1 / 27

A Strategy for Cyber Defense Strategy

A Strategy for Cyber Defense Strategy. John C. Mallery ( jcma@mit.edu ) Computer Science & Artificial Intelligence Laboratory Massachusetts Institute of Technology. 10/4/2014 5:16:58 PM.

rusty
Télécharger la présentation

A Strategy for Cyber Defense Strategy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Strategy for Cyber Defense Strategy John C. Mallery (jcma@mit.edu) Computer Science & Artificial Intelligence Laboratory Massachusetts Institute of Technology 10/4/2014 5:16:58 PM Presentation at the 2010 Workshop on Cyber Security and Global Affairs & Security Confabulation IV, Zurich, July 7-9, 2010.

  2. Message • Decompose the cyber elephant! • Identify attacker business models • Make prioritized architectural moves to disrupt attacker business models • Increase the work factor for attackers • Lower the work factor for defenders • Plan defensive campaigns across life cycles of attack and defense • Disrupt the attacker business model at choke points • Channel the attacker to more defensible attack surfaces • Seize the initiative • Change the game to the advantage of defense • Change the incentive structures -> virtuous cycles • Align security and mission incentives

  3. Threat Actors And Capabilities

  4. Integration of Technical and Economic Perspectives Security Economics analyzes incentives and risks Value Monetization Political Return Value at Risk Threat Actors Attack Vectors Security Engineering defends and attributes

  5. Asymmetries of Cyber Attack and Defense

  6. Laws of Information Assurance • Centralization Risk: Concentration of value attracts better resourced attackers whenever the attacker work factor does not increase faster than the value at risk. • Corollary: Attackers can gain economies of scale through common mode vulnerability (low diversity) • Corollary: Multiplexing functionality on the same platform aggregates the individual threat models • Markowitz’s Law: A minimal complexity system has fewer attack surfaces. • Corollary: Eliminate unnecessary functionality • Gosler’s Law: Architectural change displaces preferred attack points. • Corollary: Move attack points to where they can be best defended. • Architectural Leverage: Effective security can be achieved through synergistic architectural moves targeting attacker work factors • Success is achieved by raising attacker work factor across attack surfaces beyond the resources available to the attacker, or worthy of the target.

  7. Defensive Complexity Analysis • Meta-metric for security focuses on difficulty of tasks an attacker or defender must perform • Work factor is the difficulty of executing tasks • Analogous to computational difficulty in crypto • Extends beyond the technical designs to domain embeddings • Dimensions of work factors • Resources • Computational complexity • Cost • Expertise and Knowledge • Planning, execution and information management • Cognitive difficulty (non-linear planning) • Learning difficulty • Organizational effectiveness/dysfunction • Risk • Uncertainty • Culture • Make technical or policy moves that cumulatively • Impose hard problems on attackers • Facilitate coordinated defense

  8. High Leverage Solutions:Eliminate Whole Classes Of Vulnerability By Design Fixing security vulnerabilities at their source retires an entire attack surface, and its consequences. Tree Descent Is Exponential Leverage means fixing the cause rather than the symptoms. Failure to fix the cause results in multiplicative vulnerabilities and multiplicative impacts on defender work factors. Example: Runtime type checking and array bounds checking eliminates 99% of penetration exploits on COTS operating systems. – Source: Alexander Sotirov (Solved in the 1970s – use it!) Example: Lack of separation in COTs operating systems means one Trojan in the supply chain can subvert downstream products and systems. (See separation kernels) Example: Ubiquitous input validation eliminates code injection attacks (e.g., SQL injection) (see CLIM)

  9. Cyber Security Leverage is highest at base of IT Innovation Hierarchy No Scope Examples Agility Type Flexible, adaptive within frameworks Mainstream 4 “Edge innovation,” leverage of IT infrastructures • Social networking • Use of cloud computing • Digital organizations • Application software • Personal computing, global Interweb Large-scale IT infrastructures • Large-scale E-commerce frameworks • E- financial & payment systems • DoD Global Information Grid • Global network infrastructure • IT capital goods industry Slow, large investments, incremental change Commerce framing ecosystems 3 Core technologies supporting IT infrastructure • Commodity computing technologies • High performance routers • Global Internet protocols & structure • Commodity ICs & storage Low external flexibility due to constraints of other levels 2 Technology base Disruptive foundational technologies • Crypto, computer/network security • Packet-switched networking • Fiber Optics, quantum communication • Computer architecture, PL/OS models • Transistor, VLSI, quantum computing? Intellectually Difficult 1 Scientific basis

  10. Attack/Defense Work Factors atEvery Stage In System Life Cycles  The attacker can choose to attack the weakest surface at the most inopportune time for the defender.  The sophisticated attacker can deploy multi-spectrum techniques in a well-resourced coordinated plan.  The sophisticated attacker can attack anywhere along the supply chain.  The defender must protect all attack surfaces at all times, including those in the supply chain

  11. Attacker Work Factors at Every Stage in the Offensive Life Cycle (days)

  12. Defender Work Factors at Every Stage in The Defensive Life Cycle (years)

  13. Today’s COTs: Even Partial Solutions Can Impact The Attacker Work Factor • Microsoft introduced a series of partial moves against penetration over past 10 years • Penetration is when the attacker gets his first function to run before he escalates privilege • None of MS counter measures are fully effective • Some break existing code and are not turned on • Yet, the impact on the attacker work factor increased the time to develop an exploit from 3 days in the late 1990s to 3 weeks in 2010 • Assumes exploit development (but not packaging) must be done by a single person • Source: Alexander Sotirov, February, 2010 • Still not outside the 4 week patch cycle?

  14. Medium-term (3-5 yrs): Enhancing Power Grid Security • Create secure SCADA cyber infrastructure based on: • Minimal complexity hosts with high assurance • Minimal connectivity overlay networks • Approach • Separation: Build on existing platforms like separation kernels • Safety: Use safe programming languages • Type checking & buffer bounds checking • Correctness: Verify critical code, including compiler • Input Checking: Use comprehensive syntactic input validation • Example: CLIM presentation system • Model Checking: Build semantic model to validate input • Massoud Amin (U. Minn.) claims that 60% of parameter input sets could be checked for safety • Resilience: Build in via strong adaptive capacity • Redundancy: Use physically redundant networking with out of band control • Adapt approach to other critical infrastructures • WF Impact: Major, state of the art security, push the attacks into the supply chain and insiders

  15. Mid-term (3-5 yrs): Prophylactic Networking Strategy (HTTP and SMTP) • Eliminate exploitable vulnerabilities from the network application stack so as to deny botnets and bad actors a vector through which to subvert COTs OSes. • Reimplement the TCP/IP and SSL stacks in a safe language. • Reimplement HTTP and SMTP servers and clients in safe languages. • Provide a competent security model and sandboxing for mobile code (e.g., JavaScript). • Use virtualized COTS OS + app (e.g. word, multimedia code) in a one-shot-then-reset mode to view embedded media or attachments. • Parse and rewrite any media or attachments that are returned to the primary host environment. • Industry knows how to implement these systems • For probably $1B, the HTTP and SMTP range of software could be reimplemented within 2-3 years. • Some legal requirements for “network safety” would incentivize the development and update. • Spear phishing eliminated by design (maybe spam too) • Drive-by Web site attacks eliminated by design • WF Impact: Significant, push attacker on to other penetration vectors, make him do R&D

  16. Long-term (5-10 yrs): Transformational Architectures • Eliminate single point failures leading to collapse of security in: • System architectures (e.g., monolithic privileged kernel) • Crypto (e.g., secret key leakage) • ID management (e.g., insider) • Application architectures • Principles: • Bake in security • Eliminate vulnerabilities by design • Enforce strong fine-grained separation • Factor components • Ground trust in multiple separate ways forcing an attack to compromise all simultaneously • Enhance resilience through adaptive software forcing an attacker to impair all functional variants simultaneously • Raise productivity dramatically based on semi-automatic program synthesis using verified and composable components • WF Impact: Dramatic, over the horizon, push attacks into the supply chain

  17. Work Factor Analysis Can Help Guide Policy Formation • Non-technical architectures have an impact on attacker and defender work factors • International Law: Distinguish attack rising to “armed force” from espionage • Separate exploitation targets from C2 architecturally to enable clear response? • Design component sourcing so that supply chain attacks must compromise multiple branches to succeed. • Eliminate single point supply chain vulnerabilities • Multiply suppliers and randomize component sourcing • Technical architectures interact with policy choices • Isolation: Separate functions across systems so that compromise of a single system does not compromise multiple systems • Costs more money • Self-knowledge: Map systems to build situational awareness of functions at risk to infer attacker goals and business model • Layout systems so they can be used to instrument attacker objectives • Work factors can clarify leverage to help prioritize policy moves

  18. Legal Moves: Black Markets For Cyber Crime • Black markets provide: • Scalable cyber crime • Empower low-end state actors (over 100) • A number of activities may not be illegal! • Target reconnaissance • Attack tools • Cryptographic support • Extend legal system to cover support activities for cyber crime • Outlaw activities without non-criminal applications • Control “dual use” activities with high criminal leverage • WF Impact: Increase work factor by raising legal risk • LE focus on high leverage supply activities • Increase scarcity & price of high leverage ingredients

  19. Legal Moves: Separate Cyber Crime From Terrorists • Terrorist may seek cyber attack capabilities in criminal black markets • Cyber criminals are economic actors • Pursue a business model • Seek to reduce risk to continuity of operations • Make legal moves against transfer of cyber attack data, tools or expertise to terrorist organizations • Raise response to national security level using military and intelligence resources • Institute exceptionally severe penalties, especially for critical infrastructure attacks • Channel activity away from terrorism • Make the risk reward calculus uneconomic • WF Impact: Reinforce incentives against aid to terrorists

  20. Economics: Monetizing Cyber Security & Modernizing the IT Sector • Success: • Market forces spread reasonably high assurance throughout society and continue to innovate (Precedent: 1990s build out of civilian Internet) • Requirements: • Ability to accurately measure and compare system security characteristics • Predictive metrics • Historical data series • Ability of buyers of IT to reliably understand & measure risk • Anticipate and measure threat levels • Estimate losses due to potential cyber attacks • Determine commensurate levels of investment in security • Transformation of the IT technology plane for security and agility • Strongly bias work factors in favor of defender against attacker • Dramatically harden systems • Architect for adaptive resilience and rapid recovery • Radically increase productivity of secure system development, certification, accreditation, and operation • Align security with functionality by making it inherent and largely transparent • Deliver faster development cycles and superior total ownership cost than current generation COTS • Alignment of market incentives for uptake – ultimately next gen COTS • Stratify markets according to assurance needs to provide a learning curve and a path to scale • Phased introduction of safety regulations, liability and meaningful cyber insurance as industry is genuinely able to respond based on transformational technologies • Attenuate rigidities in IT capital goods ecosystem that impede technical evolution

  21. Message • Decompose the cyber elephant! • Identify attacker business models • Make prioritized architectural moves to disrupt attacker business models • Increase the work factor for attackers • Lower the work factor for defenders • Plan defensive campaigns across life cycles of attack and defense • Disrupt the attacker business model at choke points • Channel the attacker to more defensible attack surfaces • Seize the initiative • Change the game to the advantage of defense • Change the incentive structures -> virtuous cycles • Align security and mission incentives

  22. Appendix

  23. Received Notions Of Sustainability • Developmental Economics: Growth based on resources available in sufficient supply in the future • Foreign exchange bottleneck • Environmental degradation • Sustainable development -> appropriate resource usage • Green Technology: Reduced impact on environment (output) and improved utilization of depletable resources (input) • Renewable resources -> sustainability • Clean energy sources to reduce CO2 emissions and climate impact • Efficient resource utilization (inputs & outputs/externalities) • Computational Sustainability: Use of computation to improve resource utilization (e.g., Smart Grid) • Core notion is continuity of dissipative systems • Non-equilibrium thermodynamics (Prigogine) looks at how living systems maintain themselves in the face of entropy via matter energy exchange with their environments • Living System (autopoesis): a network of component producing processes that recreate the network over time

  24. Cyber As A Computational Sustainability Conundrum • Cyber refers to the embedding or integration of computation and communication within human organizations and social systems • Human systems are understood as living systems • Dissipative structures face perpetual challenge of continuity • Must repair internal failures of essential components • Must adapt to changing environments • Usually face intelligent competitors • Cyber impacts continuity • Benefits: Greater adaptive potential through better information and computation • Challenges: Environmental change driven by cyber • Requires internal and external adaptation • Entropy: Cyber attack/exploitation consume resources • Direct impact of lost information or degraded operation • Indirect cost of recovery or investment in cyber security • Social costs of cyber pollution - export of risk, externalities • Cyber sustainability involves: • Designing for reliability to manage complexity • Adapting to changes in the environment, often cyber fueled • Resisting cyber attack and exploitation • Dialectic of computation: benefits come with vulnerabilities

  25. Focus: Cyber Attack/Exploitation • Cyber attack/exploitation undermines organizational autonomy • Computers become disloyal to owners, working against them • Reduced organizational integrity impairs goal seeking behavior and weakens adaptive capacity • Everyday cyber impacts – death by 1000 cuts • Economic: Drag on GNP of cyber crime, recovery, cyber security investment • Innovation: Loss of intellectual property, trade secrets, know-how, plans • National security: Degraded systems, loss of classified information • Potential existential threats via cyber • Industrial espionage: Loss of commercial or national advantage • Economic disruption: Degradation of critical infrastructures • Cyber war: Impairment of national security functions

  26. Attacker Resources Required for Cyber Impacts Low Frequency Low Frequency Cyber War with Peers High Interdiction of Global Communication Major Critical Infrastructure Attacks Impact Interception of Global Communication Cyber Terrorism? Cyber War Moderate Frequency Espionage High Frequency Industrial Espionage Cyber Crime Low Most Cyber Data High Low Attacker Resources

  27. Strategy Decomposition • Cyber technology base • IT capital goods industry • Computers, embedded, mobile • Networking • Telecommunications operators • Identity management & crypto industries • Defense domains • Military & intelligence systems • Defense industrial base • Critical infrastructure • Government systems • Research infrastructure • Supply Chain • Major enterprise • Enterprise • Consumer • International cooperation • Allies • Trading partners • Global

More Related