8 August 2015

How DoD is making cyberattacks more costly, less successful

John Edwards and Eve Keiser, 
August 5, 2015

One of the best ways to reduce the cyber threat is to make it harder and more costly for adversaries to initiate attacks, says Defense Department CIO Terry Halvorsen. Powerful and innovative security measures such as multifactor authentication and biometrics, along with strategic security planning and training, could make launching attacks on DoD resources time-consuming and futile.

“The approach to cyber defense is expanding from its original roots, which was to defend the network technically at the point of entry from the public Internet using firewalls and malware signature recognition,” said Mark Testoni, president and CEO of SAP National Security Services. “Instead, cyber is now being understood as a warfare domain, much like the other domains of air, sea, land and space.”

Cyber changes rapidly, according to Henry Muller, director of the U.S. Army Communications-Electronics Research, Development and Engineering Center (CERDEC). “In less than two decades, cyberspace has radically transformed how the Army operates and wages war,” he said. “Unlike the physical domains, cyberspace will continue to grow and is projected to reach over 100 billion connected devices within just the next 10 years.”

Bharat Doshi, CERDEC’s senior cybersecurity research scientist, noted that many different processes, policies and technologies can be used to make it costlier for adversaries to mount a successful attack. “Since the operational discipline and hygiene are critical first lines of defense, basic but persistent improvements in these areas will make it more expensive for an adversary to succeed,” he said.

CERDEC is currently researching several promising technologies, Doshi said. “One general class of technologies involves obfuscation, which prevents the adversary from getting valuable information even if they are able to observe our systems. Encryption of data at rest, data in transit and data in processing provides one way of obfuscation.”

Another approach designed to enhance cybersecurity is the “moving target defense,” in which several key network and processing system aspects change either periodically or randomly, preventing snoopers from developing a detailed understanding of operations. “Changes may also be executed after detection of a cyberattack ... to prevent the successful intruder from causing further damage,” Doshi said.

MFA and biometrics

The DoD and other agencies should be looking at multifactor authentication (MFA) to help reduce exposure caused by phishing campaigns and login compromise, said Steve Orrin, federal chief technologist for Intel. Orrin also recommended that agencies consider augmenting MFA with contextual security controls such as location, device identity, device trust attestation and network access point.

“Adding these controls to existing or new MFA-based approaches will provide better security posture and allow for more granular controls and policy enforcement,” he said.

An expansion of the use of MFA has been on DoD’s road map for a number of years and is slated to eventually become universally adopted across the department, said Adam Firestone, president and general manager of Kaspersky Government Security Solutions. He also said biometric authentication technologies are advancing and gaining operational traction.

CERDEC recognizes the advantages of biometrics for identification and authentication and believes its use will increase, Doshi said.

“CERDEC also recognizes challenges in using biometrics at the tactical edge in the middle of active fighting,” he added. “In this environment, soldiers may be required to operate in various levels of stress and mission-oriented protective postures, which hinder the use of biometrics.”

A combination of strong MFA along with an attribute-based access control forces an adversary to devote significantly greater resources to penetrating and effecting lateral movement within a network, Firestone said. “Encrypting everything reduces or eliminates the payoff for an attack,” he said. “Continuous monitoring reduces the amount of time an adversary has to exploit a breach, and a trap, or honeypot, causes the attacker to expend resources on a useless and potentially dangerous — to them — target.”
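The two ideas above, MFA augmented with contextual controls (Orrin, device attestation, location and network access point) and MFA combined with attribute-based access control (Firestone), can be expressed as a single policy decision. The following is an added illustration, not code from the article or from any of the organizations quoted; the field names, factor categories, trusted-network list and policy rules are assumptions made for the example. Two knowledge factors (password plus PIN) deliberately do not count as MFA, and the contextual device and network checks are tightened only for classified resources.

```python
"""Contextual MFA + attribute-based access control decision (added example).

All attribute names, factor categories and rules below are illustrative
assumptions; they are not taken from DoD policy or the article.
"""
from dataclasses import dataclass, field

# MFA means at least two *different* categories were proven, so a password
# plus a PIN (both "knowledge") is not multifactor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "smartcard": "possession",
    "totp": "possession",
    "fingerprint": "inherence",
}

CLEARANCE_LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2}
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}   # assumed access points
ALLOWED_COUNTRIES = {"US"}                    # assumed coarse-location rule


@dataclass
class AccessRequest:
    factors: list               # factor names completed in this session
    role: str                   # subject attribute
    clearance: str              # subject attribute
    device_attested: bool       # result of a device trust attestation check
    country: str                # coarse location of the session
    network: str                # network / access point the session came from
    resource_classification: str
    resource_roles: set         # roles permitted on the resource


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def mfa_satisfied(factors):
    """True when factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY.get(f) for f in factors}
    categories.discard(None)                    # ignore unknown factor names
    return len(categories) >= 2


def evaluate(req: AccessRequest) -> Decision:
    reasons = []

    # 1. Authentication strength: deny and ask for step-up if not MFA.
    if not mfa_satisfied(req.factors):
        reasons.append("step-up: a second factor category is required")

    # 2. Attribute-based rules: clearance dominates classification, role fits.
    subject = CLEARANCE_LEVEL.get(req.clearance, -1)
    needed = CLEARANCE_LEVEL.get(req.resource_classification, 99)
    if subject < needed:
        reasons.append("clearance below resource classification")
    if req.role not in req.resource_roles:
        reasons.append("role not permitted on this resource")

    # 3. Contextual controls, tightened for anything above unclassified.
    if req.resource_classification != "unclassified":
        if not req.device_attested:
            reasons.append("device attestation failed")
        if req.network not in TRUSTED_NETWORKS:
            reasons.append("untrusted network access point")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location outside allowed region")

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    req = AccessRequest(["password", "smartcard"], "analyst", "secret", True,
                        "US", "corp-vpn", "secret", {"analyst"})
    print(evaluate(req))
```

Every denial carries the list of failed controls, which is what a monitoring pipeline needs to distinguish a user who simply has not completed step-up from a session arriving on an unattested device from an unexpected network.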

Promising innovations

Security innovations exist at both the platform layer and for the data center and security operations center, Orrin said. “New features in hardware and software allow for inline memory protection and containerization that provide security to applications and data in hostile environments subject to malware and other exfiltration attacks,” he said. “New models for software-defined networking and network function virtualization can allow a network to be more dynamic, resilient and can automate threat responses, mitigations and forensics/honeypotting.”

Analytics applied to threat intelligence represents the next wave for gaining better insight and faster detection of threats and attacks, he said.

Earl Matthews, a retired Air Force major general and vice president of enterprise security solutions for Hewlett-Packard, advocates the adoption of active hunting for pending attacks, encryption and using a diversified technology base.

“This is controversial, because a homogeneous network is less costly to manage, patch and maintain in compliance,” Matthews said. “But static networks enable the adversary to perform long-term targeting operations and homogeneity actually narrows their attack solution.”

Under a diversified technology architecture, it is possible to decrease the technical vulnerability risk across the enterprise and reduce supply-chain risk while making the adversary spread their resources more thinly, he said.

“To strengthen our security posture, it’s time to think beyond the traditional perimeter,” Testoni said. Cybersecurity needs to be less about walls and moats and more about analyzing behavioral anomalies in networks and systems.

“In our current threat landscape, we have to assume that the wall has been breached in network defenses,” he said. “This is because the weakest link in cyber defense is the behavior of users and the effectiveness of social engineering methods, such as phishing, or even willful breaches by insiders.”

Testoni believes that behavioral analysis of network devices and users, utilizing machine-learning algorithms and other techniques, will be necessary to give commanders situational awareness and, ultimately, complete command and control over the cyber domain.
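As an added example of the behavioral-anomaly idea Testoni describes (not code from the article or from SAP NS2), the script below builds a per-user baseline of normal hosts and working hours from constructed authentication events, then scores new events against it. The log format, user and host names, and the thresholds are assumptions made for the example. Besides flagging a single unusual login, it aggregates "new host" hits per user so that one account touching several unfamiliar systems in a short window surfaces as a separate alert, which is the pattern a defender watching for lateral movement cares about.

```python
"""Baseline-and-deviation login anomaly detection (added example).

Events are constructed tuples: (user, ISO-8601 timestamp, host, result).
Names, hours and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: alice works 08:00-17:00 on two hosts, bob on one.
BASELINE_EVENTS = [
    ("alice", f"2015-08-0{day}T{hour:02d}:00:00", host, "success")
    for day in (3, 4) for hour in range(8, 18) for host in ("ws-alice", "fs-01")
] + [
    ("bob", f"2015-08-0{day}T{hour:02d}:15:00", "ws-bob", "success")
    for day in (3, 4) for hour in range(8, 18)
]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("alice", "2015-08-05T10:00:00", "ws-alice", "success"),   # normal
    ("alice", "2015-08-05T03:00:00", "ws-alice", "success"),   # unusual hour
    ("bob", "2015-08-05T10:00:00", "db-01", "success"),        # new host
    ("bob", "2015-08-05T10:05:00", "db-02", "success"),        # new host
    ("bob", "2015-08-05T10:07:00", "hr-share", "success"),     # new host
    ("mallory", "2015-08-05T11:00:00", "ws-alice", "success"), # unknown user
]


def build_baseline(events):
    """Per-user sets of hosts and hours seen in successful logins."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, ts, host, result in events:
        if result != "success":
            continue                      # failures do not define "normal"
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profile)


def score_event(profile, event):
    """Return the list of deviations for one event (empty means normal)."""
    user, ts, host, _result = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    flags = []
    if host not in p["hosts"]:
        flags.append("new host")
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        flags.append("unusual hour")
    return flags


def detect(profile, events, host_spread_threshold=3):
    """Score each event and add a per-user alert when many new hosts appear."""
    alerts = []
    new_hosts = defaultdict(set)
    for event in events:
        flags = score_event(profile, event)
        if "new host" in flags:
            new_hosts[event[0]].add(event[2])
        if flags:
            alerts.append({"user": event[0], "ts": event[1],
                           "host": event[2], "flags": flags})
    for user, hosts in new_hosts.items():
        if len(hosts) >= host_spread_threshold:
            alerts.append({"user": user, "ts": None, "host": None,
                           "flags": [f"possible lateral movement: "
                                     f"{len(hosts)} new hosts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

A real deployment would learn the baseline continuously and weight deviations rather than treat them as booleans, but the structure is the same: the commander's "situational awareness" comes from comparing current behavior to a learned profile, not from a perimeter rule.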

Training the weakest link

Humans are the weakest link in network security, so end-user training is critical, Doshi said.

“They are the first line of defense,” he said. “Lack of discipline and operational hygiene will provide an easy access for an adversary.”

Yet people can also serve as security sentinels. “End users reporting anomalies will help the system operators to identify intruders faster and more accurately,” he said. “Training could be very useful in leveraging these ‘human sensors.’ ”

Training programs must be geared toward specific user roles, said William Senich, global cyber solutions director for Alion Science and Technology.

“While there are basic security rules by which everyone must abide, people in certain jobs may require specialized training that teaches them how to recognize threats unique to their positions,” he said.

A technical specialist with high-level access privileges, for example, may require specialized training that differs greatly from the training needed by colleagues with limited system access.

“Of course, people in either role are vulnerable to the same commonly observed threats, from one-off penetration attempts to, in some instances, sustained persistent attacks,” Senich noted.

Approaches and tactics

The DoD and other agencies need to improve contextual security by integrating security products and technologies across security solutions and security domains, while also taking an end-to-end view of how to protect data and systems, Orrin said.

The best way to secure massive amounts of information in the shortest length of time is to follow a strategic, layered approach, Matthews said. The goal “is to ensure that the most valuable data has the most protection, and security resources are allocated accordingly,” he said.

Matthews also advocated taking the cyberwar directly to the adversaries. “Perform counter-intelligence operations to disrupt the adversary’s development, deployment, doctrine and dogma,” he said.
