27 Nov 2013 Cyber defence CDE themed competition presentations

Room 1
Cyber Defence: Securing
Against the Insider Threat

Centre for Defence Enterprise (CDE)
themed competition
29 November 2013

© Crown copyright 2013 Dstl

Defence challenges in cyber security

© Crown Copyright Dstl 2011

The threat, the risk
• Increasing in complexity and scale
• Diverse, asymmetric & symmetric
• “Non-traditional” cyber threats
– Electromagnetic attack

• MOD’s business
– Working in dangerous situations

– An obvious target

29 November 2013


MOD networks
• Large and varied
– 70+ countries
– 1200 UK sites
– 800,000 IP addresses
– 225,000 users
– 95% is made up of 19 core systems with 1000 applications

• Planned and ad hoc
• Bought as a service

29 November 2013


Platforms and weapons
• Increasingly cyber-enabled,
connected platforms
• Tighter integration with industry
• Complex logistics and support

• Supply-chain security

29 November 2013


“Strange and charmed” systems
• Non-standard hardware, software
and protocols

• Legacy hardware, software and
protocols
• Low-bandwidth connectivity at the
fringes
• Outside the envelope of IA and cyber
security
29 November 2013


Defence cyber S&T


Defence cyber S&T programme
• Part of national & MOD cyber programmes
• £25m p/a and rising

• Decision support
• Operations
• Situational awareness

• Defence
• Human factors

29 November 2013


The pipeline
• Sponsoring research
– Centre for Defence Enterprise (CDE)
– Use of existing consortia
– Shaping and co-sponsoring academic research
– Commercial competitions

• Assessing candidate technologies
– Intelligent customer function

• Test and evaluation
– Testbed connected to MOD networks

29 November 2013


Future challenges
• Scale and sophistication of threat
– Situational awareness and defence
– Big data

• Pace of technical changes vs government
– Domestic/professional co-existence, bring-your-own-device (BYOD)
– Cloud
– SMART

• Defence-specific issues
– Cyber in MOD’s mission
– The “strange and charmed”


Cyber Defence: Securing Against the
Insider Threat
CDE themed competition – launch 27 Nov 2013

29 November 2013


UK UNCLASSIFIED

Cyber defence
• Substantial efforts are focused on
prevention of unauthorised
access to systems or platforms
• However, this does not prevent
the potential abuse of legitimate
credentials
– Both illegitimate users of legitimate
credentials and cyber insiders

29 November 2013


UK UNCLASSIFIED

Insider threat
• Employee activity (deliberate or accidental)
is one of the main causes of internal IT
security incidents that lead to the leakage of
confidential corporate data
• Potential issues for MOD
– Reputational damage
– Political/diplomatic fallout

– National security
© BBC 2013
29 November 2013


UK UNCLASSIFIED

Aim of this CDE competition

Dstl is looking for novel and innovative proofof-concept tools and techniques to detect
cyber insider threats or abuse of legitimate
user credentials, utilising host-based solutions

29 November 2013


UK UNCLASSIFIED

Focus
• Challenge is based on
detecting anomalous
behaviour
– Utilising legitimate
credentials

Malware utilising
legitimate credentials

Unauthorised
personnel utilising
legitimate credentials

• Three main aspects
– Malware
– Unauthorised personnel
– Legitimate personnel

29 November 2013


UK UNCLASSIFIED

Legitimate personnel
utilising legitimate
credentials

Types of threat
• Malware, individuals or
groups

Types of activities

• Permanent staff, temporary
staff or contractors
• May be deliberate,
accidental or under the
influence of a third party

Espionage

Sabotage

Fraud
IP Theft

Accidental damage

Outcome is negative impact on confidentiality,
availability and integrity of MOD data
29 November 2013


UK UNCLASSIFIED

Anomalous behaviour
• Includes that which is significantly different to the
standard user behaviour for a given credential set
– Especially that which increases the risk to the confidentiality,
availability and integrity of MOD data

• May only be obvious over time
– Each individual action might be innocuous and within the
users authorised scope of action

• Need to consider the potential risk of actions and how
this changes over time (cumulative risk)
29 November 2013


UK UNCLASSIFIED

Insider threat
• Users often go through
five steps for malicious
behaviour

• However, later attribution
is still valuable

1. Exploration

1

Detection

2. Experimentation
0.75

Likelihood

3. Exploitation
4. Execution
5. Escape/Evasion


Attribution

0.25

• Want to detect as early
as possible
29 November 2013

0.5

0

UK UNCLASSIFIED

Time

Baseline behaviour
• To spot changes in behaviour, a baseline is needed
– Requires minimum burden
– Learns regular patterns (diurnal, seasonal, familiarity, aging)
– Ideally can account for changes of role (resulting in changed
patterns)
– Flags, and ideally prioritises, different types of anomalous
behaviour for investigation and mitigation
– Can account for variance in background behaviour

29 November 2013


UK UNCLASSIFIED

Pattern of life baseline
M

T

W

T

F

S

S

1

Regular

2

Deadline

3

Remote

4

Change Host

5

Deployed

29 November 2013


UK UNCLASSIFIED

Socio-technical indicators
Including, but not limited to, aspects such as:
Experiences

Forensic linguistics etc

Contextual

Forensic authorship, structural semantic
analysis etc

Behavioural

Aspects of the interaction between the
user and the host or platform

Physical

Potential physical aspects of the user
that can be tested and evaluated

29 November 2013


UK UNCLASSIFIED

Socio-technical Indicators
Including, but not limited to, aspects such as:
Connectivity

Levels of connectivity, location, bandwidth, access
etc

Data access

Is this consistent with role, are new data sources
being sought, etc

Exploration
Storage & offload

29 November 2013


Is the user exploring new areas unrelated to them,
are they trying to access different hosts, seeking
new (and unrelated) data sources etc
Is the user storing large quantities of data on the
local host, are they trying to offload this etc

UK UNCLASSIFIED

Socio-technical methods
Including, but not limited to, methods such as:
Heuristics

Al/Bots/Neural Networks
Grid Based/Vector
Space/Frequency
Analysis
Statistical Algorithms

29 November 2013


Both behavioural and technical – can we
forecast what abnormal looks like for the host?
Is it possible to train systems to identify
anomalous behaviour?
What are the signals of insider threat? Can we
identify the stages of activity?
Identifying weak signals within a noisy
background – individual activities might be
innocuous

UK UNCLASSIFIED

Socio-technical indicators
• No single indicator is likely to give a complete picture
• Suppliers need to indentify relevant and
complementary indicators that allow for detection of
anomalous behaviour
– Even when spread over a long time period

• Indicators should allow for prioritisation of risk
– Which activities are more likely to lead to serious impact to
MOD digital assets?

29 November 2013


UK UNCLASSIFIED

Different types of host
Analysis undertaken
on an inline host

Analysis directly on
the host itself

Inline Host

Platform
(eg ship’s plant)

Host

29 November 2013


UK UNCLASSIFIED

Central analysis
Central analysis

Host

Host

Host

Host

Potential to perform some central analysis. However, solutions must perform a

level of analysis on the host – cannot merely undertake full packet capture

29 November 2013


UK UNCLASSIFIED

Testing concept demonstrators
• Suppliers are expected to be able to demonstrate the
benefits of their chosen approach

Data

Metrics

Suppliers need to have access to a
suitable data source to test and refine
their choice approach

Suppliers need to choose appropriate
metrics to demonstrate the benefits of
their chosen approach

Must be able to demonstrate to Dstl
why their data source is applicable

Must include computational burden,
sensitivity and specificity

29 November 2013


UK UNCLASSIFIED

What we want
• Novel and innovative proof-of-concept demonstrators
at Technology Readiness Level (TRL) 1-4

• Success metrics for the approach
• An initial test plan against relevant exemplar data
• A development plan beyond the initial proof-ofconcept phase
• Solutions that consider the breadth of MOD hosts

29 November 2013


UK UNCLASSIFIED

What we don’t want
• Existing higher TRL solutions or network analysis
tools

• Proposals that:
– Add substantial burden
– Expand the threat surface

– Force users to alter their behaviour
– Do not include some form of demonstrator
– Are proprietary black box solutions

29 November 2013


UK UNCLASSIFIED

Levels of funding
• Dstl have committed up to £1M of funding for the
initial proof-of-concept demonstrators

• No cap on the value of proposals
– However more likely that a larger number of lower-value
proposals (eg £50k - £150k) will be funded at this stage

• Aiming for an initial demonstration within 3-5 months

Submissions via the CDE Portal
17:00 Thursday 9 January 2014
29 November 2013


UK UNCLASSIFIED

Every little helps...
• Problem space is broad, complex
and challenging

• Requires interaction between
physical and social sciences
• Individual suppliers may only be able
to provide a solution to part of the
problem space
– These pieces are still potentially of value

– Networking and collaborating
29 November 2013


UK UNCLASSIFIED

© Dstl 2013

• Technical questions
cybersecurityCDE@dstl.gov.uk
• CDE questions
cde@dstl.gov.uk

29 November 2013


UK UNCLASSIFIED

In conclusion
• Opportunity!
• Innovation
• Demonstration
• Focus
– Host-based solutions
– Abuse of legitimate credentials
– “Strange and charmed”

• Closing date - Thursday 9 January 2014 at 17:00 hrs!

29 November 2013


27 Nov 2013 Cyber defence CDE themed competition presentations

More Related Content

What's hot

Similar to 27 Nov 2013 Cyber defence CDE themed competition presentations

More from Defence and Security Accelerator

Recently uploaded

27 Nov 2013 Cyber defence CDE themed competition presentations