Resilient Cyber Architectures Keep Government IT Operations Mission-ReadyApril 2012
Topics: Critical Infrastructure Protection, Emergency Preparedness and Response, Enterprise Architectures, Information Security Risk Management, Safeguard and Secure Cyberspace
Achieving truly "secure" IT operations—with all attackers successfully repelled—is an impossible goal. But that doesn't mean organizations can't fight back.
"In the past, the reaction to cyber attacks was to build a fortress around your enterprise, but this is a losing battle," says Stephen Huffman, MITRE vice president and chief technology officer. "Attackers are no longer deterred by walls and moats and drawbridges."
Given this reality, organizations face the daunting challenge of maintaining critical functions in the face of inevitable enterprise breaches. MITRE's Resilient Architecture for Mission Assurance and Business Objectives (RAMBO) effort is showing our government sponsors how to carry out their missions when cyber attacks compromise their vital systems.
MITRE researchers are working closely with partners in government, academia, and commercial companies to develop and test scenarios for keeping system functions up and running. Through RAMBO, MITRE IT security and mission assurance experts have developed adaptive, secure architecture frameworks that our government sponsors can replicate in their own enterprises.
"The question is this: How can organizations create IT systems that will help them detect and remove attackers, and at the same time continue to provide services to users?" he asks. "The systems themselves are not what are being protected. It's the functions they provide—the ability to carry out their missions."
Filling a Mission Assurance Gap
"We knew this was a gap area in mission assurance, so we decided to investigate how we could apply earlier internally funded research to resiliency," explains Jeff Picciotto, head of MITRE's Information Assurance Research department. "We also obtained funding for new research into how sponsors would assess resiliency in their own systems, and we're using what we've learned from sponsor programs in this area as well."
"There are a number of tools in the resiliency arsenal, including randomizing where processes are running," Huffman says. "But what happens when you aggregate these tools and put them together? Systems are very complex already, and emerging technology complicates the problem. As you add capabilities, you add vulnerabilities."
Despite the need for resilience in critical systems, MITRE advises organizations to proceed with caution; otherwise, system management can become cumbersome.
"Have you then increased the complexity of managing the systems to the point where they can no longer be easily managed? How would resiliency efforts work in a real-world environment? These are some of the questions we're investigating."
"The Cyber Adversary Has an Asymmetric Advantage"
"Existing cyber-defenses are generally successful against low-end threats to less essential systems," says Harriet Goldman, "but attacks on mission-critical systems can be much harder for sponsors to operate through." Goldman is executive director of cyber mission assurance at MITRE's National Security Engineering Center, the federally funded research and development center the company operates for the Department of Defense.
"The cyber adversary continues to have an asymmetric advantage. To reduce this advantage, organizations must proactively redesign their systems to diminish the impact and consequences of attacks. If you re-architect your systems for resilience, then you increase the cost and uncertainty of attackers' actions, making future attacks less likely."
The RAMBO effort assesses how government information-system architectures can remain resilient during specific types of cyber attacks. (See "Five Steps Toward Greater Resilience," below.) RAMBO also offers recommendations for how organizations should design, deploy, and operate critical systems to allow for system reconfiguration and data recovery if attackers compromise data, system components, or services. As part of this assessment, MITRE researchers will evaluate specific system capabilities to determine whether they will remain resilient over the system life cycle.
The RAMBO team is also examining specific techniques for achieving resilient architectures. These include applying diversity to technology, processes, and policies; transferring target architectures across different network segments; and randomizing application configurations.
In the IT context, "diversity" means the attacker can no longer expect that, for example, each system will be Windows and each mail application will be Outlook. In the case of moving-target architectures, organizations would reposition critical processes across different hosts and network segments, making them more difficult for attackers to find. "Randomizing" means arranging system elements so that attackers cannot identify specific orders or patterns.
Engaging the Broader Cyber Community
MITRE has begun demonstrating these techniques to sponsors to illustrate how resiliency differs from data security, says Rosalie McQuaid, associate head of MITRE's Information Assurance Research department. As one of its first steps in introducing the concept of resiliency, the RAMBO team recently presented a paper, titled "Cyber Resilience for Mission Assurance," at the IEEE International Conference on Technologies for Homeland Security. Next, MITRE will invite sponsors to a two-day workshop on the topic this spring.
"We're looking forward to building sponsor buy-in for these ideas, and we're hoping vendors will come and work on things such as developing a glossary with definitions of resiliency terms," McQuaid says.
Why MITRE? "We're in a good position to work across the government, academia, and vendors on resiliency, because of our FFRDC role and status," Huffman says. "We have good insights into the government's needs. We can provide a realistic environment for testing and give feedback on how well certain solutions will work in the government space.
"Moreover, because we're not competing with industry, commercial companies let us look at new tools early in their development. From our sponsors' perspective, we can help them understand how capabilities developed by vendors can fit in with their needs."
—by Maria S. Lee