Cyber Defense Situational awareness - Research Paper Example
Cyber Defense Situational Awareness
16th December
Chapter Two: Literature Review

2.1: Introduction
This chapter provides an analysis of cyber situation awareness (SA). Its main purpose is to show the problem with current SA under passive cyber defense and to make the case for planning and executing active SA through active defense. In particular, it centers on decision-making theory as a situation awareness model for cyber defense decision making. The chapter further outlines the topic through sub-topics such as the OODA loop, the PDAR cycle and the J2 intelligence cycle, and CND and incident response. Other sub-topics include the role of digital forensics in cyber C2 for situation awareness, how models relate in situation awareness, issues with cyber defense in situation awareness, and why active defense is required. The chapter also presents how active defense enhances an organization's intelligence cycle. It ends with a summary of the main points of the literature review.

2.2: Defining Cyber Security and Situation Awareness
Situation awareness is defined as the capacity to swiftly and efficiently address arriving stimuli with appropriate responses (Cumiford, 2006). It impacts defensive operations at the tactical level by providing the ability to recognize and respond to the actions of the adversary (Tadda, n.d.). Endsley (1995) describes SA as the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. SA integrates the environment, the goal, the organization, the existing material and human resources, and the other actors in the environment (Pew, 2000). Situation awareness provides a decision-making model that can be broken into three components. The first entails being aware of the current environment (Endsley and Garland, 2000).
The second component is determining the significance of particular incidents in the cyber domain. The last component entails being able to tie that awareness to timely and apt responses (Cumiford, 2006). In the SA model, the cyber situation awareness system is responsible for processing the incoming data, with the purpose of repelling attacks from external sources (Tadda, n.d.). To do so, a cyber SA system must draw on tools and data such as intrusion detection systems, firewall logs, system logs, and network flow and connection data (Tadda, n.d.). Models within a cyber SA system combine to let the system capture and reason about past, current, and future states of system operations and possible threats. The system can build new models or modify existing ones from a combination of new and old information. This is made possible through the positive relations of all models within the cyber domain, as well as research in the field (Hettinger and McKneely, 2011). The cyber SA system updates these models based on input from the external environment, its own status, and the outputs of planning and reasoning. This decision-making model rests on the following capabilities: recognition of particular situations, determination of the significance of particular situations, reactive and proactive capabilities, the ability to handle uncertainty and incompleteness, and the ability to break goals into constituent parts (Cumiford, 2006). To make the cyber SA decision-making model perform better, four additional capabilities are required. Temporal reasoning, including modal logic, is required because situations occur in time.

2.3: CND and Incident Response and Its Role in SA
Computer network defense (CND) is a system aimed at protecting information systems against attacks. A classic CND is composed of multiple niche intrusion detection tools, each of which carries out network data analysis and produces its own alerting output (Beaver et al., n.d.).
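The SA decision model above (recognize the situation, assess its significance under uncertainty, tie it to a response, reason over time) and the multi-tool CND just described can be made concrete. The following Python block is an added illustration, not code from the paper or from any product it cites: it normalizes constructed output of four niche tools (IDS alerts, a firewall log, a system log and flow records) into a common event, groups events per host inside a time window, scores their significance while accumulating each tool's confidence, and maps the result to a response. The log formats, addresses, weights and thresholds are all constructed assumptions.

```python
# Added example (not from the paper): fuse heterogeneous CND tool output into one per-host SA picture.
from __future__ import annotations
from collections import namedtuple
from datetime import datetime, timedelta
import re

YEAR = 2011  # syslog-style lines carry no year; the constructed data below assumes 2011
# Constructed output of four niche tools, each with its own format and its own confidence level.
IDS_ALERTS = [
    "2011-12-13T10:00:05 ids alert sig=ET_SCAN_NMAP src=203.0.113.7 dst=192.0.2.10 conf=0.6",
    "2011-12-13T10:00:06 ids alert sig=ET_SCAN_NMAP src=203.0.113.7 dst=192.0.2.20 conf=0.6",
    "2011-12-13T10:02:40 ids alert sig=ET_EXPLOIT_SMB src=203.0.113.7 dst=192.0.2.10 conf=0.8",
]
FW_LOG = [
    "Dec 13 08:15:00 fw DENY TCP 198.51.100.4:40000 -> 192.0.2.10:22",
    "Dec 13 10:00:01 fw DENY TCP 203.0.113.7:51000 -> 192.0.2.10:445",
    "Dec 13 10:00:02 fw DENY TCP 203.0.113.7:51001 -> 192.0.2.10:139",
    "Dec 13 10:02:39 fw ALLOW TCP 203.0.113.7:51200 -> 192.0.2.10:445",
]
SYS_LOG = [
    "Dec 13 10:03:10 192.0.2.10 sshd[411]: Accepted password for admin from 203.0.113.7",
    "Dec 13 11:30:00 192.0.2.20 cron[12]: (root) CMD (run-parts /etc/cron.hourly)",
]
FLOWS = ["2011-12-13T10:05:00,192.0.2.10,198.51.100.9,443,bytes_out=52428800"]

# Common event shape: timestamp, affected host, normalized kind, tool confidence (0..1).
Event = namedtuple("Event", "ts host kind conf")

def parse_ids(line: str) -> Event:
    ts, sig, dst, conf = re.match(
        r"(\S+) ids alert sig=(\S+) src=\S+ dst=(\S+) conf=([\d.]+)", line).groups()
    return Event(datetime.fromisoformat(ts), dst, "exploit" if "EXPLOIT" in sig else "recon", float(conf))

def parse_fw(line: str) -> Event:
    ts, action, dst = re.match(r"(\w{3} \d+ [\d:]+) fw (DENY|ALLOW) \S+ \S+ -> (\S+):\d+", line).groups()
    when = datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return Event(when, dst, "blocked" if action == "DENY" else "allowed", 0.9)  # verdicts are near-certain

def parse_syslog(line: str) -> Event | None:
    ts, host, prog, msg = re.match(r"(\w{3} \d+ [\d:]+) (\S+) (\w+)\[\d+\]: (.*)", line).groups()
    if prog != "sshd" or "Accepted" not in msg:
        return None  # routine noise is not an SA event
    return Event(datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S"), host, "login", 0.7)

def parse_flow(line: str) -> Event | None:
    ts, src, _dst, _port, out = line.split(",")
    if int(out.split("=")[1]) < 10 * 1024 * 1024:
        return None  # small outbound transfers are not flagged
    return Event(datetime.fromisoformat(ts), src, "exfil", 0.5)

# Significance per kind: a DENY is useful context but, on its own, no danger.
WEIGHTS = {"recon": 1, "blocked": 0, "allowed": 1, "exploit": 3, "login": 2, "exfil": 4}
WINDOW = timedelta(minutes=30)  # temporal reasoning: context older than this is stale

def fuse(events: list[Event]) -> dict[str, dict]:
    """Components 1 and 2: recognize per-host situations and assess their significance."""
    picture: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        sit = picture.setdefault(ev.host, {"kinds": [], "start": ev.ts, "score": 0.0, "belief": 0.0})
        if ev.ts - sit["start"] > WINDOW:  # a new window forgets stale context
            sit.update(kinds=[], start=ev.ts, score=0.0, belief=0.0)
        sit["kinds"].append(ev.kind)
        sit["score"] += WEIGHTS[ev.kind] * ev.conf
        sit["belief"] = 1 - (1 - sit["belief"]) * (1 - ev.conf)  # noisy-OR: uncertainty accumulates
    return picture

def respond(sit: dict) -> str:
    """Component 3: tie the assessed situation to an apt response."""
    kinds = set(sit["kinds"])
    if "exfil" in kinds or {"exploit", "login"} <= kinds:
        return "isolate host and start forensic collection"
    if "exploit" in kinds:
        return "block source and open incident"
    return "monitor" if kinds & {"recon", "allowed"} else "no action"

def assess(ids=IDS_ALERTS, fw=FW_LOG, sys=SYS_LOG, flows=FLOWS) -> dict[str, dict]:
    events = [parse_ids(l) for l in ids] + [parse_fw(l) for l in fw]
    events += [e for e in map(parse_syslog, sys) if e] + [e for e in map(parse_flow, flows) if e]
    return {host: {**sit, "response": respond(sit)} for host, sit in fuse(events).items()}
```

Running `assess()` on the constructed data yields one host whose window holds scan, allowed connection, exploit alert, login and a large outbound transfer (high score, belief near 1, isolation recommended) and a second host with a lone scan that only warrants monitoring; the 08:15 firewall entry is discarded by the window.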
Passive defense involves tools such as password protection, data encryption, and firewalls. However, these tools have limitations, in that attackers are at times able to penetrate them and launch attacks (Holdaway, 2001). Computer network defense mechanisms promote a safer and healthier cyber environment. CND plays a significant role in situation awareness because it provides ways of detecting possible threats and of effectively countering and controlling them. The main objective of CND is to provide an interactive interface that allows the network or system operator to acquire and maintain a high level of situational awareness in order to react more quickly and efficiently to attacks (Bradshaw, Eskridge, Johnson and Lecourte, n.d., 175). When defenders are armed with information about the various types of attacks, their SA is enhanced, as systems within the cyber domain will be better positioned to detect and manage assaults.

2.4: The Role of Digital Forensic Science in Cyber C2 for SA
Digital forensic science is the application of skill to the detection, collection, assessment and analysis of data while preserving the integrity of that data. It enhances SA through incident reconstruction, which uses laboratory resources to determine the nature of the events that occurred at the time the crime was committed. Digital forensic science makes it possible to record and document any information related to an incident or attack, to preserve the records of the incident, and to identify the actions that need to be put in place to ensure that the whole process is efficient. It enables one to collect volatile data while minimizing the footprint left on the suspect system. Forensic analysis of volatile data makes it possible to determine a logical timeline of the cause of the incident, hence enhancing situation awareness. Consequently, digital forensic science plays a key role in cyber C2 for situation awareness by enabling the documentation of the evidence collection process.
This allows the process to be validated and ensures that the digital evidence is an exact representation of the original data (JCS, 2009). Digital forensic science follows a scientific methodology. It involves laboratory reconstruction based on a methodical process, critical thinking and deductive logic. The process employs principles such as determining whether a crime was committed, identifying the victims and the perpetrators or attackers, and determining the mode of operation of the attack; the evidence collected is classified into categories such as fingerprints, footmarks and tool marks, among others. The main aim of the process is to determine the evidence available for the reconstruction of the attack. The evidence types include sequential, action and associative, directional, and positional evidence. Digital forensic science has limitations that make it not fully reliable in enhancing situation awareness. For instance, it lacks circumstantial information, has limited materials for comparison, has limited resources available for accurate reconstruction of attacks, suffers from limited knowledge in the field of forensic science, and in most circumstances has a poor experimental setup, all of which limit SA.

2.5: PDAR and the J2 Intelligence Cycle
The J2 intelligence cycle is a process used to provide commanders with intelligence that enables them to make informed decisions influencing the outcome of the mission (McPherson, 1996). The process follows four steps in cyclic form: directing, collecting, processing, and disseminating. Directing establishes what information is essential for rational decision making. The next phase is the carefully balanced collection of information from all sources. Processing and production of the collected data into usable intelligence requires focused objectives.
The J2 process is completed by disseminating the intelligence to the right destination through careful management of information, coupled with an understanding of the user (McPherson, 1996). The intelligence must be conveyed to the user in the most suitable form. Methods of transfer include the internet and satellite broadcasts, all of which are susceptible to cyber assault. Hence, J2 intelligence enhances cyber SA by making cyber transfer more secure, so as to prevent the enemy from obtaining sensitive information that might be used to launch attacks. The PDAR loop is a mechanism that focuses on up-front protection of resources and information (through policies, procedures and mechanisms) within a computer system. It is a reactive approach, since it responds to events, actions and threats that have been detected. It follows a three-phase cycle: detect and assess, respond, and protect (Dussault, n.d.). The PDAR loop is an important mechanism that improves the situation awareness of a system and its users, particularly with respect to cyber attacks. It is an important tool that helps in preventing cyber-related assaults, mostly used by terrorists.

2.6: OODA Loops (Observe, Orient, Decide, Act)
This is part of Colonel John Boyd's Asymmetric Fast Transient theory of conflict (33). It serves as an information strategy concept for information warfare, which Boyd developed based on his experience as a fighter pilot and his work on force maneuverability (Value Based Management, 2011). The OODA (Observe, Orient, Decide, and Act) theory is a grand strategy used in the military to defeat the adversary strategically through psychological paralysis (Value Based Management, 2011). According to Boyd, the techniques used in the military world are similar to those in the cyber SA domain. The theory views the enemy as a system acting through a decision-making process based on what it observes in its surroundings (Value Based Management, 2011).
The decision-making process is a cycle of four stages: observation, orientation, decision, and action. This model developed by Boyd is illustrated in Figure 1 below.

Figure 1. The OODA Loop: Observation, Orientation, Decision, Action. Source: Author, 2011.

When making decisions, people follow a rational series of steps. First, they examine their surroundings and collect data from them (observation). They then form a mental image based on the observation, upon which their decision is based (orientation). Consequently, the judgment is made (decision) and, finally, the decision is implemented (action) (Schechtman, 1996). This process of making decisions on the battlefield is similar to what happens when an attacker wants to attack a network system. A good network system must be able to make appropriate and quick decisions while denying the enemy the time and conditions required to adapt to the situations brought about by those decisions (Schechtman, 1996). Just as on the battlefield, the efficiency of a cyber SA is measured by how its loop compares with the adversary's. A shorter OODA loop is a good impetus for warding off the enemy's attacks. It allows one to arrive at decisions at a faster rate than the opponent can cope with, placing enormous psychological strain on the enemy (Meilinger, 1994). By attacking the thought process of the opponent or competitor, his morale and decision-making process are compromised. Once this is achieved, the SA of the cyber domain or the network system is enhanced.

2.7: Issues with Cyber Defense in Situation Awareness and Why Active Defense Is Required
The rapid spread of cyber attack incidents and their increasing sophistication has shown that the internet is a major hub of defense and security concerns.
Among the issues facing cyber security are denial of service attacks (through hacking of systems), virus attacks on systems, cyber weaponry, and professionals drawing on the Internet with the intention of executing illegitimate operations (Blasch, Chen, Haynes and Shen, 2007). Originally, cyber attacks were generally one-dimensional, taking the shape of denial of service (DoS) attacks, system bugs or worms, and illegal intrusions (hacking). The targets of these attacks were websites, mail servers, or client machines. Recently, cyber attacks have diversified into multistage and multidimensional attacks that make use of, and target, a variety of assault tools and equipment. These issues present an enormous challenge to Internet users, as they are intended to destabilize systems, introduce misinformation, and enable embezzlement and data theft. Contemporary attacks such as the latest generation of worms make use of a range of diverse exploits, propagation methods, and payloads to initiate deadly attacks (Blasch, Chen, Haynes and Shen, 2007). The issue of cyber weaponry points to the danger posed by enemies who might launch cyber assaults through the internet. Cyberspace is predicted to take shape as a new arena in which new conflicts will appear. This is the same position that space assumed over 50 years ago (Al Arabiya, 2011). In order to cushion against cyber assaults, proactive measures such as active defense need to be adopted. Cyber assaults are ranked third, behind the risk of terrorism and the threat of missile attack, in a hierarchy of threats targeting NATO countries between now and the year 2020 (Al Arabiya, 2011). There is a greater need for a transition from passive cyber security to active defense mechanisms in order to ward off the threat posed by cyber assaults.
Examples of passive security mechanisms include the installation of a firewall and an antivirus system (Stovall, 2011). Such a mechanism suffers from various shortcomings, in that it is only effective against known viruses. There have been cases of more sophisticated viruses that current antivirus systems cannot detect. The other method consists of isolating networks, on the theory that a network isolated from the world cannot be attacked. This has been proven wrong, since all networks use the same technologies and are all vulnerable (Al Arabiya, 2011). Passive cyber defense mechanisms have proved unable to offer sufficient protection to networks. The only way to safeguard these networks is through the use of active defense approaches. These are based on detecting cyber attacks as early as possible and preventing their occurrence, or minimizing their effect on a network system. The main role of active defense would be to increase situation awareness, so as to prepare the network system for any possible future threats.

2.8: Active Defense Enhances the Organization's Intelligence Cycle
Organizations operate in an environment that poses many threats to their confidential data. This information has to be protected from hackers and other attackers so as to safeguard the interests and secrets of the organization. To ensure that their confidential data are safeguarded, organizations can utilize the many benefits offered by active defense in their intelligence cycle (HBGary, 2011). Active defense is able to offer faster, more accurate information about advanced threats, including their source, mechanism and architect. Through active defense, an organization can upgrade its intelligence system to a level at which it can scan many nodes and provide vital intelligence.
Hence, it is able to detect the type of attack, the movement of the attacker within the network, which credentials have been compromised, and what data has been stolen or destroyed (HBGary, 2011). The next-generation security solution requires next-generation products, technologies and integration (Stovall, 2011). Organizations need to invest in upgrading their firewalls and intrusion prevention systems and their security information and event management technology, and in training their staff to be up to date with the latest technology (Stovall, 2011).

2.9: Conclusion
There is an increasing need for research in the area of cyber situation awareness, including the security of data transfer, storage, and recovery. This is a result of the increase in more sophisticated cyber attacks on computer networks. The nature of cyber attacks can now evolve within a matter of hours, as opposed to traditional times when it took years and decades. Attackers are able to probe cyber defenses on a regular basis without detection. This paper has provided an analysis of cyber defense and situation awareness, and of how the latter can be utilized to enhance the protection of network systems.

References
Al Arabiya, 2011. A New Approach to Cyber Defense, viewed 13 December 2011, http://www.alarabiya.net/en_default.htmol.
Beaver, et al. n.d. Visualization Technique for Computer Network Defense, viewed 13 December 2011, http://www.aser.ornl.gov/publications_2011/Publication%2029224_Beaver.pdf.
Blasch, E., Chen, G., Haynes, L. and Shen, D. 2007. Strategies for Comparison for Game Theoretical Cyber Situational Awareness and Impact Assessment. Rockville: Intelligent Automation, Inc.
Bradshaw, M.J., Eskridge, T., Johnson, M. and Lecourte, D. n.d. Network Situational Awareness: A Representative Study. Pensacola: Florida Institute for Human and Machine Cognition.
Cumiford, D.L. 2006. Situation Awareness for Cyber Defense, viewed 13 December 2011, http://www.dodccrp.org/events/2006_CCRTS/html/papers/228.pdf.
Dussault, B.M. n.d. Forensic, Fighter Pilot and OODA Loop: The Role of Digital Forensics in Cyber Command & Control, viewed 13 December 2011, http://www.dfrws.org/2004/day2/Dussault-OODA.pdf.
Endsley, M.R. 1995. 'Towards the Theory of Situation Awareness in Dynamic Systems', Human Factors, vol. 37, no. 1, pp. 32-64.
Endsley, M.R. and Garland, D.J. (eds) 2000. Situation Awareness Analysis and Measurement. Mahwah, NJ: Lawrence Erlbaum Associates.
HBGary, 2011. Active Defense. Sacramento: HBGary Inc., viewed 13 December 2011, http://www.hbgary.com/default.aspx.
Hettinger, J.L., McKneely, B.A., Opalka, Z. and Pharmer, A.J. 2011. Sociotechnical Risks in Cyber Defense, viewed 13 December 2011, https://www.navalengineers.org/Proceedings/HSIS2011/.../Hettinger...
Holdaway, J.E. 2001. Active Computer Defense: An Assessment. Alabama: Maxwell Air Force Base.
Joint Chiefs of Staff (JCS). Information Assurance & Computer Network Defense, viewed 14 December 2011, http://www.dtic.mil/.
McPherson, 1996. Intelligence and the Peacekeeping in Haiti, viewed 13 December 2011, http://www.specialoperations.com/mout/index.html.
Meilinger, P. 1994. 'Ten Propositions Regarding Airpower', Airpower Journal, vol. 10, no. 50, pp. 19-96.
National Protection and Programs Directorate, 2011. Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, viewed 13 December 2011, http://www.faa.gov/nextgen/.
Pew, R.W. 2000. 'The State of Situation Awareness Measurement: Heading Towards the Next Century', in M. Endsley and D. Garland (eds), Situation Awareness Analysis and Measurement. Mahwah: Lawrence Erlbaum Associates, pp. 33-47.
Schechtman, M.G. 1996. Manipulating the OODA Loop: The Overlooked Role of Information Resource Management in Information Warfare. Thesis. Air University.
Stovall, L. 2011. People, Processes and Technology. Military Information Technology, vol. 15, no. 10, December 2011, http:www.military-information-technology.com/mit-home.html.
Tadda, P.G. n.d. Measuring Performance of Cyber Situation Awareness Systems. Rome: Rome Research Site.
Value Based Management 2011. OODA Loop - John Boyd, viewed 13 December 2011, http://www.valuebasedmanagement.net/.