CRW’10 2010: NETWORK MANEUVER COMMANDER – Resilient Cyber Defense
Paul Beraud, Alen Cruz, Suzanne Hassell, Juan Sandoval, Jeffrey J Wiley
November 15th, 2010
Copyright © 2010 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.
Page 2 05/08/23
Agenda
Introduction
– Overview on the project and topic
Discussion
– Hacking process, cyber defense goals, and decision framework
– Analysis framework, NMC architecture, and network collection points
Metrics
– Development and collection of cyber dynamic defense metrics
Results
– Research results from demonstration of Network Maneuver Commander
Conclusion
– Recommendations, conclusions, and future work
Questions
Introduction
Goals of Resilient Active Cyber Defense
Increase cost to the attacker
Increase the uncertainty that the attack was successful
Increase chance of detection and attribution
Minimize the magnitude of the attacker’s effect, survive
Network Maneuver Commander supports these goals through
artificial diversity, randomization, non-persistence and
deception.
Research History
Network Maneuver Commander (NMC)
– Internal research project funded by Raytheon Company, started in March 2009
– Goals:
  Develop a prototype cyber command and control (C2) system that maneuvers network-based elements preemptively
  Develop performance metrics to evaluate cyber dynamic defense solutions
Cyber Defense
– Conventionally, cyber defense employs defense in depth, concentrated on perimeter protection and patching known attack vectors at each layer
– NMC’s maneuvering capability enhances each of the defense layers by introducing artificial diversity of components (hardware, operating systems, etc.)
Project Provides Cyber Dynamic Defense and Metrics to Evaluate this Class of Techniques
Network Maneuver Commander
Characterizing Cyber Attacks
The Hacking Process
– Footprint: identify network addresses
– Scan: identify hosts, operating systems, services
– Enumerate: identify accounts and shares
– Gain Access: attempt access to host
– Escalate Privileges: gain control of host
– Pilfer: search and retrieve data
Randomized Decision Framework
Decision Framework Enables the NMC to maneuver elements
Parameters:
– Diversity
– Move interval
– Geographic destination
Discussion
Analysis Framework
– Force-on-force simulation
– Each attack is treated independently
– Statistics on attacks and defenses are aggregated for resulting metrics
NMC Architecture
– Collection of loosely coupled services
– Orchestrated via Enterprise Service Bus
– Generic plug-in framework to support new applications
Network Collection Points
– Capture of metrics through:
  Extension of existing tools
  Mining data already collected
Metrics
Basis for many metrics is time
– Used to measure an attack’s progress
– Used to quantify the cost to the attacker
Metric calculations defined include
– Percent of successful attacks
– Percent of partially successful attacks
– Mean number of attack disruptions
– Time spent per phase
– Duration of successful attack
– Defensive efficiency
– Defense factor
Metrics collection in the network
– Defined possible methods and tools
Metrics Evaluate Pro-Active Dynamic Defense Methods
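As an added illustration (not code from the presentation or from Raytheon's NMC), the following Python sketch follows the analysis framework and metrics slides above: each attack is run independently through the six hacking-process phases against a network that maneuvers at a fixed move interval, and the per-attack statistics are aggregated into the time-based metrics listed on this slide. The phase durations, the attacker's time budget, the rule that a maneuver resets an in-progress attack to the footprint phase, and the reading of "partial success" as host access gained without pilfering are all constructed assumptions of this example.

```python
"""Constructed force-on-force simulation: independent attacks vs. a maneuvering network."""
import random
from collections import Counter

# The six hacking-process phases from the deck, in attack order.
PHASES = ["footprint", "scan", "enumerate", "gain_access", "escalate", "pilfer"]

def simulate_attack(rng, move_interval, budget, phase_time=(1.0, 0.5)):
    """Run one attack; move_interval = 0 models a static network.
    Assumption (not from the slides): a maneuver invalidates the attacker's
    reconnaissance, so progress falls back to the footprint phase.
    Returns (outcome, disruptions, elapsed_time, time_per_phase)."""
    t, phase, disruptions, next_move = 0.0, 0, 0, move_interval
    time_per_phase, (mean, spread) = Counter(), phase_time
    while True:
        dur = rng.uniform(mean - spread, mean + spread)  # effort for this phase
        if t + dur > budget:                        # attacker's time budget exhausted
            time_per_phase[PHASES[phase]] += budget - t
            break
        if move_interval and t + dur >= next_move:  # maneuver fires mid-phase
            time_per_phase[PHASES[phase]] += next_move - t
            t, next_move = next_move, next_move + move_interval
            phase, disruptions = 0, disruptions + 1
            continue
        time_per_phase[PHASES[phase]] += dur
        t, phase = t + dur, phase + 1
        if phase == len(PHASES):                    # pilfer completed
            return "success", disruptions, t, time_per_phase
    # Partial success (assumption): host access gained but no data pilfered.
    outcome = "partial" if phase > PHASES.index("gain_access") else "failed"
    return outcome, disruptions, budget, time_per_phase

def aggregate(n_attacks, move_interval, budget, seed=7):
    """Aggregate independent attack runs into the deck's metrics."""
    rng = random.Random(seed)
    outcomes, disruptions, durations = Counter(), [], []
    for _ in range(n_attacks):
        outcome, d, elapsed, _ = simulate_attack(rng, move_interval, budget)
        outcomes[outcome] += 1
        disruptions.append(d)
        if outcome == "success":
            durations.append(elapsed)
    return {
        "pct_success": 100.0 * outcomes["success"] / n_attacks,
        "pct_partial": 100.0 * outcomes["partial"] / n_attacks,
        "mean_disruptions": sum(disruptions) / n_attacks,
        "mean_success_duration": sum(durations) / len(durations) if durations else None,
    }
```

Calling aggregate(200, interval, budget=12.0) over a range of move intervals gives the success-rate and attacker-cost curve against maneuver frequency that the results and conclusion slides describe.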
Results
Demonstration included
– Movement of resources across:
  Platforms
  Virtual partitions
  Physical locations
  Hypervisor vendors
– Deployment and maneuvering of:
  Data
  Applications
  Network addresses
Results captured on a variety of simulated scenarios
Varying network sizes, defense factor, threat profile, etc.
Displayed the Effectiveness of NMC Using the Newly Defined Metrics
Conclusion
Based on simulations and testing with real applications
– Maneuvering, artificial diversity and cleansing provide:
  Improved intrusion tolerance - lower percentage of attacks were successful
  Increased cost to attackers - more resources expended
  Optimal maneuver frequency: 2X time of attack on static network
Metrics allow for characterization of NMC and other cyber defense systems
– Can be used to find optimal configuration of defenses for given threats
Raytheon Continues Research in Area, Exploring Candidate Algorithms and Technologies
Challenges
– Technologies not designed to support resiliency
– Coordination difficult (interfaces)
– Visualization/Operational
– Metrics
– Vendor Licensing Models
Questions?