"We"llness not "I"llness: Cyber Security is a Shared Responsibility
"mizaru, kikazaru, iwazaru" (see not, hear not, speak not). What can we learn from "see no evil, hear no evil, speak no evil" in the realm of cyber security? In cyber security we do need to see evil, to hear evil, and to speak about evil, and this can be facilitated by an approach coined Situation Awareness (SA). In SA, we "see and hear" the environment within a context of time and space, then we "speak" about its meaning and its projection into the future. Therefore, systems thinking is very important in cyber security. This blog will discuss how today's endpoint security, network security, threat information sharing, orchestration, and automation of cyber security are still evolving. Considering the current situation, it is fair to say that cyber security is indeed a shared responsibility. It is indeed a "We" in wellness, not an "I" in illness.
Situation Awareness
In cyber security we do need to see evil, to hear evil, and to speak about evil, and this can be facilitated by an approach coined Situation Awareness (SA). SA has many definitions. One definition of SA was proposed by Dr Mica Endsley:
Situation awareness is the perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.[4]
Another definition of situational awareness was proposed by the United States Army Field Manual:
Knowledge and understanding of the current situation which promotes timely, relevant and accurate assessment of friendly, enemy and other operations within the battle space in order to facilitate decision making. [5]
From both definitions we can learn that SA involves the current situation, the context of the environment, and the prediction of the future situation, all of which can also be applied to cyber security. For interested readers, a good overview of cyber SA is available in [12]. An example of an SA application in cyber security is an intrusion detection and prevention system.
A security intrusion is an unauthorized act of bypassing the security mechanisms of a system. An Intrusion Detection System (IDS) is a hardware or software function that gathers and analyzes information from various areas within a computer or a network to identify possible security intrusions. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. An Intrusion Detection and Prevention System (IDPS) is an extension of an IDS that includes the capability to prevent detected malicious activity.
IDPS is based on the work of Anderson [1] in 1980, which postulated that, with reasonable confidence, we can distinguish between an outside attacker and a legitimate user. Furthermore, patterns of legitimate user behavior can be established by observing past history, and significant deviation from such patterns can be detected. In addition, the task of detecting an inside attacker (a legitimate user acting in an unauthorized fashion) is more difficult, in that the distinction between abnormal and normal behavior may be small.
IDPS applies two major mechanisms. First, anomaly detection identifies behavior that is not that of legitimate users; its limitation is the lack of anomalous training data. Second, signature/heuristic detection identifies known malicious behavior by recognizable patterns, such as a particular series of bytes or characters; it can only identify known attacks.
IDPS can be classified based on the source and type of data analyzed. First, host-based IDS (HIDS) monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls. Second, network-based IDS (NIDS) monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols. Third, distributed or hybrid IDS combines information from a number of sensors, often both host and network-based.
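The two IDPS mechanisms above, as an added illustration that is not part of the original post: a baseline of legitimate behavior is built from past history (Anderson's premise) and new events are scored by their deviation from it, while a separate signature matcher recognizes only the byte patterns it already knows. The login history, hosts, threshold and signatures are all constructed for this example.

```python
import re
from collections import Counter
from math import sqrt

# Constructed login history for one user: (hour of day, source host). Not real data.
HISTORY = [(9, "ws-12"), (9, "ws-12"), (10, "ws-12"), (11, "ws-12"), (14, "ws-12"),
           (15, "ws-12"), (16, "ws-12"), (10, "ws-12"), (13, "ws-12"), (17, "ws-12")]

# Signature detection: fixed byte patterns (constructed). Only what is already known matches.
SIGNATURES = {"dir-traversal": re.compile(rb"\.\./\.\./"),
              "sqli-tautology": re.compile(rb"'\s*OR\s+1=1", re.IGNORECASE)}

def build_profile(history):
    """Establish the pattern of legitimate behaviour from past (normal-only) history.
    Note that no anomalous samples are needed, which is the strength and the weakness
    of anomaly detection: the threshold has to be chosen without seeing attacks."""
    hours = [h for h, _ in history]
    mean = sum(hours) / len(hours)
    std = sqrt(sum((h - mean) ** 2 for h in hours) / len(hours)) or 1.0
    return {"mean_hour": mean, "std_hour": std, "hosts": Counter(h for _, h in history)}

def anomaly_score(profile, event):
    """Distance of a new login from the user's baseline; higher means more anomalous."""
    hour, host = event
    z = abs(hour - profile["mean_hour"]) / profile["std_hour"]   # z-score of the hour
    unseen_host = 0.0 if host in profile["hosts"] else 2.0       # never-seen host adds weight
    return z + unseen_host

def is_anomalous(profile, event, threshold=3.0):
    """Flag a 'significant deviation' from the baseline (threshold is a constructed choice)."""
    return anomaly_score(profile, event) >= threshold

def match_signatures(payload: bytes):
    """Return the names of all known signatures present in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for ev in [(10, "ws-12"), (3, "ws-12"), (3, "unknown-host")]:
        print(ev, round(anomaly_score(profile, ev), 2), is_anomalous(profile, ev))
    print(match_signatures(b"GET /../../etc/passwd HTTP/1.1"))
```

A login at 10:00 from the usual workstation scores well under the threshold, while a 03:00 login, and even more so one from a never-seen host, is flagged; the signature matcher stays silent on anything not in its table.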
Endpoint Security
The operating system (OS) is the first line of defense. Examples of OS security features are isolating one user from another, protecting memory or storage from being overwritten by unauthorized processes, and user authentication. A secure OS requires design principles such as least privilege (users and programs should operate using the fewest privileges possible), economy of mechanism (the design of the protection system should be small, simple, and straightforward), and complete mediation (all accesses to objects are checked to ensure that they are allowed).
The first critical step in securing a system is to secure the base operating system. Some basic steps, for example: install and patch the OS; harden and configure the OS by removing unnecessary services, applications, and protocols; configure users, groups, and permissions; install and configure additional security controls, such as anti-virus and IDPS; and sandbox applications using a simulated environment, i.e. a virtual machine (VM).
Network Security
Network communication can be modeled using the ISO Open Systems Interconnection (OSI) model and the TCP/IP model. Each layer consists of various protocols such as HTTP, TLS, TCP, UDP, IPv4, and IPv6. Network communication can be attacked at various points: on wireless networks, for example, Bluetooth can be attacked with bluejacking (sending unsolicited text messages via the OBEX protocol), or with a rogue access point (an unauthorized access point that allows an attacker to bypass network security configurations). On wired or wireless networks, denial-of-service is an example of an attack where the attacker sends a large number of requests to a target such that the target system cannot handle the volume of requests and crashes.
Various network attack tools exist. For example, a protocol analyzer enables a computer to monitor and capture network traffic. A port scanner is used to scan devices for open ports, for example port 80 for HTTP web traffic. A vulnerability scanner lists all known vulnerabilities and prioritizes them. Exploit software incorporates known software vulnerabilities, data, and scripted commands to exploit a weakness in a computer.
We know that connectivity is essential; however, it creates threats. Therefore, there is a need for network protection. For example, a firewall is used as a perimeter defense. A complementary approach is to equip each workstation and server on the premises network with strong security features, such as IDPS.
Threat Intelligence Sharing
The question raised by our observation is: can we fight these threats alone, or shall we collaborate and share our threat information, which might be threat intelligence to others? Intuitively, the answer is that it is better to work together to bring the giant down, and this has been realized by many in the private and public sectors. Some examples of threat intelligence sharing platforms are Nozomi Networks Guardian, Anubis Networks Cyberfeed, Facebook ThreatExchange, Malware Information Sharing Platform (MISP), McAfee Threat Intelligence Exchange, Open Threat Exchange (OTX), Soltra Edge, and Collective Intelligence Framework (CIF) [11]. The next question is how much threat intelligence is really being shared. In the private sector, for example, Symantec has its own Global Intelligence Network that has 98 million attack sensors and keeps track of over 700,000 global adversaries [2].
Taking into account such diverse threat intelligence sharing platforms, we may think that all the challenges in threat intelligence sharing, such as the quality of threat information, reputational risks, legal or regulatory barriers, and economic incentives for threat intelligence sharing, must have been solved [10]. However, as pointed out by [11], the challenges do still exist, and even more so if we consider trust, privacy, lack of standards, and so on. Currently TAXII (Trusted Automated eXchange of Indicator Information) and STIX (Structured Threat Information Expression) have become more widely applied as standards for threat intelligence sharing. Implementations of STIX-TAXII are available both as open source and as commercial products. STIX itself does not provide security properties such as integrity and confidentiality, which are needed for Critical Information Infrastructure (CII) threat sharing [14]. Therefore, STIX can use TAXII [13] as its communication protocol to ensure confidentiality. TAXII is an application protocol over HTTPS.
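To make the division of labour between the two standards concrete, here is an added example (not code from the original post, and not the OASIS reference implementation) that builds a minimal STIX 2.1 Indicator with the standard library only, checks its required properties, and wraps it in the envelope that a TAXII 2.1 client would POST to a collection. It assumes STIX 2.1 / TAXII 2.1 and performs no network I/O; the indicator value and name are constructed.

```python
import uuid
from datetime import datetime, timezone

# Properties every STIX 2.1 Indicator SDO must carry.
STIX_INDICATOR_REQUIRED = ("type", "spec_version", "id", "created", "modified",
                           "pattern", "pattern_type", "valid_from")

# TAXII 2.1 media type; the transport is HTTPS, which is where confidentiality comes from.
TAXII_HEADERS = {"Accept": "application/taxii+json;version=2.1",
                 "Content-Type": "application/taxii+json;version=2.1"}

def _stix_timestamp():
    """RFC 3339 UTC timestamp with millisecond precision and a trailing Z, as STIX requires."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_indicator(pattern, name):
    """Build a STIX 2.1 Indicator as a plain dict (no stix2 library needed)."""
    ts = _stix_timestamp()
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}

def validate_indicator(obj):
    """Return a list of structural problems; an empty list means the object is well-formed.
    Note this checks structure only: STIX carries no signature, so integrity of the content
    still depends on the channel (TAXII over HTTPS) rather than on the object itself."""
    problems = [f"missing {k}" for k in STIX_INDICATOR_REQUIRED if k not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must start with 'indicator--'")
    pattern = str(obj.get("pattern", ""))
    if not (pattern.startswith("[") and pattern.endswith("]")):
        problems.append("STIX pattern must be a bracketed comparison expression")
    return problems

def taxii_envelope(objects):
    """TAXII 2.1 envelope: the request body for POST /{api-root}/collections/{id}/objects/."""
    return {"objects": list(objects)}

if __name__ == "__main__":
    # Constructed indicator using a documentation-range address, not a real IoC.
    ind = make_indicator("[ipv4-addr:value = '203.0.113.5']", "Constructed scanner address")
    print(validate_indicator(ind), taxii_envelope([ind]))
```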
Orchestration and Automation
We realize that using only one component, such as a firewall or NIDS, is no longer enough to protect an organization's network. Therefore, Unified Threat Management (UTM) was introduced. UTM is a combination of network security devices and technologies, such as firewalls, NIDS/NIPS systems, anti-malware gateways, virtual private networks (VPN), and data leak prevention, added to a single network device for protection.
In a similar spirit to UTM, the Open Cybersecurity Alliance (OCA) introduces an industry-driven platform approach for more effective security. Its main architectural components are a layer supporting communications across cyber security technologies (STIX-shifter), a common communications bus where security technologies can share information and interact (OpenDXL and the OpenDXL Ontology), and common command and response formats (Open Command and Control, OpenC2) such that interactions among products are consistent [7, 6].
OpenDXL allows organizations to enable security devices to share intelligence and orchestrate security operations in real time. Applications publish and subscribe to message topics or make calls to DXL services in a request/response invocation, which is similar to the RESTful APIs typically used for developing web services. Therefore, if there are changes to the publishing or receiving applications, the DXL abstraction layer insulates the rest of the deployment from the change, reducing risk and the cost of integration maintenance [7, 6, 9, 8].
Cyber Security is a Shared Responsibility
We can conclude that systems thinking [3] is very important to cyber security. In the end, we may say that today's endpoint security, network security, threat information sharing, orchestration, and automation of cyber security are still evolving. But, considering the current situation, it is fair to say that cyber security is indeed a shared responsibility. It is indeed a "We" in wellness, not an "I" in illness.
Credit for picture: Paulette Vautour (https://unsplash.com/photos/0pfuwRUvUYQ)
References
[1] James P Anderson. Computer security threat monitoring and surveillance. Technical Report, James P. Anderson Company, 1980.
[2] Kavitha Chandrasekar, Gillian Cleary, Orla Cox, and Hon Lau. Internet Security Threat Report (ISTR) 2017. Technical report, Symantec, April 2017.
[3] Peter Checkland. Systems thinking, systems practice, 1976.
[4] Mica R Endsley. Situation Awareness Global Assessment Technique (SAGAT). In Proceedings of the IEEE 1988 National Aerospace and Electronics Conference, pages 789–795. IEEE, 1988.
[5] NIST. Situational Awareness: A New Way to Attack Cybersecurity Issues Rather Than Using a System Defense Approach. https://www.nist.gov/system/files/documents/2017/04/26/tri-county_electric_cooperative_part2_032613.pdf, 2017. [Online; accessed 03-May-2021].
[6] OCA. Introduction to OpenDXL. https://www.opendxl.com/index.php?article/11-introduction-to-opendxl/, 2021. [Online; accessed 03-May-2021].
[7] OCA. Open Cybersecurity Alliance: We’re Making Standards-Based, Interoperable Cybersecurity a Reality. https://opencybersecurityalliance.org/downloads/OCA-Solutions-Brief.pdf, 2021. [Online; accessed 03-May-2021].
[8] OCA. OpenDXL Idea Book. https://www.opendxl.com/index.php?article/16-opendxl-idea-book/, 2021. [Online; accessed 03-May-2021].
[9] OCA. OpenDXL Integration Planning. https://www.opendxl.com/index.php?media/141-opendxl-integration-planning-pdf, 2021. [Online; accessed 03-May-2021].
[10] Neil Robinson and Emma Disley. Incentives and challenges for information sharing in the context of network and information security. Technical report, European Network and Information Security Agency (ENISA), 2012.
[11] Clemens Sauerwein, Christian Sillaber, Andrea Mussmann, and Ruth Breu. Threat intelligence sharing platforms: An exploratory study of software vendors and research perspectives. In 13th International Conference on Wirtschaftsinformatik, pages 837–851. WI, 2017.
[12] George P Tadda and John S Salerno. Overview of cyber situation awareness. In Cyber situational awareness, pages 15–35. Springer, 2010.
[13] OASIS Cyber Threat Intelligence (CTI) TC. TAXII Version 2.0. https://oasis-open.github.io/cti-documentation/resources.html#taxii-21-specification, 27 January 2020.
[14] Brian Willis. Sharing cyber-threat information: An outcomes-based approach. Technical report, Intel Corporation, 2012.