Más contenido relacionado
La actualidad más candente (7)
Similar a 27 Nov 2013 Cyber defence CDE themed competition presentations (20)
Más de Defence and Security Accelerator (20)
27 Nov 2013 Cyber defence CDE themed competition presentations
- 1. Room 1
Cyber Defence: Securing
Against the Insider Threat
Centre for Defence Enterprise (CDE)
themed competition
29 November 2013
© Crown copyright 2013 Dstl
- 3. The threat, the risk
• Increasing in complexity and scale
• Diverse, asymmetric & symmetric
• “Non-traditional” cyber threats
– Electromagnetic attack
• MOD’s business
– Working in dangerous situations
– An obvious target
29 November 2013
© Crown copyright 2013 Dstl
- 4. MOD networks
• Large and varied
– 70+ countries
– 1200 UK sites
– 800,000 IP addresses
– 225,000 users
– 95% is made up of 19 core systems with 1000 applications
• Planned and ad hoc
• Bought as a service
29 November 2013
© Crown copyright 2013 Dstl
- 5. Platforms and weapons
• Increasingly cyber-enabled,
connected platforms
• Tighter integration with industry
• Complex logistics and support
• Supply-chain security
29 November 2013
© Crown copyright 2013 Dstl
- 6. “Strange and charmed” systems
• Non-standard hardware, software
and protocols
• Legacy hardware, software and
protocols
• Low-bandwidth connectivity at the
fringes
• Outside the envelope of IA and cyber
security
29 November 2013
© Crown copyright 2013 Dstl
- 8. Defence cyber S&T programme
• Part of national & MOD cyber programmes
• £25m p/a and rising
• Decision support
• Operations
• Situational awareness
• Defence
• Human factors
29 November 2013
© Crown copyright 2013 Dstl
- 9. The pipeline
• Sponsoring research
– Centre for Defence Enterprise (CDE)
– Use of existing consortia
– Shaping and co-sponsoring academic research
– Commercial competitions
• Assessing candidate technologies
– Intelligent customer function
• Test and evaluation
– Testbed connected to MOD networks
29 November 2013
© Crown copyright 2013 Dstl
- 10. Future challenges
• Scale and sophistication of threat
– Situational awareness and defence
– Big data
• Pace of technical changes vs government
– Domestic/professional co-existence, bring-your-own-device (BYOD)
– Cloud
– SMART
• Defence-specific issues
– Cyber in MOD’s mission
– The “strange and charmed”
© Crown Copyright Dstl 2011
- 11. Cyber Defence: Securing Against the
Insider Threat
CDE themed competition – launch 27 Nov 2013
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 12. Cyber defence
• Substantial efforts are focused on
prevention of unauthorised
access to systems or platforms
• However, this does not prevent
the potential abuse of legitimate
credentials
– Both illegitimate users of legitimate
credentials and cyber insiders
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 13. Insider threat
• Employee activity (deliberate or accidental)
is one of the main causes of internal IT
security incidents that lead to the leakage of
confidential corporate data
• Potential issues for MOD
– Reputational damage
– Political/diplomatic fallout
– National security
© BBC 2013
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 14. Aim of this CDE competition
Dstl is looking for novel and innovative proofof-concept tools and techniques to detect
cyber insider threats or abuse of legitimate
user credentials, utilising host-based solutions
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 15. Focus
• Challenge is based on
detecting anomalous
behaviour
– Utilising legitimate
credentials
Malware utilising
legitimate credentials
Unauthorised
personnel utilising
legitimate credentials
• Three main aspects
– Malware
– Unauthorised personnel
– Legitimate personnel
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
Legitimate personnel
utilising legitimate
credentials
- 16. Types of threat
• Malware, individuals or
groups
Types of activities
• Permanent staff, temporary
staff or contractors
• May be deliberate,
accidental or under the
influence of a third party
Espionage
Sabotage
Fraud
IP Theft
Accidental damage
Outcome is negative impact on confidentiality,
availability and integrity of MOD data
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 17. Anomalous behaviour
• Includes that which is significantly different to the
standard user behaviour for a given credential set
– Especially that which increases the risk to the confidentiality,
availability and integrity of MOD data
• May only be obvious over time
– Each individual action might be innocuous and within the
users authorised scope of action
• Need to consider the potential risk of actions and how
this changes over time (cumulative risk)
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 18. Insider threat
• Users often go through
five steps for malicious
behaviour
• However, later attribution
is still valuable
1. Exploration
1
Detection
2. Experimentation
0.75
Likelihood
3. Exploitation
4. Execution
5. Escape/Evasion
© Crown copyright 2013 Dstl
Attribution
0.25
• Want to detect as early
as possible
29 November 2013
0.5
0
UK UNCLASSIFIED
Time
- 19. Baseline behaviour
• To spot changes in behaviour, a baseline is needed
– Requires minimum burden
– Learns regular patterns (diurnal, seasonal, familiarity, aging)
– Ideally can account for changes of role (resulting in changed
patterns)
– Flags, and ideally prioritises, different types of anomalous
behaviour for investigation and mitigation
– Can account for variance in background behaviour
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 20. Pattern of life baseline
M
T
W
T
F
S
S
1
Regular
2
Deadline
3
Remote
4
Change Host
5
Deployed
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 21. Socio-technical indicators
Including, but not limited to, aspects such as:
Experiences
Forensic linguistics etc
Contextual
Forensic authorship, structural semantic
analysis etc
Behavioural
Aspects of the interaction between the
user and the host or platform
Physical
Potential physical aspects of the user
that can be tested and evaluated
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 22. Socio-technical Indicators
Including, but not limited to, aspects such as:
Connectivity
Levels of connectivity, location, bandwidth, access
etc
Data access
Is this consistent with role, are new data sources
being sought, etc
Exploration
Storage & offload
29 November 2013
© Crown copyright 2013 Dstl
Is the user exploring new areas unrelated to them,
are they trying to access different hosts, seeking
new (and unrelated) data sources etc
Is the user storing large quantities of data on the
local host, are they trying to offload this etc
UK UNCLASSIFIED
- 23. Socio-technical methods
Including, but not limited to, methods such as:
Heuristics
Al/Bots/Neural Networks
Grid Based/Vector
Space/Frequency
Analysis
Statistical Algorithms
29 November 2013
© Crown copyright 2013 Dstl
Both behavioural and technical – can we
forecast what abnormal looks like for the host?
Is it possible to train systems to identify
anomalous behaviour?
What are the signals of insider threat? Can we
identify the stages of activity?
Identifying weak signals within a noisy
background – individual activities might be
innocuous
UK UNCLASSIFIED
- 24. Socio-technical indicators
• No single indicator is likely to give a complete picture
• Suppliers need to indentify relevant and
complementary indicators that allow for detection of
anomalous behaviour
– Even when spread over a long time period
• Indicators should allow for prioritisation of risk
– Which activities are more likely to lead to serious impact to
MOD digital assets?
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 25. Host-based solution
29 November 2013
All images taken from theUK UNCLASSIFIED
defence image database © Crown copyright 2013
© Crown copyright 2013 Dstl
- 26. Different types of host
Analysis undertaken
on an inline host
Analysis directly on
the host itself
Inline Host
Platform
(eg ship’s plant)
Host
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 28. Testing concept demonstrators
• Suppliers are expected to be able to demonstrate the
benefits of their chosen approach
Data
Metrics
Suppliers need to have access to a
suitable data source to test and refine
their choice approach
Suppliers need to choose appropriate
metrics to demonstrate the benefits of
their chosen approach
Must be able to demonstrate to Dstl
why their data source is applicable
Must include computational burden,
sensitivity and specificity
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 29. What we want
• Novel and innovative proof-of-concept demonstrators
at Technology Readiness Level (TRL) 1-4
• Success metrics for the approach
• An initial test plan against relevant exemplar data
• A development plan beyond the initial proof-ofconcept phase
• Solutions that consider the breadth of MOD hosts
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 30. What we don’t want
• Existing higher TRL solutions or network analysis
tools
• Proposals that:
– Add substantial burden
– Expand the threat surface
– Force users to alter their behaviour
– Do not include some form of demonstrator
– Are proprietary black box solutions
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 31. Levels of funding
• Dstl have committed up to £1M of funding for the
initial proof-of-concept demonstrators
• No cap on the value of proposals
– However more likely that a larger number of lower-value
proposals (eg £50k - £150k) will be funded at this stage
• Aiming for an initial demonstration within 3-5 months
Submissions via the CDE Portal
17:00 Thursday 9 January 2014
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
- 32. Every little helps...
• Problem space is broad, complex
and challenging
• Requires interaction between
physical and social sciences
• Individual suppliers may only be able
to provide a solution to part of the
problem space
– These pieces are still potentially of value
– Networking and collaborating
29 November 2013
© Crown copyright 2013 Dstl
UK UNCLASSIFIED
© Dstl 2013
- 34. In conclusion
• Opportunity!
• Innovation
• Demonstration
• Focus
– Host-based solutions
– Abuse of legitimate credentials
– “Strange and charmed”
• Closing date - Thursday 9 January 2014 at 17:00 hrs!
29 November 2013
© Crown copyright 2013 Dstl