Even in the midst of a cyber attack, organizations must continue to operate—on the battlefield or in the emergency room. MITRE is developing a new approach for managing the tradeoffs between protecting computer systems and maintaining critical functions.
Adaptive Cyber Resiliency for Critical Operations
Effective cybersecurity requires multiple layers of defense, and these layers need to work together to provide comprehensive protection against cyber threats. Large, well-resourced organizations can afford to deploy and configure tools to provide such layered defenses. Most small and mid-sized organizations, however, depend on security providers and a range of products to protect their systems.
How do they find and combine the right ones to provide needed levels of protection while minimizing impact to their operations?
MITRE’s Adaptive Cyber Resiliency research team aims to improve the ability of organizations to protect themselves against cyber attacks and increase their networks’ resilience. The team is developing and testing a new capability for cyber resiliency in which they've integrated numerous off-the-shelf components and new MITRE-developed technology.
“MITRE as a whole, including our independent research and development (IR&D) program, has a long history of developing and sharing cybersecurity solutions with government and industry,” says Vipin Swarup, Ph.D., who leads the Adaptive Cyber Resiliency research, funded by the IR&D program. “For example, our ATT&CK framework came out of our early work in identifying adversarial behavior.
“The approach to cybersecurity used to be 'find the adversary in your system and clean up after them.' Today, we have to assume adversaries are already inside but, through resilient systems, we can keep operating our critical functions without compromise.”
After exploring representative network security tools on the market, the Adaptive Cyber Resiliency team created an architecture that can be adapted to an organization’s needs. They also developed new technology that can be integrated into the architecture, including tools that simulate advanced persistent threats, establish trust through multiple attributes, configure end-device microsegmentation, and automatically deploy optimal security configurations.
All these pieces have been combined into a model of a real-world enterprise system and operation, which we use to test how well various cybersecurity options work—and to analyze which tools work best in certain situations.
One of the team’s goals is to use the architecture to help organizations answer these questions:
- What parts of their systems are most critical to protect and must keep operating under attack?
- What are the system elements that most enable adversarial reach through their environment?
- Which combination of security controls best minimizes potential adversarial reach and maximizes availability of critical systems?
For advanced testing, the team has created a digital twin experimentation environment, which is being combined with artificial intelligence (AI) to dynamically optimize security protections within networks. Using AI algorithms, the team can analyze a network environment, identify potential vulnerabilities, and automatically adjust security protections to best protect against these vulnerabilities.
Organizations can use this architecture to test out tradeoffs and see the consequences. For example, under given threat conditions, what is the optimal combination of access control rules, applied software patches, cached credentials, redundant servers, and deceptive decoys to minimize cyber attack risks and accomplish the organizational mission?
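To make the tradeoff in the questions above concrete, here is an added toy model (not MITRE's tool or code, and not from the publications below) of the optimization the page describes: it scores candidate control sets by the adversary's reach from a compromised host while requiring that the critical mission flows keep working. The network, the foothold host, the four controls and their costs are all constructed for illustration.

```python
from itertools import combinations

# Constructed toy enterprise (not a real network): flows the current
# access-control policy allows, as (source, destination) pairs.
ALLOWED = {("guest-ws", "file-srv"), ("staff-ws", "ehr-app"), ("ehr-app", "ehr-db"),
           ("file-srv", "ehr-db"), ("file-srv", "backup")}
UNPATCHED = {"file-srv"}                                          # exploitable hosts
CACHED_CREDS = {("file-srv", "ehr-db"), ("file-srv", "backup")}  # creds stored on file-srv
MISSION = [("guest-ws", "file-srv"), ("staff-ws", "ehr-app"),    # flows that must keep working
           ("ehr-app", "ehr-db"), ("file-srv", "backup")]
FOOTHOLD = "guest-ws"                                             # assumed compromised host

CONTROLS = {  # name -> (flows cut, hosts patched, credential pivots purged, cost)
    "segment guest-ws from file-srv": ({("guest-ws", "file-srv")}, set(), set(), 1),
    "segment file-srv from ehr-db":   ({("file-srv", "ehr-db")}, set(), set(), 1),
    "purge cached creds on file-srv": (set(), set(), CACHED_CREDS, 1),
    "patch file-srv":                 (set(), {"file-srv"}, set(), 3),
}

def reachable(start, edges):
    seen = {start}  # transitive closure from start over directed edges
    while True:
        new = {d for s, d in edges if s in seen and d not in seen}
        if not new:
            return seen
        seen |= new

def evaluate(selected):
    # Returns (adversarial reach, mission intact?, total cost) for a control set.
    cut, patched, purged, cost = set(), set(), set(), 0
    for name in selected:
        flows, hosts, creds, c = CONTROLS[name]
        cut, patched, purged, cost = cut | flows, patched | hosts, purged | creds, cost + c
    allowed = ALLOWED - cut
    # Adversary uses an allowed flow only via an unpatched destination or a cached cred on the source.
    adv_edges = {(s, d) for s, d in allowed
                 if d in UNPATCHED - patched or (s, d) in CACHED_CREDS - purged}
    reach = reachable(FOOTHOLD, adv_edges) - {FOOTHOLD}
    mission_ok = all(d in reachable(s, allowed) for s, d in MISSION)
    return len(reach), mission_ok, cost

def best_policy(budget=None):
    # Exhaustive search: least reach, then least cost, among mission-preserving options.
    options = []
    for k in range(len(CONTROLS) + 1):
        for sel in combinations(CONTROLS, k):
            reach, ok, cost = evaluate(sel)
            if ok and (budget is None or cost <= budget):
                options.append((reach, cost, sel))
    return min(options)
```

With no budget the search picks patching file-srv (reach 0); with a budget of 2 it settles for purging the cached credentials (reach 1), and cutting guest-ws off from file-srv is never chosen because that flow is part of the mission.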
Partners Provide Complementary Expertise
To solve such a big and complex problem, the MITRE team is collaborating with external partners that have their own complementary expertise and resources.
For example, a team from the University of Louisiana at Lafayette is addressing a critical problem within cyber resiliency optimization—anticipating future organizational needs for network access.
These researchers are developing novel approaches based on AI and graph theory to create models of observed behaviors in computer network domains. The models will predict future communication links between users and services provided by computers. The UL Lafayette team comprises professors and their graduate students within the School of Computing & Informatics.
Developing a Platform for Cyber Resiliency Anywhere
“Today, the team is testing cyber options on a realistic, traditional enterprise network, looking at the day-to-day functions of network operations,” Swarup adds. “We’re also creating another use case for a 5G core network in the cloud, which is harder to protect. The objective is to be able to apply our architecture in any cloud application.”
The primary goal of this project is to develop a platform for cyber resiliency optimization that can inform cyber defenders anywhere. The Adaptive Cyber Resiliency team aims to create a cutting-edge prototype that can be used as a practical guide for building effective cyber defense systems.
Such a reference implementation would be a valuable resource in helping organizations optimize their cyber resiliency and enhance their overall security posture.
These publications describe key results from the Adaptive Cyber Resiliency project:
- Improving cyber resilience through the synthesis of optimal microsegmentation policy for a network
- Mapping adversarial attacks through credential harvesting operations and lateral network movements
- Predicting future links in cyber networks and applying the predictions to learn optimal microsegmentation policy rules