This is two fold paper on how to analyze defensive tactics in Global Digitized Environment. In this part A is introduced the military confrontation in digitized environment and aspects on improving host based ICT security.
Part B will include description of survivable management system structure and describe learning, training and exercising of Security Operation skills and understanding.
This paper is explaining current trends in implementation of host based security within digital military environment. The paper is also presenting means to improve understanding of interrelationships within ICT System of systems. The host based information security and flexible cyber defence is studied in environment of national territorial military defence. The strategic confrontational situation defined so that defender may achieve only partial dominance in any dimension of space of operations. The opponent is assumed to own abilities and to follow the art of operation typical to 2nd and 3rd generation of war – industrial mass attraction or manoeuvrable forces enabled by network. Operations with other nature like peacekeeping, occupying or expeditionary and their possible 4th generation opponent should have their own specific analysis.
This study is first defining confrontation in digitized environment to possible agendas of cyber offensive, targeting and vulnerabilities of defended System of systems. Secondly paper is describing implementation of a host based IT security. Thirdly study is presenting a survivable structure for both physical and logical layers of security operations architecture. Fourthly there is definition of learning and training of human competence and skills to keep ahead of possible opponent.
Figure 1: A Simple model for analysing conflict between two military entities in digitized environment
Digitized environment is creating one additional dimension to normal military dimensions of land, air, sea and space. Digitized environment is creating complex interconnection between main opponents, their supporters and neutral parties. Digitized environment is making space of operation flat and global while reducing boundaries between crises and normal time and between fighting forces and other people. In digitized environment it is normal to use all possible means and avenues available to affect opponent. Friendly connected computers can be turned into attacking assets by turning them to remote controlled robots i.e. botnets. Opponent may utilize separate stake holders such as enthusiast, pro-movements or hired hackers to cover real sources of force. Russia was using their patriotic movement as a cover when attacking against Estonian governmental information assets. Opponent may steal critical personnel and logistics information. They may jump over air gaps and block or change the situation awareness picture. Opponent may attack critical industries to block critical supplies. They may even do as simple as send emails to commanders to lessen trust to technology and reveal the weakness of military network.
Both parties are structuring their military force by utilizing System of systems enabled capabilities. These capabilities are using connections between different nodes to gain better situation awareness, quicker reaction, tailored effect and more sustained operation. System of systems at best is producing exponentially multiplied military effect but at worst it may expose military to exponential or overconnectivity vulnerability.
Military force is resembling the society that has provided it. Current 2nd and 3rd generation forces are connected to a large body of nonmilitary support. This logistic chain is essential to sustain force in operation. There are both information service providers, software developers and technical component providers for military information and communications technology systems. This important value chain might be utilized by the opponent to either gain access into military domain or to affect its role.
Figure 2: An example of phasing of military operation evolved from Russian origins
Following Russian strategy there may be three overlapping phases of operation:
1. Projecting soft power and preparing for further measures,
Since using force does not mean waging war, there are many alternatives to project power and change both public, governmental and military behaviour before escalation to an armed conflict. Digitised environment provides number of means and avenues to collect information, to analyse structures of trust, to create targeting lists, to prepare space of operation and to effect on individual and collective opinion. This means destroying human trust in governance, public media and other people. In this phase more focused opponents have the luxury of persistence. They may operate with long goals, lessening risk of being detected and maximising effect when capturing valuable information and not bulk data. Recent sensation of NSA open-source intelligence gathering capabilities is just a proof that all nations are yielding digital sources. Military Intelligence in Israel declared that they are under sustained cyber-attack. According to Maj.Gen Kochavi the cyber means are "the biggest revolution in warfare, more than gunpowder and the air power during the past century" . It took about one year from global society to discover STUXNET. One should wonder, how many malevolent software based advanced attacks or information gathering operations there are currently that has not been detected. Undetected attacks are the most dangerous in digitised military environment. There are no fingerprints, signature or behaviour that can be configured to intrusion detection systems.
2. Achieving strategic or operational surprise
Electronic shock means that opponent is using all avenues and means available to achieve strategic surprise by suppressing opponents System of systems function in early phase of conflict. Means to achieve this might include anything between high burst electromagnetic pulse to triggering planted worms to deny electrical utility services. The United States has been doing this but with kinetic means when they are operating with ‘Shock and Awe’ style to gain rapid dominance. The main aim of this style of operation is to deny all network enabled capabilities and force multipliers and destroy both cohesion of forces and their systems. The center of gravity of this offensive is the human trust to his systems and information. This happened when thousands of Iraqi commanders painfully learnt that their "closed-loop" private network was compromised. They received emails by the internal system from US Central Command demanding to leave tanks and armoured vehicles in formation and abandon them.
3. Destroying forces and their base.
Conventional tactics is using kinetic means to destroy both opponent’s force and their base for support to gain dominance for example at political level. This phase includes isolating physical area of operation from global network and focus effect on public opinions and behaviour. Kinetic effect means that missiles, special operation forces and land component are used to destroy key targets. Main aim is to suppress opponent’s control over his forces and destroy enough assets that force is shattered to dysfunctional components. Electronic warfare is used widely at tactical level during this phase.
The opponent is using means that are available in time and politics, penetrable through defence and effective in target. In digitised environment these means include electromagnetic, cyber, physical, insider, man-in-the-middle and psychological tools. Rational opponent is preparing his space of operation and trying to detect vulnerabilities from System of system of opposite side. These preparations will provide fast delivery of force and gain initiative by surprise, which is a main goal in any military operation.
Targeting
Rational opponent is analysing the System of systems of their possible adversary with operational and system analysis tools. Opponent seeks vulnerable relationships from interrelated structure such as trust between humans, information exchange, complex processing and physical buildings of key resources. This is illustrated in figure 3.
Figure 3: Interrelated System of systems as a target structure
Individual key people, human to human relationship and human trust to technology are the weakest links in information intensive System of systems structure. These links are opponent’s main targets.
1. Individual key people has following weaknesses that might be utilised by opponent:
2. Trust between people is also a fruitful target
3. Information is being processed, stored and exchanged in digital format.
4. Synchronised processing and presenting functions are special targets
Most conventional way to disintegrate System of systems is to destroy them physically. This can be done by using both kinetic, explosive and non-kinetic warheads. A bullet through cable or antenna connection will cut transmission. One ordinary ballistic missile hit within 500 meters (CEP 500 m and warhead 800 kg) from unhardened communications facilities will destroy commercial of the shelf (COTS) devices. High powered electromagnetic pulse generated within couple of hundreds of meters from unshielded datacentre will destroy all integrated circuits. A special operation troop may breach and destroy a target per day and keep this pace up for two weeks behind enemy lines. Taking down general electricity or water distribution may disable whole digital infrastructure when normal backup services run out.
Topology of networked system is one of the main focus when analysing vulnerabilities. The aim is not to destroy all detected targets but those who give best disintegration as depicted in figure 4.
Figure 4: Topology as target
The rational opponent is not taking down targets as they appear in their sights but aim for more valuable attractions. For infantry these valued targets are leaders, antennas, engines, heavy weapon platforms, etc. Opponent is trying to disintegrate networked System of systems to pieces that are no more functional separately. One may think that 10 nodes of distribution and relatively good connectivity is enough to sustain services. If opponent understands the system structure, has means of effect available and can deliver them to targets, only four hits is needed to break the example network apart and most probably prevent service providing. Target list is even smaller if opponent can determine sensitive parts from ICT structure like synchronization hub, network management hub, network operation centres, access directories, home directories, database replication masters or master key managers. The center of gravity in network is not the number of nodes but centralised intelligence, logic and control of system.
The main task of Military Intelligence is to gather information of opponent’s resources, weapons, training, procedures, troops’ spirits and leaders’ behaviour. Intelligence is also gathering information of how opponent operates its forces in real situation. All this information is fused, analysed and used to build a model of opponent’s most probable behaviour in operation. This model is used as a basis for all enemy assessment, a skeleton for their force structure and a basis for anticipating their next movement. This legacy military intelligence process is trying to define the most probable future ‘modi operandi’ of the opponent by collecting large quantity of information from past actions and then projecting it to situation in hand. In physical world major enablers or constraints are troop skills, level of gear, fighting spirit and culture of their leaders. Thus force cannot execute operation that is beyond its unified competence, strength of command and control and culture.
This is not necessary the case when opponent is operating in digitized environment. Troops are rather small teams that can learn quicker and change their method faster than massed forces. There is no direct fear of death involved so troop unity is not important. Even low level organization culture can produce major effects, if there are competent and motivated individuals within teams. Cyber attacking weapons are as good as their users are skilled to build them thus there is a race to harness most potential and motivated individuals to defend their national cyber structure. Only simple spamming, virus producing or Distributed Denial of Service (DDoS) attacks do not require long experience or advanced skills.
One way to understand and possibly anticipate opponent is to assume all the possible actions as he may be able to execute in area of operation. Knowing how to attack is a knowledge base for defensive operations. Thus two-sided exercises (BLUE – RED) in real or near-real structure are imperative. Rotation of personnel between RED and BLUE crews should also be systematic. The other way is to shape the area of operations and design it so that opponent has only limited courses of action to choose. One has to create digital pits, honeypots and obstacles to capture attacker’s behavioural pattern. After pattern recognition one has to seek pattern breaks that might tell about attacker’s weaknesses, intentions or base of force. Exploiting these will give defender an advantage or asymmetric position in confrontation.
A generic list of cyber-attack examples in military digitized environment is presented in Annex 1.
Host Based Security System , HBSS was created in US DISA originally with McAfee and BAE Systems, who were given the contract to implement first monitor agents to all hosts in network. Hosts that either process data or store it are provided with firewall and application level blocking. After creating these mini fortifications from each host, DISA went to install set of agents or equal function that are installed to hosts and communication nodes to monitor events and produce required surveillance data to be forwarded to Security Operation Centre (SOC). SOC has control over IT Operations change management and configuration management and can quickly change system configuration, when malicious behaviour is detected from information environment as illustrated in figure 5.
Figure 5 an example of Host Based Security concept
As in physical space of operation this creates a continuous competition of measure – countermeasure – counter-countermeasure. This symmetric confrontation is not end state for military operational art but asymmetry is required.
Figure 6: Examples of setting threshold to detect different attack vectors
One may define normal baseline, set detection of anything outside of this content, protocol, size, time or user behaviour. One may also assess vulnerabilities after patching and set threshold to detect anything that is trying to exploit the remaining vulnerabilities. One may define normal behaviour between clients, network, application server and database server. Threshold is set to detect any anomaly outside this behaviour. A continuous tuning cycle was created when new threat was introduced, secure design was found by testing, configuration changes of ICT structure was implemented and detection thresholds were reset. This struggle is coming less and less effective to defender since within first quarter 2014 only there was record high 15 million new samples of malware created. More than 160 000 new malicious specimens per day like trojans, worms, viruses and adware are overwhelming any security organization if detection is based on analysed fingerprints of each version.
To meet this velocity and versatility of threat in digital environment, defenders have initiated following measures:
Figure 7: Example of Security and ITSM processes integration in military NOC
ICT components are patched and hardened before they are delivered to operations environment (MILNET) by IT Operations change, configuration and release management processes (see figure 7). This ongoing process keeps Operational ICT up-to-date and as sustainable as possible. In ICT systems, there are always known vulnerabilities, which cannot be remedied. To compensate these vulnerabilities, special thresholds could be installed around most vulnerable components to detect any attempts of exploitation as explained in figure 6.
Normally this proactive arm is integrated with risk management or presently in concept of Governance, Risk management and Compliance (GRC) processes. In military environment these processes are amalgamated to operation security processes of 3 branch, military intelligence processes of 2 branch and C5I processes of 6 branch for example in US DoD structure. These processes may present orientation to tactical SOC and NOC processes like:
Figure 8: An example of Security Operations Centre information management within Host Based Security
There is also a need to be connected with larger society of cyber experts that continuously monitor malevolent behaviour in networks, collaborate with them and make better sense out of incidents in networks. This is basic intelligence gathering from surrounding environment. There are number of societies that provide both vulnerability information (like CERT or NSA organizations), event data (like McAfee recent threats), attack profiles, vectors and signatures (like CyberISE) and information on attackers themselves (like SLIC threat feed, Arbor Networks, VeriSign iDefense). There is also major laboratories and SOC service companies that provide restricted services (like LocheedMartin, BAE Systems, Thales, Northrop Grumman, IBM, HP, RSA, Nokia, Ericsson). This information is analysed, modelled and transferred to scripts for anomaly detection agents in Operational Environment. Security Information and Event Management (SIEM) is gathering all alerts and events from detection agents and logs, correlating them in near-real-time and presenting picture of possible malevolent events within IT Operations environment. This is typical multisensory information fusion based military surveillance function. Typical challenges are: what is normal and abnormal, are analysts able to detect all malevolent incidents from mass of anomaly events, what if opponent can model the fusion method and can bypass it, what if opponent attacks against monitoring system itself and how to normalize data from different sensors to be able to detect same target?
There are several ways to improve detection probability and minimize effects of overload. So called Business Intelligence and Big Data methods are enabling correlation of information received from different sources.
As attacks are coming more advanced and persistent these analysis methods can be utilized to capture unknown attack profiles or detect silent signs of possible scenarios.
While number of hosts increases, their interrelated behaviour evolves faster, transmitted information increases or attacker’s skills improve, host based surveillance will produce more and more data. It will become more challenging to define malevolent events from this big data. This requires very skilled analysts that are committed to improve their skills indefinitely. There is a risk that attacker remains stronger in this confrontation, because he has time and tools in his side. Protected system and surveillance should provide more time to detect and react. To counter this basic military concept of defence in depth has been applied also in cyber space.
Following picture 9 is illustrating how combining these three depths of attack behaviour, technology and domain structure, defence can achieve a remarkable advantage over any attacker from both inside and outside.
Figure 9: An example of Defence in Depth concept in cyber space
Military cyber defence may have strong perimeter based defence (like Nato mission networks in Kosovo) or face world that interconnected systems are not any more separable (like Future Mission Networks). It is possible to build defensive perimeters inside each other by using both technical layers and domain layers of ICT structure that can be either self-cleaning or agile when implemented with Software Defined Infrastructure or Software Defined Security as defined by VMware salesmen . When this is combined with active intelligence, surveillance and active probing of surrounding domains, one can build agile defence with time to act and provide several means to counter attacks.
Air gap has been one of the most powerful domain perimeters. It is still preventing basic attacks but not advanced attacks that can hop over air gaps using for example traditional data media transfer, injected features or alternative communication means . Air gap is also creating a lot of human based data transfer which might be even more insecure that using well build and controlled cross domain gateway. Although military is using a lot of air gap isolation their security arm should extend their intelligence and surveillance far over these air gap cyber walls. Even Genghis khan’s nomadic force was able to take over well advanced Chinese fortification of Zhongdu (modern Beijing) in 1215.
Part B will include description of survivable management system structure and describe learning, training and exercising of Security Operation skills and understanding.
Introduction
Despite of high walls of defence (air gap, cross domain gateways, domain control, and physical access control) on the perimeters of digital structures, military is facing increasing challenges inside their ICT system of systems. The opponent is increasingly breaching walls and effecting inside the fortifications via insiders (Manning), sub-providers (Snowden), air-gap-leaping viruses (Russia) and ‘waterholeing’, spearheading and phishing normal users. Militaries are defending their digital fortresses with more flexible defence, which requires continuous surveillance (monitoring), intelligent detection of incidents, eliminating unrelated events and rapid action in countering detected threats. Magnificent physical fortresses like Maginot-line or Atlantic Wall were breached or by-passed in history. Today military engineers of digital fortresses are building more flexible defence both within their digital walls. This is to gain more time to react and enable more variations of defence with modern defence-in-depth concept.This paper is explaining current trends in implementation of host based security within digital military environment. The paper is also presenting means to improve understanding of interrelationships within ICT System of systems. The host based information security and flexible cyber defence is studied in environment of national territorial military defence. The strategic confrontational situation defined so that defender may achieve only partial dominance in any dimension of space of operations. The opponent is assumed to own abilities and to follow the art of operation typical to 2nd and 3rd generation of war – industrial mass attraction or manoeuvrable forces enabled by network. Operations with other nature like peacekeeping, occupying or expeditionary and their possible 4th generation opponent should have their own specific analysis.
This study is first defining confrontation in digitized environment to possible agendas of cyber offensive, targeting and vulnerabilities of defended System of systems. Secondly paper is describing implementation of a host based IT security. Thirdly study is presenting a survivable structure for both physical and logical layers of security operations architecture. Fourthly there is definition of learning and training of human competence and skills to keep ahead of possible opponent.
1.Military Mission in Digital Environment
Military Confrontation
Military mission occurs most often when two or more parties of confrontation have drifted to conflict. A simple model may be design to analyse basic interactions between parties and their environment as illustrated in figure 1.Figure 1: A Simple model for analysing conflict between two military entities in digitized environment
Digitized environment is creating one additional dimension to normal military dimensions of land, air, sea and space. Digitized environment is creating complex interconnection between main opponents, their supporters and neutral parties. Digitized environment is making space of operation flat and global while reducing boundaries between crises and normal time and between fighting forces and other people. In digitized environment it is normal to use all possible means and avenues available to affect opponent. Friendly connected computers can be turned into attacking assets by turning them to remote controlled robots i.e. botnets. Opponent may utilize separate stake holders such as enthusiast, pro-movements or hired hackers to cover real sources of force. Russia was using their patriotic movement as a cover when attacking against Estonian governmental information assets. Opponent may steal critical personnel and logistics information. They may jump over air gaps and block or change the situation awareness picture. Opponent may attack critical industries to block critical supplies. They may even do as simple as send emails to commanders to lessen trust to technology and reveal the weakness of military network.
Both parties are structuring their military force by utilizing System of systems enabled capabilities. These capabilities are using connections between different nodes to gain better situation awareness, quicker reaction, tailored effect and more sustained operation. System of systems at best is producing exponentially multiplied military effect but at worst it may expose military to exponential or overconnectivity vulnerability.
Military force is resembling the society that has provided it. Current 2nd and 3rd generation forces are connected to a large body of nonmilitary support. This logistic chain is essential to sustain force in operation. There are both information service providers, software developers and technical component providers for military information and communications technology systems. This important value chain might be utilized by the opponent to either gain access into military domain or to affect its role.
Issues of Offence
Potential opponent has wider variety of means in his reach in modern digitised environment than before, when he is facing a military force with system of systems structure. There are different targeting strategies shown in U.S. Gulf operation (Wardens targeting strategy) and Russian operations in Estonia, Georgia and Ukraine. Here is an example from Russian strategy of effect and operations with 2nd and 3rd generation force as depicted in figure 2.Figure 2: An example of phasing of military operation evolved from Russian origins
Following Russian strategy there may be three overlapping phases of operation:
1. Projecting soft power and preparing for further measures,
Since using force does not mean waging war, there are many alternatives to project power and change both public, governmental and military behaviour before escalation to an armed conflict. Digitised environment provides number of means and avenues to collect information, to analyse structures of trust, to create targeting lists, to prepare space of operation and to effect on individual and collective opinion. This means destroying human trust in governance, public media and other people. In this phase more focused opponents have the luxury of persistence. They may operate with long goals, lessening risk of being detected and maximising effect when capturing valuable information and not bulk data. Recent sensation of NSA open-source intelligence gathering capabilities is just a proof that all nations are yielding digital sources. Military Intelligence in Israel declared that they are under sustained cyber-attack. According to Maj.Gen Kochavi the cyber means are "the biggest revolution in warfare, more than gunpowder and the air power during the past century" . It took about one year from global society to discover STUXNET. One should wonder, how many malevolent software based advanced attacks or information gathering operations there are currently that has not been detected. Undetected attacks are the most dangerous in digitised military environment. There are no fingerprints, signature or behaviour that can be configured to intrusion detection systems.
2. Achieving strategic or operational surprise
Electronic shock means that opponent is using all avenues and means available to achieve strategic surprise by suppressing opponents System of systems function in early phase of conflict. Means to achieve this might include anything between high burst electromagnetic pulse to triggering planted worms to deny electrical utility services. The United States has been doing this but with kinetic means when they are operating with ‘Shock and Awe’ style to gain rapid dominance. The main aim of this style of operation is to deny all network enabled capabilities and force multipliers and destroy both cohesion of forces and their systems. The center of gravity of this offensive is the human trust to his systems and information. This happened when thousands of Iraqi commanders painfully learnt that their "closed-loop" private network was compromised. They received emails by the internal system from US Central Command demanding to leave tanks and armoured vehicles in formation and abandon them.
3. Destroying forces and their base.
Conventional tactics is using kinetic means to destroy both opponent’s force and their base for support to gain dominance for example at political level. This phase includes isolating physical area of operation from global network and focus effect on public opinions and behaviour. Kinetic effect means that missiles, special operation forces and land component are used to destroy key targets. Main aim is to suppress opponent’s control over his forces and destroy enough assets that force is shattered to dysfunctional components. Electronic warfare is used widely at tactical level during this phase.
The opponent is using means that are available in time and politics, penetrable through defence and effective in target. In digitised environment these means include electromagnetic, cyber, physical, insider, man-in-the-middle and psychological tools. Rational opponent is preparing his space of operation and trying to detect vulnerabilities from System of system of opposite side. These preparations will provide fast delivery of force and gain initiative by surprise, which is a main goal in any military operation.
Targeting
Rational opponent is analysing the System of systems of their possible adversary with operational and system analysis tools. Opponent seeks vulnerable relationships from interrelated structure such as trust between humans, information exchange, complex processing and physical buildings of key resources. This is illustrated in figure 3.
Figure 3: Interrelated System of systems as a target structure
Individual key people, human to human relationship and human trust to technology are the weakest links in information intensive System of systems structure. These links are opponent’s main targets.
1. Individual key people has following weaknesses that might be utilised by opponent:
- Human being is egocentric in his thinking. People forget information or avoid to notice facts that do not support the adopted line of thinking or contradicts profound beliefs and values. Most famous example of this was the landing in Normandy, when German leadership was prone to expect landing in Calais, thus kept reserve forces at place too long to be effective.
- People has also tendency to choose the path of least resistance. Information seeking individual uses the most convenient search method. The information seeking behaviour stops as soon as minimally acceptable results are found. People also have tendency to bypass any security control if that is the least effort way.
2. Trust between people is also a fruitful target
- It is hard to build trust between people, who do not know one another and are not working in closeness. Haphazardly organised task force or multinational, multiagency coalition has major challenges to align to one vision and cooperate with units they are not familiar with. This has been a major obstacle in NATO effort to reach Comprehensive Approach in ISAF operation.
- Trust is lost easily in stress and it is impossible to renew in short time. Only shared awareness, persistence in practise and overcome difficulties in exercises may prepare people and their relations for these kind of challenges. Overemphasized unity of command will be one of the first targets for opponent to try to break up.
3. Information is being processed, stored and exchanged in digital format.
- Information systems are so complex today, that it is difficult for individual or one control to define which action is normal (i.e. belongs to white list) and which is anomaly. Military information structure is volatile in time of crises. It needs special measures to be able to define between friendly and hostile.
- Planted data gatherers may be passive and give only weak signs when they are sending captured information to their masters. Worms may change content in databases so incrementally that it does not show in daily queries or periodic reports. Only systematic comparison will reveal changes. The ability to run correlations through masses of information in one hand and high velocity of information in other hand are problem for military security operations.
4. Synchronised processing and presenting functions are special targets
- Conventional multisensory tracking is suppressed by disabling synchronisation at datalink layer.
- Manipulating of network timing will destroy the integrity of inputs and prevent monitoring based on time series analyses.
- Changing the thickness of processor circuit will degrade quality of pseudo-random generator thus weakening encryption algorithms.
- Injecting backdoors to whole fleet of network switches will enable to take down entire transport layer with one trigger signal that gets through perimeter defence. Only thorough testing of all installed devices and strategic distribution of sources will minimize these risks.
Most conventional way to disintegrate System of systems is to destroy them physically. This can be done by using both kinetic, explosive and non-kinetic warheads. A bullet through cable or antenna connection will cut transmission. One ordinary ballistic missile hit within 500 meters (CEP 500 m and warhead 800 kg) from unhardened communications facilities will destroy commercial of the shelf (COTS) devices. High powered electromagnetic pulse generated within couple of hundreds of meters from unshielded datacentre will destroy all integrated circuits. A special operation troop may breach and destroy a target per day and keep this pace up for two weeks behind enemy lines. Taking down general electricity or water distribution may disable whole digital infrastructure when normal backup services run out.
Topology of networked system is one of the main focus when analysing vulnerabilities. The aim is not to destroy all detected targets but those who give best disintegration as depicted in figure 4.
Figure 4: Topology as target
The rational opponent is not taking down targets as they appear in their sights but aim for more valuable attractions. For infantry these valued targets are leaders, antennas, engines, heavy weapon platforms, etc. Opponent is trying to disintegrate networked System of systems to pieces that are no more functional separately. One may think that 10 nodes of distribution and relatively good connectivity is enough to sustain services. If opponent understands the system structure, has means of effect available and can deliver them to targets, only four hits is needed to break the example network apart and most probably prevent service providing. Target list is even smaller if opponent can determine sensitive parts from ICT structure like synchronization hub, network management hub, network operation centres, access directories, home directories, database replication masters or master key managers. The center of gravity in network is not the number of nodes but centralised intelligence, logic and control of system.
A Sense of the Enemy
Empathy is intellectual identification i.e. ability to think like other human being. Sun Tzu said that if you know yourself but not the enemy, for every victory gained you will also suffer a defeat. How does military gain knowledge of its potential opponents in digital environment?The main task of Military Intelligence is to gather information of opponent’s resources, weapons, training, procedures, troops’ spirits and leaders’ behaviour. Intelligence is also gathering information of how opponent operates its forces in real situation. All this information is fused, analysed and used to build a model of opponent’s most probable behaviour in operation. This model is used as a basis for all enemy assessment, a skeleton for their force structure and a basis for anticipating their next movement. This legacy military intelligence process is trying to define the most probable future ‘modi operandi’ of the opponent by collecting large quantity of information from past actions and then projecting it to situation in hand. In physical world major enablers or constraints are troop skills, level of gear, fighting spirit and culture of their leaders. Thus force cannot execute operation that is beyond its unified competence, strength of command and control and culture.
This is not necessary the case when opponent is operating in digitized environment. Troops are rather small teams that can learn quicker and change their method faster than massed forces. There is no direct fear of death involved so troop unity is not important. Even low level organization culture can produce major effects, if there are competent and motivated individuals within teams. Cyber attacking weapons are as good as their users are skilled to build them thus there is a race to harness most potential and motivated individuals to defend their national cyber structure. Only simple spamming, virus producing or Distributed Denial of Service (DDoS) attacks do not require long experience or advanced skills.
One way to understand and possibly anticipate opponent is to assume all the possible actions as he may be able to execute in area of operation. Knowing how to attack is a knowledge base for defensive operations. Thus two-sided exercises (BLUE – RED) in real or near-real structure are imperative. Rotation of personnel between RED and BLUE crews should also be systematic. The other way is to shape the area of operations and design it so that opponent has only limited courses of action to choose. One has to create digital pits, honeypots and obstacles to capture attacker’s behavioural pattern. After pattern recognition one has to seek pattern breaks that might tell about attacker’s weaknesses, intentions or base of force. Exploiting these will give defender an advantage or asymmetric position in confrontation.
A generic list of cyber-attack examples in military digitized environment is presented in Annex 1.
2. TRUST BASED ON MONITORING AND REACTION CAPABILITIES FOR MILITARY ICT SECURITY
Concept of host based security
Military security architecture has been evolving from physical site based structure to domain based and from there to host based security. Since number of interconnected domains became too big, trust relations too long and the size of singular domains reached tens of thousands users, it became evident that perimeter based IT security fortifications were not sufficient. There was something to be done behind high walls of domain perimeters to control security and react when malevolent incidents were detected. This remains of basic military tactics to survey larger space of operation and react with tactically positioned rapid reaction forces to counter any detected insurgency.Host Based Security System , HBSS was created in US DISA originally with McAfee and BAE Systems, who were given the contract to implement first monitor agents to all hosts in network. Hosts that either process data or store it are provided with firewall and application level blocking. After creating these mini fortifications from each host, DISA went to install set of agents or equal function that are installed to hosts and communication nodes to monitor events and produce required surveillance data to be forwarded to Security Operation Centre (SOC). SOC has control over IT Operations change management and configuration management and can quickly change system configuration, when malicious behaviour is detected from information environment as illustrated in figure 5.
Figure 5 an example of Host Based Security concept
As in physical space of operation this creates a continuous competition of measure – countermeasure – counter-countermeasure. This symmetric confrontation is not end state for military operational art but asymmetry is required.
Detection of anomalies
The first basic principle was to define ‘red list’ of known malevolent events that were configured into detectors to give alert when detected. Later the number of possible anomalies become too big to follow and ‘whitelist’ was created to baseline the authorized events in hosts and networks. Everything deviating from ‘whitelist’ was categorized as security incident. Then opponent become more professional and had time to be more persistent – Advanced Persistent Threats, APT . Detecting anomalies was done by comparing existing events either to baseline of authorized behaviour or to vectors of know malevolent attacks. This required capturing more events (Full Packet Capture) and storing them for longer periods (Big Data). Then complex task of correlating different events with time series, graphical presentation or statistical analysis methods was executed. Actual sense making requires highly skilled, motivated and experience individuals, which are expensive to train (min. 5 years) and hard to keep (current hype in cyber defence markets) within military forces. Collecting data for longer periods created a big data problem, which is being solved by virtualized information management and utilizing for example HADOOP data-set processing structure. Some examples of setting threshold are illustrated in following figure 6.Figure 6: Examples of setting threshold to detect different attack vectors
One may define normal baseline, set detection of anything outside of this content, protocol, size, time or user behaviour. One may also assess vulnerabilities after patching and set threshold to detect anything that is trying to exploit the remaining vulnerabilities. One may define normal behaviour between clients, network, application server and database server. Threshold is set to detect any anomaly outside this behaviour. A continuous tuning cycle was created when new threat was introduced, secure design was found by testing, configuration changes of ICT structure was implemented and detection thresholds were reset. This struggle is coming less and less effective to defender since within first quarter 2014 only there was record high 15 million new samples of malware created. More than 160 000 new malicious specimens per day like trojans, worms, viruses and adware are overwhelming any security organization if detection is based on analysed fingerprints of each version.
To meet this velocity and versatility of threat in digital environment, defenders have initiated following measures:
- Ecosystems has been created around detecting malevolent software threats, there are both private and public laboratories that are sharing information of both fingerprints of malware and signatures of attackers.
- National CERT or Cyber Defence Centres have created networks to share information on vulnerabilities, attacks and malevolent tools. European Network and Information Security Agency, ENISA has collected European Union national CERTs to share technical information.
- There are some taxonomy work ongoing between governments and cyber defence industry to help structuring information and sharing it. U.S. Department of Homeland Security sponsored Structured Threat Information eXpression (STIX) and its exchange format TAXII are widely developed and used. ITU-T is promoting their CYBEX standardization work. IETF has two standards called IODEF and RID to support the exchange of information.
- With collected big data one may improve analyses and gain ability to detect more advanced and persistent attack vectors, behavioural anomalies of possible insiders, etc.
- With strategic system management military organization may achieve multilayer approach to malware detection. Desktop based detection is done with one product based for example fingerprints. Server based detection is done with second product also based on fingerprints but independently created from first vendor. Gateway level protection is done with third product, which might be more heuristic based detection. Heuristic may be based for example on run time sandboxing, file and function analyses or virus DNA detection.
Reaction measures
When anomaly is detected, alert is forwarded to SOC, which creates security incident and starts executing countermeasures. Countermeasures include several configuration changes in IT Operations thus the process integration between security and Information Technology Service Management, ITSM is imperative for speed of reaction. Within military Network Operation Centre it is an advantage if security, communications and IT-services operation processes are as integrated as possible to ensure better awareness, quick reaction and integrity of information over all administrators. Thus it is normal that there is only one incident management process for all incidents to get widest awareness and quickest reaction for each incident. Change management is also integrated between ITSM and security operations since any change in ICT structure might also require change in thresholds and white lists. Service support (HelpDesk) is used to deliver information on effects of incident to users to further the recovery with backup services. Figure 7 is depicting this process integration. Reactive approach is further integrated for example by Booz and Co who call their integration as Dynamic Defence Approach to Cybersecurity.Figure 7: Example of Security and ITSM processes integration in military NOC
Proactive measures
Since reactive defence is always weaker than attack, a proactive arm was created. Security engineers are using Sandbox environment (referred as REFNET in figure 7) to maintain small copy of operational ICT system. Within this reference environment engineers are testing vulnerabilities of each ICT component, subsystem and System of systems. Testing includes scanning known vulnerabilities, penetration testing with variety of tools, fuzz testing to find unknown zero-day vulnerabilities and red team attacking against whole System of systems with variety of attack vectors.ICT components are patched and hardened before they are delivered to operations environment (MILNET) by IT Operations change, configuration and release management processes (see figure 7). This ongoing process keeps Operational ICT up-to-date and as sustainable as possible. In ICT systems, there are always known vulnerabilities, which cannot be remedied. To compensate these vulnerabilities, special thresholds could be installed around most vulnerable components to detect any attempts of exploitation as explained in figure 6.
Normally this proactive arm is integrated with risk management or presently in concept of Governance, Risk management and Compliance (GRC) processes. In military environment these processes are amalgamated to operation security processes of 3 branch, military intelligence processes of 2 branch and C5I processes of 6 branch for example in US DoD structure. These processes may present orientation to tactical SOC and NOC processes like:
- Value of assets to current mission by OPSEC
- Information requirements by MI
- Service protection requirements by C4ISR and
- Information Operation tasks by Cyber.
Intelligence in Cyber space
To avoid the syndrome of island defence and to extend information gathering to further area of interest, there is a need for even an isolated intranet defence to be connected to global world of Internet. Internet can host “honey pots”, which lure possible adversaries reconnoitre actions and exploitation attempts. Honey pots are used to capture first-hand attack vectors and malevolent behavioural features as depicted in figure 8.Figure 8: An example of Security Operations Centre information management within Host Based Security
There is also a need to be connected with larger society of cyber experts that continuously monitor malevolent behaviour in networks, collaborate with them and make better sense out of incidents in networks. This is basic intelligence gathering from surrounding environment. There are number of societies that provide both vulnerability information (like CERT or NSA organizations), event data (like McAfee recent threats), attack profiles, vectors and signatures (like CyberISE) and information on attackers themselves (like SLIC threat feed, Arbor Networks, VeriSign iDefense). There is also major laboratories and SOC service companies that provide restricted services (like LocheedMartin, BAE Systems, Thales, Northrop Grumman, IBM, HP, RSA, Nokia, Ericsson). This information is analysed, modelled and transferred to scripts for anomaly detection agents in Operational Environment. Security Information and Event Management (SIEM) is gathering all alerts and events from detection agents and logs, correlating them in near-real-time and presenting picture of possible malevolent events within IT Operations environment. This is typical multisensory information fusion based military surveillance function. Typical challenges are: what is normal and abnormal, are analysts able to detect all malevolent incidents from mass of anomaly events, what if opponent can model the fusion method and can bypass it, what if opponent attacks against monitoring system itself and how to normalize data from different sensors to be able to detect same target?
There are several ways to improve detection probability and minimize effects of overload. So called Business Intelligence and Big Data methods are enabling correlation of information received from different sources.
- One can combine both structured and unstructured data extracted from machine level transactions (like IP packets), actual content (like email writing), context information (like time, role, place), session information (relations between instances), process information (relations between functions). After combining and normalizing one should correlate data to first understand what is normal and then be able to detect abnormality. It requires complex data management to be able to correlate data from relational databases, nonSQL data stores, distributed HADOOP structures and HTML pages even near-real time.
- After data has been retrieved, there comes the most vulnerable phase of data reduction, normalizing and classifying. This is creating the basement for analyses and also the very information opponent might be using against defence if allowed.
- Big Data can be analysed with simple graphical tools at presentation layer that shows distribution of events from several dimensions, amount of events relative to other categories, amount of hits per time, tangents, integrals, curve fits and interpolations.
- Statistical analysis can be done for example over two sets of samples: behavioural data from past and present. While comparing these datasets there is a possibility to detect change and that change can be defined either as anomaly or evolutionary change of normal behaviour.
- Modelling is using some logical language to describe the behaviour of a defended system or offensive system. Modelling enables to play or simulate with different scenarios while changing variables. If model differs from real world, then it becomes master instead of slave like it has happened with financial models . There are several different algorithms and methods that can be used to model a phenomena.
- Predictive analysis is based on assumption that one observed behaviour is similar to another. There are algorithms like recommenders, classifiers and clusters that try to predict future based on probability.
- Clustering like k-means algorithm takes large set of data sets, arranges them with different clustering techniques and shows visual similarities. More advance way is to use several dimensions in cluster model like Bearing Points HyperCube.
- Classifier like k-nearest neighbour algorithm is assigning class to object whose class is unknown. It is imperative to choose k tailored to each environment of data retrieved.
- Recommender algorithm is measuring distances between two data items and recommending based on vicinity. Data objects that are closest to one another tend to have same preferences.
As attacks are coming more advanced and persistent these analysis methods can be utilized to capture unknown attack profiles or detect silent signs of possible scenarios.
While number of hosts increases, their interrelated behaviour evolves faster, transmitted information increases or attacker’s skills improve, host based surveillance will produce more and more data. It will become more challenging to define malevolent events from this big data. This requires very skilled analysts that are committed to improve their skills indefinitely. There is a risk that attacker remains stronger in this confrontation, because he has time and tools in his side. Protected system and surveillance should provide more time to detect and react. To counter this basic military concept of defence in depth has been applied also in cyber space.
Defence in Depth
There is the basic strategy of defence in depth that has been used in military operations and now it is being utilised also in ICT security and cyber defence . One can build depth in multitude ways:- By modelling opponent’s behaviour in particular space of operations, one can detect and prioritize countermeasures according to opponent’s lethality and aims. LocheedMartin defined their Kill Chain concept and published it 2011. Since then and parallel many de facto practises have included similar profiles for advanced threats.
- Information and Communications Technology provide multiple layers that can be utilized wither to tailor detection per layer or create defensive structure on one particular layer. In very basic model one can define four layers of endpoint, access, application and storage. ISO OSI layer structure provide model for both defence and attack in cyber space. There are specific strategies like Moving Target Defense (MTD) by Coronado Group that is using Self-Cleaning Intrusion Tolerant (SCIT) technology.
- Protected system itself provides depth similar to the terrain for Land Component. Skilled defence modifies the structure of their protected system to better enable monitoring and executing of countermeasures. These domains may include surrounding domain that enables to monitor opponent in action. Access domain where all users (both friendly, neutral and unfriendly) are forced to security scrutiny. Presentation domain where all sessions are checked and identities are connected to roles. Process domain defence is tailored to manage the behaviour of transaction and service query. Storage domain is the final line of defence against losing integrity and availability of data. There data may be encrypted both while resting and being processed.
Following picture 9 is illustrating how combining these three depths of attack behaviour, technology and domain structure, defence can achieve a remarkable advantage over any attacker from both inside and outside.
Figure 9: An example of Defence in Depth concept in cyber space
Military cyber defence may have strong perimeter based defence (like Nato mission networks in Kosovo) or face world that interconnected systems are not any more separable (like Future Mission Networks). It is possible to build defensive perimeters inside each other by using both technical layers and domain layers of ICT structure that can be either self-cleaning or agile when implemented with Software Defined Infrastructure or Software Defined Security as defined by VMware salesmen . When this is combined with active intelligence, surveillance and active probing of surrounding domains, one can build agile defence with time to act and provide several means to counter attacks.
Air gap has been one of the most powerful domain perimeters. It is still preventing basic attacks but not advanced attacks that can hop over air gaps using for example traditional data media transfer, injected features or alternative communication means . Air gap is also creating a lot of human based data transfer which might be even more insecure that using well build and controlled cross domain gateway. Although military is using a lot of air gap isolation their security arm should extend their intelligence and surveillance far over these air gap cyber walls. Even Genghis khan’s nomadic force was able to take over well advanced Chinese fortification of Zhongdu (modern Beijing) in 1215.
1 Annex: Threat scenarios
Estimated threat scenarios
With security operation functions implemented protected intrasystem should be able to stand following threat scenarios without availability loss more than 99%, maintain integrity of data with 95% of data asset and prevent higher classified information breaches totally.
Normal malevolent intents and user mistakes
(1) End user brings malevolent software from other sources via memory or some other device with installed programs and information. Either end user connects memory to terminal PC via USB or Bluetooth or end user connects device directly to network. This may cause cases like antivirus failed to clean, excessive scan timeouts from antivirus, scanning or probing during unauthorized time window, anomaly in suspicious activity baselines, anomaly in network baselines, anomaly in application baselines, etc.
(2) End user inputs incorrect data or executes some operation that violates information integrity. This may cause cases like anomaly in network baselines, anomaly in application baselines, anomaly in database query baselines, multiple logins from one location, device out of compliance, etc.
(3) End user downloads information to attached medium/device and takes it away (classical Manning case). This may cause cases like anomaly in suspicious activity baselines, unauthorized user access to confidential data, unauthorized device on the network, etc. Manning case is classical example of this.
(4) Admin installs malevolent program or makes mistake in installation. This may cause cases like excessive traffic on network, process failed to work, service account denied, anomaly in suspicious activity baselines, anomaly in application baselines, logging source stopped logging, etc.
(5) Admin gives important information to outsiders or insiders to utilize in security breach. This may cause cases like logs deleted from source, excessive exploit traffic, excessive traffic inbound (if gateway), anomaly in network traffic baselines, anomaly in application baselines, etc. A Classical social engineering by Mitnick is an example.
(6) Outsider gains access through cross domain gateway and injects programs that either collects data or violates its integrity. This may be seen as SMTP traffic from unauthorized host, excessive http traffic outbound, excessive exploit from single source, etc. A basic advanced persistence threat (APT) is typical example.
Generic opponent in preconflict situation
Before actual conflict opponent is utilizing all time to collect useful information either to capture better understanding of military decision making, force and planned operations or to prepare attack against information assets and services. This information collection is done in utmost secrecy because becoming revealed ignites countermeasures at other lines of operation.
Opponent has long time to prepare and resources in use but secrecy requires utmost clandestine approach. Opponent is also preparing computer network attack against system by installing countermeasures either against data integrity or service availability.
(7) Most cost-effective way would be providing devices with already installed information collection services. These malevolent features are often installed in operation system level, storage-programs or printer/scanner programs because it is within their normal function. Connection outside may be arranged by wireless or utilizing electricity system. Best location for data collection would be in data center, where no one person often recognises all devices or connections. Best way to manage installation would be either via vendor support or paid administrator. This may be seen as anomaly in application baselines, anomaly in SQL baselines, anomaly in network traffic baselines, anomaly in maintenance procedures, caps in logging, underperformance in devices or it will appear in vulnerability or fuzz testing. Classical example is US claims that there is unwanted features in Huawei switches.
(8) Special data collectors may also be installed in system where for example relational database is easily reachable via unmonitored SQL-connection. Data retrieval may be arranged via regular maintenance visit to premises. This may be seen as anomaly in network baselines, anomaly in SQL baselines, changes in database content, anomaly in backup procedures, etc. Data collectors are like network tap or packet analysers .
(9) If information systems have uncontrolled connections outside, a simple data collection software may be utilized. Flame was one of this kind intelligence gathering virus. This may be seen as excessive traffic outbound, service account access to outside, anomaly in network baselines, etc.
(10) Disposed storage mediums are classical data collection targets. It is almost impossible to wipe data out from electromagnetic disk or memory for ever. Collecting used disks, circuits and tapes is very cost-effective. Hard disks of printers tend to be most neglected items when disposed. This may be seen in audits.
(11) Attack preparations are done most effectively by leaving backdoors or installing triggered scripts to devices when they are being delivered to target system. Using these backdoors is another issue. This may be seen as abnormal performance difference, in vulnerability scanning and in reference testing with overload etc.
(12) Network worms and other programmable agents that migrate in networks and operation systems is another cost-effective way to prepare attack. They are easy to install in closed networks by paid end user or visiting maintenance. Triggering is another issue. This may be seen as anomaly in configuration baselines, anomaly in process baselines, anomaly in network baselines, problems in installations, etc. FLAME software is classical example of this.
(13) Preparing and manipulating key administrator of protected system is classical measure. Money and all vices are used to prepare person so that in the brink of attack he/she executes triggering or disables services within admin rights. This may be seen in security surveillance of personnel background, anomaly in social network, anomaly in email traffic, anomaly in physical access, etc. Classical infiltrations like Kim Philby, Ray Mawby or Vilho Pentikainen are examples for this.
(14) Normal user session downloads a malevolent application from Trojan web site. Malevolent application hides itself into MS server structure and starts capturing specific data. After collection is connecting to FTP-server or SMTP-server and sending out coded content in small portions. This may be seen as excessive traffic outbound, service account access to outside, anomaly in network baselines, etc. Spearfishing and waterhole attacks are classical examples.
Generic opponent in the brink of conflict
Just before attack or conflict is the best time to disable information systems or change data content massively. This creates a shock effect through all network users and people trust to information systems or their content is lost for long time. Digitized force may be paralyzed totally since their system of systems is not working any more. This happened example early in both Iraq operations, when centralized air defence system was disconnected as separate sensors and weapons unable to function together. Cyber-attack is also very possible in situation when disabling digitized force opens new possibilities for pressure at political level. Targets are usually amongst most important databases or registries, hubs of trust structures or management system.
(15) A script in ERM-system is triggered by paid admin and gradually changes all HR and Material information. This is seen as excessive DB activity, excessive application load, excessive network traffic, anomaly in storage load, anomaly in back up service, etc.
(16) Information in user registry is changed from root level downwards. This is especially effective in centralized trust structures of Single-Sign-On service. This may be seen as anomaly in any key registry, anomaly in replication procedure, anomaly in PKI service, anomaly in HR registry, etc.
(17) Erasing private keys from PKI root disables all related identification and encryption services. This is seen as denial of PKI service, anomalies in normal encryption services, widely noticed denial of access, etc,
(18) Uploading malevolent code within normal update of programs or even within fingerprint file for virus detection as is told to happen in first Gulf war to US troops. This may be seen as excessive scan timeouts from antivirus, tests in reference environment, etc.
(19) Management system is quite often least protected system since IT professionals do not want to restrict themselves. Disabling monitor system may be done either by emptying configuration items MIB’s or by destroying asset management information in both active and passive databases. Disabling often centralized control servers dismantles network operation center’s ability to do changes in coordination. This may be seen as loss of management connections, anomalies in management system performance, anomalies in management network traffic, excessive management traffic in-band, etc.
(20) As in any sensor system, opponent may also overload security monitors with number of cut’s in IT-systems and utilize this red screen time to do something more lethal in systems. This is seen as multiple alerts coming to both NOC and SOC monitors, electricity cuts, excessive booting activity, etc. A Classical Distributed Denial of Service (DDoS) creates overflow of security alerts. This is also happening in event of major power cut and major node destruction.
No comments:
Post a Comment