A national model for cyber protection: the Raytheon way

SP's MAI - INTERNAL SECURITY - By Lt General (Retd) Naresh Chand

In today's cyber security environment there is no way to prevent a determined intruder from getting into a network as long as one allows e-mail and web surfing. The reason is that the majority of information assurance architectures rely on patching and configuration control for protection, and on signatures for both protection and detection. When the attack vector (an e-mail or a web address) has to be let past the perimeter to the desktop, successful penetrations are virtually guaranteed. Raytheon therefore believes the best way to address this is to accept that attackers will get into the network and to extend defensive action to detecting, disrupting and denying the attacker's command and control (C2) communications back out of the network. Such a strategy focuses on identifying the websites and IP addresses that attackers use to communicate with malicious code already infiltrated onto the organisation's computers. While some of these sites are legitimate sites that have been compromised, the majority are usually new domains registered by attackers solely for the purpose of command and control, so there is little danger of unintended consequences from blocking these websites and their associated IP addresses for outbound traffic. Raytheon has had success with this strategy, but it requires a significant investment. The primary measure of the threat is the intruder's dwell time in the network rather than the number of penetrations; the effort should therefore go into driving the effective dwell time to zero.

Dwell Time

There are two ways to reduce the dwell time of an intruder, both of which are being pursued by Raytheon. The first is to detect the malicious outbound traffic in one's own network, which requires a large investment. The other is collaboration with other operational entities, which is affordable by all. Many organisations regularly report C2 channels, and these can be shared with others formally or informally through Information Sharing and Analysis Centres (ISACs), the Defence Industrial Base Cyber Task Force, InfraGard, etc. It is in the collaboration realm that Raytheon believes there is an opportunity for a national-scale effort that can turn collective effort to our advantage in the cyber battle.

While there is no national-scale framework in place, there is a model that has already proven effective in fighting other cyber security problems. In this model a set of trusted entities develop threat information and report it voluntarily (with non-attribution) to a central source, which consolidates the information and rapidly disseminates it to a very large user community. This is the model already used by the highly successful antivirus and spam filtering industries. Raytheon proposes that the same model be used to disseminate information on attacker C2 URLs and IP addresses and to automatically block outbound traffic to them. If attackers get into your network but cannot get back out, the attack is effectively thwarted.

Raytheon thus proposes a model for setting up a National Cyber Threat Protection Service to implement a C2 disruption strategy. The model includes positive incentives for every participant. It is a voluntary Industry-Government Cooperative Model for Disrupting Malicious Cyber Command and Control which involves three types of entities:

• Threat Reporters. Threat reporters are organisations with the detection and analytical capability to discover command and control sites via malware reverse engineering or traffic analysis. Organisations, be they commercial, private or governmental, would apply to be certified as threat reporters and have their reports of C2 channels accepted as valid. Some third party, presumably a government entity, an industry consortium or some hybrid of the two, would be responsible for certifying potential threat reporters against a moderate standard of in-house capabilities.

• National Cyber Threat Response Centre (NCTRC). The role of the NCTRC is to serve as a central threat clearing house for processing reports of C2 URLs and IP addresses from threat reporters and rapidly distributing them to the community of firewall device vendors. By having a central point disseminating the information to all vendors equally, we avoid the problem faced with antivirus today, where not all vendors detect all threats. The NCTRC would also deconflict erroneous reporting that resulted in disruption to legitimate activities. It would maintain a 'reputation index' (i.e. a credibility rating) for each reporter, much like seller ratings on eBay; through this feedback loop a threat reporter could be decertified (i.e. no longer have their reports accepted or be able to claim threat reporter status in their marketing). The NCTRC must be a single organisation focused on rapid dissemination of actionable information.

• Firewall Vendors. Vendors of firewall devices (the term being used here in its most generic sense) would accept the new threat information and push it out to their devices in the field the same way antivirus and spam filtering vendors push new definitions today. Producers of devices that are capable of blocking outbound web traffic would accept the data from the clearing house, reformat it as appropriate for their device, and push it out to their customers as quickly as possible. Traditional desktop or network firewalls, web proxies and routers would all be capable of performing this function, giving network owners a wide variety of products from which to select based on their architecture and investment tolerance. The vendors would differentiate themselves from each other not only on price, but also on their speed of updates and on value-added services such as the ability of their customers to manually override the lists or to receive reports on their own networks.

Common Operational Picture

Perhaps one of the key side benefits of this model is that it could be the basis of a true Common Operational Picture (COP). If every firewall device supporting this model not only blocked the outbound traffic but also, again voluntarily, reported back to the clearing house that it had blocked a C2 attempt from its IP address, then, given the potentially hundreds of thousands of devices reporting in, this would represent a very accurate picture of the scope of any given attack or campaign. For example, if the IP space of all nuclear power plants is known, a COP could show attempts to reach the same C2 sites from multiple power plants, which could indicate a concerted effort to compromise the plants.
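To make the three roles and the COP feedback loop concrete, here is an added example in Python; it is not from the article and not Raytheon's code. It models a toy clearing house (the NCTRC role) that accepts C2 indicators only from certified reporters, keeps a reputation score per reporter and retracts erroneous indicators; a blocking device that normalises outbound destinations, matches them against the consolidated feed and reports each hit back; and a COP function that flags indicators contacted from several distinct sites. All reporter names, site names, indicators and connection attempts are constructed, and the 30-point penalty and 50-point decertification threshold are assumed values the article does not specify.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit


def normalise(indicator: str) -> str:
    """Reduce a reported C2 URL, hostname or IP address to one block key so
    that differently spelt reports of the same site match the same destination."""
    host = indicator.strip()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))  # canonical IP text
    except ValueError:
        return host


class ClearingHouse:
    """The NCTRC role: accept reports only from certified reporters, keep a
    reputation score per reporter, consolidate indicators into one feed, and
    pull both indicator and credibility when a report proves erroneous."""

    PENALTY = 30          # assumed: points lost per retracted report
    DECERTIFY_BELOW = 50  # assumed: reports no longer accepted below this

    def __init__(self, certified):
        self.reputation = {r: 100 for r in certified}
        self.blocklist = {}  # block key -> reporter that submitted it

    def submit(self, reporter, indicator):
        """Accept a C2 indicator; False if reporter is not (or no longer) certified."""
        if self.reputation.get(reporter, 0) < self.DECERTIFY_BELOW:
            return False
        self.blocklist.setdefault(normalise(indicator), reporter)
        return True

    def retract(self, indicator):
        """Deconflict an erroneous report: drop it and penalise its reporter."""
        reporter = self.blocklist.pop(normalise(indicator), None)
        if reporter is not None:
            self.reputation[reporter] -= self.PENALTY
        return reporter

    def feed(self):
        return frozenset(self.blocklist)  # consolidated feed pushed to vendors


class BlockingDevice:
    """A firewall or proxy that has pulled the feed, blocks outbound
    connections to listed hosts and voluntarily reports each hit back."""

    def __init__(self, site, feed, hits):
        self.site, self.feed, self.hits = site, feed, hits

    def allow_outbound(self, destination):
        key = normalise(destination)
        if key in self.feed:
            self.hits.append((self.site, key))  # report back for the COP
            return False
        return True


def common_operational_picture(hits, min_sites=2):
    """Group blocked attempts by C2 indicator; an indicator contacted from
    several distinct sites suggests one campaign against all of them."""
    sites_by_c2 = defaultdict(set)
    for site, key in hits:
        sites_by_c2[key].add(site)
    return {k: sorted(v) for k, v in sites_by_c2.items() if len(v) >= min_sites}


def run_scenario():
    """Constructed walk-through: two certified reporters, three sites."""
    nctrc = ClearingHouse(certified={"reporter-a", "reporter-b"})
    nctrc.submit("reporter-a", "http://c2-update.example/gate.php")
    nctrc.submit("reporter-b", "198.51.100.23")
    nctrc.submit("reporter-b", "shared-host.example")  # later proves legitimate
    uncertified_accepted = nctrc.submit("unknown-org", "evil.example")
    nctrc.retract("shared-host.example")  # deconfliction; reporter-b penalised

    feed, hits = nctrc.feed(), []
    attempts = [  # constructed outbound attempts: (site, destination)
        ("plant-north", "C2-UPDATE.example"),
        ("plant-south", "http://c2-update.example/gate.php?id=7"),
        ("plant-east", "198.51.100.23"),
        ("plant-east", "shared-host.example"),  # retracted, must be allowed
        ("plant-north", "www.example.org"),
    ]
    decisions = {(site, dest): BlockingDevice(site, feed, hits).allow_outbound(dest)
                 for site, dest in attempts}
    return {"nctrc": nctrc, "uncertified_accepted": uncertified_accepted,
            "decisions": decisions, "cop": common_operational_picture(hits)}


if __name__ == "__main__":
    print(run_scenario()["cop"])
```

Two design points carry over from the article. Normalisation happens on both the reporting and the blocking side, because a device that compares raw strings would let `C2-UPDATE.example` through while blocking `c2-update.example`. And retraction removes the indicator from the feed and docks the reporter's score in the same step, so a reporter whose reports keep causing disruption to legitimate sites eventually falls below the threshold and is decertified without anyone having to chase them manually.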


The main risk associated with this model is that of blocking a legitimate website that has been taken over by an attacker for use as a C2 or downloader site. The article argues that this risk is small compared to the gain, and the model's own safeguards, the NCTRC's deconfliction of erroneous reports and the vendor-provided ability of customers to override the lists, exist to handle exactly such cases.
