Cyber awareness
prof dr ir Wim Mees
Royal Military Academy - Dept CISS, Brussels, Belgium
December 2nd, 2014
wmees (rma - ciss) cyber awareness December 2nd, 2014 1 / 41
who are we ?
( figure: organisation chart of the Belgian MOD, from the CHOD down through the DGs and ACOS staffs to the RMA, POL and the CISS department; not reproduced )
outline: are we there yet ?
1 multi-space operational planning
2 (cyber) situation awareness
3 education
4 research
occupy the high ground: on foot
all throughout history, people have been fighting
( image credits: Pieter Brueghel the Elder and [email protected] )
occupy the high ground: ground vehicles
ground mobility was invented, the first tank soon followed
( image credits: Elwood Haynes Museum and Imperial War Museum )
occupy the high ground: airspace
man conquered the air, and used it to fight
( image credits: Library of Congress and Wings Over The Rockies Air and Space Museum )
occupy the high ground: cyberspace
( figure: four dated milestones, October 1969, December 1969, September 1971 and December 1986; images not reproduced )
occupy the high ground: cyberspace
November 1988: Morris worm
March 1999: Melissa virus
January 2003: SQL Slammer worm
( image credits: Boston Museum of Science, sophos.com and Matrix NetSystems )
occupy the high ground: cyberspace
( figures not reproduced; source: Stuxnet 0.5: The Missing Link, Symantec, 26 Feb 2013 )
occupy the high ground: what's next ?
Duqu
Flame(r)/Skywiper
. . .
( Pandora opening her box, James Gillray, 1756-1815 )
occupy the high ground
our objective: coordinated command & control (C2) in a combined joint task force (CJTF)
some additional challenges:
federated mission networks (coalition partners bring in their own networks → integration, trust, security, . . . )
converged mobile tactical networks (data, voice, video combined with mobility, tactical data radios, . . . )
disadvantaged networks (low-bandwidth, high-latency, intermittent links, . . . )
operational planning process (OPP)
( figure: OPP matrix; not reproduced. Planning stages: initiation, orientation, concept development, plan development, plan review. Rows: staff activity, commander's input, brief to commander, produced document, resulting directive. Elements shown: military assessment of options, mission analysis, COA development, plan development, plan review & evaluation; mission analysis brief, COA decision brief, plan decision brief; commander's vision & guidance, commander's planning guidance, plan approval; SOR, CONOPS, OPLAN; initiating directive, (force) activation directive, execution directive )
part 2: (cyber) situation awareness
situation awareness (SA)
The formal definition of SA is
the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.
(Endsley, 1988)
situation awareness (SA)
( figure: model of situation awareness in dynamic decision making (Endsley, 1995): state of the environment → situation awareness (L1, L2, L3) → decide → act, with feedback into the environment; not reproduced )
situation awareness (SA)
level 1: perception of the elements in the environment
level 2: comprehension of the current situation
level 3: projection of future status
(Endsley, 1995)
situation awareness (SA)
( figure (Jones & Endsley, 2000): external cues → perception → comprehension → projection, shaped by the mental model and schema; not reproduced )
situation awareness (SA)
( figure: OODA loop (Boyd, 1987): observe (state of the environment → operational picture) → orient (situation awareness) → decide (plans & orders) → act; not reproduced )
situation awareness (SA)
( figure: the OODA loop set against the data → information → knowledge → wisdom ladder, from volatile to persistent: observe (state of the environment → operational picture), orient (situation awareness), decide / plan (courses of action → plans & orders), act; not reproduced )
situation awareness (SA)
skill based: "without thinking" (fast)
rule based: match system state to a known task (limited cognitive effort → still quite fast)
knowledge based: requires effort and time (slow)
(Rasmussen, 1983)
part 3: education
education: current situation
POL: Ba 180 ECTS, Ma 120 ECTS (of which Ma thesis 27 ECTS)
A modules (18 ECTS each): 3 of 10 to be chosen
B modules (6 ECTS each): 2 of 11 to be chosen
education: current situation
POL: A modules
A1: applied fluid dynamics
A2: applied mechanical systems
A3: military and civil engineering
A4: material sciences
A5: ballistics
A6: weapon systems
A7: global monitoring for security
A8: communication systems
A9: information systems
A10: naval sciences
education: current situation
POL: module A9
TE013: telecommunication networks (6 ECTS)
IN005: operating systems (3 ECTS)
IN013: distributed systems (3 ECTS)
IN012: information security (6 ECTS)
education: current situation
POL: B modules
B1: global navigation systems for civil and military applications
B2: cyber security
B3: helicopter technology
B4: mechanical design
B5: complements in finite elements and numerical modelling
B6: intervention engineering
B7: forensic sciences
B8: non conventional weapons
B9: naval sciences I
B10: aeronautical sciences
B11: naval sciences II
education: current situation
POL: module B2
IN014: computer security incident response (3 ECTS)
MM011: cryptography (3 ECTS)
education: current situation
POL: optimal cyber "specialist" path
( figure: the path through the Ba and Ma programme; not reproduced )
part 4: research
the research pole: with its research units
signal & image centre
image processing
radar signal processing
VIPER
near field electromagnetics
terahertz
RCS and IR signatures
LEMA
hyperspectral imaging
audio signal processing
optical fibers
radio networks
geodesy and GNSS
cyberdefense
the collaboration between inter-department multidisciplinary research units leads to interdisciplinary cross-fertilization
old threats: Internet-facing services as a target
old threats: RMA research on NIDS evasion
( figures: packet generator calibration; NIDS evasion using PCRE loading; not reproduced )
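The slide gives only the title of the work. As an added example, not code from the slides or from the RMA research, the block below assumes that "loading" the PCRE engine refers to the usual mechanism, catastrophic backtracking: a payload that almost matches a rule forces the regex engine through a superlinear number of probes, the sensor falls behind and drops packets, and whatever follows gets through unseen. Real NIDS engines are not instrumentable this way, so a minimal backtracking matcher (Kernighan/Pike style, supporting literals, `.`, `c*` and a leading `^`) is written here with a step counter. The two patterns, the payload generator and the step counts are constructed for the demonstration.

```python
"""Added example: measuring how hard a signature makes a regex engine work.

A tiny backtracking matcher with a step counter. 'a*a*a*b' and 'a*b' accept
exactly the same strings, but a near-miss payload costs the first one a number
of probes that grows as the fourth power of the payload length.
"""


class CountingMatcher:
    """Backtracking matcher that counts every (pattern, text) probe it performs."""

    def __init__(self):
        self.steps = 0

    def search(self, pattern, text):
        """Unanchored match, the way an NIDS content rule is applied to a payload."""
        self.steps = 0
        if pattern.startswith("^"):
            return self._here(pattern[1:], text)
        # Every start offset restarts the whole backtracking search.
        for start in range(len(text) + 1):
            if self._here(pattern, text[start:]):
                return True
        return False

    def _here(self, pat, text):
        self.steps += 1
        if pat == "":
            return True
        if len(pat) > 1 and pat[1] == "*":
            return self._star(pat[0], pat[2:], text)
        if text and (pat[0] == "." or pat[0] == text[0]):
            return self._here(pat[1:], text[1:])
        return False

    def _star(self, c, pat, text):
        # Zero or more c, shortest first; each failure of the rest backtracks here.
        i = 0
        while True:
            if self._here(pat, text[i:]):
                return True
            if i < len(text) and (c == "." or text[i] == c):
                i += 1
            else:
                return False


def cost(pattern, payload):
    """Number of matcher steps spent deciding whether `pattern` matches `payload`."""
    m = CountingMatcher()
    m.search(pattern, payload)
    return m.steps


def evasion_payload(n):
    """Constructed near-miss payload: the signature prefix repeated, never completed."""
    return "a" * n


def demo():
    sloppy, tight = "a*a*a*b", "a*b"          # same language, different price
    hit = evasion_payload(16) + "b"           # a real match is cheap for both
    miss = evasion_payload(16)                # a near miss makes the sloppy rule backtrack
    return {
        "sloppy_hit": cost(sloppy, hit),
        "sloppy_miss": cost(sloppy, miss),
        "tight_miss": cost(tight, miss),
        "sloppy_miss_2x": cost(sloppy, evasion_payload(32)),
    }


if __name__ == "__main__":
    for name, steps in demo().items():
        print(f"{name:>15}: {steps} steps")
```

Doubling the payload roughly multiplies the cost of the sloppy rule by eleven while the tight rule grows a little more than three-fold, which is the asymmetry an attacker exploits: a few kilobytes of crafted traffic buy seconds of sensor CPU. Production engines bound this (Snort, for instance, exposes `pcre_match_limit`), but a rule that hits the limit is treated as a non-match, so the crafted traffic still achieves its evasion; the durable fix is to write signatures that cannot backtrack this way and to test them against near-miss inputs before deployment.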
old threats: RMA research on honeynets
( figure: honeynet deployment, C and S nodes on either side of the Internet; not reproduced )
old threats: RMA research on honeynets
( figure: time series for zombie army ZA10, number of sources per day over roughly days 100 to 220; figure: origin subnets of ZA10 & ZA11 projected onto two dimensions, with the clusters labelled attackers and scanners; not reproduced )
recent threats: client software as a target
recent threats: RMA research on client honeypots
( figure: client honeypot deployment, C and S nodes on either side of the Internet; not reproduced )
current COTS situation: "holistic" solution
( figure: COTS stack of NIDS, IPS and host-side HIDS / EPS / AV, all feeding a SIEM; not reproduced )
current COTS situation: HIDS / EPS / AV
current COTS situation: SIEM
COTS vendors:
  problem: SIEMs suffer from selection bias
  solution: filter late / not at all
next:
  problem: data volume
  solution: data reduction → meta-data
detection:
  rules: again selection bias . . .
  "security analytics": no info on what / how
our solution
intrusion detection: anomaly-based detection
( figure: scatter plot in the (m1, m2) feature plane, axes -3 to 3, with the normal region and the anomalous region outside it; not reproduced )
intrusion detection: signature-based detection
( figure: the same (m1, m2) plane with a signature region marking a known attack; not reproduced )
our solution
bring the human into the loop
( figure: ROC curve, pd versus pfa on [0, 1]; data flows into a multi-agent system that either drops it or raises an alert, with visual analysis in between; not reproduced )
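The three preceding slides are figures only. As an added example, not the RMA system and not code from the slides, the block below works them through in the two-feature space (m1, m2) the plots use: an anomaly-based detector that learns a Gaussian model of normal traffic and flags observations by Mahalanobis distance, a signature-based detector that flags the neighbourhood of a known attack, the pd/pfa pairs obtained by sweeping the anomaly threshold (one point of the ROC curve each), and a three-way drop / review / alert split, which is one reading of the last figure's "drop", "alert" and "visual analysis" labels. The sample data, the cluster positions, the radius and all thresholds are constructed for the demonstration.

```python
"""Added example: anomaly vs signature detection in the (m1, m2) plane, the
pd/pfa trade-off of a threshold, and handing the ambiguous band to a human."""
import math
import random


def fit_gaussian(points):
    """Mean and inverse covariance of 2-D training points assumed to be normal traffic."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in points) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in points) / (n - 1)
    det = sxx * syy - sxy * sxy
    inv = (syy / det, -sxy / det, sxx / det)     # inverse of [[sxx, sxy], [sxy, syy]]
    return (mx, my), inv


def mahalanobis(point, mean, inv):
    """Distance from the normal cloud, in units of its own spread."""
    dx, dy = point[0] - mean[0], point[1] - mean[1]
    a, b, c = inv
    return math.sqrt(a * dx * dx + 2 * b * dx * dy + c * dy * dy)


def anomaly_detector(mean, inv, threshold):
    """Anomaly-based: alert on anything far from what was learned as normal."""
    return lambda p: mahalanobis(p, mean, inv) > threshold


def signature_detector(signatures, radius):
    """Signature-based: alert only near a known attack's footprint in (m1, m2)."""
    return lambda p: any(math.dist(p, s) <= radius for s in signatures)


def roc_point(detector, normal, attacks):
    """(pd, pfa): detection rate on attacks, false-alarm rate on normal traffic."""
    pd = sum(1 for p in attacks if detector(p)) / len(attacks)
    pfa = sum(1 for p in normal if detector(p)) / len(normal)
    return pd, pfa


def roc_curve(mean, inv, normal, attacks, thresholds):
    """Each anomaly threshold gives one (threshold, pd, pfa) point of the ROC curve."""
    return [(t, *roc_point(anomaly_detector(mean, inv, t), normal, attacks))
            for t in thresholds]


def triage(distance, t_drop, t_alert):
    """Assumed reading of the slide: clear cases are dropped or alerted automatically,
    the band in between goes to visual analysis."""
    if distance < t_drop:
        return "drop"
    if distance >= t_alert:
        return "alert"
    return "review"


def make_data(seed=42):
    """Constructed sample: normal traffic around the origin, a known attack hiding
    inside the normal cloud, and a novel attack far outside it."""
    rng = random.Random(seed)
    normal = [(rng.gauss(0, 0.7), rng.gauss(0, 0.7)) for _ in range(200)]
    known = [(0.6 + rng.gauss(0, 0.1), -0.4 + rng.gauss(0, 0.1)) for _ in range(10)]
    novel = [(-3.0 + rng.gauss(0, 0.2), 2.5 + rng.gauss(0, 0.2)) for _ in range(10)]
    return normal, known, novel


def demo():
    normal, known, novel = make_data()
    mean, inv = fit_gaussian(normal)
    anomaly = anomaly_detector(mean, inv, threshold=3.0)
    signature = signature_detector(signatures=[(0.6, -0.4)], radius=0.5)
    borderline = (1.5, -1.0)                      # constructed ambiguous observation
    return {
        "known_caught_by_anomaly": all(anomaly(p) for p in known),
        "known_caught_by_signature": all(signature(p) for p in known),
        "novel_caught_by_anomaly": all(anomaly(p) for p in novel),
        "novel_caught_by_signature": any(signature(p) for p in novel),
        "roc": roc_curve(mean, inv, normal, known + novel, [0.0, 1.0, 2.0, 3.0, 4.0, 10.0]),
        "triage": [triage(mahalanobis(p, mean, inv), 2.0, 3.5)
                   for p in (known[0], borderline, novel[0])],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two detectors fail in opposite ways: the signature misses the novel attack entirely, the anomaly model misses the known attack because it sits where normal traffic sits, and the ROC sweep shows that lowering the anomaly threshold to recover it raises pfa on every normal point at once. The triage split is what lets the operator keep pd high without drowning in that pfa: only the ambiguous band costs analyst time.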
multi-agent system
( figure: high-level design of the detection system: data → several lightweight agents → aggregation → ordered list → trigger → high-resource agent → visual analysis; not reproduced )
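The design exists on the slide only as boxes and arrows. As an added example, not the RMA implementation and not code from the slides, the block below runs one reading of that flow end to end: several cheap agents each score every record on one feature, aggregation turns the scores into an ordered list, and a trigger on that list decides which few records the high-resource agent (assumed here to be payload inspection) may spend its budget on; its output is what reaches visual analysis, everything else is dropped. The record layout, the agents, the "risky ports", the sample records and the thresholds are all constructed for the demonstration.

```python
"""Added example: a multi-agent triage pipeline in the shape of the slide's design,
with cheap agents, aggregation, an ordered list, a trigger and one expensive agent."""
from dataclasses import dataclass, field


@dataclass
class Record:
    src: str
    dst_port: int
    bytes_out: int
    failures: int                      # e.g. failed logins attributed to this source
    payload: bytes = b""
    scores: dict = field(default_factory=dict)


# --- lightweight agents: each looks at one cheap feature and returns a score in [0, 1]
def port_agent(r):
    return 0.8 if r.dst_port in {23, 445, 3389} else 0.0      # constructed "risky ports"


def volume_agent(r):
    return min(r.bytes_out / 1_000_000, 1.0)                  # 1 MB outbound saturates


def failure_agent(r):
    return min(r.failures / 10, 1.0)                          # 10 failures saturate


CHEAP_AGENTS = {"port": port_agent, "volume": volume_agent, "failure": failure_agent}


def aggregate(record, agents=CHEAP_AGENTS):
    """Run every cheap agent, keep the per-agent scores, aggregate by mean."""
    record.scores = {name: fn(record) for name, fn in agents.items()}
    return sum(record.scores.values()) / len(record.scores)


def ordered_list(records, agents=CHEAP_AGENTS):
    """Records ranked by aggregated score, highest first (the slide's ordered list)."""
    scored = [(aggregate(r, agents), r) for r in records]
    return sorted(scored, key=lambda t: t[0], reverse=True)


def deep_inspect(record):
    """The high-resource agent (assumed: payload inspection). Run only when triggered."""
    text = record.payload.decode("latin-1").lower()
    markers = [m for m in ("union select", "/bin/sh", "powershell -enc") if m in text]
    return {"src": record.src, "cheap_scores": record.scores, "markers": markers}


def run_pipeline(records, trigger=0.5, budget=3):
    """ordered list -> trigger -> high-resource agent -> items for visual analysis.
    `budget` caps how many records the expensive agent may process per batch."""
    for_analyst, dropped = [], 0
    for score, rec in ordered_list(records):
        if score >= trigger and len(for_analyst) < budget:
            for_analyst.append({**deep_inspect(rec), "score": round(score, 3)})
        else:
            dropped += 1
    return for_analyst, dropped


# Constructed sample batch: one benign web fetch, one noisy SMB source carrying an
# SQL injection string, one RDP brute-force source, one ordinary large upload.
SAMPLE = [
    Record("10.0.0.5", 443, 20_000, 0, b"GET /index.html"),
    Record("10.0.0.9", 445, 1_500_000, 12, b"x'; UNION SELECT password FROM users--"),
    Record("10.0.0.7", 3389, 5_000, 9, b"login attempt"),
    Record("10.0.0.3", 80, 300_000, 0, b"POST /upload"),
]


if __name__ == "__main__":
    items, dropped = run_pipeline(SAMPLE)
    for item in items:
        print(item)
    print(f"dropped without deep inspection: {dropped}")
```

The cheap agents never see the payload; they only decide who is worth the expensive look, which is how the design keeps the high-resource agent's cost proportional to the trigger and budget rather than to the traffic volume. Tuning those two numbers is the pd/pfa choice of the previous slides made explicit.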
questions or comments ?