Resilient Architectures

Jeffrey Picciotto, The MITRE Corporation
2nd Annual Secure and Resilient Cyber Architectures Workshop (document dated 2012-06-10)

© 2012 The MITRE Corporation. All rights reserved. Approved for Public Release: 12-2397. Distribution Unlimited.

Page 1: Resilient Architectures (title slide)

Page 2: Transformation of Thought

Diagram (labels only). Framing questions: WHAT'S MOST IMPORTANT; WHAT RESOURCES ARE MOST IMPORTANT; WHAT ARE THE RISKS; HOW TO MITIGATE THE RISKS. Activities shown: Identify Mission Dependencies on Cyber; Prioritize Missions; CONOPS / Use Cases; End-to-End Flows; Mission Impact Analysis; Cyber Threat Susceptibility Assessment; Cyber Threats & Intelligence; Cyber Risk Remediation Engineering Analysis; Security Engineering; Assurance Practices; Anti-Tamper; SCRM Practices; Mitigations; Resiliency Practices.

Page 3: Desired Outcome

Bring community together to work collectively.

The cyber resiliency foundation we develop & shape is adopted by sponsors so missions are more assured.

Process labels shown: Apply Resiliency; Identify Requirements; Create Solutions; Prove Effectiveness.

Use Case
• Integration
• Techniques
• Operational context

Framework
• Goals
• Objectives
• Techniques

Technology
• Commercial products
• Research snapshot
• R&D tasks

Metrics
• Cost
• Performance

Page 4: Technology – Commercial Products

Products By Technical Area (111 Resiliency Vendors):
Analytic Monitoring 22%
Privilege Restriction 14%
Redundancy 12%
Unpredictability 10%
Substantiated Integrity 9%
Adaptive Response 6%
Deception 6%
Segmentation 6%
Diversity 5%
Dynamic Positioning 5%
Non-Persistence 5%

Page 5: Technology – Research Capabilities

320 publications reviewed, characterized, and analyzed. R&D Snapshot published.

Research By Technical Area:
Analytic Monitoring 29%
All Dynamic Categories 14%
Cross-Area 13%
Metrics 13%
Substantiated Integrity 11%
Adaptive Response 10%
Deception 5%
Isolation 5%

Research efforts named on the slide: SERPENT; IBIP; MATA-RAMS; Crypto Binding; Labyrinth; Diversity through Virtualization; ADDER; CyCS COMMANDR.

Page 6: Metrics

Uses: Understanding; Decision Making; Compliance Checking; Assessing Cost.
Stakeholders: Mission Commander; Program Manager; Cyber Defender; Vendor; Researcher.
Metric types: Technical / Operational; Cost / Performance.

| Intended Uses | Type | Metric | How Obtained | Approach | Layer |
|---|---|---|---|---|---|
| Operations | Perf | Length of time an attacker remains contained in a controlled environment | Red team, observation, analysis | Deception | Cyber Resource (system / network) |
| Technical | Cost | Dollar and/or LOE cost of integrating diverse components to achieve resiliency | Cost estimation, post-hoc analysis | Diversity | Mission; Node; Information asset |
| Technical | Perf | % mission-essential capabilities for which two or more different instantiations are available | Analysis | Diversity | Service; Software; Mission process |
| Operations | Cost | Degree of mission impact due to isolation of elements impeding information flow needed to act in a timely manner | Observation / post-hoc analysis | Segmentation | Mission process |
| Technical | Perf | % data value assertions in a mission-essential data store for which a gold copy exists | Analysis | Substantiated Integrity | Information asset |

Page 7: Practical Options

Reviewed current technology options. Assessed viability today. Documented in terms of near, mid, and long term options.

| Resiliency Technique | Near Term (<3 years) | Mid-Term (3-5 years) | Long-Term (>5 years) |
|---|---|---|---|
| Coordinated Defense | Use of a defense in depth strategy within organization | Systematic process to identify dependencies and interactions among cyber defenses | Automated identification of conflicts and dependencies among defenses |
| Deception | Honeypots (low interaction, based on commonly used attacker requested services) | Honeynets (network of honeypots intended to imitate activities of a real system) | Use of honeynets and virtualization to run deception nets that respond dynamically to adversary actions |
| Diversity | Different browsers on operating systems (OSs) | Use of different protocols / communications diversity (e.g., over time, space, frequency) | Dynamically employ different OSs and different applications on laptops, desktops and servers |
| Non-Persistence | Desktop virtualization | Applying virtualization to stateful services (e.g., active directory, routers) | Non-persistence (media/device sanitization or data transformation via encryption) for smartphones and tablets |
| Privilege Restriction | Removal of admin rights from end users for their machines | Separate processing domains based on privilege | Dynamic escalation of privilege restrictions based on indications of adversary activities |

Page 8: Framework Application

Use-case diagram (labels only): User; Data Products; Data Products Catalog; Server.

Framework columns filled in for this use case:
Goal: Withstand; Recover.
Objective: Constrain; Reconstitute; Continue.
Technique: Deception; Segmentation; Privilege Restriction; Redundancy; Substantiated Integrity.
Technology: Deception network; Hardware trusted path; Fine-grained controls; RIAK; Multi-cloud storage; Crypto bindings.
Metric: --- (left blank on the slide for every row).

Page 9: Use Case Integration

Use-case diagram (labels only): Mission; Analyst; MetaData Catalog; DP (three instances); Data Retrieval Application. The page 2 analysis diagram (WHAT'S MOST IMPORTANT; WHAT ARE THE RISKS; HOW TO MITIGATE THE RISKS; WHAT RESOURCES ARE MOST IMPORTANT, with the same activities) is repeated on this slide.

Apply the Resiliency Engineering Framework

Resiliency Goals: Withstand; Recover.
Resiliency Objectives: Constrain; Reconstitute.
Resiliency Techniques: Non-persistence; Adaptive Response; Redundancy; Analytic Monitoring; Deception; Substantiated Integrity; Unpredictability; Coordinated Defense; Realignment; Dynamic Representation; Segmentation; Privilege Restriction; Diversity; Dynamic Positioning.

Thread traced on the slide: Withstand -> Constrain, with numbered elements 1-10 labelled by technique and technology.
Technique labels: Segmentation; Redundancy; Non Persistence; Diversity; Privilege Restriction; Substantiated Integrity; Coordinated Defense; Adaptive Response; Deception; Analytic Monitoring.
Technology labels: RIAK; Security Aware Diversity thru Virtualization; Fine-grained controls; Mission Assurance through Availability; Cryptographic Hash; CyCS COMMANDR; Active Dynamic Defense; Deception network; FIDELIS; Hardware trusted Path.

Page 10: A Resilient Architecture

Architecture diagram (labels only): MITRE Infrastructure; AMAZON; ESXi Servers; VMs; FIREWALL; Adversary. Components placed on the diagram: SERPENT; CyCS COMMANDR; IBIP; ROCS; RIAK; DIB; LABYRINTH; SADV; MATA; FIDELIS; ADDER.

Page 11: Demonstration

Roles shown: Resiliency Operators; Adversary; Analyst; CyOC Operator.

Page 12: SIMEX – Cyber Resiliency Simulation Experiment

The Cyber Resiliency SIMEX examined tools, concepts, and the CONOPS/TTPs necessary to manage and conduct defensive cyber operations in support of mission operations.

Diagram (labels only): Carrier Strike Group; IWC; GCCS-J; BWC; Targeting Officer; ISR LNO; Intel Officer; DGO; DCO; Regional Cyber Command Center; White Cell; SIM Lead; Red Lead; EXCON; Data Col. Lead; Joint Surface Warfare Scenario.

Page 13: Sample Cyber SIMEX Day

Events:
Denial of service based on router vulnerability (Denial of Service)
Pre-planted malware activates on target system (Loss of Integrity)

Before resiliency capabilities:
o Use redundant routers
o Shut down file servers
o Turn off user privileges

Architect for resiliency capabilities and enable capabilities:
o Dynamically position diverse routers
o Recognize integrity loss and switch over to redundant capability
o Redirect potential C2

Technique labels shown: Substantiated Integrity; Diversity; Redundancy; Deception; Dynamic Redirection.

Page 14: Findings

Need TTPs to coordinate across CND and mission operators to distinguish cyber attacks from other events.

Resiliency Engineering requires a team: mission operators, CND operators, system engineers/architects.

There are few resiliency capabilities deployed, and no C2 or SA tools.

We lack trainers, models, & simulators for cyber operators.

Resiliency comes from integrating techniques tailored based on mission priorities, threats, and vulnerabilities.

Page 15: Need – Increased Adoption

Solutions for current and future architectures

Evidence it works in real world environments

Transfer knowledge/solutions across community