The Exception Becomes the Rule

During a peer teaching session, EWA analyst Sean Rosado discusses open-source intelligence gathering tactics.

Flagging anomalies is the basis for real-time cyberthreat detection architecture.

Researchers at the U.S. Army Research Laboratory and Electronic Warfare Associates Incorporated have partnered to implement a new intrusion detection architecture designed to defend against advanced persistent threat. The architecture, a component of the Network Attack Characterization, Modeling and Simulation Testbed, is an Army Research Laboratory computer network defense enclave that secures against cyber adversaries by providing rapid flexible responses to new threats. The program was launched in 2008 to combat the growing threat of cyberwar by improving intelligence sharing and computer network defense tactics among the U.S. Defense Department, cleared defense contractors, universities and private companies.

The United States is facing increasingly potent weapons in cyberspace. Recent Defense Department assessments of scenarios involving state and non-state adversaries have highlighted the need for improved capabilities to counter threats in cyberspace. The most recent Quadrennial Defense Review states, “[Defense] networks are infiltrated daily by a myriad of sources, ranging from small groups of individuals to some of the largest countries in the world.” These sophisticated attacks on our critical infrastructure have led to the coining of the term advanced persistent threat (APT), referring to the long-term patterns of sophisticated attacks by determined attackers, often sponsored by nation-states. Information security experts are struggling to keep up with APT.

Scientists within the Network Attack Characterization, Modeling and Simulation Testbed (NACMAST) program recognized that network-based intrusion detection in its current implementation was ineffective. The majority of intrusion detection systems (IDS) deployed on both secured and public networks are signature-based. These types of systems examine network traffic for preconfigured attack patterns based on known techniques. As adversarial expertise grows, traditional IDS architecture must also evolve beyond the limited capabilities of signature matching or it will become ineffective in the modern battlespace. In effect, the department’s cyberdefenders would be going to war with yesterday’s technology. The NACMAST program is implemented through a consortium of industry, academia and government that includes the Army Research Laboratory (ARL), Electronic Warfare Associates (EWA), Western Kentucky University, the University of Arizona, the University of Louisville Professional Solutions LLC and Patch Advisor LLC. Their combined efforts fuel the research that has led to the development of Seminole, a hybrid intrusion detection architecture capable of detecting and characterizing network threats in near real time. Seminole is based upon Interrogator 2i, which was originally developed by ARL solely for monitoring Defense Department networks.

Seminole is a framework that allows for the reconfiguration and addition of new analytic tools on the fly. Seminole IDS architecture is considered a hybrid design because it employs both signature-based detection techniques and anomaly based methods. In an anomaly based system, a baseline of network communication traffic is created based upon normal expected traffic and internetworking standards. Whenever a deviation from this baseline is detected, analysts are alerted.

The anomaly detection engine in Seminole is unique in that it relies on the separation of the collection and analysis functions. The sensor is a passive device deployed within secured data realms on a network that transmits collected data to a centralized storage location. As data from multiple sensors arrives at this centralized location, the data is processed by analysis tools that identify anomalous traffic from normal communications.

This separation of collection and analysis provides a strategic advantage because it allows for collection and processing of more network data. The majority of anomaly based intrusion detection and analysis tools currently deployed do not capture and process data at an acceptable rate. They capture only network flow information rather than the full contents of data packets. This flow data doesn’t contain all of the information within a packet, just basic addressing and timing. While this is useful, it doesn’t provide the full picture and limits the capabilities of intrusion detection, causing sophisticated attacks to slip by undetected.

(l-r) Sen. Mitch McConnell (R-Ky.) meets with Western Kentucky University President Gary Ransdall, EWA Operations Manager Jonathan Paschal and NACMAST Program Manager Dr. Phillip C. Womble of EWA at the launch of the NACMAST program.

The anomaly based analysis tools developed by the NACMAST research partners include artificial intelligence neural network analysis capabilities that examine network traffic from its most basic bit level all the way up to reassembled stream level. These tools have proven effective in deployment scenarios. In one instance, while monitoring a protected enclave, NACMAST analysts were alerted to a deviation from normal traffic coming from a friendly nation. The deviation was analyzed and found to be a precursor to a larger network attack potentially aimed at the exfiltration of sensitive data—the friendly nation was being used as a routing point for attacks. The technique used in this attack was unknown and did not conform to any recognized attack signature. Reliance on signature-based tools would have not detected this attack.

The NACMAST Bowling Green Computer Network Defense Service Provider (BGCNDSP) is located in a state-of-the-art facility in Bowling Green, Kentucky. The BGCNDSP is staffed 24 hours a day by intrusion analysts with a variety of specialties encompassing protocol analysis, hardware engineering, network forensics, incident response, malware analysis and network exploitation.

While Seminole automatically detects anomalous traffic and does a basic level of incident correlation, the analysts perform long-term trending and retrospective analysis in order to connect several smaller events from multiple sources into a timeline that describes a sophisticated targeted attack.

Kerry Long, a computer scientist at ARL, sees human analysts as a key component to the architecture. “Automated analysis systems probably will never and should never replace the human analyst,” Long points out. “Rather, automated systems should complement the human analyst; they should serve as a cyberforce multiplier to make a few of our guys equal to many more of theirs. The Seminole concept embraces this philosophy, which is what makes it stand out among the many other network detection offerings.”

The Seminole tools are on the cutting edge of network exploitation detection. A cyberdefense test range, managed by Western Kentucky University, allows for the configuration of multiple simulated networks that researchers use to examine current attack techniques so they can develop new tools to detect and defeat these techniques.

One of the primary areas of interest highlighted by the current U.S. administration is the emergence of the persistent threat to our critical infrastructure through supervisory control and data acquisition (SCADA) systems. Recent cyberspace policy reviews have highlighted a cyberthreat to critical infrastructure components controlled by SCADA systems. Central Intelligence Agency Senior Analyst Tom Donahue stated, in an interview with Information Week, “We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands.” Donahue further stated, “We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.” NACMAST is working to develop and implement new tools and techniques for countering threats to SCADA systems.

Along with research and tool development, one of the primary goals of the NACMAST program is to broaden the view of the cyberwarfare intelligence base. “Sophisticated attacks are no longer attempting to directly breach the DOD itself,” said Dr. Phillip C. Womble, NACMAST program manager and EWA senior scientist. “Secured network connections are now being extended to private entities and cleared defense contractors more than ever. The adversary sees these as potential weak points and will attempt to exploit those connections in order to obtain the classified information they are seeking.”

By monitoring both government and nongovernment entities, NACMAST and the Defense Department benefit by having a broad view of the cyber battlefield. Computer and service vulnerabilities are often discovered first in public networks. The early detection of these attacks allows for the creation of new signatures and tools for Seminole so that the attacks can be detected before classified data is lost from government systems. Likewise, attack signatures from the government domain may be used within public companies and defense contractors to detect system breaches, denial-of-service attacks or theft of intellectual property. By monitoring across a broad spectrum, the intelligence gathered at one collection point can be used to achieve a stronger level of information assurance across the board.

Anthony Pressley, deputy chief for strategic programs within the Division of Network Sciences at ARL, states that the landscape is evolving. “The partnership engages smart people in the industry and smart people in universities to help us develop new tools and new methodology.”

The Seminole architecture is currently deployed within the Defense Department, and NACMAST is currently working with commercial entities, cleared defense contractors and educational institutions to deploy Seminole extensively by 2011.

Chris Sanders is senior information security analyst with Electronic Warfare Associates.