Thank you very much. I should start out: the reference to hockey here is only partially an obvious attempt to pander to the local New England scene. I will mention its relevance in just a little bit.

So there are many people that feel that the current paradigm in cyber defense is failing us. We're seeing a huge spike in both the number and severity of cyber attacks, both in the government and private industry, a loss of IP, the loss of secrets. And so what I'd like to talk to you about today is a little bit of description of that paradigm, why it's failing (and here's a little hint: it has to do with scale and complexity), some of the new paradigm ideas that are emerging, and, if I can keep this under the time, I'll give you some ideas, if you are not a cybersecurity person, of how you might help and contribute to where this is going.

So you can summarize the philosophy of the cyber defence community over the last 20 to 25 years with the notion of reducing the attack surface. We have a set of systems; we want to prevent any adversary from getting to those systems and doing any kind of damage. So what do we focus on? Perhaps some of you have had to patch a system recently. Perhaps you have antivirus software on your computer. Perhaps, depending on what industry you're in, you actually have to insert a physical ID card into the computer in order to use it. We monitor our networks. We build firewalls; we watch the traffic that goes across those. When we deploy large-scale systems, either in the government or commercial systems, we do this very heavy certification and accreditation process to ensure that they don't have any vulnerabilities. We try like heck to train users to do the right behavior. And yet it doesn't quite seem to be working. There's a lot of reasons for that; to be fair, it's a complex problem. The two I'm going to talk about today: I'm going to talk a little bit about how the adversary has gotten a lot more advanced, and I'm going to talk
about how the scale of this problem has simply grown beyond our ability to manage.

So let's walk through a few facts. At the end of this year, depending on which estimate you like, there'll be about 10 billion devices on the Internet. That means everybody on the planet gets one, and then there's a whole lot left over. And all we need to do to protect those is know where every one of them is, make sure they are updated with the latest software patches, and make sure we are controlling access in every way to those devices. Should be fairly straightforward. If we can't do that, perhaps we can watch all the traffic that is traveling across those devices and look for anomalies, denial of service attacks, all those things you hear about. So Cisco Systems, that knows a little bit about this, estimates that in a few years the mobile devices alone, just our phones and tablets, will be exchanging about 10 exabytes of data. There's some small print on the bottom that tells you that 10 exabytes is about 160 million iPhones' worth of data, which is about, I think, what Apple sold in its first week of the iPhone 5. Oh, by the way, that 10 exabytes, that's per month. So I don't really think we have much chance of monitoring all that traffic that's going across our networks.

Now, one of the big weaknesses, as John mentioned, with computer security is the people, right? All of us. I admit it: Uncle Phil sends me the picture of the dancing cats and I just go and click, and then their little box comes up and something funny's going on on my machine, and I say sure, go ahead, just show me the dancing cats, and that's the end of that. So the good news is not everybody on the planet is on the internet yet. The bad news is it's growing pretty rapidly, about 15% a year. By the way, the security professionals and the hackers have a special name for these 300 million new users a year: we call them targets. Okay, so there are too many computers, there's too much traffic to follow, we can't stop the users from all their stuff. Maybe our
software can help us; maybe we can write better software. Let's start with a really simple example: the soap dispenser, the automatic soap dispenser. You put your hand under it, the soap comes out. And this is actually from the kitchen of my friend, a true story. Dave was unhappy with the amount of soap that was coming out of his soap dispenser when he put his hand under it. So two of us spent a weekend taking it apart, completely voiding the warranty, downloading the instruction set from the chip, and said, how hard could this be? All we have to do is adjust the amount of soap. It turns out that to run a photo gate, an LED, a motor and a push button there's over 1,200 instructions, sixteen state variables and a whole bunch of spaghetti code. So what chance do we have of securing our soap dispensers? Okay, you say that's just a toy problem, that's just a soap dispenser. Let's talk about a real system. The Boeing 787 Dreamliner is rolling off the assembly line right now. The avionics system alone has over six and a half million lines of code. There isn't any way that we are going to be sure that that software, first of all, is completely right (but I don't want to scare you from flying), and second of all, that it is secure from vulnerabilities.

Oh, vulnerabilities, let's talk about that. So the National Vulnerability Database issued about four thousand software vulnerabilities last year. That is the floor; that is a gross underestimate of the total number of vulnerabilities. Most people process these things as fast as they can; they focus largely on major systems. So every day our cyber adversaries get 11 new chances to figure out how to penetrate our systems. So this whole concept of reducing the attack surface simply may be the wrong approach. It's wrong from the point of view of scale, but it has another problem.

So let's get to the hockey example, the hockey metaphor. When we are trying to reduce the attack surface, we are essentially playing hockey as the goalie and facing the goal. We are focused on the target. We are focusing our efforts on the size and the shape of the target: where are we, are we in the right position, do we know the shape? And what's going on right now is the goal is getting bigger; the target is getting bigger. We have users coming in and adjusting the target. We now have mobile devices, new goals floating all around. It's the wrong way to play the game, and in hockey you can see it; just look at this. What's the right way to play? Again, turn around. Turn around. Why do we turn around? You have to face the adversary. You have to understand the adversary. You have to watch what they do. You have to understand what direction they come from and how they pass the puck. You have to share that information with your team; if it's a really bad adversary, you may even share it with other teams. You have to not sit there and let the puck come to you, right? You have to probe that attack to see if you can understand it. So in hockey it makes perfect sense. What does that look like in the cyber realm? In the cyber realm we talk about three things, just like the hockey example. We talk about collecting cyber threat intelligence: we have to find a way to understand
better what the adversary is doing. We have to find a way to engage that adversary during the time of the attack. And we have to do a better job of sharing this information, so that when I get sick, you get the vaccine. Let's talk about each of these quickly.

This is something called the cyber kill chain. It's been around for a few years and it's gaining a lot of ground. It essentially captures the seven stages of a cyber attack. We've just changed the whole view: just in the last 10 seconds I've changed your view of a cyber attack from a point in time. Most of us think of that little click when we got the kitten picture from Uncle Phil; that was the attack. That wasn't the attack; that's just the middle, that's just the exploit. There are seven stages. The adversary has to understand what our systems are, who we are and who we want to go after. He has to build a weapon. He has to deliver the weapon; we have to click on it. He has to control something on our systems. He has to execute that code. And the advanced cyber adversary, the one we are most afraid of, will stay on that system for as long as they possibly can, to either use us or get more information later. By understanding the cyber adversary in this way we can gain new intelligence. We can monitor what they do. We can do it forensically after we are attacked. Make no mistake: advanced professionals today assume we will be penetrated. We do not assume we can protect the attack surface and keep people out.

One of the ideas that's gaining a lot of traction, and we've got some early successes in, is something called synthetic environments. Can we fool the adversary into thinking they are on our network, and watch them while they do that? Don't stop them, don't block them, don't kick them out: watch them, and control them, divert them. You can learn a lot of interesting things with this. So, for example, it turns out that for most of these folks, the adversaries, it's a job. They have a job to do. You know how I know that? Because if you collect a lot of evidence
over time, if you analyze all this stuff, you can tell what hours of the day they work. It turns out many of them work an eight-hour day just like us. Isn't that interesting? See, it's all just one world. It's a job. They have to build weapons and control systems and executions and hide software on your system all day long. What would you do if you had to do that? You would reuse code, wouldn't you? I'm not gonna write a new one every time; I'm gonna reuse it. Now I have a better understanding of their methodology. When I go out to command and control servers, I'm an adversary, I have to link to the outside; I don't want to stand up new ones, so I already have a hundred servers, I'll just reuse some of the IP addresses I already have. I may even reuse the encryption keys that John just talked about. If I'm an adversary and I'm encrypting my traffic, I'm gonna hard code the passwords to those keys in my code. You know what? It turns out the adversaries choose crummy passwords too. What else do we learn? We see adversaries that come back, so we need to be able to adapt. So one of our partner organizations has an adversary that comes after their network on a regular basis, over a long period of time, more than days, into weeks. So regularly do they come back that when our partner doesn't see the attack (they check their calendar and they don't see an attack) they completely change their defensive posture. They assume they have missed it; they assume that adversary has gotten past them and gotten in. So we can adapt as we go.

So once I collect that intelligence I need some way to share it, right? I'm not gonna get every adversary coming after me, and even the ones that do come after me, quite frankly, I'm gonna miss some of them. And again I want to share this notion: I get sick, you get the vaccine. So there is a lot of sharing that goes on today. It suffers from three problems. One, the communities that form in that sharing are very ad hoc; they're based on personal trust relationships, so you don't
get widespread uniform sharing. Two, the sharing happens at a very informal level, unstructured, often in email: I try and write up an attack. Three, because of those first two things, it's very high level information; it's not very actionable. Somebody has to read an email, figure out what that means, translate it into some kind of defense.

So to improve this sharing we want to focus on two things. We want to focus on a better way to share this threat information, a more structured, detailed way, and we want to improve this community sharing structure. So right now there's a lot of work in what we call standards-based repositories. Very simple idea: can we standardize the description of these attacks? Can we standardize descriptions and build schemas, database schemas, XML schemas, around malware, around vulnerabilities, around threats, around the actual attacks themselves, around whole campaigns of attacks? If we can do that and enable it, we do a whole bunch of things. One, we start to collect more detail about the attacks, because we have a way to capture it and represent it. Two, we get uniformity: I know what to share and I know what to expect. Three, I have a much better way to control the sharing. If I don't want to share every detail of the attack with everybody I know (and I may not want to, because it might reveal something about my system), if I have a structured representation I have a much better way to control that. Four, I start to enable machine-to-machine sharing. That's the Holy Grail here, right? It takes too long to read emails, figure out what action I want to take, change my defensive systems. If I can do machine-to-machine sharing in structured ways I can implement those changes much, much faster. And five, as I build up these repositories I get to do analysis over time. We have a database with over three million malware samples. I can start to really understand what's in common there; that's where I start to see times of day, months, places to hide code. Once I build those repositories I can now facilitate the sharing across these communities.

So this is a very fluid problem. There's no solution, and it's a hard problem because it's a social problem of how to organize that sharing. We see
a lot of different models out there. Very common is a hub-and-spoke model: a number of participants will get together, they pick one trusted partner, they send all their information to that one trusted partner, who merges it, cleans it up and sends it out. That has pros and cons. It gives you the value add of the hub; it enables a trust model where you trust the hub; it tends to be slow to turn over; you tend to get filtering. There's post-to-all: we can all get together as a group and every time I see something I send it to all of you; you can all see it, you can comment on it. That has pros and cons as well. We're seeing more and more energy around federated communities like this, where within the smaller communities we have a tight trust, a circle of trust between us, and we can share everything, and if we have these repositories that's very easy to do. And then as we want to share more broadly, into organizations or people we may not know as well, we can do that controlled sharing that I talked about. Still a very fluid situation; lots of opportunities there for improvement.

Speaking of opportunities: so we've had some successes in all of these things I've talked about, the synthetic environments, the structured repositories. You might have seen up there there's a system that MITRE and a number of other members of the community are working on called CRITs. It's just an example database that uses a whole set of standards; the standards are community owned. And the sharing models: there's a public-private partnership in Massachusetts called the ACSC, the Advanced Cyber Security Center, which is really focusing on this information and threat sharing. The defense and the government do a lot of the threat sharing. But here are some areas that could use improvement.

So this defensive engagement is an area ripe for research. If you think about these synthetic environments, trying to fool an adversary into believing they're on a real computer network, you have to get a network topology that looks right. You
have to have files, file structures, systems and programs that look legitimate. You have to have traffic and activity on that network that looks legitimate. When we do these engagements we see adversaries that land in that spot, and the first thing they do, there's a whole set of techniques to try and figure out whether they're in a real place or a fake place. There's a lot of opportunity there. One challenge is the people that do this well don't publish it; it's not really something they want to get out. But there are some intermediate places you can work in this: exercise platforms, where instead of trying to fool somebody we all get together and do a cyber exercise. That still needs to be a very authentic infrastructure; it just doesn't have to fool anybody. So there are intermediate places. The information sharing networks I mentioned: what are the trust models? How do I control information to and from the different parties? How do I form these communities and these groups? How do I measure if I'm getting the right information to the right people quickly enough? All that is still an open question. And finally, the data analysis component. We collect a lot of data here on malware; we're collecting more and more on threats, on the engagement with these adversaries, and I think there's a lot of opportunity to really do hardcore data analysis on that. So if we can do those three things right, if the community can get together and advance all of this, we turn around and face the threat, then we have hopefully what is a pretty good chance of protecting our networks. Thank you very much.
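As an added example (not code from the talk, from CRITs or from the ACSC), here is how two of the ideas above fit together in Python: each observation from an engagement is a structured record tagged with its kill-chain stage and a sharing level, so that controlled release to a trusted circle or to the broad community is a filter over the records rather than an email to rewrite, and the same records are bucketed by local hour to surface the "eight-hour working day" pattern described in the talk. The three-tier sharing scheme, the internal_host field and every sample observation are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample observations (not real indicators): (UTC timestamp,
# kill-chain stage, indicator, sharing level). Sharing levels are a hypothetical
# 3-tier scheme: 0 = my organization only, 1 = trusted circle, 2 = community.
RAW = [
    ("2013-03-04T01:12Z", "delivery", "mail from invoice@example.invalid", 2),
    ("2013-03-04T02:40Z", "exploit", "attachment drops stage1.tmp", 1),
    ("2013-03-04T03:05Z", "install", "service named WinUpdSvc", 1),
    ("2013-03-04T04:30Z", "c2", "beacon to 203.0.113.7:443", 2),
    ("2013-03-04T05:15Z", "c2", "beacon to 203.0.113.7:443", 2),
    ("2013-03-05T06:50Z", "actions", "archive of share eng-docs", 0),
    ("2013-03-05T07:20Z", "c2", "beacon to 203.0.113.7:443", 2),
    ("2013-03-05T08:10Z", "actions", "archive of share eng-docs", 0),
    ("2013-03-05T20:00Z", "c2", "beacon to 203.0.113.7:443", 2),  # off-hours outlier
]

def build_records(raw=RAW):
    """Structured records (the schema idea); internal_host is a hypothetical
    field naming the victim host and must never leave the organization."""
    out = []
    for ts, stage, indicator, share in raw:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
        out.append({"when": when, "stage": stage, "indicator": indicator,
                    "share": share, "internal_host": "ws-17"})
    return out

def share_with(records, audience):
    """Controlled sharing: release only records cleared for at least this
    audience, and strip internal_* fields from anything leaving the org."""
    released = []
    for r in records:
        if r["share"] < audience:
            continue
        released.append({k: v for k, v in r.items()
                         if audience == 0 or not k.startswith("internal_")})
    return released

def hour_histogram(records, utc_offset_hours):
    """Observations per local hour under an assumed adversary time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(r["when"].astimezone(tz).hour for r in records)

def busiest_window(hist, width=8):
    """(start hour, count) of the width-hour window holding the most activity;
    nearly all activity inside one such window is the 'eight-hour day' signal."""
    counts = [sum(hist[(s + i) % 24] for i in range(width)) for s in range(24)]
    start = max(range(24), key=counts.__getitem__)
    return start, counts[start]
```

With the sample data and an assumed UTC+8 offset, eight of the nine observations fall in the 09:00 to 16:59 window, which is the kind of clustering that suggests a working day rather than round-the-clock automation.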