Project Provides Cyber Dynamic Defense and Metrics to Evaluate this Class of Techniques

Network Maneuver Commander

Characterizing Cyber Attacks

The Hacking Process
– Footprint: identify network addresses
– Scan: identify hosts, operating systems, services
– Enumerate: identify accounts and shares
– Gain Access: attempt access to host
– Escalate Privileges: gain control of host
– Pilfer: search and retrieve data

Randomized Decision Framework

Decision Framework Enables the NMC to maneuver elements

Parameters:
– Diversity
– Move interval
– Geographic destination

Discussion

Analysis Framework
– Force-on-force simulation
– Each attack is treated independently
– Statistics on attacks and defenses are aggregated for resulting metrics

NMC Architecture
– Collection of loosely coupled services
– Orchestrated via Enterprise Service Bus
– Generic plug-in framework to support new applications

Network Collection Points
– Capture of metrics through:
  Extension of existing tools
  Mining data already collected

Metrics

Basis for many metrics is time
– Used to measure an attack’s progress
– Used to quantify the cost to the attacker

Metric calculations defined include
– Percent of successful attacks
– Percent of partially successful attacks
– Mean number of attack disruptions
– Time spent per phase
– Duration of successful attack
– Defensive efficiency
– Defense factor

Metrics collection in the network
– Defined possible methods and tools

Metrics Evaluate Pro-Active Dynamic Defense Methods
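
An added illustration (not code from the presentation or from NMC) of the analysis framework and time-based metrics on the Discussion and Metrics slides: a force-on-force Monte Carlo run in which each attack is independent and walks the six hacking-process phases while the defender maneuvers at a fixed move interval. The phase durations, the attacker's time budget, and the rule that a maneuver sends the attacker back to Footprint are assumptions made for this example; the slides do not define them.

```python
import random

# The six phases of the hacking process listed on the slides.
PHASES = ["Footprint", "Scan", "Enumerate", "Gain Access",
          "Escalate Privileges", "Pilfer"]
# Constructed (min, max) hours per phase; not figures from the presentation.
PHASE_HOURS = dict(zip(PHASES, [(1, 3), (1, 4), (1, 3), (2, 6), (1, 4), (1, 2)]))

def simulate_attack(rng, move_interval, budget):
    """One independent attack -> (succeeded, disruptions, hours, hours_per_phase)."""
    spent = dict.fromkeys(PHASES, 0.0)
    clock, disruptions = 0.0, 0
    # Hours until the next maneuver; the attacker arrives mid-cycle.
    to_move = float("inf") if move_interval is None else rng.uniform(0, move_interval)
    while clock < budget:
        for phase in PHASES:
            need = rng.uniform(*PHASE_HOURS[phase])
            if need > to_move:             # the maneuver lands mid-phase
                spent[phase] += to_move
                clock += to_move
                disruptions += 1
                to_move = move_interval    # assumed: attacker restarts at Footprint
                break
            spent[phase] += need
            clock += need
            to_move -= need
        else:                              # all six phases finished undisturbed
            return clock <= budget, disruptions, clock, spent
    return False, disruptions, clock, spent

def run(move_interval, attacks=2000, budget=200.0, seed=1):
    """Aggregate per-attack statistics into time-based metrics."""
    rng = random.Random(seed)
    res = [simulate_attack(rng, move_interval, budget) for _ in range(attacks)]
    wins = [r for r in res if r[0]]
    return {
        "pct_successful": 100.0 * len(wins) / attacks,
        "mean_disruptions": sum(r[1] for r in res) / attacks,
        "mean_success_hours": sum(r[2] for r in wins) / len(wins) if wins else None,
        "mean_hours_per_phase": {p: sum(r[3][p] for r in res) / attacks for p in PHASES},
    }

if __name__ == "__main__":
    for interval in (None, 30.0, 12.0, 5.0):   # None = static network
        m = run(interval)
        print(interval, m["pct_successful"], round(m["mean_disruptions"], 2),
              m["mean_success_hours"])
```

With these constructed numbers, a 30-hour interval still lets every attack finish but lengthens it, while a 5-hour interval, shorter than the fastest possible attack, stops all of them within the budget.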

Results

Demonstration included
– Movement of resources across:
  Platforms
  Virtual partitions
  Physical locations
  Hypervisor vendors
– Deployment and maneuvering of:
  Data
  Applications
  Network addresses

Results captured on a variety of simulated scenarios

Varying network sizes, defense factor, threat profile, etc…

Displayed the Effectiveness of NMC Using the Newly Defined Metrics

Conclusion

Based on simulations and testing with real applications
– Maneuvering, artificial diversity and cleansing provide:
  Improved intrusion tolerance - lower percentage of attacks were successful
  Increased cost to attackers - more resources expended

Optimal maneuver frequency 2X time of attack on static network

Metrics allow for characterization of NMC and other cyber defense systems
– Can be used to find optimal configuration of defenses for given threats

Raytheon Continues Research in Area, Exploring Candidate Algorithms and Technologies

Challenges

Technologies not designed to support resiliency

Coordination difficult (interfaces)

Visualization/Operational

Metrics

Vendor Licensing Models

Questions?