8th Annual Secure and Resilient Cyber Architectures Invitational & Training Event: 2018 Proceedings

©2019 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case # PR 19-02172-5

Table of Contents

Overview
Background
    Prior Years: 2010 - 2017
    2018
Introduction
Section 1: Tutorial, Monday, May 7th
Section 2: Presentations, Tuesday, May 8th
    Kickoff Presentation
    Building Cyber Resilient Systems: A National and Economic Security Imperative
    Cyber Resiliency Without Detection
    Micro-Virtualization
    Operationalizing Resiliency Track
    Consequence-driven Cyber-Informed Engineering (CCE) Methodology
    Operationalizing Resiliency: An Infrastructure Lifelines Perspective
    Large-Program Cyber Resiliency
Section 3: Presentations Wednesday May 9th
    Resilience in Elections
    Cyber Resilience and Response Impressions from the Field
    Cyber Resiliency for Weapons Systems
    DoD Weapon System Engineering for Operations in Contested Cyberspace Environments
    Cyber Resiliency for Weapon Systems
    Applying Cyber Prep 2.0 and Cyber Resiliency to Build Out a Risk Universe
Product Vendor Talks
Section 4: Break Out Sessions, Tuesday, May 8th
    Breakout Session: NIST SP 800-160 Volume 2
        Goal
        Discussion / Observations
        Challenges
        Recommendations/Way Forward
    Breakout Session: Resiliency without Detection - Mini-Table-Top Exercise (TTX)
        Phase 1, 45 minutes
        Phase 2, 45 minutes
        Phase 3, 45 minutes
        Readout, 30 minutes
    Break out Session: Operationalizing Cyber Resiliency
        Goal
        Discussion / Observations
        Issues and Challenges
Section 5: Break Out Sessions, Wednesday, May 9th
    Using Cyber Resiliency to Mitigate Adversary Actions
        Goal
        Discussion / Observations
        ATT&CK and CREF Discussion
        ACR Discussion
        Challenges
        ATT&CK and CREF Challenges
        ACR Challenges
        Recommendations/Way Forward
    Cyber Resiliency in Weapons Systems
        Goal
        Observations
        Challenges
        Way Forward

Overview

May 2018 marked the eighth year in which approximately 150 subject matter experts (SMEs) in cyber resiliency from government, industry, and academia came together in McLean, VA, for collective work on topics of common policy and engineering concern. For two days, the 8th Annual Secure and Resilient Cyber Architectures Invitational & Training Event accelerated recognition and adoption of cyber resiliency with a focus on organizations.

Background

Prior Years: 2010 - 2017

The first workshop, held in October 2010, established the initial community and shared architectural, technical, and policy perspectives on cyber resiliency. The second workshop, held in May 2012, focused on collaborating to develop a communal view of resiliency frameworks, engineering principles, and metrics [1]. The third workshop, held in June 2013, centered on identifying favorable conditions for use of specific resiliency techniques, assessing the use of techniques in enterprise architectures, and developing use cases [2]. The fourth meeting, now renamed "Invitational" and held in May 2014, emphasized applying cyber resiliency to space-based systems and critical infrastructure, designing a cyber resiliency challenge, and identifying roles played by cyber resiliency throughout the systems engineering life cycle [3].

The Fifth Annual Secure and Resilient Cyber Architectures Invitational, held in May 2015, concentrated on taking stock of the state of cyber resiliency: the lessons learned and the remaining challenges to overcome. It sought community consensus on the theme of Cyber Resilience: Looking Backward (What Has Worked? What Has Not?), Looking Forward (What New Challenges Must Be Faced?). Keynote speakers included representatives from the National Institute of Standards and Technology (NIST), US Navy, Indiana University, and Bit9 + Carbon Black [4].

The Sixth Annual Secure and Resilient Cyber Architectures Invitational, which took place on 18–19 May 2016, centered on the theme of Institutionalizing Cyber Resiliency [5]. Four keynote speakers were followed by panel discussions inclusive of industry leaders. Three working groups furthered knowledge sharing by focusing on: cyber resiliency and system security engineering, cyber resiliency and an organization's cybersecurity program, and cyber resiliency and acquisition. In addition, vendor booths and representatives displayed leading-edge cyber resiliency offerings.

The Seventh Annual Secure and Resilient Cyber Architectures Invitational and Training Event was held May 9-10th, with an optional tutorial held the afternoon of May 8th. The addition of the tutorial was the reason that "Training Event" was added to the title. The event included four presentations, a panel, four facilitated working groups, and selected vendor booths and presentations by those vendors. Topics addressed included: cyber resiliency in the financial community, cyber resiliency and architectures, measuring the effectiveness of cyber resiliency, and cyber resilience in weapon systems.

2018

The rest of this report focuses on the 8th Annual Secure and Resilient Cyber Architectures Invitational and Training Event. These proceedings present a summary of the keynote talks, the panel discussion, and working group tracks. The Cyber Resiliency Invitational Committee believes the Invitational serves a larger mission: to advance the field of cyber resiliency for our sponsors and nation. Additional materials from the invitational and briefings can be found at . The committee welcomes comments from readers through the contact email address: secureandresilient@.

The Cyber Resiliency Invitational Committee
August 2019

Introduction

The 8th Annual Secure and Resilient Cyber Architectures Invitational & Training Event included thirteen presentations, a lightning session, five three-hour breakout sessions, and presentations by ten selected vendors over two days. In addition, there was an optional tutorial the afternoon prior to the commencement of the event, which is discussed briefly in Section 1.

Section 2 summarizes the following seven presentations provided on Tuesday May 8th.

• Building Cyber Resilient Systems: A National and Economic Security Imperative, by Dr. Ron Ross, NIST Fellow
• Cyber Resiliency Without Detection, by Dr. Vipin Swarup, MITRE Corporation
• Micro-Virtualization, by Dr Ian Pratt, Bromium
• Operationalizing Resiliency Track, by Ms. Emily Frye, MITRE Corporation
• Consequence-driven Cyber-Informed Engineering (CCE) Methodology -- Engineering out the cyber risk from things that must not fail, by Mr. Andy Bochman, Idaho National Labs
• Operationalizing resiliency: An infrastructure lifelines perspective, by Dr. Elise Miller-Hooks, Hazel Chair in Civil Engineering, George Mason University
• Large Program Cyber Resiliency, by Mr. Skip Reindollar, MITRE Corporation

Section 3 summarizes the following six presentations and the lightning session provided on Wednesday May 9th.

• Resilience in Elections, by Mr. Jeremy Epstein, National Science Foundation
• Cyber Resilience and Response Impressions from the field, by Mr. Peter Mitchener, FBI Senior National Intelligence Officer for Cyber
• Cyber Resiliency for Weapon Systems, by Mr. Daniel Holtzman, United States Air Force
• DoD Weapon System Engineering for Operations in Contested Cyberspace Environments, by Ms. Melinda Reed, Deputy Director for Program Protection, Assistant Secretary of Defense, Research and Engineering (ASD(R&E))
• Cyber Resiliency for Weapon Systems, by Col. Ed Masterson, Acting Director, Cyber Resiliency Office for Weapon Systems, USAF
• Applying Cyber Prep 2.0 and Cyber Resiliency to build out a Risk Universe, by Mr. James Mailliard, Vice President Cyber Security Governance, Risk and Compliance, Elsevier
• Vendor Product Lightning Round Talks

Section 4 summarizes the three breakout sessions provided during the afternoon of May 8th.

• NIST SP 800-160 Volume 2 - Ask the Authors, overseen by Dr. Ron Ross of NIST, Deb Bodeau of MITRE, Rich Graubart of MITRE.
    o The initial public draft of NIST SP 800-160 Volume 2 - Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems was released for review on 21 March. The purpose of this breakout session was to provide reviewers the opportunity to offer comments informally and to ask the authors questions about the document.

• Cyber Resiliency Without Detection Table-Top
    o This breakout session built upon and extended the morning briefings by Vipin Swarup and Ian Pratt. Its purpose was to demonstrate the viability of cyber resiliency without detection through a series of table-top injects.

• Operationalizing Cyber Resilience
    o The breakout session built upon and extended the morning briefings. It provided the attendees the opportunity to share experiences and challenges that they have encountered in their attempts to operationalize cyber resilience, and to discuss unmet needs they see or predict while turning resilience guidelines and frameworks into practice.

Section 5 summarizes the two breakout sessions provided during the afternoon of May 9th.

• Using Cyber Resiliency to Mitigate Adversary Actions
    o Analysis of adversary actions and cyber resiliency are often considered two distinct concepts. This track challenged this belief by examining how adversary-focused frameworks, in conjunction with cyber resiliency solutions, could help to counter advanced cyber-attacks.

• Cyber Resiliency in Weapons Systems
    o This breakout session built upon the keynote presentations of the morning. It provided an opportunity for attendees to discuss challenges in making weapon systems resilient as well as possible ways to bring to bear policy, technology, procedures and expertise to enhance the resiliency of such systems.

In parallel to the presentations and breakout sessions, during both days there were vendor booths presenting cyber resiliency enabling products from the following vendors: Akamai, Attivo Networks, Bromium, Cryptonite, Illumio, Illusive Networks, Javelin Networks, Morphisec, Polyverse, and Symantec.

Section 1: Tutorial, Monday, May 7th

A tutorial on cyber resiliency was presented by Ms. Deb Bodeau, Mr. Rich Graubart, and Ms. Rosalie McQuaid, all from the MITRE Corporation. An outline of the tutorial is presented below.

The presenters are also the authors of the initial public draft of NIST SP 800-160, Volume 2 - Systems Security Engineering: Cyber Resiliency Engineering Considerations for the Engineering of Trustworthy Secure Systems. They drew from that document for much of the tutorial. Discussions covered:

• Definition of cyber resiliency
• Why cyber resiliency is needed
• Explanation (and definitions) of the various cyber resiliency constructs (goals, objectives, techniques, approaches, design principles)
• Effects cyber resiliency has on adversaries
• Linkages between Volume 1 and 2 of NIST SP 800-160
• Linkage between cyber resiliency and NIST SP 800-53

In addition, the tutorial covered material not in NIST SP 800-160 Volume 2, such as discussions on cyber metrics and measures of effectiveness and means of assessing the resiliency of a system. The tutorial was intended to provide a common basis and understanding of cyber resiliency prior to the commencement of the Invitational.
