Collaborative Threat Mitigation
or
(Collective Self Defense)

DOE’s Cyber Fed Model (CFM)

Scott Pinkerton
pinkerton@anl.gov
www.anl.gov/it/cfm

Agenda
§  What is DOE’s Cyber Fed Model
§  Subscription vs. participation
§  Relevance & ROI
§  Why are we here?
§  Conclusions & Takeaways
§  Questions

Tech for Security Summit

Cyber Fed Model (CFM) is …
§  A near real-time exchange of cyber threat information focused on the reduction and mitigation of cyber security risk across large enterprises
  –  Typically every 300 seconds
  –  Actionable – blocking
  –  Autonomic
  –  Highly scalable

Structured Threat Information
§  Information shared uses an XML syntax
  –  Based upon IODEF (RFC 5070)
  –  Looking to support OpenIOC formats in the future for sharing malware information
§  Information focuses on IP, DNS, URL, e-mail, hash strings

How Cyber Fed Model (CFM) Works
§  High level: client-server data exchange
§  Reality: central repositories providing access via web service
  –  Sites control who can see the data they upload (by PGP key)
  –  Sites decide how to use data they download
§  Repository accepts encrypted files on upload
  –  Contents may be any format
  –  Simply export from a third party tool, encrypt, and upload
§  Output comes in standardized XML format
  –  Allows for predictability
  –  Converters can translate to another format
  –  Scripts can convert and send to other tools inline
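The slide above says scripts can convert the standardized XML output and feed it to other tools inline, and a later slide warns that blocking the wrong thing is highly disruptive. As an added example (not CFM's own code), this Python converts a constructed IODEF 1.0 (RFC 5070) document of the kind the deck describes into a firewall blocklist, skipping anything that overlaps the downloading site's own address space; the element names follow RFC 5070, while the sample document, indicator values and allowlist are constructed here.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}

# Constructed IODEF 1.0 sample: one incident whose source Node carries an IPv4
# address, an IPv4 network, a DNS name, an e-mail address, and one address that
# falls inside the downloading site's own space (10.0.0.5).
SAMPLE_IODEF = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="example-site">constructed-0001</IncidentID>
    <ReportTime>2013-01-01T00:00:00-00:00</ReportTime>
    <Assessment><Impact type="recon" completion="failed"/></Assessment>
    <EventData><Flow><System category="source"><Node>
      <NodeName>scanner.example.net</NodeName>
      <Address category="ipv4-addr">203.0.113.10</Address>
      <Address category="ipv4-net">198.51.100.0/24</Address>
      <Address category="ipv4-addr">10.0.0.5</Address>
      <Address category="e-mail">phish@example.org</Address>
    </Node></System></Flow></EventData>
  </Incident>
</IODEF-Document>"""

# Constructed: address space this site must never block (its own ranges).
LOCAL_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def extract_indicators(xml_text):
    """Pull IP/net, DNS and e-mail indicators from every source System."""
    root = ET.fromstring(xml_text)
    out = {"ip": [], "dns": [], "email": []}
    for node in root.findall(".//iodef:System[@category='source']/iodef:Node", NS):
        for name in node.findall("iodef:NodeName", NS):
            out["dns"].append(name.text.strip())
        for addr in node.findall("iodef:Address", NS):
            category, value = addr.get("category"), addr.text.strip()
            if category in ("ipv4-addr", "ipv4-net", "ipv6-addr", "ipv6-net"):
                out["ip"].append(value)
            elif category == "e-mail":
                out["email"].append(value)
    return out


def build_blocklist(ips, allowlist=LOCAL_ALLOWLIST):
    """Return (blocked, skipped); anything overlapping the allowlist is skipped."""
    blocked, skipped = [], []
    for value in ips:
        net = ipaddress.ip_network(value, strict=False)  # "a.b.c.d" becomes /32
        (skipped if any(net.overlaps(a) for a in allowlist) else blocked).append(str(net))
    return blocked, skipped
```

The blocked list is what a converter would hand to the firewall every 300-second cycle; the skipped list is what an operator should review, since an indicator inside your own space is either a false positive or a compromised internal host.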
  
High Level Architecture

Cyber Fed Model (CFM) maximizes local resources
§  Premise based on the idea of local detection and global response
§  Enables an enterprise to focus their limited resources on their most pressing problems
  –  Attacks that are occurring on their infrastructure and nowhere else

Effective Cyber Security Defense for an Enterprise
§  It continues to be a hard job
§  Doubly so for those supporting critical infrastructure
§  Doesn’t appear to be getting any easier; mostly harder
§  Increasing skill & sophistication of the bad guys; commodity hacking tools

DOE’s Cyber Fed Model is not …
§  Optimized for analysis (the transfer of “raw” data)
§  Focused on OS or application advisories (vulnerabilities)
§  Sandboxing or other
§  Shared alerts require someone to first detect the threat

Subscription vs. Active Participation
§  Can you just subscribe to a “feed” of hostile IP addresses and just download them?
  –  Sure, there are a growing number of “reputational” subscription services
  –  But will they be RELEVANT to you – assuming none of the energy owner/operators are contributors

[Diagram labels: IP’s exploiting MS problem du jour; IP’s exploiting Adobe problem du jour; IP’s sending spam e-mail farming for username/PW; IP’s sending spam e-mail farming for bank account; IP’s probing for ssh servers; IP’s looking to attack the Energy Infra.]

Volume of Information

Benefit: Relevance & ROI

We know collaboration is hard
§  Every organization is a snowflake
  –  B2B/collaborations vary
  –  Blocking the wrong thing can be highly disruptive
§  Legal agreements are tricky
  –  Definitions of terms can vary
    •  What does MOU mean to you? ISA? ToS? etc.
§  Attribution and disclosure concerns
§  Attack vectors change

Why are we here?
§  We believe ...
  –  Cyber threats to critical infrastructure exist
  –  Collaboration and collective defense are essential
  –  DOE Cyber Fed Model (CFM) can be part of the solution
§  We want to ...
  –  Help protect our country’s critical infrastructure
  –  Begin a pilot to assess efficacy in electric sector
  –  See threat overlap between electric sector and DOE
§  We have ...
  –  DOE labs willing to share – public-private sector partnership
  –  Electric sector entities which have expressed interest
  –  Experience in collective defense

Conclusions & Takeaways
§  Common adversaries exist and are active
§  Collaboration will be key to future cyber defense
§  The DOE Cyber Fed Model (CFM) provides collective defense in a flexible, site-controlled manner
§  CFM can help maximize your cyber security resources

Questions?
www.anl.gov/it/cfm


Collaborative Threat Mitigation or (Collective Self Defense) by Scott Pinkerton, Argonne National Lab