
Cybersecurity Research and Approaches
Explore novel approaches in computational cybersecurity research to avoid misattribution of malicious cyber activity. Topics include cyber operations, identity discovery challenges, APT infection detection, and metadata-based discovery methods. Join experts in panel discussions and Q&A sessions to delve into the complexities of cybersecurity.
Presentation Transcript
Computational Cybersecurity in Compromised Environments (C3E)
Special Cyber Operations Research & Engineering
Novel Approaches to Avoid Misattribution of Malicious Cyber Activity
Agenda: Morning, 10:30-11:45, 2015 C3E, Novel Approaches to Avoid Misattribution of Malicious Cyber Activity
10:30-10:40 Introduction to the Challenge Problem (Dan Wolf)
10:40-10:45 Attribution Cybersecurity Challenge Problem (Chip Willard)
10:45-11:35 Panel Discussion: Finn Ramsland (FireEye/Mandiant), Marco Carvalho (Florida Institute of Technology), Dr. Peter Chin (BSU/Draper Labs), Sid Faber (CMU/CERT), Van Parunak (AxonAI)
11:35-11:45 Q&A
C3E Cybersecurity Problems
Identity Discovery Challenge (2012)
APT Infection Discovery Using DNS Data (2013)
Metadata-based Malicious Cyber Discovery (2014)
Novel Approaches to Avoid Misattribution of Malicious Cyber Activity (2015)
Identity Discovery Challenge: an epidemic contact-tracing and data-analysis scenario. An unidentified male is potentially carrying a deadly and highly contagious virus. Tasks: Who is the unidentified male? Where is the unidentified male? Data: generated datasets.
APT Infection Discovery Using DNS Data: develop techniques for detecting malicious external hosts given the DNS logs for a site, and identify potentially infected hosts in the process. Data: 1.4 TB of real DNS traffic from LANL (Los Alamos National Laboratory).
Metadata-based Malicious Cyber Discovery: invent and prototype approaches for identifying high-interest, suspicious and likely malicious behaviors from metadata, approaches that challenge the way we traditionally think about the cyber problem. Data: DHS PREDICT dataset.
Novel Approaches to Avoid Misattribution of Malicious Cyber Activity
What features of malicious cyber events lie outside standard technical or behavioral forensic analysis procedures?
Are any of these features distinct from one group to another?
Are there threat actor procedural biases, quirks, or other subtleties that can be discerned from malicious cyber event data?
Are there aspects or features of malicious cyber events that can supplement the traditional signatures used for making threat attribution assessments?
Goal: novel approaches.
Suggested Data Sets
PREDICT Data Repository: Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT), a data repository for cyber security research. PREDICT is supported by the Department of Homeland Security, Science & Technology Directorate.
Suggested data set: National Collegiate Cyber Defense Competition
2015 National Collegiate Cyber Defense Competition Data: captured log files from the 2015 National Collegiate Cyber Defense Competition (nccdc.org). NCCDC is a multi-day competition that specifically focuses on the operational aspects of managing and protecting an existing "commercial" network infrastructure. Teams of undergraduate/graduate students are provided with a fully functional (but insecure) small business network that they must secure, maintain, and defend against a live Red Team. Teams must also respond to business tasks called "injects" throughout the competition. More metadata is provided as a text file accompanying the dataset data files. This is a good repository of known malicious and defensive activity.
Specific Research Goals
Research and identify novel approaches to distinguishing between different malicious actors.
Reduce false positives in the attribution process.
Develop new approaches for analyst practitioners who perform incident response and reporting.
Why is this Important?
"Warning: Adversary Attribution Isn't Easy, And It Can Be Dangerous. Misattribution can occur. It isn't always clear who is responsible for an attack because the lines between activists, state actors, and cybercriminals are blurry. Adversaries can use false flags to throw you off their trail. False flags are an example of counter-intelligence operations. A false flag is a component of tradecraft where an adversary adopts the TTPs of another threat actor to throw the defenders off the scent of the actual actor behind the attack or campaign. Proving that false flags are in use can be difficult, but you can expect that advanced adversaries will leverage them if needed."
Excerpts from "Know Your Adversary", Forrester Research whitepaper by Rick Holland, dated November 3, 2014
Why is this Important? (cont.)
"Given that attribution of one malware asset could lead to attribution of other missions and the revelation of a given actor (cascading attribution), the art of misattribution rises in importance."
Paller, Alan, Ed Skoudis, Johannes Ullrich. "The Five Most Dangerous New Attack Techniques and What's Coming Next", SANS Technology Institute presentation, RSA Conference 2013
"The risk of missed attribution, missed calculation and escalation in cyberspace are very real. As a government, any action we take in cyberspace must be considered against its possible foreign policy implications and our desire to establish international norms of acceptable behavior in cyberspace. We don't want our response to something that's annoying to harm our relationship with other nations, or worse yet, result in a physical conflict."
White House Cybersecurity Coordinator Michael Daniel (2013), quoted in The Hill article "White House debating actions to retaliate against foreign cyberattacks" by Jennifer Martinez, February 28, 2013
Why is this Important? (cont.)
"... ambiguity in cyberspace elevates the risk that a significant cyber event amid a geopolitical crisis will be misattributed or misperceived, prompting a disproportionate response or unnecessary expansion of the conflict. Such an escalation would impair the United States' prominent role and interest in global security and its commitment to international law."
Brake, Benjamin. "Strategic Risks of Ambiguity in Cyberspace", Council on Foreign Relations, Contingency Planning Memorandum No. 24, dated May 15, 2015
General Panel Questions
What is your proposed research approach or technique to address the problem?
What is your success to date in using real data, such as the National Collegiate Cyber Defense Exercise (NCCD) dataset, to demonstrate your approach?
What are your next steps?
If you are currently engaged in attribution activities, what are your experiences?
What were your experiences with PREDICT?