Network Mission Assurance - Advanced Technology Laboratories

Network Mission Assurance

Michael F. Junod, Patrick A. Muckelbauer, PhD, Todd C. Hughes, PhD, Julius M. Etzl, and James E. Denny
Lockheed Martin Advanced Technology Laboratories, Camden, NJ 08102
{mjunod,pmuckelb,thughes,jetzl,jdenny}@atl.lmco.com

Abstract

The doctrine of Network Mission Assurance (NMA) evaluates the value of information assurance and the risk of computer threats based upon their impact on the organizational functions supported by the network. The NMA framework consists of four technical functions: Asset Identification, Infrastructure Model and Control, Threat Analysis and Prediction, and Response Coordination. Our research in support of NMA investigates technical solutions for trust-based resource control, reflective and reconfigurable network services, autonomic network defense, and cyber-attack representation. We contend that NMA unifies the purpose and function of separate information assurance programs into a holistic, network-centric solution.

1. Introduction

This document describes the Network Mission Assurance (NMA) doctrine of Lockheed Martin Advanced Technology Laboratories (ATL). The doctrine is used as a guide to focus our information assurance efforts in different research areas, to ensure these efforts can work together in a dynamic distributed network environment, and to effectively leverage and incorporate point security solutions into a robust information assurance architecture.

It is our belief that one cannot simply back-fit existing security point solutions onto existing architectures and expect an improved security infrastructure. In fact, this can result in a less secure architecture that requires a great deal of manual effort in maintenance and monitoring. Point security products (e.g., vulnerability scanners, intrusion detection systems, firewalls) often operate in isolation. In contrast, according to NMA, security solutions should not only be integrated with, but orchestrated among, the components of a network infrastructure.

NMA is a high-level concept that spans a large area of information security and information assurance. In support of this doctrine, ATL is applying its applied research strengths in quality of service (QoS), distributed processing, data fusion, and intelligent agents to the information assurance domain. We believe that research and technologies from many other academic, commercial, and government sources also support the NMA doctrine.

2. Network Mission Assurance Approach

The ability to launch successful cyber attack campaigns is far outpacing the ability to defend against them. A fundamental problem in the information assurance arms race is simply its current scope. Since most security systems focus on relatively atomic attack actions (e.g., port scans, buffer overflows), they have difficulty defending against coordinated attack campaigns. An attack campaign has an overall goal and is composed of many atomic actions over time that must be carefully and successfully carried out to achieve that goal.

The need for rapid assembly of tactical networks exacerbates the difficulty. In a dynamic coalition environment, one does not have the opportunity to perform the vulnerability assessment and red team testing one would on static configurations. Further, one cannot assume that the systems will always provide the same mission-critical functionality. With future reconfigurable systems built on open system architectures, which parts of the system are critical at any given time in the mission becomes a run-time rather than a design-time decision.

The goal of Network Mission Assurance (NMA) is to keep mission-critical systems operational while under cyber attack. This implies the ability to identify critical assets and map them to the operational capabilities they support. It also requires efficient and judicious use of resources, focusing additional resources on threatened assets.

In addition, we believe there is great value in leveraging offensive attack campaign or threat knowledge for better defense. It allows us to explore the full response life cycle through simulation before reflecting any changes onto the infrastructure components.

NMA is intended to work in concert with existing information assurance efforts, which we believe are both necessary and effective. However, we also contend that there must be a higher-level vision that drives requirements, metrics, and capabilities for the transition of new technologies to future operational environments.

3. ATL NMA Research Areas

With these concepts in place, the four main research areas of Lockheed Martin Advanced Technology Laboratories' Network Mission Assurance (NMA) are: (1) Asset Identification, (2) Infrastructure Model and Control, (3) Threat Analysis and Prediction, and (4) Response Coordination. Figure 1 provides a conceptual overview that illustrates the functional relationship between the technology components of the NMA research areas.

Figure 1. Network Mission Assurance conceptual overview
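The loop that Figure 1 sketches, carried through on constructed data as an added example. This is not ATL's code, and none of the names in it (mission phases, asset names, sensor event kinds, response costs and stop probabilities) come from the paper; they are assumptions made for the illustration. It shows the four functions working together: criticality propagated from mission objectives through capabilities to hosts and flows and recomputed per mission phase (Asset Identification), atomic sensor events correlated into a campaign stage with a predicted next stage and projected mission impact (Threat Analysis and Prediction), and a response chosen by maximal expected utility (Response Coordination, in the decision-network style Section 4.3 describes). The infrastructure model is reduced to the criticality dictionary the other functions read.

```python
# ---- 1. Asset Identification -------------------------------------------
# Constructed mission model. Objective weights are given per mission phase so
# that asset criticality is recomputed at run time when the phase changes.
MISSION_PHASES = {
    "ingress": {"isr_overwatch": 1.0, "logistics_reporting": 0.3},
    "resupply": {"isr_overwatch": 0.4, "logistics_reporting": 0.9},
}
# Two levels of abstraction: objective -> capability -> hosts and flows.
OBJECTIVE_NEEDS = {"isr_overwatch": ["uav_video_feed"], "logistics_reporting": ["supply_db"]}
CAPABILITY_ASSETS = {
    "uav_video_feed": ["gcs-host", "video-relay", "flow:udp/5004"],
    "supply_db": ["db-host", "flow:tcp/5432"],
}

def asset_criticality(phase):
    """Propagate objective weights down to assets. An asset serving several
    objectives takes the maximum: it is as critical as whatever depends on it most."""
    crit = {}
    for objective, weight in MISSION_PHASES[phase].items():
        for capability in OBJECTIVE_NEEDS[objective]:
            for asset in CAPABILITY_ASSETS[capability]:
                crit[asset] = max(crit.get(asset, 0.0), weight)
    return crit

# ---- 3. Threat Analysis and Prediction ---------------------------------
# Campaign stages, the atomic sensor event kinds that indicate each, and the
# belief that a campaign at that stage succeeds if left unopposed (constructed).
STAGES = ["recon", "exploit", "control"]
KIND_TO_STAGE = {"port_scan": 0, "buffer_overflow": 1, "c2_beacon": 2}
STAGE_TO_BELIEF = [0.2, 0.6, 0.9]

def correlate(events):
    """Correlation: group atomic events (target, source, kind) by source into
    campaigns, keeping the furthest stage reached and every asset touched."""
    campaigns = {}
    for target, source, kind in events:
        c = campaigns.setdefault(source, {"stage": 0, "targets": set()})
        c["stage"] = max(c["stage"], KIND_TO_STAGE[kind])
        c["targets"].add(target)
    return campaigns

def predict_next_stage(campaign):
    """Prediction: the adversary's next move is the following campaign stage."""
    return STAGES[min(campaign["stage"] + 1, len(STAGES) - 1)]

def project_impact(campaign, crit):
    """Projection: mission value at risk is the criticality of the assets the
    campaign has touched."""
    return sum(crit.get(asset, 0.0) for asset in campaign["targets"])

# ---- 4. Response Coordination ------------------------------------------
# 'cost' is mission value lost by taking the action (a blocked source may be
# legitimate); 'stop' is the probability the action ends the campaign.
RESPONSES = {
    "monitor_only": {"cost": 0.0, "stop": 0.0},
    "rate_limit_source": {"cost": 0.05, "stop": 0.6},
    "block_source": {"cost": 0.2, "stop": 0.95},
}

def expected_utility(response, campaign, crit):
    """Negative expected mission loss: the campaign succeeds with probability
    belief * (1 - stop) and then costs the value at risk; the response's own
    cost is paid regardless."""
    p = STAGE_TO_BELIEF[campaign["stage"]]
    return -(p * (1.0 - response["stop"]) * project_impact(campaign, crit) + response["cost"])

def choose_response(campaign, crit):
    """Decision: the response with maximal expected utility."""
    return max(RESPONSES, key=lambda name: expected_utility(RESPONSES[name], campaign, crit))

def nma_cycle(events, phase):
    """One pass of the Figure 1 loop: identify, correlate, predict, project,
    respond. Returns a plan keyed by attacking source."""
    crit = asset_criticality(phase)
    return {
        source: {
            "stage": STAGES[campaign["stage"]],
            "next": predict_next_stage(campaign),
            "value_at_risk": round(project_impact(campaign, crit), 3),
            "response": choose_response(campaign, crit),
        }
        for source, campaign in correlate(events).items()
    }

# Constructed IDS-style events: (target asset, source address, atomic action).
SAMPLE_EVENTS = [
    ("gcs-host", "10.9.8.7", "port_scan"),
    ("video-relay", "10.9.8.7", "port_scan"),
    ("gcs-host", "10.9.8.7", "buffer_overflow"),
    ("db-host", "198.51.100.5", "port_scan"),
]

if __name__ == "__main__":
    for phase in MISSION_PHASES:
        print(phase, nma_cycle(SAMPLE_EVENTS, phase))
```

The buffer overflow against the video-feed hosts is answered with block_source in both phases, because the value at risk is high relative to the cost of blocking. The lone port scan against db-host gets monitor_only during the ingress phase but rate_limit_source during resupply, when the supply database carries more mission weight: the criticality that drives the response is a run-time quantity, which is the point Section 2 makes about reconfigurable systems.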

3.1 Asset Identification

The functions of asset identification are to identify critical mission objectives dynamically and continuously and to map, possibly through multiple levels of abstraction, the criticality of mission objectives to low-level infrastructure assets. For example, in mission terms it might be important to identify at the high level a critical unmanned autonomous vehicle (UAV) video feed. In system terms, this video feed would map at the low level to network flows, ports, and processes on hosts in the operational equipment.

While others have recognized the need for critical asset identification, we believe there is a need to make this process continuous and dynamic, and we have outlined an approach for realizing this process. In addition, we have identified how to integrate the results of critical asset identification with other security components of a distributed system. For example, results from critical asset identification can enable more effective reactive and proactive responses by protecting the assets most relevant to mission success, and provide a valuable discriminator for resource allocation.

3.2 Infrastructure Model and Control

We believe that infrastructure models for information assurance must satisfy two important conditions. First, they must represent the state of the infrastructure in a manner that allows a system to reason about itself. Second, changes made to the model must be actuated in the infrastructure itself. The models we have in mind are, therefore, reflective. Specifically, the reflective infrastructure provides a representation of the infrastructure that maintains infrastructure state and critical asset analysis; threat history, analysis, and projection; and responses and their status.

Changes to the model, however, need not be reflected immediately into the actual infrastructure but may instead be treated as a hypothetical state. This supports the ability to reason over proposed changes using simulation before actuating the changes back onto the infrastructure components.

3.3 Threat Analysis and Prediction

Current network security measures are designed to make it more difficult for attackers to penetrate the boundary of an infrastructure. However, if an adversary succeeds in penetrating this line of defense while eluding detection, very little stands in the way of total compromise of the infrastructure. There is a good reason this model is so pervasive: sealing an infrastructure against a potential adversary, for all its complexity, is far less complicated than recognizing and analyzing the attack of an actual adversary.

Threat Analysis and Prediction research seeks to reduce this complexity by looking at three types of necessary tasks. First, systems must correlate events occurring throughout the infrastructure and deduce correctly that they constitute threat actions by an adversary. Second, systems must predict what the adversary is likely to do next. Third, systems must project the impact of the adversary's trajectory on infrastructure assets, in particular the assets critical to mission success.

These functions are crucial for planning and implementing an effective response to an attack campaign. Performing these tasks in less time than attackers perform their own tasks is particularly difficult now that so many attacks are heavily scripted and distributed. We believe that automation in these areas is crucial. Threat Analysis and Prediction research is necessary to fill this current gap in infrastructure security.

3.4 Response Coordination

Information assurance decisions have probabilistic and interdependent effects upon an organization's operations. The complexity of these decisions can overwhelm human operators in large infrastructures. Thus, timely response for infrastructure defense necessitates automated response coordination.

Response Coordination seeks to enable automated threat response decision making. It integrates with components for threat analysis and network control through infrastructure models. We believe decision-theoretic concepts such as belief, action, and utility map well to infrastructure defense concepts such as threat, control, and mission. These mappings can be leveraged to reason about effective responses, even in conditions of uncertainty.

4. ATL Work in Support of NMA

This section provides brief overviews of the specific areas of research that Advanced Technology Laboratories (ATL) is pursuing to support Network Mission Assurance (NMA). Our goal is to provide mission assurance by ensuring survivability of high-value assets and continued operation of critical infrastructure components.

4.1 Dynamic Trust-based Resources

Cooperation and sharing of resources on a network requires some degree of trust between the entities involved. In current systems, this degree of trust manifests itself through static configuration of authentication and access control mechanisms that determine trust levels and map them to access rights. This approach requires a great deal of planning and effort. As the time provided to organize collaborative computer infrastructures decreases and their interactions become more complex, it is increasingly unlikely that the proper degree of trust can be determined at system configuration time. Clearly this is the case for self-organizing, autonomous systems where cooperating entities may not even be known at configuration time.

Current solutions, in and of themselves, are too rigid, require too much human intervention, and are inadequate for managing resources among rapidly assembling, dynamic, active network components. What is needed in such cases is a dynamic, adaptive determination of trust that is integrated with resource allocation mechanisms, so that as trust in an entity degrades, so does its access to resources. Such trust-based resource allocation mechanisms are necessary to limit and ultimately completely restrict the disruptive behavior of an entity and ensure fault tolerance.

The goal of Dynamic Trust-based Resources (DyTR), which ATL is currently developing under the DARPA Fault Tolerant Networks program, is to go beyond traditional authentication-based approaches to trust and build systems where the trustworthiness of entities adapts over time based on system events. DyTR provides an adaptive trust-assessment methodology that allocates resources dynamically according to an initial level of credentials, continually assesses trust, and adaptively reallocates resources in accordance with changes in perceived trust. DyTR will tightly couple this continually assessed trust with low-level resource-allocation mechanisms to ensure that requesting processes are trusted and, thus, permitted to use system resources. If a requesting process exhibits suspicious behavior, DyTR will degrade its level of trust for that process and subsequently reduce that process's access to system resources, so that other critical resources can continue to operate and fault-tolerant behavior is achieved.

4.2 ATL's Next Generation Infrastructure

ATL's Next Generation Infrastructure (ANGI) project has developed technology for building systems that can be deployed in increasingly dynamic, distributed, and open environments. This includes an integrated set of services for dynamic system modeling as well as for system QoS. ANGI is a library of tools and executable services for developing and deploying distributed objects. Among these services are model sharing and sensor mechanisms that allow systems to discover and monitor their own configuration and environment.

We have also developed for ANGI a rich set of QoS controls for classifying and shaping traffic flows, which provide the foundation for managing and securing the shared network infrastructure and, in particular, for protecting a system against distributed denial of service attacks. The QoS controls are superior to traditional firewall filters because they provide a wider and more fine-grained range of influence. They also provide an end-to-end solution, allowing greater latitude over where to place the controls. This allows confinement of potentially malicious flows through limits and priorities, and protection of the critical flows that are necessary to mission success.

4.3 Decision Network Technology

Decision networks (also known as influence diagrams) use a graph structure to represent dependencies between possible decisions and uncertain beliefs, and associate utility (value or cost) with some of those actions and beliefs. It is a probabilistic reasoning technique that extends the concepts of Bayesian networks and decision trees. ATL is applying this technique to information assurance by evaluating sensor findings and specific threat alerts in a model of potential responses and their impact upon network services and assets. The decision network then selects the action with maximal expected utility, which factors certainty and priority in a holistic manner for mission assurance.

The primary challenge of this research is to identify and incorporate a technology for response selection that provides mission assurance under the inherent uncertainty and incompleteness of data and control in large infrastructures.

4.4 Distributed Autonomic Response Coordinator

ATL is developing a prototype Distributed Autonomic Response Coordinator (DARC) that uses the ANGI framework as the foundation to deploy and manage distributed sensor information, and ANGI's dynamic QoS capabilities as response mechanisms. The DARC prototype uses existing intrusion detection and vulnerability assessment products as sensors.

We intend to apply decision network logic to develop autonomic responses to more devastating and more rapid cyber attacks. The challenge is to develop an autonomic response mechanism that can understand an attack campaign and determine the best response in a dynamic environment, given the uncertainty of intrusion detection and vulnerability assessment sensor information. The aim is to provide mission assurance in the presence of an attack.

The goal of DARC is to provide a distributed, autonomic response capable of detecting, adapting, and collaboratively responding to cyber attacks. It will enable the coordination and monitoring of start-to-end responses against single- and multi-node attacks.

4.5 Cyber Attack Workstation

In keeping with our belief that leveraging offensive attack campaign knowledge makes for better defense, ATL has also developed a prototype Cyber Attack Workstation (CAW). The CAW provides a pluggable API and GUI for adding, integrating, and executing cyber reconnaissance and attack scripts. The interface generates a map of the network as reconnaissance information is gathered, which allows the user to target specific hosts with particular vulnerabilities. The interface also allows users to select the level of risk they are willing to accept, and the CAW adjusts the parameters of attacks accordingly.

Future versions of the CAW will automatically and dynamically formulate and execute cyber offensive attack campaigns that meet mission objectives and constraints. The CAW will determine the appropriate steps of the campaign based on the intent of the user and the risks the user is willing to accept. The long-term goal is to incorporate the attack-campaign understanding and decision-model logic developed for DARC in order to produce more sophisticated offensive attack campaigns.

4.6 Attacker Capability Ontology

A key enabler of ATL's future work in information assurance is the formal representation of, and reasoning about, cyber attack data. Two important aspects of this domain we have attempted to capture are: (1) the relationship between software vulnerabilities and the capabilities that attackers gain by exploiting them on actual systems, and (2) the relationships among these capabilities. For this effort we have developed the Attacker Capability Ontology.

The Attacker Capability Ontology is implemented in both Resource Description Framework Schema (RDFS) and DARPA Agent Markup Language (DAML). It has also been integrated with the ICAT Vulnerability Metabase (http://icat.nist.gov/icat.cfm), meaning that capability attributions have been assigned to the vulnerabilities listed in that database. This formal representation will allow advanced reasoning for correlating, predicting, and projecting attacks.

5. Future Work

ATL continues its research and development in information assurance in each of the projects described above, using the NMA doctrine as a guide. As NMA technology matures, we seek to deploy it in information assurance products as well as to transfer the results of our research into the broader information assurance community.

Acknowledgements

Defense Advanced Research Projects Agency/Air Force Rome Laboratory, contract number F30602-02-C-0109.

References

NMA Home Page: http://www.atl.external.lmco.com/projects/ia/
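The capability reasoning that Section 4.6 describes, with the correlate, predict and project tasks of Section 3.3 run over it, as an added example on constructed data. This is not ATL's Attacker Capability Ontology (which is expressed in RDFS and DAML and bound to ICAT entries) and not ATL's code; the vulnerability and capability names, the requires/grants/subsumes predicates, and the per-host inventory are placeholders invented for the illustration. The data is kept as RDF-style subject-predicate-object triples so that the two relationships the paper names, vulnerability to capability gained and capability to capability, stay visible in the code.

```python
# Constructed mini-ontology as (subject, predicate, object) triples.
#   requires: the capability an adversary must already hold to use an exploit
#   grants:   the capability gained by exploiting the vulnerability
#   subsumes: a stronger capability implies a weaker one
TRIPLES = [
    ("vuln:remote-overflow-svc", "requires", "cap:network-access"),
    ("vuln:remote-overflow-svc", "grants",   "cap:exec-user"),
    ("vuln:default-admin-creds", "requires", "cap:network-access"),
    ("vuln:default-admin-creds", "grants",   "cap:read-data"),
    ("vuln:local-privesc",       "requires", "cap:exec-user"),
    ("vuln:local-privesc",       "grants",   "cap:exec-root"),
    ("cap:exec-root", "subsumes", "cap:exec-user"),
    ("cap:exec-root", "subsumes", "cap:modify-config"),
    ("cap:exec-user", "subsumes", "cap:read-data"),
]

# Constructed inventory: which vulnerabilities each host actually carries.
HOST_VULNS = {
    "gcs-host": {"vuln:remote-overflow-svc", "vuln:local-privesc"},
    "db-host": {"vuln:default-admin-creds"},
}

def index(triples):
    """(subject, predicate) -> set of objects, for cheap lookups."""
    idx = {}
    for s, p, o in triples:
        idx.setdefault((s, p), set()).add(o)
    return idx

IDX = index(TRIPLES)

def closure(held):
    """Capabilities implied by `held` through 'subsumes' alone (no new exploits)."""
    out, frontier = set(held), list(held)
    while frontier:
        for weaker in IDX.get((frontier.pop(), "subsumes"), ()):
            if weaker not in out:
                out.add(weaker)
                frontier.append(weaker)
    return out

def attribute(held, observed_vuln):
    """Correlation: an alert naming an exploited vulnerability becomes a belief
    about what the adversary now holds."""
    return closure(held | IDX.get((observed_vuln, "grants"), set()))

def exploitable(host, held):
    """Prediction: vulnerabilities on `host` whose prerequisites the adversary
    meets and whose gain is not already implied by what it holds."""
    have = closure(held)
    return sorted(
        v for v in HOST_VULNS[host]
        if IDX.get((v, "requires"), set()) <= have
        and not IDX.get((v, "grants"), set()) <= have
    )

def project(host, held):
    """Projection: chain predicted exploits until nothing new is gained.
    Returns the final capability set and the vulnerabilities used, in order."""
    have, path = closure(held), []
    while True:
        steps = exploitable(host, have)
        if not steps:
            return have, path
        path.append(steps[0])  # lowest name first keeps the run deterministic
        have = closure(have | IDX[(steps[0], "grants")])

if __name__ == "__main__":
    start = {"cap:network-access"}  # remote, unauthenticated adversary
    after = attribute(start, "vuln:remote-overflow-svc")
    print("held after overflow:", sorted(after))
    print("predicted next on gcs-host:", exploitable("gcs-host", after))
    print("projection on gcs-host:", project("gcs-host", start))
    print("projection on db-host:", project("db-host", start))
```

After an alert for the overflow on gcs-host, exploitable() predicts only the local privilege escalation: the overflow itself is pruned because exec-user is already held. project() carries that prediction to its fixpoint, reaching exec-root (and, through subsumes, modify-config) on gcs-host but never on db-host, whose only vulnerability yields read-data. The trajectory and the assets it can reach are what the third task of Section 3.3 compares against the critical-asset map.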