Future OE Mission Command and Future OE Decision Cycles

Enormous commercial, academic, and governmental resources are being expended to build machines which can autonomously assist humans in a variety of complex tasks (e.g., drive cars, fly aircraft, engage targets, manage distributed operations). This post asserts that the technologies being developed and deployed by these efforts will eventually force future mission command capabilities to include abilities to detect, analyze, and react to man-machine interface deception / surprise events at all echelons of command. The need for these new / improved decision support capabilities will be driven by the challenges of creating accurate Intelligence, Surveillance, and Reconnaissance (ISR) estimates while encountering increased deception / surprise technologies. These deception technologies are appearing at every echelon of mission command and are being driven, in part, by the ongoing commercial integration of the international network of Information Technology (IT) systems and the international network of Operational Technology (OT) systems. A lesson learned from the use of the Stuxnet malware to cause Iranian centrifuges to self-destruct is that malware can be used to achieve tactical surprise of human operators. The centrifuge control man-machine interface was exploited to deceive human operators concerning the true state of the autonomous control system as the machines were being commanded to destroy themselves. The Iranian operators were unaware for a lengthy period that they were being deceived by their monitoring software and they were surprised when they discovered the extent of the damage to the centrifuges. The centrifuge-control, man-machine interface was informing the human operators that everything was proceeding as commanded when in fact the machines were shaking themselves apart. It is apparent from many recent events/results that similar outcomes are now possible at each echelon of command (individual deception outcomes at the “tip of the spear,” as well as tactical surprise outcomes, operational surprise outcomes, and strategic surprise outcomes). This note provides a summary of some results in achieving distributed state estimation and control of complex, networked systems. This post asserts that a wide variety of distributed control systems, including national infrastructure systems and possibly military command and control systems are subject to deliberate and inadvertent cyber and physical anomalies (failure modes) and states the author’s opinions regarding the implications of the ongoing integration of IT and OT for future Mission Command decisions and future Operational Environment (OE) state estimation results

Assessing Mission Performance for Technology Reliant Missions

Operators today increasingly rely on technology to accomplish objectives. Although technology can increase mission success and efficiency in a majority of operations, it can simultaneously increase vulnerability prevalence, resulting in a higher exploitation likelihood. Defense methods have been proposed and evaluated based on their ability to ensure network security. However, these evaluation metrics do not fully quantify how network exploitation impacts mission task completion. Our mission performance model links cyber devices to mission tasks utilizing a mission’s mission map and evaluates a mission’s performance as the proportion of completed mission tasks in an agent based simulation. Our model allows for mission mappings with varying degrees of completion to enable a generic and adaptable model. We investigate the impact differing levels of mission map completion have on the mission performance metric for the same mission. Experiments serve to provide quantitative assessment for mission performance in cyber-network mission systems

Protecting the Protector: Mapping the Key Terrain that Supports the Continuous Monitoring Mission of a Cloud Cybersecurity Service Provider

Key terrain is a concept that is relevant to warfare, military strategy, and tactics. A good general maps out terrain to identify key areas to protect in support of a mission (i.e., a bridge allowing for mobility of supplies and reinforcements). Effective ways to map terrain in Cyberspace (KT-C) has been an area of interest for researchers in Cybersecurity ever since the Department of Defense designated Cyberspace as a warfighting domain. The mapping of KT-C for a mission is accomplished by putting forth efforts to understand and document a mission\u27s dependence on Cyberspace and cyber assets. A cloud Cybersecurity Service Provider (CSSP) continuously monitors the network infrastructure of an information system in the cloud ensuring its security posture is within acceptable risk. This research is focused on mapping the key terrain that supports the continuous monitoring mission of a cloud CSSP. Traditional methods to map KT-C have been broad. Success has been difficult to achieve due to the unique nature of the Cyberspace domain when compared to traditional warfighting domains. This work focuses on a specific objective or mission within cyberspace. It is a contextual approach to identify and map key terrain in cyberspace. Mapping is accomplished through empirical surveys conducted on Cybersecurity professionals with various years of experience working in a cloud or CSSP environment. The background of the Cybersecurity professionals participating in the survey will include United States Government personnel/contractors, and other Cybersecurity practitioners in the private sector. This process provided an approach to identify and map key terrain in a contextual manner specific to the mission of a typical cloud CSSP. Practitioners can use it as a template for their specific cloud CSSP mission

Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability

[ES] La presente tesis doctoral realiza un análisis en detalle de los elementos de decisión necesarios para mejorar la comprensión de la situación en ciberdefensa con especial énfasis en la percepción y comprensión del analista de un centro de operaciones de ciberseguridad (SOC). Se proponen dos arquitecturas diferentes basadas en el análisis forense de flujos de datos (NF3). La primera arquitectura emplea técnicas de Ensemble Machine Learning mientras que la segunda es una variante de Machine Learning de mayor complejidad algorítmica (lambda-NF3) que ofrece un marco de defensa de mayor robustez frente a ataques adversarios. Ambas propuestas buscan automatizar de forma efectiva la detección de malware y su posterior gestión de incidentes mostrando unos resultados satisfactorios en aproximar lo que se ha denominado un SOC de próxima generación y de computación cognitiva (NGC2SOC). La supervisión y monitorización de eventos para la protección de las redes informáticas de una organización debe ir acompañada de técnicas de visualización. En este caso, la tesis aborda la generación de representaciones tridimensionales basadas en métricas orientadas a la misión y procedimientos que usan un sistema experto basado en lógica difusa. Precisamente, el estado del arte muestra serias deficiencias a la hora de implementar soluciones de ciberdefensa que reflejen la relevancia de la misión, los recursos y cometidos de una organización para una decisión mejor informada. El trabajo de investigación proporciona finalmente dos áreas claves para mejorar la toma de decisiones en ciberdefensa: un marco sólido y completo de verificación y validación para evaluar parámetros de soluciones y la elaboración de un conjunto de datos sintéticos que referencian unívocamente las fases de un ciberataque con los estándares Cyber Kill Chain y MITRE ATT & CK.[CA] La present tesi doctoral realitza una anàlisi detalladament dels elements de decisió necessaris per a millorar la comprensió de la situació en ciberdefensa amb especial èmfasi en la percepció i comprensió de l'analista d'un centre d'operacions de ciberseguretat (SOC). Es proposen dues arquitectures diferents basades en l'anàlisi forense de fluxos de dades (NF3). La primera arquitectura empra tècniques de Ensemble Machine Learning mentre que la segona és una variant de Machine Learning de major complexitat algorítmica (lambda-NF3) que ofereix un marc de defensa de major robustesa enfront d'atacs adversaris. Totes dues propostes busquen automatitzar de manera efectiva la detecció de malware i la seua posterior gestió d'incidents mostrant uns resultats satisfactoris a aproximar el que s'ha denominat un SOC de pròxima generació i de computació cognitiva (NGC2SOC). La supervisió i monitoratge d'esdeveniments per a la protecció de les xarxes informàtiques d'una organització ha d'anar acompanyada de tècniques de visualització. En aquest cas, la tesi aborda la generació de representacions tridimensionals basades en mètriques orientades a la missió i procediments que usen un sistema expert basat en lògica difusa. Precisament, l'estat de l'art mostra serioses deficiències a l'hora d'implementar solucions de ciberdefensa que reflectisquen la rellevància de la missió, els recursos i comeses d'una organització per a una decisió més ben informada. El treball de recerca proporciona finalment dues àrees claus per a millorar la presa de decisions en ciberdefensa: un marc sòlid i complet de verificació i validació per a avaluar paràmetres de solucions i l'elaboració d'un conjunt de dades sintètiques que referencien unívocament les fases d'un ciberatac amb els estàndards Cyber Kill Chain i MITRE ATT & CK.[EN] This doctoral thesis performs a detailed analysis of the decision elements necessary to improve the cyber defence situation awareness with a special emphasis on the perception and understanding of the analyst of a cybersecurity operations center (SOC). Two different architectures based on the network flow forensics of data streams (NF3) are proposed. The first architecture uses Ensemble Machine Learning techniques while the second is a variant of Machine Learning with greater algorithmic complexity (lambda-NF3) that offers a more robust defense framework against adversarial attacks. Both proposals seek to effectively automate the detection of malware and its subsequent incident management, showing satisfactory results in approximating what has been called a next generation cognitive computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. In this case, the thesis addresses the representation of three-dimensional pictures based on mission oriented metrics and procedures that use an expert system based on fuzzy logic. Precisely, the state-of-the-art evidences serious deficiencies when it comes to implementing cyber defence solutions that consider the relevance of the mission, resources and tasks of an organisation for a better-informed decision. The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters and the development of a synthetic dataset that univocally references the phases of a cyber-attack with the Cyber Kill Chain and MITRE ATT & CK standards.Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19424

Policy Conflict Management in Distributed SDN Environments

abstract: The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this dissertation, a formalism for flow rule conflicts in SDN environments is introduced. This formalism is realized in Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller. Brew has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer; thereby assuring consistent conflict-free security policy implementation and preventing information leakage. Techniques for global prioritization of flow rules in a decentralized environment are presented, using which all SDN flow rule conflicts are recognized and classified. Strategies for unassisted resolution of these conflicts are also detailed. Alternately, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help the administrators view the conflicts in an aesthetic manner. The correctness, feasibility and scalability of the Brew proof-of-concept prototype is demonstrated. Flow rule conflict avoidance using a buddy address space management technique is studied as an alternate to conflict detection and resolution in highly dynamic cloud systems attempting to implement an SDN-based Moving Target Defense (MTD) countermeasures.Dissertation/ThesisDoctoral Dissertation Computer Science 201

Assessing the effectiveness of defensive cyber operations

Enormous amounts of resources are being allocated for defensive cyber programs. The White House’s Cyber Security National Action Plan proposes a 35% increase in federal spending on cyber security during Fiscal Year 2017. Without an appropriate understanding of how well the people, processes, defenses, and risk are measured, there will naturally be unproductive tasking, inefficient spending and ineffective reporting. In 2016, the White House established the Commission on enhancing National Cybersecurity to assess the state of our nation’s cybersecurity posture. The report recognized both the difficulty and the need to develop meaningful metrics for cybersecurity in order to better secure the cyber landscape as it pertained to the broader digital ecosystem and its connection to our economy, government, and defense. The commission focused on both the private sector as well as the government and suggested the need to perfect policies, practices and technologies. Additionally, the Marine Corps University recently released research topics addressing some of the most important concerns affecting warfighters. One of the concerns was the lack of a methodology for determining the performance of Defensive Cyber Operations (DCO). Specifically addressed was a need to better understand how actions taken by network defenders facilitate network protection. Previous analysis of this topic led to a reactive and un-actionable approach which was tied to negative events such as the quantity and category of incident reports. As there is currently no framework or scorecard built to evaluate DCO as a whole effort, a methodical approach was taken to scope the problem, compare existing frameworks, develop a framework, and present a scorecard. The first phase of research required scoping exactly what is involved in DCO at the most basic level and understanding how the DoD evaluates performance. This resulted in an understanding of the actionability of metrics, the levels of warfare, and the counterbalance of cyber asymmetry. Also identified was the military doctrine for assessments, which frames evaluations in terms of Measures of Effectiveness and Measures of Performance and supports continuous assessments that provide actionable information to decision makers. The second phase required a detailed analysis of existing frameworks that measured related functions of cybersecurity. Specifically utilized were industry accepted compliance, incident handling, governance, and risk management frameworks. The outcome identified four functional areas common to most frameworks; people, processes, defenses, and risk. The third phase involved developing a framework that evaluated the four functional areas of DCO identified in the problem-framing phase, utilizing the most appropriate features of the already established frameworks. A key facet of this evaluation was that assessments should be weighed over time to demonstrate progress but also be measured against standards, peers, and the adversary. The final phase identified the continuous reporting criteria and the tangible mechanism for evaluating an organization in terms of a scorecard. The framework is not a static list of measurements but rather supports tailoring metrics to the organization’s specific requirements. The fundamentals of the framework are organized into elements, levels, categories, ends/ways, and measures. These metrics should be documented utilizing a standardized rubric that assesses the capability and performance of the metrics. The results should be reviewed and analyzed to determine trends, areas for improvement or investment and actionable information to support decision making. Additionally, a modified Delphi analysis with expert consensus validated the major concepts put forward in this paper. Overall, this research provides a comprehensive framework to evaluate the performance of Defensive Cyber Operations in terms of people, processes, defenses, and risk, filling a knowledge gap that is increasingly vital

CRUSOE: A Toolset for Cyber Situational Awareness and Decision Support in Incident Handling

The growing size and complexity of today’s computer network make it hard to achieve and maintain so-called cyber situational awareness, i.e., the ability to perceive and comprehend the cyber environment and be able to project the situation in the near future. Namely, the personnel of cybersecurity incident response teams or security operation centers should be aware of the security situation in the network to effectively prevent or mitigate cyber attacks and avoid mistakes in the process. In this paper, we present a toolset for achieving cyber situational awareness in a large and heterogeneous environment. Our goal is to support cybersecurity teams in iterating through the OODA loop (Observe, Orient, Decide, Act). We designed tools to help the operator make informed decisions in incident handling and response for each phase of the cycle. The Observe phase builds on common tools for active and passive network monitoring and vulnerability assessment. In the Orient phase, the data on the network are structured and presented in a comprehensible and visually appealing manner. The Decide phase opens opportunities for decision-support systems, in our case, a recommender system that suggests the most resilient configuration of the critical infrastructure. Finally, the Act phase is supported by a service that orchestrates network security tools and allows for prompt mitigation actions. Finally, we present lessons learned from the deployment of the toolset in the campus network and the results of a user evaluation study