Where the Wild Things Are: The Most Difficult Problems for Incident Response
Tom Longstaff, JHU/APL
(Story and images based on “Where the Wild Things Are” by Maurice Sendak)

What’s the Point?
• Our stovepipe policies are designed to monitor and control our adversaries
• We think we own and control our infrastructures
• Technology has created a cyber ecosystem that cannot be directly controlled
• Our main problems in CSIRTs must be addressed in this context

L. Northrop, P. Feiler, R. P. Gabriel, J. Goodenough, R. Linger, T. Longstaff, R. Kazman, M. Klein, D. Schmidt, K. Sullivan, and K. Wallnau, Ultra-Large-Scale Systems: The Software Challenge of the Future. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.

The Johns Hopkins Applied Physics Laboratory
The core purpose of APL is to enhance the security of the nation through the application of science and technology.
APL is firmly committed to space science and technology and other challenging areas that are synergistic with our core purpose.
The Lab also supports the University in areas that are important to JHU’s other missions.

Cast
THE NIGHT MAX WORE HIS WOLF SUIT AND MADE MISCHIEF OF ONE KIND AND ANOTHER.
Criminals, Terrorists, State-Like, Conflicting ideologies, NGOs
• All exert influence
• Each believes they are right and have a right to use the technology

Developing The Threat Model
• Successive levels of refinement
• Upward and downward information flow
• Processes (emergent and otherwise) that transform one level into the next

Heritage Style Viewgraphs

1998 Howard-Longstaff Incident Taxonomy
Columns: Attackers → Tradecraft → Vulnerability → Action → Target → Result → Objectives

2010 layering over the same columns: an Event (Observed) is an Action against a Target; an Attack (Tactical) adds the Tradecraft, the Vulnerability and the Result; an Incident (Strategic Adversary Model) adds the Attackers and their Objectives.

Entries shown in the 2010 diagram. The column layout did not survive extraction; each entry is listed under the column it occupies in the 1998 taxonomy where that is unambiguous, otherwise under the most plausible column:
• Attackers: Nation State, Spies, Criminal Networks, Cyber Militia, Mercenaries, Hacker Collectives, Vandals
• Tradecraft: Deep Penetration, Positioning, Supply Chain Access, Under Protocols, Stealth, User Manipulation, Multiple Accts, Mis-direction, Infrastructure control, Social exploitation, Hardware privs, Cloud nets
• Vulnerability: User Behavior, 0 Day Code Errors, CIP Vulnerabilities
• Action: Spoof, Modify, Bypass, Read, Re-route, Copy, Re-play, Deny, Probe, Scan, Flood
• Target: DIB, Executives, Vendors, Cloud, Data, Service, Network, Computer, Component, Process, Account
• Result (Threat Impact): Exfiltration, Control, Corruption, Access, Deletion, Denial, Theft
• Objectives: National Military, Political Gain, Financial Gain, Strategic Advantage, Tactical Advantage, National Objectives, Military Objectives, Industrial Espionage, Damage, Challenge/thrill

Our Current Mindset
(Diagram: Us, Them, The Internet)

HIS MOTHER CALLED HIM "WILD THING!” AND MAX SAID: "I'LL EAT YOU UP!!” SO HE WAS SENT TO BED WITHOUT EATING ANYTHING.

So What’s Wrong?
• Collapsing under
 – Increasing traffic
 – Hidden activity
 – Social networking
 – Multiple languages
 – …
• And…
• That’s not where the action really is!

2011 Data from International Corporations
The same seven columns (Attacker, Tradecraft, Vulnerability, Action, Target, Result, Objective), populated from 2011 incident data from international corporations. The column layout did not survive extraction; entries are listed under the column they fit:
• Attacker: Hacktivist, Local competitor, Nation-state, Insider / opportunist, Criminal gang, Disgruntled administrator, Organized crime, Unidentified foreign power, Former employee
• Tradecraft: Timebomb, Spear phishing, Remote control, Generic hacking tools, Social engineering, Zero day, Privilege escalation, Drive-by download, Torpig, Masquerade, Got job – gain trust, Infiltrate, Infiltration, Reconnaissance, Internet reconnaissance, Google hacking, Malware, Infrastructure control, SQL injection, Exfiltration tools, Ion cannon, Credential sniffing, Key logging, E-mail sniffing, Brute force entry
• Vulnerability: Excessive access, Open export (soft & hard copy), Lack of egress control, User behavior, User manipulation, Lack of physical security, Lack of detection controls, Lack of segmentation, Outdated technology, Unpatched systems, Organizational vulnerabilities, No input validation, Network vulnerability, Network vulnerabilities, Trust, Lack of endpoint controls, Well known exploits, Split tunnels, Publishing role-specific information
• Action: Spoof, Reroute, Copy, Control, Read, Destroy, Probe, Scan, Bypass, Flood, Deny, Export, Clear-up, Cover tracks, Install, Delete
• Target: Ports, IP addresses, MAC address, Wintel systems, Web server, People, Social networks, Contacts, Bid data, Classified information, Customer data, Keys, Credentials, Bank account, Payment system
• Result: Theft, Data loss, Monetary loss, Deny, Identity fraud, Reputational damage, Lawsuits, Shareholder action, Regulatory investigation
• Objective: Financial gain, Political protest, Intellectual property, Strategic advantage, Industrial espionage, Mayhem, Bragging rights, Devalue brand, Damage economy

A Better Representation
• Us, them, and everyone else are mixed in an amoeba soup
 – Ownership?
 – Control?
 – Governance?
 – Threat?

THAT VERY NIGHT IN MAX'S ROOM A FOREST GREW, AND GREW, AND GREW UNTIL THE CEILING HUNG WITH VINES AND THE WALLS BECAME THE WORLD ALL AROUND AND AN OCEAN TUMBLED BY

“Big Rock” Problems in Operations
• An analysis of collected R&D requirements identified several pervasive problems in applying technologies to operations
 – Enrichment
 – Confidence in the Data and Analysis
 – Interoperability and Use of Standards
• These are common themes in both R&D and technology acquisition for cyber operations
• These are inter-related problems that are difficult to address in isolation

We’re all in this (mess) together
…WITH A PRIVATE BOAT FOR MAX. AND HE SAILED OFF THROUGH NIGHT AND DAY AND IN AND OUT OF WEEKS AND ALMOST OVER A YEAR TO WHERE THE WILD THINGS ARE!
(Diagram: Us, Them, Everyone else)

AND WHEN HE CAME TO THE PLACE WHERE THE WILD THINGS ARE THEY ROARED THEIR TERRIBLE ROARS! AND GNASHED THEIR TERRIBLE TEETH AND ROLLED THEIR TERRIBLE EYES! AND SHOWED THEIR TERRIBLE CLAWS!

Parts are Parts
(Diagram: Web, Mail, Cloud, Other Stuff)

Who Controls this Infrastructure?
Home Users, International Corporations, IETF, Law Enforcement, Criminals, International Agreements, IT/Telecom, IT Vendors, Financial Guards, Research And Education, Military
Everyone?

Environmental Factors: Metabolomics for CyberSpace

Be Still!
• The power of influence
 – Control is an illusion: both for our system and theirs
 – Policy, training, incentives, deterrence, and deception are all examples of influence
 – We have no science of cyber influence
TILL MAX SAID: "BE STILL!" AND TAMED THEM WITH THE MAGIC TRICK OF STARING INTO ALL THEIR YELLOW EYES WITHOUT BLINKING ONCE

Image by Gary Lucus http://www.garylucas.com/www/rvw/Wild_Rumpus_Press_2_1000.jpg

AND THEY WERE FRIGHTENED AND CALLED HIM THE MOST WILD THING OF ALL!! AND MADE HIM KING OF ALL WILD THINGS. "AND NOW, LET THE WILD RUMPUS START!!

• Actions prompt reactions
• Both attack and defense actions create unintended consequences
• Holistic analysis with partial information is hard!
• Interdependencies at all levels of abstraction lead to emergent behaviors


Data Enrichment
• Operational decisions must often be made upon speculative information
• To support decision making, speculative data is annotated with known information from other sources, both speculative (imperfect confidence) and non-speculative
• This constitutes a challenging problem
 – Context of input data may not match, or match imperfectly
 – Data formats from different tools and different systems must be consumed seamlessly
 – Level of abstraction is necessarily different in different systems, and from various data sources, and must be reconciled
• Data Enrichment allows an analyst to more accurately establish the confidence level of speculative information by automatically presenting related information and evidence in an organized fashion
• A more accurate and justifiable confidence level allows more informed decisions on how to act on data which is speculative, or from a source which is untrusted

Confidence and Security
• Although establishing heightened confidence levels in our tools and data does not itself result in security, it is nevertheless a critical requirement which is pervasive across all technical areas
 – What is the confidence that our models are correct? Sensors? Damage assessment (both offensive and defensive)?
• Establishing a justifiable confidence level in collected data, derived data, and analytics is necessary to make an informed decision
• To add to the challenge, the confidence level of individual components (and the confidence level of results when combining components and data) must be presentable in a form which is easy for an operator or analyst to understand at a glance
• As an analyst uses the tools and adds their own confidence analysis to automated calculations, that information is fed back into the system as a new input, and is included in subsequent analysis
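The enrichment and confidence problems on the two slides above (context that matches only imperfectly, formats and abstraction levels that differ, a combined confidence that can be read at a glance, and analyst judgement fed back in as input) in a small worked form. This is an added example, not code from the talk or from APL. The threat feed, the vendor allowlist, the asset inventory, the IDS alert, the odds-multiplication rule and the label thresholds are all constructed assumptions for the illustration:

```python
"""Enrich a speculative event with evidence carrying explicit confidence.

Added example, not code from the talk.  Sources differ in key (IP vs CIDR),
scale (0-100 vs 0-1) and time format (ISO 8601 vs epoch seconds); every
annotation states its confidence, the combination is shown at a glance, and
an analyst verdict is fed back in as one more annotation.  All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

THREAT_FEED = {  # constructed; keyed by IP, score 0-100, last_seen in epoch seconds
    "203.0.113.7": {"category": "c2", "score": 85, "last_seen": 1299146400}}
VENDOR_ALLOWLIST = {"203.0.113.7": "ExampleVendor external monitoring probe"}  # constructed
ASSET_INVENTORY = [  # constructed; network-level context, not host-level
    {"cidr": "10.20.0.0/16", "role": "payment-system", "criticality": "high"}]


@dataclass
class Annotation:
    source: str                         # provenance
    claim: str                          # what the source asserts
    confidence: float                   # the source's confidence in its claim
    supports_malicious: Optional[bool]  # True/False = evidence, None = context only

    def __post_init__(self):
        self.confidence = min(max(self.confidence, 0.01), 0.99)  # never certain; odds stay finite


@dataclass
class EnrichedEvent:
    event: dict
    annotations: list = field(default_factory=list)

    def combined_confidence(self) -> float:
        """Multiply odds (naive-Bayes style).  Assumption: independent sources and
        1:1 prior odds, so a single source yields exactly its own confidence.
        Supporting evidence multiplies odds by c/(1-c), contradicting by (1-c)/c."""
        odds = 1.0
        for a in self.annotations:
            if a.supports_malicious is None:
                continue  # context only
            ratio = a.confidence / (1.0 - a.confidence)
            odds *= ratio if a.supports_malicious else 1.0 / ratio
        return odds / (1.0 + odds)

    def label(self) -> str:
        """At-a-glance verdict (thresholds are an assumption of the example)."""
        c = self.combined_confidence()
        return "HIGH" if c >= 0.8 else "MEDIUM" if c >= 0.4 else "LOW"

    def disagreements(self) -> list:
        """Expose sources that point in opposite directions instead of averaging them away."""
        pro = [a.source for a in self.annotations if a.supports_malicious is True]
        con = [a.source for a in self.annotations if a.supports_malicious is False]
        return [(p, c) for p in pro for c in con]


def feed_confidence(score: int, last_seen: datetime, event_time: datetime,
                    max_age: timedelta = timedelta(days=30)) -> float:
    """Map a 0-100 feed score onto 0-1; halve it when the sighting is stale
    relative to the event (the context matches only imperfectly)."""
    conf = score / 100.0
    return conf * 0.5 if event_time - last_seen > max_age else conf


def enrich(event: dict) -> EnrichedEvent:
    enriched = EnrichedEvent(event)
    event_time = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    hit = THREAT_FEED.get(event["src"])
    if hit:
        seen = datetime.fromtimestamp(hit["last_seen"], tz=timezone.utc)
        enriched.annotations.append(Annotation(
            "threat-feed", f"src listed as {hit['category']}",
            feed_confidence(hit["score"], seen, event_time), True))
    reason = VENDOR_ALLOWLIST.get(event["src"])
    if reason:  # allowlists age badly, so only modest confidence
        enriched.annotations.append(Annotation("vendor-allowlist", reason, 0.6, False))
    dst = ip_address(event["dst"])
    for asset in ASSET_INVENTORY:
        if dst in ip_network(asset["cidr"]):  # CIDR-level context applied to a host event
            enriched.annotations.append(Annotation(
                "asset-inventory", f"dst is {asset['role']} ({asset['criticality']})", 0.7, None))
    return enriched


def record_analyst_verdict(enriched: EnrichedEvent, analyst: str,
                           malicious: bool, confidence: float) -> EnrichedEvent:
    """Analyst judgement re-enters the pipeline as a new annotation."""
    enriched.annotations.append(
        Annotation(f"analyst:{analyst}", "manual triage verdict", confidence, malicious))
    return enriched


SAMPLE_EVENT = {"ts": "2011-03-04T10:15:00Z", "src": "203.0.113.7",  # constructed alert
                "dst": "10.20.4.12", "sig": "periodic TLS beacon"}
```

Calling `enrich(SAMPLE_EVENT)` yields a MEDIUM verdict, and `disagreements()` names the threat feed and the vendor allowlist as the sources in conflict, so the operator sees the disagreement instead of an average that hides it. `record_analyst_verdict(e, "alice", True, 0.9)` then moves the same record to HIGH through the same path as any automated source, which is the feedback loop the slide describes; the confidence clamp in `Annotation` is what keeps one over-confident source from silencing all the others.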

Enrichment + Confidence = Actionable Predictive Data
• Enrichment and justifiable confidence allows decision makers to make better, more informed decisions on how to act on predictive data
• This is the same problem a stock market investor faces every day
 – Bombarded with data from multiple sources, possibly conflicting, and of uncertain confidence and trustworthiness/origin
 – Before risking money, an individual investor wants the best information possible, and some way of establishing confidence in both its truth and predictive power
• For defense analysts, the stakes are even higher
 – Solving these problems can save lives

Interoperability and Standards
• Modular solutions needed in a rapidly changing environment
 – Static, vertical solutions are obsolete before they are deployed
 – Rapid plug-and-play modular solutions can be constructed as the response needs change
 – Most available solutions do not support rapid integration; they require extensive integration work
 – This is both easy and hard…

Standards
• Use of open data exchange and storage standards supports a dynamic integration model
• Proprietary protocols, internal non-standard data formats, closed user interfaces, and incompatible execution environments are common in our currently available solutions
• The vertical business model for security solutions at all levels of abstraction is the problem
• “My product can read your data format” and “you can write a script to extract the information you need” are not valid solutions as they do not really integrate the functions of the technology

Even Harder Problems
• Syntactic versus semantic interoperability
 – Maintain the meaning during data exchange
 – Resolving and exposing disagreement between analytical results
• Multiple data streams
 – Handling different time scales, data types, different levels of confidence
• Multiple levels of abstraction
 – From data to information to knowledge to shared understanding
 – Individual to network scales
• Privacy protection
 – Some modules will strip PII creating a downstream impact
 – These must be mitigated while maintaining policy-based separation
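A worked illustration of the Standards and Even Harder Problems slides above: syntactic versus semantic interoperability, different time scales, disagreement between analytical results that is exposed rather than averaged away, and a PII-stripping module whose downstream impact is mitigated while policy-based separation is kept. This is an added example, not code from the talk or from APL. The two tool formats, the severity bucket edges, the 60-second correlation window, the key and the keyed-pseudonym approach are assumptions of the example, and the CEF parser handles only the constructed line (real CEF has escaping rules it ignores):

```python
"""Syntactic vs semantic interoperability, and PII stripping without losing correlation.

Added example, not code from the talk.  Two tools report one event in different
syntaxes (a CEF-style line and a JSON record) with different severity scales and
time formats.  Records are normalised to one schema, severities are mapped onto a
shared ordinal with the disagreement exposed rather than averaged, and a privacy
module replaces the user name with a keyed pseudonym.  All inputs are constructed.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

SEVERITY = {"low": 1, "medium": 2, "high": 3}  # shared ordinal both tools map onto


def sev_from_cef(n: int) -> str:
    """CEF severity is 0-10; these bucket edges are an assumption of the example."""
    return "low" if n <= 3 else "medium" if n <= 6 else "high"


def parse_cef(line: str) -> dict:
    """Syntactic layer for CEF: 7 pipe-separated header fields, then key=value
    extensions (values here contain no spaces; real CEF escaping is not handled)."""
    parts = line.split("|", 7)
    header, kv = parts[:7], dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {"tool": header[1], "severity": sev_from_cef(int(header[6])),
            "time": datetime.fromtimestamp(int(kv["rt"]) / 1000, tz=timezone.utc),  # ms epoch
            "src": kv["src"], "dst": kv["dst"], "user": kv.get("suser")}


def parse_json(text: str) -> dict:
    """Syntactic layer for the second tool's JSON (field names are constructed)."""
    rec = json.loads(text)
    return {"tool": rec["tool"], "severity": rec["severity"].lower(),
            "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            "src": rec["source_ip"], "dst": rec["destination"], "user": rec.get("user")}


def correlate(records: list, window_s: int = 60) -> list:
    """Semantic layer: records with the same src/dst within window_s describe one
    event.  Severity is not averaged; every tool's verdict is kept and a flag says
    whether they disagreed.  The window is an assumption."""
    groups = []
    for r in sorted(records, key=lambda r: r["time"]):
        for g in groups:
            if (g["src"], g["dst"]) == (r["src"], r["dst"]) and \
                    abs((r["time"] - g["time"]).total_seconds()) <= window_s:
                g["severity_by_tool"][r["tool"]] = r["severity"]
                break
        else:
            groups.append({"time": r["time"], "src": r["src"], "dst": r["dst"],
                           "user": r["user"], "severity_by_tool": {r["tool"]: r["severity"]}})
    for g in groups:
        levels = {SEVERITY[s] for s in g["severity_by_tool"].values()}
        g["severity"] = max(levels)      # act on the worst case ...
        g["disputed"] = len(levels) > 1  # ... but say that the tools disagreed
    return groups


def pseudonymise(groups: list, key: bytes, domain: str) -> list:
    """Privacy module: drop the user name, keep HMAC(key, domain:user) as a stable
    pseudonym.  Downstream can still correlate 'same user'; re-identification needs
    the key, which stays with the policy domain; another domain tag is unlinkable."""
    out = []
    for g in groups:
        g = dict(g)
        if g.get("user"):
            tag = hmac.new(key, f"{domain}:{g['user']}".encode(), hashlib.sha256).hexdigest()
            g["user"] = f"pseud:{tag[:16]}"
        out.append(g)
    return out


# Constructed inputs: one event as seen by two tools, 30 seconds apart.
CEF_LINE = ("CEF:0|ExampleIDS|sensor|1.0|100|Outbound beacon|4|"
            "rt=1299233700000 src=10.20.4.12 dst=203.0.113.7 suser=jdoe")
JSON_LINE = json.dumps({"tool": "ExampleEDR", "time": "2011-03-04T10:15:30Z",
                        "severity": "High", "source_ip": "10.20.4.12",
                        "destination": "203.0.113.7", "user": "jdoe"})
DEMO_KEY = b"constructed-key-held-by-the-owning-domain"


def run_pipeline(lines: list, key: bytes = DEMO_KEY, domain: str = "corp") -> list:
    records = [parse_cef(ln) if ln.startswith("CEF:") else parse_json(ln) for ln in lines]
    return pseudonymise(correlate(records), key, domain)


if __name__ == "__main__":
    for g in run_pipeline([CEF_LINE, JSON_LINE]):
        print(g["time"].isoformat(), g["user"], g["severity_by_tool"],
              "DISPUTED" if g["disputed"] else "")
```

Parsing is the easy, syntactic half; the semantic half is deciding that a CEF severity of 4 and a JSON "High" describe the same event and do not agree, and carrying both verdicts forward with a `disputed` flag instead of a silent average. The pseudonym is HMAC(key, domain:user): downstream modules get a stable handle for "the same user" and can still count, group and alert on it, re-identification needs the key, which stays with the domain that owns the policy, and a different domain tag yields an unlinkable pseudonym, which is the policy-based separation the slide asks to maintain.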

Where do we go from here?
• “Data Finds Data”
• Analytics to study the amoeba
• Feedback loop for influence
• Study the science of influence for cyber!
• Implications for education are profound

NOW, STOP!” AND SENT THE WILD THINGS OFF TO BED WITHOUT THEIR SUPPER....AND MAX THE KING OF ALL WILD THINGS, SAID: "I'M LONELY!” AND WANTED TO BE WHERE SOMEONE LOVED HIM BEST OF ALL

MAX STEPPED INTO HIS PRIVATE BOAT AND WAVED GOOD-BYE AND SAILED BACK ALMOST OVER A YEAR AND IN AND OUT OF WEEKS AND THROUGH A DAY AND INTO THE NIGHT OF MY OWN ROOM WHERE HE FOUND HIS SUPPER WAITING FOR HIM …

… AND IT WAS STILL HOT!