Achieving Cyber Survivability in a Contested Environment Using a Cyber Moving Target

E cyber threats in a contested environment provide a challenge in protecting operations and critical assets. Traditional cyber protection mechanisms can prove ineffective when facing a motivated, well-resourced adversary. As a result, many mission critical systems remain vulnerable to advanced, targeted cyber attacks despite the significant amount of effort and resources used to secure them. Complex systems and commercial off-the-shelf components often exacerbate the problem. Although protecting the mission critical systems is a priority, recent cyber incidents and alerts have shown that we cannot rely completely on hardening individual components.1, 2 As a result, new attention has been given to game-changing technologies to achieve mission continuity in a contested environment. In fact, the Air Force chief scientist’s report on technology horizons mentions the need for “a fundamental shift in emphasis from ‘cyber protection’ to ‘maintaining mission effectiveness’ in the presence of cyber threats” as a way to build inherently intrusionresilient cyber systems.3 Moreover, the White House National Security Council’s progress report mentions a “moving target (systems that move in multiple dimensions to disadvantage the attacker and increase resiliency)”4 as one of the administration’s three key themes for cyber security research and development strategy. Our approach to developing the necessary survivability involves a combination of research, prototyping, architectural development, and evaluation. We have researched architectural ideas that make it difficult for adversaries to impact mission critical systems and prototyped an architectural component that provides platform heterogeneity as a proof-of-concept. We have also developed an analysis and assessment tool that can evaluate the attack paths into a system and support the architectural component in determining the appropriate orientation based on the current threat level. We are in the process of developing analysis and experimentation frameworks to thoroughly measure the effectiveness and protection offered by the components discuss in this work; we leave them as the future work here. We describe two components for achieving cyber survivability in a contested environment: an architectural component that provides heterogeneous computing platforms and an assessment technology that complements the architectural component by analyzing the threat space and triggering reorientation based on the evolving threat level. Together, these technologies provide a cyber moving target that dynamically changes the properties of the system to disadvantage the adversary and provide resiliency and survivability.5 Trusted dynamic logical heterogeneity system (TALENT),6 the architectural component, provides a framework to migrate, in real-time, mission critical applications across heterogeneous platforms. We hypothesize that in critical warfighting systems, the mission itself is the top priority, not individual instances of the subsystems. By live-migrating the critical application from one platform to another, TALENT can thwart cyber attacks and provide resiliency. This means the information collected by the attacker about the platform during the reconnaissance phase becomes ineffective at the time of attack. TALENT provides heterogeneity at the hardware and operating system levels while it preserves the state of the mission critical application.7, 8 This means we should be able to run the application on top of processors with different instruction sets. By accurately measuring risk for mission critical networks, attack graphs allow network defenders to understand the most critical threats and select the most effective countermeasures. Network Security Planning Architecture (NetSPA),9 the assessment component, analyzes critical networks against the current threat level using attack graphs and reachability analysis. NetSPA assesses the effects of known and zero-day attacks, computes the impact of possible compromises, and proposes countermeasures. By integrating the architectural and assessment components, a critical warfighting system can achieve cyber survivability against aggressive cyber attacks. NetSPA assesses the potential compromises and reacts to changes in the current threat level by triggering reorientation. TALENT then performs reorientation by dynamically changing the platform of the critical applications to the platform recommended by NetSPA. Together they implement a polymorphic system that can operate through aggressive compromises in a contested environment.