“Defensive Battle Stations in Network-Centric Warfare: Rapid-Response Cyber Forensics”
Stephen B. Webb, Lockheed Martin Mission Systems
J. Philip Craiger, Ph.D., University of Nebraska at Omaha
What Is Rapid-Response Cyber Forensics™?
• Rapid-Response Cyber Forensics is an approach to the defense of critical military computers and networks.
• It augments “live” computer defense with skilled cyber forensic practitioners and adds a new element to defense-in-depth of critical automated systems.
What Rapid-Response Cyber Forensics Is NOT
• RRCF is NOT a substitute or replacement for any security tools or procedures being used on your systems today.
• RRCF is NOT a “fire-and-forget silver bullet” which will magically solve all your defensive network concerns.
LM-MS and PKI Partnership
• An uncommon partnership between Academics and Business with a common goal:
  “Field the Best Military Cyber-Defenders in the World”
• Leverage the strengths of both LM-MS and PKI to create a product neither could build alone
Benefits of Partnership
• LM-MS wanted to provide security training for our Government client
  - We knew what training could be valuable, but were not in the training business
• PKI wanted to expand into this area, but lacked experience with a military client
  - They knew how to train, but not what to train
• Both partners shared a strong desire to make the partnership work
Stones on the Path to Success
• Non-congruent Initial Goals
• Culture Clash
• Lack of Process
Network-Centric Landscape
• The U.S. holds a decisive edge in Network-Centric Warfare
  - Asymmetric threats are emerging to challenge our pre-eminence
• Our combatant networked systems must be defended to assure information superiority and victory
  - Tools for network defense are rapidly superseded by ever-more-virulent attacks
• Nothing we are proposing replaces any of the defensive tools presently being used
Network-Centric Warfare
• As conflict in Iraq demonstrated, Network-Centric Warfare gives a Commander a decisive advantage against any adversary—this point is not lost on our future enemies
• The nature of network attack will continue to be appealing to those enemies as an “equalizer”
  - low cost
  - technologically simple
  - effective, low profile, and low risk of attribution
• Rapid response to attacks against our network-centric forces will be necessary for military commanders to sustain future operations
The Network-Centric Commander
• A successful military commander in the 21st century must “detect, diagnose, and decide”—then act—against varying types and sources of cyber-attacks
• A Network-Centric Commander must sustain network operations while under computer network attack
• Tools and procedures for doing this have analogues in the non-military world, typically called cyber forensics
  - “Classic” cyber forensics: acquiring and authenticating evidence, analyzing that evidence for evidentiary value, and presenting the results in a court of law
• These classic tools and procedures are ill-suited for a commander under attack
Cyber Forensic Practice
• Analysis after the fact—the “medical examiner” model
  - A law enforcement mindset
• Post hoc analysis
  - Duplicate evidence, verify authenticity, offline analysis
• Focus of present cyber forensic training
• Defensive and conservative, it has served law enforcement well, but fails to meet the needs of a commander for sustained operations under cyber attack
  - Critical information repositories must remain online
  - Live-response is the key
Rapid Response
• We propose a rapid response cyber forensic approach more resembling an Emergency Medical Technician than a Medical Examiner
• Tools, protocols, and techniques to perform “cyber-triage”
  - evaluating, prioritizing and defending against attacks against our warfighting networks
  - intelligent application of tools and procedures applicable to the warfighting context
Warfighting Cyber Forensics
• Development of new cyber forensic tools is a key component of rapid-response forensics, and while crucial, is not the primary focus of our efforts
• A disciplined cadre of cyber forensic technicians will remain the key to success in defending warfighting systems
  - Live response to sustain operations
  - Expert cyber-triage of multiple and simultaneous attacks
Rapid-Response Cyber Forensics™
• Developed collaboratively between University of Nebraska at Omaha and Lockheed Martin Mission Systems
• An alternative to traditional law-enforcement-like response
  - “Classic” forensics not suited to dynamic, real-time warfighting environment
• Both a human-capital and technological solution
• Success depends upon a fusion of procedures, techniques, and practice
Three Foundations of RRCF
• Training tailored for RRCF practitioners
• Procedures for forensic examination of “live” computer systems in real time
• Regular team practice in a lab environment mirroring real-world threats
Training as Key Component
• Practitioners receive rigorous hands-on initial training in RRCF techniques with realistic examples
• Training combines a deep understanding of:
  - Techniques and technologies
  - Realistic hands-on scenario-based practice
• As technology changes, Rapid-Response Cyber Forensics™ practitioners’ skills are reinforced and upgraded
Rapid-Response Skill Set
• Understanding of Technology
  - Networks: protocols, attack signatures, normal & abnormal network traffic
  - Kept current through training
• Analytical Skills
  - Recognition and understanding of threats
  - Refined through practice in the lab
• Tools
  - Employment of the right tool—at the right time
Procedure and Drill
• Inter-related: Procedures are complex, and make drill central to proficiency
  - Development of detailed procedures
  - Application of the correct procedure to counter threats
• Practice when (or “if”) a procedure should be used
  - achieved in a lab setting where virulent attacks may be staged without risk to actual systems
Results
• Two classes of RRCF practitioners trained
  - Screening with a pre-test identified good candidates
  - All students successfully certified in RRCF
• Excellent customer response
• Plans for expanding the program
Lessons Learned
• A partnership between Business and Academics must serve the goals of both
  - Expect some surprises
• Rapid-Response Cyber Forensics™ is feasible
  - It is possible to achieve effectiveness—affordably
  - Training was challenging, but successfully scaled to the target audience
  - Importance of appropriate skill set in students
The Future of Rapid-Response Cyber Forensics
• As technology and tools change, so must the RRCF practitioner
  - Ongoing refresher training using realistic hands-on simulations and exercises
• Adopt and adapt new cyber forensic techniques that are developed
  - Requires continuing education on the part of cyber forensic trainers
• Develop new cyber forensic procedures in concert with new network-centric warfighting capabilities
Contact Information
E-mail: [email protected], [email protected]
We’d be pleased to answer your questions
Thank you
Back-Up Slides
Starting a Computer Conversation
• Final ACK completes the connection.
• Computers now have a reliable channel for communication
[Diagram: SYN → SYN-ACK → ACK]
Computer Dialog
• This is an example of a normal “handshake” between two computers
  - whammo.cobalt.net asks to connect, s=“syn”, a request to synchronize
  - Server1.unomaha.edu answers “syn-ack”, to acknowledge
  - whammo.cobalt.net sends a final “ack” and establishes connection
Normal Traffic?
SYN-Attack
• There is no final ACK
• Connection is never established
• 2nd Computer ends up using all of its resources waiting for the final ACK
[Diagram: “Let’s talk” / “Ok, I’m listening…” exchanged three times, with no final reply from the first computer]
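The handshake and SYN-Attack slides above, as an added Python model that is not part of the original deck: a toy server-side table of half-open connections, showing that a completed handshake releases its entry while SYNs that never receive the final ACK accumulate until the backlog is exhausted and a legitimate client is refused, plus the kind of half-open ratio a cyber-triage step would look at. Host names and the backlog size are constructed values.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Models a server's queue of half-open connections: SYN received,
    SYN-ACK sent, final ACK still pending (constructed toy model)."""

    def __init__(self, backlog):
        self.backlog = backlog          # max half-open entries the server will hold
        self.pending = OrderedDict()    # (client, port) -> "SYN_RECEIVED"
        self.established = []           # connections that completed the handshake
        self.dropped = 0                # SYNs refused because the backlog was full

    def on_syn(self, client, port):
        """Client says "Let's talk" (SYN); server answers SYN-ACK if it has room."""
        if len(self.pending) >= self.backlog:
            self.dropped += 1
            return None                 # resources exhausted: no "Ok, I'm listening"
        self.pending[(client, port)] = "SYN_RECEIVED"
        return "SYN-ACK"

    def on_ack(self, client, port):
        """Final ACK arrives: entry moves from half-open to established."""
        if self.pending.pop((client, port), None) is None:
            return False                # no matching half-open entry
        self.established.append((client, port))
        return True


def normal_handshake(table, client="whammo.cobalt.net", port=1024):
    """Full SYN / SYN-ACK / ACK exchange; the half-open entry is released."""
    reply = table.on_syn(client, port)
    return reply == "SYN-ACK" and table.on_ack(client, port)


def incomplete_handshakes(table, source="syn-source.example", count=100):
    """SYNs arrive from one source but the final ACK never does, so the
    half-open entries are never released. Returns (pending, dropped)."""
    for port in range(count):
        table.on_syn(source, port)
    return len(table.pending), table.dropped


def half_open_ratio(table):
    """Triage metric: share of connections that began but never completed."""
    total = len(table.pending) + len(table.established)
    return len(table.pending) / total if total else 0.0
```

A sustained rise in this ratio, concentrated on a single source, is the sort of signal the triage step on the earlier slides is meant to surface while the system stays online.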
End
Thank you