Appendix D
Summary of Recent Naval Operations and Department of Defense Reports Related to Information Assurance
The Committee on Information Assurance for Network-Centric Naval Forces was provided an overview briefing on a number of information assurance studies conducted for the Department of the Navy in recent years.1 Below is a summary of the most recent relevant reports.2
REPORTS PUBLISHED IN 2007
Overview of Data in NCDOC’s Prometheus Database
Authors: C.A. Davis and B. Behrens
Abstract: This document catalogs the data that the Navy Cyber Defense Operations Command (NCDOC) currently collects for use in intrusion detection and forensic analysis. The report provides background material for future reference. It documents the source of the data and how they are collected, processed, and ultimately stored in the NCDOC “Prometheus” database.
Operationalizing Information Assurance into Computer Network Defense
Authors: S.W. Young and C.A. Davis
Abstract: The Department of Defense defines the computer network defense (CND) mission as “actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks.” In support of this mission, the Naval Network Warfare Command (NETWARCOM) has drafted a CND concept of operations (CONOPS). The CONOPS lays out a six-step process for CND. As the Navy’s CND service provider, the Navy Cyber Defense Operations Command (NCDOC) implements the CND process on Navy-owned networks through its own operational processes and supporting technologies.
Security Information Management for Enclave Networks
Author: R. McQuaid
Abstract: The Air Force enterprise contains networks that are bandwidth-limited, intermittently attached, and/or internally constrained enclaves. These constrained network environments will not support commercial security information management (SIM) feeds and sensors. Recent threat activities have highlighted the need for an information assurance solution that provides consistent SIM-centric monitoring for these enclave networks. This research will improve current SIM deployments within the Air Force by addressing limitations in commercial products. It will influence commercial SIM vendors and the Air Force SIM strategy. By providing IA monitoring to networks that cannot benefit from a centralized SIM, this research will extend the power of SIM technology to the edge of the Air Force enterprise.
Malware Phylogenetics
Authors: P. Chase and D. Beck
Abstract: The nature of malware threats has evolved from widespread outbreaks for the sake of notoriety to large numbers of targeted attacks motivated by economic gain. In this environment it is critical for end users, researchers, investigators, and security tool vendors to have a better understanding of the relationships between malware families and variants in order to improve detection, protection, and response. Understanding the evolutionary relationships between malware threats may provide improved prediction and protection for end users. It may suggest attribution leads and facilitate the reuse of previous analyses by malware analysts and criminal investigators. It could provide a more rigorous basis for naming malware by security vendors, thereby reducing confusion during malware outbreaks and promoting correlation across security tools.
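The abstract above argues for recovering relationships between malware families and variants. The following is an added example written for this appendix, not code from the report it summarizes: samples are compared by the Jaccard similarity of their byte 4-gram sets and joined by average-linkage clustering, which yields a tree that reads like a crude phylogeny and can be cut at a similarity threshold to propose family groupings. The sample byte strings, the 4-gram feature, the 0.5 cut threshold and the names are all constructed for illustration.

```python
"""Added illustration of grouping malware variants by shared content.
Written for this appendix; it is not the method of the report summarized
above. Samples are compared by the Jaccard similarity of their byte
4-gram sets and joined by average-linkage clustering, which yields a
tree that reads like a crude phylogeny. All byte strings are constructed."""


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of all length-n byte substrings of a sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """|A & B| / |A | B|; 1.0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster_samples(samples: dict, n: int = 4):
    """Average-linkage agglomerative clustering. Leaves are sample names;
    internal nodes are (left, right, similarity_at_merge)."""
    feats = {name: ngrams(b, n) for name, b in samples.items()}
    clusters = [(name, [name]) for name in sorted(samples)]  # (tree, members)
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                (_, ma), (_, mb) = clusters[i], clusters[j]
                sim = sum(jaccard(feats[x], feats[y]) for x in ma for y in mb) / (len(ma) * len(mb))
                if best is None or sim > best[0]:
                    best = (sim, i, j)
        sim, i, j = best
        merged = ((clusters[i][0], clusters[j][0], round(sim, 3)), clusters[i][1] + clusters[j][1])
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return clusters[0][0]


def leaves(tree):
    """Sample names under a (sub)tree, left to right."""
    return [tree] if isinstance(tree, str) else leaves(tree[0]) + leaves(tree[1])


def families(tree, threshold: float):
    """Cut the tree wherever siblings merged below `threshold`; each
    remaining subtree is one family (a candidate shared name for its members)."""
    if isinstance(tree, str):
        return [[tree]]
    left, right, sim = tree
    if sim >= threshold:
        return [sorted(leaves(tree))]
    return families(left, threshold) + families(right, threshold)


# Constructed samples: a base "binary", two patched descendants, one unrelated file.
BASE = bytes(range(64)) * 4
SAMPLES = {
    "fam_a_v1": BASE,
    "fam_a_v2": BASE[:100] + b"\xde\xad\xbe\xef" + BASE[104:],
    "fam_a_v3": BASE[:100] + b"\xde\xad\xbe\xef" + BASE[104:200] + b"\x90" * 8 + BASE[208:],
    "unrelated": bytes((i * 37 + 11) % 256 for i in range(256)),
}

if __name__ == "__main__":
    tree = cluster_samples(SAMPLES)
    print(tree)
    print(families(tree, 0.5))
```

On the constructed samples the two patched variants merge first (they share every 4-gram of the base plus the first patch), the base joins them next, and the unrelated file is attached last at similarity 0.0, so a cut at 0.5 yields one three-member family and one singleton. Byte n-grams are deliberately simple; packing or recompilation defeats them, which is why production work uses features such as extracted strings, API call sets or control-flow fragments instead.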
Cross-Boundary Information Sharing
Author: L. Notargiacomo
Abstract: The CIIS Cross Boundary Information Sharing (XBIS) Initiative is a coordinated set of activities at the MITRE Corporation to address critical information-sharing problems facing the intelligence community, the Department of Defense, and other MITRE sponsors. This initiative currently focuses on developing an integrated technical laboratory that defines and implements key scenarios that illustrate enablers for and impediments to effective information sharing. The XBIS Laboratory integrates different technologies that enhance information sharing across organizational and classification security boundaries. To demonstrate the capabilities of these technologies, the laboratory provides the ability to simulate many domains and to share information among them. The laboratory architecture supports both integrated scenarios and stand-alone demonstrations, and allows the facility to showcase solutions available today and in the near future.
Navy/OSD Collaborative Review of Acquisition Policy for DoD C3I and Weapons Programs
Authors: D. Gonzales, E. Landree, J. Hollywood, S. Berner, and C. Wong
Abstract: This briefing reviews current U.S. Department of Defense (DOD) policy for ensuring interoperability and information assurance of command, control, communication, intelligence (C3I) and weapons systems. DOD interoperability, information assurance, acquisition, and joint requirement policy are reviewed. This review identifies ambiguities, conflicts, overlaps, and shortfalls in DOD policy and recommends solutions for clarifying policy and remedying other shortcomings. The authors find that interoperability-related policy issuance has sharply increased in recent years and that it includes conflicts and redundancies. They also find that Global Information Grid (GIG) technical guidance is still evolving because of continuing advances and change in networking and software technologies. The authors recommend reducing the number of policies and increasing their actionability and traceability. They also recommend that technology risk levels be developed for GIG functional areas, that these be used to track GIG programs during development, and that network-centric implementation documents more carefully define the capabilities for core GIG enterprise services and specify the technical standards with which GIG programs will have to comply for interoperability.
REPORTS PUBLISHED IN 2006
Alarm Types and Sensor Placement: Effects on Computer Network Defense Operations
Author: S.W. Young
Abstract: In the near future, real-time computer network defense (CND) will be an integral part of military operations. Because the Navy is relying more and more on information technology to move large amounts of data quickly, it must protect that information from compromise, especially when confronting near-peer competitors with known information operations capabilities. To maintain the confidentiality of plans and operations, the Navy needs a real-time intrusion-detection capability to prevent ongoing attacks from exfiltrating sensitive information such as plans and logistics or denying the use of critical information assets. Today, however, most CND in the Navy is on a non-real-time basis.
A Guide for Assessing Navy Enterprise Information Technology
Authors: J.C. Fauntleroy, L.H. Beard, D.A. Birchler, and L.L. Harle
Abstract: Increasingly, within the vision of network-centric warfare, enterprise networks and capabilities are key to the Navy’s achievement of greater coordination and efficiencies in warfare and business functions. To achieve these information technology (IT) and network-related capabilities and efficiencies, expanding enterprise IT (EIT) capabilities must serve the greater needs of the Navy. They must be affordable, given the Navy’s many other funding concerns, and adaptable, given the rapid development of new technologies and the many uses for them. The evaluation and assessment of IT and EIT are particularly challenging because of the well-known difficulty in properly estimating return on investment, which lies in the functional mission lanes. From an EIT assessment perspective, there is a lack of visibility into those lanes. The challenge and responsibility to assess EIT investments in the Navy lie with the Assistant Chief of Naval Operations, Information Technology (ACNO-IT), a relatively new organization established to better manage EIT assets and their development. Much of what constitutes EIT in the Navy still resides within the domain of functional area managers, but with the establishment of the ACNO-IT the Navy is seeing a shift in responsibility for enterprise-wide capabilities and their resourcing.
Detecting Malicious Insiders in Military Networks
Author: M. Maybury
Abstract: Given that a network is only as strong as its weakest link, a key vulnerability to network-centric warfare is the threat from within. This paper summarizes several recent efforts of the MITRE Corporation focused on characterizing and automatically detecting malicious insiders (MIs) within modern information systems. Malicious insiders adversely impact an organization’s mission through a range of actions that compromise information confidentiality, integrity, and/or availability. Their strong organizational knowledge, varying range of abusive behaviors, and ability to exploit legitimate access make their detection particularly challenging. Crucial balances must be struck while performing MI detection. Detection accuracy must be weighed against minimizing time to detect, and aggregating diverse audit data must be balanced against the need to protect the data from abuse. Key lessons learned from MITRE’s MI research include the need to understand the context of the user’s actions, the need to establish models of normal behavior, the need to reduce the time to detect malicious behavior, the value of non-cyber-observables, and the importance of real-world data collections to evaluate potential solutions.
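The lessons listed in the abstract (a model of normal behavior, the user's context, and non-cyber observables) are illustrated by the following added example, written for this appendix and not MITRE's detection system. A per-user baseline of working hours, hosts and daily data volume is learned from an audit log, each later day is scored against it, and an HR flag is folded in as context. The log format, the weights, the z-score threshold of 3 and the HR flag are all assumed, and every log line is constructed.

```python
"""Added illustration of the 'model of normal behavior' approach to
malicious-insider detection. Written for this appendix; it is not MITRE's
detection system. A per-user baseline is learned from an audit log, later
days are scored against it, and a non-cyber observable (an HR flag) is
folded in as context. All log lines are constructed."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed audit-log layout: "<ISO timestamp> user=<u> host=<h> action=<a> bytes=<n>"
LOG_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)"
)


def parse_log(lines):
    """Parse one event per line; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["bytes"] = int(e["bytes"])
            e["day"], e["hour"] = e["ts"][:10], int(e["ts"][11:13])
            events.append(e)
    return events


def build_profiles(events):
    """Per-user model of normal: hours of activity, hosts used, bytes per day."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "daily": defaultdict(int)})
    for e in events:
        p = profiles[e["user"]]
        p["hours"].add(e["hour"])
        p["hosts"].add(e["host"])
        p["daily"][e["day"]] += e["bytes"]
    return profiles


def score_day(profile, day_events, context=None):
    """Score one user's activity on one day against the baseline.
    The weights (3/1/1/2) and the z > 3 rule are assumed values."""
    score, reasons = 0, []
    daily = list(profile["daily"].values()) or [0]   # no baseline: any volume is anomalous
    mu, sd = mean(daily), pstdev(daily)
    total = sum(e["bytes"] for e in day_events)
    z = (total - mu) / sd if sd else (float("inf") if total > mu else 0.0)
    if z > 3:
        score += 3; reasons.append(f"volume z={z:.1f}")
    off_hours = {e["hour"] for e in day_events} - profile["hours"]
    if off_hours:
        score += 1; reasons.append(f"off-hours activity at {sorted(off_hours)}")
    new_hosts = {e["host"] for e in day_events} - profile["hosts"]
    if new_hosts:
        score += 1; reasons.append(f"unfamiliar hosts {sorted(new_hosts)}")
    if context and context.get("resignation_notice"):
        score += 2; reasons.append("context: resignation notice on file")
    return score, reasons


def analyze(lines, cutoff_day, context=None):
    """Learn baselines from events before cutoff_day; score every later (user, day)."""
    events = parse_log(lines)
    profiles = build_profiles(e for e in events if e["day"] < cutoff_day)
    per_day = defaultdict(list)
    for e in events:
        if e["day"] >= cutoff_day:
            per_day[(e["user"], e["day"])].append(e)
    return {key: score_day(profiles[key[0]], evs, (context or {}).get(key[0]))
            for key, evs in per_day.items()}


# Constructed audit log: five ordinary days, one ordinary day after the cutoff,
# then one large off-hours transfer from an unfamiliar host.
DAILY_TOTALS = [2_000_000, 2_200_000, 1_900_000, 2_100_000, 2_300_000]
SAMPLE_LOG = [
    f"2007-03-{5 + i:02d}T{h:02d}:00:00 user=jsmith host=ws07 action=read bytes={b}"
    for i, total in enumerate(DAILY_TOTALS)
    for h, b in ((9, total - 1_000_000), (10, 600_000), (14, 400_000))
] + [
    "2007-03-12T09:00:00 user=jsmith host=ws07 action=read bytes=1200000",
    "2007-03-12T10:00:00 user=jsmith host=ws07 action=read bytes=600000",
    "2007-03-12T14:00:00 user=jsmith host=ws07 action=read bytes=400000",
    "2007-03-13T02:10:00 user=jsmith host=vpn-gw action=read bytes=40000000",
    "malformed line that the parser should ignore",
]
HR_CONTEXT = {"jsmith": {"resignation_notice": True}}   # constructed non-cyber observable

if __name__ == "__main__":
    for (user, day), (score, reasons) in sorted(analyze(SAMPLE_LOG, "2007-03-12", HR_CONTEXT).items()):
        print(f"{day} {user}: score {score} {reasons}")
```

On the constructed log the ordinary day after the cutoff scores only the context weight, while the night transfer trips the volume, off-hours and unfamiliar-host rules. The baseline data is itself sensitive (it describes every user's habits), which is the data-protection tension the abstract mentions; in practice the profiles should be access-controlled like the audit data they summarize.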
Using Honeyclients for Detection and Response Against New Attacks
Author: K. Wang
Abstract: Exploits targeting vulnerabilities in client-side applications are a growing threat on today’s Internet. Commonly deployed detection technologies such as honeypots and intrusion-detection systems are useful for detecting server-side attacks but are not effective at detecting client-side attacks. At present there is no proactive client-side attack detection technology. Those using honeyclient technology will gain the capability to proactively detect client exploits in the wild. This project will develop a baseline honeyclient capability and document the ongoing costs of running a honeyclient installation so that informed decisions can be made about how best to apply honeyclient technologies as part of security awareness strategies.
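One common honeyclient design is to snapshot the client's state, drive the client at a URL, snapshot again, and treat any change outside the client's own scratch areas as evidence of a client-side exploit. The following added example, written for this appendix and not code from the honeyclient project the abstract describes, implements that snapshot-and-diff check over a directory tree. The "clients" are stand-ins that write files the way a browser or a drive-by download would, so nothing touches the network; the cache allowlist, the file layout and the dropped-payload names are all assumed.

```python
"""Added illustration of a state-change honeyclient check. Written for
this appendix, not code from the honeyclient project the abstract
describes. The honeyclient snapshots the client's state, drives the
client at a URL, snapshots again, and treats any change outside the
client's own scratch areas as evidence of a client-side exploit. The
'clients' here are stand-ins that write files the way a real browser or
a drive-by download would; no network access is needed."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root (posix-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_state(before: dict, after: dict, ignore_prefixes=("cache/",)):
    """List (kind, path) for files created, deleted or modified, skipping
    paths the client is expected to write (here: its cache). The allowlist
    is an assumed value and must stay short, or exploits hide inside it."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path.startswith(ignore_prefixes):
            continue
        if path not in before:
            changes.append(("created", path))
        elif path not in after:
            changes.append(("deleted", path))
        elif before[path] != after[path]:
            changes.append(("modified", path))
    return changes


def visit(root: Path, url: str, drive_client) -> dict:
    """One honeyclient iteration: snapshot, drive the client, snapshot, compare."""
    before = snapshot(root)
    drive_client(root, url)
    changes = diff_state(before, snapshot(root))
    return {"url": url, "suspicious": bool(changes), "changes": changes}


# Stand-in clients (constructed behaviour, not a real browser or exploit).
def benign_page(root: Path, url: str) -> None:
    (root / "cache").mkdir(exist_ok=True)
    (root / "cache" / "page.html").write_text(f"<html>{url}</html>")


def drive_by_download(root: Path, url: str) -> None:
    benign_page(root, url)                                   # the page renders normally...
    (root / "startup").mkdir(exist_ok=True)                  # ...but a payload is dropped
    (root / "startup" / "update.exe").write_bytes(b"MZ\x90\x00")
    (root / "etc" / "hosts").write_text("127.0.0.1 av-vendor.example\n")   # and hosts is hijacked


def run_demo() -> dict:
    """Visit the same URL with each stand-in client, each from a fresh baseline."""
    results = {}
    for label, client in (("benign", benign_page), ("malicious", drive_by_download)):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "etc").mkdir()
            (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
            results[label] = visit(root, "http://suspect.example/", client)
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, "suspicious" if r["suspicious"] else "clean", r["changes"])
```

A real deployment snapshots registry keys, running processes and network listeners as well as files, reverts the client to a clean image after every suspicious visit, and keeps the diff rather than the raw state so that the baseline itself does not become a disk-hungry cost of operation, which is the cost question the abstract sets out to document.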
Graph-Based Worm Detection on Operational Enterprise Networks
Authors: D. Ellis, J. Aiken, A. McLeod, D. Keppler, and P. Amman
Abstract: The most significant open challenge to the worm defense community is to develop a sensitive detection method that can detect new worms in real time with a tolerable false-alarm rate. This paper presents a graph-based detection system and validates it on operational enterprise network data. The authors argue that the result is significantly closer to solving this challenge than other published works.
The authors show that a graph-based approach to worm detection in an enterprise network can detect a broad range of active worms with a false-alarm rate of less than two times per day. The supporting analysis comes from running the detection algorithm on a real enterprise network. The sensitivity results are significantly better than what is reported in the literature. The authors can detect all active, fast-spreading unimodal worms, including hit-list, topological, subnet-scanning, and meta-server worms.
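The following added example, written for this appendix and not the algorithm of Ellis et al., shows the kind of structure a graph-based detector looks for: a worm that turns each victim into a new scanner leaves a causal tree of same-service connections in which a host that was just contacted on a port soon contacts others on that port, whereas normal traffic forms only short chains. The window, the width and depth thresholds and every flow record are constructed.

```python
"""Added illustration of graph-based worm detection over connection records.
This is a simplified example written for this appendix, not the algorithm
of Ellis et al.: a worm that turns each victim into a new scanner leaves a
causal tree of same-service connections, while normal traffic forms only
short chains. All flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: float     # seconds since start of capture
    src: str     # initiating host
    dst: str     # target host
    dport: int   # destination service port


def build_infection_trees(flows, window=5.0):
    """Attach each flow to the most recent earlier flow that targeted its
    source host on the same port within `window` seconds. Flows with no
    such parent start a new tree. Returns {root_flow: (hosts, max_depth)}
    where hosts are the distinct destinations reached within the tree."""
    inbound = defaultdict(list)   # (host, port) -> [(t, root, depth)], time-ordered
    trees = {}                    # root flow -> [set of hosts, max depth]
    for f in sorted(flows, key=lambda fl: fl.t):
        parent = None
        for t, root, depth in reversed(inbound[(f.src, f.dport)]):
            if f.t - t > window:
                break             # everything earlier is outside the window too
            if t < f.t:
                parent = (root, depth)
                break
        if parent is None:
            root, depth = f, 0
            trees[root] = [set(), 0]
        else:
            root, depth = parent[0], parent[1] + 1
        trees[root][0].add(f.dst)
        trees[root][1] = max(trees[root][1], depth)
        inbound[(f.dst, f.dport)].append((f.t, root, depth))
    return {r: (frozenset(h), d) for r, (h, d) in trees.items()}


def detect_worms(flows, window=5.0, min_hosts=5, min_depth=2):
    """Alarm on trees that are both wide (many distinct victims) and deep
    (victims that went on to contact others). The thresholds are assumed
    values; raising them trades sensitivity for fewer false alarms."""
    alarms = []
    for root, (hosts, depth) in build_infection_trees(flows, window).items():
        if len(hosts) >= min_hosts and depth >= min_depth:
            alarms.append((root.src, root.dport, len(hosts), depth))
    return alarms


SAMPLE_FLOWS = [  # constructed records, not data from any real network
    # ordinary web traffic: clients to a server, the server to its database
    Flow(1.0, "c1", "web", 443), Flow(2.0, "c2", "web", 443),
    Flow(2.5, "web", "db", 3306), Flow(3.0, "c3", "web", 443),
    # an admin hopping through a bastion: a short same-port chain, not a worm
    Flow(10.0, "admin", "bastion", 22), Flow(12.0, "bastion", "srv1", 22),
    # a worm: every new victim starts attacking the same service within seconds
    Flow(100.0, "w0", "h1", 445), Flow(101.0, "h1", "h2", 445),
    Flow(102.0, "h1", "h3", 445), Flow(103.0, "h2", "h4", 445),
    Flow(104.0, "h3", "h5", 445), Flow(105.0, "h4", "h6", 445),
]

if __name__ == "__main__":
    for src, port, n, depth in detect_worms(SAMPLE_FLOWS):
        print(f"worm-like tree rooted at {src} on port {port}: {n} hosts, depth {depth}")
```

On the constructed flows the web traffic produces four trivial trees, the SSH hop produces a two-host chain of depth 1, and only the port-445 cascade (six victims, depth 3) raises an alarm. The same-port rule is what keeps the web server's database call from being chained to the client requests; the depth requirement is what keeps a busy server (wide but shallow) from alarming. Those two thresholds are the knobs behind the false-alarm rate the abstract reports.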
REPORTS PUBLISHED IN 2005
Information Technology (IT) Defense, Exploitation, and Attack Study: Identifying Key Maritime IT Domain Technologies for Information Warfare
Authors: S.C. Karppi and H. Elitzur
Abstract: At the request of the Office of the Chief of Naval Operations N702, the Center for Naval Analyses (CNA) conducted a study to identify key potential future U.S. Navy and adversary sea-based/littoral information technologies that, if exploited or attacked, could appreciably alter the Navy’s ability to accomplish its Sea Power 21 (SP-21) missions in certain scenarios of interest. The authors refer to those consequential U.S. Navy and adversary technologies as the maritime information technology domain for information operations (IO). Those technologies are ones for which the Navy should build and maintain IO expertise to effectively carry out its SP-21 missions.
Toward More Meaningful Metrics for Computer Network Defense
Authors: D.P. Shea and S.W. Young
Abstract: Developing and implementing a set of practical and informative metrics for computer network defense (CND) pose significant challenges. A computer network, with the associated servers, routers, intrusion detection systems (IDSs), firewalls, and so on generates volumes of data on a daily basis, much of which might be used to form metrics. Likewise, the results of red-team assessments and exercises, and surveys of compliance with Department of Defense CND policies provide additional inputs. The challenges are deciding what decisions can be informed by metrics, selecting the set of variables to track, deciding how to collect and process the data, and finally interpreting the metric outputs and converting these into actionable steps that can head off a network attack or close a security technology gap.
Threats to the GIG and Some Initial Thoughts on Network Security
Authors: A. Hjelmfelt and A.R. Baldwin
Abstract: This document reviews potential threats against Navy information systems, current reports on computer and network incidents, and the types of information assurance practices needed to lessen the risks.
Navy Investments in Computer Network Defense: The Essential Components
Author: S.W. Young
Abstract: The Office of the Chief of Naval Operations N71 asked the Center for Naval Analyses (CNA) to help support the development of an investment strategy for computer network defense (CND). CND is one component of the Information Systems Security Program (ISSP), which is managed by Program Executive Office for Command, Control, Communications, Computers and Intelligence & Space/PMW 160IA and resource sponsored by OPNAV N71. This annotated brief presents some top-level recommendations for technology investments and the associated training programs and policy needed to support a comprehensive CND strategy. In examining technologies, the author uses both the effectiveness and the maturity level of the technologies as a gauge to determine which ones will be successful at performing the intended mission. Here, “maturity” refers to the experience level of the security community at large in understanding and applying the emerging technologies. “Effectiveness” is assessed by how well the technologies perform their designed tasks. One of the author’s fundamental assumptions in performing this analysis is that Internet Protocol version 6 (IPv6) and Internet Protocol Security (IPSec) will be implemented by the Department of Defense as currently planned. The rollout is scheduled to begin in fiscal year 2008. The briefer’s recommendations for security technologies are in line with these evolving capabilities.
REPORT PUBLISHED IN 2004
Engaging the Board: Corporate Governance and Information Assurance
Authors: A. Anhal, S. Daman, K. O’Brien, and A. Rathmell
Abstract: This report, prepared for and funded by the Information Assurance Advisory Council, analyzes the relationship between corporate governance and information assurance. The study examines the ways in which information assurance can be embedded into corporate risk management processes in the changing corporate governance environment. Corporate governance now calls for the effective management of risks, but board-level awareness is not yet being translated into effective controls. This study outlines the ways in which information assurance can be embedded into corporate risk management practices and how companies can be incentivized to adopt good practices.
REPORT PUBLISHED IN 2003
The Vulnerability Assessment and Mitigation Methodology
Authors: P. Anton, R. Anderson, R. Mesic, and M. Scheiern
Abstract: Understanding an organization’s reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge—especially when considering less-well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. Understanding the risks posed by new kinds of information security threats, the authors build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses. The authors lead evaluators through the procedure of classifying vulnerabilities in their systems’ physical, cyber, human/social, and infrastructure elements, and of identifying which security techniques can be relevant for these vulnerabilities. The authors also use VAM to break down information compromises into five fundamental components of attack or failure: