June 1, 2010  

The silent infiltrator

Many of the challenges of traditional warfare are magnified in the cyber realm. Chief among these is the challenge of situational awareness. Cyberspace is a vast, incredibly complex and rapidly changing battlefield. In the kinetic realm, the “fog of war” is a term derived from Clausewitz to refer to uncertain knowledge about one’s adversary and even one’s own position in the midst of an operation.

While situational awareness is a major challenge in traditional warfare, the fog of cyberwar threatens to be so thick that it can become the primary impediment to victory. As Sun Tzu said, “If you know the enemy and know yourself, you need not fear the results of a hundred battles.” Developing the techniques and tools for cyber situational awareness is paramount to achieving strategic and tactical advantage in this new domain.

One fundamental challenge in the cyber domain is the difficulty of determining one’s own defensive posture. Two key aspects of cyberspace make this part of situational awareness difficult: its vast complexity and its fantastic rate of change. Traditional manual techniques for gaining friendly situational awareness are quickly overwhelmed by these effects.

The complexity of cyberspace stems from several factors. First, today’s information technology, based on distributed computing concepts, is inherently intricate. Functionality is spread across multiple computer systems that are tied together in global networks. Every element in these architectures must be assessed and protected: applications, databases, Web servers, host computers, networking gear, etc. Even basic knowledge such as the number of systems deployed and how they are connected can be a challenge for those attempting to achieve situational awareness in these networks.

Its inherent redundancy adds to the complexity of cyberspace. Computing systems, especially in military and other critical functions, are often built to ensure availability even if individual components fail. To achieve a high degree of availability, they are often heavily redundant, offering backup systems and failover network paths. While redundancy is key for availability, it greatly adds to the complexity of security. For example, a typical network offers many possible paths to connect a user to an application. If any single path is available, the application is available. However, a vulnerability in any of those paths can enable a security breach. While availability is a function of the strongest link in the chain, security is a function of the weakest.

In addition to the complexity of cyberspace, situational awareness is also made challenging by constant and dynamic change. Even if one were able to accurately define and assess one’s position at a given point in time, the assessment would be out of date within hours. Many organizations spend enormous resources trying to control change, but unrestricted change is an inherent characteristic of cyberspace.


There are several aspects of change that affect situational awareness in cyberspace. The first is in the information systems themselves. Systems are constantly being deployed, decommissioned, integrated and updated with new software and hardware. This sort of change is fundamental to the power of distributed computing. It enables great flexibility, rapid reaction time and tremendous innovation — all of which can be key to supporting the mission and gaining superiority. While steps can be taken to manage this change, there are limits to how much control can be imposed without compromising the advantages that cyberspace offers.

The second aspect of change is completely out of our control: the changing nature of vulnerabilities and threats. There are thousands of known vulnerabilities in our information systems, and new ones are discovered every day. Adversaries, from teenage hackers to foreign governments, are constantly developing new mechanisms to exploit these vulnerabilities. Anything we thought was impregnable yesterday is shown to have subtle weaknesses today and will likely be demonstrated to have been compromised tomorrow — or even sooner.

To defend cyberspace, we have deployed a huge array of systems, processes and personnel. As you might expect, our defenses naturally take on aspects of the assets they protect. They themselves are extremely complex and rapidly changing, creating huge challenges for understanding defensive posture.

As an example, let’s look at the network defenses provided by firewalls. A large federal agency will have hundreds of firewalls, each of which may implement thousands of individual rules to restrict access. It’s a great challenge even to assess a single firewall, but that is a small part of the overall network security assessment. Firewalls are deployed in defense-in-depth architectures, so one must assess the collective effect of multiple firewalls. Further, because there are multiple paths through a network, the defense must be assessed multiple ways for each given system. When one considers hundreds of thousands of rules interacting in an intricate, interrelated architecture, it’s clear that assessment complexity makes applying manual techniques impossible.

Further, cyber defenses must be in a constant state of flux to accommodate both changing information systems and changing threats. Security professionals strive to ensure that the complex security infrastructure stays precisely in sync with a complex and changing threat environment and a complex and changing IT environment. Ensuring that defensive posture is sound under these circumstances is a major challenge. Organizations often try to address this necessity with processes that detect and validate changes to defensive systems, but these are at best a partial solution. Because changes to defensive systems are a reaction to changes elsewhere, the absence of change can be as serious an issue as change itself.

It’s clear why the fog of cyberwar is such a challenge for defensive posture. Enormously complex and rapidly changing information systems are protected against rapidly morphing threats by enormously complex and rapidly changing defensive systems. It’s an intricate dance in which everything must remain in sync. Otherwise, breaches most definitely will occur.

Given these realities, it should come as little surprise that the root causes of many breaches are often simple. While extremely sophisticated exploits do occur, the vast majority of breaches are caused by oversights that could, in retrospect, have been easily prevented. In a study of security breaches, Verizon Systems concluded that 87 percent could have been avoided with simple or intermediate controls.

Traditional manual techniques are failing to provide us with the security we require in cyberspace today. The complexity of defensive systems requires comprehensive and intricate analysis to determine if they are correct. The scope of cyberspace requires enormous resources to perform an analysis. And the rapid rate of change requires a complete analysis to be performed quickly and virtually continuously, at least on a daily basis.

The only hope for clearing the fog of cyberwarfare is to bring to bear automated systems that continuously monitor security posture and provide risk-based situational awareness to decision makers. The Joint Task Force Transformation Initiative, a working group with representatives from the Defense Department, the intelligence community and the National Institute of Standards and Technology, has been developing requirements for this automation.

There are three classes of systems for defensive posture management in the cyber arena. They can be classified by when they operate in relation to an attack: after, during and before.


Forensic systems help organizations investigate attacks after the fact to understand both their impact and their root causes. The core of these solutions is historical logs that record activity on each aspect of the infrastructure, from software to network devices. These logs can be analyzed manually to determine the sequence of events that led to a breach. However, the volume and complexity of this data is huge, so most organizations implement log management systems that collect, store and analyze this historical data. These systems correlate information from multiple systems to identify patterns and put together a timeline of the incident. Using this information, the organization can remediate the issues that enabled the breach as well as identify and potentially address any damage that was done.

A second class of situational awareness systems helps organizations detect and respond to an incident in progress. These systems rely on sensors, such as intrusion detection systems, that are deployed throughout the infrastructure to identify suspicious behavior and raise alarms. While these alarms can be analyzed manually, an exploit may raise many such alarms as it moves through the infrastructure. Sorting out a true attack from the normal background noise of false alarms is extremely complex. To address this, organizations deploy systems for security information and event management (SIEM). SIEM systems collect events, analyze them on an infrastructure-wide basis and attempt to identify where an exploit is occurring at that point in time. With this information, incident response teams can take action to prevent the breach from progressing further.

The third class of situational awareness systems is designed to operate before an attack begins. They identify vulnerabilities, misconfigurations and risks in the infrastructure. Like forensic and event-based systems, these solutions have components that assess individual devices, such as vulnerability scanners. However, scanners and similar tools identify vast numbers of potential device issues, most of which are effectively mitigated by defense-in-depth security architectures. To address this, organizations can deploy security posture management solutions. These systems analyze the configurations and vulnerabilities of the various devices and hosts throughout the infrastructure, correlate them together, and identify the system-wide security issues that exist in the infrastructure. Using this information, security teams can prioritize and address issues to remediate before they are exploited by adversaries.
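The path-by-path assessment described above (the strongest-link/weakest-link contrast, the collective effect of firewalls along multiple paths, and the filtering of scanner findings by what is actually reachable) as an added example, not code from the article or from RedSeal. The firewall names, addresses, rules and scanner findings are constructed; the model assumes first-match rule evaluation with an implicit deny, and that a flow crosses a path only if every firewall on it permits it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port; 0 matches any port

def firewall_permits(rules, src, dst, port):
    """First-match evaluation; a flow matching no rule is denied (implicit default)."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.port in (0, port)):
            return r.action == "allow"
    return False

def path_permits(firewalls, path, src, dst, port):
    """A flow crosses a path only if every firewall on it permits it (weakest link)."""
    return all(firewall_permits(firewalls[name], src, dst, port) for name in path)

def open_paths(firewalls, paths, src, dst, port):
    """Paths carrying the flow: availability needs any one; exposure exists if any one does."""
    return [p for p in paths if path_permits(firewalls, p, src, dst, port)]

def prioritize(firewalls, paths, findings, untrusted_src):
    """Keep only scanner findings that the untrusted source can actually reach, with the paths."""
    exposed = []
    for host, port, severity in findings:
        via = open_paths(firewalls, paths, untrusted_src, host, port)
        if via:
            exposed.append((host, port, severity, via))
    return exposed

# Constructed sample topology (hypothetical names and addresses): two redundant edge
# firewalls in front of one core firewall; edge-B's rule is broader than edge-A's.
FIREWALLS = {
    "edge-A": [Rule("allow", "0.0.0.0/0", "10.1.0.0/16", 443),
               Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0)],
    "edge-B": [Rule("allow", "0.0.0.0/0", "10.1.0.0/16", 0)],
    "core":   [Rule("allow", "0.0.0.0/0", "10.1.2.0/24", 443),
               Rule("allow", "0.0.0.0/0", "10.1.2.10/32", 22),
               Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0)],
}
PATHS = [("edge-A", "core"), ("edge-B", "core")]
# Constructed scanner output: (host, port, severity); the 3306 finding is unreachable
FINDINGS = [("10.1.2.10", 22, "high"), ("10.1.2.10", 443, "medium"), ("10.1.2.20", 3306, "critical")]
```

Calling `prioritize(FIREWALLS, PATHS, FINDINGS, "203.0.113.5")` drops the "critical" 3306 finding because both paths block it, and shows that port 22 on 10.1.2.10 is reachable only through the broader edge-B path, which is the weakest-link effect the text describes.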


Today’s security architectures are built on the premise that successful attacks will occur. The rapidly changing and inherently open nature of cyberspace makes this inevitable. The ultimate protection against attacks is to “air gap” critical systems from untrusted sources; i.e., ensure that no connectivity exists at all. This strategy is employed between the Nonclassified Internet Protocol Router Network, or NIPRNet, and the Secret Internet Protocol Router Network, or SIPRNet, but it comes with a high cost in timeliness, flexibility and functionality. To retain functionality while still offering robust security, modern cyber defenses are built in layers. Even if an attack penetrates the first layer of defenses, deeper layers are designed to contain the attack before it can reach critical systems. Much like physical defenses, layered defenses can give incident response teams the time to shut down an attack before it causes unacceptable losses.

Effective situational awareness systems are an integral part of layered defensive architectures. Security posture management systems are necessary to ensure that the layers of defenses are successfully configured at every point in time. Every layer increases the complexity of the defense exponentially, so maintaining multiple layers between changing threats and changing information systems requires automated assessment capabilities. Further, layered defenses can be effective only if attacks are detected and addressed before they can penetrate interior layers. Intrusion detection and event management must therefore be taken into account as security is designed.

Unfortunately, most cyber defenses have evolved over time, often in an ad hoc manner. Layering is often inconsistent, reflecting both budgetary considerations and the historical nature of networks that have been interconnected. Further, situational awareness systems have not been deployed to the degree necessary to achieve effective levels of defense. Ironically, log management systems, which enable investigation of past events, are the most commonly deployed systems. Event management to respond to attacks in progress is becoming more common, while security posture management systems to prevent attacks in the first place are just beginning to emerge.

While forensic investigation of attacks is important, it cannot substitute for preventing the attack. This is the cyber equivalent of shutting the barn door after the horse has bolted. While the emphasis on forensics is understandable given the historical audit-driven approach to security, it is serving us poorly in our efforts to truly prevent our adversaries from successfully attacking us. In early 2009, the Pentagon announced that it had spent more than $100 million in a six-month period dealing with the aftermath of attacks.

With its great complexity and rapid rates of change, situational awareness is even more critical in cyberspace than in the kinetic realm. Unfortunately, it has received less attention than it requires. As such, valuable resources are expended recovering from attacks rather than preventing them. The complexity and rate of change of information systems, adversarial threats and security architectures grows every year. The challenges of situational awareness have progressed far beyond traditional manual capabilities and assessments. Only sophisticated, powerful automation can ensure that our cyber defenses are continuously able to stop attacks before they reach their objectives. Deployment of these capabilities is critical if we are not to become lost in the fog of cyberwar. AFJ

Mike Lloyd is chief scientist at RedSeal Systems. He has more than 20 years’ experience in the modeling and simulation of dynamic systems.