27 Nov 2013 Cyber defence CDE themed competition presentations

Centre for Defence Enterprise (CDE) Innovation Network. Themed competition launch - Cyber defence: securing against the insider threat.


  1. Room 1. Cyber Defence: Securing Against the Insider Threat. Centre for Defence Enterprise (CDE) themed competition, 29 November 2013. © Crown copyright 2013 Dstl
  2. Defence challenges in cyber security. © Crown Copyright Dstl 2011
  3. The threat, the risk
     • Increasing in complexity and scale
     • Diverse, asymmetric & symmetric
     • “Non-traditional” cyber threats
       – Electromagnetic attack
     • MOD’s business
       – Working in dangerous situations
       – An obvious target
  4. MOD networks
     • Large and varied
       – 70+ countries
       – 1200 UK sites
       – 800,000 IP addresses
       – 225,000 users
       – 95% is made up of 19 core systems with 1000 applications
     • Planned and ad hoc
     • Bought as a service
  5. Platforms and weapons
     • Increasingly cyber-enabled, connected platforms
     • Tighter integration with industry
     • Complex logistics and support
     • Supply-chain security
  6. “Strange and charmed” systems
     • Non-standard hardware, software and protocols
     • Legacy hardware, software and protocols
     • Low-bandwidth connectivity at the fringes
     • Outside the envelope of IA and cyber security
  7. Defence cyber S&T
  8. Defence cyber S&T programme
     • Part of national & MOD cyber programmes
     • £25m p/a and rising
     • Decision support
     • Operations
     • Situational awareness
     • Defence
     • Human factors
  9. The pipeline
     • Sponsoring research
       – Centre for Defence Enterprise (CDE)
       – Use of existing consortia
       – Shaping and co-sponsoring academic research
       – Commercial competitions
     • Assessing candidate technologies
       – Intelligent customer function
     • Test and evaluation
       – Testbed connected to MOD networks
  10. Future challenges
      • Scale and sophistication of threat
        – Situational awareness and defence
        – Big data
      • Pace of technical changes vs government
        – Domestic/professional co-existence, bring-your-own-device (BYOD)
        – Cloud
        – SMART
      • Defence-specific issues
        – Cyber in MOD’s mission
        – The “strange and charmed”
  11. Cyber Defence: Securing Against the Insider Threat. CDE themed competition – launch 27 Nov 2013. UK UNCLASSIFIED
  12. Cyber defence
      • Substantial efforts are focused on prevention of unauthorised access to systems or platforms
      • However, this does not prevent the potential abuse of legitimate credentials
        – Both illegitimate users of legitimate credentials and cyber insiders
  13. Insider threat
      • Employee activity (deliberate or accidental) is one of the main causes of internal IT security incidents that lead to the leakage of confidential corporate data (© BBC 2013)
      • Potential issues for MOD
        – Reputational damage
        – Political/diplomatic fallout
        – National security
  14. Aim of this CDE competition
      Dstl is looking for novel and innovative proof-of-concept tools and techniques to detect cyber insider threats or abuse of legitimate user credentials, utilising host-based solutions.
  15. Focus
      • Challenge is based on detecting anomalous behaviour
        – Utilising legitimate credentials
      • Three main aspects
        – Malware utilising legitimate credentials
        – Unauthorised personnel utilising legitimate credentials
        – Legitimate personnel utilising legitimate credentials
  16. Types of threat
      • Types of threat
        – Malware, individuals or groups
        – Permanent staff, temporary staff or contractors
        – May be deliberate, accidental or under the influence of a third party
      • Types of activities: espionage, sabotage, fraud, IP theft, accidental damage
      • Outcome is negative impact on confidentiality, availability and integrity of MOD data
  17. Anomalous behaviour
      • Includes that which is significantly different to the standard user behaviour for a given credential set
        – Especially that which increases the risk to the confidentiality, availability and integrity of MOD data
      • May only be obvious over time
        – Each individual action might be innocuous and within the user’s authorised scope of action
      • Need to consider the potential risk of actions and how this changes over time (cumulative risk)
  18. Insider threat
      • Users often go through five steps for malicious behaviour:
        1. Exploration
        2. Experimentation
        3. Exploitation
        4. Execution
        5. Escape/Evasion
      • Want to detect as early as possible
      • However, later attribution is still valuable
      [Chart: likelihood (0 to 1) of detection and of attribution plotted against time]
  19. Baseline behaviour
      • To spot changes in behaviour, a baseline is needed
        – Requires minimum burden
        – Learns regular patterns (diurnal, seasonal, familiarity, aging)
        – Ideally can account for changes of role (resulting in changed patterns)
        – Flags, and ideally prioritises, different types of anomalous behaviour for investigation and mitigation
        – Can account for variance in background behaviour
  20. Pattern of life baseline
      [Figure: weekly activity grid (columns M T W T F S S) for five example patterns: 1 Regular, 2 Deadline, 3 Remote, 4 Change host, 5 Deployed]
  21. Socio-technical indicators
      Including, but not limited to, aspects such as:
      • Experiences: forensic linguistics etc
      • Contextual: forensic authorship, structural semantic analysis etc
      • Behavioural: aspects of the interaction between the user and the host or platform
      • Physical: potential physical aspects of the user that can be tested and evaluated
  22. Socio-technical indicators
      Including, but not limited to, aspects such as:
      • Connectivity: levels of connectivity, location, bandwidth, access etc
      • Data access: is this consistent with role, are new data sources being sought, etc
      • Exploration: is the user exploring new areas unrelated to them, are they trying to access different hosts, seeking new (and unrelated) data sources etc
      • Storage & offload: is the user storing large quantities of data on the local host, are they trying to offload this etc
  23. Socio-technical methods
      Including, but not limited to, methods such as:
      • Heuristics: both behavioural and technical – can we forecast what abnormal looks like for the host?
      • AI/bots/neural networks: is it possible to train systems to identify anomalous behaviour?
      • Grid based/vector space/frequency analysis: what are the signals of insider threat? Can we identify the stages of activity?
      • Statistical algorithms: identifying weak signals within a noisy background – individual activities might be innocuous
  24. Socio-technical indicators
      • No single indicator is likely to give a complete picture
      • Suppliers need to identify relevant and complementary indicators that allow for detection of anomalous behaviour
        – Even when spread over a long time period
      • Indicators should allow for prioritisation of risk
        – Which activities are more likely to lead to serious impact to MOD digital assets?
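Slides 17 to 24 describe the detection approach only in words: a per-credential baseline of regular patterns, several complementary indicators weighted so that risk can be prioritised, and risk that accumulates over time because each action on its own may be innocuous. The Python below is an added example written for this transcript, not Dstl's code or any competition entrant's: it builds a pattern-of-life baseline from constructed host events, scores three of the slide 22 indicators (time of day, exploration of new hosts, storage volume), and carries a time-decayed cumulative risk per credential. The event fields, weights, decay constant and alert threshold are assumptions chosen to illustrate the slides, and a credential with no baseline at all is treated as maximally anomalous.

```python
"""Added example (not Dstl's or the competition's code): per-credential
pattern-of-life baseline, weighted socio-technical indicators and a
time-decayed cumulative risk. Input events are hypothetical endpoint-agent
records (credential, timestamp, host, bytes written to local storage)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import math

@dataclass(frozen=True)
class Event:
    cred: str        # credential set the action ran under
    ts: datetime
    host: str        # host the credential was used on
    bytes_out: int   # bytes written to local/removable storage (constructed field)

@dataclass
class Scored:
    cred: str
    ts: datetime
    indicators: dict      # indicator -> weighted contribution (non-zero only)
    event_score: float
    cumulative: float     # decayed cumulative risk for this credential
    alert: bool

# Prioritisation: indicators closer to a confidentiality impact weigh more (assumed weights).
WEIGHTS = {"time_of_day": 1.0, "exploration": 2.0, "storage_offload": 3.0}

def build_baseline(events):
    """Per credential: active (weekday, hour) slots, usual hosts, usual write volume."""
    by_cred = defaultdict(list)
    for e in events:
        by_cred[e.cred].append(e)
    baseline = {}
    for cred, evs in by_cred.items():
        mean = sum(e.bytes_out for e in evs) / len(evs)
        std = math.sqrt(sum((e.bytes_out - mean) ** 2 for e in evs) / len(evs))
        baseline[cred] = {"slots": {(e.ts.weekday(), e.ts.hour) for e in evs},
                          "hosts": {e.host for e in evs},
                          "mean": mean, "std": max(std, 1.0)}  # no /0 on constant volume
    return baseline

def score_event(baseline, e):
    """Raw 0..1 indicator scores for one event."""
    b = baseline.get(e.cred)
    if b is None:   # never seen while baselining: every indicator is maximal
        return {name: 1.0 for name in WEIGHTS}
    z = (e.bytes_out - b["mean"]) / b["std"]
    return {"time_of_day": 0.0 if (e.ts.weekday(), e.ts.hour) in b["slots"] else 1.0,
            "exploration": 0.0 if e.host in b["hosts"] else 1.0,
            # ramps from 0 at z=2 to 1 at z=4, so ordinary variance scores nothing
            "storage_offload": min(1.0, max(0.0, (z - 2.0) / 2.0))}

def run_detection(baseline, events, threshold=4.0, tau_days=7.0):
    """Score events in time order. Risk decays with time constant tau_days, so
    individually innocuous actions spread over days can still add up to an alert."""
    risk, last_seen, out = defaultdict(float), {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.cred in last_seen:
            dt_days = (e.ts - last_seen[e.cred]).total_seconds() / 86400.0
            risk[e.cred] *= math.exp(-dt_days / tau_days)
        last_seen[e.cred] = e.ts
        contrib = {k: v * WEIGHTS[k] for k, v in score_event(baseline, e).items() if v > 0}
        risk[e.cred] += sum(contrib.values())
        out.append(Scored(e.cred, e.ts, contrib, sum(contrib.values()),
                          risk[e.cred], risk[e.cred] >= threshold))
    return out

def constructed_training_events():
    """Constructed: four working weeks of 'alice' on one workstation, 09:00-16:00."""
    start, evs = datetime(2013, 11, 4), []   # a Monday
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for hour in range(9, 17):
            evs.append(Event("alice", d.replace(hour=hour), "ws-01",
                             1_000_000 + (len(evs) % 5) * 10_000))
    return evs

def constructed_test_events():
    """Constructed: a slow build-up over three nights, then an unknown credential."""
    return [Event("alice", datetime(2013, 12, 3, 10, 0), "ws-01", 1_010_000),            # normal
            Event("alice", datetime(2013, 12, 3, 23, 0), "ws-01", 1_000_000),            # late night
            Event("alice", datetime(2013, 12, 4, 23, 30), "srv-files-07", 1_000_000),    # new host
            Event("alice", datetime(2013, 12, 5, 23, 30), "srv-files-07", 400_000_000),  # bulk copy
            Event("unknown-user", datetime(2013, 12, 6, 9, 0), "ws-01", 1_000_000)]      # no baseline

if __name__ == "__main__":
    for r in run_detection(build_baseline(constructed_training_events()), constructed_test_events()):
        print(f"{r.ts:%a %H:%M} {r.cred:13} score={r.event_score:.1f} "
              f"cum={r.cumulative:.2f} {'ALERT' if r.alert else ''} {r.indicators}")
```

Run as written, the late-night logon alone and the first visit to the new host stay under the threshold, but the carried-over risk from those two nights plus the bulk write on the third night crosses it, which is the cumulative-risk point of slide 17; the unknown credential alerts immediately. The baseline here is static, so the role changes slide 19 mentions would need a re-baselining step this example does not include.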
  25. Host-based solution
      [Images: all images taken from the UK defence image database, © Crown copyright 2013]
  26. Different types of host
      • Inline host: analysis undertaken on an inline host sitting between the network and a platform (eg ship’s plant)
      • Host: analysis directly on the host itself
  27. Central analysis
      [Diagram: several hosts feeding a central analysis point]
      • Potential to perform some central analysis. However, solutions must perform a level of analysis on the host – cannot merely undertake full packet capture
  28. Testing concept demonstrators
      • Suppliers are expected to be able to demonstrate the benefits of their chosen approach
      • Data: suppliers need to have access to a suitable data source to test and refine their chosen approach, and must be able to demonstrate to Dstl why their data source is applicable
      • Metrics: suppliers need to choose appropriate metrics to demonstrate the benefits of their chosen approach; these must include computational burden, sensitivity and specificity
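Slide 28 names the metrics a demonstrator must report but does not show how they are derived. The Python below is an added example, not Dstl's or any supplier's code: it computes sensitivity and specificity from a constructed set of labelled detector scores, sweeps the alert threshold to expose the trade-off between the two, and times a scoring function per event as a crude measure of host-side computational burden. The scores, labels and thresholds are constructed for illustration and are not results from any real detector.

```python
"""Success metrics for a concept demonstrator: sensitivity, specificity and
computational burden over a constructed, labelled set of detector scores.
Added example, not Dstl's or any supplier's code; scores and labels are made up."""
import time

# Constructed (hypothetical) detector output: (risk score, truly malicious?).
# Most benign activity scores low, genuine insider activity scores high, and a
# few benign late-night or travel events sit awkwardly in between.
CONSTRUCTED_RESULTS = [
    (0.0, False), (0.2, False), (0.4, False), (0.9, False), (1.3, False),
    (1.8, False), (2.5, False), (3.9, False), (4.6, False), (6.2, False),
    (3.1, True), (4.4, True), (5.8, True), (7.3, True), (9.4, True),
]

def confusion(results, threshold):
    """(tp, fp, tn, fn) when every score at or above threshold is flagged."""
    tp = fp = tn = fn = 0
    for score, malicious in results:
        flagged = score >= threshold
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn

def sensitivity(tp, fn):
    """Share of genuinely malicious events that were flagged (true positive rate)."""
    return tp / (tp + fn) if tp + fn else 0.0

def specificity(tn, fp):
    """Share of benign events correctly left alone (true negative rate)."""
    return tn / (tn + fp) if tn + fp else 0.0

def threshold_sweep(results, thresholds):
    """Rows of (threshold, sensitivity, specificity): the trade-off an analyst tunes,
    since a lower threshold catches more insiders but raises the false-alarm rate."""
    rows = []
    for t in thresholds:
        tp, fp, tn, fn = confusion(results, t)
        rows.append((t, sensitivity(tp, fn), specificity(tn, fp)))
    return rows

def youden_best(rows):
    """Row maximising sensitivity + specificity - 1 (Youden's J); lower threshold wins ties."""
    return max(rows, key=lambda r: (r[1] + r[2], -r[0]))

def computational_burden(detector, events, repeats=3):
    """Best-of-N wall-clock microseconds per event for a host-side scoring function."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        for e in events:
            detector(e)
        best = min(best, time.perf_counter() - t0)
    return 1e6 * best / len(events)

if __name__ == "__main__":
    thresholds = [2.0, 3.0, 4.0, 5.0, 6.0]
    rows = threshold_sweep(CONSTRUCTED_RESULTS, thresholds)
    for t, sens, spec in rows:
        print(f"threshold {t:.1f}: sensitivity {sens:.2f}  specificity {spec:.2f}")
    print("best by Youden's J:", youden_best(rows))
    scores = [s for s, _ in CONSTRUCTED_RESULTS]
    print(f"burden: {computational_burden(lambda s: s >= 4.0, scores):.2f} us/event")
```

The sweep is the useful part for a proposal: a single sensitivity figure at one threshold says little, whereas the table shows what specificity (and so analyst workload) is given up to raise it. The burden figure only measures the scoring function; a real host-based demonstrator would also have to account for the cost of collecting the events.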
  29. What we want
      • Novel and innovative proof-of-concept demonstrators at Technology Readiness Level (TRL) 1-4
      • Success metrics for the approach
      • An initial test plan against relevant exemplar data
      • A development plan beyond the initial proof-of-concept phase
      • Solutions that consider the breadth of MOD hosts
  30. What we don’t want
      • Existing higher TRL solutions or network analysis tools
      • Proposals that:
        – Add substantial burden
        – Expand the threat surface
        – Force users to alter their behaviour
        – Do not include some form of demonstrator
        – Are proprietary black box solutions
  31. Levels of funding
      • Dstl have committed up to £1M of funding for the initial proof-of-concept demonstrators
      • No cap on the value of proposals
        – However more likely that a larger number of lower-value proposals (eg £50k - £150k) will be funded at this stage
      • Aiming for an initial demonstration within 3-5 months
      • Submissions via the CDE Portal: 17:00 Thursday 9 January 2014
  32. Every little helps...
      • Problem space is broad, complex and challenging
      • Requires interaction between physical and social sciences
      • Individual suppliers may only be able to provide a solution to part of the problem space
        – These pieces are still potentially of value
        – Networking and collaborating
      © Dstl 2013
  33. Technical questions: cybersecurityCDE@dstl.gov.uk. CDE questions: cde@dstl.gov.uk
  34. In conclusion
      • Opportunity!
      • Innovation
      • Demonstration
      • Focus
        – Host-based solutions
        – Abuse of legitimate credentials
        – “Strange and charmed”
      • Closing date - Thursday 9 January 2014 at 17:00 hrs!
