Tuesday, September 9, 2014

Science of Security: Does Your Cyber Security Team Include Cyber Security Scientists?


If you haven’t heard of the “Science of Security” before you’re not alone. This post will take a quick look at the Science of Security and the core foundational themes within the discipline to help provide some insight to understand why cyber security scientists should be part of an organizations cyber security team.

Many cyber security teams today struggle with making the leap from analyzing raw security data and identifying patterns in security information to being able to expand or produce new knowledge and enable predictability. Knowledge is the layer in the data pyramid between the information layer and the intelligence layer. A cyber security scientist, in a broad sense, is one engaging in a systematic activity to acquire knowledge in the cyber security domain. They help turn the raw security data and information into usable knowledge the organization can take advantage of.

The Science of Security term is well known within leading academic and government cyber security / information assurance centers and is considered by experts to be one of the fundamental “game-changing” concepts in cyber security.

Many cyber security university graduates entering the workforce today have been involved with Science of Security academic research projects. Organizations need to look at creating security scientist positions on their security teams to take advantage of this more fruitful way to ground research, and to nurture and sustain progress in the kinds of cyber security solutions that benefit the organization.

There are also many Science of Security scientists like myself who have conducted scientific research in real-world, large scale cyber operations running both limited scope experiments as well as at-scale predictability experiments across global enterprises that are validated by analysis of real-world observations and feedback.

The Science of Security term has been around since 2010 when an independent science and technology advisory committee for the U.S. Department of Defense concluded there is a science of (cyber) security discipline. The committee made recommendations that the DOD sponsor multiple cyber security science based centers and projects within universities and other research centers.


The following year, 2011, the White House released “Trustworthy Cyberspace: Strategic Plan For The Federal Cybersecurity Research And Development Program” formally establishing the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal cybersecurity R&D programs.


The United States government also signed a Science of Security Joint Statement of Understanding with the governments of Canada and the United Kingdom in 2011 establishing 7 core themes that together form the foundational basis for the Science of Security discipline. The core themes are strongly inter-related, and mutually inform and benefit each other. They are:

·         Attack Analysis
·         Common Language
·         Core Principles
·         Measurable Security
·         Agility
·         Risk
·         Human Factors


I’ve spent the last couple decades working a wide range of cyber & intelligence positions inside the Defense and Intelligence Community with the last several years focused on the Science of Security core theme of Attack Analysis.

In this theme we apply the scientific method to the analysis of cyber attacks. The scientific method is also what many intelligence analysts use during the analysis and production phase of the intelligence cycle.

In the data pyramid, the intelligence layer sits between the knowledge layer and the wisdom layer. The knowledge produced during attack analysis enables us to produce predictable intelligence products that can be validated for accuracy with observations and reported back through the intelligence feedback process.

Attack analysis scientists seek to understand and explain the attack. The analysis is driven by the data and information available to the scientist but generally includes areas such as:

·         The threat actor (type of threat actor, sophistication level, technology preferences, operating tempo, objectives, etc)
·         If this attack is part of a larger campaign by the threat actor
·         The threat actor’s tactics, techniques, and procedures (TTPs) to include attack patterns, tools, and malware
·         The threat actors use the cyber terrain (People – Cyber Persona  – Logical Layer (top 6 layers of the OSI) – Physical Layer  – Geographic Layer)
·         Identification of observables for different phases of the attack lifecycle that are indictors of the threat actor’s attack
·         The threat actor’s exploit target within the defender’s cyber terrain (Configuration, Vulnerability, or Weakness)
·         Analysis of the vulnerability score, weakness score customized for the defenders mission, and scoring how susceptible the defender is to the attack.
·         Identification of courses of action (COA)the defender should take to mitigate or defend against the attack
·         If the attack resulted in an incident, what actions did the threat actor take and what was the objective of those actions (cover tracks, data destruction, data modification, data theft, etc)
·         The defenders use of their cyber terrain across the five layers
·         The defenders tactics, techniques, and procedures (TTPs) to include tools and defender courses of action (COAs)
·         Analysis / measurement of the defenders operations tempo and policies
·         Analysis of the threat actors operational tempo vs the defenders operational tempo to determine threat susceptibility predictions


The knowledge produced from attack analysis can be shared with other scientists through publication to enable validation of the theory for those in academic or research laboratory environments, shared as cyber threat intelligence for those working in operational environments, or shared with engineers to development the next generation of security solutions.

If you are going to share knowledge with others, you should consider using a common language and well defined core principles. We hear from the data science community all the time that most data scientists spend 50% to 80% of their time just wrangling the data into usable formats. The Science of Security Core theme of Common Language focuses on the construction of a common language(s) and set of core principles about which the security community can develop a shared understanding and will facilitate the testing of hypotheses and validation of concepts.

Common Languages and well defined Core Principles are also strongly inter-related to the core theme of Measurable Security. We want to be able to measure how secure a device is compared to another device or rank a group of weaknesses or measure risk in standardized repeatable ways.

A good example of activity in this area that has been developed through government, industry, and academia collaboration are the Making Security Measurable efforts lead by Mitre. These common languages and formats are both human and machine readable. The use of machine readable formats connects us to the Science of Security core theme of Agility.


In the Science of Security core theme of Agility, one of the key focuses is security automation to include areas such as continuous monitoring, continuous diagnostics, semi-automated and automated courses of action. Automated Courses of Action (ACOAs) are strategies that incorporate decisions made and actions taken in response to cyber situations. Automation frees humans to do what they do well – think, ask questions, and make judgments about complex situations.  

Automation allows the speed of response to approach the speed of attack rather than relying on human speed responses. It’s fairly common knowledge that if a defender wants to get ahead of the threat actor, the defender needs to spin the defense cycle at a faster speed then the threat actor spins the attack cycle. Automation is aimed at helping the defender increase the spin rate of the defense cycle to enable better resiliency against the attack cycle.

The U.S. Department of Homeland Security described this in the 2011 paper “Enabling Distributed Security in Cyberspace” which explores the idea of a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near-real time to anticipate and prevent cyber attacks.


Another key focus of the Agility theme is Interoperability. DHS describes three types of interoperability that are fundamental to integrating the many disparate participants into a comprehensive cyber defense system that can create new intelligence and make and implement decisions at machine speed:

1.  Semantic Interoperability: The ability of each sending party to communicate data and have receiving parties understand the message in the sense intended by the sending party.
2.  Technical Interoperability: The ability for different technologies to communicate and exchange data based upon well defined and widely adopted interface standards.
3.  Policy Interoperability: Common business processes related to the transmission, receipt, and acceptance of data among participants.

Interoperability enables common operational pictures and shared situational awareness to emerge and disseminate rapidly. The creation of new kinds of intelligence (such as fused sensor inputs), coupled with rapid learning at both the machine and human levels, could fundamentally change the cyber security ecosystem.

Within cyber security, all three types of interoperability are being enabled through an approach that has been refined over the past decade by many in industry, academia, and government. Here are some examples.

·         Enumerations such as common attack patterns (CAPEC) or public vulnerabilities (CVE).
·         Languages and Formats for Structured Threat Information eXpression (STIX), Cyber Observable eXpression (CYBOX), and Malware (MAEC).
·         Knowledge Repositories such as security best practices, security benchmarks, and security checklists.

Automation and interoperability are exciting areas that hold a lot of promise for helping to increase the spin rate of the defenders operational tempo. They are enablers that teach machines how to read and write the languages developed by the community. This lays the foundation for future work where we can better organize and more formally represent the domain knowledge using technology such as semantic web ontologies.

Ontologies in turn would allow the machine understand the meaning of the data. Once machines understand the meaning of the data we can then enable them to reason about domain knowledge and the ability for machines to infer new knowledge based on existing knowledge. This in turn could enable further automated courses of action in areas that require reasoning before deciding on an action to take.

The Science of Security is on the cutting edge of security R&D and security scientists are leading the charge for the discovery of new domain knowledge. Organizations should consider hiring cyber security scientists to help organizations in developing a strong, rigorous scientific foundation to cyber security while providing structure and organization to a broad-based body of knowledge in the domain.

No comments: