Cyber Security for Command and Control Systems - SIGE
Transcript
Cyber Security for C2 Systems
SIGE XVII, 30 September 2015
Per M. Gustavsson, PhD, Principal Research Scientist, [email protected]
© 2015 Per M. Gustavsson, SIGE XVII, Sao José dos Campos

THE SOCIAL CONTRACT
Members in a state give up some of their rights for protection. (From Wikipedia)

C4I(SR) SYSTEMS INCLUDE
- People: individuals, organizations
- Process: standard procedures, information flows, decision rights
- Infrastructure: communications gear, computers, sensors, data
Good system design must have a balanced consideration of all these dimensions!

ART OF WAR
Know yourself ...

READINESS
Design, organisation.
Input: education & training, tasks, systems, equipment, supplies.
Output: capability & readiness.

COMMAND AND CONTROL
Versatile, maturity, complexity (cope with change).
After NATO Network Enabled Capabilities; Hayes et al., Focus and Convergence (2008); Per Gustavsson 2010.

DECISION MAKING PROCESS
Situation, object, sensing, observation; WARNO, OPORD.

COLLABORATIVE DECISION MAKING
Situation, object, sensing, observation; initial order, intermediate order, intermediate order, completed order.

Planning, C2 and Operational Maturity, after Alberts & Hayes (2007).

COMMAND AND CONTROL (operational level)

CYBER
Threats:
- Purposeful: cyber war, terrorism, intelligence/espionage, crime, hacktivism, hackers & crackers
- Accidental: personnel, natural causes, misconfigurations
Security domains: cyber defence, security, resilience, information assurance, information security.
Levels:
- Strategic (national, organizational): prescriptive; policies, planning, education, training
- Operational (organizational): predictive, pro-active; respond, mitigate, recover; planning, course of action analysis
- Tactical (individual, organizational): reactive, pro-active; respond; maneuvers, actions, mission rehearsal
Infrastructure: telecommunications systems, connected computing devices, stored information, applications, transmitted data, services.

CYBER STRATEGY OPERATIONS (operational level)
Options, from invisible to high visibility:
- Absorb (invisible)
- Deny objectives (response)
- Deny objectives and impose cost (low visibility, proportional)
- Deny objectives, impose cost and deter further attacks
- Divert, disrupt, destroy (high visibility)

Recap: C4I(SR) systems include people, process and infrastructure; good system design must balance all these dimensions.

THE C2 CHALLENGE
Partial system listing: GBS, BFT/FBCB2, TAIS, AFATDS, ISYSCON v4, SKL, Warlock, DCGS-A, DCGS-L, SIPR, NIPR, VOIP, DTSS, BCS3, ADAM Cell, Command Post, CPOF, EPLRS, TACSAT, AN/PRC-150C, MCS, IDM-T, Smart-T, 117G, JNN, IMETS, GCCS-A, BCCS, ACT-E, A2C2S, CSS VSAT; enablers: displays, shelters & ECUs, ASIP SINCGARS, MC OTM, generators.

SYSTEM ARCHITECTURE: FINAL DEMONSTRATION

INFORMATION CENTRIC INTEGRATION
Separate application, interface (protocol) and information from each other.
- The structure of a database is defined in an object model file.
- Transformation between two object models is defined in an object model transformation file.
- The connectivity project file defines the combination of drivers, object models and object model transformations.
Diagram: Object Model 1 <-> Transformation <-> Common Object Model <-> Transformation <-> Object Model 2, each object model held by a Datamanager (memory), with Connectivity Drivers for <Protocol 1> and <Protocol 2> at the edges.
Reference: RTO-MP-MSG-076 #14, 2010-09-17, Per M. Gustavsson.

MULTILEVEL SECURITY BY INFORMATION CENTRIC INTEGRATION
Diagram: Information Zone 1 Object Model -> T(x) -> Information Exchange Object Model -> (Connectivity Driver SSL over IPSec, network) -> Information Exchange Object Model -> T(x) -> Information Zone 2 Object Model; within each zone a Connectivity Driver RTPS over IP connects the Datamanagers.
An Information Exchange Object Model only contains information that is to be exchanged. Sieves and filters (data diode) allow and prohibit information to leave and enter.
Reference: RTO-MP-MSG-076 #14, 2010-09-17, Per M. Gustavsson.

CENTRAL DEFENCE
Abandoned 1900.

Meeting new technology with old methods often gives old results.

EMERGING TECHNOLOGY TRENDS 2014
IoT, autonomous vehicles, big data, critical infrastructure, privacy (integritet), smart robots, quantum, cloud.

HYPE CYCLE (after Gartner 2008-2014)
Expectations plotted over visibility, with the phases: often no usable products exist; producers of the technology shake out or fail; success stories and scores of failures; how the technology can benefit the enterprise starts to crystallize (2nd-3rd generation); mainstream adoption starts to take off.

Cloud Computing, 2008-2014
Own, IaaS, PaaS, SaaS, each shown as the stack client / software / platform / infrastructure. You will not transfer the responsibility.

Internet of Things, 2011-2014
Gadgets are used in other ways than they were built for: security challenges.

Autonomous Vehicles, 2012-2014
AV 2012, AV 2013, MR 2013, AV 2014, SR 2014 (AV: autonomous vehicles, SR: smart robots, MR: mobile robots).

AUTONOMOUS SYSTEMS AND CYBER SECURITY
Subsystems: HET COM, ADS-B, mission plan, video, radar, IR, GPS, IMU, magnetometer, pitot system, EW, control systems, application logic, guidance, navigation, control, communication, C2.
Threat categories:
- Control system: preventing the CPU/HW from working as intended (buffer overflow, system resets, malicious code, HW modifications).
- Application logic: incorrect data (manipulation of sensors, system status data, navigation data, C2).
- Communication: breaking into communication protocols and from there gaining access.
- Hardware attack: access to the physical system.
- Communication attack: via communication or support systems.
- Sensor spoofing: false data.

Quantum Computers, 2011-2014 (hype cycle; photo © 2005 Roy Kaltschmidt)

QUANTUM AND CYBER SECURITY
Quantum computers calculate faster. Quantum crypto provides better key distribution. (D-Wave Systems Inc.)
Vadim Makarov, Lars Lydersen: Eavesdropping Quantum Crypto Key Distribution, 2010.

Recap: C4I(SR) systems include people, process and infrastructure; good system design must balance all these dimensions.

ABOUT THE SPEAKER
Per M. Gustavsson, PhD, CIAO, CMSP
- Principal Research Scientist @ Combitech (since 2013), cyber and information security expert
- Principal Research Scientist @ Swedish National Defence College, Command and Control Science, focusing on the effectiveness of using digital C2 systems (since 2013)
- Principal Research Scientist @ George Mason University, VA, Center of Excellence in C4 (since 2007)
- Co-Chair IEEE/SISO (2006-2014), C2SIM interoperability: Coalition Battle Management Language (C-BML) 2014, Military Scenario Definition Language (MSDL) 2008
- SAAB 2006-2013; Ericsson Microwave Systems 1998-2006; 2nd Lieutenant, Swedish Armed Forces 1986-1991

CYBER ATTACK STATISTICS
http://hackmageddon.com
http://hackmageddon.com/category/security/cyber-attacks-statistics/
January 2015.

RECENT INCIDENTS (2015)
- 10 February: Newsweek, Twitter
- 14 February 2015: Al Ittihad, UAE
- 23 February 2015: MOD, Chile
- 8-9 April 2015: TV5Monde, France. APT28 / Pawn Storm; phishing; malware in the computers since January.

EUROPEAN UNION
6000 km from Brussels. EU Headline Goal 2003, 2010.

THE WORLD
The world is as it used to be, but it looks different.
We're helpful. We are curious by nature. (© wikipedia)

Recap: C4I(SR) systems include people, process and infrastructure.

GOVERNANCE
History of architecture frameworks for information systems:
- Zachman Framework (1980s)
- C4ISR Architecture Framework (1990s)
- The Open Group Architecture Framework (TOGAF) (mid-1990s)
- DoD Architecture Framework (DoDAF) (2000s): C4ISR Architecture Framework -> DoDAF 1.0 -> DoDAF 2.0, with Operational View, Systems View, Technical Standards View, Service View and Capability View.

ZACHMAN ARCHITECTURE FRAMEWORK
Source: The Zachman Framework for Enterprise Architecture.

DETERMINING THE ARCHITECTURE MODEL
Contextual, conceptual, logical, physical, component and operational security architecture.
Architecture is a high-level description of a system: intended use, scope, characteristics to be captured, organization of data for designing a system.
Reference: Enterprise Security Architecture – A Business-Driven

INFORMATION SECURITY REQUIREMENTS
- Functional requirements: for defining the security behavior of the IT product or system. Example, SC-3 Security Function Isolation: the information system isolates security functions from non-security functions.
- Assurance requirements: for establishing confidence that the security function will perform as intended. Example: VLAN technology shall be created to partition the network into multiple mission-specific security domains; the integrity of the internetworking architecture shall be preserved by the access control list (ACL).

MANAGED SECURITY SERVICES
Core services:
- MSS operations: log management, network security, application security, (D)DoS mitigation, operations of security components
- Monitoring: intrusion, compliance, client-specific rules, KPI
- Analysis: intelligence, threat levels, trends
Add-on services:
- Pre-studies and design: requirements analysis, architecture, Incident Response Team (IRT), log management, continuity planning (BCM)
- Recurring proactive activities: practice and education, vulnerability scans, system hardening
- Response services: crisis management, management and support in incident management, technical analysis and forensics

REFERENCE MONITOR
A reference monitor is an abstract machine that mediates all accesses to objects by subjects. The reference monitor concept is implemented by a reference validation mechanism, a system composed of hardware, firmware, and software.
Diagram: a subject sends an access request to the reference monitor (reference validation mechanism), which applies the security policy (certification and enforcement rules), passes permitted accesses on to the objects, and writes log information to the access log.
Reference: DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (TCSEC), December 26, 1985.

SECURITY PRODUCT AREAS
Team mail, SharePoint, disk, file shredder, sign, HIPS and firewall, application control, network access control, cyber, wireless security, device control, content encryption, antivirus, antispyware, tactical.
Images from Combitech, Airbus, FOI, GMU, ITA, SAAB.

APT-SA: A CYBER SECURITY SITUATIONAL AWARENESS FRAMEWORK TO TRACK AND PROJECT MULTISTAGE CYBER ATTACKS

INTRODUCTION/BACKGROUND
Targeted attacks are formed around the activities of selecting targets and then launching attacks on those selected aims. At a highly sponsored level they take the shape of multi-year intrusion campaigns with well-resourced and managed operations; such threat actors are known as Advanced Persistent Threats (APT). APTs usually perform multistage attacks (Vries et al. 2012): at each stage the attackers gain a certain level of privilege that lets them start the next stage, and they proceed in this way until they attain the final goal.
A Security Operations Center (SOC) has as its utmost goal to timely detect, respond to, protect from, restore and mitigate the effects of cyber-attacks. To enable cyber defenders to react to events more efficiently, a SOC needs to be able to project the opponent's next moves and intentions. This requires large-scale data collection and analysis capability while obtaining Cyber Situational Awareness (CSA). The approach described in this study combines the use of Attack Trees and the Intrusion Kill Chain to model the behavior of advanced multistage attacks against layered security architectures, while collecting and mining large amounts of event log data using Apache Hadoop and its related projects.

FRAMEWORK
This research framework has the following components:

Layered security architecture model. The security architecture structures the system to be protected in a series of layers of privilege levels. The rationale is to position the most valued assets inside the internal layers of the architecture; thus, to access those assets, a multistage attack (at least one stage to bypass each layer) should be expected from the intruder.

Privilege level ring | Prevention devices | Detection devices | Assets
External ring | Firewall, external host ACL | NIDS, HIDS at external host | External host files, management team credentials
Internal ring | Firewall, internal host ACL | NIDS, HIDS at internal host | Security server files, firewall ACL, internal host files, admin credential

Defenders can rely on a model with such phases to describe how attackers achieve their goals (Hutchins et al. 2011).

Intrusion Management System (IMS). The IMS provides rapid processing of large amounts of log data (structured or unstructured logs in text files) from different sources, collected over a long time frame (1-2 years or more).
This system is adopted from our previous research (Bhatt, Yano 2013) and helps in searching out malicious kill chain patterns in huge amounts of logs, using Apache Hadoop and its related technologies for collecting, managing and storing the log data.

Multistage attack model. In our proposal, multistage attacks are modelled using attack trees. The final goal of an attack is the privilege level required to access a desired asset. Attack tree for the layered architecture: management team credential -> external ring host access -> firewall ACL -> internal host access -> security file server admin credential. For modelling the stages of each intrusion we adopted the Intrusion Kill Chain Model, which consists of seven phases that an attacker must follow to carry out an intrusion.

CONCLUSIONS
The framework described in this research is based on Apache Hadoop and related technologies for processing huge amounts of log data collected from multiple sources. It helps in obtaining CSA by digging out important insights about malicious multistage attack patterns. Experiments with this framework were performed to reconstruct kill chains for each compromised layer of the security architecture and to project them with attack trees, in order to understand the intent of the intruder and gain actionable intelligence for defending the next possible targets of a multistage attack. Finally, the CSA capabilities put forward in this study enable a SOC to track and project multistage cyber-attacks.

REFERENCES
- Bhatt P., Yano E. T. (2013), "Analyzing Targeted Attacks using Hadoop applied to Forensic Investigation", The Eighth International Conference on Forensic Computer Science.
- Bjarnolf P., Gustavsson P. M., Brax C., and Fredin M. (2008), "Threat Analysis Using Goal-Oriented Action Planning", in Proceedings of the Fall Simulation Interoperability Workshop.
- Human Factors: The Journal of the Human Factors and Ergonomics Society, vol. 37, pp. 32-64, 1995.
- Tadda G. P. and Salerno J. S. (2010), "Overview of Cyber Situation Awareness", in Cyber Situational Awareness, S. Jajodia, P. Liu, V. Swarup and C. Wang, Eds., Springer, pp. 15-25.
- Hutchins E. M., Cloppert M. J., Amin R. M. (2011), "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", ICIW 2011.
- IMG-S Integrated Mission Group for Security (2012), "IMG-S Position paper for Horizon 2020", IMG-S.
- Kowtha S., Nolan L. and Daley R. (2012), "Cyber security operations center characterization model and analysis", in 2012 IEEE Conference on Technologies for Homeland Security (HST).

Authors: Parth Bhatt (1), Dr. Edgar Toshiro Yano (1), Dr. Joni Amorim (2), Dr. Per M. Gustavsson (3). (1) Instituto Tecnológico de Aeronáutica, São José dos Campos, Brasil; (2) University of Skövde, Skövde, Sweden; (3) Combitech Sweden / Swedish National Defence College / George Mason University, USA.

EVALUATION CRITERIA
Orange Book (TCSEC) 1985; UK Confidence Levels 1989; German Criteria; French Criteria; ITSEC 1991; Canadian Criteria (CTCPEC) 1993; Federal Criteria Draft 1993; Common Criteria (CC) V1.0 1996, V2.0 1998, V2.1 1999; ISO 15408-1999.
- Trusted Computer System Evaluation Criteria (TCSEC): evaluates confidentiality.
- Information Technology Security Evaluation Criteria (ITSEC): evaluates confidentiality, integrity and availability.
- Common Criteria (CC): provided a common structure and language; it is an international standard (ISO 15408).

BUT WHERE DO I START?
Leadership needs to support governance, risk management and compliance.
Require (when it makes sense) ISO 27001 certification from your vendors, and Common Criteria.
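Returning to the APT-SA poster above: the following added example (not the authors' Hadoop implementation) reconstructs per-layer kill chains from a handful of constructed log lines and projects the next privilege level on the poster's attack tree. The log format, the layer names and the mapping from a compromised layer to a privilege level are assumptions; the seven phase names are those of Hutchins et al. (2011).

```python
"""Kill-chain reconstruction and attack-tree projection (added example).
Constructed log format (assumed): "<ts> layer=<ring> phase=<kill-chain phase>
src=<source> <free text>". Not the poster authors' Hadoop code."""
import re
from collections import OrderedDict

# Kill-chain phases, in order, as named by Hutchins et al. (2011).
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# The poster's attack tree flattened into the privilege levels an intruder
# must obtain in order (leaf first, final goal last).
ATTACK_TREE = ["management_team_credential", "external_host_access",
               "firewall_acl", "internal_host_access", "security_server_admin"]

# Privilege level gained when a layer's kill chain completes (assumption).
LAYER_GAIN = {"external_ring": "external_host_access",
              "internal_ring": "internal_host_access"}

LOG_RE = re.compile(r"^(?P<ts>\S+) layer=(?P<layer>\S+) phase=(?P<phase>\S+) "
                    r"src=(?P<src>\S+) (?P<msg>.*)$")

# Constructed sample logs; the addresses are documentation ranges.
SAMPLE_LOGS = """\
2015-09-01T08:00:01Z layer=external_ring phase=reconnaissance src=203.0.113.7 port scan of ext-host
2015-09-01T08:14:22Z layer=external_ring phase=delivery src=203.0.113.7 mail with attachment to mgmt team
2015-09-02T09:02:10Z layer=external_ring phase=exploitation src=203.0.113.7 macro executed on ext-host
2015-09-02T09:02:55Z layer=external_ring phase=installation src=203.0.113.7 new service registered
2015-09-02T09:05:00Z layer=external_ring phase=command_and_control src=203.0.113.7 beacon to 198.51.100.9
2015-09-03T10:00:00Z layer=external_ring phase=actions_on_objectives src=203.0.113.7 mgmt credential file read
2015-09-04T11:00:00Z layer=internal_ring phase=reconnaissance src=203.0.113.7 ACL probe from ext-host
malformed line that the parser skips
2015-09-04T11:30:00Z layer=internal_ring phase=exploitation src=198.51.100.20 unrelated scanner
""".splitlines()

def parse_log(lines):
    """Yield one dict per well-formed line with a known kill-chain phase."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["phase"] in KILL_CHAIN:
            yield m.groupdict()

def reconstruct_kill_chains(lines):
    """Map (layer, source) -> kill-chain phases observed, in first-seen order."""
    chains = OrderedDict()
    for ev in parse_log(lines):
        seen = chains.setdefault((ev["layer"], ev["src"]), [])
        if ev["phase"] not in seen:
            seen.append(ev["phase"])
    return chains

def chain_progress(phases):
    """Index of the furthest kill-chain phase observed, or -1 if none."""
    return max((KILL_CHAIN.index(p) for p in phases), default=-1)

def project_next_target(chains):
    """Per source: a layer whose chain reached actions_on_objectives counts as
    compromised; the projection is the next privilege level on the tree."""
    report = {}
    for (layer, src), phases in chains.items():
        entry = report.setdefault(src, {"compromised": [], "next_target": None})
        if chain_progress(phases) == len(KILL_CHAIN) - 1:
            entry["compromised"].append(layer)
    for entry in report.values():
        gained = [ATTACK_TREE.index(LAYER_GAIN[l]) for l in entry["compromised"] if l in LAYER_GAIN]
        nxt = max(gained, default=-1) + 1
        entry["next_target"] = ATTACK_TREE[nxt] if nxt < len(ATTACK_TREE) else "goal_reached"
    return report
```

A chain that has not reached the last phase leaves its layer uncompromised, so the projection stays at the privilege level the source has already earned plus one.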
DEVELOPER: read Viega and McGraw
Principle 1: Secure the weakest link
Principle 2: Practice defense in depth
Principle 3: Fail securely
Principle 4: Follow the principle of least privilege
Principle 5: Compartmentalize
Principle 6: Keep it simple
Principle 7: Promote privacy
Principle 8: Remember that hiding secrets is hard
Principle 9: Be reluctant to trust
Principle 10: Use your community resources

USER: watch out! Facebook?

Thank you for your attention. Questions?