Air Force Institute of Technology Integrity — Service

Air Force Institute of Technology Integrity - Service - Excellence An Automated Information Asset Tracking Methodology to Enable Timely Cyber Incident Mission Impact Assessment (CIMIA) Michael R. Grimaila, Ph. D, CIV / USAF Robert F. Mills, Ph. D, CIV / USAF Larry W. Fortson, Capt / USAF 13 th International Command Control Research and Technology Symposia (ICCRTS) Bellevue, WA June 17 -19, 2008 Research Sponsors: Air Force Research Laboratory (AFRL/RHX) UNCLASSIFIED

Disclaimer The views expressed in this presentation are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government… Integrity - Service - Excellence

Overview n Research Motivation n Background n Information n Tracking is an Asset Information Assets n Conclusions Integrity - Service - Excellence

Research Motivation Consider the following hypothetical scenario: n In Iraq, coalition partners are provided connectivity to a US Secret level network for information sharing purposes n A breach of a coalition partners system occurs n The breach is detected and stopped n The breach enabled the adversary to access a server which contains multiple databases n One of the DBs contains convoy routes and schedules n The Incident Response Team begins their investigation n IRT works with the system custodians to identify and notify all information owners / consumers n The process takes days to complete. . . Integrity - Service - Excellence

Meanwhile, the Next Day Integrity - Service - Excellence

Background n n n n Virtually every organization is dependent upon information accessed/stored/processed in cyberspace Despite our best efforts at developing defensive capabilities, cyber incidents are inevitable Cyber dependence introduces significant risk to both cyber-assets and real-world operations Commanders need accurate and timely damage assessment in terms of their Mission This is not a new development (RAND Report, 1995) We have failed to account for the value of information We don’t collect, document, and refine knowledge of mission-to-information dependencies effectively! Integrity - Service - Excellence

Prior Research n n n n n RAND Report (1995) – The Day After Exercises Lala and Panda (2001) – Database damage assessment Thiem (2005) – Lack of standardized AF damage assessment methodologies Stanley (2005) – Mission impact analysis of communication link state availability Wong-Jiru (2006) – Net centric operations model for holistic view of mission dependencies between entities Shaw (2007) – Model of network outages in CAOC Fortson (2007) – Proposed defensive Cyber Damage Assessment (CDA-D) methodology Hellesen (2008) – Proposed an information valuation schema Sorrels (2008) – Proposed a system architecture for Cyber Incident Mission Impact Assessment Integrity - Service - Excellence

Key Problems Identified n n n n Focus on infrastructure protection Lack of a formal, standardized risk assessment Lack of documentation explicitly identifying: n Information Assets n Information Valuation n Mission / Information Dependencies Dynamic nature of missions and organizations Lack of timely notification of information consumers following cyber incidents Lack of an appreciation for potential impacts Lack of accountability Lack of after action follow-up Integrity - Service - Excellence

Risk Assessment n n n Risk Assessment provides the information required for accurate and timely mission impact assessment Risk Assessment requires the identification and documentation of critical organizational resources Criticality is determined by how a given resource supports the organizational mission The valuation of any resource is: n Frame of reference dependent n Temporally dependent upon the mission(s) n Inherently subjective Risk = (Threats ∩ Vulnerabilities)*Probability*Loss Allows for a racking and stacking of the risks Integrity - Service - Excellence

CDA/D-MIA Methodology (Fortson et al. , 2007) Integrity - Service - Excellence

Impediments to Risk Assessment Conducting a documented risk assessment is: n Labor intensive n Time consuming n Must periodically be revisited (maintenance) n Organizations and resources are dynamic entities n Several different organizations may access and depend upon a resource (hard to estimate value) n Buy-in from commander is needed to insure compliance and accountability n Knowledgeable personnel must value resources n Security aspects of critical asset identification n Social barriers n Integrity - Service - Excellence

Cyber Incident Mission Impact Assessment (CIMIA) Project Provide decision makers near real-time situational awareness of mission impact following cyber incidents Foundations: n Mission operations focus n Holistic approach to mission impact assessment n Confidentiality, integrity, and availability n Requires a chain of interdependent activities: n Information asset identification n Information asset valuation n Technical (IRT) damage assessment n Damage-to-mission impact mapping n Mission impact reporting Integrity - Service - Excellence

CIMIA Goals n n n n Notification of all downstream information consumers when an incident occurs Mission impact assessment from incident declaration (estimated) through remediation (actual) Mapping of mission processes to information assets Temporal mission information valuation models n Learn historical mission patterns Enforce: n Accountability / Documentation / Secrecy Exploit: n Automation to the extent possible Explore non-traditional mechanisms Integrity - Service - Excellence

Conceptual CIMIA Reporting Incident Response Agent INITIAL IIR TECH ASSE NICAL SSME NT INCIDENT & IMPACT REPORT Asset Owner REPORTING DATABASE MISSION IMPACT ASSESSMENT DA M ES MIS AGE TI SI M ON TO AT IO N AS AS SE SE T D SS AM M AG EN E T FINAL IIR (IIR) L CA NT NI ME CH SS TE SE AS CIAP INTERIM IIR SITE OF INCIDENT Integrity - Service - Excellence Units with Mission Dependency

Mission Impact Estimation as a Function of Time Worse Case Value 3. 7 Criticality Rating Impact Summary: Potential Impact A confirmed data spill at Mosul NCC has resulted in the following compromised mission supporting systems: 2. 5 2. 0 System 1. 8 Actual I mpact XXXX 1 4 UAV Feed XXXX 3 1. 3 Est Mission 4 Convoy Mvmnt XXXX 11 3 Personnel Data … … … T 0 T 1 TIIR 2 TIIR_n TRC Integrity - Service - Excellence … … …

Mission Mapping Abstractions n How to best map mission to underlying resource dependencies? n How to represent the “value” provided by each intermediate resource? n What is necessary and feasible to collect and maintain in a mapping? n How to insure an adversary cannot access and exploit this information? Integrity - Service - Excellence

A Paradigm Shift Information is THE asset in cyberspace n Each organization has a different valuation “lens” through which they view information assets n The true value of an information asset can only be determined by summation of each consumers valuation using a common measurement scheme n System focused methods (e. g. , DIACAP) do not: n Account for all the value consumers derive from accessing information on the system n Dynamically update as information assets are added/removed n Integrity - Service - Excellence

Information Asset n n n A specific grouping of data which provides value The granularity is user definable n Coarse: All information contained in a system n Fine: A specific field within a specific database within a system Multiple information assets may reside within the same information container The information asset must be uniquely identifiable across the enterprise Multiple information assets may be repackaged with other information, creating a new information asset (e. g. , intelligence reports) How can we manage our information assets? Integrity - Service - Excellence

Information Sources (Providers) n n n Any network addressable node that sources (provides) information assets upon request Information sources are uniquely identified by the triple containing at least: n Resource number is a locally assigned system resource identifier An information source can contain multiple information assets Information sources “know” the entities who make requests for information assets Example: Weather reports provided by a web server Integrity - Service - Excellence

Information Sinks (Consumers) n n n Any network addressable node that receives an information asset and sinks (consumes) it Information consumers are uniquely identified by the triple containing at least: n Consumer number is a local organizational entity identifier (e. g. , individual, agent, process) There can be multiple consumers present simultaneously on a system Information sinks know from whom they received information assets Example: A web browser application being run by the weather officer in a Air Operations Center Integrity - Service - Excellence

Information Asset Tag Each information asset has an enterprise-wide key (“tag”) which is used to uniquely identify it n The “tag” is a pointer into a database which contains metadata about the information asset n When an information asset is moved, the tag moves n Tagging of information assets enables the tracking of the assets from the source (provider), through the infrastructure elements, to the sink (consumer) n Accountability can be enforced n Network traffic can be prioritized n Mission specific patterns can be identified n Integrity - Service - Excellence

Information Asset Database n A database containing information about the given information asset from the owners perspective: • Key “Tag” • Composite elements • Owner • Producer • Provider • Pedigree • Age • Comments • Confidentiality Sensitivity • Integrity Sensitivity • Availability Sensitivity • Rated Criticality • Derived Criticality • Last update Maintained by a central authority (e. g. , JTF-GNO) n Global database located in a higher classification network only accessible by authorized entities n Integrity - Service - Excellence

Fictional Information Asset Database Tag Owner Producer Age Rated Criticality Contains 7 FD 3 BA 30 AFIOC 33 rd IOS Daily Very High 23 A 9 D 3 D 7, TS-SCI/HCS DD 3100 AC B 723 AA 29 67 th NWW GREEN 10 June 2008 High S/BELL 23 A 9 D 3 D 7 NASIC SMAI Daily Very High TS-SCI/TK DD 3100 AC NSA GROUP 4 Weekly High TS-SCI/G Note: Not all fields are shown for brevity Integrity - Service - Excellence SA_LABEL

Tagging Information Assets n n n Tags are “intelligently” inserted into the network data stream at the source: n One time for a given requestor n After a defined time interval has passed n When a change in the asset occurs Very low overhead impact Tag may be inserted in multiple ways (e. g. , unused bits, IPV 6 Flow Label, encoded into data) The tag itself does NOT contain any information about the information asset The tag is an encrypted using symmetric encryption The tag encryption changes daily using an automated process that is seeded monthly Integrity - Service - Excellence

Information Asset Source / Sink Architecture g Ta As R 1 se t 1 Ta t 1 g e ss A R 2 g Ta s 1 et As R 3 NIPR Network Cloud As se t 1 Ta g Asset 1 Asset 2 Asset 3 Information Source A Tag Request Response + Tag Integrity - Service - Excellence Information Sink B

Source (Provider) Lightweight Database A lightweight database which keeps a record of all consumers who request an information asset n Collects summary statistics for each consumer including information asset tag, last access, frequency of access, amount of data transferred n The source periodically transfers this information to a single local high side database (Tier III) which collects all requests made within the organization n The information is periodically passed to Tier II, and then on to the Tier I systems n Communication is passed through a one-way trusted guard n Integrity - Service - Excellence

Sink (Consumer) Lightweight Database A lightweight database which keeps a record of all requests made to information sources n Collects summary statistics for each information asset received including the information asset tag, last access, frequency of access n The consumer (or organizational representative) must explicitly link each requested information asset to the mission process(es) is supports and assign a “value” in terms of criticality of C/I/A n The database is periodically transferred to a single local high side database (Tier III) which collects all information dependencies within the organization n Similarly, this is transmitted securely up the chain n Integrity - Service - Excellence

Source / Sink Lightweight Databases 13 May 08 1058 B NIPR Network Cloud 13 May 08 1059 A Tag Asset 1 Asset 2 Asset 3 Information Source A Tag Request Response + Tag Integrity - Service - Excellence Information Sink B

Central Authority Process n n n n Links information asset sources and sinks Determine all information dependencies Provides the capability to immediately notify downstream information consumers when an incident occurs Consuming organizations periodically download an encrypted message from the central authority Possible to calculate an aggregate enterprise-wide valuation for each information asset Consuming organizations are now accountable for identifying critical information resources Lesson learned can be shared Integrity - Service - Excellence

Host Based System Security (HBSS) An HIDS for workstations and servers n Mandated to be installed on all Do. D nodes n Collects n Authentication information n Utilization of applications n File/System level access n n Does Virus checking n Firewall monitoring n Malicious Traffic monitoring n n Standard configuration enforcement Multi-tier level reporting n Enables tag insertion and collection n (Gregory & Hensley 2007) Integrity - Service - Excellence

Proposed CIMIA System Architecture Anticipation Secure Internet - Tier 2 and Tier 1 reporting Host IDS / HBSS IDS data Data System/ Server Logs Mission relevant information in time and place relevant to users mission needs for greater situational awareness Web / HTTP Logs Local CIMIA agent Data Collection Perception File, Server, System Access, Audit Logs, HTTP requests, Email exchange, policies Network data tagging Attack 1 Low side mission Attack 2 Attack n Intrusion, Compromise, Equipment Failure A Priori Knowledge Base CIMIA Server / Asset Value database METL Anticipation Potential Attacks Equip monitoring Secure Enclave / High Side System Mission criticality / value assessed through C-CAP and correlated to mission relevance Comprehension Model matching algorithm data One-way trusted Guard Comprehension Tier 2 and 1 HBSS data for HBSS Tier 3 – evidence reportin g Host configuration

Conclusions The research highlights the importance of documenting a formal risk assessment n CIMIA can significantly improve the accuracy and timeliness of impact assessment n Information asset identification is the first step in the CIMIA process n Information asset tagging provides a mechanism to automate a portion of the task n HBSS provides a vehicle for information tagging n Prototype underway to show proof of concept n Integrity - Service - Excellence

Questions Michael R. Grimaila, Ph. D, CISM, CISSP, NSA IAM/IEM Center for Cyberspace Research Air Force Institute of Technology Wright-Patterson AFB, OH 45433 -7765 Michael. Grimaila@afit. af. mil Integrity - Service - Excellence