HSARPA Cyber Security R&D
Dept. of Homeland Security Science & Technology Directorate
Homeland Security: Cyber
Security R&D Initiatives
ACM CCS
Alexandria, VA
November 8, 2005
Douglas Maughan, Ph.D.
Program Manager, HSARPA
[email protected]
202-254-6145 / 202-360-3170
General DHS Organization (prior to 7/13/05)

Secretary (Chertoff) and Deputy Secretary (Jackson), with five directorates:
• Management (Hale)
• Border & Transportation Security (Beardsworth, acting)
• Emergency Preparedness & Emergency Response (Paulison, acting)
• Information Analysis & Infrastructure Protection (Stephan, acting)
• Science & Technology (McQueary)

Also on the chart: Coast Guard; Secret Service; Citizenship & Immigration and Ombudsman; Civil Rights and Civil Liberties; Legislative Affairs; General Counsel; Inspector General; State & Local Coordination; Private Sector Coordination; International Affairs; National Capital Region Coordination; Counter-narcotics; Small and Disadvantaged Business; Privacy Officer; Chief of Staff.
8 November 2005
2
Organization Chart (proposed end state)

Secretary and Deputy Secretary, supported by the Executive Secretary, Chief of Staff and Military Liaison, with:
• Under Secretaries for Management, Science & Technology, Policy, and Preparedness
• Assistant Secretary, Office of Intelligence & Analysis
• Directors of the Federal Law Enforcement Training Center, Transportation Security Administration, Domestic Nuclear Detection Office, Screening Coordination Office, Operations Coordination, Counter-narcotics, Citizenship & Immigration Services, US Secret Service, FEMA, and Civil Rights/Civil Liberties
• Commissioners of Customs & Border Protection and Immigration & Customs Enforcement
• Commandant, US Coast Guard
• General Counsel; Assistant Secretary for Congressional & Intergovernmental Affairs; Assistant Secretary for Public Affairs; Inspector General; Chief Privacy Officer; Ombudsman, Citizenship & Immigration Services; Labor Relations Board
Department of Homeland Security Organization Chart, Preparedness (proposed end state)

Under Secretary for Preparedness, with: Chief Medical Officer; Assistant Secretary for Grants and Training; Assistant Secretary for Infrastructure Protection; National Capital Region; Director, Fire Administration; Assistant Secretary for Cyber & Telecommunications.
Science and Technology (S&T) Mission

Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
S&T Organization Chart

Under Secretary for Science & Technology (McQueary), with four offices:
• Office of Plans, Programs and Requirements (Evans, acting)
• Homeland Security Advanced Research Projects Agency (Kubricky, acting)
• Office of Research and Development (McCarthy)
• Office of Systems Engineering & Development (Kubricky)
Execution: Science and Technology Directorate

• Office of Research and Development: centers, fellowships, scholarships; stewardship of an enduring capability
• Homeland Security Advanced Research Projects Agency: innovation, adaptation, and revolution
• Systems Engineering & Development: development engineering, production, and deployment
Crosscutting Portfolio Areas
Chemical
Biological
Radiological
Nuclear
High Explosives
Cyber Security
Critical Infrastructure
Protection (CIP)
USSS
Legacy of HSARPA Name: How is it different from DARPA?

Differences:
• 85-90% of funds for identified DHS requirements
• 10-15% of funds for revolutionary research: breakthroughs, new technologies and systems

These percentages are likely to change over time, but we need to meet today’s requirements.
HSARPA Funding

HSARPA funding is allocated from appropriated line items.

Science and Technology Directorate, FY05-06 Budget Execution Distribution (dollars in $M; "-" marks a cell left blank in the original)

Portfolio                                                    FY 2005        FY 2006      Delta
                                                             Appropriation  Tentative
Biodefense/Bio Countermeasures                                 362.7          380.0        17.4
Chemical Countermeasures                                        53.0           95.0        42.0
Conventional Missions                                           50.1           80.0        29.9
Counter-MANPADS                                                 61.0          110.0        49.0
Critical Infrastructure Protection                              27.0           40.8        13.8
Cyber Security                                                  18.0           16.7        -1.3
Emerging Threats                                                10.8            8.0        -2.8
High Explosives/Explosives Countermeasures                      19.7           44.0        24.3
National Biodefense Analysis & Countermeasures Ctr (NBACC)      35.0              -       -35.0
Office of Interoperability and Compatibility                    21.0           26.5         5.5
Radiological and Nuclear (DNDO)                                122.6          318.0       195.4
Radiological and Nuclear Countermeasures                           -           19.1        19.1
Rapid Prototyping                                               76.0           35.0       -41.0
Research and Development Consolidation                             -           99.9        99.9
Safety Act                                                      10.0            7.0        -3.0
Standards                                                       39.7           35.0        -4.7
Threat and Vulnerability Testing and Assessment                 65.8           43.0       -22.8
University Programs/Fellowships                                 70.0           63.0        -7.0
Grand Total                                                  1,042.3        1,421.0       378.7
Cyber Security R&D Portfolio: Scope

We focus on threats and issues that warrant national-level concern:
• Asymmetric capabilities make cyberspace an appealing battleground for our adversaries
• Cyberspace presents an avenue to exploit weaknesses in our critical infrastructures
• The most significant cyber threats are very different from “script-kiddies” or virus writers: terrorism, organized crime, economic espionage
R&D Execution Model

Customers: NCSD, NCS, USSS, national documents, other sectors (e.g., Banking & Finance), and critical infrastructure providers. Customers supply prioritized requirements into the cycle and receive its outputs.

Pre R&D: CIP sector roadmaps, R&D workshops, DNSSEC, cyber security assessment, solicitation preparation.

R&D: rapid prototyping, BAAs, SBIRs, and supporting programs (DETER, PREDICT, SPRI, Emerging Threats, external programs such as I3P).

Post R&D: experiments and exercises; outreach to the venture community and industry; R&D coordination with government and industry.
Rapid Technology Application Program (RTAP)

Similar to the existing Technical Support Working Group (TSWG) approach.

Requirements Generation Panel:
• Identify general technology needs
• Reduce the collection of general needs
• Explore issues and draft a Statement of Requirements (SoR)
• Write an SoR for each technology need in detail suitable for prototype procurement
Cyber Security RTAP Topics

#1 BOTNET Detection and Mitigation Tool (customer: IAIP/NCSD)
#2 Exercise Scenario Modeling Tool (customer: IAIP/NCSD)
#3 DHS Secure Wireless Access Prototype (customer: S&T OCIO)

Pre-solicitation at http://www.hsarpabaa.com
HSARPA Cyber Security Broad Agency Announcement (BAA 04-17)

A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure, including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are:
• To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
• To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure;
• To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

http://www.hsarpabaa.com
BAA Technical Topic Areas (TTAs)

System Security Engineering
• Vulnerability Prevention: tools and techniques for better software development
• Vulnerability Discovery and Remediation: tools and techniques for analyzing software to detect security vulnerabilities
• Cyber Security Assessment: develop methods and tools for assessing the cyber security of information systems

Security of Operational Systems
• Security and Trustworthiness for Critical Infrastructure Protection:
  1) Automated security vulnerability assessments for CI systems
  2) Improvements in system robustness of critical infrastructure systems
  3) Configuration and security policy management tools
  4) Cross-platform and/or cross-network attack correlation and aggregation
BAA TTAs (continued)

Security of Operational Systems
• Wireless Security: security tools/products for today’s networks; solutions and standards for next generation networks

Investigative and Prevention Technologies
• Network Attack Forensics: tools and techniques for attack traceback
• Technologies to Defend against Identity Theft: R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing
BAA Program / Proposal Structure

• Type I (New Technologies), funding NTE 36 months: new technologies with an applied research phase, a development phase, and a deployment phase (optional)
• Type II (Prototype Technologies), funding NTE 24 months: more mature prototype technologies with a development phase and a deployment phase (optional)
• Type III (Mature Technologies), funding NTE 12 months: mature technology with a deployment phase only

NOTE: Deployment Phase = test, evaluation, and pilot deployment in DHS “customer” environments
BAA 04-17 Proposal Summary

          Type I (36 months)    Type II (24 months)   Type III (12 months)   TOTAL
          Received  Funded      Received  Funded      Received  Funded       Received  Funded
TTA-1         8        0            6        1            3        0            17        1
TTA-2        10        2            8        2            1        0            19        4
TTA-3         3        0            6        1            0        0             9        1
TTA-4        14        1           23        2            2        1            39        4
TTA-5         9        2            7        0            2        0            18        2
TTA-6         4        1            6        1            0        0            10        2
TTA-7         8        1           10        2            0        0            18        3
TOTAL        56        7           66        9            8        1           130       17

http://www.hsarpabaa.com/; Solicitation Awards; BAA04-17 Awards
Small Business Innovative Research (SBIRs)
http://www.hsarpasbir.com

CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES (SB04.2-001)
Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about “stealthy” sources and targets of attacks in a distributed fashion across multiple environments.

REAL-TIME MALICIOUS CODE IDENTIFICATION (SB04.2-002)
Objective: Develop technologies to detect anomalous network payloads destined for any service or port in a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting “zero day attacks”, the first appearance of malicious code for which no known defense has been constructed.
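The zero-day payload detection that SB04.2-002 asks for can be illustrated with a byte-frequency anomaly detector in the style of Wang and Stolfo's PAYL: learn the distribution of byte values in benign traffic per destination port, then flag payloads whose distribution is far from it, with no signature of the malicious code required. The Go program below is an added example written for this page, not code from HSARPA or any SBIR awardee; the training requests, the unseen benign request and the exploit-shaped payload are constructed inline, and the per-port threshold (1.5 times the worst training score) is an assumption chosen for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
)

// PortModel is the byte-frequency profile of benign payloads on one destination
// port (after Wang and Stolfo's PAYL, simplified to one profile per port).
type PortModel struct {
	n         int
	mean      [256]float64 // running mean of each byte value's relative frequency
	m2        [256]float64 // running sum of squared deviations (Welford's method)
	threshold float64      // score above which a payload is anomalous
}

func frequencies(p []byte) [256]float64 {
	var f [256]float64
	for _, b := range p {
		f[b] += 1 / float64(len(p))
	}
	return f
}

// Train folds one benign payload into the profile.
func (m *PortModel) Train(p []byte) {
	f := frequencies(p)
	m.n++
	for i := range f {
		delta := f[i] - m.mean[i]
		m.mean[i] += delta / float64(m.n)
		m.m2[i] += delta * (f[i] - m.mean[i])
	}
}

// Score is a simplified Mahalanobis distance: the sum over byte values of
// |freq - mean| / (stddev + alpha). alpha keeps byte values never seen in
// training (stddev 0) heavily penalised instead of dividing by zero, and
// those unseen values are what give binary shellcode on a text port its score.
func (m *PortModel) Score(p []byte) float64 {
	const alpha = 0.001
	f := frequencies(p)
	d := 0.0
	for i := range f {
		variance := 0.0
		if m.n > 1 {
			variance = m.m2[i] / float64(m.n-1)
		}
		d += math.Abs(f[i]-m.mean[i]) / (math.Sqrt(variance) + alpha)
	}
	return d
}

// Detector keeps one profile per destination port.
type Detector map[int]*PortModel

func NewDetector() Detector { return Detector{} }

// Train profiles a port; threshold = 1.5 x worst training score (an assumption for this example).
func (d Detector) Train(port int, payloads [][]byte) {
	m := &PortModel{}
	for _, p := range payloads {
		m.Train(p)
	}
	for _, p := range payloads {
		m.threshold = math.Max(m.threshold, 1.5*m.Score(p))
	}
	d[port] = m
}

// Anomalous reports whether p deviates from the port's profile. A port with no
// profile is reported as anomalous so an unprofiled service is never trusted.
func (d Detector) Anomalous(port int, p []byte) bool {
	m, ok := d[port]
	if !ok {
		return true
	}
	return m.Score(p) > m.threshold
}

// Constructed sample traffic (not captured data).
var benignHTTP = [][]byte{
	[]byte("GET / HTTP/1.1\r\nHost: www.dhs.gov\r\n\r\n"),
	[]byte("GET /index.html HTTP/1.1\r\nHost: www.dhs.gov\r\n\r\n"),
	[]byte("GET /images/logo.gif HTTP/1.1\r\nHost: www.dhs.gov\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
	[]byte("GET /about/ HTTP/1.1\r\nHost: www.dhs.gov\r\nAccept: text/html\r\n\r\n"),
	[]byte("POST /search HTTP/1.1\r\nHost: www.dhs.gov\r\nContent-Length: 7\r\n\r\nq=cyber"),
}
var novelBenign = []byte("GET /news/ HTTP/1.1\r\nHost: www.dhs.gov\r\nAccept: text/html\r\n\r\n")
// exploitLike mimics a binary exploit: a NOP sled then opcode bytes, none of
// which occur in HTTP request text.
var exploitLike = append(bytes.Repeat([]byte{0x90}, 32),
	0xeb, 0x1f, 0xe8, 0xff, 0xc7, 0xd0, 0x89, 0xe3, 0xb0, 0x0b, 0xcd, 0x80, 0xe8, 0xdc, 0xff, 0xbf)

func main() {
	d := NewDetector()
	d.Train(80, benignHTTP)
	for _, p := range [][]byte{novelBenign, exploitLike} {
		fmt.Printf("score %8.1f anomalous=%v\n", d[80].Score(p), d.Anomalous(80, p))
	}
}
```

Scoring is distance from the benign profile, so the detector needs no prior knowledge of the attack; the cost is that a new benign service on a profiled port, or an attacker who shapes shellcode to look like text, also moves the score. That is why the published approach profiles per payload length as well and tunes the threshold per port.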
SBIR FY05.2 Submission: Hardware-assisted System Security Monitoring

OBJECTIVE: This topic seeks technologies that provide a hardware assist for the monitoring of system security. It is expected that the resulting solutions would be some type of inexpensive coprocessor board that would work with existing hardware and software, resulting in a system with much higher assurance than currently available. By putting the monitoring capability in hardware it is much more difficult for an attacker to disable this part of the system, because the board is isolated from potential remote attackers and would require physical access to compromise; this gives the owner/user technology that can monitor the security health of the system in near real time. This will ensure that even when the machine is on but the user is not using it, the system will be monitored and can even be “shut down” so that unknown communications are not sent while the user is away. The hardware-assist system should have the capability to collect and store information for forensic purposes, and should also be able to report security-related events to a central monitoring station.

Solicitation at http://www.hsarpasbir.com
DHS / NSF Cyber Security Testbed

“Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002:
• Despite recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry, we still lack large-scale deployment of security technology sufficient to protect our vital infrastructures.
• One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology.

The goal is to create, operate, and support a researcher- and vendor-neutral experimental infrastructure that is open to a wide community of users and produces scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies.
DETER Testbed Architecture

Cyber defense experiments run on a “virtual Internet”: three major sites (USC-ISI, UCB, Sparta) with over 200 nodes. GOAL: by the end of FY07, 1000 nodes distributed at possibly up to 6 sites.

Testbed schematic (USC-ISI site):
• Users reach the testbed from the Internet through an Ethernet bridge with firewall (the ‘Gatekeeper’)
• ‘Boss’ server: control DB; web/DB/SNMP and switch management
• ‘User’ server: user files; user accounts and data logging
• Node serial line server and power serial line server/power controller for out-of-band control of the experiment PCs
• Control network VLAN: N control ports at 100bT
• Data ports: N x 4 at 1000bT into a programmable patch panel (VLAN switch)
A Protected REpository for Defense of Infrastructure against Cyber Threats (PREDICT)

PREDICT Program Objective: “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.”

Rationale / Background / Historical:
• Researchers with insufficient access to data are unable to adequately test their research prototypes
• Government technology decision-makers have no data with which to evaluate competing “products”

End Goal: Improve the quality of defensive cyber security technologies
Industry Workshop 2004

Goals:
• Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda
• Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program
• Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward
• Develop a process by which “data” can be “regularly” collected and shared with the network security research community

ATTENDEES (* = PREDICT participant): AOL, UUNET, Verio*, XO Comms, Akamai, Arbor Networks, System Detection, Cisco, PCH*, Symantec, USC-ISI*, Univ. of WA*, CERT/CC, LBNL*, Internet2*, CAIDA*, Merit Networks*, Citigroup
Data Collection Activities

Classes of data that are interesting, that people want collected, and that seem reasonable to collect:
• Netflow
• Packet traces – headers and full packet (context dependent)
• Critical infrastructure – BGP and DNS data
• Topology data
• IDS / firewall logs
• Performance data
• Network management data (i.e., SNMP)
• VoIP (1400 IP-phone network)
• Blackhole monitor traffic
PREDICT Information
https://www.predict.org
Recent Workshop
http://www.hsarpacyber.com/public/PREDICT/
Internet Infrastructure Security

Motivation: The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness. The NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols for the DNS.

The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.
Domain Name System Security (DNSSEC) Program

DNSSEC Program Objective: “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant”

Rationale / Background / Historical:
• DNS is a critical component of the Internet infrastructure and was not designed for security
• DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities

End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures
The Domain Name System

The DNS database maps names to IP addresses (www.dhs.gov = 206.18.104.198) and holds many other mappings (mail servers, IPv6, reverse…).

Data are organized as a tree: each zone is authoritative for its own data, with minimal coordination between zone operators. The slide’s example tree has Root at the top, top-level zones such as edu, mil and ru beneath it, and delegated zones below those (the labels shown include isi and nge under edu, darpa and usmc under mil, and a further mil and alpha level under ru).
DNS Attacks

Attacks via and against the DNS infrastructure are increasing:
• Attacks are becoming costly and difficult to remedy
• Consumer confidence in Internet accuracy is decreasing
• Financial/large enterprises are seeing a significant increase in online attacks for fraudulent purposes

Attack types:
• Hijacking (virtual theft of domain names): http://www.icann.org/announcements/hijacking-report12jul05.pdf
• Phishing (look-alike fraudulent emails and web sites)
• Pharming (phishing combined with DNS attacks)
• Other attacks include DNS name mismatches or browser tricks aimed at careless users
DNSSEC – What it provides

Provides an approach so DNS users can:
• Validate that the data they receive came from the correct originator, i.e., source authenticity
• Validate that the data they receive is the data the originator put into the DNS, i.e., data integrity

The approach integrates with existing server infrastructure and user clients.

DNSSEC awareness by application:
• Results of DNSSEC validation functions are provided to applications
• Applications can take different actions based on DNSSEC validation results, e.g., won’t connect to www.bankofamerica.com without good validation but will connect to www.cnn.com without it
• Examples: web browsers; email servers and clients
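As an added example (not part of the original slides or any DHS deliverable), the Go program below models the two properties above and the per-application policy: a zone signs an RRset with its key; a validating resolver that holds the zone's public key as a trust anchor returns Secure, Bogus (an anchor exists but the data no longer matches the signature, the pharming case) or Insecure (no anchor for that zone yet); and the application decides per host whether an Insecure answer is acceptable. The string canonical form, the last-two-labels zone lookup and the use of Ed25519 are simplifications made for this example; real DNSSEC uses the RFC 4034 canonical wire form, keys carried in DNSKEY records, and a chain of DS records from the root. The records are constructed for the example, the www.dhs.gov address being the one on the slide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is the unit DNSSEC signs: every record of one owner name and type.
type RRset struct {
	Name string   // owner name, e.g. "www.dhs.gov"
	Type string   // record type, e.g. "A"
	Data []string // record data
}

// canonical encodes an RRset deterministically (owner name lower-cased, records
// sorted) so signer and validator hash identical bytes; a stand-in for RFC 4034 wire form.
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(data, "|"))
}

// Zone holds a zone's signing key pair; Pub plays the role of its DNSKEY.
type Zone struct {
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewZone() *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Priv: priv, Pub: pub}
}

// Sign produces the signature an RRSIG record would carry for the RRset.
func (z *Zone) Sign(rr RRset) []byte {
	h := sha256.Sum256(canonical(rr))
	return ed25519.Sign(z.Priv, h[:])
}

// Status is the verdict a validating resolver hands to the application.
type Status int

const (
	Secure   Status = iota // signature verified against a trust anchor
	Bogus                  // anchor present but verification failed: altered data, e.g. pharming
	Insecure               // no trust anchor for this zone: DNSSEC not deployed there yet
)

func (s Status) String() string { return [...]string{"Secure", "Bogus", "Insecure"}[s] }

// TrustAnchors maps a zone name to the public key the resolver trusts for it.
type TrustAnchors map[string]ed25519.PublicKey

// zoneOf picks the zone whose anchor covers an owner name: its last two labels
// (www.dhs.gov -> dhs.gov). A simplification; a real resolver walks DS records from the root.
func zoneOf(name string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	if len(labels) < 2 {
		return labels[0]
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Validate gives the resolver's verdict on an RRset and its signature.
func Validate(anchors TrustAnchors, rr RRset, sig []byte) Status {
	pub, ok := anchors[zoneOf(rr.Name)]
	if !ok {
		return Insecure
	}
	h := sha256.Sum256(canonical(rr))
	if ed25519.Verify(pub, h[:], sig) {
		return Secure
	}
	return Bogus
}

// AllowConnect is the per-application policy from the slide: hosts listed in
// requireSecure need a Secure verdict, other hosts may connect while their zone
// is still Insecure, and nothing connects on Bogus data.
func AllowConnect(host string, st Status, requireSecure map[string]bool) bool {
	if requireSecure[strings.ToLower(host)] {
		return st == Secure
	}
	return st != Bogus
}

func main() {
	zone := NewZone()
	anchors := TrustAnchors{"dhs.gov": zone.Pub}
	genuine := RRset{Name: "www.dhs.gov", Type: "A", Data: []string{"206.18.104.198"}} // constructed, address from the slide
	pharmed := RRset{Name: "www.dhs.gov", Type: "A", Data: []string{"198.51.100.1"}}   // constructed pharmed copy
	sig := zone.Sign(genuine)
	fmt.Println("genuine:", Validate(anchors, genuine, sig), "pharmed:", Validate(anchors, pharmed, sig))
	policy := map[string]bool{"www.bankofamerica.com": true}
	fmt.Println("bank on Insecure:", AllowConnect("www.bankofamerica.com", Insecure, policy),
		"news on Insecure:", AllowConnect("www.cnn.com", Insecure, policy))
}
```

Note what the policy does and does not do: an Insecure verdict for the bank is refused even though nothing is known to be wrong, because for that host the absence of validation is itself the risk; Bogus is refused everywhere, which is the same outcome a validating resolver produces when it returns SERVFAIL instead of the forged answer. Owner names are lower-cased before hashing because DNS names compare case-insensitively, so a signature over www.dhs.gov must also validate a query for WWW.DHS.GOV.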
DNSSEC Initiative Activities

• Roadmap published in February 2005: http://www.dnssec-deployment.org/roadmap.php
• Multiple workshops held world-wide
• DNSSEC testbed developed by NIST: http://www-x.antd.nist.gov/dnssec/
• Involvement with numerous deployment pilots
• Working with civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels
• Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance
DNSSEC Design / Use

Secure DNS Guidance Documents: NIST 800 Series documents for operators and policy/decision makers
• Define the problem space
• Outline BCP for securing current DNS operations
• Guidelines for deployment and use of DNSSEC
• Series of outreach efforts

Announcement from http://csrc.nist.gov/publications/drafts.html, August 11, 2005: Draft NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide. Request for Comments closed Sept. 29th, 2005.
Secure Protocols for the Routing Infrastructure (SPRI)

• BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet
• BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows
• The BGP architecture makes it highly vulnerable to human errors and malicious attacks against the links between routers, the routers themselves, and the management stations that control routers
• Work with industry to develop solutions for our current routing security problems and future technologies
SPRI Activities To Date

• Formation of a government and industry “steering committee”: DHS, DOD, DOCommerce, NIST, ICANN, IETF
• Held first industry requirements workshop; March 15-16, 2005 in WDC
• Held second workshop on operational security; May 18-19, 2005 in Seattle in conjunction with NANOG
• Held third workshop on registry operations; Sept. 13-14, 2005 in WDC; outputs submitted at recent ARIN meeting
Cyber Security Assessment Activities
Cyber Economics Study
Dept. of Treasury – “Key Business Processes in the
event of a Crisis” Study
Economic Analysis of Cyber Security and Private-Sector Investment Decisions

The objective of the study is to investigate Internet stakeholders’ investment decisions for bolstering the security of their information technology (IT) networks. To achieve the study objectives, RTI will
• review existing studies to assess the economics of cyber security,
• conduct a series of interviews within eight industry sectors to assess companies’ investment decisions related to securing their IT networks, and
• identify potential areas for government involvement and/or support for the deployment and adoption of existing cyber security technologies.

DHS/Cyber Security IMPACT
• DHS is interested in economic decisions that may lead to inadequate investment in cyber security measures.
• Better information on the costs and benefits of security technologies and adverse events will help inform private investment decisions.
• Understanding the public goods nature of Internet security may inform government’s involvement in cyber security.

SCHEDULE (Gantt chart, months 1-9 from award; milestones marked for project meetings, draft questionnaire, interim deliverable, draft report and final report)
Task 1: Convene Project Meeting
Task 2: Review Existing Economic Cybersecurity Studies and Methodology
Task 3: Interview Targeted Industries
Task 4: Enhance Approaches to Model the Economic Impacts of Cybersecurity
Task 5: Develop Industry Business Cases
Task 6: Identify Potential Motivation for and Types of Government Involvement
Prototyping of a Business Process Model (A Computer Simulation) of the Finance Sector

DESCRIPTION / OBJECTIVES / METHODS
- This project addresses the requirement for a man-in-the-loop simulation that emulates sector-wide disruptions and their operational (business) impact.
- Sector-level simulation of impacts resulting from cyber and physical disruptions of business processes and transactions between critical entities in the Finance Sector will provide government and industry stakeholders and users with unique insight into operational risks, single points of failure, and mitigation strategies.
- Potential users include risk managers responsible for the operational health of the sector; also enterprise risk managers.

DHS/Cyber Security IMPACT
• “Proof of Concept” activities are designed to assess initial technical and operational feasibility, including scoping and development of a concept of operations, before stakeholders invest substantial resources in full-scale development.
• Various private and public-sector stakeholders have determined the immediate operational need for this capability; it meets several gaps defined by the Treasury Department and sector-level coordinating councils.
• The research involves 4 phases: engage SMEs to help define the logical and physical extent of the sector at a high level; determine an appropriate subset of sector transactions to model as a proof of concept; use rapid prototyping to define simulation requirements; report on technical and operational feasibility.

BUDGET & SCHEDULE (FY05-FY07): Proof of Concept (Feasibility), Requirements Definition and Simulation Design, each marked Phase 1; then Implementation, Integration, Testing, and Roll-out.
Rapid Prototyping – Authoritative SSL Auditing

PROJECT DESCRIPTION / OVERVIEW
Diagram: client machines (SSL client) and application server machines (SSL server with a Key Shield) exchange SSL traffic through a network switch; an Auditing Device (recording application and signing application) and a Portal Device (auditing portal) attach to the same switch.

Goal: Enable organizations to audit secure communications to prove policy compliance, investigate attacks, and arbitrate disputes.

Approach: Use a passive network device to record SSL traffic, sign it with a hardware security module, and open communications when necessary. Requires the cooperation of the original secure server to keep its keys secure. Web portal restricts access to authorized personnel. (A passively recorded session can only be opened later if the server’s key can decrypt it, i.e., with RSA key exchange rather than an ephemeral Diffie-Hellman cipher suite.)

• Status: Alpha Aug 15, 2005; Beta planned for Dec 15, 2005
• End Users: Information technology and security officers in government agencies and commercial organizations, especially those that need to comply with regulations such as HIPAA, FACTA, and Sarbanes-Oxley.

DHS/Cyber Security Impact
• Complete, authoritative records of electronic transactions
• Ensure users/organizations follow security policies
• Better investigate attacks and fraud over SSL
• All records remain confidential until specifically reviewed
• Very low total cost of ownership encourages adoption

BUDGET & SCHEDULE (FY05-FY07): requirements & design; alpha system; beta system; final system
Emerging Threats – VME-DEP: Virtual Machine Environment - Detection and Escape Prevention

VME use is increasing in industry and government, and is starting to be used in classified networks.

Goals of this project are to:
• Gain a better understanding of where VMEs are used and for what purpose
• Determine how an attacker might break the security models defined by a VME
• Develop techniques for preventing those attacks
• Develop a “secured” open source VME
Emerging Threats - NGCD
Next Generation Crimeware Defenses
Crimeware: Malicious software specifically designed to steal
identity information and other associated financial information
Goals of this project are:
Gain an understanding of the nature of crimeware technologies and
how to defend against their increasing sophistication
Collect and analyze crimeware samples
Build threat and vulnerability models based on the attack types and
goals of stealing access credentials and identity information and
correlated to popular computing environments
Develop a “secure computing environment”: web browser (based on
open-source Mozilla), secure keyboard and embedded co-processor to
proactively prevent crimeware
The Institute for Information
Infrastructure Protection (I3P)
The I3P is a consortium of 24 academic and not-for-profit
research organizations
The I3P embodies a concept developed in studies between
1998 and 2000 by PCAST, IDA, and OSTP
The I3P was formed in September 2001 and funded by
congressionally appropriated funds assigned to Dartmouth
College
DHS/S&T/HSARPA now oversees the I3P funding
$17.883 M Congressional Earmark for the Institute for Security
Technologies Studies (ISTS) at Dartmouth College
Inherited from Office of Domestic Preparedness (ODP) during R&D
consolidation activity
Other Activities – Institute for Information Infrastructure Protection (I3P)

• Creation of two research plans for cyber security, one in Supervisory Control and Data Acquisition (SCADA) systems, and one in economic and policy issues
• Two independent Research Advisory Boards (RABs) established to review final research plans submitted for I3P support
• Two-year, $8.5 million research program to protect SCADA systems in the oil and gas industry and other critical infrastructure sectors
  • Led by Sandia, comprises 10 research institutions with expertise in cyber security, risk management, and infrastructure systems analysis
  • Kickoff meeting held April 14-15 at Sandia National Laboratories’ Center for SCADA Security in Albuquerque, attended by project researchers along with oil and gas experts from ChevronTexaco, Ergon Refining, Public Utility of New Mexico, and Williams
  • Provided training on SCADA hardware, software, and typical system configurations, as well as common threats and vulnerabilities associated with these systems
I3P Cyber Economics Project

Two project goals:
• How to quantify the cost of cyber security and the effects of cyber attacks?
• How to measure the effectiveness of current security tools and policies?

Three intertwined threads:
• National perspective: views the information infrastructure as an element of national security, where cyber security incidents can disrupt, impair or destroy critical economic capabilities.
• Enterprise or corporate perspective: considers the effects of degraded or destroyed infrastructure on the degree to which an enterprise can maintain its bottom line by developing and delivering products and services.
• Technological perspective: addresses those technologies that protect the infrastructure, by deterring particular threats, preventing certain classes of attacks, or mitigating the consequences of attack.

Participants: RAND Corporation, University of Virginia, MIT Lincoln Laboratory, George Mason University, Dartmouth
Experiments and Exercises

Experiments
• U.S. / Canada Secure Blackberry Experiment (PSTP-agreed upon deployment activity)
• Oil and Gas Sector (working with DOE and industry)
• CIDDAC
• Finance Sector
• U.S. NORTHCOM: CWID 2005 (originally known as JWID)

Exercises
• National Cyber Security Exercise (Cyber Storm)
• National Critical Infrastructure Exercise (NCIE), an exercise led by industry
US-CAN Secure Wireless Trial

Objective: Test effectiveness of US/Canadian cross-border secure wireless architecture to cope with real-time communication in a variety of scenarios.

Technologies: PKI (S/MIME), identity-based encryption, enforcement of policy and compliance.

Trial Activity:
• July: U.S.-only initial four-day test period
• October: Four-day test period with 35 activities and with 40+ participants acting out homeland security scenarios using BlackBerry devices
LOGI2C – Linking the Oil and Gas Industry to Improve Cybersecurity

LOGI2C is a 12-month technology integration and demonstration project driven by industry, supported by DHS.

Technical goal: Attack indications and warnings through event analysis and correlation across business and process control networks.

Approach:
• Identify new types of security sensors for process control networks
• Adapt a best-of-breed correlation engine to this environment
• Integrate in testbed and demonstrate
• Transfer technology to industry

Diagram: external events, the business network, and the process control network feed the LOGI2C correlation engine, which produces attack indications and warnings.
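The cross-domain correlation called for by SBIR topic SB04.2-001, by TTA item 4 (cross-platform and cross-network attack correlation) and by the LOGI2C correlation engine above can be illustrated with a sliding-window correlator: each sensor's alerts are normalised to one record, grouped by source address, and a source is reported only when it has touched more than one domain (business network, process control network, external events) inside the window. The Go program below is an added example written for this page, not the LOGI2C engine or any SBIR deliverable; the alert records, sensor names, addresses and the one-hour window are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Alert is one normalised event from any sensor: a business-network IDS, a
// process-control-network sensor, or an external event feed.
type Alert struct {
	Time   time.Time
	Domain string // "business", "process-control" or "external"
	Sensor string
	Source string // attacker address as that sensor saw it
	Target string
	Sig    string
}

// Indication is the correlated attack indication and warning for one source.
type Indication struct {
	Source   string
	Domains  []string
	Targets  int
	Evidence []Alert
}

// Correlator keeps each source's recent alerts inside a sliding window and
// reports the source once it has been seen in MinDomains distinct domains. A
// stealthy source that trips one low-priority alert per domain never crosses a
// single sensor's threshold; only the cross-domain view does.
type Correlator struct {
	Window     time.Duration
	MinDomains int
	recent     map[string][]Alert
}

func NewCorrelator(window time.Duration, minDomains int) *Correlator {
	return &Correlator{Window: window, MinDomains: minDomains, recent: map[string][]Alert{}}
}

// Observe ingests one alert (alerts must arrive in time order) and returns an
// Indication when the source now spans enough domains, otherwise nil.
func (c *Correlator) Observe(a Alert) *Indication {
	kept := c.recent[a.Source][:0] // drop this source's alerts older than the window
	for _, e := range c.recent[a.Source] {
		if a.Time.Sub(e.Time) <= c.Window {
			kept = append(kept, e)
		}
	}
	kept = append(kept, a)
	c.recent[a.Source] = kept

	domains, targets := map[string]bool{}, map[string]bool{}
	for _, e := range kept {
		domains[e.Domain] = true
		targets[e.Target] = true
	}
	if len(domains) < c.MinDomains {
		return nil
	}
	ind := &Indication{Source: a.Source, Targets: len(targets), Evidence: append([]Alert(nil), kept...)}
	for d := range domains {
		ind.Domains = append(ind.Domains, d)
	}
	sort.Strings(ind.Domains)
	return ind
}

// Run feeds time-ordered alerts through a fresh correlator and collects the indications.
func Run(alerts []Alert, window time.Duration, minDomains int) []Indication {
	c := NewCorrelator(window, minDomains)
	var out []Indication
	for _, a := range alerts {
		if ind := c.Observe(a); ind != nil {
			out = append(out, *ind)
		}
	}
	return out
}

// Constructed sample alerts (not real sensor output), in time order: one source
// is noisy but stays in the business network; the other is quiet in each domain.
var sampleAlerts = func() []Alert {
	t0 := time.Date(2005, 11, 8, 9, 0, 0, 0, time.UTC)
	return []Alert{
		{t0, "business", "ids-dmz", "203.0.113.7", "10.1.0.5", "TCP SYN scan, low rate"},
		{t0.Add(10 * time.Minute), "business", "ids-core", "198.51.100.9", "10.1.0.20", "SMB login failures"},
		{t0.Add(20 * time.Minute), "business", "ids-core", "198.51.100.9", "10.1.0.20", "SMB login failures"},
		{t0.Add(45 * time.Minute), "process-control", "pcn-tap", "203.0.113.7", "10.20.0.3", "Modbus write from non-HMI host"},
		{t0.Add(3 * time.Hour), "business", "ids-dmz", "203.0.113.7", "10.1.0.5", "TCP SYN scan, low rate"},
	}
}()

func main() {
	for _, ind := range Run(sampleAlerts, time.Hour, 2) {
		fmt.Printf("INDICATION source=%s domains=%v targets=%d\n", ind.Source, ind.Domains, ind.Targets)
		for _, e := range ind.Evidence {
			fmt.Printf("  %s %-15s %-8s %s\n", e.Time.Format("15:04"), e.Domain, e.Sensor, e.Sig)
		}
	}
}
```

The window and the domain count are the two knobs that decide how slow an attacker can go before the correlator stops linking their alerts: the third alert from 203.0.113.7 arrives after the window has expired and is not reported. A production engine would also map addresses seen behind NAT or on the process-control side to one identity, and weight alerts by signature severity rather than counting them equally.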
LOGI2C Partners
LOGI2C is a model for how DHS S&T and industry can work together in a public-private partnership to address a critical R&D need
Industry contributes
Requirements and operational expertise
Project management
Product vendor channels
DHS S&T contributes
Independent researchers with technical security expertise
Testing facilities
S&T and Cyber Storm
Exercise Objectives:
To incorporate elements of cyber defense and response technology into the exercise, moving it gradually away from the “table top” format.
To socialize the DETER test bed with the exercise participants and make them aware of its capability and its potential value to their respective organizations.
Success criteria:
Recognizing the complexity of the exercise and its key focus, S&T would consider its objective met if the DETER test bed were used in the planning of the exercise (to lend realism to scenario elements) and if one or more sessions could be arranged during the exercise where the players could see the test bed in action, being used to test exercise-relevant problems or decisions. The session(s) should show the value of the tool and add defensive technology to the exercise.
National Critical Infrastructure Exercise (NCIE)
Exercise is co-managed by BearingPoint and Yoran Associates
Objectives
Funded by the private sector with public/private technology demonstrations
Conduct a private sector exercise
Exercise threat scenarios against SCADA operations
Test and evaluate organizational plans, policies, and procedures
Capture performance data to evaluate Critical Infrastructure Resiliency metrics and models – U.S. comparison against other countries
Primary participants: senior operations managers and corporate executives from the utility/energy sector
Secondary participation: industry collaboration groups, government agencies, first responders, and others identified by primary participants during planning
Commercial Outreach Strategy
Assist commercial companies in providing technology to DHS and other government agencies
Assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies
Emerging Security Technology Forums (ESTF)
DHS Mentor / Protégé program
Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures
[Diagram: Government (Funder/Customer), Established Commercial Companies, DHS Researchers, Commercial Customers, Emerging Commercial Companies]
Emerging Security Technology Forum
ESTF held April 13-14, 2005 in Arlington, VA
Opportunity to introduce government representatives to smaller-sized information security technology vendors with innovative technology approaches
For this ESTF, vendors presented and demonstrated current and emerging information security technologies that defend against DDoS and worm attacks
Next ESTF to be held in May 2006
Topic: Identity Management technologies
Audience will include industry and government
Emerging Security Technology Forum
Arbor Networks
CounterStorm, Inc.
Cs3, Inc.
CyberShield Networks, Inc.
Determina, Inc.
ForeScout Technologies
IntruGuard Devices, Inc.
Kerio Technologies
netZentry, Inc.
Prolexic Technologies
Q1 Labs Inc.
Top Layer Networks, Inc.
V-Secure Technologies
DHS Mentor/Protégé Program
Objective
Provide start-up emerging security companies with mentor support in sales & marketing to government
Existing Mentor/Protégé programs in government are procurement oriented. The new S&T Mentor/Protégé program will focus on rapidly transitioning cyber security technologies into government through existing relationships.
Mentors will be large, established government contractors with cyber security experience
Protégés will provide innovative cyber security technology. There are no set-aside requirements (e.g. disadvantaged, HUBZone business)
Selection Process
The Cyber Security R&D Center will solicit government/industry technology requirements to identify gaps in the US cyber infrastructure. These requirements will guide selection of mentors. Protégés, with technology to meet infrastructure gaps, will be proposed to the mentors by the Center.
ITTC – The DHS-SRI Identity Theft Technology Council
ITTC is a revived and expanded Silicon Valley expert group originally convened by the U.S. Secret Service
Experts and leaders from
Government
Financial and IT sectors
Venture capital
Academia and science
ITTC works closely with The Anti-Phishing Working Group (APWG)
Consultant and ITTC Coordinator: Robert Rodriguez, retired head of the Secret Service Field Office in San Francisco
The ITTC was formed in April, and has four active working groups:
Phishing Technology Report
Data collection and sharing
Future threats
Development and deployment
Tackling Cyber Security Challenges:
Business Not as Usual
Strong mission focus (avoid mission creep)
Close coordination with other Federal agencies
Outreach to communities outside of the Federal government
Building public-private partnerships (the industry-government *dance* is a new tango)
Strong emphasis on technology diffusion and technology transfer
Migration paths to a more secure infrastructure
Awareness of economic realities
Summary
DHS S&T is moving forward with an aggressive cyber security research agenda
Working with industry to solve the cyber security problems of our current infrastructure: DNSSEC, Secure Routing
Working with academe and industry to improve research tools and datasets: DHS/NSF Cyber Security Testbed, PREDICT
Looking at future RDT&E agendas with the most impact for the nation: SBIRs, BAA 04-17, RTAP
Other Areas of Interest (were $ available)
Cyber Situational Awareness – Indications & Warnings
Insider Threat Detection & Mitigation
Information Privacy Technologies
Large-scale network survivability, rapid recovery and reconstitution
Secure operating systems (open source)
Network modeling and simulation – security policy reconfiguration impact on networks
Highly scalable identity management
Douglas Maughan, Ph.D.
Program Manager, HSARPA
[email protected]
202-254-6145 / 202-360-3170