文档详细内容(约6页)
52 September 2003/Vol. 46, No. 9 COMMUNICATIONS OF THE ACM
BYO SAMISAYDJARI CyBER DEFENS E ART TO SCIENCE Seeking the knowledge and means to more methodically detect, defend against and better understand attacks on networked computer resources ILLUSTRATION BY magine that you lead an organization under cyber attack on ROBERT NEUBECKER lyour critical information systems. What questions are you likely Am I under attack; what is its nature and ori What are the attackers doing; what might they do next? How does it affect my mission? that will be effective against this attack? What can I do about it; what are my options How do I choose the best option? How do i prevent such attacks in the future Unfortunately, today we must often answer, We dont know and we have no way of knowing. "Informally, it is in being able to answer these basic questions that we find the meaning of the term cyber defense. More formally, we can define cyber defense from its component words. Cyber, short for cyberspace, refers to both networked infra- structure(computers, routers, hubs, switches, and firewalls) and the information assets(critical data on which an organization depends to carry out its mission). Defense is the act of making safe rom attack. Therefore, cyber defense refers to an active process of dependably making critical function safe from attac COMMUNICATIONS OF THE ACM March 2004/Vol 47. No.3 53
COMMUNICATIONS OF THE ACM March 2004/Vol. 47, No. 3 53 I magine that you lead an organization under cyber attack on your critical information systems. What questions are you likely to ask? Am I under attack; what is its nature and origin? What are the attackers doing; what might they do next? How does it affect my mission? What defenses do I have that will be effective against this attack? What can I do about it; what are my options? How do I choose the best option? How do I prevent such attacks in the future? Unfortunately, today we must often answer, “We don’t know and we have no way of knowing.” Informally, it is in being able to answer these basic questions that we find the meaning of the term cyber defense. More formally, we can define cyber defense from its component words. Cyber, short for cyberspace, refers to both networked infrastructure (computers, routers, hubs, switches, and firewalls) and the information assets (critical data on which an organization depends to carry out its mission). Defense is the act of making safe from attack. Therefore, cyber defense refers to an active process of dependably making critical function safe from attack. CYBER DEFENSE: ART TO SCIENCE illustration by robert neubecker BY O. SAMI SAYDJARI Seeking the knowledge and means to more methodically detect, defend against, and better understand attacks on networked computer resources
Elements of Cyber Defense in models of real systems with mock adversaries. Defense in cyberspace is as complex as traditional Cyber science and engineering is the foundation warfare--it has the same key elements, corresponding yielding an understanding of design, composition, to the basic questions listed at the beginning of this building, and maintenance of effective defense sys- rticle:sensors and exploitation; situation awareness; tems. Currently, this foundation is dangerously defensive mechanism: command and control: strat- weak to the extent that it exists at all egy and tactics; and science and engineering. Simply put, one needs the knowledge and means to defend Dynamic Defense Is Imperative oneself. detect and understand attacks, and make tatic preventive techniques, while impor- good decisions about defense configuration. Each of tant,are inadequate. In the design of the six elements are discussed in more detail here trustworthy cyber defense systems, there Cyber sensors and exploitation are the eyes"of the system; they determine the attack capability, performance, and functionality. The plans, and actions of an adversary--the essential security dimension itself has at least three first step to any dynamic defense. A primitive form components: confidentiality, data integrity, and of determining adversary actions is what we today availability. One cannot statically optimize all call intrusion detection. To succeed we must dimensions with respect to all attacks. For exam acknowledge that attacks will sometimes succeed ple, although spreading many copies of data and adversaries will get inside the system. To assume around a system can hinder denial-of-service otherwise is foolish attacks, it exacerbates the confidentiality problem Cyber situation awareness is a process that by creating more targets of opportunity for the transforms sensed data into a decision aid by inter- attacker. At the higher level, security functions preting mission consequences and the context of often degrade both performance and functionalit other activity. For example, situation awareness One would rather not have to incur these costs might tell us that attack A will disable the organiza- unless under attack, just as soldiers do not put or tions logistics function for three days and that the chemical suits unless there is a known threat of ttack is pandemic and is thus not targeting our chemical attack on the battlefield organization specifically We need to create systems that make explicit Cyber defensive mechanism is technology to trade-offs within this space both at design time and counter threats. Historically, cyber defense has its at operation time--dynamically moving within the roots in this element, with cryptography countering trade-off space depending on the situation. We ntercepted secret messages, virus scanners counter- also, therefore, need systems capable of quickly ng viruses, and firewalls countering hacker exploita- ascertaining the situation so the correct trade-offs tions. Although this element is an important can be made. building block, professionals must extend their understanding beyond the cyber defense mechanism The Art of war-Strategy and Tactics to see the bigger picture yber attacks are becoming sophisticated Cyber command and control is the process of mak- attackers routinely use attack design ing and executing decisions--orchestrating defensive toolkits, apply stealth techniques, and systems, based on input from the situation awareness target an increasing spectrum of proto- element. Command decision making requires an cols and applications. Cyber attackers are understanding of options based on the situation, and learning to actively evade countermea- the means to evaluate them quickly [12] Control sures. Soon they will develop sophisticated tactics requires a system to communicate the decisions andand will evolve toward strategic campaigns using execute them reliably throughout the system. multi-pronged attacks against strategic obJective Cyber strategies and tactics is knowledge of what Moreover, attackers have the advantage because they constitutes a good decision in terms of initial defen- can carefully plan and choose the best time and the sive policies and configurations as well as changes weakest points at which to attack. Creating defenses needed during operations because of attack situations. capable of thwarting such attacks will take years; we Ideally, such knowledge is based on a wealth of his- cannot afford to wait until we see cyber attack meth- torical experiences, but we prefer not to sustain the ods evolve to this level damages required to gain real cyber battlefield experi- At the same time, defensive mechanisms are prolif- ence. As a substitute, we must begin developing erating and becoming increasingly complex--exceed strategies and tactics and testing them expe ntally ing our ability to understand how best to configure 54 March 2004/Vol 47. No. 3 COMMUNICATONS OF THE ACM
54 March 2004/Vol. 47, No. 3 COMMUNICATIONS OF THE ACM Elements of Cyber Defense Defense in cyberspace is as complex as traditional warfare—it has the same key elements, corresponding to the basic questions listed at the beginning of this article: sensors and exploitation; situation awareness; defensive mechanism; command and control; strategy and tactics; and science and engineering. Simply put, one needs the knowledge and means to defend oneself, detect and understand attacks, and make good decisions about defense configuration. Each of the six elements are discussed in more detail here. Cyber sensors and exploitation are the “eyes” of the system; they determine the attack capability, plans, and actions of an adversary—the essential first step to any dynamic defense. A primitive form of determining adversary actions is what we today call intrusion detection. To succeed we must acknowledge that attacks will sometimes succeed and adversaries will get inside the system. To assume otherwise is foolish. Cyber situation awareness is a process that transforms sensed data into a decision aid by interpreting mission consequences and the context of other activity. For example, situation awareness might tell us that attack A will disable the organization’s logistics function for three days and that the attack is pandemic and is thus not targeting our organization specifically. Cyber defensive mechanism is technology to counter threats. Historically, cyber defense has its roots in this element, with cryptography countering intercepted secret messages, virus scanners countering viruses, and firewalls countering hacker exploitations. Although this element is an important building block, professionals must extend their understanding beyond the cyber defense mechanism to see the bigger picture. Cyber command and control is the process of making and executing decisions—orchestrating defensive systems, based on input from the situation awareness element. Command decision making requires an understanding of options based on the situation, and the means to evaluate them quickly [12]. Control requires a system to communicate the decisions and execute them reliably throughout the system. Cyber strategies and tactics is knowledge of what constitutes a good decision in terms of initial defensive policies and configurations as well as changes needed during operations because of attack situations. Ideally, such knowledge is based on a wealth of historical experiences, but we prefer not to sustain the damages required to gain real cyber battlefield experience. As a substitute, we must begin developing strategies and tactics and testing them experimentally in models of real systems with mock adversaries. Cyber science and engineering is the foundation yielding an understanding of design, composition, building, and maintenance of effective defense systems. Currently, this foundation is dangerously weak to the extent that it exists at all. Dynamic Defense Is Imperative S tatic preventive techniques, while important, are inadequate. In the design of trustworthy cyber defense systems, there is a three-way trade-off among security, performance, and functionality. The security dimension itself has at least three components: confidentiality, data integrity, and availability. One cannot statically optimize all dimensions with respect to all attacks. For example, although spreading many copies of data around a system can hinder denial-of-service attacks, it exacerbates the confidentiality problem by creating more targets of opportunity for the attacker. At the higher level, security functions often degrade both performance and functionality. One would rather not have to incur these costs unless under attack, just as soldiers do not put on chemical suits unless there is a known threat of chemical attack on the battlefield. We need to create systems that make explicit trade-offs within this space both at design time and at operation time—dynamically moving within the trade-off space depending on the situation. We also, therefore, need systems capable of quickly ascertaining the situation so the correct trade-offs can be made. The Art of War—Strategy and Tactics C yber attacks are becoming sophisticated; attackers routinely use attack design toolkits, apply stealth techniques, and target an increasing spectrum of protocols and applications. Cyber attackers are learning to actively evade countermeasures. Soon they will develop sophisticated tactics and will evolve toward strategic campaigns using multi-pronged attacks against strategic objectives. Moreover, attackers have the advantage because they can carefully plan and choose the best time and the weakest points at which to attack. Creating defenses capable of thwarting such attacks will take years; we cannot afford to wait until we see cyber attack methods evolve to this level. At the same time, defensive mechanisms are proliferating and becoming increasingly complex—exceeding our ability to understand how best to configure
each mechanism and the aggregate of mechanisms. some of the key differences. Physical space is three- To effectively manage all the defensive elements, dimensional; cyberspace is hyper-dimensional, mak one needs strategy and tactics. Because we have little ing maneuvering complex. Physical weapon effects ppl Cyberspace, we must look to analogy. We are predictable and constrained by physics; cyber history in analogies from the weaponry is difficult to pre- battlefield [9. For example, Performance dict,often having non-linear he battlefield concept of forc damaging effects. Physic ing an adversary into disad- attacks occur at human-per vantageous terrain has a ceptible speeds; some cyber cyberspace analogue of attacks may aggregate too arranging one's defensive slowly to be perceived, while chitecture to force adver many others could occur in saries into the" sweet spots"of Security milliseconds, making all of their intrusion detection algo- Functionality them outside the realm of rithms. The battlefield con possible human reaction cept of deception has the times. Physical attacks often cyberspace analogue of creating false cyber targets Figure 1. Dynamic design have clear manifestations (also known as honey pots)and misleading configu- and operating trade-off ber attacks can be difficult rations to detect, making damage Similarly, one may borrow from the realm of strate- assessment problematic. gic game playing. The game" of war is extraordinar- ily complex because of the great variety of moves, Science and Technology Deficits changing rules, and changing capabilities. Yet, some To achieve a viable cyber defense capability, we need general principles apply, especially as a human deci- many advances in both science and technology. Here ion aid [3]. Determining the right strategic decisions are a few. is best performed by creative well-informed humans. We must learn how to create trustworthy systems This makes cyber defense a matter of art, supported from untrustworthy components [1]. Trustworthy sys- by science, not a matter for total automation. There- tems are the building blocks of good cyber defense fore, we should focus on The need to create them automating the mundane tasks Mission from untrustworthy compo- and providing decision aids to nents arises from two lified humans for the→ System Design sources: the vulnerable com- strategic decision making puter systems that consumers To develop strategy and tac Adversary habitually choose and basic cs we accumulate hypotheses based on analogy, and then val itermeasure Effectivene tions. Trustworthiness. like idate them. We can gain exp reliability, is not just in the rience through simulation on compo th accurate models of our critical glue" that holds the compo systems InteractI nents together. Therefore, we human decision makers need to understand how fi achieve trustworthiness experiments within these models. Adversaries must Figure 2. Cyber defense through architectures. With- be accurately modeled using our best red teams. Our system design models his,we will be building strategy and tactics--our cyber defense playbook- castles in the sand viable approaches have need to be validated in such simulations to yield the been identified [5] and should be pursued with knowledge to defend our critical cyberspace from vigor sophisticated attack. We must learn how to defend Intrusion detection needs to get a whole lot better. It against how real attackers will attack. is inadequate to employ a detect-respond paradigm Although there is much to be learned from phys- Recent attacks such as Slammer and Code-Red are ical war strategy and tactics, there are other areas just too fast for today's systems, which are based on where the differences are big enough to require a detecting signatures of previously detected attacks completely new way of thinking about strategy and Experimental schemes to identify attacks based on tactics in cyberspace. As a word of caution, consider detecting anomalies deviating from"normal"activity COMMUNICATIONS OF THE ACM March 2004/Vol 47, No. 3 55
COMMUNICATIONS OF THE ACM March 2004/Vol. 47, No. 3 55 each mechanism and the aggregate of mechanisms. To effectively manage all the defensive elements, one needs strategy and tactics. Because we have little history in cyberspace, we must look to analogy. We can apply analogies from the battlefield [9]. For example, the battlefield concept of forcing an adversary into disadvantageous terrain has a cyberspace analogue of arranging one’s defensive architecture to force adversaries into the “sweet spots” of their intrusion detection algorithms. The battlefield concept of deception has the cyberspace analogue of creating false cyber targets (also known as honey pots) and misleading configurations. Similarly, one may borrow from the realm of strategic game playing. The “game” of war is extraordinarily complex because of the great variety of moves, changing rules, and changing capabilities. Yet, some general principles apply, especially as a human decision aid [3]. Determining the right strategic decisions is best performed by creative well-informed humans. This makes cyber defense a matter of art, supported by science, not a matter for total automation. Therefore, we should focus on automating the mundane tasks and providing decision aids to qualified humans for the strategic decision making. To develop strategy and tactics we accumulate hypotheses based on analogy, and then validate them. We can gain experience through simulation on accurate models of our critical systems interacting with human decision makers. We must engage in many scientific experiments within these models. Adversaries must be accurately modeled using our best red teams. Our strategy and tactics—our cyber defense playbook— need to be validated in such simulations to yield the knowledge to defend our critical cyberspace from sophisticated attack. We must learn how to defend against how real attackers will attack. Although there is much to be learned from physical war strategy and tactics, there are other areas where the differences are big enough to require a completely new way of thinking about strategy and tactics in cyberspace. As a word of caution, consider some of the key differences. Physical space is threedimensional; cyberspace is hyper-dimensional, making maneuvering complex. Physical weapon effects are predictable and constrained by physics; cyber weaponry is difficult to predict, often having non-linear damaging effects. Physical attacks occur at human-perceptible speeds; some cyber attacks may aggregate too slowly to be perceived, while many others could occur in milliseconds, making all of them outside the realm of possible human reaction times. Physical attacks often have clear manifestations; cyber attacks can be difficult to detect, making damage assessment problematic. Science and Technology Deficits To achieve a viable cyber defense capability, we need many advances in both science and technology. Here are a few. We must learn how to create trustworthy systems from untrustworthy components [1]. Trustworthy systems are the building blocks of good cyber defense. The need to create them from untrustworthy components arises from two sources: the vulnerable computer systems that consumers habitually choose and basic system engineering limitations. Trustworthiness, like reliability, is not just in the components, but in the “glue” that holds the components together. Therefore, we need to understand how to achieve trustworthiness through architectures. Without this, we will be building castles in the sand. Some viable approaches have been identified [5] and should be pursued with vigor. Intrusion detection needs to get a whole lot better. It is inadequate to employ a detect-respond paradigm. Recent attacks such as Slammer and Code-Red are just too fast for today’s systems, which are based on detecting signatures of previously detected attacks. Experimental schemes to identify attacks based on detecting anomalies deviating from “normal” activity Security Functionality Performance System Design Adversary Updated System Designs Countermeasure Effectiveness Mission Likely Attacks No Yes Acceptable Figure 1. Dynamic design and operating trade-off space. Figure 2. Cyber defense system design models
have unacceptably high false-alarm rates and rela- rapidly growing as collaboration becomes the norm tively poor coverage of the attack spa Further, accomplishing organization goals these schemes often use data from originally On a final note, even if we make the required sci- designed for auditing security-relevant events, not for entific and technological advances, we still must find detecting attacks. Viable detection requires ground- ways to better integrate technology results into main sis of how attacks manifest, custom design of stream products and systems. Industrys and govern- sensors that exploit these manifestations, proper clas- ment's track record of employing useful technology sification algorithms for categorizing relevant events, results from research has been poor so far. For exam and detection algorithms that measurably [11] cover ple, solutions to defend the vulnerable Domain Nam- the entire attack space. ing Service and the Border gateway Protocol have Intrusion response must be developed so that actions been available for several years now, but have yet to be are timely and effective. We need some degree of incorporated into the network infrastructure autonomic response for attacks that are too fast fo the human decision cycle. We also must develop Creating a Systems Engineering Discipline decision aids for enumerating situation-dependent courses of action as well as means to evaluate those defended system is matter of- a well- ck art. One courses of action. Using human anatomy as an anal simply hopes designers were adequately ogy, we need both the autonomic and the central knowledgeable about the range of relevant nervous system, and they must work together to attacks and that they did an adequate job of create a systematic defense defending against those attacks. W e must Defending against distributed denial-of-service evolve toward a systems engineering discipline, which attacks is needed to ensure availability. Cutting off the urgently requires several elements many attack paths available to attackers often cuts What gets measured gets done. Without adequate off the very availability that one is trying to preserve. metrics to assess the performance of cyber defense Further, traditional security and reliability remedies systems, progress is impossible to judge. Some prim often worsen the problem Solutions will almost cer- itive metrics have been proposed [10], but much tainly require that quality of service capabilities are more work remains to be done added to the internet Ve need a spectrum of system models and an Countering life-cycle attacks is essential to trustwor- engineering framework analogous to the thiness. If adversaries can infiltrate software develop- CAD/CAM framework used by hardware engineer ment teams and insert malicious code into systems The community needs adequate threat models, while the software is developed, they can subvert what- adversary models [7], mission models, and counter- ever trust that was established. For modern software, measure effectiveness models. Each type of model the development process and the resulting code are will require tremendous energy to produce, yet little very complex, therefore making preventing and effort is under way in these arenas detecting subversion extraordinarily difficult. Finally, a methodology to quantitatively trade off Nonetheless, we must develop techniques to detect design factors and achieve a specified system result is and eradicate malicious code embedded in our code. needed. a vision for such a framework should be or find ways to architecturally neutralize it. established and it should be realized with dispatch Scientific experimental computer science is needed a make real progress. Much of the knowledge in cyber Achieving a National Cyber Defense defense today has the status of hypothesis rather Capability than fact. Some have significant evidence in their o far, Ive described cyber defense in the favor, yet they are still hypotheses. We need experi- abstract, the principles of which apply at mental methods, based on solid metrics, isolating all scales. Here. I examine and discuss single variables at a time, to convert these hypothe- cyber defense at the macro scale of ses into knowledge. Only this will create the fir defending the national critical informa research foundation needed to enable a sound n infrastructure. To understand what research track suffices as a defense, one needs to understand vul Controlled information sharing is needed more than nerabilities and the consequences of failure. That ever. Computer security has its roots in the require- the threat is serious has been established [6]. If the ment for Multilevel Security(MLS) processing. The reader has any doubts as to the gravity of the prob need continues for controlled sharing among groups lem, consider the major damage done by acciden of differing trust relationships. Further, the need is tal failures of the telephone system, the power grid, 56 March2004/v.47.No.3 TONS OF THE ACM
have unacceptably high false-alarm rates and relatively poor coverage of the attack space [2]. Further, these schemes often use data from sensors originally designed for auditing security-relevant events, not for detecting attacks. Viable detection requires groundup analysis of how attacks manifest, custom design of sensors that exploit these manifestations, proper classification algorithms for categorizing relevant events, and detection algorithms that measurably [11] cover the entire attack space. Intrusion response must be developed so that actions are timely and effective. We need some degree of autonomic response for attacks that are too fast for the human decision cycle. We also must develop decision aids for enumerating situation-dependent courses of action, as well as means to evaluate those courses of action. Using human anatomy as an analogy, we need both the autonomic and the central nervous system, and they must work together to create a systematic defense. Defending against distributed denial-of-service attacks is needed to ensure availability. Cutting off the many attack paths available to attackers often cuts off the very availability that one is trying to preserve. Further, traditional security and reliability remedies often worsen the problem. Solutions will almost certainly require that quality of service capabilities are added to the Internet. Countering life-cycle attacks is essential to trustworthiness. If adversaries can infiltrate software development teams and insert malicious code into systems while the software is developed, they can subvert whatever trust that was established. For modern software, the development process and the resulting code are very complex, therefore making preventing and detecting subversion extraordinarily difficult. Nonetheless, we must develop techniques to detect and eradicate malicious code embedded in our code, or find ways to architecturally neutralize it. Scientific experimental computer science is needed to make real progress. Much of the knowledge in cyber defense today has the status of hypothesis rather than fact. Some have significant evidence in their favor, yet they are still hypotheses. We need experimental methods, based on solid metrics, isolating single variables at a time, to convert these hypotheses into knowledge. Only this will create the firm research foundation needed to enable a sound research track. Controlled information sharing is needed more than ever. Computer security has its roots in the requirement for Multilevel Security (MLS) processing. The need continues for controlled sharing among groups of differing trust relationships. Further, the need is rapidly growing as collaboration becomes the norm in accomplishing organization goals. On a final note, even if we make the required scientific and technological advances, we still must find ways to better integrate technology results into mainstream products and systems. Industry’s and government’s track record of employing useful technology results from research has been poor so far. For example, solutions to defend the vulnerable Domain Naming Service and the Border Gateway Protocol have been available for several years now, but have yet to be incorporated into the network infrastructure. Creating a Systems Engineering Discipline T oday, the process of designing a welldefended system is matter of black art. One simply hopes designers were adequately knowledgeable about the range of relevant attacks and that they did an adequate job of defending against those attacks. We must evolve toward a systems engineering discipline, which urgently requires several elements. What gets measured gets done. Without adequate metrics to assess the performance of cyber defense systems, progress is impossible to judge. Some primitive metrics have been proposed [10], but much more work remains to be done. We need a spectrum of system models and an engineering framework analogous to the CAD/CAM framework used by hardware engineers. The community needs adequate threat models, adversary models [7], mission models, and countermeasure effectiveness models. Each type of model will require tremendous energy to produce, yet little effort is under way in these arenas. Finally, a methodology to quantitatively trade off design factors and achieve a specified system result is needed. A vision for such a framework should be established and it should be realized with dispatch. Achieving a National Cyber Defense Capability S o far, I’ve described cyber defense in the abstract, the principles of which apply at all scales. Here, I examine and discuss cyber defense at the macro scale of defending the national critical information infrastructure. To understand what suffices as a defense, one needs to understand vulnerabilities and the consequences of failure. That the threat is serious has been established [6]. If the reader has any doubts as to the gravity of the problem, consider the major damage done by accidental failures of the telephone system, the power grid, 56 March 2004/Vol. 47, No. 3 COMMUNICATIONS OF THE ACM
