West Point 2005 - Visualization Panel Slides


Transcript West Point 2005 - Visualization Panel Slides

Visual Analytics for Cyber Defense Decision-Making
Anita D'Amico, Ph.D.
Secure Decisions division of Applied Visions, Inc.
anita.damico@securedecisions.com
631-759-3909
WHAT DO CYBER DEFENDERS DO?
HOW CAN VISUAL ANALYTICS HELP?
Incident response team activities
(Killcrece, Alberts, CMU studies)

Reactive
- Triggered by an event, such as an IDS alert
- Examples: Reviewing log files, correlating alerts

Proactive
- Prepare, protect and secure for future attacks
- Examples: Prediction of upcoming attacks and techniques

Security Quality Management
- IT services in support of general information security
- Examples: Training, recovery planning, product evaluation

Cognitive and decision analyses show: very little effort on proactive work
Visual analytics can help network defenders transform raw data into meaning:

Raw Data → Interesting Activity → Suspicious Activity → Events → Incidents → Problem Sets
Triage analysis
- Weed out false positives
- Escalate suspicious activity for further analysis

Escalation analysis
- Analyze data over a longer time than Triage
- Incorporate multiple data sources (more than Triage)

Correlation analysis
- Look for patterns and trends
- Assess similarity to related incidents, internal and external

Incident response
- Recommend, implement Courses of Action
- Support law enforcement investigation

Malware analysis
- Reverse-engineer malware
- Develop defenses against malware

Forensic analysis
- Collect and preserve evidence
- Support law enforcement investigation

Threat analysis
- Characterize attackers: identification, modus operandi, motivation, location

Vulnerability analysis
- Identify and prioritize vulnerabilities
- Manage remediation of vulnerabilities

Sensor management
- Develop signatures, tune sensors
- Modify placement of sensors

(from 2005 D'Amico & Whitley CTA, and other Secure Decisions decision analyses)
Mission impact analysis
Visualization should support all stages of SA, types of CND analysis, and uses

Stages of Situational Awareness (SA): Perception, Comprehension, Projection

Types of Analysis (laid out across the SA stages): Triage, Escalation, Threat, Vulnerability; Correlation; Response, Forensic, Malware

Uses of Visualization (laid out across the SA stages):
- ORIENT attention
- EXPLORE data (for patterns, anomalies)
- PREDICT
- REPORT and EXPLAIN what has been observed
How do Alan Turner's VA primitives apply?

Stages of SA: Perception, Comprehension, Projection

Types of Analysis (laid out across the SA stages): Triage, Escalation, Threat, Vulnerability; Correlation; Response, Forensic, Malware

Turner's Primitives (laid out across the SA stages): ORIENT, QUANTIFY, DISCOVER, CHARACTERIZE, TEST
How do cyber defenders differ from Alan's users?

- Old way doesn't work, and they know it
- Never feel totally successful
- Hard to estimate the level of effort needed
- Not clear when they're done

CND analysts see the world in red and blue; they attend to timing and sequence.
Coordinated attack to exfiltrate email (attack timeline)

Legend: Attacker Action; Attacker Obtains; Analyst Interpretation/Hypothesis; Analyst's View; Analyst's Action; Analyst's Wish list; Threads

Day -14 to Day -13: Intruder reconnaissance (appears as a nuisance scan or legitimate scanning activity)
- Attacker action: scan IP address range for OS types, email applications, open ports
- Attacker obtains: reconnaissance team identifies targets, commanders' names, e-mail scheme; attack team compromises numerous hosts, both in cooperative and noncooperative networks; no non-public information acquired; anonymity secured
- Analyst's view: noisy probe may be visible; otherwise not visible to analysts

Day -10 to Day -9: Intruder reconnaissance (appears as legitimate scanning activity)
- Attacker action: probe ports related to Microsoft Exchange; determine IP address of host running mail service; probe mail server; find out what other services the mail server is running
- Analyst's view: may receive report of compromise or unusual activity from DOD
- Analyst's action: identify source IP; research history; contact target admin; log event
- Analyst's wish list: automatic ID of reply; history of source IP; consistency of activity with previous activity of source

Day -8 to Day -7: Malicious exploit of the mail server
- Attacker action: exploit mail server
- Attacker obtains: administrator access to mail server
- Analyst's view: unusual or unexpected activity on exploited machine; SNORT or JIDS alert; TCP dump data; incident reports; atypical port open on exploited machine
- Analyst's action: review packet; review log data; eliminate irrelevant exploits; profile activities to infer intent
- Analyst interpretation/hypothesis: nuisance scan; noisy scan may be apparent; may not be malicious traffic -- may be a legitimate discussion of the exploit
- Analyst's wish list: filtering of alerts that are irrelevant to the target system
- Threads: connect this activity to scan by foreign IP on Day -10; notable activities of scanned server over past week; response by destination IPs on Day -10

Day -4: Install FTP server
- Attacker obtains: means for exfiltration
- Analyst's view: vulnerability scan might see open FTP port; open ports on monitored machines

Day -3: Sign in as administrator and access email
- Attacker obtains: email content
- Analyst's view: admin email activity at an unusual time of day

Day -2 to Day -1: Exfiltrate email
- Attacker obtains: email content transferred to external system, no longer under control of monitored network
- Analyst's view: data being transferred out of monitored network

Analysts think about data from the perspective of the attacker's goals, methods, and timing. The first instance of the attacker's appearance is an important marker.
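The analysis-types slide describes triage, escalation and correlation as successive widenings of the time window and data sources, and this timeline slide says the attacker's first appearance is the marker that ties the steps together. The following Python is an added example, not code from the slides or from Secure Decisions: it runs those three steps over a constructed alert stream modeled on this timeline. The sensor names, window lengths, the "authorized scanner" list and the IP addresses (documentation ranges) are all assumptions made for the example.

```python
"""Added example (not from the slides): triage -> escalation -> correlation
over a constructed alert stream. Shows why a one-day triage view misses the
attack and how the attacker's first appearance links a late exfiltration
back to an early scan. All events and IPs are constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int      # day offset; Day -1 is the last day of the scenario
    sensor: str   # data source: ids, vulnscan, authlog, netflow (assumed names)
    src: str
    dst: str
    kind: str     # scan, probe, alert, open_port, login, flow_out


INTERNAL_PREFIX = "192.0.2."            # the monitored network (constructed)
AUTHORIZED_SCANNERS = {"198.51.100.7"}  # "authorized devices" list (assumed)
TRIAGE_WINDOW = 1                       # triage looks at roughly a day
ESCALATION_WINDOW = 7                   # escalation looks back a week

# Constructed events loosely following the slide's timeline
EVENTS = [
    Event(-14, "ids", "198.51.100.7", "192.0.2.0/24", "scan"),       # authorized vuln scanner
    Event(-14, "ids", "203.0.113.45", "192.0.2.0/24", "scan"),       # foreign IP: nuisance scan?
    Event(-10, "ids", "203.0.113.45", "192.0.2.25", "probe"),        # Exchange-related ports
    Event(-9, "ids", "203.0.113.45", "192.0.2.25", "probe"),
    Event(-8, "ids", "203.0.113.45", "192.0.2.25", "alert"),         # SNORT/JIDS alert
    Event(-7, "vulnscan", "192.0.2.25", "192.0.2.25", "open_port"),  # atypical port on mail server
    Event(-3, "authlog", "203.0.113.45", "192.0.2.25", "login"),     # admin sign-in at odd hour
    Event(-2, "ids", "203.0.113.99", "192.0.2.25", "probe"),         # unrelated single-sensor noise
    Event(-1, "netflow", "192.0.2.25", "203.0.113.45", "flow_out"),  # data leaving the network
]

STAGE_ORDER = ["scan", "probe", "alert", "login", "flow_out"]


def external_party(e):
    """The non-monitored IP in an event, or None for purely internal events."""
    for ip in (e.src, e.dst):
        if not ip.startswith(INTERNAL_PREFIX):
            return ip
    return None


def triage(events, authorized=AUTHORIZED_SCANNERS):
    """Triage: weed out the known false positives (authorized scanners)."""
    return [e for e in events if e.src not in authorized]


def triage_view(events, day, window=TRIAGE_WINDOW):
    """What a triage analyst sees on a given day: only a short window."""
    return [e for e in triage(events) if day - window <= e.day <= day]


def escalate(events, window=ESCALATION_WINDOW):
    """Escalation: group by external party over a longer window and require
    corroboration from more than one data source before escalating."""
    by_ext = defaultdict(list)
    for e in events:
        ext = external_party(e)
        if ext:
            by_ext[ext].append(e)
    escalated = {}
    for ext, evs in by_ext.items():
        evs.sort(key=lambda e: e.day)
        recent = [e for e in evs if e.day >= evs[-1].day - window]
        if len({e.sensor for e in recent}) > 1:
            escalated[ext] = evs
    return escalated


def correlate(timeline):
    """Correlation: first appearance of the party and the attack stages seen,
    in attack order (scan -> probe -> alert -> login -> flow_out)."""
    first_seen = min(e.day for e in timeline)
    seen = {e.kind for e in timeline if e.kind in STAGE_ORDER}
    return first_seen, [s for s in STAGE_ORDER if s in seen]


def build_incidents(events):
    """Run the full pipeline and summarize each escalated external party."""
    incidents = {}
    for ext, timeline in escalate(triage(events)).items():
        first_seen, stages = correlate(timeline)
        incidents[ext] = {"first_seen": first_seen, "stages": stages,
                          "days": [e.day for e in timeline]}
    return incidents


if __name__ == "__main__":
    print("triage view on Day -1:", [(e.day, e.kind) for e in triage_view(EVENTS, -1)])
    for ext, inc in build_incidents(EVENTS).items():
        print(f"{ext}: first seen Day {inc['first_seen']}, stages {inc['stages']}")
```

The triage view on Day -1 shows only an outbound flow and an unrelated probe; nothing in a one-day window connects the flow to the Day -14 scan. The escalation step widens the window and insists on more than one sensor, so the single-sensor probe from the second address never becomes an incident, while the correlation step reports the first appearance of the real source and the ordered stages, which is the "connect this activity to scan by foreign IP" thread from the wish list.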
CYBER SECURITY VISUAL ANALYTICS CHALLENGES
Incomplete, inaccurate and ephemeral data

(Diagram: the Defender surrounded by Public Networks; Missions/Business Functions; Mission-to-Network Mapping; Enterprise; Sensor Location & Status; Dynamic Topology; Patch Status)

Adversaries disappear and re-appear, and can be co-located with friendlies.
Wireless networks increase the transitory nature of data.
Visual analytics is an unfulfilled promise in cyber operations

- Failure to transition, to deliver: lots of R&D; little operational deployment of visual analytics systems
- "Lack of information" visualization and analytics: rare
- Visual interface to security automation: rare
- Process visualization: rare
- Visual analytics to augment training: rare
- Visual analytics to evaluate tactics: rare

(Diagram: imagine, create, deliver visual analytics systems)

- Data import, normalization and aggregation
- Non-viz features to reduce "tool time"
  - Importing, filtering "hot IPs", authorized devices, and users
  - Automated report builders
  - Annotations and personal notes
- Diverse media
  - Workstations, big-board, PDA, in-vehicle displays
- Robust, secure, certifiable code base
Staying ahead of the adversary

- How do we use visual analytics to make the cyber defense process more proactive?
- How do we enhance information sharing within an organization, and across organizations?
  - Portable, shareable datasets and visual analytics
  - Collaborative tools
Mapping network assets to organizational missions

Need information and visual analytics to discover:
- Vulnerabilities of the organization's highest-priority goals
- Network assets that must be assured for continuity of mission-critical functions
- Organizational impact of an attack, or of a defensive COA
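The mission-to-network mapping asked for here (and on the "mission impact analysis" and "ephemeral data" slides) is, at its core, a dependency graph from missions to business functions to the network assets that provide them. The following Python is an added example, not code from the slides or from Secure Decisions: it builds a small constructed mapping and answers the two questions on this slide, which missions a compromised asset exposes and which missions a defensive COA (isolating assets) would take down. The missions, functions, asset names and priorities are all constructed for the example.

```python
"""Added example (not from the slides): a mission-to-network mapping and the
impact queries a defender runs for an attack or a defensive COA. All missions,
functions, assets and priorities below are constructed."""

# Mission -> priority (1 = highest); constructed
MISSION_PRIORITY = {"command-email": 1, "logistics": 2, "public-web": 3}

# Mission -> business functions it depends on; constructed
MISSION_FUNCTIONS = {
    "command-email": {"mail-delivery", "directory"},
    "logistics": {"inventory-db", "directory"},
    "public-web": {"web-frontend"},
}

# Function -> assets able to provide it (redundant providers allowed); constructed
FUNCTION_ASSETS = {
    "mail-delivery": {"mail01"},
    "directory": {"dc01", "dc02"},
    "inventory-db": {"db01"},
    "web-frontend": {"web01", "web02"},
}


def _by_priority(missions):
    """Order missions with the highest-priority (lowest number) first."""
    return sorted(missions, key=MISSION_PRIORITY.__getitem__)


def missions_exposed(compromised):
    """Missions touched by an attack: a function is exposed as soon as ANY one
    of its providers is compromised (a confidentiality question)."""
    touched = {f for f, assets in FUNCTION_ASSETS.items() if assets & set(compromised)}
    return _by_priority(m for m, funcs in MISSION_FUNCTIONS.items() if touched & funcs)


def missions_lost(unavailable):
    """Missions that lose a function outright: a function is lost only when
    ALL of its providers are unavailable (an availability question)."""
    lost = {f for f, assets in FUNCTION_ASSETS.items() if assets <= set(unavailable)}
    return _by_priority(m for m, funcs in MISSION_FUNCTIONS.items() if lost & funcs)


def evaluate_coa(compromised, isolate):
    """Organizational impact of an attack versus a defensive COA: what stays
    exposed if the compromised assets are left up, and what the organization
    loses if the defender isolates the assets named in the COA."""
    return {
        "exposed_if_left_up": missions_exposed(compromised),
        "lost_if_isolated": missions_lost(isolate),
    }


if __name__ == "__main__":
    for host in ("dc01", "mail01"):
        print(host, evaluate_coa({host}, {host}))
```

Running it shows the asymmetry a mission map makes visible: isolating dc01 exposes nothing further and loses no mission because dc02 still provides the directory function, whereas isolating mail01 takes the highest-priority mission offline, so the COA for the mail server needs a different trade-off than the one for a domain controller.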
Anita D'Amico
Secure Decisions division of Applied Visions, Inc.
anita.damico@securedecisions.com
631-759-3909