The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) works closely with private business and academic partners to evolve the traditional reactive cyber defense approach to one that is more collaborative, proactive and timely. This work on a new cybersecurity paradigm could eliminate some of the manual steps in cyber protection and enable effective collective defense.
Traditionally, a system identifies a breach in a single network, and analysts mitigate the vulnerability. S&T recently demonstrated a new Federated Command and Control (FC2) infrastructure with the Florida Institute of Technology (FIT) that can protect a multitude of organizations at once—a federation. FC2 protects a federation from potential threats using a variety of preventative measures and automated responses where malicious activity is detected, shared and mitigated.
FC2 moves beyond simple threat information sharing by utilizing existing sensors and techniques to detect and mitigate suspected malicious activity. It allows federated organizations with shared interests to collaboratively identify threat and attack indicators, recommend defenses and evaluate playbooks all in a semi-automatic manner.
The demo began with Edward Rhyne, S&T Program Manager for Federated Security, highlighting work between S&T and FIT to pilot the infrastructure as well as the benefits of a federated cybersecurity system that has the ability to orchestrate defense protocols. During the demo, a mix of physically separated hardware network spaces and virtualized enclaves automatically joined to form federations. These federations then automatically shared attack indicators, recommended and applied defensive responses, and performed various privacy-preserving joint calculations.
S&T and partners had previously set up a federated environment at FIT composed of organizations exposed to simulated attacks. The system successfully responded to those attacks through the environment’s command and control functions.
“The federation should enable defenders to get ahead of the spread of malicious activity,” Rhyne said.
Automating communication between organizations in a federated environment is a more efficient and effective method of alerting the different groups when they may be vulnerable to cyberattacks. Rather than simply sharing indicators without context, the system can autonomously share them with context and recommend necessary actions to prevent or mitigate the effects of a potential attack.
Dynamic Defense Background
The FC2 infrastructure evolved from S&T’s exploration of “moving target defense” (MTD), which began in 2011. MTD is a novel approach involving the controlled change of system properties to provide a constantly shifting and unpredictable attack surface. This raises uncertainty and complexity for potential attackers as they attempt to learn the system.
The federated defense concept, which followed MTD in 2015, creates an environment in which different organizations enhance their local decision-making based on global knowledge, enabling stronger protections through greater awareness and common cybersecurity operations across the federated enterprises.
One of the main tenets of the federated defense concept is to preserve existing defensive systems and their unique properties and policies within member organizations, which increases the diversity of the federation. Another tenet of FC2 is privacy, with built-in protocols that let participants in a federation maintain it. Organizations may not be comfortable sharing specific information about a cyberattack with outside parties, so the FC2 infrastructure is arranged to notify the federation of potential malicious activity while concealing the identity of the organization that identified it. Additionally, the FC2 environment leverages advancements in Secure Multi-Party Computing, which allows federation members to perform joint computations on data without needing to know the details of each member’s specific inputs.
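An added example, not code from the DHS/FIT FC2 system, of the kind of privacy-preserving joint calculation described above: with additive secret sharing, federation members can count how many of them observed a given indicator, and raise a federation-wide alert past a threshold, without any member disclosing its own sighting. The modulus, indicator labels and member sets are constructed placeholders.

```python
import secrets

# Prime modulus for the additive secret-sharing field (constructed parameter).
P = 2**61 - 1

def share(value, n):
    """Split an integer into n additive shares that sum to value mod P.
    Any n-1 of them are uniformly random and reveal nothing about value."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def reconstruct(shares):
    """Recombine additive shares (sum mod P)."""
    return sum(shares) % P

def federated_hit_count(member_observations, indicator):
    """Count how many members observed `indicator` without any member
    revealing its own yes/no answer.
    Step 1: each member encodes its private input as 1 or 0 and splits it
            into one share per member (keeping one, sending out the rest).
    Step 2: member j adds the j-th share it received from every member and
            publishes only that partial sum, which on its own looks random.
    Step 3: the published partial sums add up to the total hit count."""
    n = len(member_observations)
    distributed = [share(1 if indicator in seen else 0, n)
                   for seen in member_observations]
    partial_sums = [sum(distributed[i][j] for i in range(n)) % P
                    for j in range(n)]
    return reconstruct(partial_sums)

def federation_alerts(member_observations, candidate_indicators, threshold=2):
    """Indicators seen by at least `threshold` members. The alert names the
    indicator, never which member reported it."""
    return sorted(ioc for ioc in candidate_indicators
                  if federated_hit_count(member_observations, ioc) >= threshold)

# Constructed sample inputs: indicator labels are placeholders, not real IoCs.
MEMBERS = [
    {"ioc-alpha", "ioc-beta"},               # member A's private sightings
    {"ioc-beta"},                            # member B
    {"ioc-alpha", "ioc-beta", "ioc-gamma"},  # member C
    set(),                                   # member D saw nothing
]

if __name__ == "__main__":
    print(federation_alerts(MEMBERS, {"ioc-alpha", "ioc-beta", "ioc-gamma"}))
```

Each member's partial sum is a random-looking field element, so an observer of the published values learns the aggregate count and nothing about which member contributed a 1.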
Federating Homeland Cybersecurity
A federated command and control environment, connecting organizations that depend on each other but still need their individuality preserved, could benefit government agencies and private businesses alike. Especially in the Homeland Security Enterprise, where components with their own unique missions share a broader homeland security mission, a federated command and control environment may significantly increase cybersecurity effectiveness.
Giving the upper hand to cyber defenders begins with sharing more proactive solutions, which is why the next step for the FC2 project is to provide a pilot to even more organizations. As malicious actors persist in finding new ways to work together to compromise networks and cause trouble, S&T works to change and evolve cybersecurity measures to protect our national interests.
Government or academic agencies that are interested in piloting this solution should contact the CSD liaison box at SandT-Cyber-Liaison@HQ.DHS.GOV.