Cyber Mission Assurance
Definition: Mission assurance is "a process to ensure that assigned tasks or duties can be performed in accordance with the intended purpose or plan...to sustain...operations throughout the continuum of operations" . It is executed through a "risk management program that seeks to ensure the availability of networked assets critical to department or agency missions. Risk management activities include the identification, assessment, and security enhancement of assets essential for executing...national...strategy" . Cyber mission assurance focuses on threats resulting from our nation's extreme reliance on information technology (IT).
Keywords: architecture, cyber, cyber threat, mission assurance, resilience
MITRE SE Roles & Expectations: MITRE systems engineers are expected to be able to help customers acquire robust systems that can successfully execute their mission even when under attack through cyberspace. To do this, MITRE systems engineers are expected to be conversant in mission operations, the various types of cyber threats to IT systems, and system malfunctions that can cause missions to fail. They are expected to be familiar with best security practices and the basic principles for building and operating systems that can sufficiently fight or operate through these obstacles, including architecture resilience against the upper end of the cyber threat spectrum. Given the complexity, variety, and constant change of cyber threats, MITRE systems engineers should seek out MITRE cyber security experts to support these activities. MITRE systems engineers are expected to recommend requirements, architectures, strategies, and solutions for cyber protection and mission assurance capabilities, including consideration of technical and operational dimensions across all phases of the system life cycle, from concept development through deployment and operations. MITRE systems engineers are also expected to keep abreast of the evolving discipline of engineering for cyber mission assurance.
Background and Introduction
Today's information technology (IT) environments are increasingly subject to escalating cyber attacks. Cyber threats vary widely in sophistication, intent, and consequences to the targeted systems and networks. The range of attackers extends from users who unintentionally damage systems to hackers, cyber criminals, and full-scale cyber spies and cyber warriors; their intentions span from annoying vandalism to economic threats to taking out the electric grid or defeating armed forces. Similarly, the target of the attacks can vary from a single computer or router to an entire on-line banking system, business enterprise, or global supply chain. At the same time, missions and businesses fall along a spectrum of criticalityfrom desirable to necessary, essential, and mission- or safety-critical. Given the broad spectrum of threat, intent, and consequence to mission-critical functions, determining exactly where mission systems lie in this continuum of dimensions is vital to determine the appropriate level of investment and response.
The notion that 100-percent cyber protection can be achieved is not only unrealistic but also results in a false sense of security that puts our missions and businesses at serious risk. Consequently, the inability to achieve full protection must be compensated by ensuring that missions can be accomplished despite cyber attacks.
When engineering systems for cyber mission assurance, the focus needs to build upon engineering defensive capabilities via protection technologies and engineering both offensive and defensive capabilities within a comprehensive framework of risk management. Engineering for cyber mission assurance requires a mindset akin to the air traffic control (ATC) system concept of "graceful degradation." Weather cannot be controlled, so the air traffic controllers plan how to gracefully degrade the flow of air traffic during bad weather, and the ATC systems are engineered to enable the execution of those plans. It also calls for addressing the unexpected and the undetectable cyber attack in ways that make the adversary's exploit harder and more costly, less likely to succeed, and more likely to cause minimal impact on mission operations.
Cyber defenses generally available today help address low-end threats but alone are often ineffective against more capable forms of cyber attacks that may target our most mission-critical systems. It is at the high end of the continuum that resilience of the system architecture will matter mostto enable continuity of mission-critical operations and support rapid reconstitution of existing or minimal essential capabilities or the deployment of alternative means of accomplishing the mission.
Thus, while this article presents ideas along the full spectrum of cyber security, it concentrates on architectural resilience against the upper end of the threat spectrum, where the stakes are high, the mission or business is critical, and the adversary is sophisticated, motivated, and persistent.
Nevertheless, many of the same techniques are valuable at the low to medium levels of threats and consequences because they can significantly reduce the operational impact and cost of cleanup after an attack. Even if the intentions and consequences of a threat are currently not very serious, it must be kept in mind that today's massive data thefts or passive reconnaissance can quickly escalate into data and system modification, surreptitious commandeering of control, or denial of essential services with far more dire mission impact in the future.
Some of the recommendations in this article are clearly in the domain of systems engineers or designers, while others may fall more naturally to program managers, cyber security experts, or operational users and their leadership. Cyber mission assurance recommendations are most effective when used in combinations to achieve an overall security strategy. The recommendations are therefore presented as a whole instead of attempting to parse out those that fall under the particular purview of systems engineering.
Lastly, the specific recommendations that follow will not be practical for all systems. Some can be done in the short term for certain systems, like those now in design, but would take longer or might never be implemented for legacy systems with a large installed base. Some recommendations address a common concern but in different ways, with the expectation that practitioners will find something that makes cost-effective sense for their particular situation. Following any of these recommendations will decrease risk, but the recommendations are best followed in combinations derived from following a security engineering strategy and practice based on modeling the threats the user is trying to protect against.
Three Levels of Cyber Threat
Low-end threats are often known as hackers or script kiddies, and their techniques typically involve email phishing and hacking. They often take advantage of widely known, still-unpatched vulnerabilities in today's operating systems, applications, and hardware. The motive can be mischief or the bragging rights that come with success. Yet, the same vulnerabilities used by the low-end threat can be used by any threat, including high-end.
Mid-range threats are often state-sponsored and will use low-end techniques to target well-known vulnerabilities where effective. They may also use zero-day attacks (that take advantage of the delay between when vulnerabilities are discovered and when they are reported and corrected); perform reconnaissance and probing to gain knowledge of infrastructure, controls, and configuration weaknesses; and use social engineering to manipulate online users into revealing personal information and other exploits to exfiltrate and/or manipulate information. Mid-range threats can remotely implant malware (viruses, worms, adware, or spyware that can threaten a network) and back doors, cause denial-of-service attacks, and introduce undetectable software modifications that can hide in a system once penetrated and maintain presence across many types of system changes. The cyber espionage documented in a report to the U.S.-China Economic and Security Review Commission is an example of this type of threat .
High-end threats use all of the above techniques and add the ability to circumvent physical security measures; create undetectable hardware and software modifications and insert them via the supply chain; plant or turn insiders in the target organization; and use full-spectrum intelligence to identify targets and vulnerabilities.
Responding to Low-End Threats
Some suggestions and resources for managing low-end threats are provided in the paragraph below. More details are at the references cited.
Responding to low-end threats is tedious and costly, but a necessary part of using IT. Using Security Content Automation Protocol1 (SCAP)-compliant tools will make dealing with low-end threats a more automated process. Even when faced with a mid-range or high-end threat, it makes sense to first deal with the low-end threat, rather than get distracted and let defenses down. Dealing with the low-end threat involves the application of end-to-end solutions incorporating commonly understood components such as firewalls, anti-virus protection, anti-spyware protection, anti-spam protection, intrusion detection, vulnerability patching tools, and scans for wireless access points. The SANS Institute2 maintains a list of the "Top 20 Internet Security Problems, Threats, and Risks" and what to do about them . MITRE and SANS also produced a list of the "Top 25 Programming Errors" . The SANS website also hosts the Consensus Audit Guidelines (CAG) Twenty Critical Controls for Effective Cyber Defense . However, although commonly understood, these defenses are often either not employed, incompletely employed, misconfigured, or not maintained.
Responding to Higher Level Threats
For obvious reasons, most detailed suggestions and resources for managing mid- to high-end threats are sensitive, closely held, and often rapidly evolving to keep pace with ever-changing threats. Recently, cyber mission assurance thought leaders have started structuring the cyber response discussion around the notion of a system architecture that is resilient in the face of different levels of cyber threat. The MITRE report Building Secure, Resilient Architectures for Cyber Mission Assurance  surveys the emerging thinking on building secure, resilient architectures for cyber mission assurance. It motivates the need, lays out the goals and objectives of a resilient cyber architecture, defines its key characteristics, and provides an overview of key resilience techniques and mechanisms.
Defining Resilient Architectures
The term resilience has many definitions depending on the context and application. For a computing paradigm, the simple definition from the University of Kansas's ResiliNets Project proves most useful: "Resilience is the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation". Resilience is related to survivability, which builds on the disciplines of security, fault tolerance, safety, reliability, and performance.
Government departments and agencies are increasing their attention to resilience.While this increased attention clearly indicates understanding of the importance of resilience, the community is just beginning to understand what it means to turn the concept into practice. Much work is needed to define and validate resilience: techniques and strategies; policies to promote operational and system resilience; risk decision methodologies, analytic processes, and acquisition guidance; and metrics for measuring resilience improvements and evaluating progress. Moreover, funding must be aligned to budget cycles to reflect these needs and build momentum.
Game-changing technologies, techniques, and strategies can make transformational improvements in the resilience of our critical systems. A number of the detailed ideas on building secure, resilient architectures for cyber mission assurance in  are future-looking and suggest the art of the possible from which to begin evaluating the viability of promising strategies and techniques for resilience, singly and in combination, to determine which are the most cost effective to pursue.
Best Practices and Lessons Learned?Near-Term Steps
The four items below are among the most mature practices of engineering for cyber mission assurance. They are rooted in actual experience. The references point to more details.
To begin evolving our architectures to be more secure and resilient, the first step is to reduce their attack surface and make them more understandable, agile, and manageable. Near-term re-architecting actions can begin now by addressing the four following principles:
- Virtualization: Leverage or introduce virtualization as a foundation to implement techniques for isolation, non-persistence, replication, reconstitution, and scaling. Doing so will support capabilities to constrain attacks and damage propagation, improve availability, and provide agility to create, deploy, and move critical capabilities at will (moving target defense) if the system is under attack. (, pp. 8, 10, 11-14)
- Non-persistence: Non-persistence techniques can be applied for access to data, applications, and connectivity when continuous access is nonessential. They can be used to reduce the exposure of the data and applications, as well as the opportunity for the adversary to analyze our vulnerabilities or gain a stronghold and maintain a persistent presence. Non-persistence can also provide operational provisioning and management benefits by pushing a new gold image when a user connects each day or at some fixed interval, thus reducing the period of vulnerability. The goal is to set the frequency so that refreshes occur often enough to prevent the spread or intended impact of an attack, but not so often that it makes the system unstable. Refreshing aperiodically to a known good image can provide the additional advantage of hindering an attacker's ability to predict the window of opportunity in which to launch an attack, thus increasing the risk that the attack will fail or be detected, and reducing the likelihood of gaining a persistent stronghold. Aperiodic refreshing may require additional coordination. (, pp. 8-9, 12, 14-15)
- Partition/Isolate: Segregate components of dubious pedigree from trusted ones to reduce the attack surface, simplify systems and interfaces, and limit the damage and spread of exploits, when they occur. Separation requirements should implement the principle of least privilege and separate critical from non-critical mission functions and data. Partitioning supports the distribution and placement of highly specialized sensors that can improve situational awareness and better detect behavioral anomalies (, pp. 3-6, 8-9, 11-13). Examples include:
- Separation at the network level (e.g., Internet from Intranet and demilitarized zone segmentation) and at the application and data levels (e.g., non-sensitive from sensitive) segregates risky traffic and processing from critical traffic, processing, and data. These tactics help reduce complexity by removing extraneous data and transactions and promote more effective intrusion detection, packet capture analytics, and other anomaly detection capabilities because anomalous behavior cannot easily "hide in the noise."
- Segmentation at the network level should implement controlled interfaces between segments, as needed, both within an enterprise and at its boundaries. This will help limit local area network contamination and flow-through, and with proper sensor deployment can provide better situational awareness (SA) and more precisely targeted computer network defense (CND).
- Isolating the CND network from critical processing networks can help prevent the adversary from learning our intrusion analysis and forensic capabilities.
- Isolating asynchronous communications, analyzing and correlating request-response traffic, and isolating different protocols support detecting anomalous traffic.
- Implementing white lists3 will constrain application pathways.
- Using secure browsers, thin clients, and virtualized clients can be used to sandbox4 risky processing from critical processing.
- Situational Awareness: Beef up detection, analysis, correlation, and forensics tools and processes. Improve integrated SA understanding by improving sensor data collection, analytics for security and mission-critical capabilities' health (i.e., better detect degradations, faults, intrusions, etc.), and visualization techniques. Baseline normal critical processing and user behavior, and focus on anomaly detection within this context. Use forensics to drive evolution of CND and operations.(, pp. 4, 6, 16)
References & Resources
- Department of Defense, July 1, 2010, DoD Directive 3020.40 Change 1 "DoD Policy and Responsibilities for Critical Infrastructure"
- Krekel, B., October 9, 2009, Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," prepared for The US-China Economic and Security Review Commission, Northrop Grumman Corporation.
- SANS, September 2009, Top Cyber Security Risks.
- MITRE/SANS, February 6, 2010, Top 25 Programming Errors.
- SANS, November 13, 2009, "Twenty Critical Controls for Effective Cyber Defense: Consensus Audit," 20 Critical Security Controls, Version 2.3.
- Goldman, Harriet G., Building Secure, Resilient Architectures for Cyber Mission Assurance, The MITRE Corporation, November 2010.
- University of Kansas ResiliNets Wiki and Wikipedia, "Resilience is the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation." https://wiki.ittc.ku.edu/resilinets_wiki/index.php/Definitions (accessed on 11 August 2010).
Additional References & Resources
MITRE authors, May 5, 2009, Selected MITRE Cyber-Related Research and Initiatives, The MITRE Corporation.
1 The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP (Wikipedia, accessed on December 14, 2010).
2 The SANS Institute, founded in 1989, provides computer security training, professional certification through Global Information Assurance Certification (GIAC), and a research archive?the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. SANS is an acronym for SysAdmin, Audit, Network, and Security (Wikipedia, accessed on December 14, 2010).
3 A white list or approved list is a list or register of entities that, for one reason or another, are being provided a particular privilege, service, mobility, access, or recognition (Wikipedia, accessed on January 3, 2011).
4 In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, and untrusted users. The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access and the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization (Wikipedia, accessed on December 14, 2010).