If you haven’t heard
of the “Science of Security” before you’re not alone. This post will take a
quick look at the Science of Security and the core foundational themes within
the discipline to help provide some insight to understand why cyber security
scientists should be part of an organizations cyber security team.
Many cyber security
teams today struggle with making the leap from analyzing raw security data and
identifying patterns in security information to being able to expand or produce
new knowledge and enable predictability. Knowledge is the layer in the data
pyramid between the information layer and the intelligence layer. A cyber
security scientist, in a broad sense, is one engaging in a systematic activity
to acquire knowledge in the cyber security domain. They help turn the raw
security data and information into usable knowledge the organization can take
advantage of.
The Science of
Security term is well known within leading academic and government cyber
security / information assurance centers and is considered by experts to be one
of the fundamental “game-changing” concepts in cyber security.
Many cyber security university
graduates entering the workforce today have been involved with Science of
Security academic research projects. Organizations need to look at creating security
scientist positions on their security teams to take advantage of this more
fruitful way to ground research, and to nurture and sustain progress in the
kinds of cyber security solutions that benefit the organization.
There are also many
Science of Security scientists like myself who have conducted scientific
research in real-world, large scale cyber operations running both limited scope
experiments as well as at-scale predictability experiments across global
enterprises that are validated by analysis of real-world observations and
feedback.
The Science of
Security term has been around since 2010 when an independent science and technology
advisory committee for the U.S. Department of Defense concluded there is a science
of (cyber) security discipline. The committee made recommendations that the DOD
sponsor multiple cyber security science based centers and projects within
universities and other research centers.
The following year,
2011, the White House released “Trustworthy Cyberspace: Strategic Plan For The
Federal Cybersecurity Research And Development Program” formally establishing
the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal
cybersecurity R&D programs.
The United States
government also signed a Science of Security Joint Statement of Understanding with
the governments of Canada and the United Kingdom in 2011 establishing 7 core themes
that together form the foundational basis for the Science of Security
discipline. The core themes are strongly inter-related, and mutually inform and
benefit each other. They are:
· Common Language
· Core Principles
· Measurable Security
· Agility
· Risk
· Human Factors
I’ve spent the last
couple decades working a wide range of cyber & intelligence positions inside
the Defense and Intelligence Community with the last several years focused on
the Science of Security core theme of Attack Analysis.
In this theme we
apply the scientific method to the analysis of cyber attacks. The scientific
method is also what many intelligence analysts use during the analysis and
production phase of the intelligence cycle.
In the data pyramid,
the intelligence layer sits between the knowledge layer and the wisdom layer. The
knowledge produced during attack analysis enables us to produce predictable
intelligence products that can be validated for accuracy with observations and
reported back through the intelligence feedback process.
Attack analysis
scientists seek to understand and explain the attack. The analysis is driven by
the data and information available to the scientist but generally includes
areas such as:
· The threat actor (type of threat actor, sophistication level, technology preferences, operating tempo, objectives, etc)
· If this attack is part of a larger campaign by the threat actor
· The threat actor’s tactics, techniques, and procedures (TTPs) to include attack patterns, tools, and malware
· The threat actors use the cyber terrain (People – Cyber Persona – Logical Layer (top 6 layers of the OSI) – Physical Layer – Geographic Layer)
· Identification of observables for different phases of the attack lifecycle that are indictors of the threat actor’s attack
· The threat actor’s exploit target within the defender’s cyber terrain (Configuration, Vulnerability, or Weakness)
· Analysis of the vulnerability score, weakness score customized for the defenders mission, and scoring how susceptible the defender is to the attack.
· Identification of courses of action (COA)the defender should take to mitigate or defend against the attack
· If the attack resulted in an incident, what actions did the threat actor take and what was the objective of those actions (cover tracks, data destruction, data modification, data theft, etc)
· The defenders use of their cyber terrain across the five layers
· The defenders tactics, techniques, and procedures (TTPs) to include tools and defender courses of action (COAs)
· Analysis / measurement of the defenders operations tempo and policies
· Analysis of the threat actors operational tempo vs the defenders operational tempo to determine threat susceptibility predictions
The knowledge
produced from attack analysis can be shared with other scientists through
publication to enable validation of the theory for those in academic or research
laboratory environments, shared as cyber threat intelligence for those working
in operational environments, or shared with engineers to development the next
generation of security solutions.
If you are going to
share knowledge with others, you should consider using a common language and
well defined core principles. We hear from the data science community all the
time that most data scientists spend 50% to 80% of their time just wrangling
the data into usable formats. The Science of Security Core theme of Common
Language focuses on the construction of a common language(s) and set of core
principles about which the security community can develop a shared
understanding and will facilitate the testing of hypotheses and validation of
concepts.
Common Languages and
well defined Core Principles are also strongly inter-related to the core theme
of Measurable Security. We want to be able to measure how secure a device is compared
to another device or rank a group of weaknesses or measure risk in standardized
repeatable ways.
A good example of activity
in this area that has been developed through government, industry, and academia
collaboration are the Making Security Measurable efforts lead by Mitre. These
common languages and formats are both human and machine readable. The use of
machine readable formats connects us to the Science of Security core theme of
Agility.
In the Science of
Security core theme of Agility, one of the key focuses is security automation to
include areas such as continuous monitoring, continuous diagnostics,
semi-automated and automated courses of action. Automated Courses of Action
(ACOAs) are strategies that incorporate decisions made and actions taken in
response to cyber situations. Automation frees humans to do what they do well –
think, ask questions, and make judgments about complex situations.
Automation allows
the speed of response to approach the speed of attack rather than relying on
human speed responses. It’s fairly common knowledge that if a defender wants to
get ahead of the threat actor, the defender needs to spin the defense cycle at
a faster speed then the threat actor spins the attack cycle. Automation is
aimed at helping the defender increase the spin rate of the defense cycle to
enable better resiliency against the attack cycle.
The U.S. Department
of Homeland Security described this in the 2011 paper “Enabling Distributed
Security in Cyberspace” which explores the idea of a healthy, resilient – and fundamentally
more secure – cyber ecosystem of the future, in which cyber participants, including
cyber devices, are able to work together in near-real time to
anticipate and prevent cyber attacks.
Another key focus of
the Agility theme is Interoperability. DHS describes three types of
interoperability that are fundamental to integrating the many disparate
participants into a comprehensive cyber defense system that can create new
intelligence and make and implement decisions at machine speed:
1. Semantic Interoperability: The ability of each sending party to communicate data and have receiving parties understand the message in the sense intended by the sending party.
2. Technical Interoperability: The ability for different technologies to communicate and exchange data based upon well defined and widely adopted interface standards.
3. Policy Interoperability: Common business processes related to the transmission, receipt, and acceptance of data among participants.
Interoperability
enables common operational pictures and shared situational awareness to emerge
and disseminate rapidly. The creation of new kinds of intelligence (such as
fused sensor inputs), coupled with rapid learning at both the machine and human
levels, could fundamentally change the cyber security ecosystem.
Within cyber
security, all three types of interoperability are being enabled through an
approach that has been refined over the past decade by many in industry,
academia, and government. Here are some examples.
· Enumerations such as common attack patterns (CAPEC) or public vulnerabilities (CVE).
· Languages and Formats for Structured Threat Information eXpression (STIX), Cyber Observable eXpression (CYBOX), and Malware (MAEC).
· Knowledge Repositories such as security best practices, security benchmarks, and security checklists.
Automation and
interoperability are exciting areas that hold a lot of promise for helping to
increase the spin rate of the defenders operational tempo. They are enablers
that teach machines how to read and write the languages developed by the
community. This lays the foundation for future work where we can better
organize and more formally represent the domain knowledge using technology such
as semantic web ontologies.
Ontologies in turn would
allow the machine understand the meaning of the data. Once machines understand
the meaning of the data we can then enable them to reason about domain
knowledge and the ability for machines to infer new knowledge based on existing
knowledge. This in turn could enable further automated courses of action in
areas that require reasoning before deciding on an action to take.
The Science of
Security is on the cutting edge of security R&D and security scientists are
leading the charge for the discovery of new domain knowledge. Organizations
should consider hiring cyber security scientists to help organizations in
developing a strong, rigorous scientific foundation to cyber security while
providing structure and organization to a broad-based body of knowledge in the
domain.
No comments:
Post a Comment