2. www.securitytodayinfo.com
About Me
• Attack Analysis Scientist, Multisource Cyber Intelligence Analyst, & Sci-Fi Geek
• Veteran – US Navy Cryptology Community
• Former Lockheed Martin Senior Fellow
• Former member UK Cybercrime Experts Working Group (UK Govt CSOC / OCSIA)
4. Science of Security (SoS)
• The Science of Security term has been around since 2010, when an independent science and technology advisory committee for the U.S. Department of Defense concluded there is a science of (cyber) security discipline.
• The following year, 2011, the White House released “Trustworthy Cyberspace: Strategic Plan For The Federal Cybersecurity Research And Development Program”, formally establishing the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal cybersecurity R&D programs.
• A cyber security scientist, in a broad sense, is one engaging in a systematic activity to acquire and organize knowledge in the cyber security domain.
5. SoS – Core Themes
• In 2011 Canada, United States, and United Kingdom established 7 core, inter-related themes that make up the Science of Security domain.
[Diagram: SoS surrounded by its seven core themes]
• Attack Analysis
• Common Language
• Core Principles
• Measurable Security
• Agility
• Risk
• Human Factors
6. Cyber Ecosystem
• Ecosystem is defined as “a community of living organisms in conjunction with the nonliving components of their environment, interacting as a system”.
• DHS defines a cyber ecosystem as: “Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communication technologies) – that interact for multiple purposes.”
[Diagram: People, Processes, Technology]
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
13. Cyber Ecosystem w/ Terrain
[Diagram: the cyber ecosystem layers, grouped into Technology / Cyber Terrain, People, and Processes / TTPs]
• Persona Layer
• Software App Layer
• Operating System Layer
• Machine Language Layer
• Logical Layers – Communications Ports & Protocols
• Physical Layer
• Geographic Layer
• Organization Layer
• Government Layer
14. Cyber Attack Lifecycle
“Use a cyber attack lifecycle as a framework for observing and understanding an adversary’s actions and for defining an active defense strategy that makes effective use of information available through both internal and external sources throughout the lifecycle.”
Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain
Cyber Attack Lifecycle from: http://www.mitre.org/publications/technical-papers/cyber-resiliency-and-nist-special-publication-800-53-rev4-controls
Key recommendation from NIST Guide To Cyber Threat Information Sharing (DRAFT)
http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
15. Cyber Ecosystem Attack Analysis
[Diagram: the cyber ecosystem layers drawn twice, once for the Threat Actor’s cyber offense ecosystem (Offense) and once for the Defender’s cyber defense ecosystem (Defense), with the attack lifecycle stages running between them]
• Layers on each side: Persona Layer; Software App Layer; Operating System Layer; Machine Language Layer; Logical Layers – Communications Ports & Protocols; Physical Layer; Geographic Layer; Organization Layer; Government Layer
• Groupings: Technology / Cyber Terrain; Processes / TTPs; People (Threat Actors on the offense side, Defenders on the defense side)
• Offense side: Threat Actor’s use of technology and observable technical indicators; Threat Actor’s Modus Operandi (Methods of Operation)
• Defense side: Defender’s technology based mitigations and countermeasures; Defender’s process based mitigations and countermeasures
Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain
• Threat Intelligence is based on analysis of the Threat Actor’s Cyber Offense Ecosystem.
• Active Defense is based on analysis of the Defender’s Cyber Defense Ecosystem.
• Offense informs Defense.
16. Boyd Cycle / OODA Loop
• Decision cycle developed by USAF Colonel John Boyd, who applied it to combat operations. Often applied to understand commercial operations and learning processes.
http://en.wikipedia.org/wiki/OODA_loop
17. Threat Intelligence Method
1. Observe – Observe each stage of the attack; collect and process available data and information about the attack for each layer of the cyber ecosystem.
2. Orient – Analyze and synthesize the attack data and information for each stage and layer. Orient on the Threat Actor’s methods of operation and use of technology to identify observable indicators in the attack data for each stage across one or more layers of the cyber ecosystem.
3. Decide – Based on the Threat Actor’s modus operandi, identify observables and indicators, and decide if this attack is from a new threat actor or if the attack is part of a larger campaign. Produce a threat intelligence report.
4. Act – Disseminate the threat intelligence report.
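The four steps above, carried through as a small worked example. This is added illustration code, not code from the presentation or its author: the lifecycle stage names and ecosystem layer names are taken from the deck, while the observables, the catalogue of known campaigns, and the attribution thresholds (`min_matches`, `min_stages`) are constructed assumptions for the example.

```python
"""Observe / Orient / Decide / Act over one attack's observables.

Added example (not from the original deck). Stage and layer names follow the
deck; ATTACK, KNOWN_CAMPAIGNS and the thresholds are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Cyber attack lifecycle stages and cyber ecosystem layers, as named in the deck.
STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain"]
LAYERS = ["Persona", "Software App", "Operating System", "Machine Language",
          "Logical", "Physical", "Geographic", "Organization", "Government"]


@dataclass(frozen=True)
class Observable:
    stage: str   # lifecycle stage in which it was observed
    layer: str   # ecosystem layer it belongs to
    kind: str    # indicator type, e.g. "sender-address", "c2-domain"
    value: str

    def __post_init__(self):
        if self.stage not in STAGES or self.layer not in LAYERS:
            raise ValueError(f"unknown stage/layer: {self.stage}/{self.layer}")


# Observe: constructed observations from one attack, each tagged with the
# stage it was seen in and the layer it belongs to.
ATTACK = [
    Observable("Deliver", "Persona", "sender-address", "hr-payroll@example.invalid"),
    Observable("Deliver", "Software App", "attachment-name", "payroll_update.doc"),
    Observable("Exploit", "Software App", "macro-hash", "sha256:constructed-aaaa"),
    Observable("Control", "Logical", "c2-domain", "update.example.invalid"),
    Observable("Control", "Geographic", "c2-country", "XX"),
    Observable("Maintain", "Operating System", "persistence", "run-key:svcupd"),
]

# Constructed catalogue of indicators previously attributed to campaigns.
KNOWN_CAMPAIGNS = {
    "Campaign-A": {
        Observable("Deliver", "Software App", "attachment-name", "payroll_update.doc"),
        Observable("Control", "Logical", "c2-domain", "update.example.invalid"),
        Observable("Maintain", "Operating System", "persistence", "run-key:svcupd"),
    },
    "Campaign-B": {
        Observable("Control", "Geographic", "c2-country", "XX"),
    },
}


def orient(observations):
    """Orient: index observables by (stage, layer) so the analyst can see which
    stages have indicators on which layers."""
    matrix = defaultdict(list)
    for o in observations:
        matrix[(o.stage, o.layer)].append(o)
    return dict(matrix)


def stage_coverage(matrix):
    """How many distinct layers carry at least one observable, per stage."""
    cov = {s: 0 for s in STAGES}
    for (stage, _layer), obs in matrix.items():
        if obs:
            cov[stage] += 1
    return cov


def decide(observations, catalogue, min_matches=2, min_stages=2):
    """Decide: attribute to a known campaign only when enough observables overlap
    and the overlap spans more than one lifecycle stage; otherwise new actor."""
    seen = set(observations)
    best = None
    for name, indicators in catalogue.items():
        overlap = seen & indicators
        stages = {o.stage for o in overlap}
        if len(overlap) >= min_matches and len(stages) >= min_stages:
            score = (len(stages), len(overlap))
            if best is None or score > best[1]:
                best = (name, score, overlap)
    if best is None:
        return {"verdict": "new threat actor", "campaign": None, "matched": set()}
    return {"verdict": "part of campaign", "campaign": best[0], "matched": best[2]}


def act(decision, matrix):
    """Act: render the report to disseminate; '*' marks observables that matched."""
    lines = [f"Verdict: {decision['verdict']}"]
    if decision["campaign"]:
        lines.append(f"Campaign: {decision['campaign']}")
    for (stage, layer), obs in sorted(matrix.items(), key=lambda k: STAGES.index(k[0][0])):
        for o in obs:
            flag = "*" if o in decision["matched"] else " "
            lines.append(f"{flag} {stage:<9} {layer:<17} {o.kind}={o.value}")
    return lines


if __name__ == "__main__":
    m = orient(ATTACK)
    print("\n".join(act(decide(ATTACK, KNOWN_CAMPAIGNS), m)))
```

The Decide step deliberately requires overlap across more than one stage: a single shared indicator (here the C2 country shared with Campaign-B) is too weak to chain attacks into a campaign, which is the point of having observables at several stages and layers.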
19. PDCA – Plan Do Check Act
• Iterative four-step management method used in business for the control and continuous improvement of processes and products. AKA Deming circle/cycle/wheel, Shewhart cycle, or as seen in ISO 9001.
http://en.wikipedia.org/wiki/PDCA
20. Active Defense Method
1. Plan – Plan active defense courses of action based on threat intelligence for each stage of the Threat Actor’s attack; consider both technical and process based mitigations and countermeasures for each layer of the Defender’s cyber defense ecosystem.
2. Do – Implement the intelligence based courses of action to mitigate and counter the Threat Actor’s attack and to increase the defender’s resilience to future attacks by this threat actor.
3. Check – Measure the quality of the threat intelligence and effectiveness of the mitigations and countermeasures over time.
4. Act – Provide feedback on the quality of the threat intelligence and effectiveness of the mitigations and countermeasures; take action to continuously improve the security and resilience of the cyber ecosystem.
22. Cyber Ecosystem Attack Analysis Methodology
[Diagram: the cyber ecosystem layers drawn twice, once for the Threat Actor’s cyber offense ecosystem (Offense, driven by the Threat Intelligence Cycle) and once for the Defender’s cyber defense ecosystem (Defense, driven by the Active Defense Cycle), with the attack lifecycle stages running between them]
• Layers on each side: Persona Layer; Software App Layer; Operating System Layer; Machine Language Layer; Logical Layers – Communications Ports & Protocols; Physical Layer; Geographic Layer; Organization Layer; Government Layer
• Groupings: Technology / Cyber Terrain; Processes / TTPs; People (Threat Actors on the offense side, Defenders on the defense side)
• Offense side: Threat Actor’s use of technology and observable technical indicators; Threat Actor’s Modus Operandi (Methods of Operation)
• Defense side: Defender’s technology based mitigations and countermeasures; Defender’s process based mitigations and countermeasures
Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain
• Offense: Threat Intelligence Cycle
• Defense: Active Defense Cycle
23. Benefits
• Takes a more holistic approach by considering the attack across both the Threat Actor’s cyber offense ecosystem and the Defender’s defense ecosystem.
• Enables the Defender to better identify, chain, and track Threat Actors and Campaigns over time.
• Enables a more resilient cyber defense ecosystem by having multiple observable indicators for each stage of attack across different layers of the ecosystem.
• Costs the Threat Actor considerably more to defeat layered, intelligence based mitigations and countermeasures.
25. Summary
• Following this methodology will reduce the defender’s cost per attack while increasing the threat actor’s cost to overcome.
• Based on methods used by many organizations already – OSI Model, OODA Loop, and PDCA cycle.
• Maturing from a reactive, passive defense posture to a more proactive, active defense posture.