Defeating Sophisticated Threats Requires Multipronged Tactics

May 2007
By Maryann Lawlor

 
Using the Prometheus network defense system, personnel at the U.S. Navy’s Network, Information Operations and Space Center can view information from numerous sources at one console in near real time.
Trimming the number of systems while harvesting incident information protects today’s high-value Navy targets.

In the global war on cyberterrorism, the networks and applications that sprouted throughout the U.S. Navy like dandelions in spring are being culled to ensure that the most beneficial remain and can be centrally managed. The largest endeavor moves the Navy from fragmented legacy systems to centrally managed, decentrally executed configurations. At the same time, feeding incident data from many network centers into a single security site is helping cyberwarriors protect not only classified information but also other high-value data targets.

Information security experts know that threats to military systems have escalated from script kiddies defacing Web pages to international computer experts bent on stealing secrets. One of the most recent incidents occurred at the Naval War College in November 2006. Chinese hackers were found to be responsible for the malicious act that shut down the college’s e-mail capability and Internet-connected computer system for weeks. Many suspect that such illegal acts are even state sanctioned.

The Navy intranet systems’ primary line of defense against cyberterrorists is the Navy Cyber Defense Operations Command (NCDOC), Norfolk, Virginia. According to James Granger, technical director, NCDOC, cybercriminals today are far more sophisticated and can extract more data than in the past. They have learned that it is much cheaper to steal the fruit of someone else’s research and development labor and investment than to work for it, he says. And in the case of the break-in at the Naval War College, it is hard to believe that the Chinese government was not aware of the activity, he adds.

Attacks on high-value targets mean that it is more important than ever to build security in at the beginning of system development rather than bolt it on at the end. But securing systems is only one element of defense in depth, Granger says. The Navy’s holistic protection approach also involves winnowing the number of applications and networks, moving what remains to a centrally managed enclave, ensuring that the systems are certified and accredited, and putting them behind an established security suite.

To accomplish this task, the Office of the Chief of Naval Operations is leading the Cyber Asset Reduction and Security (CARS) effort. CARS, which began in December, aims at reducing the number of Navy applications and networks. The project is scheduled to continue for five years and will lead into the Next-Generation Enterprise Network, Granger explains.

Trimming the number of applications was one of the goals of the Navy/Marine Corps Intranet (NMCI), and although significant reduction of the number of systems has occurred, Granger reveals that the figure has plateaued. Now, the service is taking a harder look in a more focused manner. “We’re building on the lessons that we learned from implementing NMCI and further necking it down. The Department of the Navy’s Office of the Chief Information Officer and Naval Operations N-6 have the functional area manager process, and they are necking things down a lot tighter. Ultimately, what it gets down to is what’s referred to around here as ‘capture the money.’ Until you have control of the money, people will go out and do whatever they’re going to do,” he explains.

This approach follows what the U.S. Marine Corps instituted in the late 1990s to create the Marine Corps Enterprise Network (MCEN). When the service’s leadership announced the formation of a single enterprise network, individual commands agreed it was a good idea but still planned to use their own funds to buy what they felt their individual organizations needed. To ensure that these buying decisions did not lead to a new brand of stovepipes, the Marine Corps brought all funding under the umbrella of the service’s technology and communications lead, the G-6.

“Then they got central control, and the MCEN is a very tight, very organized network,” Granger says. “That’s along the lines that we want to go in taking a harder look. We’ve reduced a lot of applications, but a lot of that stuff was easy. Now, we get into the real hard stuff.” The “hard stuff” could include determining the number of vulnerability scanners needed or whether a class of operating systems should be eliminated. “For example, should we say we’re not going to have 72 flavors—or whatever number—of Unix anymore? We’re going to cut it down to something,” he hypothesizes.

Granger admits that some people object to this approach. “Oh, trust me, there is pain out there, but again, it’s the direction we need to go in. We are the military. Aviators don’t get to configure their F/A-18s the way they feel they need to do it. They can’t say, ‘Hey, I feel like dropping a toaster for humanitarian relief. I’m going to drop that out of my Super Hornet,’” he points out. And if information systems are in fact considered weapon systems, they must be treated in a like manner, he notes.

Although BUMED, the Navy’s Bureau of Medicine and Surgery network, may not seem to warrant treatment as a weapon system, if it is less protected than the other enclaves it could become the service’s Achilles’ heel, Granger points out. Because of unique requirements such as compliance with the Health Insurance Portability and Accountability Act of 1996, BUMED cannot be folded into NMCI or any of the other highly secure computer network enclaves. However, medical networks are popular targets for hackers because they can be easier to access, providing a door into more valuable networks.

“If I were looking for the least defended, most accessible networks out there, I’d be looking at education, medical, and research and development. In these networks, you want to protect the information, but at the same time you’re trying to make it joint, so you’ve increased your scope of risk. Also, you have people that don’t necessarily have the security mindset. Foremost, they’re thinking about treating patients, not worrying about adversaries trying to mess up their network. They’re thinking, ‘Who really wants to hack a medical record? Who wants to find out what my last cholesterol test results were?’” he explains.

But this attitude ignores the fact that enemies can use even seemingly insignificant computer networks to reach their intended target. Granger illustrates this point with exaggeration. “We may think, ‘Who cares about hacking into a personnel support detachment or into the 30th Mess Kit Repair Company?’ But the big thing about that is that the 30th Mess Kit Repair Company ties to the 1st Mess Kit Repair Group, which ties into a higher headquarters, which ties into the golden goodies over there. So you’ve got to look at it all,” Granger observes.

NCDOC’s primary mission is to protect the Navy’s four intranet systems: the Navy/Marine Corps Intranet, One-Net, IT-21 and BUMED. However, the command also conducts forensics on computer hard drives to determine vulnerabilities and last year discovered that Social Security numbers and other personal data for 28,000 sailors and their family members were posted on a civilian Web site.

Network security is as worrisome as it has been in the past, but the flavor has changed, he relates. Today’s information security specialists can identify more vulnerabilities and villains than in the past, but they also know that the number of cyberterrorists lurking in the shadows has increased.

“Every time I see something and say, ‘Oh my God, that’s bad,’ I also say, ‘But I know about it. What’s really bad that I don’t know about?’ I am heartened by the fact that we’ve got exceptional people who are working toward hardening the network. We call it ‘reducing the amount of white space,’ forcing the adversary into more observable avenues of attack.

“That’s great, but the thing that keeps me up at night is what about the guy who already got in, the hard-core deep insider. I think about the counterintelligence world, the cyber-equivalent of a Robert Hanssen—somebody like that who’s been in the network for a while—and we hardened all around him, but he’s right there buried in the heart of it. We’d like to think that we’ve got steps in place and we can reduce the risk. You can mitigate it, but you’ll never eliminate it,” he states.

Granger also is concerned about the “bagel problem,” a term he uses to describe vulnerabilities within an organization. “Personally, I don’t think that 80 percent of the Navy’s employees are disgruntled and want to damage Navy networks. However, what I’m concerned about is the bagel problem: it’s hard and crunchy on the outside, but once you’re inside, it’s soft and chewy. I liken it to a building. The building has a combination lock on the door, but once you’re in, all the doors are unlocked and all the goodies are lying out on the table. Once you get from the outside to the inside, you become an insider. By and large, I’m not as worried about the überdisgruntled employee as I am about the disgruntled outsider who managed to get in and now has the free run of the network,” he explains.

To gain awareness of activity on all of the Navy’s systems, data from NMCI, One-Net, IT-21 and BUMED network centers feeds into the Network, Information Operations and Space Center (NIOSC) at NCDOC. As a result, information gleaned from malicious activity on one network triggers examination of the other networks.

Large amounts of network activity information certainly improve security, but NCDOC has done that one better by adopting Prometheus, a system that Granger calls the Vegematic of computer network defense. “It will slice, dice, whip, chop and puree data. Prometheus will aggregate, correlate and fuse data and give us an analytical capability for a tremendous amount of data from disparate sources,” he says. NIOSC personnel can view information from numerous sources in near real time and can pull up specific information whenever they need it, no matter the source. “So they might be looking at an IntruShield sensor from an IT-21 network one minute and at Symantec network security feeds off of NMCI the next minute, but they’re looking at it all from the same console,” he relates. In addition to this on-the-spot capability, long-term data storage enables powerful analytical capabilities such as deep analysis and trend tracking.

The need for Prometheus was identified around 1999, but the solution could not be developed at that time, Granger allows. In fact, the tools available in the late 1990s provided only red dots on computer displays as alarms. “We did some stats, and we figured out that, with the number of alarms we were receiving and the number of people we had, if the watchstander did nothing else during the course of his watch—never went to the head, never got a drink, never ate or answered a phone, he just stood there and did alarms—he could spend 2.7 seconds per alarm, obviously not really effective. So the operators defined the requirements, and the operators helped to build what the system is today—not perfect by any stretch, but we have a way ahead, and we’re always refining it,” he says.

Granger notes that standardizing security terminology also will enhance system protection across military and government agencies. NCDOC is working with the U.S. Army, the National Security Agency, the Office of the Secretary of Defense for Networks and Information Integration and the National Institute of Standards and Technology to standardize security terms.

For example, NCDOC shares integrated architecture behavior model data, but the title for the data cites a Microsoft buffer overflow vulnerability. “Well, how do you compare that to other types of buffer overflows? Is this the same thing? Is it just a Microsoft issue? Where’s the common language?” he says. “Those data standards are what are critical. They’re critical to interoperability so that when we’re talking about vulnerabilities across the GIG [Global Information Grid] and the Army reports something, we can all talk the same language and understand that the vulnerability over there is the same thing over here. We need to get that way. It really is about the data.”
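Two of the ideas above, fusing sensor feeds from separate enclaves so that activity seen on one network prompts a look at the others, and describing a vulnerability in a common vocabulary rather than a vendor’s own title, can be shown together in a small script. The following is an added illustration written for this page; it is not Prometheus, NCDOC code, or any product’s output. The two feed formats, the field names, the signature-name mapping, the IP addresses and the timestamps are all constructed for the example, and the enclave names are borrowed from the article only as labels.

```python
"""Normalize heterogeneous sensor feeds into one schema, then correlate across enclaves.

Constructed example: two made-up line formats, a handful of sample lines each.
Enclave names (NMCI, IT-21, BUMED) are labels taken from the article; the formats,
field names, signature names and addresses below are assumptions, not real data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    enclave: str
    src_ip: str
    dst_ip: str
    signature: str    # vendor-specific name exactly as the sensor emitted it
    common_name: str  # shared vocabulary name, or the raw signature if unmapped


# Constructed mapping from vendor-specific titles to one shared name per issue.
# In practice this table would come from an agreed data standard, not be hard-coded.
SIGNATURE_MAP = {
    "MSRPC_DCOM_BO": "buffer-overflow/msrpc-dcom",
    "Microsoft RPC DCOM Overflow": "buffer-overflow/msrpc-dcom",
    "SMB_NULL_SESSION": "recon/smb-null-session",
}


def normalize_signature(raw: str) -> str:
    """Map a sensor's own title to the common name; fall back to the raw title."""
    return SIGNATURE_MAP.get(raw.strip(), raw.strip())


# Format A (constructed): key=value pairs, as an IPS sensor might log them.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str, enclave: str) -> Event:
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    sig = fields["sig"]
    return Event(datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
                 enclave, fields["src"], fields["dst"], sig, normalize_signature(sig))


# Format B (constructed): comma-separated timestamp, source, destination, title.
def parse_csv(line: str, enclave: str) -> Event:
    ts, src, dst, sig = [p.strip() for p in line.split(",", 3)]
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                 enclave, src, dst, sig, normalize_signature(sig))


# Which parser each enclave's feed needs (assumed; real feeds would be configured).
PARSERS = {"IT-21": parse_kv, "NMCI": parse_csv, "BUMED": parse_csv}

# Constructed sample feed: (enclave, raw line). Addresses are documentation ranges.
SAMPLE_FEEDS = [
    ("IT-21", "ts=2007-03-05T10:02:11 src=203.0.113.7 dst=10.1.4.20 sig=MSRPC_DCOM_BO"),
    ("NMCI",  "2007-03-05 10:40:03, 203.0.113.7, 10.9.8.44, Microsoft RPC DCOM Overflow"),
    ("BUMED", "2007-03-05 11:15:30, 198.51.100.23, 10.20.5.6, SMB_NULL_SESSION"),
    ("BUMED", "2007-03-05 13:00:00, 203.0.113.7, 10.20.5.9, SMB_NULL_SESSION"),
    ("NMCI",  "2007-03-05 09:55:00, 192.0.2.50, 10.9.8.1, SMB_NULL_SESSION"),
]


def ingest(feeds):
    """Parse every (enclave, line) pair into the common schema, oldest first."""
    events = [PARSERS[enclave](line, enclave) for enclave, line in feeds]
    return sorted(events, key=lambda e: e.ts)


def cross_enclave_sources(events, window_hours=1.0):
    """Sources seen in two or more enclaves within `window_hours` of each other.

    Returns {src_ip: sorted list of enclave names}. A hit here is the cue to go
    examine the other networks for the same source, as the article describes.
    """
    window = timedelta(hours=window_hours)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        hits = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.ts - a.ts > window:
                    break             # list is time-sorted; later events are further away
                if a.enclave != b.enclave:
                    hits.update((a.enclave, b.enclave))
        if hits:
            flagged[src] = sorted(hits)
    return flagged


def enclaves_by_signature(events):
    """{common_name: set of enclaves} so one issue is counted once across vendors."""
    seen = defaultdict(set)
    for e in events:
        seen[e.common_name].add(e.enclave)
    return dict(seen)


if __name__ == "__main__":
    evs = ingest(SAMPLE_FEEDS)
    print("cross-enclave sources:", cross_enclave_sources(evs))
    print("issues by common name:", enclaves_by_signature(evs))
```

Run as a script, the sample feed flags one external address that touched both IT-21 and NMCI within an hour, and shows that the two differently titled RPC overflow alerts collapse to one issue seen in two enclaves. Widening the window to four hours pulls the later BUMED event for the same source into the same finding, which is the kind of cross-network follow-up the article says a single console makes possible.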


Web Resources
Navy Cyber Defense Operations Command: https://www.navcirt.navy.mil
Naval Network Warfare Command: www.netwarcom.navy.mil