
Emerging Cybersecurity Technologies


By: Amy Wees

CSEC670

June 9, 2013


Abstract: Advanced cyberattacks on the public and private sectors at the local, national, and international level have prompted an increase in funding and support for the study of emerging cybersecurity technologies.  This paper discusses the emerging technologies and strategies that can be integrated across the public and private sectors to improve cybersecurity on a local, national, and international level.  New technologies need to assess networks dynamically and in real time, such as through the use of remote agents and real-time forensic analysis.  These technologies also need to make the attack space less predictable and constantly evolving, such as through the use of moving target defense.

Emerging Cybersecurity Technologies

The E-government Act of 2000 was signed by President Bush to move toward a more 24-7 government.  The dream was to eliminate the need to stand in line at the DMV for half a day just to pay annual vehicle registration fees (Barker, 2011).  Security was certainly a concern, but it was not at the forefront of the move, as government agencies would go through massive changes in equipment, manning, and practices in order to move information and programs online.  Now, over a decade later, we still see such moves and changes taking place, such as the Department of Veterans Affairs recently moving all of its applications, forms, and records online.  The high cost of getting the government caught up was expected with such an overhaul of the system; however, the U.S. should have spent more on cybersecurity and had to learn this lesson the hard way.  The recent breaches by Anonymous of the FBI's and the Department of Homeland Security's systems were disappointing, as these are the two government agencies tasked with taking on cybercrime (Novasti, 2012).  How can the government expect to control the protection of SCADA systems for critical infrastructure, as recently proposed by Congress, if it cannot protect its own assets (Associated Press, 2012)?  Annual Federal Information Security Management Act (FISMA) audits still point to lax practices (US SEC, 2011).

In 2009, President Obama called for a malware-based cyberattack against the computer networks of Iran's nuclear program through the use of the Stuxnet worm, which has been noted as the first use of cyber capabilities as a weapon by the US.  More recently, Iran has experienced further cyberattacks linked to its nuclear systems and operations (Airdemon, 2010).

Advanced Persistent Threats (APTs) have changed the cybersecurity game, as APT attacks can be so sophisticated that many well-known techniques for detection and mitigation may not be effective against them.  An APT that utilizes targeted exploitation code leveraging zero-day vulnerabilities will not be detected by intrusion detection systems and anti-virus products (Casey, 2011).  The issue is that once the malware is detected, it might not be obvious how long the malware was operational.  Further, in the case of an APT, it cannot be determined whether the discovered malware is the entirety of the compromise: the APT might leverage multiple malware tools so that state-sponsored attackers can maintain access.  With the aforementioned attacks on critical infrastructures and government systems, as well as an overall increase in the complexity of cyberattacks, governments at the international level have come to consider cybersecurity more crucial than ever before.

This paper discusses the emerging technologies and strategies that can be integrated across public and private sectors to improve cybersecurity on a local, national, and international level.  New technologies need to assess networks dynamically and in real time, such as through the use of remote agents and real-time forensic analysis.  These technologies also need to make the attack space less predictable and constantly evolving, such as through the use of moving target defense.

Moving Target Technologies

Moving Target (MT) technologies aim to constantly change the attack surface of a network, increasing the cost for an attacker and decreasing the predictability of, and the vulnerabilities present in, the network at any given time (NITRD, 2013).  The problem with most networks today, in terms of cybersecurity, is that they are static and therefore an easy target for an attacker to analyze over time while strategizing on the best way to capitalize on vulnerabilities.  Moving target defenses allow the network to continually change its configuration and environmental values (Grec, 2012).

For example, an organization could change the network's IP addresses, operating systems, open ports and protocols, and many other aspects of the environment.  This way, when an attacker scans the network, the scans are not consistent from one time to the next, and if an attack is launched, the chances of successful penetration are severely reduced because of the dynamic changes in the environment.  The MT defense could also react to an attack by reducing the areas of the network known to or accessed by the attacker (Grec, 2012).

The most difficult challenge in using MT is maintaining an operational network for users during the changes while minimizing the costs involved.  The JumpSoft Company has created a subscription-based MT defense package called "JumpCenter."  JumpCenter uses reactive and adaptive automated systems that reduce the attack surface.  The concept behind JumpCenter and MT defenses in general is to maximize the cost and risk to the attacker.  JumpCenter keeps the network operational by deploying in the application layer.  The application layer is the more exploitable layer because it is updated regularly through vendor releases, each of which can introduce exploitable flaws.  JumpSoft adds the argument that downed applications have a harder impact on the mission, because the loss of one application can bring down the business (JumpSoft, 2013).
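The port-hopping mechanism described in the preceding paragraphs, as an added illustration that is not part of the original paper and is not JumpSoft's or any vendor's code: service ports are re-derived every epoch from a shared secret with an HMAC, so authorised clients can still find a service (the operational-continuity problem mentioned above) while a port scan taken in one epoch is stale in the next. The service names, port range, secret and epoch length are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed example: three services protected by a moving-target defense
# that re-maps their listening ports every epoch (e.g. every few minutes).
SERVICES = ["web", "ssh", "db"]
PORT_RANGE = (20000, 60000)
SHARED_SECRET = b"constructed-demo-secret"  # placeholder; a real deployment provisions this


def current_port(secret: bytes, service: str, epoch: int) -> int:
    """Port `service` listens on during `epoch`, derived with an HMAC so that
    authorised clients holding `secret` can compute it, while an outside
    scanner only sees a snapshot that is valid for a single epoch."""
    tag = hmac.new(secret, f"{service}:{epoch}".encode(), hashlib.sha256).digest()
    span = PORT_RANGE[1] - PORT_RANGE[0]
    return PORT_RANGE[0] + int.from_bytes(tag[:4], "big") % span


def network_view(secret: bytes, epoch: int) -> dict:
    """The attack surface as a port scan would record it at `epoch`: port -> service."""
    return {current_port(secret, s, epoch): s for s in SERVICES}


def client_connect(secret: bytes, service: str, epoch: int) -> bool:
    """An authorised client derives the port itself; True if it lands on the
    intended service, which is what keeps the network usable while it moves."""
    return network_view(secret, epoch).get(current_port(secret, service, epoch)) == service


def stale_scan_hits(secret: bytes, recon_epoch: int, attack_epoch: int) -> list:
    """Services still reachable at `attack_epoch` by someone acting on a scan
    taken at `recon_epoch`. A defender uses this to measure how much one
    rotation shrinks the window of opportunity."""
    recon = network_view(secret, recon_epoch)
    live = network_view(secret, attack_epoch)
    return sorted(live[p] for p in recon if p in live)


if __name__ == "__main__":
    for epoch in (1, 2):
        print(f"epoch {epoch}: {network_view(SHARED_SECRET, epoch)}")
    print("services reachable from a one-epoch-old scan:", stale_scan_hits(SHARED_SECRET, 1, 2))
```

In practice the epoch would be tied to a synchronised clock and the rotation would be applied at the firewall or load balancer rather than by restarting listeners, but the measurement is the same: the value of reconnaissance decays with every rotation.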

Government Support of Moving Target Technologies

In January of 2011, the President's Council of Advisors on Science and Technology sponsored the work of the Networking and Information Technology Research and Development (NITRD) program.  NITRD has identified emerging technologies such as MT as a Federal Cybersecurity Game Change research and development project (NITRD, 2013).  The government's efforts to support NITRD and other research partners in developing MT technologies support the efforts of the public and private sectors to redefine security in the cyber domain.

For example, in 2011 Professor Scott DeLoach of Kansas State received a $1 million grant from the Air Force Office of Scientific Research to study MT (Chabrow, 2012).  Intelligent defenses can change the military's reactive position on cyber to an active one, giving it the upper hand on the adversary.  If military networks can be made unpredictable through the use of MT, the chances of cyber-attacks and APTs succeeding are lessened.

Remote Agent Technologies

Remote agents, also known as mobile agents, can actively monitor a network's security.  Active monitoring is necessary because a network that is not updated with the latest patches has been shown to be reactive and ineffective against today's cyber threats.  Additionally, large networks are nearly impossible for a system administrator to monitor successfully, as most are made up of multiple nodes, each with constantly changing system configurations and users (Tripathi, Ahmed, Pathak, Carney & Dokas, 2002).  Remote agents can conduct centralized testing of network security from a remote client or server without a large manpower or travel cost requirement.  Most importantly, remote agents can run network tests without using unsecure firewall protocols (UMUC, 2012).

Currently, many organizations use network monitoring tools based on SNMP, or the occasional execution of scripts written in response to known network threats, which require tedious and complicated updates in order to remain current and valid.  Both SNMP agents and script-based monitoring procedures offer limited functionality and require specially trained administrators to comb through logs and write updates (Tripathi, Ahmed, Pathak, Carney & Dokas, 2002).

In response to these network monitoring difficulties, a team of students at the University of Minnesota worked under a grant from the National Science Foundation to develop a framework for mobile agent network monitoring using the Ajanta mobile agent system.  The Ajanta mobile agents can remotely filter information and alter system functions.  They use a centralized database to detect and compare system events to ensure policies are enforced.  Using Ajanta, administrators can securely make changes to an agent’s monitoring and filtering rule sets as well as dynamically remove or add new agents to an area of the network based on events triggered.  The model presented contains different types of agents that can monitor, subscribe, audit or inspect.

Perhaps the largest difference between traditional SNMP monitoring systems and a remote agent system is the ability of a remote agent to relate one event to another in the system, generate an alert in the log file, and raise the awareness or threat levels of other agents.  For example, if one agent detects a user logging in with multiple accounts and another, auditor agent detects a subsequent remote or console login in the event registry, a password or security compromise can be detected.  In another example of a system reaction driven by an agent, an auditor agent is sent to the login event subscriber by a management station.  When root login events pass a predefined threshold, an alert is sent back to the manager to raise the alert level on the system (Tripathi, Ahmed, Pathak, Carney & Dokas, 2002).  All of this can be done without a system administrator's intervention or brain power.
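The two correlation scenarios in the paragraph above, as an added example that is not part of the original paper and is not the Ajanta framework's code: a login-event subscriber forwards events to an auditor agent, which (a) flags a source that has authenticated as several accounts and then opens a remote session, and (b) reports to the management station when root logins pass a threshold, raising the system alert level. The log format, host names, addresses and the threshold of three are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of host login events as monitor agents would forward them.
SAMPLE_LOG = """\
2013-06-09T10:00:01 host=ws12 event=login user=alice src=10.0.0.5 type=console
2013-06-09T10:02:10 host=ws12 event=login user=bob src=10.0.0.5 type=console
2013-06-09T10:03:44 host=srv1 event=login user=bob src=10.0.0.5 type=remote
2013-06-09T10:05:00 host=srv1 event=login user=root src=10.0.0.9 type=console
2013-06-09T10:05:30 host=srv2 event=login user=root src=10.0.0.9 type=console
2013-06-09T10:06:01 host=srv3 event=login user=root src=10.0.0.9 type=remote
2013-06-09T10:07:00 host=ws12 event=logout user=bob src=10.0.0.5 type=console
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) type=(?P<kind>\S+)$"
)


def parse_event(line: str):
    """One log line -> dict of fields, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


class ManagementStation:
    """Receives alerts from agents and keeps the system-wide alert level."""
    def __init__(self):
        self.alert_level = 0
        self.alerts = []

    def raise_alert(self, message: str, severity: int):
        self.alerts.append(message)
        self.alert_level += severity


class AuditorAgent:
    """Correlates events that a single host monitor could not relate on its own."""
    def __init__(self, manager: ManagementStation, root_threshold: int = 3):
        self.manager = manager
        self.root_threshold = root_threshold
        self.accounts_by_src = defaultdict(set)  # source address -> accounts it logged in as
        self.root_logins = 0

    def observe(self, ev: dict):
        self.accounts_by_src[ev["src"]].add(ev["user"])
        used = self.accounts_by_src[ev["src"]]
        # Rule 1: one source has used several accounts and now opens a remote session.
        if ev["kind"] == "remote" and len(used) > 1:
            self.manager.raise_alert(
                f"possible credential compromise: {ev['src']} used {sorted(used)} "
                f"then logged in remotely to {ev['host']} at {ev['ts']}", severity=1)
        # Rule 2: root logins across the network reach the predefined threshold.
        if ev["user"] == "root":
            self.root_logins += 1
            if self.root_logins == self.root_threshold:
                self.manager.raise_alert(
                    f"root login threshold ({self.root_threshold}) reached at {ev['ts']}",
                    severity=2)


class LoginSubscriber:
    """Subscribes to raw host events and forwards only logins to attached auditors."""
    def __init__(self):
        self.auditors = []

    def attach(self, auditor: AuditorAgent):
        self.auditors.append(auditor)

    def publish(self, ev):
        if ev and ev["event"] == "login":
            for auditor in self.auditors:
                auditor.observe(ev)


def run_agents(log_text: str, root_threshold: int = 3) -> ManagementStation:
    """Wire the agents together, feed them the log, and return the management station."""
    manager = ManagementStation()
    subscriber = LoginSubscriber()
    subscriber.attach(AuditorAgent(manager, root_threshold))
    for line in log_text.splitlines():
        subscriber.publish(parse_event(line))
    return manager


if __name__ == "__main__":
    station = run_agents(SAMPLE_LOG)
    print("alert level:", station.alert_level)
    for alert in station.alerts:
        print(" -", alert)
```

On the sample, the third line triggers the credential-compromise rule (10.0.0.5 used alice and bob, then logged in remotely to srv1) and the sixth triggers the root threshold, leaving the station at alert level 3; the logout line is filtered out by the subscriber before the auditor sees it.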

Government Support for Remote Agent Technologies

The government can benefit from the advancement of remote monitoring capabilities, as the largest and most complex networks are government owned and operated.  There are many coalition military networks that cross the boundaries of multiple countries.  The monitoring and security of these government defense networks is in the best interest of everyone involved.

The ability to monitor classified defense networks to this level of clarity across international domains could aid in preventing insider leaks such as Bradley Manning's leak of military intelligence data to Wikileaks in 2010.  Although Manning was prosecuted, Wikileaks founder Assange has yet to be prosecuted for publishing classified material on the Internet (Wu, 2011).  Until international cyber laws and jurisdiction are better defined, it is in the best interest of all governments to find ways to successfully and dynamically monitor their networks for signs of attack or breach.

Real-Time Forensic Analysis

The use of computer forensic tools in criminal proceedings has proven necessary for making a case in today's digital world.  Also related to network monitoring is real-time forensic analysis, an investigative approach for maintaining situational awareness and continuous observation of the network (UMUC, 2012).  While remote agent monitoring actively monitors the network and takes the necessary action to correlate threats and increase defenses, real-time forensic analysis allows an incident to be reproduced and the cause and effect of the event to be analyzed further (UMUC, 2012).

A Network Forensics Analysis Tool (NFAT) prepares the network for forensic analysis, eases monitoring, and makes it convenient to identify security violations and configuration flaws.  The information found when analyzing network traffic can also contribute background data to other events (Corey, Peterman, Shearin, Greenberg, & Van Bokkelen, 2002).

In addition to monitoring the network, network forensics has many practical uses.  For example, health care agencies fall under the Health Insurance Portability and Accountability Act, which requires that information passed between networks be monitored.  Although not all of the information provided by an NFAT may be necessary, in legal situations it is better to have more information than not enough.  An NFAT can also allow for the recovery of lost data when other backup methods fail, and for repeatable analysis of traffic anomalies or system errors (Corey, Peterman, Shearin, Greenberg, & Van Bokkelen, 2002).
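The three NFAT capabilities named in the preceding paragraphs (identifying security violations and configuration flaws, reproducing an incident from recorded traffic, and the monitoring of data passing between networks that the paper ties to HIPAA), as an added example that is not part of the original paper and is not any real NFAT product's code. It records constructed flow summaries, flags flows against a small policy, and replays the flows inside an incident window. The network ranges, the approved-service inventory, the cleartext port list and the byte threshold are assumptions made for the demonstration.

```python
import ipaddress
from datetime import datetime

# Constructed flow records: timestamp,src,dst,dst_port,proto,bytes
SAMPLE_FLOWS = """\
2013-06-09T14:00:00,10.1.1.20,10.2.2.5,443,tcp,5120
2013-06-09T14:00:05,10.1.1.21,10.2.2.5,23,tcp,300
2013-06-09T14:00:09,10.1.1.20,203.0.113.9,80,tcp,98000
2013-06-09T14:01:00,10.1.1.23,10.2.2.5,8080,tcp,4000
2013-06-09T14:03:00,10.1.1.22,10.2.2.5,22,tcp,1200
"""

# Policy assumptions for the example (placeholders, not taken from any real deployment).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PHI_NET = ipaddress.ip_network("10.2.2.0/24")        # segment that handles health records
CLEARTEXT_PORTS = {21, 23, 80}                       # protocols that carry data unencrypted
APPROVED_SERVICES = {"10.2.2.5": {22, 443}}          # inventory of sanctioned listeners
OUTBOUND_BYTES_LIMIT = 50_000                        # per-flow volume that warrants a look


def ingest(text: str) -> list:
    """Parse the flow log into records with real timestamps so they can be replayed later."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def findings(flows: list) -> list:
    """Security violations and configuration flaws, as (timestamp, reasons) per flagged flow."""
    out = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        reasons = []
        # Violation: unencrypted protocol reaching the segment that carries health data.
        if dst in PHI_NET and f["port"] in CLEARTEXT_PORTS:
            reasons.append("cleartext protocol to PHI segment")
        # Configuration flaw: a listener that is not in the approved inventory for that host.
        if f["dst"] in APPROVED_SERVICES and f["port"] not in APPROVED_SERVICES[f["dst"]]:
            reasons.append("unapproved listener (configuration flaw)")
        # Background data for other events: unusually large transfer leaving the network.
        if src in INTERNAL and dst not in INTERNAL and f["bytes"] > OUTBOUND_BYTES_LIMIT:
            reasons.append("large outbound transfer")
        if reasons:
            out.append((f["ts"].isoformat(), reasons))
    return out


def reconstruct(flows: list, start: str, end: str) -> list:
    """Replay the recorded flows inside an incident window, oldest first."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted((f for f in flows if lo <= f["ts"] <= hi), key=lambda f: f["ts"])


if __name__ == "__main__":
    recorded = ingest(SAMPLE_FLOWS)
    for ts, reasons in findings(recorded):
        print(ts, "->", "; ".join(reasons))
    print("flows in the first ten seconds:",
          [(f["src"], f["dst"], f["port"]) for f in reconstruct(recorded, "2013-06-09T14:00:00", "2013-06-09T14:00:10")])
```

The same record store serves both purposes the paper describes: the findings are the monitoring output, and the window replay is what an analyst uses to reproduce the sequence of events once one of those findings becomes an incident.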

Government Support of Real-time Forensic Analysis

Government support of real-time forensic analysis is most obvious in the state and federal criminal justice sectors, as forensic analysis is a regular part of legal proceedings and police agencies have expanded to include entire divisions devoted to computer forensics.  The question remains whether governments, from the local to the international level, should be concerned with real-time forensic analysis outside of the criminal justice realm.  Forensic analysis makes sense from a network defense perspective, as governments can learn more about emerging threats by conducting an in-depth analysis of them.

In 2006, the National Science Foundation and DARPA funded a project at Columbia University to create an Email Mining Toolkit (EMT) in support of law enforcement and other government research.  The EMT allows email traffic to be analyzed for outside communications, social interactions, and specific attachments.  According to the report, EMT is in use by many organizations (Stolfo, Creamer, & Hershkop, 2006).

Since 1999, DARPA has funded numerous information assurance experiments using live red, blue, and white teams to simulate attackers, responders, and users during cyber-attack events such as denial of service, malware, and other threats known from intelligence data to be in use by the adversary (Levin, 2003).  Real-time forensic analysis has allowed the blue team to detect and analyze the red team's efforts early, and has contributed lessons learned for future responses.

Conclusion

The responsibility to protect public and private assets on a local, national, and international level cannot fall solely on the government.  Through the cooperative use of government, scientific, and academic programs, emerging technologies can be brought to the forefront to secure cyber assets dynamically and in real time.  Increased and continuing cooperation to fine-tune moving target defenses, remote agent technologies, and real-time forensic analysis will ensure these technologies can be implemented across sectors to protect against emerging threats now and into the future.


References:

Airdemon. (2010). Stuxnet worm. Retrieved from http://www.airdemon.net/stuxnet.html

Associated Press. (2012, February 6). Bigger U.S. role against companies’ cyber threats? Retrieved February 25, 2012, from Shreveport Times: http://www.shreveporttimes.com/article/20120206/NEWS03/120206009/Bigger-U-S-role-against-companies-cyberthreats-?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE

Barker, W. C. (2011). E-Government Security Issues and Measures. In H. Bidgoli, Handbook of Information Security (pp. 97-107). Hoboken: John Wiley & Sons.

Casey, E. (2011). Handbook of digital forensics and investigation. Burlington: Academic Press.

Chabrow, E. (2012). Intelligent defense against intruders. Government Information Security, Information Security Media Group, Corp. Retrieved from http://www.govinfosecurity.com/interviews/intelligent-defense-against-intruders-i-1565

Corey, V., Peterman, C., Shearin, S., Greenberg, M. S., & Van Bokkelen, J. (2002). Network forensics analysis. IEEE Internet Computing, 6(6), 60-66.

Grec, S. (2012, May 23). Is moving-target defense a security game changer? Retrieved from https://www.novainfosec.com/2012/05/23/is-moving-target-defense-a-security-game-changer/

JumpSoft. (2013). Cyber moving target defense. Retrieved from http://www.jumpsoft.net/solutions/moving-target-defense/

Levin, D. (2003, April). Lessons learned in using live red teams in IA experiments. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings (Vol. 1, pp. 110-119). IEEE.

NITRD. (2013). Moving target. Retrieved from http://cybersecurity.nitrd.gov/page/moving-target

Stolfo, S. J., Creamer, G., & Hershkop, S. (2006, May). A temporal based forensic analysis of electronic communication. In Proceedings of the 2006 international conference on Digital government research (pp. 23-24). Digital Government Society of North America.

Tripathi, A., Ahmed, T., Pathak, S., Carney, M., & Dokas, P. (2002). Paradigms for mobile agent based active monitoring of network systems. In Network Operations and Management Symposium, 2002. NOMS 2002. 2002 IEEE/IFIP (pp. 65-78). IEEE.

TV-Novasti. (2012, January 20). FBI Website Crippled by Anonymous. Retrieved February 14, 2012, from rt.com: http://rt.com/usa/news/crippled-fbi-megaupload-anonymous-239/

UMUC. (2012). Module 7: The future of cybersecurity technology and policy. Retrieved from the online classroom https://tychousa.umuc.edu

U.S. Securities and Exchange Commission. (2011). 2010 Annual FISMA Executive Summary Report. Washington D.C.: U.S. Securities and Exchange Commission.

Wu, T. (2011, February 4). Drop the Case Against Assange. Retrieved February 27, 2012, from Foreign Policy: http://www.foreignpolicy.com/articles/2011/02/04/drop_the_case_against_assange?page=0,0
