
Resilient Cyber Architectures Keep Government IT Operations Mission-Ready


April 2012


Achieving truly "secure" IT operations—with all attackers successfully repelled—is an impossible goal. But that doesn't mean organizations can't fight back.

"In the past, the reaction to cyber attacks was to build a fortress around your enterprise, but this is a losing battle," says Stephen Huffman, MITRE vice president and chief technology officer. "Attackers are no longer deterred by walls and moats and drawbridges."

Given this reality, organizations face the daunting challenge of maintaining critical functions in the face of inevitable enterprise breaches. MITRE's Resilient Architecture for Mission Assurance and Business Objectives (RAMBO) effort is showing our government sponsors how to carry out their missions when cyber attacks compromise their vital systems.

MITRE researchers are working closely with partners in government, academia, and commercial companies to develop and test scenarios for keeping system functions up and running. Through RAMBO, MITRE IT security and mission assurance experts have developed adaptive, secure architecture frameworks that our government sponsors can replicate in their own enterprises.

"The question is this: How can organizations create IT systems that will help them detect and remove attackers, and at the same time continue to provide services to users?" Huffman asks. "The systems themselves are not what are being protected. It's the functions they provide—the ability to carry out their missions."

Filling a Mission Assurance Gap

"We knew this was a gap area in mission assurance, so we decided to investigate how we could apply earlier internally funded research to resiliency," explains Jeff Picciotto, head of MITRE's Information Assurance Research department. "We also obtained funding for new research into how sponsors would assess resiliency in their own systems, and we're using what we've learned from sponsor programs in this area as well."


What Is Resilience?

Cybersecurity experts increasingly apply the term "resilience," with varying definitions, to the nation, critical infrastructures, organizations, networks, and systems. Common aspects of the many definitions of resilience include:

  • Preparing for, preventing, or otherwise resisting an adverse event;
  • Absorbing, withstanding, or maintaining essential functions in the face of the event;
  • Recovering from the event; and
  • Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.

When applied to cyber architecture, the focus of resilience is on events caused by adversary activities. These include reconnaissance, establishing a foothold in the information infrastructure, and exploiting that foothold to steal information or impede missions. Cyber resilience is the ability of information and communications systems—and the missions, organizations, and populations that depend on those systems—to anticipate, withstand, recover from, and address sophisticated cyber adversaries.


"There are a number of tools in the resiliency arsenal, including randomizing where processes are running," Huffman says. "But what happens when you aggregate these tools and put them together? Systems are very complex already, and emerging technology complicates the problem. As you add capabilities, you add vulnerabilities."

Despite the need for resilience in critical systems, MITRE advises organizations to proceed with caution; otherwise, system management can become cumbersome.

"Have you then increased the complexity of managing the systems to the point where they can no longer be easily managed? How would resiliency efforts work in a real-world environment? These are some of the questions we're investigating."

"The Cyber Adversary Has an Asymmetric Advantage"

"Existing cyber-defenses are generally successful against low-end threats to less essential systems," says Harriet Goldman, "but attacks on mission-critical systems can be much harder for sponsors to operate through." Goldman is executive director of cyber mission assurance at MITRE's National Security Engineering Center, the federally funded research and development center the company operates for the Department of Defense.

"The cyber adversary continues to have an asymmetric advantage. To reduce this advantage, organizations must proactively redesign their systems to diminish the impact and consequences of attacks. If you re-architect your systems for resilience, then you increase the cost and uncertainty of attackers' actions, making future attacks less likely."

The RAMBO effort assesses how government information-system architectures can remain resilient during specific types of cyber attacks. (See "Five Steps Toward Greater Resilience," below.) RAMBO also offers recommendations for how organizations should design, deploy, and operate critical systems to allow for system reconfiguration and data recovery if attackers compromise data, system components, or services. As part of this assessment, MITRE researchers will evaluate specific system capabilities to determine whether they will remain resilient over the system life cycle.

The RAMBO team is also examining specific techniques for achieving resilient architectures. These include applying diversity to technology, processes, and policies; moving-target architectures that relocate critical processes across hosts and network segments; and randomizing application configurations.

In the IT context, "diversity" means the attacker can no longer expect that, for example, every host will run Windows and every mail client will be Outlook, so one exploit or one playbook no longer carries across the whole enterprise. In a moving-target architecture, the organization periodically repositions critical processes across different hosts and network segments, so the location an attacker learned during reconnaissance may already be stale by the time the attack is launched. "Randomizing" means arranging system elements, such as where processes run and how applications are configured, so that attackers cannot rely on a fixed order or pattern learned from one system or from one observation.
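The moving-target and randomization techniques above, as an added simulation that is not MITRE's or RAMBO's code. It models the "cost and uncertainty" argument directly: a defender relocates one critical service to a fresh (host, port) placement every rotation_interval ticks, while an attacker who does reconnaissance every tick needs attack_latency ticks to weaponize before firing at the placement it remembers. The host names, port pool, tick model and attacker behaviour are all constructed assumptions; the code also reports the number of relocations, which is the management cost Huffman warns about.

```python
"""Moving-target placement model (added example; not MITRE or RAMBO code).

Constructed assumptions:
  * One critical service sits at a (host, port) placement drawn from a pool.
  * The defender relocates it to a *different* placement every
    rotation_interval ticks (None means a static, traditional placement).
  * The attacker runs reconnaissance every tick, learns the current
    placement, and needs attack_latency ticks to weaponize before it can
    fire at the placement it remembers.
"""
import random
from dataclasses import dataclass

HOSTS = ["app-01", "app-02", "app-03", "app-04"]   # hypothetical host names
PORTS = range(40000, 40010)                           # hypothetical port pool


@dataclass(frozen=True)
class Placement:
    host: str
    port: int


class MovingTarget:
    """Relocates a service on a fixed schedule and counts the relocations."""

    def __init__(self, rotation_interval, rng):
        self.interval = rotation_interval
        self.rng = rng          # use secrets.SystemRandom() outside a simulation
        self.current = self._fresh(avoid=None)
        self.relocations = 0

    def _fresh(self, avoid):
        # Draw until the placement differs from the one being vacated, so a
        # rotation always invalidates what the attacker last observed.
        while True:
            p = Placement(self.rng.choice(HOSTS), self.rng.choice(PORTS))
            if p != avoid:
                return p

    def tick(self, t):
        if self.interval is not None and t > 0 and t % self.interval == 0:
            self.current = self._fresh(avoid=self.current)
            self.relocations += 1


def expected_hit_rate(rotation_interval, attack_latency):
    """Closed form for latency <= interval: the share of recon phases that
    see no rotation before the attack fires."""
    if rotation_interval is None:
        return 1.0
    return max(0.0, 1.0 - attack_latency / rotation_interval)


def simulate(rotation_interval, attack_latency, ticks=1000, seed=1):
    """Return the attacker's hit rate and the defender's relocation count."""
    target = MovingTarget(rotation_interval, random.Random(seed))
    pending = {}        # tick at which an attack fires -> placement it was aimed at
    attempts = hits = 0
    for t in range(ticks):
        target.tick(t)                                   # defender moves first
        pending[t + attack_latency] = target.current     # recon, then weaponize
        if t in pending:                                 # attacks that are ready now
            attempts += 1
            if pending.pop(t) == target.current:
                hits += 1
    return {"hit_rate": hits / attempts if attempts else 0.0,
            "relocations": target.relocations}


if __name__ == "__main__":
    for interval, latency in [(None, 3), (10, 3), (10, 10), (2, 3)]:
        print(f"interval={interval} latency={latency}", simulate(interval, latency))
```

With a static placement every attack lands; rotating every 10 ticks against an attacker with a 3-tick weaponization window drops the hit rate to about 0.7 at the price of 99 relocations per 1000 ticks, and rotating at least as often as the attacker can react drives it to zero. Shrinking the interval below the attacker's latency buys little more while multiplying the relocations the operators have to manage, which is the trade-off the article says RAMBO is investigating.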


Five Steps Toward Greater Resilience

The RAMBO team has identified five steps that government organizations can take as they work towards architecture resilience:

  1. Protect and prepare. The first order of business for organizations is to incorporate security technology and operational best practices for data confidentiality, availability, and integrity into their critical systems. These practices protect against less sophisticated attacks and have a deterrent effect by increasing the adversary's work factor. In addition, organizations must prepare for cyber attacks, making identification of critical cyber assets and development of cyber defense courses of action part of contingency planning.
  2. Monitor and respond. While organizations can't always detect advanced system exploitations, they can improve situational awareness of system intrusions, service degradations, and other compromises. These events should become triggers to invoke contingency procedures and strategies. Systems need many forms of monitoring across the various layers of the architecture. Collecting data during attacks for later forensic analysis can also help organizations develop new deterrent capabilities.
  3. Constrain and isolate. System developers must separate functions, data, and network segments to isolate critical assets and allow for improved forensics and analysis of information about attacks. Isolation should ensure that critical portions of the system function, even if others do not. Examples include segmenting inbound from outbound traffic and isolating organizational intranets from the public Internet.
  4. Maintain and recover. Maintaining critical operations means distinguishing essential from non-essential capabilities, understanding dependencies among components, and executing contingency plans. Planning should allow organizations to address possible degradation in capacity and performance, denial of service, and corruption of data, hardware, or software processing capabilities. Recovery needs to include damage assessment, with particular attention to attacker "leave-behinds."
  5. Continuously adapt. By introducing technical, defensive, and operational change management into enterprise systems, system designs can potentially foil or confuse attackers by adding elements of unpredictability to system responses.
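Steps 2 through 4 above, as an added worked example that is not MITRE's or RAMBO's code: monitoring lines become triggers, the affected network segment is isolated, and a small dependency graph between mission functions, services and segments decides which essential functions stay up, which fail over to an alternate segment, and which are lost and should be restored first. The segment names, services, mission functions, latency threshold and log lines are all constructed for the example.

```python
"""Contingency planning over a service dependency graph (added example; not
MITRE or RAMBO code).  Monitoring events trigger isolation of a segment,
services are re-placed on surviving segments, and each mission function is
graded as up, shed (non-essential loss) or lost (essential, restore first).
All names, thresholds and log lines are constructed.
"""
import re

# Service -> network segments able to host it, primary first.
SERVICE_SEGMENTS = {
    "auth":      ["dmz-a", "dmz-b"],
    "tasking":   ["core-a", "core-b"],
    "reporting": ["core-a"],          # no alternate: a known single point of failure
    "wiki":      ["office"],
}

# Mission function -> (essential?, services it depends on).
FUNCTIONS = {
    "dispatch": (True,  ["auth", "tasking"]),
    "sitrep":   (True,  ["auth", "reporting"]),
    "collab":   (False, ["auth", "wiki"]),
}

LATENCY_LIMIT_MS = 500   # hypothetical degradation threshold

# Two constructed monitor feeds: an IDS alert line and a service-latency line.
IDS_RE = re.compile(r"IDS alert segment=(\S+) sig=(\S+)")
LAT_RE = re.compile(r"latency segment=(\S+) p99=(\d+)ms")


def events_from_logs(lines):
    """Turn raw monitor lines into (kind, segment) triggers; ignore the rest."""
    events = []
    for line in lines:
        m = IDS_RE.search(line)
        if m:
            events.append(("intrusion", m.group(1)))
            continue
        m = LAT_RE.search(line)
        if m and int(m.group(2)) > LATENCY_LIMIT_MS:
            events.append(("degradation", m.group(1)))
    return events


def plan(events):
    """Isolate triggered segments, re-place services, grade each function."""
    isolated, actions = [], []
    for kind, segment in events:
        if segment not in isolated:              # one isolation per segment
            isolated.append(segment)
            actions.append(("isolate", segment, kind))

    # Each service moves to its first surviving segment, or is lost.
    placement = {}
    for svc, segs in SERVICE_SEGMENTS.items():
        alive = [s for s in segs if s not in isolated]
        placement[svc] = alive[0] if alive else None
        if alive and alive[0] != segs[0]:
            actions.append(("failover", svc, alive[0]))

    status = {}
    for fn, (essential, deps) in FUNCTIONS.items():
        missing = [d for d in deps if placement[d] is None]
        if not missing:
            status[fn] = "up"
        elif essential:
            status[fn] = "lost"
            actions.append(("restore-first", fn, tuple(missing)))
        else:
            status[fn] = "shed"                  # non-essential: accept the loss for now
    return status, actions


SAMPLE_LOGS = [   # constructed monitor output
    "2012-04-12T03:14:07Z ids01 IDS alert segment=core-a sig=beacon-to-known-c2 src=10.20.1.17",
    "2012-04-12T03:14:09Z mon01 latency segment=dmz-a p99=120ms",
    "2012-04-12T03:15:01Z mon01 latency segment=office p99=900ms",
    "2012-04-12T03:15:03Z ids01 IDS alert segment=core-a sig=beacon-to-known-c2 src=10.20.1.23",
]

if __name__ == "__main__":
    status, actions = plan(events_from_logs(SAMPLE_LOGS))
    for fn, state in status.items():
        print(f"{fn:9s} {state}")
    for action in actions:
        print("action:", action)
```

Run on the sample lines, the plan isolates core-a (intrusion) and office (degradation), fails tasking over to core-b so that dispatch stays up, sheds the non-essential collab function, and flags sitrep as lost because reporting has no alternate segment. That last result is the point of the dependency analysis in step 4: the single-segment reporting service is exactly the kind of hidden dependency a contingency plan has to find before an incident rather than during one.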

Engaging the Broader Cyber Community

MITRE has begun demonstrating these techniques to sponsors to illustrate how resiliency differs from data security, says Rosalie McQuaid, associate head of MITRE's Information Assurance Research department. As one of its first steps in introducing the concept of resiliency, the RAMBO team recently presented a paper, titled "Cyber Resilience for Mission Assurance," at the IEEE International Conference on Technologies for Homeland Security. Next, MITRE will invite sponsors to a two-day workshop on the topic this spring.

"We're looking forward to building sponsor buy-in for these ideas, and we're hoping vendors will come and work on things such as developing a glossary with definitions of resiliency terms," McQuaid says.

Why MITRE? "We're in a good position to work across the government, academia, and vendors on resiliency, because of our FFRDC role and status," Huffman says. "We have good insights into the government's needs. We can provide a realistic environment for testing and give feedback on how well certain solutions will work in the government space.

"Moreover, because we're not competing with industry, commercial companies let us look at new tools early in their development. From our sponsors' perspective, we can help them understand how capabilities developed by vendors can fit in with their needs."

—by Maria S. Lee

Page last updated: April 12, 2012